mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Todd C. Miller 2008-02-18 16:05:20 +00:00
parent b072179192
commit 795a303ea1
8 changed files with 306 additions and 294 deletions

236
sudo.cat

@ -1,7 +1,7 @@
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(8) MAINTENANCE COMMANDS SUDO(8)
NNAAMMEE NNAAMMEE
@ -14,8 +14,7 @@ SSYYNNOOPPSSIISS
_m_a_n_d] _m_a_n_d]
ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d]
[--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [{--ii | --ss] [<_c_o_m_m_a_n_d}]
[{--ii | --ss] [<_c_o_m_m_a_n_d}]
ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d]
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ...
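Review bot: [-r role] and [-t type] disappear from the formatted SYNOPSIS while -a auth_type and -c class stay, which leaves the checked-in page documenting only part of the optional feature set, apparently whatever was enabled where it was formatted. Either format sudo.cat with every optional section enabled or mark the build-dependent options as such, so that someone reading the prebuilt page is not told that a flag their binary accepts does not exist.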
@ -58,19 +57,19 @@ DDEESSCCRRIIPPTTIIOONN
SUDO_USER. SUDO_USER.
ssuuddoo can log both successful and unsuccessful attempts (as well as ssuuddoo can log both successful and unsuccessful attempts (as well as
1.7 February 15, 2008 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log
1.7 February 18, 2008 1
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
via _s_y_s_l_o_g(3) but this is changeable at configure time or via the _s_u_d_o_- via _s_y_s_l_o_g(3) but this is changeable at configure time or via the _s_u_d_o_-
_e_r_s file. _e_r_s file.
@ -95,7 +94,7 @@ OOPPTTIIOONNSS
starting point above the standard error (file descriptor starting point above the standard error (file descriptor
three). Values less than three are not permitted. This three). Values less than three are not permitted. This
option is only available if the administrator has enabled option is only available if the administrator has enabled
the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4). the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(5).
-c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified com- -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified com-
mand with resources limited by the specified login class. mand with resources limited by the specified login class.
@ -110,9 +109,9 @@ OOPPTTIIOONNSS
login classes. login classes.
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the
_e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(5)). It is only available when
either the matching command has the SETENV tag or the either the matching command has the SETENV tag or the
_s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(5).
-e The --ee (_e_d_i_t) option indicates that, instead of running a -e The --ee (_e_d_i_t) option indicates that, instead of running a
command, the user wishes to edit one or more files. In command, the user wishes to edit one or more files. In
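Review bot: The -E entry's cross-reference reads `sudoers(5)).` with a stray closing parenthesis, carried over unchanged from the (4) version. Since this sentence is being regenerated anyway, drop the extra `)` in the source so the page reads "env_reset option in sudoers(5)."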
@ -123,22 +122,22 @@ OOPPTTIIOONNSS
1. Temporary copies are made of the files to be edited 1. Temporary copies are made of the files to be edited
with the owner set to the invoking user. with the owner set to the invoking user.
2. The editor specified by the VISUAL or EDITOR 2. The editor specified by the VISUAL or EDITOR environ-
ment variables is run to edit the temporary files. If
1.7 February 15, 2008 2 1.7 February 18, 2008 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(8) MAINTENANCE COMMANDS SUDO(8)
environment variables is run to edit the temporary neither VISUAL nor EDITOR are set, the program listed
files. If neither VISUAL nor EDITOR are set, the pro- in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used.
gram listed in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used.
3. If they have been modified, the temporary files are 3. If they have been modified, the temporary files are
copied back to their original location and the tempo- copied back to their original location and the tempo-
@ -164,15 +163,15 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-H The --HH (_H_O_M_E) option sets the HOME environment variable to -H The --HH (_H_O_M_E) option sets the HOME environment variable to
the homedir of the target user (root by default) as speci- the homedir of the target user (root by default) as speci-
fied in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify HOME fied in _p_a_s_s_w_d(5). By default, ssuuddoo does not modify HOME
(see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)). (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(5)).
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message
and exit. and exit.
-i [command] -i [command]
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell spec- The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell spec-
ified in the _p_a_s_s_w_d(4) entry of the target user as a login ified in the _p_a_s_s_w_d(5) entry of the target user as a login
shell. This means that login-specific resource files such shell. This means that login-specific resource files such
as .profile or .login will be read by the shell. If a com- as .profile or .login will be read by the shell. If a com-
mand is specified, it is passed to the shell for execution. mand is specified, it is passed to the shell for execution.
@ -190,19 +189,19 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's times- -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's times-
tamp by setting the time on it to the Epoch. The next time tamp by setting the time on it to the Epoch. The next time
1.7 February 15, 2008 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
ssuuddoo is run a password will be required. This option does ssuuddoo is run a password will be required. This option does
1.7 February 18, 2008 3
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
not require a password and was added to allow a user to not require a password and was added to allow a user to
revoke ssuuddoo permissions from a .logout file. revoke ssuuddoo permissions from a .logout file.
@ -255,36 +254,27 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
system password prompt on systems that support PAM unless system password prompt on systems that support PAM unless
the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
-r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security
1.7 February 15, 2008 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
context to have the role specified by _r_o_l_e.
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from
the standard input instead of the terminal device. the standard input instead of the terminal device.
1.7 February 18, 2008 4
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
-s [command] -s [command]
The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L
environment variable if it is set or the shell as specified environment variable if it is set or the shell as specified
in _p_a_s_s_w_d(4). If a command is specified, it is passed to in _p_a_s_s_w_d(5). If a command is specified, it is passed to
the shell for execution. Otherwise, an interactive shell the shell for execution. Otherwise, an interactive shell
is executed. is executed.
-t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security con-
text to have the type specified by _t_y_p_e. If no type is
specified, the default type is derived from the specified
role.
-U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the
--ll option to specify the user whose privileges should be --ll option to specify the user whose privileges should be
listed. Only root or a user with ssuuddoo ALL on the current listed. Only root or a user with ssuuddoo ALL on the current
@ -295,7 +285,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as a _u_i_d, of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as a _u_i_d,
many shells require that the '#' be escaped with a back- many shells require that the '#' be escaped with a back-
slash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option is slash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option is
set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands set (see _s_u_d_o_e_r_s(5)) it is not possible to run commands
with a uid not listed in the password database. with a uid not listed in the password database.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version
@ -321,18 +311,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
ables with one important exception. If the _s_e_t_e_n_v option is set in ables with one important exception. If the _s_e_t_e_n_v option is set in
_s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be for- matched is ALL, the user may set variables that would overwise be for-
bidden. See _s_u_d_o_e_r_s(4) for more information. bidden. See _s_u_d_o_e_r_s(5) for more information.
1.7 February 15, 2008 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
RREETTUURRNN VVAALLUUEESS RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the return value from ssuuddoo will Upon successful execution of a program, the return value from ssuuddoo will
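Review bot: The environment paragraph in this hunk still says "variables that would overwise be forbidden"; "overwise" should be "otherwise". This sentence tells administrators when a user may bypass the environment restrictions (setenv, the SETENV tag, or a match on ALL), so it is worth fixing in the source in the same pass and regenerating.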
@ -343,6 +322,18 @@ RREETTUURRNN VVAALLUUEESS
In the latter case the error string is printed to stderr. If ssuuddoo can- In the latter case the error string is printed to stderr. If ssuuddoo can-
not _s_t_a_t(2) one or more entries in the user's PATH an error is printed not _s_t_a_t(2) one or more entries in the user's PATH an error is printed
on stderr. (If the directory does not exist or if it is not really a on stderr. (If the directory does not exist or if it is not really a
1.7 February 18, 2008 5
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
directory, the entry is ignored and no error is printed.) This should directory, the entry is ignored and no error is printed.) This should
not happen under normal circumstances. The most common reason for not happen under normal circumstances. The most common reason for
_s_t_a_t(2) to return "permission denied" is if you are running an auto- _s_t_a_t(2) to return "permission denied" is if you are running an auto-
@ -388,18 +379,6 @@ SSEECCUURRIITTYY NNOOTTEESS
ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o
by default) and ignore the directory's contents if it is not owned by by default) and ignore the directory's contents if it is not owned by
root or if it is writable by a user other than root. On systems that root or if it is writable by a user other than root. On systems that
1.7 February 15, 2008 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp
directory is located in a directory writable by anyone (e.g., _/_t_m_p), it directory is located in a directory writable by anyone (e.g., _/_t_m_p), it
is possible for a user to create the timestamp directory before ssuuddoo is is possible for a user to create the timestamp directory before ssuuddoo is
@ -409,6 +388,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
since once the timestamp dir is owned by root and inaccessible by any since once the timestamp dir is owned by root and inaccessible by any
other user, the user placing files there would be unable to get them other user, the user placing files there would be unable to get them
back out. To get around this issue you can use a directory that is not back out. To get around this issue you can use a directory that is not
1.7 February 18, 2008 6
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or cre- world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or cre-
ate _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and permissions ate _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and permissions
(0700) in the system startup files. (0700) in the system startup files.
@ -427,7 +418,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
when giving users access to commands via ssuuddoo to verify that the com- when giving users access to commands via ssuuddoo to verify that the com-
mand does not inadvertently give the user an effective root shell. For mand does not inadvertently give the user an effective root shell. For
more information, please see the PREVENTING SHELL ESCAPES section in more information, please see the PREVENTING SHELL ESCAPES section in
_s_u_d_o_e_r_s(4). _s_u_d_o_e_r_s(5).
EENNVVIIRROONNMMEENNTT EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables: ssuuddoo utilizes the following environment variables:
@ -454,18 +445,6 @@ EENNVVIIRROONNMMEENNTT
SUDO_GID Set to the gid of the user who invoked sudo SUDO_GID Set to the gid of the user who invoked sudo
1.7 February 15, 2008 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_PS1 If set, PS1 will be set to its value SUDO_PS1 If set, PS1 will be set to its value
USER Set to the target user (root unless the --uu option is USER Set to the target user (root unless the --uu option is
@ -474,12 +453,26 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
VISUAL Default editor to use in --ee (sudoedit) mode VISUAL Default editor to use in --ee (sudoedit) mode
FFIILLEESS FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
_/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mmooddee oonn LLiinnuuxx aanndd AAIIXX
1.7 February 18, 2008 7
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
_/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and
AIX
EEXXAAMMPPLLEESS EEXXAAMMPPLLEESS
Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. Note: the following examples assume suitable _s_u_d_o_e_r_s(5) entries.
To get a file listing of an unreadable directory: To get a file listing of an unreadable directory:
@ -505,8 +498,7 @@ EEXXAAMMPPLLEESS
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
SSEEEE AALLSSOO SSEEEE AALLSSOO
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(5), _s_u_d_o_e_r_s(5), _v_i_s_u_d_o(8)
_v_i_s_u_d_o(1m)
AAUUTTHHOORRSS AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version consists Many people have worked on ssuuddoo over the years; this version consists
@ -520,27 +512,26 @@ AAUUTTHHOORRSS
CCAAVVEEAATTSS CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root shell if There is no easy way to prevent a user from gaining a root shell if
that user is allowed to run arbitrary commands via ssuuddoo. Also, many that user is allowed to run arbitrary commands via ssuuddoo. Also, many
1.7 February 15, 2008 8
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
programs (such as editors) allow the user to run commands via shell programs (such as editors) allow the user to run commands via shell
escapes, thus avoiding ssuuddoo's checks. However, on most systems it is escapes, thus avoiding ssuuddoo's checks. However, on most systems it is
possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality.
See the _s_u_d_o_e_r_s(4) manual for details. See the _s_u_d_o_e_r_s(5) manual for details.
It is not meaningful to run the cd command directly via sudo, e.g., It is not meaningful to run the cd command directly via sudo, e.g.,
$ sudo cd /usr/local/protected $ sudo cd /usr/local/protected
1.7 February 18, 2008 8
SUDO(8) MAINTENANCE COMMANDS SUDO(8)
since when the command exits the parent process (your shell) will still since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information. be the same. Please see the EXAMPLES section for more information.
@ -589,6 +580,15 @@ DDIISSCCLLAAIIMMEERR
1.7 February 15, 2008 9
1.7 February 18, 2008 9


@ -150,7 +150,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "February 15, 2008" "1.7" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
@ -160,14 +160,20 @@ sudo, sudoedit \- execute a command as another user
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR] \&\fBsudo\fR \fB\-l[l]\fR [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
.PP .PP
\&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] \&\fBsudo\fR [\fB\-bEHPS\fR]
[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] [\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}] [\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}]
.PP .PP
\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] \&\fBsudoedit\fR [\fB\-S\fR]
[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ... [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION" .SH "DESCRIPTION"
.IX Header "DESCRIPTION" .IX Header "DESCRIPTION"
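Review bot: The last sudo synopsis line, `[{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}]`, has mismatched delimiters: `[{` is closed by `]` and `[<` by `}]`. The hunk re-wraps the option lines around it but leaves it untouched; suggest balancing it (for example {-i | -s} [command]) so the rendered usage is unambiguous.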
@ -218,14 +224,14 @@ or via the \fIsudoers\fR file.
.SH "OPTIONS" .SH "OPTIONS"
.IX Header "OPTIONS" .IX Header "OPTIONS"
\&\fBsudo\fR accepts the following command line options: \&\fBsudo\fR accepts the following command line options:
.IP "\-a \fItype\fR" 12 @BAMAN@.IP "\-a \fItype\fR" 12
.IX Item "-a type" @BAMAN@.IX Item "-a type"
The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the @BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
specified authentication type when validating the user, as allowed @BAMAN@specified authentication type when validating the user, as allowed
by \fI/etc/login.conf\fR. The system administrator may specify a list @BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R" @BAMAN@of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R"
entry in \fI/etc/login.conf\fR. This option is only available on systems @BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
that support \s-1BSD\s0 authentication. @BAMAN@that support \s-1BSD\s0 authentication.
.IP "\-b" 12 .IP "\-b" 12
.IX Item "-b" .IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
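Review bot: Every line of the -a entry now starts with @BAMAN@, yet nothing in the visible lines says what the marker is replaced with or which build setting controls it. A short comment near the top of the file naming @BAMAN@, @LCMAN@ and @SEMAN@ and the condition behind each would help, and it should state what each marker becomes when the feature is enabled, because any non-empty text left in front of `.IP` or `.IX` would keep the macro from being recognised.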
@ -240,17 +246,17 @@ above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the three are not permitted. This option is only available if the
administrator has enabled the \fIclosefrom_override\fR option in administrator has enabled the \fIclosefrom_override\fR option in
\&\fIsudoers\fR\|(@mansectform@). \&\fIsudoers\fR\|(@mansectform@).
.IP "\-c \fIclass\fR" 12 @LCMAN@.IP "\-c \fIclass\fR" 12
.IX Item "-c class" @LCMAN@.IX Item "-c class"
The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command @LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
with resources limited by the specified login class. The \fIclass\fR @LCMAN@with resources limited by the specified login class. The \fIclass\fR
argument can be either a class name as defined in \fI/etc/login.conf\fR, @LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR,
or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates @LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
that the command should be run restricted by the default login @LCMAN@that the command should be run restricted by the default login
capabilities for the user the command is run as. If the \fIclass\fR @LCMAN@capabilities for the user the command is run as. If the \fIclass\fR
argument specifies an existing user class, the command must be run @LCMAN@argument specifies an existing user class, the command must be run
as root, or the \fBsudo\fR command must be run from a shell that is already @LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already
root. This option is only available on systems with \s-1BSD\s0 login classes. @LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes.
.IP "\-E" 12 .IP "\-E" 12
.IX Item "-E" .IX Item "-E"
The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
@ -395,10 +401,10 @@ The prompt specified by the \fB\-p\fR option will override the system
password prompt on systems that support \s-1PAM\s0 unless the password prompt on systems that support \s-1PAM\s0 unless the
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. \&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
.RE .RE
.IP "\-r \fIrole\fR" 12 @SEMAN@.IP "\-r \fIrole\fR" 12
.IX Item "-r role" @SEMAN@.IX Item "-r role"
The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to @SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
have the role specified by \fIrole\fR. @SEMAN@have the role specified by \fIrole\fR.
.IP "\-S" 12 .IP "\-S" 12
.IX Item "-S" .IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
@ -409,11 +415,11 @@ The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\
environment variable if it is set or the shell as specified in environment variable if it is set or the shell as specified in
\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell \&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed. for execution. Otherwise, an interactive shell is executed.
.IP "\-t \fItype\fR" 12 @SEMAN@.IP "\-t \fItype\fR" 12
.IX Item "-t type" @SEMAN@.IX Item "-t type"
The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to @SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
have the type specified by \fItype\fR. If no type is specified, the default @SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
type is derived from the specified role. @SEMAN@type is derived from the specified role.
.IP "\-U \fIuser\fR" 12 .IP "\-U \fIuser\fR" 12
.IX Item "-U user" .IX Item "-U user"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
@ -595,17 +601,15 @@ Set to the target user (root unless the \fB\-u\fR option is specified)
Default editor to use in \fB\-e\fR (sudoedit) mode Default editor to use in \fB\-e\fR (sudoedit) mode
.SH "FILES" .SH "FILES"
.IX Header "FILES" .IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4 .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4 .IX Item "@sysconfdir@/sudoers"
.IX Item "@sysconfdir@/sudoers List of who can run what" List of who can run what
.PD 0 .IP "\fI@timedir@\fR" 24
.ie n .IP "\fI@timedir@\fR\*(C` \*(C'Directory containing timestamps" 4 .IX Item "@timedir@"
.el .IP "\fI@timedir@\fR\f(CW\*(C` \*(C'\fRDirectory containing timestamps" 4 Directory containing timestamps
.IX Item "@timedir@ Directory containing timestamps" .IP "\fI/etc/environment\fR" 24
.ie n .IP "\fI/etc/environment\fR\*(C` \*(C'\fRInitial environment for \fB\-i mode on Linux and \s-1AIX\s0" 4 .IX Item "/etc/environment"
.el .IP "\fI/etc/environment\fR\f(CW\*(C` \*(C'\fRInitial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0" 4 Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
.IX Item "/etc/environment Initial environment for -i mode on Linux and AIX"
.PD
.SH "EXAMPLES" .SH "EXAMPLES"
.IX Header "EXAMPLES" .IX Header "EXAMPLES"
Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries. Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.


@ -1,7 +1,7 @@
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
NNAAMMEE NNAAMMEE
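Review bot: The new page header reads "SUDOERS(5) MAINTENANCE COMMANDS", which pairs a file-format section number with a title meant for administrative commands. Suggest letting the centre title follow the section, so that the sudoers page is labelled as a file format while sudo and visudo keep the maintenance-commands title.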
@ -61,13 +61,13 @@ DDEESSCCRRIIPPTTIIOONN
1.7 January 21, 2008 1 1.7 February 18, 2008 1
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Host_Alias ::= NAME '=' Host_List Host_Alias ::= NAME '=' Host_List
@ -127,13 +127,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 2 1.7 February 18, 2008 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Host ::= '!'* hostname | Host ::= '!'* hostname |
@ -193,13 +193,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 3 1.7 February 18, 2008 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
users on any host, all users on a specific host, a specific user, a users on any host, all users on a specific host, a specific user, a
@ -259,13 +259,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 4 1.7 February 18, 2008 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Let's break that down into its constituent parts: Let's break that down into its constituent parts:
@ -325,13 +325,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 5 1.7 February 18, 2008 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite
@ -391,13 +391,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 6 1.7 February 18, 2008 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
WWiillddccaarrddss WWiillddccaarrddss
@ -457,13 +457,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 7 1.7 February 18, 2008 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
@ -523,13 +523,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
1.7 January 21, 2008 8 1.7 February 18, 2008 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
env_editor If set, vviissuuddoo will use the value of the EDITOR or env_editor If set, vviissuuddoo will use the value of the EDITOR or
@ -572,30 +572,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
fied. This flag is _o_f_f by default. fied. This flag is _o_f_f by default.
ignore_local_sudoers ignore_local_sudoers
If set via LDAP, parsing of @sysconfdir@/sudoers will If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
be skipped. This is intended for Enterprises that wish skipped. This is intended for Enterprises that wish to
to prevent the usage of local sudoers files so that prevent the usage of local sudoers files so that only
only LDAP is used. This thwarts the efforts of rogue LDAP is used. This thwarts the efforts of rogue opera-
operators who would attempt to add roles to tors who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s.
@sysconfdir@/sudoers. When this option is present, When this option is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even
@sysconfdir@/sudoers does not even need to exist. need to exist. Since this option tells ssuuddoo how to
Since this option tells ssuuddoo how to behave when no spe- behave when no specific LDAP entries have been matched,
cific LDAP entries have been matched, this sudoOption this sudoOption is only meaningful for the cn=defaults
is only meaningful for the cn=defaults section. This section. This flag is _o_f_f by default.
flag is _o_f_f by default.
insults If set, ssuuddoo will insult users when they enter an insults If set, ssuuddoo will insult users when they enter an
incorrect password. This flag is _o_f_f by default. incorrect password. This flag is _o_f_f by default.
1.7 January 21, 2008 9
1.7 February 18, 2008 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
log_host If set, the hostname will be logged in the (non-syslog) log_host If set, the hostname will be logged in the (non-syslog)
@ -655,13 +655,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 10 1.7 February 18, 2008 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
normally only be used if the passwod prompt provided by normally only be used if the passwod prompt provided by
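Review bot: The context line here reads "the passwod prompt"; "passwod" should be "password". The typo survives the regeneration on both sides, so it lives in the source text; fix it there and rebuild the formatted page.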
@ -721,13 +721,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 11 1.7 February 18, 2008 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the
@ -787,13 +787,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 12 1.7 February 18, 2008 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
password before ssuuddoo logs the failure and exits. The password before ssuuddoo logs the failure and exits. The
@ -853,13 +853,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 13 1.7 February 18, 2008 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
environment variable. The following percent (`%') environment variable. The following percent (`%')
@ -919,13 +919,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 14 1.7 February 18, 2008 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
once Only lecture the user the first time they run ssuuddoo. once Only lecture the user the first time they run ssuuddoo.
@ -985,13 +985,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 15 1.7 February 18, 2008 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
syslog Syslog facility if syslog is being used for logging (negate syslog Syslog facility if syslog is being used for logging (negate
@ -1051,13 +1051,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 16 1.7 February 18, 2008 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
env_keep Environment variables to be preserved in the user's env_keep Environment variables to be preserved in the user's
@ -1079,9 +1079,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
iinngg. iinngg.
FFIILLEESS FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
_/_e_t_c_/_g_r_o_u_p Local groups file
_/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups _/_e_t_c_/_g_r_o_u_p Local groups file
_/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups
EEXXAAMMPPLLEESS EEXXAAMMPPLLEESS
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit
@ -1115,15 +1117,13 @@ EEXXAAMMPPLLEESS
1.7 February 18, 2008 17
1.7 January 21, 2008 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
# Cmnd alias specification # Cmnd alias specification
@ -1183,13 +1183,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 18 1.7 February 18, 2008 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
@ -1249,13 +1249,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 19 1.7 February 18, 2008 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
jen ALL, !SERVERS = ALL jen ALL, !SERVERS = ALL
@ -1315,13 +1315,13 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
1.7 January 21, 2008 20 1.7 February 18, 2008 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
that permit shell escapes include shells (obviously), editors, pagina- that permit shell escapes include shells (obviously), editors, pagina-
@ -1381,13 +1381,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7 January 21, 2008 21 1.7 February 18, 2008 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5)
Note that restricting shell escapes is not a panacea. Programs running Note that restricting shell escapes is not a panacea. Programs running
@ -1397,7 +1397,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
approach is to give the user permission to run ssuuddooeeddiitt. approach is to give the user permission to run ssuuddooeeddiitt.
SSEEEE AALLSSOO SSEEEE AALLSSOO
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _s_u_d_o(8), _v_i_s_u_d_o(8)
CCAAVVEEAATTSS CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
@ -1447,6 +1447,6 @@ DDIISSCCLLAAIIMMEERR
1.7 January 21, 2008 22 1.7 February 18, 2008 22

View File

@ -1,7 +1,7 @@
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
NNAAMMEE NNAAMMEE
@ -61,13 +61,13 @@ DDEESSCCRRIIPPTTIIOONN
1.7 February 9, 2008 1 1.7 February 18, 2008 1
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following
@ -127,13 +127,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 2 1.7 February 18, 2008 2
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
@ -193,13 +193,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 3 1.7 February 18, 2008 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
# LDAP equivalent of puddles # LDAP equivalent of puddles
@ -251,7 +251,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
Typically, this file is shared amongst different LDAP-aware clients. Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from
those described in the _l_d_a_p_._c_o_n_f(4) manual. those described in the _l_d_a_p_._c_o_n_f(5) manual.
Also note that on systems using the OpenLDAP libraries, default values Also note that on systems using the OpenLDAP libraries, default values
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are
@ -259,13 +259,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 4 1.7 February 18, 2008 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are sup- Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are sup-
@ -325,13 +325,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 5 1.7 February 18, 2008 5
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
BBIINNDDDDNN DN BBIINNDDDDNN DN
@ -391,13 +391,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 6 1.7 February 18, 2008 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
OpenLDAP libraries. OpenLDAP libraries.
@ -457,13 +457,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 7 1.7 February 18, 2008 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
SSAASSLL__SSEECCPPRROOPPSS none/properties SSAASSLL__SSEECCPPRROOPPSS none/properties
@ -523,13 +523,13 @@ EEXXAAMMPPLLEESS
1.7 February 9, 2008 8 1.7 February 18, 2008 8
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
# Either specify one or more URIs or one or more host:port pairs. # Either specify one or more URIs or one or more host:port pairs.
@ -589,13 +589,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 9 1.7 February 18, 2008 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
#tls_cacertfile /etc/certs/trusted_signers.pem #tls_cacertfile /etc/certs/trusted_signers.pem
@ -655,13 +655,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7 February 9, 2008 10 1.7 February 18, 2008 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
attributetype ( 1.3.6.1.4.1.15953.9.1.2 attributetype ( 1.3.6.1.4.1.15953.9.1.2
@ -715,19 +715,19 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SSEEEE AALLSSOO SSEEEE AALLSSOO
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) _l_d_a_p_._c_o_n_f(5), _s_u_d_o_e_r_s(5)
1.7 February 9, 2008 11 1.7 February 18, 2008 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5)
CCAAVVEEAATTSS CCAAVVEEAATTSS
@ -787,6 +787,6 @@ DDIISSCCLLAAIIMMEERR
1.7 February 9, 2008 12 1.7 February 18, 2008 12

View File

@ -146,7 +146,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS.LDAP @mansectform@" .IX Title "SUDOERS.LDAP @mansectform@"
.TH SUDOERS.LDAP @mansectform@ "February 9, 2008" "1.7" "MAINTENANCE COMMANDS" .TH SUDOERS.LDAP @mansectform@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudoers.ldap \- sudo LDAP configuration sudoers.ldap \- sudo LDAP configuration
.SH "DESCRIPTION" .SH "DESCRIPTION"

View File

@ -150,7 +150,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDOERS @mansectform@" .IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" .TH SUDOERS @mansectform@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudoers \- list of which users may execute what sudoers \- list of which users may execute what
.SH "DESCRIPTION" .SH "DESCRIPTION"
@ -724,14 +724,14 @@ environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
flag is \fI@ignore_dot@\fR by default. flag is \fI@ignore_dot@\fR by default.
.IP "ignore_local_sudoers" 16 .IP "ignore_local_sudoers" 16
.IX Item "ignore_local_sudoers" .IX Item "ignore_local_sudoers"
If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped. If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
This is intended for Enterprises that wish to prevent the usage of local This is intended for Enterprises that wish to prevent the usage of local
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers. rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
have been matched, this sudoOption is only meaningful for the cn=defaults entries have been matched, this sudoOption is only meaningful for the
section. This flag is \fIoff\fR by default. \&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
.IP "insults" 16 .IP "insults" 16
.IX Item "insults" .IX Item "insults"
If set, \fBsudo\fR will insult users when they enter an incorrect If set, \fBsudo\fR will insult users when they enter an incorrect
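Review bot: in the rewritten ignore_local_sudoers paragraph, cn=defaults is now set in constant-width markup but sudoOption, the other LDAP identifier in the same sentence, is left as plain text; mark both the same way. The move from \f(CW@sysconfdir\fR@/sudoers to \fI@sysconfdir@/sudoers\fR looks right: the old form closed the font change inside the @sysconfdir@ token, and the old column of the sudoers.cat hunk shows the token reaching the formatted page unexpanded in all three places.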
@ -885,11 +885,11 @@ If set, users must authenticate on a per-tty basis. Normally,
the user running it. With this flag enabled, \fBsudo\fR will use a the user running it. With this flag enabled, \fBsudo\fR will use a
file named for the tty the user is logged in on in that directory. file named for the tty the user is logged in on in that directory.
This flag is \fI@tty_tickets@\fR by default. This flag is \fI@tty_tickets@\fR by default.
.IP "use_loginclass" 16 @LCMAN@.IP "use_loginclass" 16
.IX Item "use_loginclass" @LCMAN@.IX Item "use_loginclass"
If set, \fBsudo\fR will apply the defaults specified for the target user's @LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
login class if one exists. Only available if \fBsudo\fR is configured with @LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with
the \-\-with\-logincap option. This flag is \fIoff\fR by default. @LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default.
.PP .PP
\&\fBIntegers\fR: \&\fBIntegers\fR:
.IP "closefrom" 16 .IP "closefrom" 16
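Review bot: the @LCMAN@ prefix on all five use_loginclass lines depends on a configure substitution whose definition is not among the hunks shown here. Confirm that it expands to either nothing or a roff comment in every build configuration, otherwise the literal token ends up in the installed page. With the entry now conditional, the sentence "Only available if sudo is configured with the --with-logincap option" is either redundant or should be kept on purpose; say which.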
@ -990,6 +990,12 @@ two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW
.Sp .Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR. The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
.RE .RE
@SEMAN@.IP "role" 16
@SEMAN@.IX Item "role"
@SEMAN@The default SELinux role to use when constructing a new security
@SEMAN@context to run the command. The default role may be overridden on
@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.IP "runas_default" 16 .IP "runas_default" 16
.IX Item "runas_default" .IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR flag is not specified The default user to run commands as if the \fB\-u\fR flag is not specified
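Review bot: typo on the last added line of the role entry, "This option is only available whe sudo is built with SELinux support" should read "when". The identical sentence is repeated in the type entry further down in this file, so fix both together.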
@ -1012,6 +1018,12 @@ The default is \fI@timedir@\fR.
.IX Item "timestampowner" .IX Item "timestampowner"
The owner of the timestamp directory and the timestamps stored therein. The owner of the timestamp directory and the timestamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR. The default is \f(CW\*(C`root\*(C'\fR.
@SEMAN@.IP "type" 16
@SEMAN@.IX Item "type"
@SEMAN@The default SELinux type to use when constructing a new security
@SEMAN@context to run the command. The default type may be overridden on
@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.PP .PP
\&\fBStrings that can be used in a boolean context\fR: \&\fBStrings that can be used in a boolean context\fR:
.IP "exempt_group" 12 .IP "exempt_group" 12
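Review bot: the added type entry says the default "may be overridden on a per-command basis in sudoers or via command line options" without naming either mechanism. Name the sudoers syntax and the command line options, or point to the section that does, so a reader can tell which setting wins when auditing the SELinux context a command will run in. The closing sentence also carries the "whe" for "when" typo.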
@ -1172,17 +1184,15 @@ supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo
\&\fBnotice\fR, and \fBwarning\fR. \&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES" .SH "FILES"
.IX Header "FILES" .IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C' List of who can run what" 4 .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fR List of who can run what" 4 .IX Item "@sysconfdir@/sudoers"
.IX Item "@sysconfdir@/sudoers List of who can run what" List of who can run what
.PD 0 .IP "\fI/etc/group\fR" 24
.ie n .IP "\fI/etc/group\fR\*(C` \*(C' Local groups file" 4 .IX Item "/etc/group"
.el .IP "\fI/etc/group\fR\f(CW\*(C` \*(C'\fR Local groups file" 4 Local groups file
.IX Item "/etc/group Local groups file" .IP "\fI/etc/netgroup\fR" 24
.ie n .IP "\fI/etc/netgroup\fR\*(C` \*(C' List of network groups" 4 .IX Item "/etc/netgroup"
.el .IP "\fI/etc/netgroup\fR\f(CW\*(C` \*(C'\fR List of network groups" 4 List of network groups
.IX Item "/etc/netgroup List of network groups"
.PD
.SH "EXAMPLES" .SH "EXAMPLES"
.IX Header "EXAMPLES" .IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of Below are example \fIsudoers\fR entries. Admittedly, some of
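Review bot: dropping the ".PD 0" and ".PD" pair around the FILES entries changes the list from compact to one with a blank line between items, which is why the regenerated sudoers.cat FILES hunk grows from 9 to 11 lines. If the compact layout was intended, keep the ".PD 0" after the first entry and the closing ".PD". Splitting the description out of the .IP tag and shortening the .IX items to the bare path is a clear improvement over the old ".ie n" / ".el" pairs.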

View File

@ -1,7 +1,7 @@
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
NNAAMMEE NNAAMMEE
@ -11,7 +11,7 @@ SSYYNNOOPPSSIISS
vviissuuddoo [--cc] [--qq] [--ss] [--VV] [--ff _s_u_d_o_e_r_s] vviissuuddoo [--cc] [--qq] [--ss] [--VV] [--ff _s_u_d_o_e_r_s]
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m). vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(8).
vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, pro- vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, pro-
vides basic sanity checks, and checks for parse errors. If the _s_u_d_o_e_r_s vides basic sanity checks, and checks for parse errors. If the _s_u_d_o_e_r_s
file is currently being edited you will receive a message to try again file is currently being edited you will receive a message to try again
@ -61,13 +61,13 @@ OOPPTTIIOONNSS
1.7 January 21, 2008 1 1.7 February 18, 2008 1
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
combined with the --cc flag. combined with the --cc flag.
@ -91,8 +91,9 @@ EENNVVIIRROONNMMEENNTT
EDITOR Used by visudo if VISUAL is not set EDITOR Used by visudo if VISUAL is not set
FFIILLEESS FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
_/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo
_/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo
DDIIAAGGNNOOSSTTIICCSS DDIIAAGGNNOOSSTTIICCSS
sudoers file busy, try again later. sudoers file busy, try again later.
@ -118,7 +119,7 @@ DDIIAAGGNNOOSSTTIICCSS
--ss (strict) mode this is an error, not a warning. --ss (strict) mode this is an error, not a warning.
SSEEEE AALLSSOO SSEEEE AALLSSOO
_v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) _v_i(1), _s_u_d_o_e_r_s(5), _s_u_d_o(8), _v_i_p_w(8)
AAUUTTHHOORR AAUUTTHHOORR
Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo
@ -126,14 +127,13 @@ AAUUTTHHOORR
1.7 February 18, 2008 2
1.7 January 21, 2008 2
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) VISUDO(8) MAINTENANCE COMMANDS VISUDO(8)
Todd Miller Todd Miller
@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR
1.7 January 21, 2008 3 1.7 February 18, 2008 3

View File

@ -149,7 +149,7 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "VISUDO @mansectsu@" .IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" .TH VISUDO @mansectsu@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
visudo \- edit the sudoers file visudo \- edit the sudoers file
.SH "SYNOPSIS" .SH "SYNOPSIS"
@ -235,14 +235,12 @@ Invoked by visudo as the editor to use
Used by visudo if \s-1VISUAL\s0 is not set Used by visudo if \s-1VISUAL\s0 is not set
.SH "FILES" .SH "FILES"
.IX Header "FILES" .IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4 .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4 .IX Item "@sysconfdir@/sudoers"
.IX Item "@sysconfdir@/sudoers List of who can run what" List of who can run what
.PD 0 .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR\*(C` \*(C'Lock file for visudo" 4 .IX Item "@sysconfdir@/sudoers.tmp"
.el .IP "\fI@sysconfdir@/sudoers.tmp\fR\f(CW\*(C` \*(C'\fRLock file for visudo" 4 Lock file for visudo
.IX Item "@sysconfdir@/sudoers.tmp Lock file for visudo"
.PD
.SH "DIAGNOSTICS" .SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS" .IX Header "DIAGNOSTICS"
.IP "sudoers file busy, try again later." 4 .IP "sudoers file busy, try again later." 4
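Review bot: the fixed tag width of 24 on the two FILES entries is sized for the /etc case, but the tag is built from @sysconfdir@. With a longer prefix (a sysconfdir of /usr/local/etc gives a 26-character sudoers.tmp path) the tag overflows the indent and the description drops to the next line, so the two entries render differently. Either widen the indent or check the rendering with a non-default sysconfdir.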