mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00

Stop using 8n width in tagged lists.

Use either 4n, when the body is expected to wrap, or the width of
the longest tag when no wrapping is expected.
Todd C. Miller 2023-01-16 08:53:35 -07:00
parent 0814749132
commit 3726e38394
12 changed files with 215 additions and 217 deletions

View File

@ -91,24 +91,24 @@ The supported types are:
.PP .PP
.RS 8n .RS 8n
.PD 0 .PD 0
.TP 10n .TP 9n
all all
All Defaults entries. All Defaults entries.
.PD .PD
.TP 10n .TP 9n
global global
Global Defaults entries that are applied regardless of Global Defaults entries that are applied regardless of
user, runas, host, or command. user, runas, host, or command.
.TP 10n .TP 9n
user user
Per-user Defaults entries. Per-user Defaults entries.
.TP 10n .TP 9n
runas runas
Per-runas user Defaults entries. Per-runas user Defaults entries.
.TP 10n .TP 9n
host host
Per-host Defaults entries. Per-host Defaults entries.
.TP 10n .TP 9n
command command
Per-command Defaults entries. Per-command Defaults entries.
.PP .PP
@ -138,7 +138,7 @@ The following formats are supported:
.PP .PP
.RS 8n .RS 8n
.PD 0 .PD 0
.TP 10n .TP 9n
CSV CSV
CSV (comma-separated value) files are often used by spreadsheets CSV (comma-separated value) files are often used by spreadsheets
and report generators. and report generators.
@ -146,7 +146,7 @@ See
\fICSV output format\fR \fICSV output format\fR
for more details. for more details.
.PD .PD
.TP 10n .TP 9n
JSON JSON
JSON (JavaScript Object Notation) files are usually easier for JSON (JavaScript Object Notation) files are usually easier for
third-party applications to consume than the traditional third-party applications to consume than the traditional
@ -159,7 +159,7 @@ format.
See See
\fIJSON output format\fR \fIJSON output format\fR
for more details. for more details.
.TP 10n .TP 9n
LDIF LDIF
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
server for use with server for use with
@ -167,7 +167,7 @@ sudoers.ldap(@mansectform@).
.sp .sp
Conversion to LDIF has the following limitations: Conversion to LDIF has the following limitations:
.PP .PP
.RS 10n .RS 9n
.PD 0 .PD 0
.TP 3n .TP 3n
\fB\(bu\fR \fB\(bu\fR
@ -182,7 +182,7 @@ sudoers LDAP schema so they are expanded during the conversion.
.PP .PP
.RE .RE
.PD .PD
.TP 10n .TP 9n
sudoers sudoers
Traditional sudoers format. Traditional sudoers format.
A new sudoers file will be reconstructed from the parsed input file. A new sudoers file will be reconstructed from the parsed input file.
@ -209,7 +209,7 @@ The following formats are supported:
.PP .PP
.RS 8n .RS 8n
.PD 0 .PD 0
.TP 10n .TP 9n
LDIF LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by server to convert security policies used by
@ -219,7 +219,7 @@ that match the base DN will be processed.
Not all sudoOptions specified in a sudoRole can be translated from Not all sudoOptions specified in a sudoRole can be translated from
LDIF to sudoers format. LDIF to sudoers format.
.PD .PD
.TP 10n .TP 9n
sudoers sudoers
Traditional sudoers format. Traditional sudoers format.
This is the default input format. This is the default input format.
@ -899,30 +899,30 @@ The following names and values are supported:
.PP .PP
.RS 6n .RS 6n
.PD 0 .PD 0
.TP 10n .TP 9n
command command
A string containing the command to run. A string containing the command to run.
The special value The special value
\fBALL\fR \fBALL\fR
it will match any command. it will match any command.
.PD .PD
.TP 10n .TP 9n
negated negated
A boolean value that, if true, will negate any comparison performed A boolean value that, if true, will negate any comparison performed
with the object. with the object.
.TP 10n .TP 9n
sha224 sha224
A string containing the SHA224 digest of the A string containing the SHA224 digest of the
\fIcommand\fR. \fIcommand\fR.
.TP 10n .TP 9n
sha256 sha256
A string containing the SHA256 digest of the A string containing the SHA256 digest of the
\fIcommand\fR. \fIcommand\fR.
.TP 10n .TP 9n
sha384 sha384
A string containing the SHA384 digest of the A string containing the SHA384 digest of the
\fIcommand\fR. \fIcommand\fR.
.TP 10n .TP 9n
sha512 sha512
A string containing the SHA512 digest of the A string containing the SHA512 digest of the
\fIcommand\fR. \fIcommand\fR.
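Review bot: unrelated to the width change, the unchanged context lines "The special value" / "\fBALL\fR" / "it will match any command." in this hunk do not form a sentence, while the parallel entries later in this file read "If set to the special value" / "\fBALL\fR," / "it will match any user." Suggest the same form here ("If set to the special value", "\fBALL\fR,", "it will match any command."), made in the mdoc source (the same "The special value" text appears under ".It command" in the mdoc hunk of this commit) so the regenerated man page picks it up.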
@ -1072,7 +1072,7 @@ defaults_type,binding,name,operator,value
.RS 6n .RS 6n
.sp .sp
The fields are as follows: The fields are as follows:
.TP 10n .TP 6n
defaults_type defaults_type
The type of The type of
\fIDefaults\fR \fIDefaults\fR
@ -1083,7 +1083,7 @@ setting; one of
\fIdefaults_runas\fR, \fIdefaults_runas\fR,
or or
\fIdefaults_user\fR. \fIdefaults_user\fR.
.TP 10n .TP 6n
binding binding
For For
\fIdefaults_command\fR, \fIdefaults_command\fR,
@ -1092,12 +1092,12 @@ For
and and
\fIdefaults_user\fR \fIdefaults_user\fR
this is the value that must match for the setting to be applied. this is the value that must match for the setting to be applied.
.TP 10n .TP 6n
name name
The name of the The name of the
\fIDefaults\fR \fIDefaults\fR
setting. setting.
.TP 10n .TP 6n
operator operator
The operator determines how the value is applied to the setting. The operator determines how the value is applied to the setting.
It may be either It may be either
@ -1108,8 +1108,9 @@ It may be either
or or
\(oq-=\(cq \(oq-=\(cq
(remove). (remove).
.TP 10n .TP 6n
value value
.br
The setting's value, usually a string or, for The setting's value, usually a string or, for
settings used in a boolean context, settings used in a boolean context,
\fItrue\fR \fItrue\fR
@ -1141,7 +1142,7 @@ alias_type,alias_name,members
.RS 6n .RS 6n
.sp .sp
The fields are as follows: The fields are as follows:
.TP 10n .TP 6n
alias_type alias_type
The type of alias; one of The type of alias; one of
\fICmnd_Alias\fR, \fICmnd_Alias\fR,
@ -1149,11 +1150,11 @@ The type of alias; one of
\fIRunas_Alias\fR, \fIRunas_Alias\fR,
or or
\fIUser_Alias\fR. \fIUser_Alias\fR.
.TP 10n .TP 6n
alias_name alias_name
The name of the alias; a string starting with an upper-case letter that The name of the alias; a string starting with an upper-case letter that
consists of upper-case letters, digits, or underscores. consists of upper-case letters, digits, or underscores.
.TP 10n .TP 6n
members members
A comma-separated list of members belonging to the alias. A comma-separated list of members belonging to the alias.
Due to the use of commas, Due to the use of commas,
@ -1181,13 +1182,13 @@ rule,user,host,runusers,rungroups,options,command
.RS 6n .RS 6n
.sp .sp
The fields are as follows: The fields are as follows:
.TP 10n .TP 6n
rule rule
This field indicates a This field indicates a
\fIsudoers\fR \fIsudoers\fR
\fIrule\fR \fIrule\fR
entry. entry.
.TP 10n .TP 6n
user user
The user the rule applies to. The user the rule applies to.
This may also be a Unix group (preceded by a This may also be a Unix group (preceded by a
@ -1202,7 +1203,7 @@ or a
If set to the special value If set to the special value
\fBALL\fR, \fBALL\fR,
it will match any user. it will match any user.
.TP 10n .TP 6n
host host
The host the rule applies to. The host the rule applies to.
This may also be a netgroup (preceded by a This may also be a netgroup (preceded by a
@ -1213,7 +1214,7 @@ or a
If set to the special value If set to the special value
\fBALL\fR, \fBALL\fR,
it will match any host. it will match any host.
.TP 10n .TP 6n
runusers runusers
An optional comma-separated list of users (or An optional comma-separated list of users (or
\fIRunas_Alias\fRes) \fIRunas_Alias\fRes)
@ -1224,9 +1225,8 @@ If set to the special value
\fBALL\fR, \fBALL\fR,
it will match any user. it will match any user.
If empty, the root user is assumed. If empty, the root user is assumed.
.TP 10n .TP 6n
rungroups rungroups
.br
An optional comma-separated list of groups (or An optional comma-separated list of groups (or
\fIRunas_Alias\fRes) \fIRunas_Alias\fRes)
the command may be run as. the command may be run as.
@ -1238,7 +1238,7 @@ it will match any group.
If empty, the If empty, the
\fIrunuser\fR's \fIrunuser\fR's
group is used. group is used.
.TP 10n .TP 6n
options options
An optional list of An optional list of
\fIDefaults\fR \fIDefaults\fR
@ -1249,7 +1249,7 @@ entries in
\fIsudoers\fR \fIsudoers\fR
are converted to are converted to
\fIoptions\fR. \fIoptions\fR.
.TP 10n .TP 6n
commands commands
A list of commands, with optional arguments, that the user is allowed to run. A list of commands, with optional arguments, that the user is allowed to run.
If set to the special value If set to the special value

View File

@ -84,7 +84,7 @@ One or more
types may be specified, separated by a comma types may be specified, separated by a comma
.Pq Ql \&, . .Pq Ql \&, .
The supported types are: The supported types are:
.Bl -tag -width 8n .Bl -tag -width "command"
.It all .It all
All Defaults entries. All Defaults entries.
.It global .It global
@ -120,7 +120,7 @@ is JSON or sudoers.
.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format .It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
Specify the output format (case-insensitive). Specify the output format (case-insensitive).
The following formats are supported: The following formats are supported:
.Bl -tag -width 8n .Bl -tag -width "sudoers"
.It CSV .It CSV
CSV (comma-separated value) files are often used by spreadsheets CSV (comma-separated value) files are often used by spreadsheets
and report generators. and report generators.
@ -170,7 +170,7 @@ Display a short help message to the standard output and exit.
.It Fl i Ar input_format , Fl -input-format Ns = Ns Ar input_format .It Fl i Ar input_format , Fl -input-format Ns = Ns Ar input_format
Specify the input format. Specify the input format.
The following formats are supported: The following formats are supported:
.Bl -tag -width 8n .Bl -tag -width "sudoers"
.It LDIF .It LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by server to convert security policies used by
@ -783,7 +783,7 @@ array consists of one or more objects containing
.Dq name:value .Dq name:value
pair elements. pair elements.
The following names and values are supported: The following names and values are supported:
.Bl -tag -width 8n .Bl -tag -width "command"
.It command .It command
A string containing the command to run. A string containing the command to run.
The special value The special value
@ -941,7 +941,7 @@ defaults_type,binding,name,operator,value
.Ed .Ed
.Pp .Pp
The fields are as follows: The fields are as follows:
.Bl -tag -width 8n .Bl -tag -width 4n
.It defaults_type .It defaults_type
The type of The type of
.Em Defaults .Em Defaults
@ -998,7 +998,7 @@ alias_type,alias_name,members
.Ed .Ed
.Pp .Pp
The fields are as follows: The fields are as follows:
.Bl -tag -width 8n .Bl -tag -width 4n
.It alias_type .It alias_type
The type of alias; one of The type of alias; one of
.Em Cmnd_Alias , .Em Cmnd_Alias ,
@ -1027,7 +1027,7 @@ rule,user,host,runusers,rungroups,options,command
.Ed .Ed
.Pp .Pp
The fields are as follows: The fields are as follows:
.Bl -tag -width 8n .Bl -tag -width 4n
.It rule .It rule
This field indicates a This field indicates a
.Em sudoers .Em sudoers

View File

@ -2,7 +2,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 2010-2022 Todd C. Miller <Todd.Miller@sudo.ws> .\" Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.nr SL @SEMAN@ .nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "December 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO.CONF" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -35,19 +35,19 @@ debug flags, and other settings.
The The
\fBsudo.conf\fR \fBsudo.conf\fR
file supports the following directives, described in detail below. file supports the following directives, described in detail below.
.TP 10n .TP 8n
Plugin Plugin
an approval, audit, I/O logging, or security policy plugin an approval, audit, I/O logging, or security policy plugin
.TP 10n .TP 8n
Path Path
a plugin-agnostic path a plugin-agnostic path
.TP 10n .TP 8n
Set Set
a front-end setting, such as a front-end setting, such as
\fIdisable_coredump\fR \fIdisable_coredump\fR
or or
\fIgroup_source\fR \fIgroup_source\fR
.TP 10n .TP 8n
Debug Debug
debug flags to aid in debugging debug flags to aid in debugging
\fBsudo\fR, \fBsudo\fR,
@ -246,7 +246,7 @@ version 1.8.16 and higher.
The following plugin-agnostic paths may be set in the The following plugin-agnostic paths may be set in the
\fI@sysconfdir@/sudo.conf\fR \fI@sysconfdir@/sudo.conf\fR
file: file:
.TP 10n .TP 6n
askpass askpass
The fully qualified path to a helper program used to read the user's The fully qualified path to a helper program used to read the user's
password when no terminal is available. password when no terminal is available.
@ -262,9 +262,8 @@ The value of
may be overridden by the may be overridden by the
\fRSUDO_ASKPASS\fR \fRSUDO_ASKPASS\fR
environment variable. environment variable.
.TP 10n .TP 6n
devsearch devsearch
.br
An ordered, colon-separated search path of directories to look in for An ordered, colon-separated search path of directories to look in for
device nodes. device nodes.
This is used when mapping the process's tty device number to a device name This is used when mapping the process's tty device number to a device name
@ -286,9 +285,8 @@ or
functions, for example functions, for example
BSD, BSD,
macOS and Solaris. macOS and Solaris.
.TP 10n .TP 6n
intercept intercept
.br
The fully-qualified path to a shared library containing a wrappers for the The fully-qualified path to a shared library containing a wrappers for the
execve(2), execve(2),
execl(3), execl(3),
@ -308,7 +306,7 @@ functionality on systems that support
or its equivalent. or its equivalent.
The default value is The default value is
\fI@intercept_file@\fR. \fI@intercept_file@\fR.
.TP 10n .TP 6n
noexec noexec
The fully-qualified path to a shared library containing wrappers The fully-qualified path to a shared library containing wrappers
for the for the
@ -337,14 +335,13 @@ functionality on systems that support
or its equivalent. or its equivalent.
The default value is The default value is
\fI@noexec_file@\fR. \fI@noexec_file@\fR.
.TP 10n .TP 6n
plugin_dir plugin_dir
The default directory to use when searching for plugins The default directory to use when searching for plugins
that are specified without a fully qualified path name. that are specified without a fully qualified path name.
The default value is The default value is
\fI@plugindir@\fR. \fI@plugindir@\fR.
.if \n(SL \{\ .TP 6n
.TP 10n
sesh sesh
The fully-qualified path to the The fully-qualified path to the
\fBsesh\fR \fBsesh\fR
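Review bot: the ".if \n(SL \{\" line that guards the sesh entry is dropped in this hunk (the hunk shrinks from 14 to 13 lines and the new side carries only ".TP 6n"), but no matching change to the block's closing "\}" is visible here. Unless that closing brace is removed elsewhere in this commit, the file is left with an unbalanced "\}" and the sesh path is documented unconditionally, even when SL (set from @SEMAN@ near the top of this file) is 0. Please confirm the guard is meant to go; otherwise keep ".if \n(SL \{\" immediately before the new ".TP 6n".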
@ -359,7 +356,7 @@ The default value is
The The
\fBsudo.conf\fR \fBsudo.conf\fR
file also supports the following front-end settings: file also supports the following front-end settings:
.TP 10n .TP 6n
disable_coredump disable_coredump
Core dumps of Core dumps of
\fBsudo\fR \fBsudo\fR
@ -374,11 +371,11 @@ to false in
as follows: as follows:
.nf .nf
.sp .sp
.RS 14n .RS 10n
Set disable_coredump false Set disable_coredump false
.RE .RE
.fi .fi
.RS 10n .RS 6n
.sp .sp
All modern operating systems place restrictions on core dumps All modern operating systems place restrictions on core dumps
from set-user-ID processes like from set-user-ID processes like
@ -400,7 +397,7 @@ This setting is only available in
\fBsudo\fR \fBsudo\fR
version 1.8.4 and higher. version 1.8.4 and higher.
.RE .RE
.TP 10n .TP 6n
group_source group_source
\fBsudo\fR \fBsudo\fR
passes the invoking user's group list to the policy and I/O plugins. passes the invoking user's group list to the policy and I/O plugins.
@ -410,10 +407,10 @@ with NFS).
On systems with the On systems with the
getconf(1) getconf(1)
utility, running: utility, running:
.RS 16n .RS 12n
getconf NGROUPS_MAX getconf NGROUPS_MAX
.RE .RE
.RS 10n .RS 6n
will return the maximum number of groups. will return the maximum number of groups.
.sp .sp
However, it is still possible to be a member of a larger number of However, it is still possible to be a member of a larger number of
@ -434,7 +431,7 @@ setting allows the administrator to change this default behavior.
Supported values for Supported values for
\fIgroup_source\fR \fIgroup_source\fR
are: are:
.TP 10n .TP 6n
static static
Use the static group list that the kernel returns. Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject Retrieving the group list this way is very fast but it is subject
@ -446,7 +443,7 @@ after the user logs in.
This was the default behavior prior to This was the default behavior prior to
\fBsudo\fR \fBsudo\fR
1.8.7. 1.8.7.
.TP 10n .TP 6n
dynamic dynamic
Always query the group database directly. Always query the group database directly.
It is It is
@ -466,7 +463,7 @@ HP-UX, Linux, macOS, and Solaris.
This is the default behavior on macOS in This is the default behavior on macOS in
\fBsudo\fR \fBsudo\fR
1.9.6 and higher. 1.9.6 and higher.
.TP 10n .TP 6n
adaptive adaptive
Only query the group database if the static group list returned Only query the group database if the static group list returned
by the kernel has the maximum number of entries. by the kernel has the maximum number of entries.
@ -479,7 +476,7 @@ For example, to cause
to only use the kernel's static list of groups for the user: to only use the kernel's static list of groups for the user:
.nf .nf
.sp .sp
.RS 14n .RS 10n
Set group_source static Set group_source static
.RE .RE
.fi .fi
@ -488,7 +485,7 @@ This setting is only available in
\fBsudo\fR \fBsudo\fR
version 1.8.7 and higher. version 1.8.7 and higher.
.RE .RE
.TP 10n .TP 6n
max_groups max_groups
The maximum number of user groups to retrieve from the group database. The maximum number of user groups to retrieve from the group database.
Values less than one or larger than 1024 will be ignored. Values less than one or larger than 1024 will be ignored.
@ -506,7 +503,7 @@ version 1.8.7 and higher.
It should not be required in It should not be required in
\fBsudo\fR \fBsudo\fR
versions 1.8.24 and higher and may be removed in a later release. versions 1.8.24 and higher and may be removed in a later release.
.TP 10n .TP 6n
probe_interfaces probe_interfaces
By default, By default,
\fBsudo\fR \fBsudo\fR
@ -520,11 +517,11 @@ If IP-based matching is not required, network interface probing
can be disabled as follows: can be disabled as follows:
.nf .nf
.sp .sp
.RS 14n .RS 10n
Set probe_interfaces false Set probe_interfaces false
.RE .RE
.fi .fi
.RS 10n .RS 6n
.sp .sp
This setting is only available in This setting is only available in
\fBsudo\fR \fBsudo\fR

View File

@ -1,7 +1,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 2010-2022 Todd C. Miller <Todd.Miller@sudo.ws> .\" Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.nr SL @SEMAN@ .nr SL @SEMAN@
.Dd December 26, 2022 .Dd January 16, 2023
.Dt SUDO.CONF @mansectform@ .Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -34,7 +34,7 @@ debug flags, and other settings.
The The
.Nm .Nm
file supports the following directives, described in detail below. file supports the following directives, described in detail below.
.Bl -tag -width 8n .Bl -tag -width "Plugin"
.It Plugin .It Plugin
an approval, audit, I/O logging, or security policy plugin an approval, audit, I/O logging, or security policy plugin
.It Path .It Path
@ -225,7 +225,7 @@ version 1.8.16 and higher.
The following plugin-agnostic paths may be set in the The following plugin-agnostic paths may be set in the
.Pa @sysconfdir@/sudo.conf .Pa @sysconfdir@/sudo.conf
file: file:
.Bl -tag -width 8n .Bl -tag -width 4n
.It askpass .It askpass
The fully qualified path to a helper program used to read the user's The fully qualified path to a helper program used to read the user's
password when no terminal is available. password when no terminal is available.
@ -332,7 +332,7 @@ The default value is
The The
.Nm .Nm
file also supports the following front-end settings: file also supports the following front-end settings:
.Bl -tag -width 8n .Bl -tag -width 4n
.It disable_coredump .It disable_coredump
Core dumps of Core dumps of
.Nm sudo .Nm sudo
@ -398,7 +398,7 @@ setting allows the administrator to change this default behavior.
Supported values for Supported values for
.Em group_source .Em group_source
are: are:
.Bl -tag -width 8n .Bl -tag -width 4n
.It static .It static
Use the static group list that the kernel returns. Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject Retrieving the group list this way is very fast but it is subject
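Review bot: this list gets -width 4n although its tags (static, dynamic, adaptive) are short, while the comparable short-tag list in the cvtsudoers mdoc earlier in this commit switched to the longest tag (-width "command"). Under the rule in the commit message, either use -width "adaptive" here or state why this list is treated as the wrapping case, so the two pages stay consistent.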

View File

@ -86,7 +86,7 @@ The
\fIserver\fR \fIserver\fR
section configures the address and port the server will listen on. section configures the address and port the server will listen on.
The following keys are recognized: The following keys are recognized:
.TP 10n .TP 6n
listen_address = host[:port][(tls)] listen_address = host[:port][(tls)]
The host name or IP address, optional port to listen on and The host name or IP address, optional port to listen on and
an optional Transport Layer Security (TLS) flag in parentheses. an optional Transport Layer Security (TLS) flag in parentheses.
@ -115,19 +115,19 @@ connections and port 30344 will be used for TLS connections.
.sp .sp
The default value is: The default value is:
.nf .nf
.RS 16n .RS 12n
listen_address = *:30343 listen_address = *:30343
listen_address = *:30344(tls) listen_address = *:30344(tls)
.RE .RE
.fi .fi
.RS 10n .RS 6n
which will listen on all configured network interfaces for both which will listen on all configured network interfaces for both
plaintext and TLS connections. plaintext and TLS connections.
Multiple Multiple
\fIlisten_address\fR \fIlisten_address\fR
lines may be specified to listen on more than one port or interface. lines may be specified to listen on more than one port or interface.
.RE .RE
.TP 10n .TP 6n
server_log = string server_log = string
Where to log server warning and error messages. Where to log server warning and error messages.
Supported values are Supported values are
@ -144,7 +144,7 @@ is only effective when used in conjunction with the
option. option.
The default value is The default value is
\fIsyslog\fR. \fIsyslog\fR.
.TP 10n .TP 6n
pid_file = path pid_file = path
The path to the file containing the process ID of the running The path to the file containing the process ID of the running
\fBsudo_logsrvd\fR. \fBsudo_logsrvd\fR.
@ -160,7 +160,7 @@ If
refers to a symbolic link, it will be ignored. refers to a symbolic link, it will be ignored.
The default value is The default value is
\fI@rundir@/sudo_logsrvd.pid\fR. \fI@rundir@/sudo_logsrvd.pid\fR.
.TP 10n .TP 6n
tcp_keepalive = boolean tcp_keepalive = boolean
If true, If true,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
@ -170,7 +170,7 @@ If the client does not respond to a message in time, the connection will
be closed. be closed.
Defaults to Defaults to
\fItrue\fR. \fItrue\fR.
.TP 10n .TP 6n
timeout = number timeout = number
The amount of time, in seconds, The amount of time, in seconds,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
@ -178,7 +178,7 @@ will wait for the client to respond.
A value of 0 will disable the timeout. A value of 0 will disable the timeout.
The default value is The default value is
\fI30\fR. \fI30\fR.
.TP 10n .TP 6n
tls_cacert = path tls_cacert = path
The path to a certificate authority bundle file, in PEM format, The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database to use instead of the system's default certificate authority database
@ -187,12 +187,12 @@ The default is to use
\fI/etc/ssl/sudo/cacert.pem\fR \fI/etc/ssl/sudo/cacert.pem\fR
if it exists, otherwise the system's default certificate authority if it exists, otherwise the system's default certificate authority
database is used. database is used.
.TP 10n .TP 6n
tls_cert = path tls_cert = path
The path to the server's certificate file, in PEM format. The path to the server's certificate file, in PEM format.
The default value is The default value is
\fI/etc/ssl/sudo/certs/logsrvd_cert.pem\fR. \fI/etc/ssl/sudo/certs/logsrvd_cert.pem\fR.
.TP 10n .TP 6n
tls_checkpeer = bool tls_checkpeer = bool
If true, client certificates will be validated by If true, client certificates will be validated by
\fBsudo_logsrvd\fR; \fBsudo_logsrvd\fR;
@ -205,7 +205,7 @@ setting must be set to a CA bundle that contains the CA certificate
used to generate the client certificate. used to generate the client certificate.
The default value is The default value is
\fIfalse\fR. \fIfalse\fR.
.TP 10n .TP 6n
tls_ciphers_v12 = string tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only, A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon separated by a colon
@ -220,7 +220,7 @@ The default value is
which consists of encryption cipher suites with key lengths larger than which consists of encryption cipher suites with key lengths larger than
128 bits, and some cipher suites with 128-bit keys. 128 bits, and some cipher suites with 128-bit keys.
Cipher suites that offer no authentication are excluded. Cipher suites that offer no authentication are excluded.
.TP 10n .TP 6n
tls_ciphers_v13 = string tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only, A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon separated by a colon
@ -228,47 +228,47 @@ separated by a colon
Supported cipher suites depend on the version of OpenSSL used, Supported cipher suites depend on the version of OpenSSL used,
but should include the following: but should include the following:
.sp .sp
.RS 16n .RS 12n
.PD 0 .PD 0
.TP 10n .TP 6n
TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256
.TP 10n .TP 6n
TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384
.TP 10n .TP 6n
TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256
.TP 10n .TP 6n
TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256
.TP 10n .TP 6n
TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256
.RE .RE
.RS 10n .RS 6n
.sp .sp
The default cipher suite is The default cipher suite is
\(lqTLS_AES_256_GCM_SHA384\(rq. \(lqTLS_AES_256_GCM_SHA384\(rq.
.RE .RE
.PD .PD
.TP 10n .TP 6n
tls_dhparams = path tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format. The path to a file containing custom Diffie-Hellman parameters in PEM format.
This file can be created with the following command: This file can be created with the following command:
.nf .nf
.sp .sp
.RS 10n .RS 6n
openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048 openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
.RE .RE
.fi .fi
.RS 10n .RS 6n
.sp .sp
By default, By default,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
will use the OpenSSL defaults for Diffie-Hellman key generation. will use the OpenSSL defaults for Diffie-Hellman key generation.
.RE .RE
.TP 10n .TP 6n
tls_key = path tls_key = path
The path to the server's private key file, in PEM format. The path to the server's private key file, in PEM format.
The default value is The default value is
\fI/etc/ssl/sudo/private/logsrvd_key.pem\fR. \fI/etc/ssl/sudo/private/logsrvd_key.pem\fR.
.TP 10n .TP 6n
tls_verify = bool tls_verify = bool
If true, If true,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
@ -292,7 +292,7 @@ They are only present in this section to make it possible for the relay
connection to use a different set of TLS parameters from the client-facing connection to use a different set of TLS parameters from the client-facing
server. server.
The following keys are recognized: The following keys are recognized:
.TP 10n .TP 6n
connect_timeout = number connect_timeout = number
The amount of time, in seconds, The amount of time, in seconds,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
@ -307,7 +307,7 @@ will wait for the relay to respond.
A value of 0 will disable the timeout. A value of 0 will disable the timeout.
The default value is The default value is
\fI30\fR. \fI30\fR.
.TP 10n .TP 6n
relay_dir = path relay_dir = path
The directory in which log messages are temporarily stored before they The directory in which log messages are temporarily stored before they
are sent to the relay host. are sent to the relay host.
@ -315,7 +315,7 @@ Messages are stored in the wire format specified by
sudo_logsrv.proto(@mansectform@) sudo_logsrv.proto(@mansectform@)
The default value is The default value is
\fI@relay_dir@\fR. \fI@relay_dir@\fR.
.TP 10n .TP 6n
relay_host = host[:port][(tls)] relay_host = host[:port][(tls)]
The relay host name or IP address, optional port to connect to and The relay host name or IP address, optional port to connect to and
an optional Transport Layer Security (TLS) flag in parentheses. an optional Transport Layer Security (TLS) flag in parentheses.
@ -340,13 +340,13 @@ protocol.
If multiple If multiple
\fIrelay_host\fR \fIrelay_host\fR
lines are specified, the first available relay host will be used. lines are specified, the first available relay host will be used.
.TP 10n .TP 6n
retry_interval = number retry_interval = number
The number of seconds to wait after a connection error before making The number of seconds to wait after a connection error before making
a new attempt to forward a message to a relay host. a new attempt to forward a message to a relay host.
The default value is The default value is
\fI30\fR. \fI30\fR.
.TP 10n .TP 6n
store_first = boolean store_first = boolean
If true, If true,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
@ -356,7 +356,7 @@ and the log is relayed.
If the network connection is interrupted before the log can be fully If the network connection is interrupted before the log can be fully
transferred, it will be retransmitted later. transferred, it will be retransmitted later.
The default is to relay logs in real-time. The default is to relay logs in real-time.
.TP 10n .TP 6n
tcp_keepalive = boolean tcp_keepalive = boolean
If true, If true,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
@ -365,7 +365,7 @@ This enables the periodic transmission of keepalive messages to the relay
server. server.
If the relay does not respond to a message in time, the connection will If the relay does not respond to a message in time, the connection will
be closed. be closed.
.TP 10n .TP 6n
timeout = number timeout = number
The amount of time, in seconds, The amount of time, in seconds,
\fBsudo_logsrvd\fR \fBsudo_logsrvd\fR
@ -373,7 +373,7 @@ will wait for the relay server to respond after a connection has succeeded.
A value of 0 will disable the timeout. A value of 0 will disable the timeout.
The default value is The default value is
\fI30\fR. \fI30\fR.
.TP 10n .TP 6n
tls_cacert = path tls_cacert = path
The path to a certificate authority bundle file, in PEM format, The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database to use instead of the system's default certificate authority database
@ -382,13 +382,13 @@ The default is to use the value specified in the
\fIserver\fR \fIserver\fR
section, or the system's default certificate authority database if section, or the system's default certificate authority database if
no value is set. no value is set.
.TP 10n .TP 6n
tls_cert = path tls_cert = path
The path to the server's certificate file, in PEM format. The path to the server's certificate file, in PEM format.
The default is to use the value specified in the The default is to use the value specified in the
\fIserver\fR \fIserver\fR
section. section.
.TP 10n .TP 6n
tls_checkpeer = bool tls_checkpeer = bool
If true, the relay host's certificate will be validated by If true, the relay host's certificate will be validated by
\fBsudo_logsrvd\fR; \fBsudo_logsrvd\fR;
@ -402,7 +402,7 @@ used to generate the relay certificate.
The default is to use the value specified in the The default is to use the value specified in the
\fIserver\fR \fIserver\fR
section. section.
.TP 10n .TP 6n
tls_ciphers_v12 = string tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only, A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon separated by a colon
@ -415,7 +415,7 @@ for full details.
The default is to use the value specified in the The default is to use the value specified in the
\fIserver\fR \fIserver\fR
section. section.
.TP 10n .TP 6n
tls_ciphers_v13 = string tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only, A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon separated by a colon
@ -427,19 +427,19 @@ section for more information.
The default is to use the value specified in the The default is to use the value specified in the
\fIserver\fR \fIserver\fR
section. section.
.TP 10n .TP 6n
tls_dhparams = path tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format. The path to a file containing custom Diffie-Hellman parameters in PEM format.
The default is to use the value specified in the The default is to use the value specified in the
\fIserver\fR \fIserver\fR
section. section.
.TP 10n .TP 6n
tls_key = path tls_key = path
The path to the server's private key file, in PEM format. The path to the server's private key file, in PEM format.
The default is to use the value specified in the The default is to use the value specified in the
\fIserver\fR \fIserver\fR
section. section.
.TP 10n .TP 6n
tls_verify = bool tls_verify = bool
If true, the server's certificate used for relaying will be verified at startup. If true, the server's certificate used for relaying will be verified at startup.
If false, no verification is performed of the server certificate. If false, no verification is performed of the server certificate.
@ -455,7 +455,7 @@ section configures I/O log parameters.
These settings are identical to the I/O configuration in These settings are identical to the I/O configuration in
sudoers(@mansectform@). sudoers(@mansectform@).
The following keys are recognized: The following keys are recognized:
.TP 10n .TP 6n
iolog_compress = boolean iolog_compress = boolean
If set, I/O logs will be compressed using If set, I/O logs will be compressed using
\fBzlib\fR. \fBzlib\fR.
@ -463,7 +463,7 @@ Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering. the program is executing due to buffering.
The default value is The default value is
\fIfalse\fR. \fIfalse\fR.
.TP 10n .TP 6n
iolog_dir = path iolog_dir = path
The top-level directory to use when constructing the path The top-level directory to use when constructing the path
name for the I/O log directory. name for the I/O log directory.
@ -475,7 +475,7 @@ The following percent
(\(oq%\(cq) (\(oq%\(cq)
escape sequences are supported: escape sequences are supported:
.PP .PP
.RS 10n .RS 6n
.PD 0 .PD 0
.TP 6n .TP 6n
%{seq} %{seq}
@ -514,7 +514,7 @@ character, the string
\(oq%%\(cq \(oq%%\(cq
should be used. should be used.
.RE .RE
.TP 10n .TP 6n
iolog_file = path iolog_file = path
The path name, relative to The path name, relative to
\fIiolog_dir\fR, \fIiolog_dir\fR,
@ -550,7 +550,7 @@ overwritten unless
ends in six or ends in six or
more more
\fIX\fRs. \fIX\fRs.
.TP 10n .TP 6n
iolog_flush = boolean iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of If set, I/O log data is flushed to disk after each write instead of
buffering it. buffering it.
@ -561,7 +561,7 @@ I/O logs are always flushed before sending a commit point to the client
regardless of this setting. regardless of this setting.
The default value is The default value is
\fItrue\fR. \fItrue\fR.
.TP 10n .TP 6n
iolog_group = name iolog_group = name
The group name to look up when setting the group-ID on new I/O log The group name to look up when setting the group-ID on new I/O log
files and directories. files and directories.
@ -575,7 +575,7 @@ If neither
nor nor
\fIiolog_user\fR \fIiolog_user\fR
are set, I/O log files and directories are created with group-ID 0. are set, I/O log files and directories are created with group-ID 0.
.TP 10n .TP 6n
iolog_mode = mode iolog_mode = mode
The file mode to use when creating I/O log files. The file mode to use when creating I/O log files.
Mode bits for read and write permissions for owner, group, or other Mode bits for read and write permissions for owner, group, or other
@ -587,7 +587,7 @@ to match the read and write bits specified by
\fIiolog_mode\fR. \fIiolog_mode\fR.
The default value is The default value is
\fI0600\fR. \fI0600\fR.
.TP 10n .TP 6n
iolog_user = name iolog_user = name
The user name to look up when setting the owner of new The user name to look up when setting the owner of new
I/O log files and directories. I/O log files and directories.
@ -596,7 +596,7 @@ If
is set, it will be used instead of the user's primary group-ID. is set, it will be used instead of the user's primary group-ID.
By default, I/O log files and directories are created with user and By default, I/O log files and directories are created with user and
group-ID 0. group-ID 0.
.TP 10n .TP 6n
log_passwords = bool log_passwords = bool
Most programs that require a user's password will disable echo before Most programs that require a user's password will disable echo before
reading the password to avoid displaying the plaintext password on reading the password to avoid displaying the plaintext password on
@ -625,7 +625,7 @@ option is set), only the
first character of the password will be replaced in the I/O log. first character of the password will be replaced in the I/O log.
The default value is The default value is
\fItrue\fR. \fItrue\fR.
.TP 10n .TP 6n
maxseq = number maxseq = number
The maximum sequence number that will be substituted for the The maximum sequence number that will be substituted for the
\(lq%{seq}\(rq \(lq%{seq}\(rq
@ -643,7 +643,7 @@ base 36 sequence number
will be silently truncated to 2176782336. will be silently truncated to 2176782336.
The default value is The default value is
\fI2176782336\fR. \fI2176782336\fR.
.TP 10n .TP 6n
passprompt_regex = string passprompt_regex = string
One or more POSIX extended regular expressions used to One or more POSIX extended regular expressions used to
match password prompts in the terminal output when match password prompts in the terminal output when

View File

@ -77,7 +77,7 @@ The
.Em server .Em server
section configures the address and port the server will listen on. section configures the address and port the server will listen on.
The following keys are recognized: The following keys are recognized:
.Bl -tag -width 8n .Bl -tag -width 4n
.It listen_address = host Ns Oo : Ns port Oc Ns Op (tls) .It listen_address = host Ns Oo : Ns port Oc Ns Op (tls)
The host name or IP address, optional port to listen on and The host name or IP address, optional port to listen on and
an optional Transport Layer Security (TLS) flag in parentheses. an optional Transport Layer Security (TLS) flag in parentheses.
@ -206,7 +206,7 @@ separated by a colon
Supported cipher suites depend on the version of OpenSSL used, Supported cipher suites depend on the version of OpenSSL used,
but should include the following: but should include the following:
.Pp .Pp
.Bl -tag -compact -width 8n -offset indent .Bl -tag -compact -width 4n -offset indent
.It TLS_AES_128_GCM_SHA256 .It TLS_AES_128_GCM_SHA256
.It TLS_AES_256_GCM_SHA384 .It TLS_AES_256_GCM_SHA384
.It TLS_CHACHA20_POLY1305_SHA256 .It TLS_CHACHA20_POLY1305_SHA256
@ -254,7 +254,7 @@ They are only present in this section to make it possible for the relay
connection to use a different set of TLS parameters from the client-facing connection to use a different set of TLS parameters from the client-facing
server. server.
The following keys are recognized: The following keys are recognized:
.Bl -tag -width 8n .Bl -tag -width 4n
.It connect_timeout = number .It connect_timeout = number
The amount of time, in seconds, The amount of time, in seconds,
.Nm sudo_logsrvd .Nm sudo_logsrvd
@ -404,7 +404,7 @@ section configures I/O log parameters.
These settings are identical to the I/O configuration in These settings are identical to the I/O configuration in
.Xr sudoers @mansectform@ . .Xr sudoers @mansectform@ .
The following keys are recognized: The following keys are recognized:
.Bl -tag -width 8n .Bl -tag -width 4n
.It iolog_compress = boolean .It iolog_compress = boolean
If set, I/O logs will be compressed using If set, I/O logs will be compressed using
.Sy zlib . .Sy zlib .

View File

@ -2,7 +2,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 2003-2022 Todd C. Miller <Todd.Miller@sudo.ws> .\" Copyright (c) 2003-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.TH "SUDOERS.LDAP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS.LDAP" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -1197,19 +1197,21 @@ The following
\fIlevel\fR \fIlevel\fR
values are supported: values are supported:
.RS 10n .RS 10n
.TP 10n .TP 6n
never never
.br
The server certificate will not be requested or checked. The server certificate will not be requested or checked.
.TP 10n .TP 6n
allow allow
.br
The server certificate will be requested. The server certificate will be requested.
A missing or invalid certificate is ignored and not considered an error. A missing or invalid certificate is ignored and not considered an error.
.TP 10n .TP 6n
try try
The server certificate will be requested. The server certificate will be requested.
A missing certificate is ignored but an invalid certificate will A missing certificate is ignored but an invalid certificate will
result in a connection error. result in a connection error.
.TP 10n .TP 6n
demand | \fIhard\fR demand | \fIhard\fR
The server certificate will be requested. The server certificate will be requested.
A missing or invalid certificate will result in a connection error. A missing or invalid certificate will result in a connection error.
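Review bot: the `.br` lines added after `never` and `allow` (but not after `try`) make the `never`, `allow` and `demand | \fIhard\fR` descriptions start on the line below the tag while the `try` description stays on its tag line, so the four level entries no longer render uniformly. That is a direct consequence of the mdoc source's `-width 4n` (a 3-character tag fits, 5-character ones do not), and the list_pw hunk at `@ -5238` in the sudoers man page shows the same split (`all`/`any` on the tag line, `always`/`never` below). If a uniform layout is wanted for these short, fixed value sets, choose a width that fits all of `never`/`allow`/`try` (for example `-width "allow"`, leaving only `demand | hard` to break) rather than 4n; otherwise this is acceptable as generated output.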
@ -1305,11 +1307,11 @@ The following sources are recognized:
.PP .PP
.RS 4n .RS 4n
.PD 0 .PD 0
.TP 10n .TP 7n
files files
read sudoers from read sudoers from
\fI@sysconfdir@/sudoers\fR \fI@sysconfdir@/sudoers\fR
.TP 10n .TP 7n
ldap ldap
read sudoers from LDAP read sudoers from LDAP
.RE .RE

View File

@ -1,7 +1,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 2003-2022 Todd C. Miller <Todd.Miller@sudo.ws> .\" Copyright (c) 2003-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" .\"
.Dd September 13, 2022 .Dd January 16, 2023
.Dt SUDOERS.LDAP @mansectform@ .Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -1102,7 +1102,7 @@ will be unable to connect to it.
The following The following
.Ar level .Ar level
values are supported: values are supported:
.Bl -tag -width 8n -offset 4n .Bl -tag -width 4n -offset 4n
.It never .It never
The server certificate will not be requested or checked. The server certificate will not be requested or checked.
.It allow .It allow
@ -1200,7 +1200,7 @@ precedence over earlier ones (unless
is used, see below). is used, see below).
The following sources are recognized: The following sources are recognized:
.Pp .Pp
.Bl -tag -width 8n -offset 4n -compact .Bl -tag -width "files" -offset 4n -compact
.It files .It files
read sudoers from read sudoers from
.Pa @sysconfdir@/sudoers .Pa @sysconfdir@/sudoers

View File

@ -2,7 +2,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
.\" Todd C. Miller <Todd.Miller@sudo.ws> .\" Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "December 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -110,7 +110,7 @@ Plugin sudoers_audit @sudoers_plugin@ sudoers_mode=0400 error_recovery=false
.fi .fi
.PP .PP
The following plugin arguments are supported: The following plugin arguments are supported:
.TP 10n .TP 6n
error_recovery=bool error_recovery=bool
The The
\fIerror_recovery\fR \fIerror_recovery\fR
@ -129,40 +129,40 @@ A value of
\fIfalse\fR \fIfalse\fR
will disable error recovery. will disable error recovery.
Prior to version 1.9.3, no error recovery was performed. Prior to version 1.9.3, no error recovery was performed.
.TP 10n .TP 6n
ldap_conf=pathname ldap_conf=pathname
The The
\fIldap_conf\fR \fIldap_conf\fR
argument can be used to override the default path to the argument can be used to override the default path to the
\fIldap.conf\fR \fIldap.conf\fR
file. file.
.TP 10n .TP 6n
ldap_secret=pathname ldap_secret=pathname
The The
\fIldap_secret\fR \fIldap_secret\fR
argument can be used to override the default path to the argument can be used to override the default path to the
\fIldap.secret\fR \fIldap.secret\fR
file. file.
.TP 10n .TP 6n
sudoers_file=pathname sudoers_file=pathname
The The
\fIsudoers_file\fR \fIsudoers_file\fR
argument can be used to override the default path to the argument can be used to override the default path to the
\fIsudoers\fR \fIsudoers\fR
file. file.
.TP 10n .TP 6n
sudoers_uid=user-ID sudoers_uid=user-ID
The The
\fIsudoers_uid\fR \fIsudoers_uid\fR
argument can be used to override the default owner of the sudoers file. argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID. It should be specified as a numeric user-ID.
.TP 10n .TP 6n
sudoers_gid=group-ID sudoers_gid=group-ID
The The
\fIsudoers_gid\fR \fIsudoers_gid\fR
argument can be used to override the default group of the sudoers file. argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name). It must be specified as a numeric group-ID (not a group name).
.TP 10n .TP 6n
sudoers_mode=mode sudoers_mode=mode
The The
\fIsudoers_mode\fR \fIsudoers_mode\fR
@ -1670,16 +1670,16 @@ $ ppriv -l
In addition, there are several In addition, there are several
\(lqspecial\(rq \(lqspecial\(rq
privilege strings: privilege strings:
.TP 10n .TP 7n
none none
the empty set the empty set
.TP 10n .TP 7n
all all
the set of all privileges the set of all privileges
.TP 10n .TP 7n
zone zone
the set of all privileges available in the current zone the set of all privileges available in the current zone
.TP 10n .TP 7n
basic basic
the default set of privileges normal users are granted at login time the default set of privileges normal users are granted at login time
.PP .PP
@ -2113,21 +2113,21 @@ and
fnmatch(3) fnmatch(3)
functions as specified by functions as specified by
IEEE Std 1003.1 (\(lqPOSIX.1\(rq). IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
.TP 10n .TP 8n
* *
Matches any set of zero or more characters (including white space). Matches any set of zero or more characters (including white space).
.TP 10n .TP 8n
\&? \&?
Matches any single character (including white space). Matches any single character (including white space).
.TP 10n .TP 8n
[...] [...]
Matches any character in the specified range. Matches any character in the specified range.
.TP 10n .TP 8n
[!...] [!...]
Matches any character Matches any character
\fInot\fR \fInot\fR
in the specified range. in the specified range.
.TP 10n .TP 8n
\ex \ex
For any character For any character
\(oqx\(cq, \(oqx\(cq,
@ -5216,7 +5216,7 @@ It has the following possible values:
.PP .PP
.RS 14n .RS 14n
.PD 0 .PD 0
.TP 10n .TP 6n
all all
All the user's All the user's
\fIsudoers\fR \fIsudoers\fR
@ -5225,12 +5225,12 @@ the
\fRNOPASSWD\fR \fRNOPASSWD\fR
flag set to avoid entering a password. flag set to avoid entering a password.
.PD .PD
.TP 10n .TP 6n
always always
The user must always enter a password to use the The user must always enter a password to use the
\fB\-l\fR \fB\-l\fR
option. option.
.TP 10n .TP 6n
any any
At least one of the user's At least one of the user's
\fIsudoers\fR \fIsudoers\fR
@ -5238,8 +5238,9 @@ file entries for the current host
must have the must have the
\fRNOPASSWD\fR \fRNOPASSWD\fR
flag set to avoid entering a password. flag set to avoid entering a password.
.TP 10n .TP 6n
never never
.br
The user need never enter a password to use the The user need never enter a password to use the
\fB\-l\fR \fB\-l\fR
option. option.
@ -5260,7 +5261,7 @@ Supported log formats are:
.PP .PP
.RS 14n .RS 14n
.PD 0 .PD 0
.TP 10n .TP 6n
json json
Logs in JSON format. Logs in JSON format.
JSON log entries contain the full user details as well as the execution JSON log entries contain the full user details as well as the execution
@ -5269,7 +5270,7 @@ Due to limitations of the protocol, JSON events sent via
\fIsyslog\fR \fIsyslog\fR
may be truncated. may be truncated.
.PD .PD
.TP 10n .TP 6n
sudo sudo
Traditional sudo-style logs, see Traditional sudo-style logs, see
\fIEVENT LOGGING\fR \fIEVENT LOGGING\fR
@ -5823,7 +5824,7 @@ If options are present, the string must be enclosed in double quotes
(\&""). (\&"").
.PP .PP
The following group provider plugins are installed by default: The following group provider plugins are installed by default:
.TP 10n .TP 6n
group_file group_file
The The
\fIgroup_file\fR \fIgroup_file\fR
@ -5836,11 +5837,11 @@ For example, if the group file to be used is
\fI/etc/sudo-group\fR: \fI/etc/sudo-group\fR:
.nf .nf
.sp .sp
.RS 10n .RS 6n
Defaults group_plugin="group_file.so /etc/sudo-group" Defaults group_plugin="group_file.so /etc/sudo-group"
.RE .RE
.fi .fi
.TP 10n .TP 6n
system_group system_group
The The
\fIsystem_group\fR \fIsystem_group\fR
@ -5853,7 +5854,7 @@ groups not present in the user's supplemental group vector.
This plugin takes no options: This plugin takes no options:
.nf .nf
.sp .sp
.RS 10n .RS 6n
Defaults group_plugin=system_group.so Defaults group_plugin=system_group.so
.RE .RE
.fi .fi
@ -6439,66 +6440,65 @@ The file may contain the following elements:
.PP .PP
.RS 10n .RS 10n
.PD 0 .PD 0
.TP 10n .TP 6n
timestamp timestamp
.br
A JSON object containing time the command was run. A JSON object containing time the command was run.
It consists of two values, It consists of two values,
\fIseconds\fR \fIseconds\fR
and and
\fInanoseconds\fR. \fInanoseconds\fR.
.PD .PD
.TP 10n .TP 6n
columns columns
The number of columns of the terminal the command ran on, or zero The number of columns of the terminal the command ran on, or zero
if no terminal was present. if no terminal was present.
.TP 10n .TP 6n
command command
The fully-qualified path of the command that was run. The fully-qualified path of the command that was run.
.TP 10n .TP 6n
lines lines
.br
The number of lines of the terminal the command ran on, or zero The number of lines of the terminal the command ran on, or zero
if no terminal was present. if no terminal was present.
.TP 10n .TP 6n
runargv runargv
A JSON array representing the command's argument vector as passed to the A JSON array representing the command's argument vector as passed to the
execve(2) execve(2)
system call. system call.
.TP 10n .TP 6n
runenv runenv
A JSON array representing the command's environment as passed to the A JSON array representing the command's environment as passed to the
execve(2) execve(2)
system call. system call.
.TP 10n .TP 6n
rungid rungid
The group ID the command ran as. The group ID the command ran as.
This element is only present when the user specifies a group on the This element is only present when the user specifies a group on the
command line. command line.
.TP 10n .TP 6n
rungroup rungroup
The name of the group the command ran as. The name of the group the command ran as.
This element is only present when the user specifies a group on the This element is only present when the user specifies a group on the
command line. command line.
.TP 10n .TP 6n
runuid runuid
The user ID the command ran as. The user ID the command ran as.
.TP 10n .TP 6n
runuser runuser
The name of the user the command ran as. The name of the user the command ran as.
.TP 10n .TP 6n
submitcwd submitcwd
.br
The current working directory at the time The current working directory at the time
\fBsudo\fR \fBsudo\fR
was run. was run.
.TP 10n .TP 6n
submithost submithost
The name of the host the command was run on. The name of the host the command was run on.
.TP 10n .TP 6n
submituser submituser
The name of the user who ran the command via The name of the user who ran the command via
\fBsudo\fR. \fBsudo\fR.
.TP 10n .TP 6n
ttyname ttyname
The path name of the terminal the user invoked The path name of the terminal the user invoked
\fBsudo\fR \fBsudo\fR
@ -7277,7 +7277,7 @@ Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail, and terminal programs. editors, paginators, mail, and terminal programs.
.PP .PP
There are four basic approaches to this problem: There are four basic approaches to this problem:
.TP 10n .TP 11n
restrict restrict
Avoid giving users access to commands that allow the user to run Avoid giving users access to commands that allow the user to run
arbitrary commands. arbitrary commands.
@ -7290,9 +7290,8 @@ running editors via
Due to the large number of programs that Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that offer shell escapes, restricting users to the set of programs that
do not is often unworkable. do not is often unworkable.
.TP 10n .TP 11n
intercept intercept
.br
On most systems, On most systems,
\fBsudo\fR's \fBsudo\fR's
\fIintercept\fR \fIintercept\fR
@ -7392,11 +7391,11 @@ tag as documented in the User Specification section above.
Here is that example again: Here is that example again:
.nf .nf
.sp .sp
.RS 10n .RS 11n
chuck research = INTERCEPT: ALL chuck research = INTERCEPT: ALL
.RE .RE
.fi .fi
.RS 10n .RS 11n
.sp .sp
This allows user This allows user
\fBchuck\fR \fBchuck\fR
@ -7434,7 +7433,7 @@ See the description of the
\fIintercept_verify\fR \fIintercept_verify\fR
setting for more information. setting for more information.
.RE .RE
.TP 10n .TP 11n
log log
There are two separate but related ways to log additional commands. There are two separate but related ways to log additional commands.
The first is to enable I/O logging using the The first is to enable I/O logging using the
@ -7457,7 +7456,7 @@ The
flag uses the same mechanism as flag uses the same mechanism as
\fIintercept\fR \fIintercept\fR
(see above) and has the same limitations. (see above) and has the same limitations.
.TP 10n .TP 11n
noexec noexec
\fBsudo\fR's \fBsudo\fR's
\fInoexec\fR \fInoexec\fR
@ -7509,11 +7508,11 @@ tag as documented in the User Specification section above.
Here is that example again: Here is that example again:
.nf .nf
.sp .sp
.RS 10n .RS 11n
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.RE .RE
.fi .fi
.RS 10n .RS 11n
.sp .sp
This allows user This allows user
\fBaaron\fR \fBaaron\fR

View File

@ -1,7 +1,7 @@
.\" .\"
.\" SPDX-License-Identifier: ISC .\" SPDX-License-Identifier: ISC
.\" .\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
.\" Todd C. Miller <Todd.Miller@sudo.ws> .\" Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd December 26, 2022 .Dd January 16, 2023
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -104,7 +104,7 @@ Plugin sudoers_audit @sudoers_plugin@ sudoers_mode=0400 error_recovery=false
.Ed .Ed
.Pp .Pp
The following plugin arguments are supported: The following plugin arguments are supported:
.Bl -tag -width 8n .Bl -tag -width 4n
.It error_recovery=bool .It error_recovery=bool
The The
.Em error_recovery .Em error_recovery
@ -1594,7 +1594,7 @@ $ ppriv -l
In addition, there are several In addition, there are several
.Dq special .Dq special
privilege strings: privilege strings:
.Bl -tag -width 8n .Bl -tag -width "basic"
.It none .It none
the empty set the empty set
.It all .It all
@ -2008,7 +2008,7 @@ and
.Xr fnmatch 3 .Xr fnmatch 3
functions as specified by functions as specified by
.St -p1003.1 . .St -p1003.1 .
.Bl -tag -width 8n .Bl -tag -width "[!...]"
.It * .It *
Matches any set of zero or more characters (including white space). Matches any set of zero or more characters (including white space).
.It \&? .It \&?
@ -2089,7 +2089,7 @@ For more information, see
below. below.
.Ss Exceptions to wildcard rules .Ss Exceptions to wildcard rules
The following exceptions apply to the above rules: The following exceptions apply to the above rules:
.Bl -tag -width 8n .Bl -tag -width "sudoedit"
.It \&"" .It \&""
If the empty string If the empty string
.Ql \&"" .Ql \&""
@ -4902,7 +4902,7 @@ with the
.Fl l .Fl l
option. option.
It has the following possible values: It has the following possible values:
.Bl -tag -width 8n .Bl -tag -width 4n
.It all .It all
All the user's All the user's
.Em sudoers .Em sudoers
@ -4938,7 +4938,7 @@ The default value is
.It log_format .It log_format
The event log format. The event log format.
Supported log formats are: Supported log formats are:
.Bl -tag -width 8n .Bl -tag -width 4n
.It json .It json
Logs in JSON format. Logs in JSON format.
JSON log entries contain the full user details as well as the execution JSON log entries contain the full user details as well as the execution
@ -5456,7 +5456,7 @@ If options are present, the string must be enclosed in double quotes
.Pq \&"" . .Pq \&"" .
.Pp .Pp
The following group provider plugins are installed by default: The following group provider plugins are installed by default:
.Bl -tag -width 8n .Bl -tag -width 4n
.It group_file .It group_file
The The
.Em group_file .Em group_file
@ -5980,7 +5980,7 @@ that you expect.
.Ss I/O log format .Ss I/O log format
For both local and remote I/O logs, each log is stored in a separate For both local and remote I/O logs, each log is stored in a separate
directory that contains the following files: directory that contains the following files:
.Bl -tag -width 8n .Bl -tag -width "log.json"
.It Pa log .It Pa log
A text file containing information about the command. A text file containing information about the command.
The first line consists of the following colon-delimited fields: The first line consists of the following colon-delimited fields:
@ -6007,7 +6007,7 @@ in preference to the
.Pa log .Pa log
file if it exists. file if it exists.
The file may contain the following elements: The file may contain the following elements:
.Bl -tag -width 8n .Bl -tag -width 4n
.It timestamp .It timestamp
A JSON object containing time the command was run. A JSON object containing time the command was run.
It consists of two values, It consists of two values,
@ -6727,7 +6727,7 @@ Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail, and terminal programs. editors, paginators, mail, and terminal programs.
.Pp .Pp
There are four basic approaches to this problem: There are four basic approaches to this problem:
.Bl -tag -width 8n .Bl -tag -width "intercept"
.It restrict .It restrict
Avoid giving users access to commands that allow the user to run Avoid giving users access to commands that allow the user to run
arbitrary commands. arbitrary commands.
@ -7173,7 +7173,7 @@ and higher.
The following subsystems are used by the The following subsystems are used by the
.Nm .Nm
plugin: plugin:
.Bl -tag -width 8n .Bl -tag -width "defaults"
.It Em alias .It Em alias
.Em User_Alias , .Em User_Alias ,
.Em Runas_Alias , .Em Runas_Alias ,

View File

@ -84,7 +84,7 @@ There are two
settings that determine which editor settings that determine which editor
\fBvisudo\fR \fBvisudo\fR
will run. will run.
.TP 10n .TP 12n
editor editor
A colon A colon
(\(oq:\&\(cq) (\(oq:\&\(cq)
@ -116,7 +116,7 @@ The default editor path is
which can be set at compile time via the which can be set at compile time via the
\fR--with-editor\fR \fR--with-editor\fR
configure option. configure option.
.TP 10n .TP 12n
env_editor env_editor
If set, If set,
\fBvisudo\fR \fBvisudo\fR
@ -334,26 +334,26 @@ Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400
.fi .fi
.PP .PP
The following arguments are supported: The following arguments are supported:
.TP 10n .TP 6n
sudoers_file=pathname sudoers_file=pathname
The The
\fIsudoers_file\fR \fIsudoers_file\fR
argument can be used to override the default path to the argument can be used to override the default path to the
\fIsudoers\fR \fIsudoers\fR
file. file.
.TP 10n .TP 6n
sudoers_uid=user-ID sudoers_uid=user-ID
The The
\fIsudoers_uid\fR \fIsudoers_uid\fR
argument can be used to override the default owner of the sudoers file. argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID. It should be specified as a numeric user-ID.
.TP 10n .TP 6n
sudoers_gid=group-ID sudoers_gid=group-ID
The The
\fIsudoers_gid\fR \fIsudoers_gid\fR
argument can be used to override the default group of the sudoers file. argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name). It must be specified as a numeric group-ID (not a group name).
.TP 10n .TP 6n
sudoers_mode=mode sudoers_mode=mode
The The
\fIsudoers_mode\fR \fIsudoers_mode\fR

View File

@ -82,7 +82,7 @@ There are two
settings that determine which editor settings that determine which editor
.Nm visudo .Nm visudo
will run. will run.
.Bl -tag -width 8n .Bl -tag -width "env_editor"
.It editor .It editor
A colon A colon
.Pq Ql :\& .Pq Ql :\&
@ -322,7 +322,7 @@ Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400
.Ed .Ed
.Pp .Pp
The following arguments are supported: The following arguments are supported:
.Bl -tag -width 8n .Bl -tag -width 4n
.It sudoers_file=pathname .It sudoers_file=pathname
The The
.Em sudoers_file .Em sudoers_file
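Review bot: the document dates and copyright years are bumped to January 16, 2023 in the SUDOERS.LDAP and SUDOERS pages (`.TH`/`.Dd` and `Copyright (c) ... 2023` hunks), but not in the `visudo` pages: this file's first hunk begins at `@ -82,7 +82,7` and its man counterpart's at `@ -84,7 +84,7`, so their `.Dd`/`.TH` lines are untouched, and the `sudo_logsrvd` mdoc page's first hunk likewise starts at `@ -77,7 +77,7`. Either bump the date in every page whose formatting changed or in none of them; a half-bumped set leaves the rendered page footers disagreeing about when the pages last changed.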