mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00

Stop using 8n width in tagged lists.

Use either 4n, when the body is expected to wrap or the width of
the longest tag when no wrapping is expected.
Todd C. Miller 2023-01-16 08:53:35 -07:00
parent 0814749132
commit 3726e38394
12 changed files with 215 additions and 217 deletions

View File

@ -91,24 +91,24 @@ The supported types are:
.PP
.RS 8n
.PD 0
.TP 10n
.TP 9n
all
All Defaults entries.
.PD
.TP 10n
.TP 9n
global
Global Defaults entries that are applied regardless of
user, runas, host, or command.
.TP 10n
.TP 9n
user
Per-user Defaults entries.
.TP 10n
.TP 9n
runas
Per-runas user Defaults entries.
.TP 10n
.TP 9n
host
Per-host Defaults entries.
.TP 10n
.TP 9n
command
Per-command Defaults entries.
.PP
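Review bot: the new `.TP 9n` used for every entry in this hunk is only right while `command` (7 characters) stays the longest tag in the list; a tag of 8 or more characters would no longer fit the indent and its description would drop to the next line. The mdoc source in this same commit expresses the intent directly as `.Bl -tag -width "command"`, so if this man page is produced from the mdoc file, please confirm the hunk is regenerated output rather than a hand edit so the two cannot drift apart.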
@ -138,7 +138,7 @@ The following formats are supported:
.PP
.RS 8n
.PD 0
.TP 10n
.TP 9n
CSV
CSV (comma-separated value) files are often used by spreadsheets
and report generators.
@ -146,7 +146,7 @@ See
\fICSV output format\fR
for more details.
.PD
.TP 10n
.TP 9n
JSON
JSON (JavaScript Object Notation) files are usually easier for
third-party applications to consume than the traditional
@ -159,7 +159,7 @@ format.
See
\fIJSON output format\fR
for more details.
.TP 10n
.TP 9n
LDIF
LDIF (LDAP Data Interchange Format) files can be imported into an LDAP
server for use with
@ -167,7 +167,7 @@ sudoers.ldap(@mansectform@).
.sp
Conversion to LDIF has the following limitations:
.PP
.RS 10n
.RS 9n
.PD 0
.TP 3n
\fB\(bu\fR
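Review bot: the nested bullet list's `.RS` drops from 10n to 9n in step with the enclosing `.TP 9n`, which keeps the bullets aligned with the LDIF body text; the `.RE` that closes it is visible at the top of the following hunk, so the pairing survives the edit.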
@ -182,7 +182,7 @@ sudoers LDAP schema so they are expanded during the conversion.
.PP
.RE
.PD
.TP 10n
.TP 9n
sudoers
Traditional sudoers format.
A new sudoers file will be reconstructed from the parsed input file.
@ -209,7 +209,7 @@ The following formats are supported:
.PP
.RS 8n
.PD 0
.TP 10n
.TP 9n
LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by
@ -219,7 +219,7 @@ that match the base DN will be processed.
Not all sudoOptions specified in a sudoRole can be translated from
LDIF to sudoers format.
.PD
.TP 10n
.TP 9n
sudoers
Traditional sudoers format.
This is the default input format.
@ -899,30 +899,30 @@ The following names and values are supported:
.PP
.RS 6n
.PD 0
.TP 10n
.TP 9n
command
A string containing the command to run.
The special value
\fBALL\fR
it will match any command.
.PD
.TP 10n
.TP 9n
negated
A boolean value that, if true, will negate any comparison performed
with the object.
.TP 10n
.TP 9n
sha224
A string containing the SHA224 digest of the
\fIcommand\fR.
.TP 10n
.TP 9n
sha256
A string containing the SHA256 digest of the
\fIcommand\fR.
.TP 10n
.TP 9n
sha384
A string containing the SHA384 digest of the
\fIcommand\fR.
.TP 10n
.TP 9n
sha512
A string containing the SHA512 digest of the
\fIcommand\fR.
@ -1072,7 +1072,7 @@ defaults_type,binding,name,operator,value
.RS 6n
.sp
The fields are as follows:
.TP 10n
.TP 6n
defaults_type
The type of
\fIDefaults\fR
@ -1083,7 +1083,7 @@ setting; one of
\fIdefaults_runas\fR,
or
\fIdefaults_user\fR.
.TP 10n
.TP 6n
binding
For
\fIdefaults_command\fR,
@ -1092,12 +1092,12 @@ For
and
\fIdefaults_user\fR
this is the value that must match for the setting to be applied.
.TP 10n
.TP 6n
name
The name of the
\fIDefaults\fR
setting.
.TP 10n
.TP 6n
operator
The operator determines how the value is applied to the setting.
It may be either
@ -1108,8 +1108,9 @@ It may be either
or
\(oq-=\(cq
(remove).
.TP 10n
.TP 6n
value
.br
The setting's value, usually a string or, for
settings used in a boolean context,
\fItrue\fR
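Review bot: the `.br` after the `value` tag is what accounts for the +1 line in this hunk header, and it is needed: at the new 6n indent a 5-character tag would leave only a single space before its description on the same line, so the forced break moves the description to its own line. The other 5-character tags moved to 6n in this commit (`never`, `allow`, `lines`) get the same `.br`, so the treatment is consistent.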
@ -1141,7 +1142,7 @@ alias_type,alias_name,members
.RS 6n
.sp
The fields are as follows:
.TP 10n
.TP 6n
alias_type
The type of alias; one of
\fICmnd_Alias\fR,
@ -1149,11 +1150,11 @@ The type of alias; one of
\fIRunas_Alias\fR,
or
\fIUser_Alias\fR.
.TP 10n
.TP 6n
alias_name
The name of the alias; a string starting with an upper-case letter that
consists of upper-case letters, digits, or underscores.
.TP 10n
.TP 6n
members
A comma-separated list of members belonging to the alias.
Due to the use of commas,
@ -1181,13 +1182,13 @@ rule,user,host,runusers,rungroups,options,command
.RS 6n
.sp
The fields are as follows:
.TP 10n
.TP 6n
rule
This field indicates a
\fIsudoers\fR
\fIrule\fR
entry.
.TP 10n
.TP 6n
user
The user the rule applies to.
This may also be a Unix group (preceded by a
@ -1202,7 +1203,7 @@ or a
If set to the special value
\fBALL\fR,
it will match any user.
.TP 10n
.TP 6n
host
The host the rule applies to.
This may also be a netgroup (preceded by a
@ -1213,7 +1214,7 @@ or a
If set to the special value
\fBALL\fR,
it will match any host.
.TP 10n
.TP 6n
runusers
An optional comma-separated list of users (or
\fIRunas_Alias\fRes)
@ -1224,9 +1225,8 @@ If set to the special value
\fBALL\fR,
it will match any user.
If empty, the root user is assumed.
.TP 10n
.TP 6n
rungroups
.br
An optional comma-separated list of groups (or
\fIRunas_Alias\fRes)
the command may be run as.
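Review bot: removing the `.br` after `rungroups` (the hunk is one line shorter) is correct: at 6n the 9-character tag already exceeds the indent, so man(7) starts the body on the following line without an explicit break, whereas under the old 10n indent the tag nearly filled the column and the break was required to avoid a one-space gap.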
@ -1238,7 +1238,7 @@ it will match any group.
If empty, the
\fIrunuser\fR's
group is used.
.TP 10n
.TP 6n
options
An optional list of
\fIDefaults\fR
@ -1249,7 +1249,7 @@ entries in
\fIsudoers\fR
are converted to
\fIoptions\fR.
.TP 10n
.TP 6n
commands
A list of commands, with optional arguments, that the user is allowed to run.
If set to the special value

View File

@ -84,7 +84,7 @@ One or more
types may be specified, separated by a comma
.Pq Ql \&, .
The supported types are:
.Bl -tag -width 8n
.Bl -tag -width "command"
.It all
All Defaults entries.
.It global
@ -120,7 +120,7 @@ is JSON or sudoers.
.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
Specify the output format (case-insensitive).
The following formats are supported:
.Bl -tag -width 8n
.Bl -tag -width "sudoers"
.It CSV
CSV (comma-separated value) files are often used by spreadsheets
and report generators.
@ -170,7 +170,7 @@ Display a short help message to the standard output and exit.
.It Fl i Ar input_format , Fl -input-format Ns = Ns Ar input_format
Specify the input format.
The following formats are supported:
.Bl -tag -width 8n
.Bl -tag -width "sudoers"
.It LDIF
LDIF (LDAP Data Interchange Format) files can be exported from an LDAP
server to convert security policies used by
@ -783,7 +783,7 @@ array consists of one or more objects containing
.Dq name:value
pair elements.
The following names and values are supported:
.Bl -tag -width 8n
.Bl -tag -width "command"
.It command
A string containing the command to run.
The special value
@ -941,7 +941,7 @@ defaults_type,binding,name,operator,value
.Ed
.Pp
The fields are as follows:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It defaults_type
The type of
.Em Defaults
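Review bot: `-width 4n` for the CSV field list means every tag (`defaults_type`, `binding`, `operator`, ...) is wider than the indent, so each description starts on its own line and wraps at 4n; that is the commit message's rule for bodies expected to wrap, and it corresponds to the `.TP 6n` in the paired man-page hunks earlier in this commit (the paired hunks show the man width is consistently the mdoc width plus 2n: 8n to 10n, 4n to 6n, "command" to 9n).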
@ -998,7 +998,7 @@ alias_type,alias_name,members
.Ed
.Pp
The fields are as follows:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It alias_type
The type of alias; one of
.Em Cmnd_Alias ,
@ -1027,7 +1027,7 @@ rule,user,host,runusers,rungroups,options,command
.Ed
.Pp
The fields are as follows:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It rule
This field indicates a
.Em sudoers

View File

@ -2,7 +2,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2010-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "December 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO.CONF" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -35,19 +35,19 @@ debug flags, and other settings.
The
\fBsudo.conf\fR
file supports the following directives, described in detail below.
.TP 10n
.TP 8n
Plugin
an approval, audit, I/O logging, or security policy plugin
.TP 10n
.TP 8n
Path
a plugin-agnostic path
.TP 10n
.TP 8n
Set
a front-end setting, such as
\fIdisable_coredump\fR
or
\fIgroup_source\fR
.TP 10n
.TP 8n
Debug
debug flags to aid in debugging
\fBsudo\fR,
@ -246,7 +246,7 @@ version 1.8.16 and higher.
The following plugin-agnostic paths may be set in the
\fI@sysconfdir@/sudo.conf\fR
file:
.TP 10n
.TP 6n
askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
@ -262,9 +262,8 @@ The value of
may be overridden by the
\fRSUDO_ASKPASS\fR
environment variable.
.TP 10n
.TP 6n
devsearch
.br
An ordered, colon-separated search path of directories to look in for
device nodes.
This is used when mapping the process's tty device number to a device name
@ -286,9 +285,8 @@ or
functions, for example
BSD,
macOS and Solaris.
.TP 10n
.TP 6n
intercept
.br
The fully-qualified path to a shared library containing a wrappers for the
execve(2),
execl(3),
@ -308,7 +306,7 @@ functionality on systems that support
or its equivalent.
The default value is
\fI@intercept_file@\fR.
.TP 10n
.TP 6n
noexec
The fully-qualified path to a shared library containing wrappers
for the
@ -337,14 +335,13 @@ functionality on systems that support
or its equivalent.
The default value is
\fI@noexec_file@\fR.
.TP 10n
.TP 6n
plugin_dir
The default directory to use when searching for plugins
that are specified without a fully qualified path name.
The default value is
\fI@plugindir@\fR.
.if \n(SL \{\
.TP 10n
.TP 6n
sesh
The fully-qualified path to the
\fBsesh\fR
@ -359,7 +356,7 @@ The default value is
The
\fBsudo.conf\fR
file also supports the following front-end settings:
.TP 10n
.TP 6n
disable_coredump
Core dumps of
\fBsudo\fR
@ -374,11 +371,11 @@ to false in
as follows:
.nf
.sp
.RS 14n
.RS 10n
Set disable_coredump false
.RE
.fi
.RS 10n
.RS 6n
.sp
All modern operating systems place restrictions on core dumps
from set-user-ID processes like
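Review bot: both `.RS` values in the example block shrink by 4n (14n to 10n for the `Set disable_coredump false` line, 10n to 6n for the continuation paragraph), the same delta as the enclosing `.TP 10n` to `.TP 6n`, so the example keeps its 4n offset relative to the body text; the `group_source` and `probe_interfaces` examples later in this file follow the same pattern.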
@ -400,7 +397,7 @@ This setting is only available in
\fBsudo\fR
version 1.8.4 and higher.
.RE
.TP 10n
.TP 6n
group_source
\fBsudo\fR
passes the invoking user's group list to the policy and I/O plugins.
@ -410,10 +407,10 @@ with NFS).
On systems with the
getconf(1)
utility, running:
.RS 16n
.RS 12n
getconf NGROUPS_MAX
.RE
.RS 10n
.RS 6n
will return the maximum number of groups.
.sp
However, it is still possible to be a member of a larger number of
@ -434,7 +431,7 @@ setting allows the administrator to change this default behavior.
Supported values for
\fIgroup_source\fR
are:
.TP 10n
.TP 6n
static
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject
@ -446,7 +443,7 @@ after the user logs in.
This was the default behavior prior to
\fBsudo\fR
1.8.7.
.TP 10n
.TP 6n
dynamic
Always query the group database directly.
It is
@ -466,7 +463,7 @@ HP-UX, Linux, macOS, and Solaris.
This is the default behavior on macOS in
\fBsudo\fR
1.9.6 and higher.
.TP 10n
.TP 6n
adaptive
Only query the group database if the static group list returned
by the kernel has the maximum number of entries.
@ -479,7 +476,7 @@ For example, to cause
to only use the kernel's static list of groups for the user:
.nf
.sp
.RS 14n
.RS 10n
Set group_source static
.RE
.fi
@ -488,7 +485,7 @@ This setting is only available in
\fBsudo\fR
version 1.8.7 and higher.
.RE
.TP 10n
.TP 6n
max_groups
The maximum number of user groups to retrieve from the group database.
Values less than one or larger than 1024 will be ignored.
@ -506,7 +503,7 @@ version 1.8.7 and higher.
It should not be required in
\fBsudo\fR
versions 1.8.24 and higher and may be removed in a later release.
.TP 10n
.TP 6n
probe_interfaces
By default,
\fBsudo\fR
@ -520,11 +517,11 @@ If IP-based matching is not required, network interface probing
can be disabled as follows:
.nf
.sp
.RS 14n
.RS 10n
Set probe_interfaces false
.RE
.fi
.RS 10n
.RS 6n
.sp
This setting is only available in
\fBsudo\fR

View File

@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2010-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.Dd December 26, 2022
.Dd January 16, 2023
.Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -34,7 +34,7 @@ debug flags, and other settings.
The
.Nm
file supports the following directives, described in detail below.
.Bl -tag -width 8n
.Bl -tag -width "Plugin"
.It Plugin
an approval, audit, I/O logging, or security policy plugin
.It Path
@ -225,7 +225,7 @@ version 1.8.16 and higher.
The following plugin-agnostic paths may be set in the
.Pa @sysconfdir@/sudo.conf
file:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
@ -332,7 +332,7 @@ The default value is
The
.Nm
file also supports the following front-end settings:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It disable_coredump
Core dumps of
.Nm sudo
@ -398,7 +398,7 @@ setting allows the administrator to change this default behavior.
Supported values for
.Em group_source
are:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It static
Use the static group list that the kernel returns.
Retrieving the group list this way is very fast but it is subject

View File

@ -86,7 +86,7 @@ The
\fIserver\fR
section configures the address and port the server will listen on.
The following keys are recognized:
.TP 10n
.TP 6n
listen_address = host[:port][(tls)]
The host name or IP address, optional port to listen on and
an optional Transport Layer Security (TLS) flag in parentheses.
@ -115,19 +115,19 @@ connections and port 30344 will be used for TLS connections.
.sp
The default value is:
.nf
.RS 16n
.RS 12n
listen_address = *:30343
listen_address = *:30344(tls)
.RE
.fi
.RS 10n
.RS 6n
which will listen on all configured network interfaces for both
plaintext and TLS connections.
Multiple
\fIlisten_address\fR
lines may be specified to listen on more than one port or interface.
.RE
.TP 10n
.TP 6n
server_log = string
Where to log server warning and error messages.
Supported values are
@ -144,7 +144,7 @@ is only effective when used in conjunction with the
option.
The default value is
\fIsyslog\fR.
.TP 10n
.TP 6n
pid_file = path
The path to the file containing the process ID of the running
\fBsudo_logsrvd\fR.
@ -160,7 +160,7 @@ If
refers to a symbolic link, it will be ignored.
The default value is
\fI@rundir@/sudo_logsrvd.pid\fR.
.TP 10n
.TP 6n
tcp_keepalive = boolean
If true,
\fBsudo_logsrvd\fR
@ -170,7 +170,7 @@ If the client does not respond to a message in time, the connection will
be closed.
Defaults to
\fItrue\fR.
.TP 10n
.TP 6n
timeout = number
The amount of time, in seconds,
\fBsudo_logsrvd\fR
@ -178,7 +178,7 @@ will wait for the client to respond.
A value of 0 will disable the timeout.
The default value is
\fI30\fR.
.TP 10n
.TP 6n
tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
@ -187,12 +187,12 @@ The default is to use
\fI/etc/ssl/sudo/cacert.pem\fR
if it exists, otherwise the system's default certificate authority
database is used.
.TP 10n
.TP 6n
tls_cert = path
The path to the server's certificate file, in PEM format.
The default value is
\fI/etc/ssl/sudo/certs/logsrvd_cert.pem\fR.
.TP 10n
.TP 6n
tls_checkpeer = bool
If true, client certificates will be validated by
\fBsudo_logsrvd\fR;
@ -205,7 +205,7 @@ setting must be set to a CA bundle that contains the CA certificate
used to generate the client certificate.
The default value is
\fIfalse\fR.
.TP 10n
.TP 6n
tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon
@ -220,7 +220,7 @@ The default value is
which consists of encryption cipher suites with key lengths larger than
128 bits, and some cipher suites with 128-bit keys.
Cipher suites that offer no authentication are excluded.
.TP 10n
.TP 6n
tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon
@ -228,47 +228,47 @@ separated by a colon
Supported cipher suites depend on the version of OpenSSL used,
but should include the following:
.sp
.RS 16n
.RS 12n
.PD 0
.TP 10n
.TP 6n
TLS_AES_128_GCM_SHA256
.TP 10n
.TP 6n
TLS_AES_256_GCM_SHA384
.TP 10n
.TP 6n
TLS_CHACHA20_POLY1305_SHA256
.TP 10n
.TP 6n
TLS_AES_128_CCM_SHA256
.TP 10n
.TP 6n
TLS_AES_128_CCM_8_SHA256
.RE
.RS 10n
.RS 6n
.sp
The default cipher suite is
\(lqTLS_AES_256_GCM_SHA384\(rq.
.RE
.PD
.TP 10n
.TP 6n
tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format.
This file can be created with the following command:
.nf
.sp
.RS 10n
.RS 6n
openssl dhparam -out /etc/sudo_logsrvd_dhparams.pem 2048
.RE
.fi
.RS 10n
.RS 6n
.sp
By default,
\fBsudo_logsrvd\fR
will use the OpenSSL defaults for Diffie-Hellman key generation.
.RE
.TP 10n
.TP 6n
tls_key = path
The path to the server's private key file, in PEM format.
The default value is
\fI/etc/ssl/sudo/private/logsrvd_key.pem\fR.
.TP 10n
.TP 6n
tls_verify = bool
If true,
\fBsudo_logsrvd\fR
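Review bot: in the TLS 1.3 cipher-suite list the tags (e.g. `TLS_CHACHA20_POLY1305_SHA256`) are far wider than the new 6n indent, but each `.TP` has an empty body so the width only determines where a body would start and nothing renders oddly; the enclosing `.RS 12n` still equals the 6n option indent plus the `-offset indent` shown in the mdoc hunk. One pre-existing point this hunk preserves rather than fixes: the `openssl dhparam` example under `tls_dhparams` stays flush with the body text (`.RS 6n` against `.TP 6n`, as 10n was against 10n before), while the `listen_address` default example is indented 6n past its body (`.RS 12n`); if both examples are meant to look alike, the dhparams one would want 10n.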
@ -292,7 +292,7 @@ They are only present in this section to make it possible for the relay
connection to use a different set of TLS parameters from the client-facing
server.
The following keys are recognized:
.TP 10n
.TP 6n
connect_timeout = number
The amount of time, in seconds,
\fBsudo_logsrvd\fR
@ -307,7 +307,7 @@ will wait for the relay to respond.
A value of 0 will disable the timeout.
The default value is
\fI30\fR.
.TP 10n
.TP 6n
relay_dir = path
The directory in which log messages are temporarily stored before they
are sent to the relay host.
@ -315,7 +315,7 @@ Messages are stored in the wire format specified by
sudo_logsrv.proto(@mansectform@)
The default value is
\fI@relay_dir@\fR.
.TP 10n
.TP 6n
relay_host = host[:port][(tls)]
The relay host name or IP address, optional port to connect to and
an optional Transport Layer Security (TLS) flag in parentheses.
@ -340,13 +340,13 @@ protocol.
If multiple
\fIrelay_host\fR
lines are specified, the first available relay host will be used.
.TP 10n
.TP 6n
retry_interval = number
The number of seconds to wait after a connection error before making
a new attempt to forward a message to a relay host.
The default value is
\fI30\fR.
.TP 10n
.TP 6n
store_first = boolean
If true,
\fBsudo_logsrvd\fR
@ -356,7 +356,7 @@ and the log is relayed.
If the network connection is interrupted before the log can be fully
transferred, it will be retransmitted later.
The default is to relay logs in real-time.
.TP 10n
.TP 6n
tcp_keepalive = boolean
If true,
\fBsudo_logsrvd\fR
@ -365,7 +365,7 @@ This enables the periodic transmission of keepalive messages to the relay
server.
If the relay does not respond to a message in time, the connection will
be closed.
.TP 10n
.TP 6n
timeout = number
The amount of time, in seconds,
\fBsudo_logsrvd\fR
@ -373,7 +373,7 @@ will wait for the relay server to respond after a connection has succeeded.
A value of 0 will disable the timeout.
The default value is
\fI30\fR.
.TP 10n
.TP 6n
tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
@ -382,13 +382,13 @@ The default is to use the value specified in the
\fIserver\fR
section, or the system's default certificate authority database if
no value is set.
.TP 10n
.TP 6n
tls_cert = path
The path to the server's certificate file, in PEM format.
The default is to use the value specified in the
\fIserver\fR
section.
.TP 10n
.TP 6n
tls_checkpeer = bool
If true, the relay host's certificate will be validated by
\fBsudo_logsrvd\fR;
@ -402,7 +402,7 @@ used to generate the relay certificate.
The default is to use the value specified in the
\fIserver\fR
section.
.TP 10n
.TP 6n
tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon
@ -415,7 +415,7 @@ for full details.
The default is to use the value specified in the
\fIserver\fR
section.
.TP 10n
.TP 6n
tls_ciphers_v13 = string
A list of ciphers to use for connections secured by TLS version 1.3 only,
separated by a colon
@ -427,19 +427,19 @@ section for more information.
The default is to use the value specified in the
\fIserver\fR
section.
.TP 10n
.TP 6n
tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format.
The default is to use the value specified in the
\fIserver\fR
section.
.TP 10n
.TP 6n
tls_key = path
The path to the server's private key file, in PEM format.
The default is to use the value specified in the
\fIserver\fR
section.
.TP 10n
.TP 6n
tls_verify = bool
If true, the server's certificate used for relaying will be verified at startup.
If false, no verification is performed of the server certificate.
@ -455,7 +455,7 @@ section configures I/O log parameters.
These settings are identical to the I/O configuration in
sudoers(@mansectform@).
The following keys are recognized:
.TP 10n
.TP 6n
iolog_compress = boolean
If set, I/O logs will be compressed using
\fBzlib\fR.
@ -463,7 +463,7 @@ Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering.
The default value is
\fIfalse\fR.
.TP 10n
.TP 6n
iolog_dir = path
The top-level directory to use when constructing the path
name for the I/O log directory.
@ -475,7 +475,7 @@ The following percent
(\(oq%\(cq)
escape sequences are supported:
.PP
.RS 10n
.RS 6n
.PD 0
.TP 6n
%{seq}
@ -514,7 +514,7 @@ character, the string
\(oq%%\(cq
should be used.
.RE
.TP 10n
.TP 6n
iolog_file = path
The path name, relative to
\fIiolog_dir\fR,
@ -550,7 +550,7 @@ overwritten unless
ends in six or
more
\fIX\fRs.
.TP 10n
.TP 6n
iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of
buffering it.
@ -561,7 +561,7 @@ I/O logs are always flushed before sending a commit point to the client
regardless of this setting.
The default value is
\fItrue\fR.
.TP 10n
.TP 6n
iolog_group = name
The group name to look up when setting the group-ID on new I/O log
files and directories.
@ -575,7 +575,7 @@ If neither
nor
\fIiolog_user\fR
are set, I/O log files and directories are created with group-ID 0.
.TP 10n
.TP 6n
iolog_mode = mode
The file mode to use when creating I/O log files.
Mode bits for read and write permissions for owner, group, or other
@ -587,7 +587,7 @@ to match the read and write bits specified by
\fIiolog_mode\fR.
The default value is
\fI0600\fR.
.TP 10n
.TP 6n
iolog_user = name
The user name to look up when setting the owner of new
I/O log files and directories.
@ -596,7 +596,7 @@ If
is set, it will be used instead of the user's primary group-ID.
By default, I/O log files and directories are created with user and
group-ID 0.
.TP 10n
.TP 6n
log_passwords = bool
Most programs that require a user's password will disable echo before
reading the password to avoid displaying the plaintext password on
@ -625,7 +625,7 @@ option is set), only the
first character of the password will be replaced in the I/O log.
The default value is
\fItrue\fR.
.TP 10n
.TP 6n
maxseq = number
The maximum sequence number that will be substituted for the
\(lq%{seq}\(rq
@ -643,7 +643,7 @@ base 36 sequence number
will be silently truncated to 2176782336.
The default value is
\fI2176782336\fR.
.TP 10n
.TP 6n
passprompt_regex = string
One or more POSIX extended regular expressions used to
match password prompts in the terminal output when

View File

@ -77,7 +77,7 @@ The
.Em server
section configures the address and port the server will listen on.
The following keys are recognized:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It listen_address = host Ns Oo : Ns port Oc Ns Op (tls)
The host name or IP address, optional port to listen on and
an optional Transport Layer Security (TLS) flag in parentheses.
@ -206,7 +206,7 @@ separated by a colon
Supported cipher suites depend on the version of OpenSSL used,
but should include the following:
.Pp
.Bl -tag -compact -width 8n -offset indent
.Bl -tag -compact -width 4n -offset indent
.It TLS_AES_128_GCM_SHA256
.It TLS_AES_256_GCM_SHA384
.It TLS_CHACHA20_POLY1305_SHA256
@ -254,7 +254,7 @@ They are only present in this section to make it possible for the relay
connection to use a different set of TLS parameters from the client-facing
server.
The following keys are recognized:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It connect_timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
@ -404,7 +404,7 @@ section configures I/O log parameters.
These settings are identical to the I/O configuration in
.Xr sudoers @mansectform@ .
The following keys are recognized:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It iolog_compress = boolean
If set, I/O logs will be compressed using
.Sy zlib .

View File

@ -2,7 +2,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2003-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2003-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS.LDAP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS.LDAP" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -1197,19 +1197,21 @@ The following
\fIlevel\fR
values are supported:
.RS 10n
.TP 10n
.TP 6n
never
.br
The server certificate will not be requested or checked.
.TP 10n
.TP 6n
allow
.br
The server certificate will be requested.
A missing or invalid certificate is ignored and not considered an error.
.TP 10n
.TP 6n
try
The server certificate will be requested.
A missing certificate is ignored but an invalid certificate will
result in a connection error.
.TP 10n
.TP 6n
demand | \fIhard\fR
The server certificate will be requested.
A missing or invalid certificate will result in a connection error.
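Review bot: leaving the enclosing `.RS 10n` untouched while the inner `.TP` moves from 10n to 6n is correct, since that 10n is the 6n indent of the surrounding option list plus the `-offset 4n` from the mdoc source (`.Bl -tag -width 4n -offset 4n` in the mdoc hunk below), not a leftover tag width. The two added `.br` lines after `never` and `allow` explain the +2 in the hunk header and are required because those 5-character tags now leave only one space before the body; `try` is short enough not to need one and `demand | hard` is wider than the indent, so man(7) breaks before its body on its own.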
@ -1305,11 +1307,11 @@ The following sources are recognized:
.PP
.RS 4n
.PD 0
.TP 10n
.TP 7n
files
read sudoers from
\fI@sysconfdir@/sudoers\fR
.TP 10n
.TP 7n
ldap
read sudoers from LDAP
.RE
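Review bot: `.TP 7n` matches the mdoc `-width "files"` (5 characters plus the 2n the paired hunks show mandoc adds), and since `ldap` is shorter both descriptions stay on the tag line; the `.RS 4n` enclosure is correctly unchanged because it comes from `-offset 4n`, not from the tag width.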

View File

@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2003-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2003-2023 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 13, 2022
.Dd January 16, 2023
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@ -1102,7 +1102,7 @@ will be unable to connect to it.
The following
.Ar level
values are supported:
.Bl -tag -width 8n -offset 4n
.Bl -tag -width 4n -offset 4n
.It never
The server certificate will not be requested or checked.
.It allow
@ -1200,7 +1200,7 @@ precedence over earlier ones (unless
is used, see below).
The following sources are recognized:
.Pp
.Bl -tag -width 8n -offset 4n -compact
.Bl -tag -width "files" -offset 4n -compact
.It files
read sudoers from
.Pa @sysconfdir@/sudoers

View File

@ -2,7 +2,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "December 26, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "January 16, 2023" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@ -110,7 +110,7 @@ Plugin sudoers_audit @sudoers_plugin@ sudoers_mode=0400 error_recovery=false
.fi
.PP
The following plugin arguments are supported:
.TP 10n
.TP 6n
error_recovery=bool
The
\fIerror_recovery\fR
@ -129,40 +129,40 @@ A value of
\fIfalse\fR
will disable error recovery.
Prior to version 1.9.3, no error recovery was performed.
.TP 10n
.TP 6n
ldap_conf=pathname
The
\fIldap_conf\fR
argument can be used to override the default path to the
\fIldap.conf\fR
file.
.TP 10n
.TP 6n
ldap_secret=pathname
The
\fIldap_secret\fR
argument can be used to override the default path to the
\fIldap.secret\fR
file.
.TP 10n
.TP 6n
sudoers_file=pathname
The
\fIsudoers_file\fR
argument can be used to override the default path to the
\fIsudoers\fR
file.
.TP 10n
.TP 6n
sudoers_uid=user-ID
The
\fIsudoers_uid\fR
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID.
.TP 10n
.TP 6n
sudoers_gid=group-ID
The
\fIsudoers_gid\fR
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name).
.TP 10n
.TP 6n
sudoers_mode=mode
The
\fIsudoers_mode\fR
@ -1670,16 +1670,16 @@ $ ppriv -l
In addition, there are several
\(lqspecial\(rq
privilege strings:
.TP 10n
.TP 7n
none
the empty set
.TP 10n
.TP 7n
all
the set of all privileges
.TP 10n
.TP 7n
zone
the set of all privileges available in the current zone
.TP 10n
.TP 7n
basic
the default set of privileges normal users are granted at login time
.PP
@ -2113,21 +2113,21 @@ and
fnmatch(3)
functions as specified by
IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
.TP 10n
.TP 8n
*
Matches any set of zero or more characters (including white space).
.TP 10n
.TP 8n
\&?
Matches any single character (including white space).
.TP 10n
.TP 8n
[...]
Matches any character in the specified range.
.TP 10n
.TP 8n
[!...]
Matches any character
\fInot\fR
in the specified range.
.TP 10n
.TP 8n
\ex
For any character
\(oqx\(cq,
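Review bot: 8n is the right width for the wildcard list because `[!...]` (6 printed characters) is the longest tag and the generic 6n would have pushed its description onto a separate line; note that `\&?` and `\ex` render as one and two characters respectively, so the width should be sized from the rendered tag, not its source length, which 8n does.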
@ -5216,7 +5216,7 @@ It has the following possible values:
.PP
.RS 14n
.PD 0
.TP 10n
.TP 6n
all
All the user's
\fIsudoers\fR
@ -5225,12 +5225,12 @@ the
\fRNOPASSWD\fR
flag set to avoid entering a password.
.PD
.TP 10n
.TP 6n
always
The user must always enter a password to use the
\fB\-l\fR
option.
.TP 10n
.TP 6n
any
At least one of the user's
\fIsudoers\fR
@ -5238,8 +5238,9 @@ file entries for the current host
must have the
\fRNOPASSWD\fR
flag set to avoid entering a password.
.TP 10n
.TP 6n
never
.br
The user need never enter a password to use the
\fB\-l\fR
option.
@ -5260,7 +5261,7 @@ Supported log formats are:
.PP
.RS 14n
.PD 0
.TP 10n
.TP 6n
json
Logs in JSON format.
JSON log entries contain the full user details as well as the execution
@ -5269,7 +5270,7 @@ Due to limitations of the protocol, JSON events sent via
\fIsyslog\fR
may be truncated.
.PD
.TP 10n
.TP 6n
sudo
Traditional sudo-style logs, see
\fIEVENT LOGGING\fR
@ -5823,7 +5824,7 @@ If options are present, the string must be enclosed in double quotes
(\&"").
.PP
The following group provider plugins are installed by default:
.TP 10n
.TP 6n
group_file
The
\fIgroup_file\fR
@ -5836,11 +5837,11 @@ For example, if the group file to be used is
\fI/etc/sudo-group\fR:
.nf
.sp
.RS 10n
.RS 6n
Defaults group_plugin="group_file.so /etc/sudo-group"
.RE
.fi
.TP 10n
.TP 6n
system_group
The
\fIsystem_group\fR
@ -5853,7 +5854,7 @@ groups not present in the user's supplemental group vector.
This plugin takes no options:
.nf
.sp
.RS 10n
.RS 6n
Defaults group_plugin=system_group.so
.RE
.fi
@ -6439,66 +6440,65 @@ The file may contain the following elements:
.PP
.RS 10n
.PD 0
.TP 10n
.TP 6n
timestamp
.br
A JSON object containing time the command was run.
It consists of two values,
\fIseconds\fR
and
\fInanoseconds\fR.
.PD
.TP 10n
.TP 6n
columns
The number of columns of the terminal the command ran on, or zero
if no terminal was present.
.TP 10n
.TP 6n
command
The fully-qualified path of the command that was run.
.TP 10n
.TP 6n
lines
.br
The number of lines of the terminal the command ran on, or zero
if no terminal was present.
.TP 10n
.TP 6n
runargv
A JSON array representing the command's argument vector as passed to the
execve(2)
system call.
.TP 10n
.TP 6n
runenv
A JSON array representing the command's environment as passed to the
execve(2)
system call.
.TP 10n
.TP 6n
rungid
The group ID the command ran as.
This element is only present when the user specifies a group on the
command line.
.TP 10n
.TP 6n
rungroup
The name of the group the command ran as.
This element is only present when the user specifies a group on the
command line.
.TP 10n
.TP 6n
runuid
The user ID the command ran as.
.TP 10n
.TP 6n
runuser
The name of the user the command ran as.
.TP 10n
.TP 6n
submitcwd
.br
The current working directory at the time
\fBsudo\fR
was run.
.TP 10n
.TP 6n
submithost
The name of the host the command was run on.
.TP 10n
.TP 6n
submituser
The name of the user who ran the command via
\fBsudo\fR.
.TP 10n
.TP 6n
ttyname
The path name of the terminal the user invoked
\fBsudo\fR
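Review bot: The outer `.RS 10n` on the first line of this hunk is correctly left alone: it is the indent of the enclosing list (the `log` / `log.json` file list, which gets `-width "log.json"` on the mdoc side, eight characters plus the gap), not of this element list. The `.br` lines kept after `timestamp` and `submitcwd` are now redundant, since both tags are nine characters, wider than 6n, so troff already starts their descriptions on the next line; only the `.br` after `lines` still affects layout. Harmless as generated output, but they could be dropped if this file is ever hand-maintained.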
@ -7277,7 +7277,7 @@ Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail, and terminal programs.
.PP
There are four basic approaches to this problem:
.TP 10n
.TP 11n
restrict
Avoid giving users access to commands that allow the user to run
arbitrary commands.
@ -7290,9 +7290,8 @@ running editors via
Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
.TP 10n
.TP 11n
intercept
.br
On most systems,
\fBsudo\fR's
\fIintercept\fR
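Review bot: Dropping the `.br` after `intercept` is right for the new 11n indent: the tag is nine characters and now fits beside its description with the gap, which is exactly what `-width "intercept"` in the mdoc hunk for this section produces. The other three approaches (`restrict`, `log`, `noexec`) are shorter, so none of the four tags wrap any more.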
@ -7392,11 +7391,11 @@ tag as documented in the User Specification section above.
Here is that example again:
.nf
.sp
.RS 10n
.RS 11n
chuck research = INTERCEPT: ALL
.RE
.fi
.RS 10n
.RS 11n
.sp
This allows user
\fBchuck\fR
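Review bot: Both `.RS` blocks here, the `.nf` example and the explanatory paragraph that follows it, must match the surrounding `.TP 11n` exactly or the `chuck research = INTERCEPT: ALL` example will render offset from the `intercept` body text. They do, and the `noexec` example further down is changed the same way.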
@ -7434,7 +7433,7 @@ See the description of the
\fIintercept_verify\fR
setting for more information.
.RE
.TP 10n
.TP 11n
log
There are two separate but related ways to log additional commands.
The first is to enable I/O logging using the
@ -7457,7 +7456,7 @@ The
flag uses the same mechanism as
\fIintercept\fR
(see above) and has the same limitations.
.TP 10n
.TP 11n
noexec
\fBsudo\fR's
\fInoexec\fR
@ -7509,11 +7508,11 @@ tag as documented in the User Specification section above.
Here is that example again:
.nf
.sp
.RS 10n
.RS 11n
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.RE
.fi
.RS 10n
.RS 11n
.sp
This allows user
\fBaaron\fR

View File

@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2022
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2023
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd December 26, 2022
.Dd January 16, 2023
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
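Review bot: Bumping `.Dd` is appropriate since the rendered output changes. Please make sure the generated sudoers.man.in picks up the same January 16, 2023 date in its `.TH` line, which is outside the part of the diff shown here.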
@ -104,7 +104,7 @@ Plugin sudoers_audit @sudoers_plugin@ sudoers_mode=0400 error_recovery=false
.Ed
.Pp
The following plugin arguments are supported:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It error_recovery=bool
The
.Em error_recovery
@ -1594,7 +1594,7 @@ $ ppriv -l
In addition, there are several
.Dq special
privilege strings:
.Bl -tag -width 8n
.Bl -tag -width "basic"
.It none
the empty set
.It all
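Review bot: `-width "basic"` assumes `basic` is the longest tag in the special privilege strings list, but only `none` and `all` are in this hunk. Please confirm no later tag in the list exceeds five characters; otherwise its description would wrap in the generated man page while the others do not.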
@ -2008,7 +2008,7 @@ and
.Xr fnmatch 3
functions as specified by
.St -p1003.1 .
.Bl -tag -width 8n
.Bl -tag -width "[!...]"
.It *
Matches any set of zero or more characters (including white space).
.It \&?
@ -2089,7 +2089,7 @@ For more information, see
below.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
.Bl -tag -width 8n
.Bl -tag -width "sudoedit"
.It \&""
If the empty string
.Ql \&""
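Review bot: `-width "sudoedit"` is eight characters, which gives the same 10n indent the old `8n` produced once the two-character gap is added (compare `-width "intercept"` producing `.TP 11n` and `-width "env_editor"` producing `.TP 12n` elsewhere in this diff), so no change to the generated man page is expected for this list. That is consistent with there being no matching hunk in the sudoers man page diff above.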
@ -4902,7 +4902,7 @@ with the
.Fl l
option.
It has the following possible values:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It all
All the user's
.Em sudoers
@ -4938,7 +4938,7 @@ The default value is
.It log_format
The event log format.
Supported log formats are:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It json
Logs in JSON format.
JSON log entries contain the full user details as well as the execution
@ -5456,7 +5456,7 @@ If options are present, the string must be enclosed in double quotes
.Pq \&"" .
.Pp
The following group provider plugins are installed by default:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It group_file
The
.Em group_file
@ -5980,7 +5980,7 @@ that you expect.
.Ss I/O log format
For both local and remote I/O logs, each log is stored in a separate
directory that contains the following files:
.Bl -tag -width 8n
.Bl -tag -width "log.json"
.It Pa log
A text file containing information about the command.
The first line consists of the following colon-delimited fields:
@ -6007,7 +6007,7 @@ in preference to the
.Pa log
file if it exists.
The file may contain the following elements:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It timestamp
A JSON object containing time the command was run.
It consists of two values,
@ -6727,7 +6727,7 @@ Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail, and terminal programs.
.Pp
There are four basic approaches to this problem:
.Bl -tag -width 8n
.Bl -tag -width "intercept"
.It restrict
Avoid giving users access to commands that allow the user to run
arbitrary commands.
@ -7173,7 +7173,7 @@ and higher.
The following subsystems are used by the
.Nm
plugin:
.Bl -tag -width 8n
.Bl -tag -width "defaults"
.It Em alias
.Em User_Alias ,
.Em Runas_Alias ,

View File

@ -84,7 +84,7 @@ There are two
settings that determine which editor
\fBvisudo\fR
will run.
.TP 10n
.TP 12n
editor
A colon
(\(oq:\&\(cq)
@ -116,7 +116,7 @@ The default editor path is
which can be set at compile time via the
\fR--with-editor\fR
configure option.
.TP 10n
.TP 12n
env_editor
If set,
\fBvisudo\fR
@ -334,26 +334,26 @@ Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400
.fi
.PP
The following arguments are supported:
.TP 10n
.TP 6n
sudoers_file=pathname
The
\fIsudoers_file\fR
argument can be used to override the default path to the
\fIsudoers\fR
file.
.TP 10n
.TP 6n
sudoers_uid=user-ID
The
\fIsudoers_uid\fR
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user-ID.
.TP 10n
.TP 6n
sudoers_gid=group-ID
The
\fIsudoers_gid\fR
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group-ID (not a group name).
.TP 10n
.TP 6n
sudoers_mode=mode
The
\fIsudoers_mode\fR
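Review bot: All four plugin-argument tags (`sudoers_file=pathname` through `sudoers_mode=mode`) are far wider than 6n, so each description will start on the line after its tag; 6n is the "body wraps" case and matches the `-width 4n` used for this list in the visudo mdoc hunk below.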

View File

@ -82,7 +82,7 @@ There are two
settings that determine which editor
.Nm visudo
will run.
.Bl -tag -width 8n
.Bl -tag -width "env_editor"
.It editor
A colon
.Pq Ql :\&
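Review bot: `-width "env_editor"` is ten characters plus the gap, which is the `.TP 12n` already seen in the two visudo man page hunks above for `editor` and `env_editor`, so the mdoc and man sides agree. Consistent.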
@ -322,7 +322,7 @@ Plugin sudoers_policy @sudoers_plugin@ sudoers_mode=0400
.Ed
.Pp
The following arguments are supported:
.Bl -tag -width 8n
.Bl -tag -width 4n
.It sudoers_file=pathname
The
.Em sudoers_file