mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00

Expand description of fqdn to talk about systems where the hosts
file is searched before DNS.
Todd C. Miller 2012-08-16 10:11:04 -04:00
parent c2b6033c7a
commit 82115dfa17
3 changed files with 373 additions and 80 deletions


@ -281,7 +281,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
the command may only be run wwiitthhoouutt command line arguments. A directory
is a fully qualified path name ending in a `/'. When you specify a
directory in a Cmnd_List, the user will be able to run any file within
that directory (but not in any subdirectories therein).
that directory (but not in any sub-directories therein).
If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
@ -293,7 +293,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
DDeeffaauullttss
Certain configuration options may be changed from their default values at
runtime via one or more Default_Entry lines. These may affect all users
run-time via one or more Default_Entry lines. These may affect all users
on any host, all users on a specific host, a specific user, a specific
command, or commands being run as a specific user. Note that per-command
entries may not include command line arguments. If you need to specify
@ -433,7 +433,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
SELinux role and/or type associated with a command. If a role or type is
specified with the command it will override any default values specified
in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will
supercede the values in _s_u_d_o_e_r_s.
supersede the values in _s_u_d_o_e_r_s.
SSoollaarriiss__PPrriivv__SSppeecc
On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris
@ -494,7 +494,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
without a password. Additionally, a user may only run ``sudo -v''
without a password if the NOPASSWD tag is present for all a user's
entries that pertain to the current host. This behavior may be
overridden via the verifypw and listpw options.
overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options.
_N_O_E_X_E_C _a_n_d _E_X_E_C
@ -568,7 +568,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
When matching the command line arguments, however, a slash ddooeess get
matched by wildcards since command line arguments may contain arbitrary
strings and not just pathnames.
strings and not just path names.
Wildcards in command line arguments should be used with care. Because
command line arguments are matched as a single, concatenated string, a
@ -585,7 +585,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
$ sudo cat /var/log/messages /etc/shadow
which is probaby not what was intended.
which is probably not what was intended.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
@ -595,7 +595,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
with aannyy arguments.
sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
always be pathnames, so a forward slash (`/') will not be
always be path names, so a forward slash (`/') will not be
matched by a wildcard.
IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
@ -677,7 +677,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
Long lines can be continued with a backslash (`\') as the last character
on the line.
Whitespace between elements in a list as well as special syntactic
White space between elements in a list as well as special syntactic
characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional.
The following characters must be escaped with a backslash (`\') when used
@ -746,7 +746,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
since it accesses the file system, glob(3) can take a
long time to complete for some patterns, especially
when the pattern references a network file system that
is mounted on demand (automounted). The _f_a_s_t___g_l_o_b
is mounted on demand (auto mounted). The _f_a_s_t___g_l_o_b
option causes ssuuddoo to use the fnmatch(3) function,
which does not access the file system to do its
matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is
@ -760,20 +760,48 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. In other words, instead of
myhost you would use myhost.mydomain.edu. You may
still use the short form if you wish (and even mix the
two). Beware that turning on _f_q_d_n requires ssuuddoo to
make DNS lookups which may make ssuuddoo unusable if DNS
stops working (for example if the machine is not
plugged into the network). Also note that you must use
the host's official name as DNS knows it. That is, you
may not use a host alias (CNAME entry) due to
performance issues and the fact that there is no way to
get all aliases from DNS. If your machine's host name
(as returned by the hostname command) is already fully
qualified you shouldn't need to set _f_q_d_n. This flag is
_o_f_f by default.
names in the _s_u_d_o_e_r_s file when the local host name (as
returned by the hostname command) does not contain the
domain name. In other words, instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). This
option is only effective when the ``canonical'' host
name, as returned by the ggeettaaddddrriinnffoo() or
ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain
name. This is usually the case when the system is
configured to use DNS for host name resolution.
If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file
in preference to DNS, the ``canonical'' host name may
not be fully-qualified. The order that sources are
queried for hosts name resolution is usually specified
in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f,
_/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f
file. In the _/_e_t_c_/_h_o_s_t_s file, the first host name of
the entry is considered to be the ``canonical'' name;
subsequent names are aliases that are not used by
ssuuddooeerrss. For example, the following hosts file line
for the machine ``xyzzy'' has the fully-qualified
domain name as the ``canonical'' host name, and the
short version as an alias.
192.168.1.1 xyzzy.sudo.ws xyzzy
If the machine's hosts file entry is not formatted
properly, the _f_q_d_n option will not be effective if it
is queried before DNS.
Beware that when using DNS for host name resolution,
turning on _f_q_d_n requires ssuuddooeerrss to make DNS lookups
which renders ssuuddoo unusable if DNS stops working (for
example if the machine is disconnected from the
network). Also note that just like with the hosts
file, you must use the ``canonical'' name as DNS knows
it. That is, you may not use a host alias (CNAME
entry) due to performance issues and the fact that
there is no way to get all aliases from DNS.
This flag is _o_f_f by default.
ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting
current directory) in the PATH environment variable;
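Review bot: "The order that sources are queried for hosts name resolution" should read "host name resolution"; the same sentence is repeated in the man and mdoc sources of this change. The sentence "the fqdn option will not be effective if it is queried before DNS" also leaves the practical consequence implicit: when the hosts file hands back a short canonical name, host entries written with the fully qualified name simply fail to match, so it is worth saying that directly and telling the reader to check the hosts file ordering (and the line format shown in the example) when FQDN-based rules unexpectedly do not apply. Minor: the entry opens with "fully qualified host names" and later uses "fully-qualified domain name"; pick one hyphenation.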
@ -995,7 +1023,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
targetpw If set, ssuuddoo will prompt for the password of the user
specified by the --uu option (defaults to root) instead
of the password of the invoking user. In addition, the
timestamp file name will include the target user's
time stamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
--uu option. This flag is _o_f_f by default.
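Review bot: changing "timestamp" to "time stamp" in prose is defensible, but the same page keeps the option names timestampdir and timestampowner and the literal log message "timestamp owner (...)", so a reader searching the manual for "timestamp" will no longer land on these sentences; if the two-word form is the house style, keep the one-word form wherever the text quotes an identifier or a literal message, and say so once so later edits stay consistent.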
@ -1073,9 +1101,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
value less than 0 the user's timestamp will never
value less than 0 the user's time stamp will never
expire. This can be used to allow users to create or
delete their own timestamps via ``sudo -v'' and ``sudo
delete their own time stamps via ``sudo -v'' and ``sudo
-k'' respectively.
umask Umask to use when running the command. Negate this
@ -1239,17 +1267,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
locale may affect how sudoers is interpreted. Defaults
to ``C''.
timestampdir The directory in which ssuuddoo stores its timestamp files.
The default is _/_v_a_r_/_a_d_m_/_s_u_d_o.
timestampdir The directory in which ssuuddoo stores its time stamp
files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o.
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.
timestampowner The owner of the time stamp directory and the time
stamps stored therein. The default is root.
type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
via command line options. This option is only
available whe ssuuddoo is built with SELinux support.
available when ssuuddoo is built with SELinux support.
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
@ -1422,7 +1450,7 @@ LLOOGG FFOORRMMAATT
ssuuddooeerrss can log events using either syslog(3) or a simple log file. In
each case the log format is almost identical.
CCoommmmaanndd lloogg eennttrriieess
AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess
Commands that sudo runs are logged using the following format (split into
multiple lines for readability):
@ -1469,9 +1497,9 @@ LLOOGG FFOORRMMAATT
Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which
defaults to the ``C'' locale.
EErrrroorr lloogg eennttrriieess
If there was a problem running the command, an error string will follow
the user name. Possible errors include:
DDeenniieedd ccoommmmaanndd lloogg eennttrriieess
If the user is not allowed to run the command, the reason for the denial
will follow the user name. Possible reasons include:
user NOT in sudoers
The user is not listed in the _s_u_d_o_e_r_s file.
@ -1481,7 +1509,7 @@ LLOOGG FFOORRMMAATT
commands on the host.
command not allowed
The user is listed in the sudoers file for the host but they are not
The user is listed in the _s_u_d_o_e_r_s file for the host but they are not
allowed to run the specified command.
3 incorrect password attempts
@ -1492,6 +1520,73 @@ LLOOGG FFOORRMMAATT
a password is required
ssuuddoo's --nn option was specified but a password was required.
sorry, you are not allowed to set the following environment variables
The user specified environment variables on the command line that were
not allowed by _s_u_d_o_e_r_s.
EErrrroorr lloogg eennttrriieess
If an error occurs, ssuuddooeerrss will log a message and, in most cases, send a
message to the administrator via email. Possible errors include:
parse error in /etc/sudoers near line N
ssuuddooeerrss encountered an error when parsing the specified file. In some
cases, the actual error may be one line above or below the line number
listed, depending on the type of error.
problem with defaults entries
The sudoers file contains one or more unknown Defaults settings. This
does not prevent ssuuddoo from running, but the sudoers file should be
checked using vviissuuddoo.
timestamp owner (@timestampowner@): No such user
The time stamp directory owner, which defaults to @timestampowner@ but
which may be specified via the _t_i_m_e_s_t_a_m_p_o_w_n_e_r setting, could not be
found in the password database.
unable to open/read /etc/sudoers
The sudoers file could not be opened for reading. This can happen
when the sudoers file is located on a remote file system that maps
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open
sudoers using group permissions to avoid this problem. Consider
changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like
``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers
file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
unable to stat /etc/sudoers
The _/_e_t_c_/_s_u_d_o_e_r_s file is missing.
/etc/sudoers is not a regular file
The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic
link.
/etc/sudoers is owned by uid N, should be 0
The sudoers file has the wrong owner. If you wish to change the
sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the
user ID that owns the sudoers file) to the ssuuddooeerrss plugin line in the
_/_e_t_c_/_s_u_d_o_._c_o_n_f file.
/etc/sudoers is world writable
The permissions on the sudoers file allow all users to write to it.
The sudoers file must not be world-writable, the default file mode is
0440 (readable by owner and group, writable by none). The default
mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss
plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
/etc/sudoers is owned by gid N, should be 1
The sudoers file has the wrong group ownership. If you wish to change
the sudoers file group ownership, please add ``sudoers_gid=N'' (where
`N' is the group ID that owns the sudoers file) to the ssuuddooeerrss plugin
line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
unable to open /var/adm/sudo/username/ttyname
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file.
unable to write to /var/adm/sudo/username/ttyname
_s_u_d_o_e_r_s was unable to write to the user's time stamp file.
unable to mkdir to /var/adm/sudo/username
_s_u_d_o_e_r_s was unable to create the user's time stamp directory.
NNootteess oonn llooggggiinngg vviiaa ssyysslloogg
By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As
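Review bot: under "problem with defaults entries", "This does not prevent sudo from running" should also say what happens to the unknown settings, namely that they are not applied; a misspelled Defaults option (one meant to tighten behaviour, for instance) then silently has no effect, which is the real reason the text recommends checking with visudo. Also, "is owned by gid N, should be 1" presents the expected group as a fixed 1 while the uid message says "should be 0" and the same entry says the group can be changed with sudoers_gid=N; consider wording the expected value as the configured sudoers group id rather than a literal. Minor: "sudoers file" is italicised in some entries of this new section and left plain in others, the same inconsistency the "command not allowed" hunk above this one fixes.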
@ -1984,4 +2079,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.6b4 July 16, 2012 Sudo 1.8.6b4
Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
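Review bot: this footer hunk bumps the version string from 1.8.6b4 to 1.8.6 but leaves the date at July 16, 2012, and neither is covered by the commit message, which only mentions the fqdn description; if the .cat page is regenerated from the man source, bump the source's date macro along with the content change so the generated page shows when the fqdn text changed, or split the version bump into its own commit so the documentation change stays reviewable on its own.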


@ -639,7 +639,7 @@ fully qualified path name ending in a
When you specify a directory in a
\fRCmnd_List\fR,
the user will be able to run any file within that directory
(but not in any subdirectories therein).
(but not in any sub-directories therein).
.PP
If a
\fRCmnd\fR
@ -666,7 +666,7 @@ option (or as
It may take command line arguments just as a normal command does.
.SS "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more
values at run-time via one or more
\fRDefault_Entry\fR
lines.
These may affect all users on any host, all users on a specific host, a
@ -954,7 +954,7 @@ type is specified with the command it will override any default values
specified in
\fIsudoers\fR.
A role or type specified on the command line,
however, will supercede the values in
however, will supersede the values in
\fIsudoers\fR.
.SS "Solaris_Priv_Spec"
On Solaris systems,
@ -1096,7 +1096,11 @@ Additionally, a user may only run
without a password if the
\fRNOPASSWD\fR
tag is present for all a user's entries that pertain to the current host.
This behavior may be overridden via the verifypw and listpw options.
This behavior may be overridden via the
\fIverifypw\fR
and
\fIlistpw\fR
options.
.PP
\fINOEXEC and EXEC\fR
.PP
@ -1264,7 +1268,7 @@ but not
When matching the command line arguments, however, a slash
\fBdoes\fR
get matched by wildcards since command line arguments may contain
arbitrary strings and not just pathnames.
arbitrary strings and not just path names.
.PP
Wildcards in command line arguments should be used with care.
Because command line arguments are matched as a single, concatenated
@ -1297,7 +1301,7 @@ $ sudo cat /var/log/messages /etc/shadow
.RE
.fi
.PP
which is probaby not what was intended.
which is probably not what was intended.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.TP 10n
@ -1313,7 +1317,7 @@ arguments.
sudoedit
Command line arguments to the
\fIsudoedit\fR
built-in command should always be pathnames, so a forward slash
built-in command should always be path names, so a forward slash
(`/')
will not be matched by a wildcard.
.SS "Including other files from within sudoers"
@ -1505,7 +1509,7 @@ Long lines can be continued with a backslash
(`\e')
as the last character on the line.
.PP
Whitespace between elements in a list as well as special syntactic
White space between elements in a list as well as special syntactic
characters in a
\fIUser Specification\fR
(`=\&',
@ -1677,7 +1681,7 @@ However, since it accesses the file system,
glob(3)
can take a long time to complete for some patterns, especially
when the pattern references a network file system that is mounted
on demand (automounted).
on demand (auto mounted).
The
\fIfast_glob\fR
option causes
@ -1706,27 +1710,71 @@ by default.
fqdn
Set this flag if you want to put fully qualified host names in the
\fIsudoers\fR
file.
file when the local host name (as returned by the
\fRhostname\fR
command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on
This option is only effective when the
``canonical''
host name, as returned by the
\fBgetaddrinfo\fR()
or
\fBgethostbyname\fR()
function, is a fully-qualified domain name.
This is usually the case when the system is configured to use DNS
for host name resolution.
.sp
If the system is configured to use the
\fI/etc/hosts\fR
file in preference to DNS, the
``canonical''
host name may not be fully-qualified.
The order that sources are queried for hosts name resolution
is usually specified in the
\fI@nsswitch_conf@\fR,
\fI@netsvc_conf@\fR,
\fI/etc/host.conf\fR,
or, in some cases,
\fI/etc/resolv.conf\fR
file.
In the
\fI/etc/hosts\fR
file, the first host name of the entry is considered to be the
``canonical''
name; subsequent names are aliases that are not used by
\fBsudoers\fR.
For example, the following hosts file line for the machine
``xyzzy''
has the fully-qualified domain name as the
``canonical''
host name, and the short version as an alias.
.sp
.RS 6n
192.168.1.1 xyzzy.sudo.ws xyzzy
.RE
.sp
If the machine's hosts file entry is not formatted properly, the
\fIfqdn\fR
option will not be effective if it is queried before DNS.
.sp
Beware that when using DNS for host name resolution, turning on
\fIfqdn\fR
requires
\fBsudoers\fR
to make DNS lookups which renders
\fBsudo\fR
to make DNS lookups which may make
\fBsudo\fR
unusable if DNS stops working (for example if the machine is not plugged
into the network).
Also note that you must use the host's official name as DNS knows it.
unusable if DNS stops working (for example if the machine is disconnected
from the network).
Also note that just like with the hosts file, you must use the
``canonical''
name as DNS knows it.
That is, you may not use a host alias
(\fRCNAME\fR
entry)
due to performance issues and the fact that there is no way to get all
aliases from DNS.
If your machine's host name (as returned by the
\fRhostname\fR
command) is already fully qualified you shouldn't need to set
\fIfqdn\fR.
.sp
This flag is
\fI@fqdn@\fR
by default.
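Review bot: "to make DNS lookups which renders sudo unusable if DNS stops working" replaces the earlier hedged "may make" with an unconditional "renders"; unless a failed lookup is always fatal rather than, say, a slow timeout, the hedge was the more accurate wording, so either keep "may make" or state what actually happens on lookup failure. "which renders" also wants a comma before it, and "hosts name resolution" should be "host name resolution" here as in the other two files.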
@ -2194,7 +2242,7 @@ by the
option (defaults to
\fRroot\fR)
instead of the password of the invoking user.
In addition, the timestamp file name will include the target user's name.
In addition, the time stamp file name will include the target user's name.
Note that this flag precludes the use of a uid not listed in the passwd
database as an argument to the
\fB\-u\fR
@ -2350,8 +2398,8 @@ Set this to
to always prompt for a password.
If set to a value less than
\fR0\fR
the user's timestamp will never expire.
This can be used to allow users to create or delete their own timestamps via
the user's time stamp will never expire.
This can be used to allow users to create or delete their own time stamps via
``\fRsudo -v\fR''
and
``\fRsudo -k\fR''
@ -2632,12 +2680,12 @@ Defaults to
timestampdir
The directory in which
\fBsudo\fR
stores its timestamp files.
stores its time stamp files.
The default is
\fI@timedir@\fR.
.TP 18n
timestampowner
The owner of the timestamp directory and the timestamps stored therein.
The owner of the time stamp directory and the time stamps stored therein.
The default is
\fRroot\fR.
.TP 18n
@ -2647,7 +2695,7 @@ context to run the command.
The default type may be overridden on a per-command basis in
\fIsudoers\fR
or via command line options.
This option is only available whe
This option is only available when
\fBsudo\fR
is built with SELinux support.
.PP
@ -3008,7 +3056,7 @@ can log events using either
syslog(3)
or a simple log file.
In each case the log format is almost identical.
.SS "Command log entries"
.SS "Accepted command log entries"
Commands that sudo runs are logged using the following format (split
into multiple lines for readability):
.nf
@ -3095,10 +3143,10 @@ Messages are logged using the locale specified by
which defaults to the
``\fRC\fR''
locale.
.SS "Error log entries"
If there was a problem running the command, an error string will follow
the user name.
Possible errors include:
.SS "Denied command log entries"
If the user is not allowed to run the command, the reason for the denial
will follow the user name.
Possible reasons include:
.TP 3n
user NOT in sudoers
The user is not listed in the
@ -3112,7 +3160,7 @@ file but is not allowed to run commands on the host.
.TP 3n
command not allowed
The user is listed in the
sudoers
\fIsudoers\fR
file for the host but they are not allowed to run the specified command.
.TP 3n
3 incorrect password attempts
@ -3126,6 +3174,114 @@ a password is required
\fBsudo\fR's
\fB\-n\fR
option was specified but a password was required.
.TP 3n
sorry, you are not allowed to set the following environment variables
The user specified environment variables on the command line that
were not allowed by
\fIsudoers\fR.
.SS "Error log entries"
If an error occurs,
\fBsudoers\fR
will log a message and, in most cases, send a message to the
administrator via email.
Possible errors include:
.TP 3n
parse error in @sysconfdir@/sudoers near line N
\fBsudoers\fR
encountered an error when parsing the specified file.
In some cases, the actual error may be one line above or below the
line number listed, depending on the type of error.
.TP 3n
problem with defaults entries
The sudoers file contains one or more unknown Defaults settings.
This does not prevent
\fBsudo\fR
from running, but the sudoers file should be checked using
\fBvisudo\fR.
.TP 3n
timestamp owner (@timestampowner@): \&No such user
The time stamp directory owner, which defaults to
@timestampowner@ but which may be specified via the
\fItimestampowner\fR
setting, could not be found in the password database.
.TP 3n
unable to open/read @sysconfdir@/sudoers
The sudoers file could not be opened for reading.
This can happen when the sudoers file is located on a remote
file system that maps user ID 0 to a different value.
Normally,
\fBsudoers\fR
tries to open sudoers using group permissions to avoid this problem.
Consider changing the ownership of
\fI@sysconfdir@/sudoers\fR
by adding an option like
``sudoers_uid=N''
(where
`N'
is the user ID that owns the sudoers file)
to the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
file.
.TP 3n
unable to stat @sysconfdir@/sudoers
The
\fI@sysconfdir@/sudoers\fR
file is missing.
.TP 3n
@sysconfdir@/sudoers is not a regular file
The
\fI@sysconfdir@/sudoers\fR
file exists but is not a regular file or symbolic link.
.TP 3n
@sysconfdir@/sudoers is owned by uid N, should be 0
The sudoers file has the wrong owner.
If you wish to change the sudoers file owner, please add
``sudoers_uid=N''
(where
`N'
is the user ID that owns the sudoers file) to the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
file.
.TP 3n
@sysconfdir@/sudoers is world writable
The permissions on the sudoers file allow all users to write to it.
The sudoers file must not be world-writable, the default file mode
is 0440 (readable by owner and group, writable by none).
The default mode may be changed via the
``sudoers_mode''
option to the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
file.
.TP 3n
@sysconfdir@/sudoers is owned by gid N, should be 1
The sudoers file has the wrong group ownership.
If you wish to change the sudoers file group ownership, please add
``sudoers_gid=N''
(where
`N'
is the group ID that owns the sudoers file) to the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
file.
.TP 3n
unable to open @timedir@/username/ttyname
\fIsudoers\fR
was unable to read or create the user's time stamp file.
.TP 3n
unable to write to @timedir@/username/ttyname
\fIsudoers\fR
was unable to write to the user's time stamp file.
.TP 3n
unable to mkdir to @timedir@/username
\fIsudoers\fR
was unable to create the user's time stamp directory.
.SS "Notes on logging via syslog"
By default,
\fIsudoers\fR
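Review bot: the three time stamp entries at the end ("unable to open ...", "unable to write to ...", "unable to mkdir to ...") write the plugin name as \fIsudoers\fR, whereas every other entry in this new section uses \fBsudoers\fR for the plugin and reserves italics for the file; since these sentences describe the plugin acting ("was unable to create the user's time stamp directory"), they should be bold as well. Also "world writable" in the message heading and "world-writable" in the body of the same entry differ in hyphenation; if the heading quotes the literal log string it should stay as emitted, otherwise align the two.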


@ -1608,18 +1608,63 @@ by default.
.It fqdn
Set this flag if you want to put fully qualified host names in the
.Em sudoers
file.
file when the local host name (as returned by the
.Li hostname
command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on
This option is only effective when the
.Dq canonical
host name, as returned by the
.Fn getaddrinfo
or
.Fn gethostbyname
function, is a fully-qualified domain name.
This is usually the case when the system is configured to use DNS
for host name resolution.
.Pp
If the system is configured to use the
.Pa /etc/hosts
file in preference to DNS, the
.Dq canonical
host name may not be fully-qualified.
The order that sources are queried for hosts name resolution
is usually specified in the
.Pa @nsswitch_conf@ ,
.Pa @netsvc_conf@ ,
.Pa /etc/host.conf ,
or, in some cases,
.Pa /etc/resolv.conf
file.
In the
.Pa /etc/hosts
file, the first host name of the entry is considered to be the
.Dq canonical
name; subsequent names are aliases that are not used by
.Nm sudoers .
For example, the following hosts file line for the machine
.Dq xyzzy
has the fully-qualified domain name as the
.Dq canonical
host name, and the short version as an alias.
.sp
.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
.sp
If the machine's hosts file entry is not formatted properly, the
.Em fqdn
option will not be effective if it is queried before DNS.
.Pp
Beware that when using DNS for host name resolution, turning on
.Em fqdn
requires
.Nm sudoers
to make DNS lookups which renders
.Nm sudo
to make DNS lookups which may make
.Nm sudo
unusable if DNS stops working (for example if the machine is not plugged
into the network).
Also note that you must use the host's official name as DNS knows it.
unusable if DNS stops working (for example if the machine is disconnected
from the network).
Also note that just like with the hosts file, you must use the
.Dq canonical
name as DNS knows it.
That is, you may not use a host alias
.Po
.Li CNAME
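Review bot: the example display uses the raw roff request ".sp" before and after ".Dl 192.168.1.1 xyzzy.sudo.ws xyzzy" while the surrounding paragraphs use the mdoc ".Pp" macro; ".Dl" already sets the line off as a one-line literal display, so the ".sp" lines can be replaced with ".Pp" (or dropped) to keep the file to mdoc macros as the rest of this block is. The "hosts name resolution" typo is present in this copy as well.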
@ -1627,10 +1672,7 @@ entry
.Pc
due to performance issues and the fact that there is no way to get all
aliases from DNS.
If your machine's host name (as returned by the
.Li hostname
command) is already fully qualified you shouldn't need to set
.Em fqdn .
.Pp
This flag is
.Em @fqdn@
by default.