From 7fd6edb6dfa34329c5eba7b906b6937cd744ff59 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 14 Sep 2016 10:29:18 -0600 Subject: [PATCH] Document negated sudoHost entries. --- doc/sudoers.ldap.cat | 4 +++- doc/sudoers.ldap.man.in | 7 +++++++ doc/sudoers.ldap.mdoc.in | 7 +++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 6f0e75f00..3f57e3159 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -80,7 +80,9 @@ DDEESSCCRRIIPPTTIIOONN with a `+'). The special value ALL will match any host. Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used - when matching. + when matching. If a sudoHost entry is preceded by an exclamation + point, `!', and the entry matches, the sudoRole in which it resides + will be ignored. ssuuddooCCoommmmaanndd A fully-qualified Unix command name with optional command line diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 5737f0453..1c6b9b7e3 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -167,6 +167,13 @@ The special value will match any host. Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching. +If a +\fRsudoHost\fR +entry is preceded by an exclamation point, +\(oq\&!\(cq, +and the entry matches, the +\fRsudoRole\fR +in which it resides will be ignored. .TP 6n \fBsudoCommand\fR A fully-qualified Unix command name with optional command line arguments, diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index 47721bdf9..4b6ca4afe 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in 
@@ -159,6 +159,13 @@ The special value will match any host. Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching. +If a +.Li sudoHost +entry is preceded by an exclamation point, +.Ql \&! , +and the entry matches, the +.Li sudoRole +in which it resides will be ignored. .It Sy sudoCommand A fully-qualified Unix command name with optional command line arguments, potentially including globbing characters (aka wild cards).
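Review bot: In the doc/sudoers.ldap.cat hunk, "the sudoRole in which it resides will be ignored" does not say how a matching negated value interacts with other sudoHost values in the same sudoRole. LDAP attribute values carry no guaranteed order, so an administrator who pairs `ALL` with `!host` cannot tell from this sentence whether the negation always wins or depends on evaluation order. Suggest stating explicitly that a matching negated entry causes the sudoRole to be skipped regardless of any other sudoHost value that also matches, and that "ignored" means the role is skipped rather than the request denied, so a different sudoRole can still grant access on that host.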
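Review bot: In the doc/sudoers.ldap.man.in hunk, the new sentence gives no indication of which sudo version first honors a leading `!` in sudoHost. The same directory is typically read by clients at different versions, and a client that does not implement negation would presumably treat `!host` as a value that simply fails to match, leaving the role in effect through any other matching sudoHost value. Suggest adding a short "this requires version X or higher" note after "in which it resides will be ignored." so that administrators do not rely on negated entries as an exclusion control on hosts that cannot evaluate them.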
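Review bot: In the doc/sudoers.ldap.mdoc.in hunk, the added text follows the description of the `+` netgroup form and the special value ALL, but does not say which forms of sudoHost a leading `!` may be applied to. Suggest spelling out whether negation is accepted for host names, IP addresses and networks, and host netgroups (`!+netgroup`), and whether `!ALL` is meaningful, since readers will otherwise have to test each form to find out.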