mirror of https://github.com/sudo-project/sudo.git synced 2025-08-28 12:57:50 +00:00

Style fixes from Bjarni Ingi Gislason.

Todd C. Miller 2025-02-22 15:31:21 -07:00
parent b04386f631
commit 3ba525a348
2 changed files with 85 additions and 85 deletions

View File

@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "February 14, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "February 22, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -672,16 +672,16 @@ Resource limits may also be set in the
\fIsudoers\fR \fIsudoers\fR
file itself, in which case they override those set by the system. file itself, in which case they override those set by the system.
See the See the
\fIrlimit_as,\fR \fIrlimit_as\fR,
\fIrlimit_core,\fR \fIrlimit_core\fR,
\fIrlimit_cpu,\fR \fIrlimit_cpu\fR,
\fIrlimit_data,\fR \fIrlimit_data\fR,
\fIrlimit_fsize,\fR \fIrlimit_fsize\fR,
\fIrlimit_locks,\fR \fIrlimit_locks\fR,
\fIrlimit_memlock,\fR \fIrlimit_memlock\fR,
\fIrlimit_nofile,\fR \fIrlimit_nofile\fR,
\fIrlimit_nproc,\fR \fIrlimit_nproc\fR,
\fIrlimit_rss,\fR \fIrlimit_rss\fR,
\fIrlimit_stack\fR \fIrlimit_stack\fR
options described below. options described below.
Resource limits in Resource limits in
@ -805,7 +805,7 @@ Cmnd_Alias ::= NAME
Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)* NAME ::= [A\(enZ]([A\(enZ][0\(en9]_)*
.RE .RE
.fi .fi
.PP .PP
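Review bot: `\(en` is an en dash, not a range hyphen, so the `NAME ::= [A\(enZ]([A\(enZ][0\(en9]_)*` line of this literal block will show `[A–Z]` on a UTF-8 terminal, which is not the ASCII character class the grammar means and does not survive copy and paste or a search for `A-Z`. Use `\-` here, as this patch already does for the sudoers rule `^[a\-zA\-Z0\-9_]+$`. The `digest` character classes in the next hunk take the same substitution and need the same fix, since they describe which characters a digest in sudoers may contain.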
@ -1038,8 +1038,8 @@ only the case for non-networked systems.
.nf .nf
.sp .sp
.RS 0n .RS 0n
digest ::= [A-Fa-f0-9]+ | digest ::= [A\(enFa\(enf0\(en9]+ |
[A-Za-z0-9\e+/=]+ [A\(enZa\(enz0\(en9\e+/=]+
Digest_Spec ::= "sha224" ':' digest | Digest_Spec ::= "sha224" ':' digest |
"sha256" ':' digest | "sha256" ':' digest |
@ -1225,7 +1225,7 @@ For example, using openssl:
.nf .nf
.sp .sp
.RS 0n .RS 0n
$ openssl dgst -sha224 /bin/ls $ openssl dgst \-sha224 /bin/ls
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
.RE .RE
.fi .fi
@ -1234,7 +1234,7 @@ It is also possible to use openssl to generate base64 output:
.nf .nf
.sp .sp
.RS 0n .RS 0n
$ openssl dgst -binary -sha224 /bin/ls | openssl base64 $ openssl dgst \-binary \-sha224 /bin/ls | openssl base64
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
.RE .RE
.fi .fi
@ -1509,7 +1509,7 @@ For example:
.nf .nf
.sp .sp
.RS 0n .RS 0n
$ sudo -u operator /bin/ls $ sudo \-u operator /bin/ls
.RE .RE
.fi .fi
.PP .PP
@ -1564,9 +1564,9 @@ The following would all be permitted by the sudoers entry above:
.nf .nf
.sp .sp
.RS 0n .RS 0n
$ sudo -u operator /bin/ls $ sudo \-u operator /bin/ls
$ sudo -u operator -g operator /bin/ls $ sudo \-u operator \-g operator /bin/ls
$ sudo -g operator /bin/ls $ sudo \-g operator /bin/ls
.RE .RE
.fi .fi
.PP .PP
@ -1588,7 +1588,7 @@ For example:
.nf .nf
.sp .sp
.RS 0n .RS 0n
$ sudo -g dialer /usr/bin/cu $ sudo \-g dialer /usr/bin/cu
.RE .RE
.fi .fi
.PP .PP
@ -1729,7 +1729,7 @@ For example:
.nf .nf
.sp .sp
.RS 0n .RS 0n
$ ppriv -l $ ppriv \-l
.RE .RE
.fi .fi
.PP .PP
@ -1776,7 +1776,7 @@ It is also possible to specify a timezone offset from UTC in hours
and minutes instead of a and minutes instead of a
\(oqZ\(cq. \(oqZ\(cq.
For example, For example,
\(oq-0500\(cq \(oq\-0500\(cq
would correspond to Eastern Standard time in the US. would correspond to Eastern Standard time in the US.
As an extension, if no As an extension, if no
\(oqZ\(cq \(oqZ\(cq
@ -2083,10 +2083,10 @@ By default, if the
\fRNOPASSWD\fR \fRNOPASSWD\fR
tag is applied to any of a user's entries for the current host, tag is applied to any of a user's entries for the current host,
the user will be able to run the user will be able to run
\(oqsudo -l\(cq \(oqsudo \-l\(cq
without a password. without a password.
Additionally, a user may only run Additionally, a user may only run
\(oqsudo -v\(cq \(oqsudo \-v\(cq
without a password if all of the user's entries for the current without a password if all of the user's entries for the current
host have the host have the
\fRNOPASSWD\fR \fRNOPASSWD\fR
@ -2338,7 +2338,7 @@ This kind of rule is impossible to express safely using wildcards.
.nf .nf
.sp .sp
.RS 4n .RS 4n
john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\e john ALL = /usr/bin/passwd ^[a\-zA\-Z0\-9_]+$,\e
!/usr/bin/passwd root !/usr/bin/passwd root
.RE .RE
.fi .fi
@ -4265,7 +4265,7 @@ if one exists.
Only available if Only available if
\fBsudo\fR \fBsudo\fR
is configured with the is configured with the
\fR--with-logincap\fR \fR\-\-with-logincap\fR
option. option.
This flag is This flag is
\fIoff\fR \fIoff\fR
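Review bot: only the two leading dashes of the configure option are escaped in `\fR\-\-with-logincap\fR`; the hyphen inside `with-logincap` is still a bare `-`, which roff treats as a hyphen rather than a minus sign. The option is something a reader types literally, so escape all three: `\-\-with\-logincap`.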
@ -4373,7 +4373,7 @@ closefrom
Before it executes a command, Before it executes a command,
\fBsudo\fR \fBsudo\fR
will close all open file descriptors other than standard input, will close all open file descriptors other than standard input,
standard output, and standard error (file descriptors 0-2). standard output, and standard error (file descriptors 0\(en2).
The The
\fIclosefrom\fR \fIclosefrom\fR
option can be used to specify a different file descriptor at which option can be used to specify a different file descriptor at which
@ -4484,9 +4484,9 @@ Set this to 0 to always prompt for a password.
If set to a value less than 0 the user's time stamp will not expire If set to a value less than 0 the user's time stamp will not expire
until the system is rebooted. until the system is rebooted.
This can be used to allow users to create or delete their own time stamps via This can be used to allow users to create or delete their own time stamps via
\(oqsudo -v\(cq \(oqsudo \-v\(cq
and and
\(oqsudo -k\(cq \(oqsudo \-k\(cq
respectively. respectively.
.TP 18n .TP 18n
umask umask
@ -5169,7 +5169,7 @@ groups runs
Only available if Only available if
\fBsudo\fR \fBsudo\fR
is configured with the is configured with the
\fR--enable-admin-flag\fR \fR\-\-enable-admin-flag\fR
option. option.
The default value is The default value is
\fI~/.sudo_as_admin_successful\fR. \fI~/.sudo_as_admin_successful\fR.
@ -5866,7 +5866,7 @@ single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using the The list can be replaced, added to, deleted from, or disabled by using the
\(oq=\(cq, \(oq=\(cq,
\(oq+=\(cq, \(oq+=\(cq,
\(oq-=\(cq, \(oq\-=\(cq,
and and
\(oq\&!\(cq \(oq\&!\(cq
operators respectively. operators respectively.
@ -5893,7 +5893,7 @@ single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using the The list can be replaced, added to, deleted from, or disabled by using the
\(oq=\(cq, \(oq=\(cq,
\(oq+=\(cq, \(oq+=\(cq,
\(oq-=\(cq, \(oq\-=\(cq,
and and
\(oq\&!\(cq \(oq\&!\(cq
operators respectively. operators respectively.
@ -6542,7 +6542,7 @@ statement is never executed.
.nf .nf
.sp .sp
.RS 4n .RS 4n
$ sh -s < test.sh $ sh \-s < test.sh
testing testing
.RE .RE
.fi .fi
@ -6615,7 +6615,7 @@ flag or the
command tag will enable command tag will enable
\fIlog_stdout\fR \fIlog_stdout\fR
and and
\fIlog_stderr.\fR \fIlog_stderr\fR.
Careful ordering of rules may be necessary to achieve the results Careful ordering of rules may be necessary to achieve the results
that you expect. that you expect.
.SS "I/O log format" .SS "I/O log format"
@ -6774,7 +6774,7 @@ No post-processing is performed.
For manual viewing, you may wish to convert carriage return characters For manual viewing, you may wish to convert carriage return characters
in the log to line feeds. in the log to line feeds.
For example: For example:
\(oqgunzip -c ttyin | tr \&"\er\&" \&"\en\&"\(cq \(oqgunzip \-c ttyin | tr \&"\er\&" \&"\en\&"\(cq
.TP 10n .TP 10n
\fIstdin\fR \fIstdin\fR
The standard input when no terminal is present, or input redirected from The standard input when no terminal is present, or input redirected from
@ -7108,7 +7108,7 @@ to operator.
.nf .nf
.sp .sp
.RS 0n .RS 0n
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root* pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd *root*
%opers ALL = (: ADMINGRP) /usr/sbin/ %opers ALL = (: ADMINGRP) /usr/sbin/
.RE .RE
@ -7153,7 +7153,7 @@ As a result, this rule will also allow:
.nf .nf
.sp .sp
.RS 4n .RS 4n
passwd username --expire passwd username \-\-expire
.RE .RE
.fi .fi
.PP .PP
@ -7225,7 +7225,7 @@ without giving a password.
.nf .nf
.sp .sp
.RS 0n .RS 0n
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
.RE .RE
.fi .fi
.PP .PP
@ -7318,7 +7318,7 @@ to www.
.sp .sp
.RS 0n .RS 0n
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
/sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
.RE .RE
.fi .fi
.PP .PP
@ -7382,8 +7382,8 @@ file entry:
.nf .nf
.sp .sp
.RS 0n .RS 0n
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
.RE .RE
.fi .fi
.PP .PP

View File

@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd February 14, 2025 .Dd February 22, 2025
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -779,7 +779,7 @@ Cmnd_Alias ::= NAME
Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)* NAME ::= [A\(enZ]([A\(enZ][0\(en9]_)*
.Ed .Ed
.Pp .Pp
Each Each
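Review bot: `[A\(enZ]([A\(enZ][0\(en9]_)*` puts en dashes inside a literal display (closed by `.Ed`), where the text is meant to be read character for character. A range in a character class is an ASCII hyphen-minus, so write `[A\-Z]([A\-Z][0\-9]_)*`, matching the `\-` used for `[A\-Za\-z]*` in the sudoers examples of this file. The `digest ::=` lines in the following hunk have the same issue.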
@ -993,8 +993,8 @@ Also, the host name
will only match if that is the actual host name, which is usually will only match if that is the actual host name, which is usually
only the case for non-networked systems. only the case for non-networked systems.
.Bd -literal .Bd -literal
digest ::= [A-Fa-f0-9]+ | digest ::= [A\(enFa\(enf0\(en9]+ |
[A-Za-z0-9\e+/=]+ [A\(enZa\(enz0\(en9\e+/=]+
Digest_Spec ::= "sha224" ':' digest | Digest_Spec ::= "sha224" ':' digest |
"sha256" ':' digest | "sha256" ':' digest |
@ -1177,13 +1177,13 @@ format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
.Pp .Pp
For example, using openssl: For example, using openssl:
.Bd -literal .Bd -literal
$ openssl dgst -sha224 /bin/ls $ openssl dgst \-sha224 /bin/ls
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
.Ed .Ed
.Pp .Pp
It is also possible to use openssl to generate base64 output: It is also possible to use openssl to generate base64 output:
.Bd -literal .Bd -literal
$ openssl dgst -binary -sha224 /bin/ls | openssl base64 $ openssl dgst \-binary \-sha224 /bin/ls | openssl base64
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
.Ed .Ed
.Pp .Pp
@ -1455,7 +1455,7 @@ only as
.Sy operator . .Sy operator .
For example: For example:
.Bd -literal .Bd -literal
$ sudo -u operator /bin/ls $ sudo \-u operator /bin/ls
.Ed .Ed
.Pp .Pp
It is also possible to override a It is also possible to override a
@ -1501,9 +1501,9 @@ will run with the group listed in the target user's password database
entry. entry.
The following would all be permitted by the sudoers entry above: The following would all be permitted by the sudoers entry above:
.Bd -literal .Bd -literal
$ sudo -u operator /bin/ls $ sudo \-u operator /bin/ls
$ sudo -u operator -g operator /bin/ls $ sudo \-u operator \-g operator /bin/ls
$ sudo -g operator /bin/ls $ sudo \-g operator /bin/ls
.Ed .Ed
.Pp .Pp
In the following example, user In the following example, user
@ -1519,7 +1519,7 @@ In this example only the group will be set, the command still runs as user
.Sy tcm . .Sy tcm .
For example: For example:
.Bd -literal .Bd -literal
$ sudo -g dialer /usr/bin/cu $ sudo \-g dialer /usr/bin/cu
.Ed .Ed
.Pp .Pp
Multiple users and groups may be present in a Multiple users and groups may be present in a
@ -1652,7 +1652,7 @@ The
command can be used to list all privileges known to the system. command can be used to list all privileges known to the system.
For example: For example:
.Bd -literal .Bd -literal
$ ppriv -l $ ppriv \-l
.Ed .Ed
.Pp .Pp
In addition, there are several In addition, there are several
@ -1696,7 +1696,7 @@ It is also possible to specify a timezone offset from UTC in hours
and minutes instead of a and minutes instead of a
.Ql Z . .Ql Z .
For example, For example,
.Ql -0500 .Ql \-0500
would correspond to Eastern Standard time in the US. would correspond to Eastern Standard time in the US.
As an extension, if no As an extension, if no
.Ql Z .Ql Z
@ -1983,10 +1983,10 @@ By default, if the
.Dv NOPASSWD .Dv NOPASSWD
tag is applied to any of a user's entries for the current host, tag is applied to any of a user's entries for the current host,
the user will be able to run the user will be able to run
.Ql sudo -l .Ql sudo \-l
without a password. without a password.
Additionally, a user may only run Additionally, a user may only run
.Ql sudo -v .Ql sudo \-v
without a password if all of the user's entries for the current without a password if all of the user's entries for the current
host have the host have the
.Dv NOPASSWD .Dv NOPASSWD
@ -2224,7 +2224,7 @@ on any host but is not allowed to change
password. password.
This kind of rule is impossible to express safely using wildcards. This kind of rule is impossible to express safely using wildcards.
.Bd -literal -offset 4n .Bd -literal -offset 4n
john ALL = /usr/bin/passwd ^[a-zA-Z0-9_]+$,\e john ALL = /usr/bin/passwd ^[a\-zA\-Z0\-9_]+$,\e
!/usr/bin/passwd root !/usr/bin/passwd root
.Ed .Ed
.Pp .Pp
@ -4038,7 +4038,7 @@ if one exists.
Only available if Only available if
.Nm sudo .Nm sudo
is configured with the is configured with the
.Li --with-logincap .Li \-\-with-logincap
option. option.
This flag is This flag is
.Em off .Em off
@ -4142,7 +4142,7 @@ by default.
Before it executes a command, Before it executes a command,
.Nm sudo .Nm sudo
will close all open file descriptors other than standard input, will close all open file descriptors other than standard input,
standard output, and standard error (file descriptors 0-2). standard output, and standard error (file descriptors 0\(en2).
The The
.Em closefrom .Em closefrom
option can be used to specify a different file descriptor at which option can be used to specify a different file descriptor at which
@ -4246,9 +4246,9 @@ Set this to 0 to always prompt for a password.
If set to a value less than 0 the user's time stamp will not expire If set to a value less than 0 the user's time stamp will not expire
until the system is rebooted. until the system is rebooted.
This can be used to allow users to create or delete their own time stamps via This can be used to allow users to create or delete their own time stamps via
.Ql sudo -v .Ql sudo \-v
and and
.Ql sudo -k .Ql sudo \-k
respectively. respectively.
.It umask .It umask
File mode creation mask to use when running the command. File mode creation mask to use when running the command.
@ -4872,7 +4872,7 @@ groups runs
Only available if Only available if
.Nm sudo .Nm sudo
is configured with the is configured with the
.Li --enable-admin-flag .Li \-\-enable-admin-flag
option. option.
The default value is The default value is
.Pa ~/.sudo_as_admin_successful . .Pa ~/.sudo_as_admin_successful .
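Review bot: `.Li \-\-enable-admin-flag` escapes the leading dashes but leaves the two hyphens in `enable-admin-flag` unescaped, so the option name mixes minus signs and hyphens. Escape them all, `\-\-enable\-admin\-flag`, so the rendered option can be copied into a configure command line as is.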
@ -5488,7 +5488,7 @@ single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using the The list can be replaced, added to, deleted from, or disabled by using the
.Ql = , .Ql = ,
.Ql += , .Ql += ,
.Ql -= , .Ql \-= ,
and and
.Ql \&! .Ql \&!
operators respectively. operators respectively.
@ -5514,7 +5514,7 @@ single value without double-quotes.
The list can be replaced, added to, deleted from, or disabled by using the The list can be replaced, added to, deleted from, or disabled by using the
.Ql = , .Ql = ,
.Ql += , .Ql += ,
.Ql -= , .Ql \-= ,
and and
.Ql \&! .Ql \&!
operators respectively. operators respectively.
@ -6113,7 +6113,7 @@ This means that the
.Ql echo done .Ql echo done
statement is never executed. statement is never executed.
.Bd -literal -offset 4n .Bd -literal -offset 4n
$ sh -s < test.sh $ sh \-s < test.sh
testing testing
.Ed .Ed
.Pp .Pp
@ -6296,7 +6296,7 @@ No post-processing is performed.
For manual viewing, you may wish to convert carriage return characters For manual viewing, you may wish to convert carriage return characters
in the log to line feeds. in the log to line feeds.
For example: For example:
.Ql gunzip -c ttyin | tr \&"\er\&" \&"\en\&" .Ql gunzip \-c ttyin | tr \&"\er\&" \&"\en\&"
.It Pa stdin .It Pa stdin
The standard input when no terminal is present, or input redirected from The standard input when no terminal is present, or input redirected from
a pipe or file. a pipe or file.
@ -6595,7 +6595,7 @@ may only
.Xr su 1 .Xr su 1
to operator. to operator.
.Bd -literal .Bd -literal
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root* pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd *root*
%opers ALL = (: ADMINGRP) /usr/sbin/ %opers ALL = (: ADMINGRP) /usr/sbin/
.Ed .Ed
@ -6637,7 +6637,7 @@ options to
may be specified after the user argument. may be specified after the user argument.
As a result, this rule will also allow: As a result, this rule will also allow:
.Bd -literal -offset 4n .Bd -literal -offset 4n
passwd username --expire passwd username \-\-expire
.Ed .Ed
.Pp .Pp
which may not be desirable. which may not be desirable.
@ -6698,7 +6698,7 @@ or
.Pc .Pc
without giving a password. without giving a password.
.Bd -literal .Bd -literal
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
.Ed .Ed
.Pp .Pp
On the On the
@ -6773,7 +6773,7 @@ web pages) or simply
to www. to www.
.Bd -literal .Bd -literal
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
/sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
.Ed .Ed
.Pp .Pp
Any user may mount or unmount a CD-ROM on the machines in the CDROM Any user may mount or unmount a CD-ROM on the machines in the CDROM
@ -6831,8 +6831,8 @@ For example, given the following
.Em sudoers .Em sudoers
file entry: file entry:
.Bd -literal .Bd -literal
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
.Ed .Ed
.Pp .Pp
User User