mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 13:28:10 +00:00
Code Issues Releases Wiki Activity

Build .man.in and .cat files from .mdoc.in files.

Browse Source 
Add new --with-man and --with-mdoc configure options.
This commit is contained in:
Todd C. Miller 2012-07-19 13:41:14 -04:00
parent 0d8aa46bb1
commit 90f2cfa589
24 changed files with 11796 additions and 8617 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
INSTALL
View File

@ -348,6 +348,16 @@ Special features/options:
Enable support for role based access control (RBAC) on Enable support for role based access control (RBAC) on
systems that support SELinux. systems that support SELinux.
--with-man
Use the "man" macros for manual pages. By default, mdoc
versions of the manuals are installed. This can be used
to override configure's test for "nroff -mdoc" support.
--with-mdoc
Use the "mdoc" macros for manual pages. By default, mdoc
versions of the manuals are installed. This can be used
to override configure's test for "nroff -mdoc" support.
The following options are also configurable at runtime: The following options are also configurable at runtime:
--with-long-otp-prompt --with-long-otp-prompt

14
MANIFEST
View File

@ -81,24 +81,22 @@ doc/schema.OpenLDAP
doc/schema.iPlanet doc/schema.iPlanet
doc/sudo.cat doc/sudo.cat
doc/sudo.man.in doc/sudo.man.in
doc/sudo.man.pl doc/sudo.mdoc.in
doc/sudo.pod
doc/sudo_plugin.cat doc/sudo_plugin.cat
doc/sudo_plugin.man.in doc/sudo_plugin.man.in
doc/sudo_plugin.pod doc/sudo_plugin.mdoc.in
doc/sudoers.cat doc/sudoers.cat
doc/sudoers.ldap.cat doc/sudoers.ldap.cat
doc/sudoers.ldap.man.in doc/sudoers.ldap.man.in
doc/sudoers.ldap.pod doc/sudoers.ldap.mdoc.in
doc/sudoers.man.in doc/sudoers.man.in
doc/sudoers.man.pl doc/sudoers.mdoc.in
doc/sudoers.pod
doc/sudoreplay.cat doc/sudoreplay.cat
doc/sudoreplay.man.in doc/sudoreplay.man.in
doc/sudoreplay.pod doc/sudoreplay.mdoc.in
doc/visudo.cat doc/visudo.cat
doc/visudo.man.in doc/visudo.man.in
doc/visudo.pod doc/visudo.mdoc.in
include/Makefile.in include/Makefile.in
include/alloc.h include/alloc.h
include/error.h include/error.h

3
NEWS
View File

@ -33,6 +33,9 @@ What's new in Sudo 1.8.6?
of "N incorrect password attempts". Likewise, the "mail_no_perms" of "N incorrect password attempts". Likewise, the "mail_no_perms"
sudoers option now takes precedence over "mail_badpass". sudoers option now takes precedence over "mail_badpass".
* The sudo manuals are now formatted in mdoc. Versions using the
legacy man macros are provided for systems that lack mdoc.
What's new in Sudo 1.8.5p2? What's new in Sudo 1.8.5p2?
* Fixed use of the SUDO_ASKPASS environment variable which was * Fixed use of the SUDO_ASKPASS environment variable which was

70
configure vendored
View File

@ -731,6 +731,7 @@ SUDOERS_MODE
SHLIB_MODE SHLIB_MODE
MANCOMPRESSEXT MANCOMPRESSEXT
MANCOMPRESS MANCOMPRESS
MANDIRTYPE
MANTYPE MANTYPE
AUTH_OBJS AUTH_OBJS
OSDEFS OSDEFS
@ -871,6 +872,8 @@ with_interfaces
with_stow with_stow
with_askpass with_askpass
with_plugindir with_plugindir
with_man
with_mdoc
enable_authentication enable_authentication
enable_root_mailer enable_root_mailer
enable_setreuid enable_setreuid
@ -1655,6 +1658,8 @@ Optional Packages:
--with-stow deprecated --with-stow deprecated
--with-askpass=PATH Fully qualified pathname of askpass helper --with-askpass=PATH Fully qualified pathname of askpass helper
--with-plugindir set directory to load plugins from --with-plugindir set directory to load plugins from
--with-man manual pages use man macros
--with-mdoc manual pages use mdoc macros
--with-selinux enable SELinux support --with-selinux enable SELinux support
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both] both]
@ -2899,6 +2904,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
# #
@ -2946,7 +2952,7 @@ secure_path="not set"
INSTALL_NOEXEC= INSTALL_NOEXEC=
devdir='$(srcdir)' devdir='$(srcdir)'
PROGS="sudo" PROGS="sudo"
: ${MANTYPE='man'} : ${MANDIRTYPE='man'}
: ${mansrcdir='.'} : ${mansrcdir='.'}
: ${SHLIB_MODE='0644'} : ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'} : ${SUDOERS_MODE='0440'}
@ -5208,6 +5214,34 @@ fi
# Check whether --with-man was given.
if test "${with_man+set}" = set; then :
withval=$with_man; case $with_man in
yes) MANTYPE=man
;;
no) as_fn_error $? "\"--without-man not supported.\"" "$LINENO" 5
;;
*) as_fn_error $? "\"ignoring unknown argument to --with-man: $with_man.\"" "$LINENO" 5
;;
esac
fi
# Check whether --with-mdoc was given.
if test "${with_mdoc+set}" = set; then :
withval=$with_mdoc; case $with_mdoc in
yes) MANTYPE=mdoc
;;
no) as_fn_error $? "\"--without-mdoc not supported.\"" "$LINENO" 5
;;
*) as_fn_error $? "\"ignoring unknown argument to --with-mdoc: $with_mdoc.\"" "$LINENO" 5
;;
esac
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to do user authentication by default" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to do user authentication by default" >&5
$as_echo_n "checking whether to do user authentication by default... " >&6; } $as_echo_n "checking whether to do user authentication by default... " >&6; }
# Check whether --enable-authentication was given. # Check whether --enable-authentication was given.
@ -13649,7 +13683,7 @@ $as_echo "no" >&6; }
fi fi
for ac_prog in nroff mandoc for ac_prog in mandoc nroff
do do
# Extract the first word of "$ac_prog", so it can be a program name with args. # Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2 set dummy $ac_prog; ac_word=$2
@ -13692,6 +13726,29 @@ fi
done done
if test -n "$NROFFPROG"; then if test -n "$NROFFPROG"; then
test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which macro set to use for manual pages" >&5
$as_echo_n "checking which macro set to use for manual pages... " >&6; }
if ${sudo_cv_var_mantype+:} false; then :
$as_echo_n "(cached) " >&6
else
sudo_cv_var_mantype="man"
if test "$NROFFPROG" != "no"; then
echo ".Sh NAME" > conftest
echo ".Nm sudo" >> conftest
echo ".Nd sudo" >> conftest
echo ".Sh DESCRIPTION" >> conftest
echo "sudo" >> conftest
if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
sudo_cv_var_mantype="mdoc"
fi
rm -f conftest
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5
$as_echo "$sudo_cv_var_mantype" >&6; }
MANTYPE="$sudo_cv_var_mantype"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -c option" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -c option" >&5
$as_echo_n "checking whether $NROFFPROG supports the -c option... " >&6; } $as_echo_n "checking whether $NROFFPROG supports the -c option... " >&6; }
if ${sudo_cv_var_nroff_opt_c+:} false; then : if ${sudo_cv_var_nroff_opt_c+:} false; then :
@ -13719,15 +13776,16 @@ else
else else
sudo_cv_var_nroff_opt_Tascii=no sudo_cv_var_nroff_opt_Tascii=no
fi fi
if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
NROFFPROG="$NROFFPROG -Tascii"
fi
fi fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_Tascii" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_Tascii" >&5
$as_echo "$sudo_cv_var_nroff_opt_Tascii" >&6; } $as_echo "$sudo_cv_var_nroff_opt_Tascii" >&6; }
if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
NROFFPROG="$NROFFPROG -Tascii"
fi
else else
MANTYPE="cat" MANTYPE=cat
MANDIRTYPE=cat
mansrcdir='$(srcdir)' mansrcdir='$(srcdir)'
fi fi

51
configure.in
View File

@ -38,6 +38,7 @@ AC_SUBST([GETGROUPS_LIB])
AC_SUBST([OSDEFS]) AC_SUBST([OSDEFS])
AC_SUBST([AUTH_OBJS]) AC_SUBST([AUTH_OBJS])
AC_SUBST([MANTYPE]) AC_SUBST([MANTYPE])
AC_SUBST([MANDIRTYPE])
AC_SUBST([MANCOMPRESS]) AC_SUBST([MANCOMPRESS])
AC_SUBST([MANCOMPRESSEXT]) AC_SUBST([MANCOMPRESSEXT])
AC_SUBST([SHLIB_MODE]) AC_SUBST([SHLIB_MODE])
@ -164,7 +165,7 @@ dnl
INSTALL_NOEXEC= INSTALL_NOEXEC=
devdir='$(srcdir)' devdir='$(srcdir)'
PROGS="sudo" PROGS="sudo"
: ${MANTYPE='man'} : ${MANDIRTYPE='man'}
: ${mansrcdir='.'} : ${mansrcdir='.'}
: ${SHLIB_MODE='0644'} : ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'} : ${SUDOERS_MODE='0440'}
@ -1112,6 +1113,26 @@ AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to loa
*) ;; *) ;;
esac], [with_plugindir="$libexecdir"]) esac], [with_plugindir="$libexecdir"])
AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])],
[case $with_man in
yes) MANTYPE=man
;;
no) AC_MSG_ERROR(["--without-man not supported."])
;;
*) AC_MSG_ERROR(["ignoring unknown argument to --with-man: $with_man."])
;;
esac])
AC_ARG_WITH(mdoc, [AS_HELP_STRING([--with-mdoc], [manual pages use mdoc macros])],
[case $with_mdoc in
yes) MANTYPE=mdoc
;;
no) AC_MSG_ERROR(["--without-mdoc not supported."])
;;
*) AC_MSG_ERROR(["ignoring unknown argument to --with-mdoc: $with_mdoc."])
;;
esac])
dnl dnl
dnl Options for --enable dnl Options for --enable
dnl dnl
@ -1428,8 +1449,25 @@ dnl Find programs we use
dnl dnl
AC_CHECK_PROG(UNAMEPROG, [uname], [uname]) AC_CHECK_PROG(UNAMEPROG, [uname], [uname])
AC_CHECK_PROG(TRPROG, [tr], [tr]) AC_CHECK_PROG(TRPROG, [tr], [tr])
AC_CHECK_PROGS(NROFFPROG, [nroff mandoc]) AC_CHECK_PROGS(NROFFPROG, [mandoc nroff])
if test -n "$NROFFPROG"; then if test -n "$NROFFPROG"; then
test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
AC_CACHE_CHECK([which macro set to use for manual pages],
[sudo_cv_var_mantype],
[sudo_cv_var_mantype="man"
if test "$NROFFPROG" != "no"; then
echo ".Sh NAME" > conftest
echo ".Nm sudo" >> conftest
echo ".Nd sudo" >> conftest
echo ".Sh DESCRIPTION" >> conftest
echo "sudo" >> conftest
if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
sudo_cv_var_mantype="mdoc"
fi
rm -f conftest
fi]
)
MANTYPE="$sudo_cv_var_mantype"
AC_CACHE_CHECK([whether $NROFFPROG supports the -c option], AC_CACHE_CHECK([whether $NROFFPROG supports the -c option],
[sudo_cv_var_nroff_opt_c], [sudo_cv_var_nroff_opt_c],
[if $NROFFPROG -c </dev/null >/dev/null 2>&1; then [if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
@ -1441,6 +1479,9 @@ if test -n "$NROFFPROG"; then
if test "$sudo_cv_var_nroff_opt_c" = "yes"; then if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
NROFFPROG="$NROFFPROG -c" NROFFPROG="$NROFFPROG -c"
fi fi
dnl
dnl This test will fail for mandoc but it is the default anyway...
dnl
AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option], AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option],
[sudo_cv_var_nroff_opt_Tascii], [sudo_cv_var_nroff_opt_Tascii],
[if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then [if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
@ -1448,12 +1489,13 @@ if test -n "$NROFFPROG"; then
else else
sudo_cv_var_nroff_opt_Tascii=no sudo_cv_var_nroff_opt_Tascii=no
fi] fi]
)
if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
NROFFPROG="$NROFFPROG -Tascii" NROFFPROG="$NROFFPROG -Tascii"
fi fi
)
else else
MANTYPE="cat" MANTYPE=cat
MANDIRTYPE=cat
mansrcdir='$(srcdir)' mansrcdir='$(srcdir)'
fi fi
@ -3451,7 +3493,6 @@ test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/
dnl dnl
dnl Substitute into the Makefile and man pages dnl Substitute into the Makefile and man pages
dnl dnl
dnl AC_CONFIG_FILES([doc/sudo.man doc/visudo.man doc/sudoers.man doc/sudoers.ldap.man doc/sudoreplay.man src/Makefile src/sudo_usage.h])
AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers]) AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
AC_OUTPUT AC_OUTPUT

101
doc/Makefile.in
View File

@ -48,8 +48,8 @@ mandir = @mandir@
mantype = @MANTYPE@ mantype = @MANTYPE@
mansectsu = @mansectsu@ mansectsu = @mansectsu@
mansectform = @mansectform@ mansectform = @mansectform@
mandirsu = $(mandir)/$(mantype)$(mansectsu) mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu)
mandirform = $(mandir)/$(mantype)$(mansectform) mandirform = $(mandir)/@MANDIRTYPE@$(mansectform)
# User and group ids the installed files should be "owned" by # User and group ids the installed files should be "owned" by
install_uid = 0 install_uid = 0
@ -62,8 +62,9 @@ DEVEL = @DEVEL@
SHELL = @SHELL@ SHELL = @SHELL@
DOCS = sudo.man visudo.man sudoers.man sudoers.ldap.man sudoers.man \ DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \
sudoreplay.man sudo_plugin.man sudoers.ldap.$(mantype) sudoers.$(mantype) \
sudoreplay.$(mantype) sudo_plugin.$(mantype)
DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \ DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
$(srcdir)/visudo.man.in $(srcdir)/visudo.cat \ $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \
@ -93,116 +94,146 @@ Makefile: $(srcdir)/Makefile.in
varsub: $(top_srcdir)/configure.in varsub: $(top_srcdir)/configure.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; \ printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \
sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \ sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
fi fi
$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod $(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo.pod > $@; \ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudo.man.pl >> $@; \ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi fi
sudo.man: $(srcdir)/sudo.man.in sudo.man: $(srcdir)/sudo.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in sudo.mdoc: $(srcdir)/sudo.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@; \ sed -f varsub $(srcdir)/sudo.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi fi
$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod $(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/visudo.pod > $@; \ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/visudo.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi fi
visudo.man: $(srcdir)/visudo.man.in visudo.man: $(srcdir)/visudo.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in visudo.mdoc: $(srcdir)/visudo.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@; \ sed -f varsub $(srcdir)/visudo.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi fi
$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod $(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.pod > $@; \ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudoers.man.pl >> $@; \ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi fi
sudoers.man: $(srcdir)/sudoers.man.in sudoers.man: $(srcdir)/sudoers.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in sudoers.mdoc: $(srcdir)/sudoers.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@; \ sed -f varsub $(srcdir)/sudoers.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi fi
$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod $(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.ldap.pod > $@; \ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.ldap.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi fi
sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in sudoers.ldap.mdoc: $(srcdir)/sudoers.ldap.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@; \ sed -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi fi
$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod $(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoreplay.pod > $@; \ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoreplay.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi fi
sudoreplay.man: $(srcdir)/sudoreplay.man.in sudoreplay.man: $(srcdir)/sudoreplay.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in sudoreplay.mdoc: $(srcdir)/sudoreplay.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@; \ sed -f varsub $(srcdir)/sudoreplay.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi fi
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod $(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo_plugin.pod > $@; \ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo_plugin.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi fi
sudo_plugin.man: $(srcdir)/sudo_plugin.man.in sudo_plugin.man: $(srcdir)/sudo_plugin.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.man.in sudo_plugin.mdoc: $(srcdir)/sudo_plugin.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \ @if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \ echo "Generating $@"; \
sed -f varsub $(srcdir)/sudo_plugin.man.in | $(NROFF) -man > $@; \ sed -f varsub $(srcdir)/sudo_plugin.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi fi
CONTRIBUTORS: $(srcdir)/contributors.pod CONTRIBUTORS: $(srcdir)/contributors.pod

536
doc/sudo.cat
View File

@ -1,25 +1,20 @@
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) System Manager's Manual SUDO(1m)
NNAAMMEE NNAAMMEE
sudo, sudoedit - execute a command as another user ssuuddoo, ssuuddooeeddiitt - execute a command as another user
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
ssuuddoo --hh | --KK | --kk | --VV ssuuddoo --hh | --KK | --kk | --VV
ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t]
[--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d]
ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t]
ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t]
[--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d] [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d]
ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-]
[--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e]
[--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d]
ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-]
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file
...
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or
@ -29,98 +24,95 @@ DDEESSCCRRIIPPTTIIOONN
based on the group database (unless the --PP option was specified). based on the group database (unless the --PP option was specified).
ssuuddoo supports a plugin architecture for security policies and ssuuddoo supports a plugin architecture for security policies and
input/output logging. Third parties can develop and distribute their input/output logging. Third parties can develop and distribute their own
own policy and I/O logging modules to work seamlessly with the ssuuddoo policy and I/O logging modules to work seamlessly with the ssuuddoo front
front end. The default security policy is _s_u_d_o_e_r_s, which is configured end. The default security policy is _s_u_d_o_e_r_s, which is configured via the
via the file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the PLUGINS section for file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more
more information. information.
The security policy determines what privileges, if any, a user has to The security policy determines what privileges, if any, a user has to run
run ssuuddoo. The policy may require that users authenticate themselves ssuuddoo. The policy may require that users authenticate themselves with a
with a password or another authentication mechanism. If authentication password or another authentication mechanism. If authentication is
is required, ssuuddoo will exit if the user's password is not entered required, ssuuddoo will exit if the user's password is not entered within a
within a configurable time limit. This limit is policy-specific; the configurable time limit. This limit is policy-specific; the default
default password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes.
minutes.
Security policies may support credential caching to allow the user to Security policies may support credential caching to allow the user to run
run ssuuddoo again for a period of time without requiring authentication. ssuuddoo again for a period of time without requiring authentication. The
The _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in
in _s_u_d_o_e_r_s(4). By running ssuuddoo with the --vv option, a user can update sudoers(4). By running ssuuddoo with the --vv option, a user can update the
the cached credentials without running a _c_o_m_m_a_n_d. cached credentials without running a _c_o_m_m_a_n_d.
When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied.
Security policies may log successful and failed attempts to use ssuuddoo. Security policies may log successful and failed attempts to use ssuuddoo. If
If an I/O plugin is configured, the running command's input and output an I/O plugin is configured, the running command's input and output may
may be logged as well. be logged as well.
OOPPTTIIOONNSS OOPPTTIIOONNSS
ssuuddoo accepts the following command line options: ssuuddoo accepts the following command line options:
-A Normally, if ssuuddoo requires a password, it will read it from --AA Normally, if ssuuddoo requires a password, it will read it from
the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is
specified, a (possibly graphical) helper program is specified, a (possibly graphical) helper program is executed
executed to read the user's password and output the to read the user's password and output the password to the
password to the standard output. If the SUDO_ASKPASS standard output. If the SUDO_ASKPASS environment variable is
environment variable is set, it specifies the path to the set, it specifies the path to the helper program. Otherwise,
helper program. Otherwise, if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass
line specifying the askpass program, that value will be program, that value will be used. For example:
used. For example:
# Path to askpass helper program # Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo will exit with an If no askpass program is available, ssuuddoo will exit with an
error. error.
-a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the --aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the
specified authentication type when validating the user, as specified authentication type when validating the user, as
allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may
specify a list of sudo-specific authentication methods by specify a list of sudo-specific authentication methods by
adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This adding an ``auth-sudo'' entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This
option is only available on systems that support BSD option is only available on systems that support BSD
authentication. authentication.
-b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given --bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given
command in the background. Note that if you use the --bb command in the background. Note that if you use the --bb
option you cannot use shell job control to manipulate the option you cannot use shell job control to manipulate the
process. Most interactive commands will fail to work process. Most interactive commands will fail to work
properly in background mode. properly in background mode.
-C _f_d Normally, ssuuddoo will close all open file descriptors other --CC _f_d Normally, ssuuddoo will close all open file descriptors other
than standard input, standard output and standard error. than standard input, standard output and standard error. The
The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting
starting point above the standard error (file descriptor point above the standard error (file descriptor three).
three). Values less than three are not permitted. The Values less than three are not permitted. The security
security policy may restrict the user's ability to use the policy may restrict the user's ability to use the --CC option.
--CC option. The _s_u_d_o_e_r_s policy only permits use of the --CC The _s_u_d_o_e_r_s policy only permits use of the --CC option when the
option when the administrator has enabled the administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option.
_c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option.
-c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified --cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
command with resources limited by the specified login command with resources limited by the specified login class.
class. The _c_l_a_s_s argument can be either a class name as The _c_l_a_s_s argument can be either a class name as defined in
defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a
Specifying a _c_l_a_s_s of - indicates that the command should _c_l_a_s_s of - indicates that the command should be run
be run restricted by the default login capabilities for the restricted by the default login capabilities for the user the
user the command is run as. If the _c_l_a_s_s argument command is run as. If the _c_l_a_s_s argument specifies an
specifies an existing user class, the command must be run existing user class, the command must be run as root, or the
as root, or the ssuuddoo command must be run from a shell that ssuuddoo command must be run from a shell that is already root.
is already root. This option is only available on systems This option is only available on systems with BSD login
with BSD login classes. classes.
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the --EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the
security policy that the user wishes to preserve their security policy that the user wishes to preserve their
existing environment variables. The security policy may existing environment variables. The security policy may
return an error if the --EE option is specified and the user return an error if the --EE option is specified and the user
does not have permission to preserve the environment. does not have permission to preserve the environment.
-e The --ee (_e_d_i_t) option indicates that, instead of running a --ee The --ee (_e_d_i_t) option indicates that, instead of running a
command, the user wishes to edit one or more files. In command, the user wishes to edit one or more files. In lieu
lieu of a command, the string "sudoedit" is used when of a command, the string "sudoedit" is used when consulting
consulting the security policy. If the user is authorized the security policy. If the user is authorized by the
by the policy, the following steps are taken: policy, the following steps are taken:
1. Temporary copies are made of the files to be edited 1. Temporary copies are made of the files to be edited
with the owner set to the invoking user. with the owner set to the invoking user.
@ -130,197 +122,191 @@ OOPPTTIIOONNSS
SUDO_EDITOR, VISUAL and EDITOR environment variables SUDO_EDITOR, VISUAL and EDITOR environment variables
(in that order). If none of SUDO_EDITOR, VISUAL or (in that order). If none of SUDO_EDITOR, VISUAL or
EDITOR are set, the first program listed in the _e_d_i_t_o_r EDITOR are set, the first program listed in the _e_d_i_t_o_r
_s_u_d_o_e_r_s(4) option is used. sudoers(4) option is used.
3. If they have been modified, the temporary files are 3. If they have been modified, the temporary files are
copied back to their original location and the copied back to their original location and the
temporary versions are removed. temporary versions are removed.
If the specified file does not exist, it will be created. If the specified file does not exist, it will be created.
Note that unlike most commands run by ssuuddoo, the editor is Note that unlike most commands run by _s_u_d_o, the editor is run
run with the invoking user's environment unmodified. If, with the invoking user's environment unmodified. If, for
for some reason, ssuuddoo is unable to update a file with its some reason, ssuuddoo is unable to update a file with its edited
edited version, the user will receive a warning and the version, the user will receive a warning and the edited copy
edited copy will remain in a temporary file. will remain in a temporary file.
-g _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to --gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to
the one specified by the password database for the user the the one specified by the password database for the user the
command is being run as (by default, root). The --gg (_g_r_o_u_p) command is being run as (by default, root). The --gg (_g_r_o_u_p)
option causes ssuuddoo to run the command with the primary option causes ssuuddoo to run the command with the primary group
group set to _g_r_o_u_p instead. To specify a _g_i_d instead of a set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p
_g_r_o_u_p _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells
shells require that the '#' be escaped with a backslash require that the `#' be escaped with a backslash (`\'). If
('\'). If no --uu option is specified, the command will be no --uu option is specified, the command will be run as the
run as the invoking user (not root). In either case, the invoking user (not root). In either case, the primary group
primary group will be set to _g_r_o_u_p. will be set to _g_r_o_u_p.
-H The --HH (_H_O_M_E) option requests that the security policy set --HH The --HH (_H_O_M_E) option requests that the security policy set
the HOME environment variable to the home directory of the the HOME environment variable to the home directory of the
target user (root by default) as specified by the password target user (root by default) as specified by the password
database. Depending on the policy, this may be the default database. Depending on the policy, this may be the default
behavior. behavior.
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a short help --hh The --hh (_h_e_l_p) option causes ssuuddoo to print a short help
message to the standard output and exit. message to the standard output and exit.
-i [command] --ii [_c_o_m_m_a_n_d]
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
specified by the password database entry of the target user specified by the password database entry of the target user
as a login shell. This means that login-specific resource as a login shell. This means that login-specific resource
files such as .profile or .login will be read by the shell. files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be read by the shell.
If a command is specified, it is passed to the shell for If a command is specified, it is passed to the shell for
execution via the shell's --cc option. If no command is execution via the shell's --cc option. If no command is
specified, an interactive shell is executed. ssuuddoo attempts specified, an interactive shell is executed. ssuuddoo attempts
to change to that user's home directory before running the to change to that user's home directory before running the
shell. The security policy shall initialize the shell. The security policy shall initialize the environment
environment to a minimal set of variables, similar to what to a minimal set of variables, similar to what is present
is present when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the
section in the _s_u_d_o_e_r_s(4) manual documents how the --ii sudoers(4) manual documents how the --ii option affects the
option affects the environment in which a command is run environment in which a command is run when the _s_u_d_o_e_r_s policy
when the _s_u_d_o_e_r_s policy is in use. is in use.
-K The --KK (sure _k_i_l_l) option is like --kk except that it removes --KK The --KK (sure _k_i_l_l) option is like --kk except that it removes
the user's cached credentials entirely and may not be used the user's cached credentials entirely and may not be used in
in conjunction with a command or other option. This option conjunction with a command or other option. This option does
does not require a password. Not all security policies not require a password. Not all security policies support
support credential caching. credential caching.
-k [command] --kk [_c_o_m_m_a_n_d]
When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the
the user's cached credentials. The next time ssuuddoo is run a user's cached credentials. The next time ssuuddoo is run a
password will be required. This option does not require a password will be required. This option does not require a
password and was added to allow a user to revoke ssuuddoo password and was added to allow a user to revoke ssuuddoo
permissions from a .logout file. Not all security policies permissions from a _._l_o_g_o_u_t file. Not all security policies
support credential caching. support credential caching.
When used in conjunction with a command or an option that When used in conjunction with a command or an option that may
may require a password, the --kk option will cause ssuuddoo to require a password, the --kk option will cause ssuuddoo to ignore
ignore the user's cached credentials. As a result, ssuuddoo the user's cached credentials. As a result, ssuuddoo will prompt
will prompt for a password (if one is required by the for a password (if one is required by the security policy)
security policy) and will not update the user's cached and will not update the user's cached credentials.
credentials.
-l[l] [_c_o_m_m_a_n_d] --ll[ll] [_c_o_m_m_a_n_d]
If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list
the allowed (and forbidden) commands for the invoking user the allowed (and forbidden) commands for the invoking user
(or the user specified by the --UU option) on the current (or the user specified by the --UU option) on the current host.
host. If a _c_o_m_m_a_n_d is specified and is permitted by the If a _c_o_m_m_a_n_d is specified and is permitted by the security
security policy, the fully-qualified path to the command is policy, the fully-qualified path to the command is displayed
displayed along with any command line arguments. If along with any command line arguments. If _c_o_m_m_a_n_d is
_c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a specified but not allowed, ssuuddoo will exit with a status value
status value of 1. If the --ll option is specified with an ll of 1. If the --ll option is specified with an _l argument (i.e.
argument (i.e. --llll), or if --ll is specified multiple times, --llll), or if --ll is specified multiple times, a longer list
a longer list format is used. format is used.
-n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from --nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting
prompting the user for a password. If a password is the user for a password. If a password is required for the
required for the command to run, ssuuddoo will display an error command to run, ssuuddoo will display an error message and exit.
message and exit.
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to --PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve
preserve the invoking user's group vector unaltered. By the invoking user's group vector unaltered. By default, the
default, the _s_u_d_o_e_r_s policy will initialize the group _s_u_d_o_e_r_s policy will initialize the group vector to the list
vector to the list of groups the target user is in. The of groups the target user is in. The real and effective
real and effective group IDs, however, are still set to group IDs, however, are still set to match the target user.
match the target user.
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default --pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following password prompt and use a custom one. The following percent
percent (`%') escapes are supported by the _s_u_d_o_e_r_s policy: (`%') escapes are supported by the _s_u_d_o_e_r_s policy:
%H expanded to the host name including the domain name (on %H expanded to the host name including the domain name (on
if the machine's host name is fully qualified or the if the machine's host name is fully qualified or the _f_q_d_n
_f_q_d_n option is set in _s_u_d_o_e_r_s(4)) option is set in sudoers(4))
%h expanded to the local host name without the domain name %h expanded to the local host name without the domain name
%p expanded to the name of the user whose password is %p expanded to the name of the user whose password is being
being requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w
_r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s(4)) flags in sudoers(4))
%U expanded to the login name of the user the command will %U expanded to the login name of the user the command will
be run as (defaults to root unless the --uu option is be run as (defaults to root unless the --uu option is also
also specified) specified)
%u expanded to the invoking user's login name %u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a %% two consecutive % characters are collapsed into a single
single % character % character
The prompt specified by the --pp option will override the The prompt specified by the --pp option will override the
system password prompt on systems that support PAM unless system password prompt on systems that support PAM unless the
the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
-r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security --rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security
context to have the role specified by _r_o_l_e. context to have the role specified by _r_o_l_e.
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from --SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from
the standard input instead of the terminal device. The the standard input instead of the terminal device. The
password must be followed by a newline character. password must be followed by a newline character.
-s [command] --ss [_c_o_m_m_a_n_d]
The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL
environment variable if it is set or the shell as specified environment variable if it is set or the shell as specified
in the password database. If a command is specified, it is in the password database. If a command is specified, it is
passed to the shell for execution via the shell's --cc passed to the shell for execution via the shell's --cc option.
option. If no command is specified, an interactive shell If no command is specified, an interactive shell is executed.
is executed.
-t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security --tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security
context to have the type specified by _t_y_p_e. If no type is context to have the type specified by _t_y_p_e. If no type is
specified, the default type is derived from the specified specified, the default type is derived from the specified
role. role.
-U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll
--ll option to specify the user whose privileges should be option to specify the user whose privileges should be listed.
listed. The security policy may restrict listing other The security policy may restrict listing other users'
users' privileges. The _s_u_d_o_e_r_s policy only allows root or privileges. The _s_u_d_o_e_r_s policy only allows root or a user
a user with the ALL privilege on the current host to use with the ALL privilege on the current host to use this
this option. option.
-u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified --uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command
command as a user other than _r_o_o_t. To specify a _u_i_d as a user other than _r_o_o_t. To specify a _u_i_d instead of a
instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as _u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells
a _u_i_d, many shells require that the '#' be escaped with a require that the `#' be escaped with a backslash (`\').
backslash ('\'). Security policies may restrict _u_i_ds to Security policies may restrict _u_i_ds to those listed in the
those listed in the password database. The _s_u_d_o_e_r_s policy password database. The _s_u_d_o_e_r_s policy allows _u_i_ds that are
allows _u_i_ds that are not in the password database as long not in the password database as long as the _t_a_r_g_e_t_p_w option
as the _t_a_r_g_e_t_p_w option is not set. Other security policies is not set. Other security policies may not support this.
may not support this.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version
string and the version string of the security policy plugin string and the version string of the security policy plugin
and any I/O plugins. If the invoking user is already root and any I/O plugins. If the invoking user is already root
the --VV option will display the arguments passed to the --VV option will display the arguments passed to configure
configure when ssuuddoo was built and plugins may display more when ssuuddoo was built and plugins may display more verbose
verbose information such as default options. information such as default options.
-v When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the --vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's cached credentials, authenticating the user's user's cached credentials, authenticating the user's password
password if necessary. For the _s_u_d_o_e_r_s plugin, this if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo
extends the ssuuddoo timeout for another 5 minutes (or whatever timeout for another 5 minutes (or whatever the timeout is set
the timeout is set to by the security policy) but does not to by the security policy) but does not run a command. Not
run a command. Not all security policies support cached all security policies support cached credentials.
credentials.
-- The ---- option indicates that ssuuddoo should stop processing ---- The ---- option indicates that ssuuddoo should stop processing
command line arguments. command line arguments.
Environment variables to be set for the command may also be passed on Environment variables to be set for the command may also be passed on the
the command line in the form of VVAARR=_v_a_l_u_e, e.g. command line in the form of VVAARR=_v_a_l_u_e, e.g.
LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line
line are subject to the same restrictions as normal environment are subject to the same restrictions as normal environment variables with
variables with one important exception. If the _s_e_t_e_n_v option is set in one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the
_s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command command to be run has the SETENV tag set or the command matched is ALL,
matched is ALL, the user may set variables that would otherwise be the user may set variables that would otherwise be forbidden. See
forbidden. See _s_u_d_o_e_r_s(4) for more information. sudoers(4) for more information.
PPLLUUGGIINNSS PPLLUUGGIINNSS
Plugins are dynamically loaded based on the contents of the Plugins are dynamically loaded based on the contents of the
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it _/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it
contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security
security policy and I/O logging, which corresponds to the following policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. file.
# #
# Default /etc/sudo.conf file # Default /etc/sudo.conf file
@ -341,16 +327,16 @@ PPLLUUGGIINNSS
Plugin policy_plugin sudoers.so Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so Plugin io_plugin sudoers.so
A Plugin line consists of the Plugin keyword, followed by the A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
_s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin. and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e
The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct is the name of the struct policy_plugin or struct io_plugin in the plugin
io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified shared object. The _p_a_t_h may be fully qualified or relative. If not
or relative. If not fully qualified it is relative to the fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h additional parameters after the _p_a_t_h are passed as arguments to the
are passed as arguments to the plugin's _o_p_e_n function. Lines that plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug,
don't begin with Plugin, Path, Debug or Set are silently ignored. or Set are silently ignored.
For more information, see the _s_u_d_o___p_l_u_g_i_n(1m) manual. For more information, see the sudo_plugin(1m) manual.
PPAATTHHSS PPAATTHHSS
A Path line consists of the Path keyword, followed by the name of the A Path line consists of the Path keyword, followed by the name of the
@ -360,24 +346,22 @@ PPAATTHHSS
Path askpass /usr/X11R6/bin/ssh-askpass Path askpass /usr/X11R6/bin/ssh-askpass
The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file. file:
askpass The fully qualified path to a helper program used to askpass The fully qualified path to a helper program used to read the
read the user's password when no terminal is available. user's password when no terminal is available. This may be the
This may be the case when ssuuddoo is executed from a case when ssuuddoo is executed from a graphical (as opposed to
graphical (as opposed to text-based) application. The text-based) application. The program specified by _a_s_k_p_a_s_s
program specified by _a_s_k_p_a_s_s should display the should display the argument passed to it as the prompt and
argument passed to it as the prompt and write the write the user's password to the standard output. The value of
user's password to the standard output. The value of _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS variable.
environment variable.
noexec The fully-qualified path to a shared library containing noexec The fully-qualified path to a shared library containing dummy
dummy versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library
library functions that just return an error. This is functions that just return an error. This is used to implement
used to implement the _n_o_e_x_e_c functionality on systems the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or
that support LD_PRELOAD or its equivalent. Defaults to its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
DDEEBBUUGG FFLLAAGGSS DDEEBBUUGG FFLLAAGGSS
ssuuddoo versions 1.8.4 and higher support a flexible debugging framework ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
@ -386,10 +370,9 @@ DDEEBBUUGG FFLLAAGGSS
A Debug line consists of the Debug keyword, followed by the name of the A Debug line consists of the Debug keyword, followed by the name of the
program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a
comma-separated list of debug flags. The debug flag syntax used by comma-separated list of debug flags. The debug flag syntax used by ssuuddoo
ssuuddoo and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to
free to use a different format so long as it does not include a comma use a different format so long as it does not include a comma (`,').
(`,').
For instance: For instance:
@ -398,10 +381,10 @@ DDEEBBUUGG FFLLAAGGSS
would log all debugging statements at the _w_a_r_n level and higher in would log all debugging statements at the _w_a_r_n level and higher in
addition to those at the _i_n_f_o level for the plugin subsystem. addition to those at the _i_n_f_o level for the plugin subsystem.
Currently, only one Debug entry per program is supported. The sudo Currently, only one Debug entry per program is supported. The ssuuddoo Debug
Debug entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A
A future release may add support for per-plugin Debug lines and/or future release may add support for per-plugin Debug lines and/or support
support for multiple debugging files for a single program. for multiple debugging files for a single program.
The priorities used by the ssuuddoo front end, in order of decreasing The priorities used by the ssuuddoo front end, in order of decreasing
severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
@ -409,7 +392,7 @@ DDEEBBUUGG FFLLAAGGSS
it. For example, a priority of _n_o_t_i_c_e would include debug messages it. For example, a priority of _n_o_t_i_c_e would include debug messages
logged at _n_o_t_i_c_e and higher. logged at _n_o_t_i_c_e and higher.
The following subsystems are used by ssuuddoo: The following subsystems are used by the ssuuddoo front-end:
_a_l_l matches every subsystem _a_l_l matches every subsystem
@ -438,19 +421,19 @@ DDEEBBUUGG FFLLAAGGSS
_u_t_m_p utmp handling _u_t_m_p utmp handling
EEXXIITT VVAALLUUEE EEXXIITT VVAALLUUEE
Upon successful execution of a program, the exit status from ssuuddoo will Upon successful execution of a program, the exit status from _s_u_d_o will
simply be the exit status of the program that was executed. simply be the exit status of the program that was executed.
Otherwise, ssuuddoo exits with a value of 1 if there is a Otherwise, ssuuddoo exits with a value of 1 if there is a
configuration/permission problem or if ssuuddoo cannot execute the given configuration/permission problem or if ssuuddoo cannot execute the given
command. In the latter case the error string is printed to the command. In the latter case the error string is printed to the standard
standard error. If ssuuddoo cannot _s_t_a_t(2) one or more entries in the error. If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an
user's PATH, an error is printed on stderr. (If the directory does not error is printed on stderr. (If the directory does not exist or if it is
exist or if it is not really a directory, the entry is ignored and no not really a directory, the entry is ignored and no error is printed.)
error is printed.) This should not happen under normal circumstances. This should not happen under normal circumstances. The most common
The most common reason for _s_t_a_t(2) to return "permission denied" is if reason for stat(2) to return ``permission denied'' is if you are running
you are running an automounter and one of the directories in your PATH an automounter and one of the directories in your PATH is on a machine
is on a machine that is currently unreachable. that is currently unreachable.
SSEECCUURRIITTYY NNOOTTEESS SSEECCUURRIITTYY NNOOTTEESS
ssuuddoo tries to be safe when executing external commands. ssuuddoo tries to be safe when executing external commands.
@ -465,31 +448,31 @@ SSEECCUURRIITTYY NNOOTTEESS
runs. If a user runs a command such as sudo su or sudo sh, subsequent runs. If a user runs a command such as sudo su or sudo sh, subsequent
commands run from that shell are not subject to ssuuddoo's security policy. commands run from that shell are not subject to ssuuddoo's security policy.
The same is true for commands that offer shell escapes (including most The same is true for commands that offer shell escapes (including most
editors). If I/O logging is enabled, subsequent commands will have editors). If I/O logging is enabled, subsequent commands will have their
their input and/or output logged, but there will not be traditional input and/or output logged, but there will not be traditional logs for
logs for those commands. Because of this, care must be taken when those commands. Because of this, care must be taken when giving users
giving users access to commands via ssuuddoo to verify that the command access to commands via ssuuddoo to verify that the command does not
does not inadvertently give the user an effective root shell. For more inadvertently give the user an effective root shell. For more
information, please see the PREVENTING SHELL ESCAPES section in information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in
_s_u_d_o_e_r_s(4). sudoers(4).
To prevent the disclosure of potentially sensitive information, ssuuddoo To prevent the disclosure of potentially sensitive information, ssuuddoo
disables core dumps by default while it is executing (they are re- disables core dumps by default while it is executing (they are re-enabled
enabled for the command that is run). To aid in debugging ssuuddoo for the command that is run). To aid in debugging ssuuddoo crashes, you may
crashes, you may wish to re-enable core dumps by setting wish to re-enable core dumps by setting ``disable_coredump'' to false in
"disable_coredump" to false in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows:
Set disable_coredump false Set disable_coredump false
Note that by default, most operating systems disable core dumps from Note that by default, most operating systems disable core dumps from
setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file
you may need to enable core dumps for setuid processes. On BSD and you may need to enable core dumps for setuid processes. On BSD and Linux
Linux systems this is accomplished via the sysctl command, on Solaris systems this is accomplished via the sysctl command, on Solaris the
the coreadm command can be used. coreadm command can be used.
EENNVVIIRROONNMMEENNTT EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables. The security policy ssuuddoo utilizes the following environment variables. The security policy
has control over the content of the command's environment. has control over the actual content of the command's environment.
EDITOR Default editor to use in --ee (sudoedit) mode if neither EDITOR Default editor to use in --ee (sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set. SUDO_EDITOR nor VISUAL is set.
@ -497,18 +480,18 @@ EENNVVIIRROONNMMEENNTT
MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set
to the mail spool of the target user. to the mail spool of the target user.
HOME Set to the home directory of the target user if --ii or HOME Set to the home directory of the target user if --ii or --HH
--HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in
in _s_u_d_o_e_r_s, or when the --ss option is specified and _s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e
_s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s. is set in _s_u_d_o_e_r_s.
PATH May be overridden by the security policy. PATH May be overridden by the security policy.
SHELL Used to determine shell to run with --ss option. SHELL Used to determine shell to run with --ss option.
SUDO_ASKPASS Specifies the path to a helper program used to read the SUDO_ASKPASS Specifies the path to a helper program used to read the
password if no terminal is available or if the --AA password if no terminal is available or if the --AA option
option is specified. is specified.
SUDO_COMMAND Set to the command run by sudo. SUDO_COMMAND Set to the command run by sudo.
@ -542,8 +525,8 @@ EEXXAAMMPPLLEESS
$ sudo ls /usr/local/protected $ sudo ls /usr/local/protected
To list the home directory of user yaz on a machine where the file To list the home directory of user yaz on a machine where the file system
system holding ~yaz is not exported as root: holding ~yaz is not exported as root:
$ sudo -u yaz ls ~yaz $ sudo -u yaz ls ~yaz
@ -563,23 +546,23 @@ EEXXAAMMPPLLEESS
$ sudo shutdown -r +15 "quick reboot" $ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home partition. To make a usage listing of the directories in the /home partition. Note
Note that this runs the commands in a sub-shell to make the cd and file that this runs the commands in a sub-shell to make the cd and file
redirection work. redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
SSEEEE AALLSSOO SSEEEE AALLSSOO
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
_s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m) sudo_plugin(1m), sudoreplay(1m), visudo(1m)
HHIISSTTOORRYY HHIISSTTOORRYY
See the HISTORY file in the ssuuddoo distribution See the HISTORY file in the ssuuddoo distribution
(http://www.sudo.ws/sudo/history.html) for a brief history of sudo. (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
AAUUTTHHOORRSS AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version consists Many people have worked on ssuuddoo over the years; this version consists of
of code written primarily by: code written primarily by:
Todd C. Miller Todd C. Miller
@ -588,23 +571,22 @@ AAUUTTHHOORRSS
people who have contributed to ssuuddoo. people who have contributed to ssuuddoo.
CCAAVVEEAATTSS CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root shell if There is no easy way to prevent a user from gaining a root shell if that
that user is allowed to run arbitrary commands via ssuuddoo. Also, many user is allowed to run arbitrary commands via ssuuddoo. Also, many programs
programs (such as editors) allow the user to run commands via shell (such as editors) allow the user to run commands via shell escapes, thus
escapes, thus avoiding ssuuddoo's checks. However, on most systems it is avoiding ssuuddoo's checks. However, on most systems it is possible to
possible to prevent shell escapes with the _s_u_d_o_e_r_s(4) module's _n_o_e_x_e_c prevent shell escapes with the sudoers(4) module's _n_o_e_x_e_c functionality.
functionality.
It is not meaningful to run the cd command directly via sudo, e.g., It is not meaningful to run the cd command directly via sudo, e.g.,
$ sudo cd /usr/local/protected $ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information. be the same. Please see the _E_X_A_M_P_L_E_S section for more information.
Running shell scripts via ssuuddoo can expose the same kernel bugs that Running shell scripts via ssuuddoo can expose the same kernel bugs that make
make setuid shell scripts unsafe on some operating systems (if your OS setuid shell scripts unsafe on some operating systems (if your OS has a
has a /dev/fd/ directory, setuid shell scripts are generally safe). /dev/fd/ directory, setuid shell scripts are generally safe).
BBUUGGSS BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a bug report at If you feel you have found a bug in ssuuddoo, please submit a bug report at
@ -612,16 +594,14 @@ BBUUGGSS
SSUUPPPPOORRTT SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
the archives. archives.
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties, ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of including, but not limited to, the implied warranties of merchantability
merchantability and fitness for a particular purpose are disclaimed. and fitness for a particular purpose are disclaimed. See the LICENSE
See the LICENSE file distributed with ssuuddoo or file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
http://www.sudo.ws/sudo/license.html for complete details. complete details.
Sudo 1.8.6 July 10, 2012 Sudo 1.8.6
1.8.6 July 12, 2012 SUDO(1m)

1897
doc/sudo.man.in
View File

File diff suppressed because it is too large Load Diff

32
doc/sudo.mdoc.in
View File

@ -20,8 +20,8 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd July 10, 2012 .Dd July 10, 2012
.Dt SUDO 8 .Dt SUDO @mansectsu@
.Os .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
.Nm sudo , .Nm sudo ,
.Nm sudoedit .Nm sudoedit
@ -172,7 +172,7 @@ The
policy caches credentials for policy caches credentials for
.Li @timeout@ .Li @timeout@
minutes, unless overridden in minutes, unless overridden in
.Xr sudoers 5 . .Xr sudoers @mansectform@ .
By running By running
.Nm sudo .Nm sudo
with the with the
@ -332,7 +332,7 @@ or
.Ev EDITOR .Ev EDITOR
are set, the first program listed in the are set, the first program listed in the
.Em editor .Em editor
.Xr sudoers 5 .Xr sudoers @mansectform@
option is used. option is used.
.It .It
If they have been modified, the temporary files are copied back to If they have been modified, the temporary files are copied back to
@ -416,7 +416,7 @@ set of variables, similar to what is present when a user logs in.
The The
.Em Command Environment .Em Command Environment
section in the section in the
.Xr sudoers 5 .Xr sudoers @mansectform@
manual documents how the manual documents how the
.Fl i .Fl i
option affects the environment in which a command is run when the option affects the environment in which a command is run when the
@ -523,7 +523,7 @@ expanded to the host name including the domain name (on if the
machine's host name is fully qualified or the machine's host name is fully qualified or the
.Em fqdn .Em fqdn
option is set in option is set in
.Xr sudoers 5 ) .Xr sudoers @mansectform@ )
.It Li %h .It Li %h
expanded to the local host name without the domain name expanded to the local host name without the domain name
.It Li %p .It Li %p
@ -534,7 +534,7 @@ expanded to the name of the user whose password is being requested
and and
.Em runaspw .Em runaspw
flags in flags in
.Xr sudoers 5 ) .Xr sudoers @mansectform@ )
.It Li %U .It Li %U
expanded to the login name of the user the command will be run as expanded to the login name of the user the command will be run as
(defaults to root unless the (defaults to root unless the
@ -687,7 +687,7 @@ tag set or the command matched is
.Li ALL , .Li ALL ,
the user may set variables that would otherwise be forbidden. the user may set variables that would otherwise be forbidden.
See See
.Xr sudoers 5 .Xr sudoers @mansectform@
for more information. for more information.
.Sh PLUGINS .Sh PLUGINS
Plugins are dynamically loaded based on the contents of the Plugins are dynamically loaded based on the contents of the
@ -761,7 +761,7 @@ or
are silently ignored. are silently ignored.
.Pp .Pp
For more information, see the For more information, see the
.Xr sudo_plugin 8 .Xr sudo_plugin @mansectsu@
manual. manual.
.Sh PATHS .Sh PATHS
A A
@ -976,7 +976,7 @@ effective root shell.
For more information, please see the For more information, please see the
.Em PREVENTING SHELL ESCAPES .Em PREVENTING SHELL ESCAPES
section in section in
.Xr sudoers 5 . .Xr sudoers @mansectform@ .
.Pp .Pp
To prevent the disclosure of potentially sensitive information, To prevent the disclosure of potentially sensitive information,
.Nm sudo .Nm sudo
@ -1136,11 +1136,11 @@ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Xr su 1 , .Xr su 1 ,
.Xr stat 2 , .Xr stat 2 ,
.Xr login_cap 3 , .Xr login_cap 3 ,
.Xr passwd 5 , .Xr passwd @mansectform@ ,
.Xr sudoers 5 , .Xr sudoers @mansectform@ ,
.Xr sudo_plugin 8 , .Xr sudo_plugin @mansectsu@ ,
.Xr sudoreplay 8 , .Xr sudoreplay @mansectsu@ ,
.Xr visudo 8 .Xr visudo @mansectsu@
.Sh HISTORY .Sh HISTORY
See the HISTORY file in the See the HISTORY file in the
.Nm sudo .Nm sudo
@ -1168,7 +1168,7 @@ via shell escapes, thus avoiding
.Nm sudo No Ns 's .Nm sudo No Ns 's
checks. checks.
However, on most systems it is possible to prevent shell escapes with the However, on most systems it is possible to prevent shell escapes with the
.Xr sudoers 5 .Xr sudoers @mansectform@
module's module's
.Em noexec .Em noexec
functionality. functionality.

924
doc/sudo_plugin.cat
View File

File diff suppressed because it is too large Load Diff

3681
doc/sudo_plugin.man.in
View File

File diff suppressed because it is too large Load Diff

8
doc/sudo_plugin.mdoc.in
View File

@ -15,8 +15,8 @@
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd July 16, 2012 .Dd July 16, 2012
.Dt SUDO_PLUGIN 5 .Dt SUDO_PLUGIN @mansectform@
.Os .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
.Nm sudo_plugin .Nm sudo_plugin
.Nd Sudo Plugin API .Nd Sudo Plugin API
@ -2133,8 +2133,8 @@ This can be used to merge in environment variables stored in the PAM
handle before a command is run. handle before a command is run.
.El .El
.Sh SEE ALSO .Sh SEE ALSO
.Xr sudoers 5 , .Xr sudoers @mansectform@ ,
.Xr sudo 8 .Xr sudo @mansectsu@
.Sh BUGS .Sh BUGS
If you feel you have found a bug in If you feel you have found a bug in
.Nm sudo , .Nm sudo ,

925
doc/sudoers.cat
View File

File diff suppressed because it is too large Load Diff

283
doc/sudoers.ldap.cat
View File

@ -1,9 +1,7 @@
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m)
NNAAMMEE NNAAMMEE
sudoers.ldap - sudo LDAP configuration ssuuddooeerrss..llddaapp - sudo LDAP configuration
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
@ -12,28 +10,27 @@ DDEESSCCRRIIPPTTIIOONN
Using LDAP for _s_u_d_o_e_r_s has several benefits: Using LDAP for _s_u_d_o_e_r_s has several benefits:
o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation. used, there are only two or three LDAP queries per invocation. This
This makes it especially fast and particularly usable in LDAP makes it especially fast and particularly usable in LDAP
environments. environments.
o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
possible to load LDAP data into the server that does not conform to possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not possible to have typos in a user or host name, but this will not
prevent ssuuddoo from running. prevent ssuuddoo from running.
o It is possible to specify per-entry options that override the oo It is possible to specify per-entry options that override the global
global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and
and limited options associated with user/host/commands/aliases. limited options associated with user/host/commands/aliases. The
The syntax is complicated and can be difficult for users to syntax is complicated and can be difficult for users to understand.
understand. Placing the options directly in the entry is more Placing the options directly in the entry is more natural.
natural.
o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and
and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are
are atomic, locking is no longer necessary. Because syntax is atomic, locking is no longer necessary. Because syntax is checked
checked when the data is inserted into LDAP, there is no need for a when the data is inserted into LDAP, there is no need for a
specialized tool to check syntax. specialized tool to check syntax.
Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
@ -45,20 +42,19 @@ DDEESSCCRRIIPPTTIIOONN
Since Unix groups and netgroups can also be stored in LDAP there is no Since Unix groups and netgroups can also be stored in LDAP there is no
real need for ssuuddoo-specific aliases. real need for ssuuddoo-specific aliases.
Cmnd_Aliases are not really required either since it is possible to Cmnd_Aliases are not really required either since it is possible to have
have multiple users listed in a sudoRole. Instead of defining a multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias
Cmnd_Alias that is referenced by multiple users, one can create a that is referenced by multiple users, one can create a sudoRole that
sudoRole that contains the commands and assign multiple users to it. contains the commands and assign multiple users to it.
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container.
container.
Sudo first looks for the cn=default entry in the SUDOers container. If Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same found, the multi-valued sudoOption attribute is parsed in the same manner
manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the
example, the SSH_AUTH_SOCK variable will be preserved in the SSH_AUTH_SOCK variable will be preserved in the environment for all
environment for all users. users.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top objectClass: top
@ -71,19 +67,19 @@ DDEESSCCRRIIPPTTIIOONN
following attributes: following attributes:
ssuuddooUUsseerr ssuuddooUUsseerr
A user name, user ID (prefixed with '#'), Unix group (prefixed with A user name, user ID (prefixed with `#'), Unix group (prefixed with
'%'), Unix group ID (prefixed with '%#'), or user netgroup `%'), Unix group ID (prefixed with `%#'), or user netgroup
(prefixed with '+'). (prefixed with `+').
ssuuddooHHoosstt ssuuddooHHoosstt
A host name, IP address, IP network, or host netgroup (prefixed A host name, IP address, IP network, or host netgroup (prefixed
with a '+'). The special value ALL will match any host. with a `+'). The special value ALL will match any host.
ssuuddooCCoommmmaanndd ssuuddooCCoommmmaanndd
A Unix command with optional command line arguments, potentially A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards). The special value including globbing characters (aka wild cards). The special value
ALL will match any command. If a command is prefixed with an ALL will match any command. If a command is prefixed with an
exclamation point '!', the user will be prohibited from running exclamation point `!', the user will be prohibited from running
that command. that command.
ssuuddooOOppttiioonn ssuuddooOOppttiioonn
@ -91,9 +87,9 @@ DDEESSCCRRIIPPTTIIOONN
specific to the sudoRole in which it resides. specific to the sudoRole in which it resides.
ssuuddooRRuunnAAssUUsseerr ssuuddooRRuunnAAssUUsseerr
A user name or uid (prefixed with '#') that commands may be run as A user name or uid (prefixed with `#') that commands may be run as
or a Unix group (prefixed with a '%') or user netgroup (prefixed or a Unix group (prefixed with a `%') or user netgroup (prefixed
with a '+') that contains a list of users that commands may be run with a `+') that contains a list of users that commands may be run
as. The special value ALL will match any user. as. The special value ALL will match any user.
The sudoRunAsUser attribute is only available in ssuuddoo versions The sudoRunAsUser attribute is only available in ssuuddoo versions
@ -101,7 +97,7 @@ DDEESSCCRRIIPPTTIIOONN
attribute instead. attribute instead.
ssuuddooRRuunnAAssGGrroouupp ssuuddooRRuunnAAssGGrroouupp
A Unix group or gid (prefixed with '#') that commands may be run A Unix group or gid (prefixed with `#') that commands may be run
as. The special value ALL will match any group. as. The special value ALL will match any group.
The sudoRunAsGroup attribute is only available in ssuuddoo versions The sudoRunAsGroup attribute is only available in ssuuddoo versions
@ -141,15 +137,15 @@ DDEESSCCRRIIPPTTIIOONN
more closely mimic the behaviour of the sudoers file, where the of more closely mimic the behaviour of the sudoers file, where the of
the entries influences the result. If multiple entries match, the the entries influences the result. If multiple entries match, the
entry with the highest sudoOrder attribute is chosen. This entry with the highest sudoOrder attribute is chosen. This
corresponds to the "last match" behavior of the sudoers file. If corresponds to the ``last match'' behavior of the sudoers file. If
the sudoOrder attribute is not present, a value of 0 is assumed. the sudoOrder attribute is not present, a value of 0 is assumed.
The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 The sudoOrder attribute is only available in ssuuddoo versions 1.7.5
and higher. and higher.
Each attribute listed above should contain a single value, but there Each attribute listed above should contain a single value, but there may
may be multiple instances of each attribute type. A sudoRole must be multiple instances of each attribute type. A sudoRole must contain at
contain at least one sudoUser, sudoHost and sudoCommand. least one sudoUser, sudoHost and sudoCommand.
The following example allows users in group wheel to run any command on The following example allows users in group wheel to run any command on
any host via ssuuddoo: any host via ssuuddoo:
@ -164,16 +160,16 @@ DDEESSCCRRIIPPTTIIOONN
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
When looking up a sudoer using LDAP there are only two or three LDAP When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global queries per invocation. The first query is to parse the global options.
options. The second is to match against the user's name and the groups The second is to match against the user's name and the groups that the
that the user belongs to. (The special ALL tag is matched in this user belongs to. (The special ALL tag is matched in this query too.) If
query too.) If no match is returned for the user's name and groups, a no match is returned for the user's name and groups, a third query
third query returns all entries containing user netgroups and checks to returns all entries containing user netgroups and checks to see if the
see if the user belongs to any of them. user belongs to any of them.
If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration
directive, the LDAP queries include a subfilter that limits retrieval directive, the LDAP queries include a subfilter that limits retrieval to
to entries that satisfy the time constraints, if any. entries that satisfy the time constraints, if any.
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
There are some subtle differences in the way sudoers is handled once in There are some subtle differences in the way sudoers is handled once in
@ -181,11 +177,11 @@ DDEESSCCRRIIPPTTIIOONN
is arbitrary and you cannot expect that Attributes and Entries are is arbitrary and you cannot expect that Attributes and Entries are
returned in any specific order. returned in any specific order.
The order in which different entries are applied can be controlled The order in which different entries are applied can be controlled using
using the sudoOrder attribute, but there is no way to guarantee the the sudoOrder attribute, but there is no way to guarantee the order of
order of attributes within a specific entry. If there are conflicting attributes within a specific entry. If there are conflicting command
command rules in an entry, the negative takes precedence. This is rules in an entry, the negative takes precedence. This is called
called paranoid behavior (not necessarily the most specific match). paranoid behavior (not necessarily the most specific match).
Here is an example: Here is an example:
@ -237,54 +233,53 @@ DDEESSCCRRIIPPTTIIOONN
sudoHost: !web01 sudoHost: !web01
SSuuddooeerrss SScchheemmaa SSuuddooeerrss SScchheemmaa
In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on
on your LDAP server. In addition, be sure to index the 'sudoUser' your LDAP server. In addition, be sure to index the sudoUser attribute.
attribute.
Three versions of the schema: one for OpenLDAP servers Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P),
(_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), and one for Microsoft
and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo
found in the ssuuddoo distribution. distribution.
The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES The schema for ssuuddoo in OpenLDAP form is also included in the _E_X_A_M_P_L_E_S
section. section.
CCoonnffiigguurriinngg llddaapp..ccoonnff CCoonnffiigguurriinngg llddaapp..ccoonnff
Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients. Typically, this file is shared amongst different LDAP-aware clients. As
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
those described in the system's _l_d_a_p_._c_o_n_f(4) manual. described in the system's ldap.conf(1m) manual.
Also note that on systems using the OpenLDAP libraries, default values Also note that on systems using the OpenLDAP libraries, default values
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
not used. used.
Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported
supported by ssuuddoo are honored. Configuration options are listed below by ssuuddoo are honored. Configuration options are listed below in upper
in upper case but are parsed in a case-independent manner. case but are parsed in a case-independent manner.
UURRII ldap[s]://[hostname[:port]] ... UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._.
Specifies a whitespace-delimited list of one or more URIs Specifies a whitespace-delimited list of one or more URIs
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
either llddaapp or llddaappss, the latter being for servers that support TLS either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389 (SSL) encryption. If no _p_o_r_t is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated
identically to a UURRII line containing multiple entries. Only identically to a UURRII line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap:// systems using the OpenSSL libraries support the mixing of ldap://
and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
libraries used on most commercial versions of Unix are only capable libraries used on most commercial versions of Unix are only capable
of supporting one or the other. of supporting one or the other.
HHOOSSTT name[:port] ... HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._.
If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may delimited list of LDAP servers to connect to. Each host may
include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT include an optional _p_o_r_t separated by a colon (`:'). The HHOOSSTT
parameter is deprecated in favor of the UURRII specification and is parameter is deprecated in favor of the UURRII specification and is
included for backwards compatibility. included for backwards compatibility.
PPOORRTT port_number PPOORRTT _p_o_r_t___n_u_m_b_e_r
If no UURRII is specified, the PPOORRTT parameter specifies the default If no UURRII is specified, the PPOORRTT parameter specifies the default
port to connect to on the LDAP server if a HHOOSSTT parameter does not port to connect to on the LDAP server if a HHOOSSTT parameter does not
specify the port itself. If no PPOORRTT parameter is used, the default specify the port itself. If no PPOORRTT parameter is used, the default
@ -292,40 +287,40 @@ DDEESSCCRRIIPPTTIIOONN
PPOORRTT parameter is deprecated in favor of the UURRII specification and PPOORRTT parameter is deprecated in favor of the UURRII specification and
is included for backwards compatibility. is included for backwards compatibility.
BBIINNDD__TTIIMMEELLIIMMIITT seconds BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
seconds, to wait while trying to connect to an LDAP server. If seconds, to wait while trying to connect to an LDAP server. If
multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
wait before trying the next one in the list. wait before trying the next one in the list.
NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s
An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility. An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility.
TTIIMMEELLIIMMIITT seconds TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query. to wait for a response to an LDAP query.
TTIIMMEEOOUUTT seconds TTIIMMEEOOUUTT _s_e_c_o_n_d_s
The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to
wait for a response from the various LDAP APIs. wait for a response from the various LDAP APIs.
SSUUDDOOEERRSS__BBAASSEE base SSUUDDOOEERRSS__BBAASSEE _b_a_s_e
The base DN to use when performing ssuuddoo LDAP queries. Typically The base DN to use when performing ssuuddoo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain this is of the form ou=SUDOers,dc=example,dc=com for the domain
example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in
which case they are queried in the order specified. which case they are queried in the order specified.
SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r
An LDAP filter which is used to restrict the set of records An LDAP filter which is used to restrict the set of records
returned when performing a ssuuddoo LDAP query. Typically, this is of returned when performing a ssuuddoo LDAP query. Typically, this is of
the form attribute=value or the form attribute=value or
(&(attribute=value)(attribute2=value2)). (&(attribute=value)(attribute2=value2)).
SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Whether or not to evaluate the sudoNotBefore and sudoNotAfter Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries. attributes that implement time-dependent sudoers entries.
SSUUDDOOEERRSS__DDEEBBUUGG debug_level SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l
This sets the debug level for ssuuddoo LDAP queries. Debugging This sets the debug level for ssuuddoo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows in a moderate amount of debugging information. A value of 2 shows
@ -333,44 +328,45 @@ DDEESSCCRRIIPPTTIIOONN
be set in a production environment as the extra information is be set in a production environment as the extra information is
likely to confuse users. likely to confuse users.
BBIINNDDDDNN DN BBIINNDDDDNN _D_N
The BBIINNDDDDNN parameter specifies the identity, in the form of a The BBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations. Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous identity. By default, most LDAP servers will allow anonymous
access. access.
BBIINNDDPPWW secret BBIINNDDPPWW _s_e_c_r_e_t
The BBIINNDDPPWW parameter specifies the password to use when performing The BBIINNDDPPWW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the LDAP operations. This is typically used in conjunction with the
BBIINNDDDDNN parameter. BBIINNDDDDNN parameter.
RROOOOTTBBIINNDDDDNN DN RROOOOTTBBIINNDDDDNN _D_N
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP Distinguished Name (DN), to use when performing privileged LDAP
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not
specified, the BBIINNDDDDNN identity is used (if any). specified, the BBIINNDDDDNN identity is used (if any).
LLDDAAPP__VVEERRSSIIOONN number LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
The version of the LDAP protocol to use when connecting to the The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3. server. The default value is protocol version 3.
SSSSLL on/true/yes/off/false/no SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
If the SSSSLL parameter is set to on, true or yes, TLS (SSL) If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
encryption is always used when communicating with the LDAP server. encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636 Typically, this involves connecting to the server on port 636
(ldaps). (ldaps).
SSSSLL start_tls SSSSLL _s_t_a_r_t___t_l_s
If the SSSSLL parameter is set to start_tls, the LDAP server If the SSSSLL parameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the parameter is only supported by LDAP servers that honor the
start_tls extension, such as the OpenLDAP server. _s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory
servers.
TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown cannot be verified (usually because it is signed by an unknown
@ -382,10 +378,10 @@ DDEESSCCRRIIPPTTIIOONN
can be verified. This option is not supported by the Tivoli can be verified. This option is not supported by the Tivoli
Directory Server LDAP libraries. Directory Server LDAP libraries.
TTLLSS__CCAACCEERRTT file name TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e
An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
TTLLSS__CCAACCEERRTTFFIILLEE file name TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e
The path to a certificate authority bundle which contains the The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows certificates for all the Certificate Authorities the client knows
to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
@ -393,14 +389,14 @@ DDEESSCCRRIIPPTTIIOONN
libraries use the same certificate database for CA and client libraries use the same certificate database for CA and client
certificates (see TTLLSS__CCEERRTT). certificates (see TTLLSS__CCEERRTT).
TTLLSS__CCAACCEERRTTDDIIRR directory TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y
Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g. containing individual Certificate Authority certificates, e.g.
_/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
OpenLDAP libraries. OpenLDAP libraries.
TTLLSS__CCEERRTT file name TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e
The path to a file containing the client certificate which can be The path to a file containing the client certificate which can be
used to authenticate the client to the LDAP server. The used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used. certificate type depends on the LDAP libraries used.
@ -415,10 +411,10 @@ DDEESSCCRRIIPPTTIIOONN
Unused, the key database specified by TTLLSS__KKEEYY contains both Unused, the key database specified by TTLLSS__KKEEYY contains both
keys and certificates. keys and certificates.
When using Netscape-derived libraries, this file may also contain When using Netscape-derived libraries, this file may also
Certificate Authority certificates. contain Certificate Authority certificates.
TTLLSS__KKEEYY file name TTLLSS__KKEEYY _f_i_l_e _n_a_m_e
The path to a file containing the private key which matches the The path to a file containing the private key which matches the
certificate specified by TTLLSS__CCEERRTT. The private key must not be certificate specified by TTLLSS__CCEERRTT. The private key must not be
password-protected. The key type depends on the LDAP libraries password-protected. The key type depends on the LDAP libraries
@ -432,11 +428,10 @@ DDEESSCCRRIIPPTTIIOONN
Tivoli Directory Server: Tivoli Directory Server:
tls_cert /usr/ldap/ldapkey.kdb tls_cert /usr/ldap/ldapkey.kdb
When using Tivoli LDAP libraries, this file may also contain When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted. Certificate Authority and client certificates and may be encrypted.
TTLLSS__KKEEYYPPWW secret TTLLSS__KKEEYYPPWW _s_e_c_r_e_t
The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
database on clients using the Tivoli Directory Server LDAP library. database on clients using the Tivoli Directory Server LDAP library.
If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
@ -447,65 +442,63 @@ DDEESSCCRRIIPPTTIIOONN
ssl_password. This option is only supported by the Tivoli LDAP ssl_password. This option is only supported by the Tivoli LDAP
libraries. libraries.
TTLLSS__RRAANNDDFFIILLEE file name TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in for systems that lack a random device. It is generally used in
conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by
the OpenLDAP libraries. the OpenLDAP libraries.
TTLLSS__CCIIPPHHEERRSS cipher list TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t
The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See encryption algorithms may be used for TLS (SSL) connections. See
the OpenLDAP or Tivoli Directory Server manual for a list of valid the OpenLDAP or Tivoli Directory Server manual for a list of valid
ciphers. This option is not supported by Netscape-derived ciphers. This option is not supported by Netscape-derived
libraries. libraries.
UUSSEE__SSAASSLL on/true/yes/off/false/no UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
SSAASSLL__AAUUTTHH__IIDD identity SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
The SASL user name to use when connecting to the LDAP server. By The SASL user name to use when connecting to the LDAP server. By
default, ssuuddoo will use an anonymous connection. default, ssuuddoo will use an anonymous connection.
RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as ssuuddoo. to an LDAP server from a privileged process, such as ssuuddoo.
RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
SSAASSLL__SSEECCPPRROOPPSS none/properties SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s
SASL security properties or _n_o_n_e for no properties. See the SASL SASL security properties or _n_o_n_e for no properties. See the SASL
programmer's manual for details. programmer's manual for details.
KKRRBB55__CCCCNNAAMMEE file name KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e
The path to the Kerberos 5 credential cache to use when The path to the Kerberos 5 credential cache to use when
authenticating with the remote server. authenticating with the remote server.
DDEERREEFF never/searching/finding/always DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s
How alias dereferencing is to be performed when searching. See the How alias dereferencing is to be performed when searching. See the
_l_d_a_p_._c_o_n_f(4) manual for a full description of this option. ldap.conf(1m) manual for a full description of this option.
See the ldap.conf entry in the EXAMPLES section. See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section.
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
Unless it is disabled at build time, ssuuddoo consults the Name Service Unless it is disabled at build time, ssuuddoo consults the Name Service
Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
Sudo looks for a line beginning with sudoers: and uses this to Sudo looks for a line beginning with sudoers: and uses this to determine
determine the search order. Note that ssuuddoo does not stop searching the search order. Note that ssuuddoo does not stop searching after the first
after the first match and later matches take precedence over earlier match and later matches take precedence over earlier ones. The following
ones. sources are recognized:
The following sources are recognized: files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s
files read sudoers from F</etc/sudoers>
ldap read sudoers from LDAP ldap read sudoers from LDAP
In addition, the entry [NOTFOUND=return] will short-circuit the search In addition, the entry [NOTFOUND=return] will short-circuit the search if
if the user was not found in the preceding source. the user was not found in the preceding source.
To consult LDAP first followed by the local sudoers file (if it To consult LDAP first followed by the local sudoers file (if it exists),
exists), use: use:
sudoers: ldap files sudoers: ldap files
@ -525,11 +518,11 @@ DDEESSCCRRIIPPTTIIOONN
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
_n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file
file format itself still applies. format itself still applies.
To consult LDAP first followed by the local sudoers file (if it To consult LDAP first followed by the local sudoers file (if it exists),
exists), use: use:
sudoers = ldap, files sudoers = ldap, files
@ -537,16 +530,16 @@ DDEESSCCRRIIPPTTIIOONN
sudoers = ldap sudoers = ldap
To treat LDAP as authoratative and only use the local sudoers file if To treat LDAP as authoratative and only use the local sudoers file if the
the user is not present in LDAP, use: user is not present in LDAP, use:
sudoers = ldap = auth, files sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user Note that in the above example, the auth qualfier only affects user
lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line,
line, the following default is assumed: the following default is assumed:
sudoers = files sudoers = files
@ -669,8 +662,8 @@ EEXXAAMMPPLLEESS
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
The following schema, in OpenLDAP format, is included with ssuuddoo source The following schema, in OpenLDAP format, is included with ssuuddoo source
and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the
schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line
line in slapd.conf and restart ssllaappdd. in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd.
attributetype ( 1.3.6.1.4.1.15953.9.1.1 attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser' NAME 'sudoUser'
@ -746,12 +739,12 @@ EEXXAAMMPPLLEESS
) )
SSEEEE AALLSSOO SSEEEE AALLSSOO
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) ldap.conf(1m), sudoers(1m)
CCAAVVEEAATTSS CCAAVVEEAATTSS
Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P
LDAP and non-LDAP sudoers" section for more information. _a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information.
BBUUGGSS BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a bug report at If you feel you have found a bug in ssuuddoo, please submit a bug report at
@ -759,16 +752,14 @@ BBUUGGSS
SSUUPPPPOORRTT SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
the archives. archives.
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties, ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of including, but not limited to, the implied warranties of merchantability
merchantability and fitness for a particular purpose are disclaimed. and fitness for a particular purpose are disclaimed. See the LICENSE
See the LICENSE file distributed with ssuuddoo or file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
http://www.sudo.ws/sudo/license.html for complete details. complete details.
Sudo 1.8.6 July 12, 2012 Sudo 1.8.6
1.8.6 July 17, 2012 SUDOERS.LDAP(4)

1923
doc/sudoers.ldap.man.in
View File

File diff suppressed because it is too large Load Diff

12
doc/sudoers.ldap.mdoc.in
View File

@ -15,8 +15,8 @@
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd July 12, 2012 .Dd July 12, 2012
.Dt SUDOERS.LDAP 5 .Dt SUDOERS.LDAP @mansectsu@
.Os .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
.Nm sudoers.ldap .Nm sudoers.ldap
.Nd sudo LDAP configuration .Nd sudo LDAP configuration
@ -412,7 +412,7 @@ parses
.Pa @ldap_conf@ .Pa @ldap_conf@
itself and may support options that differ from those described in the itself and may support options that differ from those described in the
system's system's
.Xr ldap.conf 5 .Xr ldap.conf @mansectsu@
manual. manual.
.Pp .Pp
Also note that on systems using the OpenLDAP libraries, default Also note that on systems using the OpenLDAP libraries, default
@ -753,7 +753,7 @@ with the remote server.
.It Sy DEREF Ar never/searching/finding/always .It Sy DEREF Ar never/searching/finding/always
How alias dereferencing is to be performed when searching. How alias dereferencing is to be performed when searching.
See the See the
.Xr ldap.conf 5 .Xr ldap.conf @mansectsu@
manual for a full description of this option. manual for a full description of this option.
.El .El
.Pp .Pp
@ -1073,8 +1073,8 @@ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
) )
.Ed .Ed
.Sh SEE ALSO .Sh SEE ALSO
.Xr ldap.conf 5 , .Xr ldap.conf @mansectsu@ ,
.Xr sudoers 5 .Xr sudoers @mansectsu@
.Sh CAVEATS .Sh CAVEATS
Note that there are differences in the way that LDAP-based Note that there are differences in the way that LDAP-based
.Em sudoers .Em sudoers

5303
doc/sudoers.man.in
View File

File diff suppressed because it is too large Load Diff

26
doc/sudoers.mdoc.in
View File

@ -20,8 +20,8 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd July 16, 2012 .Dd July 16, 2012
.Dt SUDOERS 5 .Dt SUDOERS @mansectform@
.Os .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
.Nm sudoers .Nm sudoers
.Nd default sudo security policy module .Nd default sudo security policy module
@ -45,7 +45,7 @@ For information on storing
.Em sudoers .Em sudoers
policy information policy information
in LDAP, please see in LDAP, please see
.Xr sudoers.ldap 5 . .Xr sudoers.ldap @mansectform@ .
.Ss Authentication and Logging .Ss Authentication and Logging
The The
.Em sudoers .Em sudoers
@ -1087,7 +1087,7 @@ regular expressions.
.Bl -tag -width 8n .Bl -tag -width 8n
.It Li * .It Li *
Matches any set of zero or more characters. Matches any set of zero or more characters.
.It Li \? .It Li \&?
Matches any single character. Matches any single character.
.It Li [...] .It Li [...]
Matches any character in the specified range. Matches any character in the specified range.
@ -1102,7 +1102,7 @@ evaluates to
.Sq x . .Sq x .
This is used to escape special characters such as: This is used to escape special characters such as:
.Ql * , .Ql * ,
.Ql \? , .Ql \&? ,
.Ql [\& , .Ql [\& ,
and and
.Ql ]\& . .Ql ]\& .
@ -1661,7 +1661,7 @@ The
option may be used to control the format of the session ID. option may be used to control the format of the session ID.
.Pp .Pp
Output logs may be viewed with the Output logs may be viewed with the
.Xr sudoreplay 8 .Xr sudoreplay @mansectsu@
utility, which can also be used to list or search the available logs. utility, which can also be used to list or search the available logs.
.It log_year .It log_year
If set, the four-digit year will be logged in the (non-syslog) If set, the four-digit year will be logged in the (non-syslog)
@ -1820,7 +1820,7 @@ will only run when the user is logged in to a real tty.
When this flag is set, When this flag is set,
.Nm sudo .Nm sudo
can only be run from a login session and not via other means such as can only be run from a login session and not via other means such as
.Xr cron 8 .Xr cron @mansectsu@
or cgi-bin scripts. or cgi-bin scripts.
This flag is This flag is
.Em off .Em off
@ -2432,7 +2432,7 @@ Defaults group_plugin="sample_group.so /etc/sudo-group"
.Ed .Ed
.Pp .Pp
For more information see For more information see
.Xr sudo_plugin 5 . .Xr sudo_plugin @mansectform@ .
.It lecture .It lecture
This option controls when a short lecture will be printed along with This option controls when a short lecture will be printed along with
the password prompt. the password prompt.
@ -2783,7 +2783,7 @@ plugin is doing internally if there is a problem.
This can be configured in the This can be configured in the
.Pa @sysconfdir@/sudo.conf .Pa @sysconfdir@/sudo.conf
file as described in file as described in
.Xr sudo 8 . .Xr sudo @mansectsu@ .
.Pp .Pp
The The
.Em sudoers .Em sudoers
@ -3451,10 +3451,10 @@ available.
.Xr glob 3 , .Xr glob 3 ,
.Xr mktemp 3 , .Xr mktemp 3 ,
.Xr strftime 3 , .Xr strftime 3 ,
.Xr sudoers.ldap 5 , .Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin 8 , .Xr sudo_plugin @mansectsu@ ,
.Xr sudo 8 , .Xr sudo @mansectsu@ ,
.Xr visudo 8 .Xr visudo @mansectsu@
.Sh CAVEATS .Sh CAVEATS
The The
.Em sudoers .Em sudoers

94
doc/sudoreplay.cat
View File

@ -1,15 +1,13 @@
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m)
NNAAMMEE NNAAMMEE
sudoreplay - replay sudo session logs ssuuddoorreeppllaayy - replay sudo session logs
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t]
[--ss _s_p_e_e_d___f_a_c_t_o_r] ID [--ss _s_p_e_e_d___f_a_c_t_o_r] ID
ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] -l [search expression] ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] --ll [search expression]
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
ssuuddoorreeppllaayy plays back or lists the output logs created by ssuuddoo. When ssuuddoorreeppllaayy plays back or lists the output logs created by ssuuddoo. When
@ -17,44 +15,41 @@ DDEESSCCRRIIPPTTIIOONN
playback speed may be adjusted (faster or slower) based on the command playback speed may be adjusted (faster or slower) based on the command
line options. line options.
The _I_D should either be a six character sequence of digits and upper The _I_D should either be a six character sequence of digits and upper case
case letters, e.g. 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option letters, e.g. 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option in the
in the _s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t _s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t enabled in
enabled in the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or to the ssuuddoo
to the ssuuddoo log file. The _I_D may also be determined using ssuuddoorreeppllaayy's log file. The _I_D may also be determined using ssuuddoorreeppllaayy's list mode.
list mode.
In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based on
on a number of criteria such as the user, tty or command run. a number of criteria such as the user, tty or command run.
In replay mode, if the standard output has not been redirected, In replay mode, if the standard output has not been redirected,
ssuuddoorreeppllaayy will act on the following keys: ssuuddoorreeppllaayy will act on the following keys:
' ' (space) ` ' (space) Pause output; press any key to resume.
Pause output; press any key to resume.
'<' Reduce the playback speed by one half. `<' Reduce the playback speed by one half.
'>' Double the playback speed. `>' Double the playback speed.
OOPPTTIIOONNSS OOPPTTIIOONNSS
ssuuddoorreeppllaayy accepts the following command line options: ssuuddoorreeppllaayy accepts the following command line options:
-d _d_i_r_e_c_t_o_r_y --dd _d_i_r_e_c_t_o_r_y Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the
Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the
default, _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o. default, _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o.
-f _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's --ff _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's
standard output, standard error and tty output. The _-_f standard output, standard error and tty output. The --ff
option can be used to select which of these to output. The option can be used to select which of these to output. The
_f_i_l_t_e_r argument is a comma-separated list, consisting of _f_i_l_t_e_r argument is a comma-separated list, consisting of
one or more of following: _s_t_d_o_u_t, _s_t_d_e_r_r, and _t_t_y_o_u_t. one or more of following: _s_t_d_o_u_t, _s_t_d_e_r_r, and _t_t_y_o_u_t.
-h The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short --hh The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short
help message to the standard output and exit. help message to the standard output and exit.
-l [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] --ll [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n]
Enable "list mode". In this mode, ssuuddoorreeppllaayy will list Enable ``list mode''. In this mode, ssuuddoorreeppllaayy will list
available sessions in a format similar to the ssuuddoo log file available sessions in a format similar to the ssuuddoo log file
format, sorted by file name (or sequence number). If a format, sorted by file name (or sequence number). If a
_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is specified, it will be used to restrict _s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is specified, it will be used to restrict
@ -75,7 +70,7 @@ OOPPTTIIOONNSS
fromdate _d_a_t_e fromdate _d_a_t_e
Evaluates to true if the command was run on or Evaluates to true if the command was run on or
after _d_a_t_e. See "Date and time format" for a after _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a
description of supported date and time formats. description of supported date and time formats.
group _r_u_n_a_s___g_r_o_u_p group _r_u_n_a_s___g_r_o_u_p
@ -91,7 +86,7 @@ OOPPTTIIOONNSS
todate _d_a_t_e todate _d_a_t_e
Evaluates to true if the command was run on or Evaluates to true if the command was run on or
prior to _d_a_t_e. See "Date and time format" for a prior to _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a
description of supported date and time formats. description of supported date and time formats.
tty _t_t_y _n_a_m_e tty _t_t_y _n_a_m_e
@ -109,21 +104,21 @@ OOPPTTIIOONNSS
character). character).
Predicates may be combined using _a_n_d, _o_r and _! operators as Predicates may be combined using _a_n_d, _o_r and _! operators as
well as '(' and ')' for grouping (note that parentheses well as `(' and `)' grouping (note that parentheses must
must generally be escaped from the shell). The _a_n_d generally be escaped from the shell). The _a_n_d operator is
operator is optional, adjacent predicates have an implied optional, adjacent predicates have an implied _a_n_d unless
_a_n_d unless separated by an _o_r. separated by an _o_r.
-m _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key --mm _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key
presses or output data. By default, ssuuddoorreeppllaayy will presses or output data. By default, ssuuddoorreeppllaayy will
accurately reproduce the delays between key presses or accurately reproduce the delays between key presses or
program output. However, this can be tedious when the program output. However, this can be tedious when the
session includes long pauses. When the _-_m option is session includes long pauses. When the --mm option is
specified, ssuuddoorreeppllaayy will limit these pauses to at most specified, ssuuddoorreeppllaayy will limit these pauses to at most
_m_a_x___w_a_i_t seconds. The value may be specified as a floating _m_a_x___w_a_i_t seconds. The value may be specified as a floating
point number, e.g. _2_._5. point number, e.g. _2_._5.
-s _s_p_e_e_d___f_a_c_t_o_r --ss _s_p_e_e_d___f_a_c_t_o_r
This option causes ssuuddoorreeppllaayy to adjust the number of This option causes ssuuddoorreeppllaayy to adjust the number of
seconds it will wait between key presses or program output. seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For This can be used to slow down or speed up the display. For
@ -131,12 +126,11 @@ OOPPTTIIOONNSS
fast whereas a _s_p_e_e_d___f_a_c_t_o_r of _._5 would make the output fast whereas a _s_p_e_e_d___f_a_c_t_o_r of _._5 would make the output
twice as slow. twice as slow.
-V The --VV (version) option causes ssuuddoorreeppllaayy to print its --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoorreeppllaayy to print its
version number and exit. version number and exit.
DDaattee aanndd ttiimmee ffoorrmmaatt DDaattee aanndd ttiimmee ffoorrmmaatt
The time and date may be specified multiple ways, common formats The time and date may be specified multiple ways, common formats include:
include:
HH:MM:SS am MM/DD/CCYY timezone HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm. 24 hour time may be used in place of am/pm.
@ -152,11 +146,11 @@ OOPPTTIIOONNSS
DD Month CCYY HH:MM:SS DD Month CCYY HH:MM:SS
The month name may be abbreviated. The month name may be abbreviated.
Either time or date may be omitted, the am/pm and timezone are Either time or date may be omitted, the am/pm and timezone are optional.
optional. If no date is specified, the current day is assumed; if no If no date is specified, the current day is assumed; if no time is
time is specified, the first second of the specified date is used. The specified, the first second of the specified date is used. The less
less significant parts of both time and date may also be omitted, in significant parts of both time and date may also be omitted, in which
which case zero is assumed. case zero is assumed.
The following are all valid time and date specifications: The following are all valid time and date specifications:
@ -239,7 +233,7 @@ EEXXAAMMPPLLEESS
# sudoreplay -l ( user jeff or user bob ) tty console # sudoreplay -l ( user jeff or user bob ) tty console
SSEEEE AALLSSOO SSEEEE AALLSSOO
_s_u_d_o(1m), _s_c_r_i_p_t(1) sudo(1m), script(1)
AAUUTTHHOORRSS AAUUTTHHOORRSS
Todd C. Miller Todd C. Miller
@ -250,16 +244,14 @@ BBUUGGSS
SSUUPPPPOORRTT SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
the archives. archives.
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties, ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of including, but not limited to, the implied warranties of merchantability
merchantability and fitness for a particular purpose are disclaimed. and fitness for a particular purpose are disclaimed. See the LICENSE
See the LICENSE file distributed with ssuuddoo or file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
http://www.sudo.ws/sudo/license.html for complete details. complete details.
Sudo 1.8.6 July 12, 2012 Sudo 1.8.6
1.8.6 July 17, 2012 SUDOREPLAY(1m)

679
doc/sudoreplay.man.in
View File

@ -1,4 +1,7 @@
.\" Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com> .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in
.\"
.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@ -13,408 +16,398 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .TH "SUDOREPLAY" "@mansectsu@" "July 12, 2012" "1.8.6" "System Manager's Manual"
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
.TH SUDOREPLAY @mansectsu@ "July 17, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME" .SH "NAME"
sudoreplay \- replay sudo session logs \fBsudoreplay\fR
\- replay sudo session logs
.SH "SYNOPSIS" .SH "SYNOPSIS"
.IX Header "SYNOPSIS" .HP 11n
\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] [\fB\-f\fR\ \fIfilter\fR] [\fB\-m\fR\ \fImax_wait\fR] [\fB\-s\fR\ \fIspeed_factor\fR] \s-1ID\s0 \fBsudoreplay\fR
.PP [\fB-h\fR]
\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] \-l [search\ expression] [\fB-d\fR\~\fIdirectory\fR]
[\fB-f\fR\~\fIfilter\fR]
[\fB-m\fR\~\fImax_wait\fR]
[\fB-s\fR\~\fIspeed_factor\fR]
ID
.HP 11n
\fBsudoreplay\fR
[\fB-h\fR]
[\fB-d\fR\~\fIdirectory\fR]
\fB-l\fR
[search expression]
.SH "DESCRIPTION" .SH "DESCRIPTION"
.IX Header "DESCRIPTION" \fBsudoreplay\fR
\&\fBsudoreplay\fR plays back or lists the output logs created by \fBsudo\fR. plays back or lists the output logs created by
When replaying, \fBsudoreplay\fR can play the session back in real-time, \fBsudo\fR.
or the playback speed may be adjusted (faster or slower) based on When replaying,
the command line options. \fBsudoreplay\fR
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.PP .PP
The \fI\s-1ID\s0\fR should either be a six character sequence of digits and The
upper case letters, e.g. \f(CW\*(C`0100A5\*(C'\fR, or a pattern matching the \fIID\fR
\&\fIiolog_file\fR option in the \fIsudoers\fR file. When a command is run should either be a six character sequence of digits and
via \fBsudo\fR with \fIlog_output\fR enabled in the \fIsudoers\fR file, a upper case letters, e.g.\&
\&\f(CW\*(C`TSID=ID\*(C'\fR string is logged via syslog or to the \fBsudo\fR log file. \fR0100A5\fR,
The \fI\s-1ID\s0\fR may also be determined using \fBsudoreplay\fR's list mode. or a pattern matching the
\fIiolog_file\fR
option in the
\fIsudoers\fR
file.
When a command is run via
\fBsudo\fR
with
\fIlog_output\fR
enabled in the
\fIsudoers\fR
file, a
\fRTSID=ID\fR
string is logged via syslog or to the
\fBsudo\fR
log file.
The
\fIID\fR
may also be determined using
\fBsudoreplay\fR's
list mode.
.PP .PP
In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session In list mode,
based on a number of criteria such as the user, tty or command run. \fBsudoreplay\fR
can be used to find the ID of a session based on a number of criteria
such as the user, tty or command run.
.PP .PP
In replay mode, if the standard output has not been redirected, In replay mode, if the standard output has not been redirected,
\&\fBsudoreplay\fR will act on the following keys: \fBsudoreplay\fR
.IP "' ' (space)" 8 will act on the following keys:
.IX Item "' ' (space)" .TP 14n
`\fR\ \fR' (space)
Pause output; press any key to resume. Pause output; press any key to resume.
.IP "'<'" 8 .TP 14n
`<'
Reduce the playback speed by one half. Reduce the playback speed by one half.
.IP "'>'" 8 .TP 14n
`>'
Double the playback speed. Double the playback speed.
.SH "OPTIONS" .SH "OPTIONS"
.IX Header "OPTIONS" \fBsudoreplay\fR
\&\fBsudoreplay\fR accepts the following command line options: accepts the following command line options:
.IP "\-d \fIdirectory\fR" 12 .TP 14n
.IX Item "-d directory" \fB-d\fR \fIdirectory\fR
Use \fIdirectory\fR to for the session logs instead of the default, Use
\&\fI@iolog_dir@\fR. \fIdirectory\fR
.IP "\-f \fIfilter\fR" 12 to for the session logs instead of the default,
.IX Item "-f filter" \fI@iolog_dir@\fR.
By default, \fBsudoreplay\fR will play back the command's standard .TP 14n
output, standard error and tty output. The \fI\-f\fR option can be \fB-f\fR \fIfilter\fR
used to select which of these to output. The \fIfilter\fR argument By default,
is a comma-separated list, consisting of one or more of following: \fBsudoreplay\fR
\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR. will play back the command's standard output, standard error and tty output.
.IP "\-h" 12 The
.IX Item "-h" \fB-f\fR
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short option can be used to select which of these to output.
help message to the standard output and exit. The
.IP "\-l [\fIsearch expression\fR]" 12 \fIfilter\fR
.IX Item "-l [search expression]" argument is a comma-separated list, consisting of one or more of following:
Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available \fIstdout\fR,
sessions in a format similar to the \fBsudo\fR log file format, sorted \fIstderr\fR,
by file name (or sequence number). If a \fIsearch expression\fR is and
specified, it will be used to restrict the IDs that are displayed. \fIttyout\fR.
.TP 14n
\fB-h\fR
The
\fB-h\fR (\fIhelp\fR)
option causes
\fBsudoreplay\fR
to print a short help message to the standard output and exit.
.TP 14n
\fB-l\fR [\fIsearch expression\fR]
Enable
``list mode''.
In this mode,
\fBsudoreplay\fR
will list available sessions in a format similar to the
\fBsudo\fR
log file format, sorted by file name (or sequence number).
If a
\fIsearch expression\fR
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates: An expression is composed of the following predicates:
.RS 12 .RS
.IP "command \fIpattern\fR" 8 .TP 8n
.IX Item "command pattern" command \fIpattern\fR
Evaluates to true if the command run matches \fIpattern\fR. Evaluates to true if the command run matches
On systems with \s-1POSIX\s0 regular expression support, the pattern may \fIpattern\fR.
be an extended regular expression. On systems without \s-1POSIX\s0 regular On systems with POSIX regular expression support, the pattern may
expression support, a simple substring match is performed instead. be an extended regular expression.
.IP "cwd \fIdirectory\fR" 8 On systems without POSIX regular expression support, a simple substring
.IX Item "cwd directory" match is performed instead.
.TP 8n
cwd \fIdirectory\fR
Evaluates to true if the command was run with the specified current Evaluates to true if the command was run with the specified current
working directory. working directory.
.IP "fromdate \fIdate\fR" 8 .TP 8n
.IX Item "fromdate date" fromdate \fIdate\fR
Evaluates to true if the command was run on or after \fIdate\fR. Evaluates to true if the command was run on or after
See \*(L"Date and time format\*(R" for a description of supported \fIdate\fR.
date and time formats. See
.IP "group \fIrunas_group\fR" 8 \fIDate and time format\fR
.IX Item "group runas_group" for a description of supported date and time formats.
.TP 8n
group \fIrunas_group\fR
Evaluates to true if the command was run with the specified Evaluates to true if the command was run with the specified
\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly \fIrunas_group\fR.
specified when \fBsudo\fR was run this field will be empty in the log. Note that unless a
.IP "runas \fIrunas_user\fR" 8 \fIrunas_group\fR
.IX Item "runas runas_user" was explicitly specified when
Evaluates to true if the command was run as the specified \fIrunas_user\fR. \fBsudo\fR
Note that \fBsudo\fR runs commands as user \fIroot\fR by default. was run this field will be empty in the log.
.IP "todate \fIdate\fR" 8 .TP 8n
.IX Item "todate date" runas \fIrunas_user\fR
Evaluates to true if the command was run on or prior to \fIdate\fR. Evaluates to true if the command was run as the specified
See \*(L"Date and time format\*(R" for a description of supported \fIrunas_user\fR.
date and time formats. Note that
.IP "tty \fItty name\fR" 8 \fBsudo\fR
.IX Item "tty tty name" runs commands as user
Evaluates to true if the command was run on the specified terminal \fIroot\fR
device. The \fItty name\fR should be specified without the \fI/dev/\fR prefix, by default.
e.g. \fItty01\fR instead of \fI/dev/tty01\fR. .TP 8n
.IP "user \fIuser name\fR" 8 todate \fIdate\fR
.IX Item "user user name" Evaluates to true if the command was run on or prior to
Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR. \fIdate\fR.
See
\fIDate and time format\fR
for a description of supported date and time formats.
.TP 8n
tty \fItty name\fR
Evaluates to true if the command was run on the specified terminal device.
The
\fItty name\fR
should be specified without the
\fI/dev/\fR
prefix, e.g.\&
\fItty01\fR
instead of
\fI/dev/tty01\fR.
.TP 8n
user \fIuser name\fR
Evaluates to true if the ID matches a command run by
\fIuser name\fR.
.RE .RE
.RS 12 .RS
.Sp .PP
Predicates may be abbreviated to the shortest unique string (currently Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character). all predicates may be shortened to a single character).
.Sp .sp
Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators Predicates may be combined using
as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses \fIand\fR,
must generally be escaped from the shell). The \fIand\fR operator is \fIor\fR
optional, adjacent predicates have an implied \fIand\fR unless separated and
by an \fIor\fR. \fI\&!\fR
operators as well as
`\&('
and
`\&)'
grouping (note that parentheses must generally be escaped from the shell).
The
\fIand\fR
operator is optional, adjacent predicates have an implied
\fIand\fR
unless separated by an
\fIor\fR.
.PP
.RE .RE
.IP "\-m \fImax_wait\fR" 12 .sp -1v
.IX Item "-m max_wait" .TP 14n
Specify an upper bound on how long to wait between key presses or \fB-m\fR \fImax_wait\fR
output data. By default, \fBsudoreplay\fR will accurately reproduce Specify an upper bound on how long to wait between key presses or output data.
the delays between key presses or program output. However, this By default,
can be tedious when the session includes long pauses. When the \fBsudoreplay\fR
\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses will accurately reproduce the delays between key presses or program output.
to at most \fImax_wait\fR seconds. The value may be specified as a However, this can be tedious when the session includes long pauses.
floating point number, e.g. \fI2.5\fR. When the
.IP "\-s \fIspeed_factor\fR" 12 \fB-m\fR
.IX Item "-s speed_factor" option is specified,
This option causes \fBsudoreplay\fR to adjust the number of seconds \fBsudoreplay\fR
it will wait between key presses or program output. This can be will limit these pauses to at most
used to slow down or speed up the display. For example, a \fImax_wait\fR
\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas seconds.
a \fIspeed_factor\fR of \fI.5\fR would make the output twice as slow. The value may be specified as a floating point number, e.g.\&
.IP "\-V" 12 \fI2.5\fR.
.IX Item "-V" .TP 14n
The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number \fB-s\fR \fIspeed_factor\fR
This option causes
\fBsudoreplay\fR
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
\fIspeed_factor\fR
of
\fI2\fR
would make the output twice as fast whereas a
\fIspeed_factor\fR
of
\fI.5\fR
would make the output twice as slow.
.TP 14n
\fB-V\fR
The
\fB-V\fR (\fIversion\fR)
option causes
\fBsudoreplay\fR
to print its version number
and exit. and exit.
.SS "Date and time format" .SS "Date and time format"
.IX Subsection "Date and time format"
The time and date may be specified multiple ways, common formats include: The time and date may be specified multiple ways, common formats include:
.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8 .TP 8n
.IX Item "HH:MM:SS am MM/DD/CCYY timezone" HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm. 24 hour time may be used in place of am/pm.
.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8 .TP 8n
.IX Item "HH:MM:SS am Month, Day Year timezone" HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names 24 hour time may be used in place of am/pm, and month and day names
may be abbreviated. Note that month and day of the week names must may be abbreviated.
be specified in English. Note that month and day of the week names must be specified in English.
.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8 .TP 8n
.IX Item "CCYY-MM-DD HH:MM:SS" CCYY-MM-DD HH:MM:SS
\&\s-1ISO\s0 time format ISO time format
.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8 .TP 8n
.IX Item "DD Month CCYY HH:MM:SS" DD Month CCYY HH:MM:SS
The month name may be abbreviated. The month name may be abbreviated.
.PP .PP
Either time or date may be omitted, the am/pm and timezone are Either time or date may be omitted, the am/pm and timezone are optional.
optional. If no date is specified, the current day is assumed; if If no date is specified, the current day is assumed; if no time is
no time is specified, the first second of the specified date is specified, the first second of the specified date is used.
used. The less significant parts of both time and date may also The less significant parts of both time and date may also be omitted,
be omitted, in which case zero is assumed. in which case zero is assumed.
.PP .PP
The following are all valid time and date specifications: The following are all valid time and date specifications:
.IP "now" 8 .TP 8n
.IX Item "now" now
The current time and date. The current time and date.
.IP "tomorrow" 8 .TP 8n
.IX Item "tomorrow" tomorrow
Exactly one day from now. Exactly one day from now.
.IP "yesterday" 8 .TP 8n
.IX Item "yesterday" yesterday
24 hours ago. 24 hours ago.
.IP "2 hours ago" 8 .TP 8n
.IX Item "2 hours ago" 2 hours ago
2 hours ago. 2 hours ago.
.IP "next Friday" 8 .TP 8n
.IX Item "next Friday" next Friday
The first second of the next Friday. The first second of the next Friday.
.IP "this week" 8 .TP 8n
.IX Item "this week" this week
The current time but the first day of the coming week. The current time but the first day of the coming week.
.IP "a fortnight ago" 8 .TP 8n
.IX Item "a fortnight ago" a fortnight ago
The current time but 14 days ago. The current time but 14 days ago.
.IP "10:01 am 9/17/2009" 8 .TP 8n
.IX Item "10:01 am 9/17/2009" 10:01 am 9/17/2009
10:01 am, September 17, 2009. 10:01 am, September 17, 2009.
.IP "10:01 am" 8 .TP 8n
.IX Item "10:01 am" 10:01 am
10:01 am on the current day. 10:01 am on the current day.
.IP "10" 8 .TP 8n
.IX Item "10" 10
10:00 am on the current day. 10:00 am on the current day.
.IP "9/17/2009" 8 .TP 8n
.IX Item "9/17/2009" 9/17/2009
00:00 am, September 17, 2009. 00:00 am, September 17, 2009.
.IP "10:01 am Sep 17, 2009" 8 .TP 8n
.IX Item "10:01 am Sep 17, 2009" 10:01 am Sep 17, 2009
10:01 am, September 17, 2009. 10:01 am, September 17, 2009.
.SH "FILES" .SH "FILES"
.IX Header "FILES" .TP 26n
.ie n .IP "\fI@iolog_dir@\fR" 24 \fI@iolog_dir@\fR
.el .IP "\fI@iolog_dir@\fR" 24
.IX Item "@iolog_dir@"
The default I/O log directory. The default I/O log directory.
.ie n .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 .TP 26n
.el .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 \fI@iolog_dir@/00/00/01/log\fR
.IX Item "@iolog_dir@/00/00/01/log"
Example session log info. Example session log info.
.ie n .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 .TP 26n
.el .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 \fI@iolog_dir@/00/00/01/stdin\fR
.IX Item "@iolog_dir@/00/00/01/stdin"
Example session standard input log. Example session standard input log.
.ie n .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 .TP 26n
.el .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 \fI@iolog_dir@/00/00/01/stdout\fR
.IX Item "@iolog_dir@/00/00/01/stdout"
Example session standard output log. Example session standard output log.
.ie n .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 .TP 26n
.el .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 \fI@iolog_dir@/00/00/01/stderr\fR
.IX Item "@iolog_dir@/00/00/01/stderr"
Example session standard error log. Example session standard error log.
.ie n .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 .TP 26n
.el .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 \fI@iolog_dir@/00/00/01/ttyin\fR
.IX Item "@iolog_dir@/00/00/01/ttyin"
Example session tty input file. Example session tty input file.
.ie n .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 .TP 26n
.el .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 \fI@iolog_dir@/00/00/01/ttyout\fR
.IX Item "@iolog_dir@/00/00/01/ttyout"
Example session tty output file. Example session tty output file.
.ie n .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 .TP 26n
.el .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 \fI@iolog_dir@/00/00/01/timing\fR
.IX Item "@iolog_dir@/00/00/01/timing"
Example session timing file. Example session timing file.
.PP .PP
Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty Note that the
unless \fBsudo\fR was used as part of a pipeline for a particular \fIstdin\fR,
command. \fIstdout\fR
and
\fIstderr\fR
files will be empty unless
\fBsudo\fR
was used as part of a pipeline for a particular command.
.SH "EXAMPLES" .SH "EXAMPLES"
.IX Header "EXAMPLES" List sessions run by user
List sessions run by user \fImillert\fR: \fImillert\fR:
.nf
.sp
.RS 6n
# sudoreplay -l user millert
.RE
.fi
.PP .PP
.Vb 1 List sessions run by user
\& # sudoreplay \-l user millert \fIbob\fR
.Ve with a command containing the string vi:
.nf
.sp
.RS 6n
# sudoreplay -l user bob command vi
.RE
.fi
.PP .PP
List sessions run by user \fIbob\fR with a command containing the string vi: List sessions run by user
.PP \fIjeff\fR
.Vb 1 that match a regular expression:
\& # sudoreplay \-l user bob command vi .nf
.Ve .sp
.PP .RS 6n
List sessions run by user \fIjeff\fR that match a regular expression: # sudoreplay -l user jeff command '/bin/[a-z]*sh'
.PP .RE
.Vb 1 .fi
\& # sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
.Ve
.PP .PP
List sessions run by jeff or bob on the console: List sessions run by jeff or bob on the console:
.PP .nf
.Vb 1 .sp
\& # sudoreplay \-l ( user jeff or user bob ) tty console .RS 6n
.Ve # sudoreplay -l ( user jeff or user bob ) tty console
.RE
.fi
.SH "SEE ALSO" .SH "SEE ALSO"
.IX Header "SEE ALSO" sudo(@mansectsu@),
\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1) script(1)
.SH "AUTHORS" .SH "AUTHORS"
.IX Header "AUTHORS"
Todd C. Miller Todd C. Miller
.SH "BUGS" .SH "BUGS"
.IX Header "BUGS" If you feel you have found a bug in
If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report \fBsudoreplay\fR,
at http://www.sudo.ws/sudo/bugs/ please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT" .SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list, Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives. search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
.IX Header "DISCLAIMER" \fBsudoreplay\fR
\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, is provided
including, but not limited to, the implied warranties of merchantability ``AS IS''
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 and any express or implied warranties, including, but not limited
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html to, the implied warranties of merchantability and fitness for a
for complete details. particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.

6
doc/sudoreplay.mdoc.in
View File

@ -15,8 +15,8 @@
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd July 12, 2012 .Dd July 12, 2012
.Dt SUDOREPLAY 8 .Dt SUDOREPLAY @mansectsu@
.Os .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
.Nm sudoreplay .Nm sudoreplay
.Nd replay sudo session logs .Nd replay sudo session logs
@ -350,7 +350,7 @@ List sessions run by jeff or bob on the console:
# sudoreplay -l ( user jeff or user bob ) tty console # sudoreplay -l ( user jeff or user bob ) tty console
.Ed .Ed
.Sh SEE ALSO .Sh SEE ALSO
.Xr sudo 8 , .Xr sudo @mansectsu@ ,
.Xr script 1 .Xr script 1
.Sh AUTHORS .Sh AUTHORS
Todd C. Miller Todd C. Miller

125
doc/visudo.cat
View File

@ -1,86 +1,83 @@
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) VISUDO(1m) System Manager's Manual VISUDO(1m)
NNAAMMEE NNAAMMEE
visudo - edit the sudoers file vviissuuddoo - edit the sudoers file
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s] vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s]
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m). vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to vipw(1m).
vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits,
provides basic sanity checks, and checks for parse errors. If the provides basic sanity checks, and checks for parse errors. If the
_s_u_d_o_e_r_s file is currently being edited you will receive a message to _s_u_d_o_e_r_s file is currently being edited you will receive a message to try
try again later. again later.
There is a hard-coded list of one or more editors that vviissuuddoo will use There is a hard-coded list of one or more editors that vviissuuddoo will use
set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default
Default variable. This list defaults to "vi". Normally, vviissuuddoo does variable. This list defaults to vi. Normally, vviissuuddoo does not honor the
not honor the VISUAL or EDITOR environment variables unless they VISUAL or EDITOR environment variables unless they contain an editor in
contain an editor in the aforementioned editors list. However, if the aforementioned editors list. However, if vviissuuddoo is configured with
vviissuuddoo is configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option or the the --with-env-editor option or the _e_n_v___e_d_i_t_o_r Default variable is set in
_e_n_v___e_d_i_t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the _s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by VISUAL or EDITOR.
editor defines by VISUAL or EDITOR. Note that this can be a security Note that this can be a security hole since it allows the user to execute
hole since it allows the user to execute any program they wish simply any program they wish simply by setting VISUAL or EDITOR.
by setting VISUAL or EDITOR.
vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the
changes if there is a syntax error. Upon finding an error, vviissuuddoo will changes if there is a syntax error. Upon finding an error, vviissuuddoo will
print a message stating the line number(s) where the error occurred and print a message stating the line number(s) where the error occurred and
the user will receive the "What now?" prompt. At this point the user the user will receive the ``What now?'' prompt. At this point the user
may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit without saving may enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the
the changes, or "Q" to quit and save changes. The "Q" option should be changes, or `Q' to quit and save changes. The `Q' option should be used
used with extreme care because if vviissuuddoo believes there to be a parse with extreme care because if vviissuuddoo believes there to be a parse error,
error, so will ssuuddoo and no one will be able to ssuuddoo again until the so will ssuuddoo and no one will be able to ssuuddoo again until the error is
error is fixed. If "e" is typed to edit the _s_u_d_o_e_r_s file after a fixed. If `e' is typed to edit the _s_u_d_o_e_r_s file after a parse error has
parse error has been detected, the cursor will be placed on the line been detected, the cursor will be placed on the line where the error
where the error occurred (if the editor supports this feature). occurred (if the editor supports this feature).
OOPPTTIIOONNSS OOPPTTIIOONNSS
vviissuuddoo accepts the following command line options: vviissuuddoo accepts the following command line options: accepts the following
command line options:
-c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file will be --cc Enable _c_h_e_c_k_-_o_n_l_y mode. The existing _s_u_d_o_e_r_s file will be
checked for syntax errors, owner and mode. A message will checked for syntax errors, owner and mode. A message will be
be printed to the standard output describing the status of printed to the standard output describing the status of
_s_u_d_o_e_r_s unless the --qq option was specified. If the check _s_u_d_o_e_r_s unless the --qq option was specified. If the check
completes successfully, vviissuuddoo will exit with a value of 0. completes successfully, vviissuuddoo will exit with a value of 0.
If an error is encountered, vviissuuddoo will exit with a value If an error is encountered, vviissuuddoo will exit with a value of
of 1. 1.
-f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this --ff _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this
option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your
choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file
file used is the specified _s_u_d_o_e_r_s file with ".tmp" used is the specified _s_u_d_o_e_r_s file with ``.tmp'' appended to
appended to it. In cchheecckk--oonnllyy mode only, the argument to it. In _c_h_e_c_k_-_o_n_l_y mode only, the argument to --ff may be `-',
--ff may be "-", indicating that _s_u_d_o_e_r_s will be read from indicating that _s_u_d_o_e_r_s will be read from the standard input.
the standard input.
-h The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help --hh The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help
message to the standard output and exit. message to the standard output and exit.
-q Enable qquuiieett mode. In this mode details about syntax --qq Enable _q_u_i_e_t mode. In this mode details about syntax errors
errors are not printed. This option is only useful when are not printed. This option is only useful when combined
combined with the --cc option. with the --cc option.
-s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is --ss Enable _s_t_r_i_c_t checking of the _s_u_d_o_e_r_s file. If an alias is
used before it is defined, vviissuuddoo will consider this a used before it is defined, vviissuuddoo will consider this a parse
parse error. Note that it is not possible to differentiate error. Note that it is not possible to differentiate between
between an alias and a host name or user name that consists an alias and a host name or user name that consists solely of
solely of uppercase letters, digits, and the underscore uppercase letters, digits, and the underscore (`_')
('_') character. character.
-V The --VV (version) option causes vviissuuddoo to print its version --VV The --VV (_v_e_r_s_i_o_n) option causes vviissuuddoo to print its version
number and exit. number and exit.
EENNVVIIRROONNMMEENNTT EENNVVIIRROONNMMEENNTT
The following environment variables may be consulted depending on the The following environment variables may be consulted depending on the
value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s variables: value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s settings:
VISUAL Invoked by visudo as the editor to use VISUAL Invoked by vviissuuddoo as the editor to use
EDITOR Used by visudo if VISUAL is not set EDITOR Used by vviissuuddoo if VISUAL is not set
FFIILLEESS FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
@ -101,7 +98,7 @@ DDIIAAGGNNOOSSTTIICCSS
Either you are trying to use an undeclared Either you are trying to use an undeclared
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the underscore (`_') character. In the latter case, you can ignore the
warnings (ssuuddoo will not complain). In --ss (strict) mode these are warnings (ssuuddoo will not complain). In --ss (strict) mode these are
errors, not warnings. errors, not warnings.
@ -117,11 +114,11 @@ DDIIAAGGNNOOSSTTIICCSS
the _s_u_d_o_e_r_s file. the _s_u_d_o_e_r_s file.
SSEEEE AALLSSOO SSEEEE AALLSSOO
_v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(1m) vi(1), sudoers(4), sudo(1m), vipw(1m)
AAUUTTHHOORRSS AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version of vviissuuddoo Many people have worked on ssuuddoo over the years; this version consists of
was written by: code written primarily by:
Todd C. Miller Todd C. Miller
@ -134,21 +131,19 @@ CCAAVVEEAATTSS
editor used by vviissuuddoo allows shell escapes. editor used by vviissuuddoo allows shell escapes.
BBUUGGSS BBUUGGSS
If you feel you have found a bug in vviissuuddoo, please submit a bug report If you feel you have found a bug in vviissuuddoo, please submit a bug report at
at http://www.sudo.ws/sudo/bugs/ http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
the archives. archives.
DDIISSCCLLAAIIMMEERR DDIISSCCLLAAIIMMEERR
vviissuuddoo is provided ``AS IS'' and any express or implied warranties, vviissuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of including, but not limited to, the implied warranties of merchantability
merchantability and fitness for a particular purpose are disclaimed. and fitness for a particular purpose are disclaimed. See the LICENSE
See the LICENSE file distributed with ssuuddoo or file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
http://www.sudo.ws/sudo/license.html for complete details. complete details.
Sudo 1.8.6 July 12, 2012 Sudo 1.8.6
1.8.6 July 13, 2012 VISUDO(1m)

538
doc/visudo.man.in
View File

@ -1,3 +1,6 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in
.\"
.\" Copyright (c) 1996,1998-2005, 2007-2012 .\" Copyright (c) 1996,1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com> .\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" .\"
@ -18,297 +21,306 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .TH "VISUDO" "@mansectsu@" "July 12, 2012" "1.8.6" "System Manager's Manual"
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "July 13, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME" .SH "NAME"
visudo \- edit the sudoers file \fBvisudo\fR
\- edit the sudoers file
.SH "SYNOPSIS" .SH "SYNOPSIS"
.IX Header "SYNOPSIS" .HP 7n
\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR] \fBvisudo\fR
[\fB-chqsV\fR]
[\fB-f\fR\~\fIsudoers\fR]
.SH "DESCRIPTION" .SH "DESCRIPTION"
.IX Header "DESCRIPTION" \fBvisudo\fR
\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to edits the
\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple \fIsudoers\fR
simultaneous edits, provides basic sanity checks, and checks file in a safe fashion, analogous to
for parse errors. If the \fIsudoers\fR file is currently being vipw(@mansectsu@).
edited you will receive a message to try again later. \fBvisudo\fR
locks the
\fIsudoers\fR
file against multiple simultaneous edits, provides basic sanity checks,
and checks for parse errors.
If the
\fIsudoers\fR
file is currently being edited you will receive a message to try again later.
.PP .PP
There is a hard-coded list of one or more editors that \fBvisudo\fR will There is a hard-coded list of one or more editors that
use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR \fBvisudo\fR
\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to \f(CW"@editor@"\fR. Normally, will use set at compile-time that may be overridden via the
\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment \fIeditor\fR
variables unless they contain an editor in the aforementioned editors \fIsudoers\fR
list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR \fRDefault\fR
option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR, variable.
\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. This list defaults to
\fR@editor@\fR.
Normally,
\fBvisudo\fR
does not honor the
\fRVISUAL\fR
or
\fREDITOR\fR
environment variables unless they contain an editor in the aforementioned
editors list.
However, if
\fBvisudo\fR
is configured with the
\fR--with-env-editor\fR
option or the
\fIenv_editor\fR
\fRDefault\fR
variable is set in
\fIsudoers\fR,
\fBvisudo\fR
will use any the editor defines by
\fRVISUAL\fR
or
\fREDITOR\fR.
Note that this can be a security hole since it allows the user to Note that this can be a security hole since it allows the user to
execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. execute any program they wish simply by setting
\fRVISUAL\fR
or
\fREDITOR\fR.
.PP .PP
\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will \fBvisudo\fR
not save the changes if there is a syntax error. Upon finding parses the
an error, \fBvisudo\fR will print a message stating the line number(s) \fIsudoers\fR
file after the edit and will
not save the changes if there is a syntax error.
Upon finding an error,
\fBvisudo\fR
will print a message stating the line number(s)
where the error occurred and the user will receive the where the error occurred and the user will receive the
\&\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R" ``What now?''
to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without prompt.
saving the changes, or \*(L"Q\*(R" to quit and save changes. The At this point the user may enter
\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR `e'
believes there to be a parse error, so will \fBsudo\fR and no one to re-edit the
will be able to \fBsudo\fR again until the error is fixed. \fIsudoers\fR
If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error file,
has been detected, the cursor will be placed on the line where the `x'
error occurred (if the editor supports this feature). to exit without saving the changes, or
`Q'
to quit and save changes.
The
`Q'
option should be used with extreme care because if
\fBvisudo\fR
believes there to be a parse error, so will
\fBsudo\fR
and no one
will be able to
\fBsudo\fR
again until the error is fixed.
If
`e'
is typed to edit the
\fIsudoers\fR
file after a parse error has been detected, the cursor will be placed on
the line where the error occurred (if the editor supports this feature).
.SH "OPTIONS" .SH "OPTIONS"
.IX Header "OPTIONS" \fBvisudo\fR
\&\fBvisudo\fR accepts the following command line options: accepts the following command line options:
.IP "\-c" 12 accepts the following command line options:
.IX Item "-c" .TP 12n
Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be \fB-c\fR
checked for syntax errors, owner and mode. A message will be printed Enable
to the standard output describing the status of \fIsudoers\fR unless \fIcheck-only\fR
the \fB\-q\fR option was specified. If the check completes successfully, mode.
\&\fBvisudo\fR will exit with a value of 0. If an error is encountered, The existing
\&\fBvisudo\fR will exit with a value of 1. \fIsudoers\fR
.IP "\-f \fIsudoers\fR" 12 file will be
.IX Item "-f sudoers" checked for syntax errors, owner and mode.
Specify and alternate \fIsudoers\fR file location. With this option A message will be printed to the standard output describing the status of
\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice, \fIsudoers\fR
instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used unless the
is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it. \fB-q\fR
In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R", option was specified.
indicating that \fIsudoers\fR will be read from the standard input. If the check completes successfully,
.IP "\-h" 12 \fBvisudo\fR
.IX Item "-h" will exit with a value of 0.
The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message If an error is encountered,
\fBvisudo\fR
will exit with a value of 1.
.TP 12n
\fB-f\fR \fIsudoers\fR
Specify and alternate
\fIsudoers\fR
file location.
With this option
\fBvisudo\fR
will edit (or check) the
\fIsudoers\fR
file of your choice,
instead of the default,
\fI@sysconfdir@/sudoers\fR.
The lock file used is the specified
\fIsudoers\fR
file with
``\.tmp''
appended to it.
In
\fIcheck-only\fR
mode only, the argument to
\fB-f\fR
may be
`-',
indicating that
\fIsudoers\fR
will be read from the standard input.
.TP 12n
\fB-h\fR
The
\fB-h\fR (\fIhelp\fR)
option causes
\fBvisudo\fR
to print a short help message
to the standard output and exit. to the standard output and exit.
.IP "\-q" 12 .TP 12n
.IX Item "-q" \fB-q\fR
Enable \fBquiet\fR mode. In this mode details about syntax errors Enable
are not printed. This option is only useful when combined with \fIquiet\fR
the \fB\-c\fR option. mode.
.IP "\-s" 12 In this mode details about syntax errors are not printed.
.IX Item "-s" This option is only useful when combined with
Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is the
used before it is defined, \fBvisudo\fR will consider this a parse \fB-c\fR
error. Note that it is not possible to differentiate between an option.
.TP 12n
\fB-s\fR
Enable
\fIstrict\fR
checking of the
\fIsudoers\fR
file.
If an alias is used before it is defined,
\fBvisudo\fR
will consider this a parse error.
Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character. letters, digits, and the underscore
.IP "\-V" 12 (`_')
.IX Item "-V" character.
The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number .TP 12n
\fB-V\fR
The
\fB-V\fR (\fIversion\fR)
option causes
\fBvisudo\fR
to print its version number
and exit. and exit.
.SH "ENVIRONMENT" .SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
The following environment variables may be consulted depending on The following environment variables may be consulted depending on
the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables: the value of the
.ie n .IP "\*(C`VISUAL\*(C'" 16 \fIeditor\fR
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16 and
.IX Item "VISUAL" \fIenv_editor\fR
Invoked by visudo as the editor to use \fIsudoers\fR
.ie n .IP "\*(C`EDITOR\*(C'" 16 settings:
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16 .TP 17n
.IX Item "EDITOR" \fRVISUAL\fR
Used by visudo if \s-1VISUAL\s0 is not set Invoked by
\fBvisudo\fR
as the editor to use
.TP 17n
\fREDITOR\fR
Used by
\fBvisudo\fR
if
\fRVISUAL\fR
is not set
.SH "FILES" .SH "FILES"
.IX Header "FILES" .TP 26n
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 \fI@sysconfdir@/sudoers\fR
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what List of who can run what
.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24 .TP 26n
.el .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24 \fI@sysconfdir@/sudoers.tmp\fR
.IX Item "@sysconfdir@/sudoers.tmp"
Lock file for visudo Lock file for visudo
.SH "DIAGNOSTICS" .SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS" .TP 6n
.IP "sudoers file busy, try again later." 4 \fRsudoers file busy, try again later.\fR
.IX Item "sudoers file busy, try again later." Someone else is currently editing the
Someone else is currently editing the \fIsudoers\fR file. \fIsudoers\fR
.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4 file.
.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4 .TP 6n
.IX Item "@sysconfdir@/sudoers.tmp: Permission denied" \fR@sysconfdir@/sudoers.tmp: Permission denied\fR
You didn't run \fBvisudo\fR as root. You didn't run
.IP "Can't find you in the passwd database" 4 \fBvisudo\fR
.IX Item "Can't find you in the passwd database" as root.
Your user \s-1ID\s0 does not appear in the system passwd file. .TP 6n
.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4 \fRCan't find you in the passwd database\fR
.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" Your user ID does not appear in the system passwd file.
.TP 6n
\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In uppercase letters, digits, and the underscore
the latter case, you can ignore the warnings (\fBsudo\fR will not (`_')
complain). In \fB\-s\fR (strict) mode these are errors, not warnings. character.
.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4 In the latter case, you can ignore the warnings
.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias" (\fBsudo\fR
will not complain)
\&.
In
\fB-s\fR
(strict) mode these are errors, not warnings.
.TP 6n
\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias was defined but never The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In used.
\&\fB\-s\fR (strict) mode this is an error, not a warning. You may wish to comment out or remove the unused alias.
.IP "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" 4 In
.IX Item "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" \fB-s\fR
(strict) mode this is an error, not a warning.
.TP 6n
\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes. This is itself, either directly or through an alias it includes.
only a warning by default as \fBsudo\fR will ignore cycles when parsing This is only a warning by default as
the \fIsudoers\fR file. \fBsudo\fR
will ignore cycles when parsing
the
\fIsudoers\fR
file.
.SH "SEE ALSO" .SH "SEE ALSO"
.IX Header "SEE ALSO" vi(1),
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@) sudoers(@mansectform@),
sudo(@mansectsu@),
vipw(@mansectsu@)
.SH "AUTHORS" .SH "AUTHORS"
.IX Header "AUTHORS" Many people have worked on
Many people have worked on \fBsudo\fR over the years; this version of \fBsudo\fR
\&\fBvisudo\fR was written by: over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP .PP
.Vb 1 See the CONTRIBUTORS file in the
\& Todd C. Miller \fBsudo\fR
.Ve distribution (http://www.sudo.ws/sudo/contributors.html) for an
.PP exhaustive list of people who have contributed to
See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution \fBsudo\fR.
(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people
who have contributed to \fBsudo\fR.
.SH "CAVEATS" .SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if There is no easy way to prevent a user from gaining a root shell if
the editor used by \fBvisudo\fR allows shell escapes. the editor used by
\fBvisudo\fR
allows shell escapes.
.SH "BUGS" .SH "BUGS"
.IX Header "BUGS" If you feel you have found a bug in
If you feel you have found a bug in \fBvisudo\fR, please submit a bug report \fBvisudo\fR,
at http://www.sudo.ws/sudo/bugs/ please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT" .SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list, Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives. search the archives.
.SH "DISCLAIMER" .SH "DISCLAIMER"
.IX Header "DISCLAIMER" \fBvisudo\fR
\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, is provided
including, but not limited to, the implied warranties of merchantability ``AS IS''
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 and any express or implied warranties, including, but not limited
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html to, the implied warranties of merchantability and fitness for a
for complete details. particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.

12
doc/visudo.mdoc.in
View File

@ -20,8 +20,8 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd July 12, 2012 .Dd July 12, 2012
.Dt VISUDO 8 .Dt VISUDO @mansectsu@
.Os .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
.Nm visudo .Nm visudo
.Nd edit the sudoers file .Nd edit the sudoers file
@ -36,7 +36,7 @@
edits the edits the
.Em sudoers .Em sudoers
file in a safe fashion, analogous to file in a safe fashion, analogous to
.Xr vipw 8 . .Xr vipw @mansectsu@ .
.Nm visudo .Nm visudo
locks the locks the
.Em sudoers .Em sudoers
@ -278,9 +278,9 @@ file.
.El .El
.Sh SEE ALSO .Sh SEE ALSO
.Xr vi 1 , .Xr vi 1 ,
.Xr sudoers 5 , .Xr sudoers @mansectform@ ,
.Xr sudo 8 , .Xr sudo @mansectsu@ ,
.Xr vipw 8 .Xr vipw @mansectsu@
.Sh AUTHORS .Sh AUTHORS
Many people have worked on Many people have worked on
.Nm sudo .Nm sudo