mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 13:28:10 +00:00
Code Issues Releases Wiki Activity

Build .man.in and .cat files from .mdoc.in files.

Browse Source 
Add new --with-man and --with-mdoc configure options.
This commit is contained in:
Todd C. Miller 2012-07-19 13:41:14 -04:00
parent 0d8aa46bb1
commit 90f2cfa589
24 changed files with 11796 additions and 8617 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
INSTALL
View File

@ -348,6 +348,16 @@ Special features/options:
Enable support for role based access control (RBAC) on
systems that support SELinux.
--with-man
Use the "man" macros for manual pages. By default, mdoc
versions of the manuals are installed. This can be used
to override configure's test for "nroff -mdoc" support.
--with-mdoc
Use the "mdoc" macros for manual pages. By default, mdoc
versions of the manuals are installed. This can be used
to override configure's test for "nroff -mdoc" support.
The following options are also configurable at runtime:
--with-long-otp-prompt

14
MANIFEST
View File

@ -81,24 +81,22 @@ doc/schema.OpenLDAP
doc/schema.iPlanet
doc/sudo.cat
doc/sudo.man.in
doc/sudo.man.pl
doc/sudo.pod
doc/sudo.mdoc.in
doc/sudo_plugin.cat
doc/sudo_plugin.man.in
doc/sudo_plugin.pod
doc/sudo_plugin.mdoc.in
doc/sudoers.cat
doc/sudoers.ldap.cat
doc/sudoers.ldap.man.in
doc/sudoers.ldap.pod
doc/sudoers.ldap.mdoc.in
doc/sudoers.man.in
doc/sudoers.man.pl
doc/sudoers.pod
doc/sudoers.mdoc.in
doc/sudoreplay.cat
doc/sudoreplay.man.in
doc/sudoreplay.pod
doc/sudoreplay.mdoc.in
doc/visudo.cat
doc/visudo.man.in
doc/visudo.pod
doc/visudo.mdoc.in
include/Makefile.in
include/alloc.h
include/error.h

3
NEWS
View File

@ -33,6 +33,9 @@ What's new in Sudo 1.8.6?
of "N incorrect password attempts". Likewise, the "mail_no_perms"
sudoers option now takes precedence over "mail_badpass".
* The sudo manuals are now formatted in mdoc. Versions using the
legacy man macros are provided for systems that lack mdoc.
What's new in Sudo 1.8.5p2?
* Fixed use of the SUDO_ASKPASS environment variable which was

70
configure vendored
View File

@ -731,6 +731,7 @@ SUDOERS_MODE
SHLIB_MODE
MANCOMPRESSEXT
MANCOMPRESS
MANDIRTYPE
MANTYPE
AUTH_OBJS
OSDEFS
@ -871,6 +872,8 @@ with_interfaces
with_stow
with_askpass
with_plugindir
with_man
with_mdoc
enable_authentication
enable_root_mailer
enable_setreuid
@ -1655,6 +1658,8 @@ Optional Packages:
--with-stow deprecated
--with-askpass=PATH Fully qualified pathname of askpass helper
--with-plugindir set directory to load plugins from
--with-man manual pages use man macros
--with-mdoc manual pages use mdoc macros
--with-selinux enable SELinux support
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
@ -2899,6 +2904,7 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
#
@ -2946,7 +2952,7 @@ secure_path="not set"
INSTALL_NOEXEC=
devdir='$(srcdir)'
PROGS="sudo"
: ${MANTYPE='man'}
: ${MANDIRTYPE='man'}
: ${mansrcdir='.'}
: ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'}
@ -5208,6 +5214,34 @@ fi
# Check whether --with-man was given.
if test "${with_man+set}" = set; then :
withval=$with_man; case $with_man in
yes) MANTYPE=man
;;
no) as_fn_error $? "\"--without-man not supported.\"" "$LINENO" 5
;;
*) as_fn_error $? "\"ignoring unknown argument to --with-man: $with_man.\"" "$LINENO" 5
;;
esac
fi
# Check whether --with-mdoc was given.
if test "${with_mdoc+set}" = set; then :
withval=$with_mdoc; case $with_mdoc in
yes) MANTYPE=mdoc
;;
no) as_fn_error $? "\"--without-mdoc not supported.\"" "$LINENO" 5
;;
*) as_fn_error $? "\"ignoring unknown argument to --with-mdoc: $with_mdoc.\"" "$LINENO" 5
;;
esac
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to do user authentication by default" >&5
$as_echo_n "checking whether to do user authentication by default... " >&6; }
# Check whether --enable-authentication was given.
@ -13649,7 +13683,7 @@ $as_echo "no" >&6; }
fi
for ac_prog in nroff mandoc
for ac_prog in mandoc nroff
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
@ -13692,6 +13726,29 @@ fi
done
if test -n "$NROFFPROG"; then
test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which macro set to use for manual pages" >&5
$as_echo_n "checking which macro set to use for manual pages... " >&6; }
if ${sudo_cv_var_mantype+:} false; then :
$as_echo_n "(cached) " >&6
else
sudo_cv_var_mantype="man"
if test "$NROFFPROG" != "no"; then
echo ".Sh NAME" > conftest
echo ".Nm sudo" >> conftest
echo ".Nd sudo" >> conftest
echo ".Sh DESCRIPTION" >> conftest
echo "sudo" >> conftest
if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
sudo_cv_var_mantype="mdoc"
fi
rm -f conftest
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5
$as_echo "$sudo_cv_var_mantype" >&6; }
MANTYPE="$sudo_cv_var_mantype"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -c option" >&5
$as_echo_n "checking whether $NROFFPROG supports the -c option... " >&6; }
if ${sudo_cv_var_nroff_opt_c+:} false; then :
@ -13719,15 +13776,16 @@ else
else
sudo_cv_var_nroff_opt_Tascii=no
fi
if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
NROFFPROG="$NROFFPROG -Tascii"
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_Tascii" >&5
$as_echo "$sudo_cv_var_nroff_opt_Tascii" >&6; }
if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
NROFFPROG="$NROFFPROG -Tascii"
fi
else
MANTYPE="cat"
MANTYPE=cat
MANDIRTYPE=cat
mansrcdir='$(srcdir)'
fi

51
configure.in
View File

@ -38,6 +38,7 @@ AC_SUBST([GETGROUPS_LIB])
AC_SUBST([OSDEFS])
AC_SUBST([AUTH_OBJS])
AC_SUBST([MANTYPE])
AC_SUBST([MANDIRTYPE])
AC_SUBST([MANCOMPRESS])
AC_SUBST([MANCOMPRESSEXT])
AC_SUBST([SHLIB_MODE])
@ -164,7 +165,7 @@ dnl
INSTALL_NOEXEC=
devdir='$(srcdir)'
PROGS="sudo"
: ${MANTYPE='man'}
: ${MANDIRTYPE='man'}
: ${mansrcdir='.'}
: ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'}
@ -1112,6 +1113,26 @@ AC_ARG_WITH(plugindir, [AS_HELP_STRING([--with-plugindir], [set directory to loa
*) ;;
esac], [with_plugindir="$libexecdir"])
AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])],
[case $with_man in
yes) MANTYPE=man
;;
no) AC_MSG_ERROR(["--without-man not supported."])
;;
*) AC_MSG_ERROR(["ignoring unknown argument to --with-man: $with_man."])
;;
esac])
AC_ARG_WITH(mdoc, [AS_HELP_STRING([--with-mdoc], [manual pages use mdoc macros])],
[case $with_mdoc in
yes) MANTYPE=mdoc
;;
no) AC_MSG_ERROR(["--without-mdoc not supported."])
;;
*) AC_MSG_ERROR(["ignoring unknown argument to --with-mdoc: $with_mdoc."])
;;
esac])
dnl
dnl Options for --enable
dnl
@ -1428,8 +1449,25 @@ dnl Find programs we use
dnl
AC_CHECK_PROG(UNAMEPROG, [uname], [uname])
AC_CHECK_PROG(TRPROG, [tr], [tr])
AC_CHECK_PROGS(NROFFPROG, [nroff mandoc])
AC_CHECK_PROGS(NROFFPROG, [mandoc nroff])
if test -n "$NROFFPROG"; then
test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
AC_CACHE_CHECK([which macro set to use for manual pages],
[sudo_cv_var_mantype],
[sudo_cv_var_mantype="man"
if test "$NROFFPROG" != "no"; then
echo ".Sh NAME" > conftest
echo ".Nm sudo" >> conftest
echo ".Nd sudo" >> conftest
echo ".Sh DESCRIPTION" >> conftest
echo "sudo" >> conftest
if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
sudo_cv_var_mantype="mdoc"
fi
rm -f conftest
fi]
)
MANTYPE="$sudo_cv_var_mantype"
AC_CACHE_CHECK([whether $NROFFPROG supports the -c option],
[sudo_cv_var_nroff_opt_c],
[if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
@ -1441,6 +1479,9 @@ if test -n "$NROFFPROG"; then
if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
NROFFPROG="$NROFFPROG -c"
fi
dnl
dnl This test will fail for mandoc but it is the default anyway...
dnl
AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option],
[sudo_cv_var_nroff_opt_Tascii],
[if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
@ -1448,12 +1489,13 @@ if test -n "$NROFFPROG"; then
else
sudo_cv_var_nroff_opt_Tascii=no
fi]
)
if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
NROFFPROG="$NROFFPROG -Tascii"
fi
)
else
MANTYPE="cat"
MANTYPE=cat
MANDIRTYPE=cat
mansrcdir='$(srcdir)'
fi
@ -3451,7 +3493,6 @@ test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/
dnl
dnl Substitute into the Makefile and man pages
dnl
dnl AC_CONFIG_FILES([doc/sudo.man doc/visudo.man doc/sudoers.man doc/sudoers.ldap.man doc/sudoreplay.man src/Makefile src/sudo_usage.h])
AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
AC_OUTPUT

101
doc/Makefile.in
View File

@ -48,8 +48,8 @@ mandir = @mandir@
mantype = @MANTYPE@
mansectsu = @mansectsu@
mansectform = @mansectform@
mandirsu = $(mandir)/$(mantype)$(mansectsu)
mandirform = $(mandir)/$(mantype)$(mansectform)
mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu)
mandirform = $(mandir)/@MANDIRTYPE@$(mansectform)
# User and group ids the installed files should be "owned" by
install_uid = 0
@ -62,8 +62,9 @@ DEVEL = @DEVEL@
SHELL = @SHELL@
DOCS = sudo.man visudo.man sudoers.man sudoers.ldap.man sudoers.man \
sudoreplay.man sudo_plugin.man
DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \
sudoers.ldap.$(mantype) sudoers.$(mantype) \
sudoreplay.$(mantype) sudo_plugin.$(mantype)
DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
$(srcdir)/visudo.man.in $(srcdir)/visudo.cat \
@ -93,116 +94,146 @@ Makefile: $(srcdir)/Makefile.in
varsub: $(top_srcdir)/configure.in
@if [ -n "$(DEVEL)" ]; then \
printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; \
printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \
sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
fi
$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod
$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo.pod > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudo.man.pl >> $@; \
printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
sudo.man: $(srcdir)/sudo.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in
sudo.mdoc: $(srcdir)/sudo.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@; \
sed -f varsub $(srcdir)/sudo.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod
$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/visudo.pod > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
printf '.\\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/visudo.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
visudo.man: $(srcdir)/visudo.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in
visudo.mdoc: $(srcdir)/visudo.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@; \
sed -f varsub $(srcdir)/visudo.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod
$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.pod > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudoers.man.pl >> $@; \
printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
sudoers.man: $(srcdir)/sudoers.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in
sudoers.mdoc: $(srcdir)/sudoers.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@; \
sed -f varsub $(srcdir)/sudoers.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod
$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.ldap.pod > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.ldap.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in
sudoers.ldap.mdoc: $(srcdir)/sudoers.ldap.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@; \
sed -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod
$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoreplay.pod > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoreplay.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
sudoreplay.man: $(srcdir)/sudoreplay.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in
sudoreplay.mdoc: $(srcdir)/sudoreplay.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@; \
sed -f varsub $(srcdir)/sudoreplay.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo_plugin.pod > $@; \
pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in\n' >> $@; \
sed -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo_plugin.mdoc.in >> $@; \
sed -e 's/^\.Os.*/.Os @PACKAGE_VERSION@/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | mandoc -Tman | sed -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
sudo_plugin.man: $(srcdir)/sudo_plugin.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.man.in
sudo_plugin.mdoc: $(srcdir)/sudo_plugin.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
sed -f varsub $(srcdir)/sudo_plugin.man.in | $(NROFF) -man > $@; \
sed -f varsub $(srcdir)/sudo_plugin.mdoc.in | $(NROFF) -mdoc | sed -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
CONTRIBUTORS: $(srcdir)/contributors.pod

536
doc/sudo.cat
View File

@ -1,25 +1,20 @@
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) System Manager's Manual SUDO(1m)
NNAAMMEE
sudo, sudoedit - execute a command as another user
ssuuddoo, ssuuddooeeddiitt - execute a command as another user
SSYYNNOOPPSSIISS
ssuuddoo --hh | --KK | --kk | --VV
ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t]
[--uu _u_s_e_r _n_a_m_e | _#_u_i_d]
ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t]
ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t]
[--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d]
ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-]
[--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e]
[--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d]
[--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d]
ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-]
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ...
[--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file
...
DDEESSCCRRIIPPTTIIOONN
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or
@ -29,98 +24,95 @@ DDEESSCCRRIIPPTTIIOONN
based on the group database (unless the --PP option was specified).
ssuuddoo supports a plugin architecture for security policies and
input/output logging. Third parties can develop and distribute their
own policy and I/O logging modules to work seamlessly with the ssuuddoo
front end. The default security policy is _s_u_d_o_e_r_s, which is configured
via the file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the PLUGINS section for
more information.
input/output logging. Third parties can develop and distribute their own
policy and I/O logging modules to work seamlessly with the ssuuddoo front
end. The default security policy is _s_u_d_o_e_r_s, which is configured via the
file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more
information.
The security policy determines what privileges, if any, a user has to
run ssuuddoo. The policy may require that users authenticate themselves
with a password or another authentication mechanism. If authentication
is required, ssuuddoo will exit if the user's password is not entered
within a configurable time limit. This limit is policy-specific; the
default password prompt timeout for the _s_u_d_o_e_r_s security policy is 5
minutes.
The security policy determines what privileges, if any, a user has to run
ssuuddoo. The policy may require that users authenticate themselves with a
password or another authentication mechanism. If authentication is
required, ssuuddoo will exit if the user's password is not entered within a
configurable time limit. This limit is policy-specific; the default
password prompt timeout for the _s_u_d_o_e_r_s security policy is 5 minutes.
Security policies may support credential caching to allow the user to
run ssuuddoo again for a period of time without requiring authentication.
The _s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden
in _s_u_d_o_e_r_s(4). By running ssuuddoo with the --vv option, a user can update
the cached credentials without running a _c_o_m_m_a_n_d.
Security policies may support credential caching to allow the user to run
ssuuddoo again for a period of time without requiring authentication. The
_s_u_d_o_e_r_s policy caches credentials for 5 minutes, unless overridden in
sudoers(4). By running ssuuddoo with the --vv option, a user can update the
cached credentials without running a _c_o_m_m_a_n_d.
When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied.
Security policies may log successful and failed attempts to use ssuuddoo.
If an I/O plugin is configured, the running command's input and output
may be logged as well.
Security policies may log successful and failed attempts to use ssuuddoo. If
an I/O plugin is configured, the running command's input and output may
be logged as well.
OOPPTTIIOONNSS
ssuuddoo accepts the following command line options:
-A Normally, if ssuuddoo requires a password, it will read it from
--AA Normally, if ssuuddoo requires a password, it will read it from
the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is
specified, a (possibly graphical) helper program is
executed to read the user's password and output the
password to the standard output. If the SUDO_ASKPASS
environment variable is set, it specifies the path to the
helper program. Otherwise, if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a
line specifying the askpass program, that value will be
used. For example:
specified, a (possibly graphical) helper program is executed
to read the user's password and output the password to the
standard output. If the SUDO_ASKPASS environment variable is
set, it specifies the path to the helper program. Otherwise,
if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass
program, that value will be used. For example:
# Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo will exit with an
If no askpass program is available, ssuuddoo will exit with an
error.
-a _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the
--aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the
specified authentication type when validating the user, as
allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may
specify a list of sudo-specific authentication methods by
adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This
adding an ``auth-sudo'' entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This
option is only available on systems that support BSD
authentication.
-b The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given
--bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given
command in the background. Note that if you use the --bb
option you cannot use shell job control to manipulate the
process. Most interactive commands will fail to work
properly in background mode.
-C _f_d Normally, ssuuddoo will close all open file descriptors other
than standard input, standard output and standard error.
The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a
starting point above the standard error (file descriptor
three). Values less than three are not permitted. The
security policy may restrict the user's ability to use the
--CC option. The _s_u_d_o_e_r_s policy only permits use of the --CC
option when the administrator has enabled the
_c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option.
--CC _f_d Normally, ssuuddoo will close all open file descriptors other
than standard input, standard output and standard error. The
--CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting
point above the standard error (file descriptor three).
Values less than three are not permitted. The security
policy may restrict the user's ability to use the --CC option.
The _s_u_d_o_e_r_s policy only permits use of the --CC option when the
administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option.
-c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
command with resources limited by the specified login
class. The _c_l_a_s_s argument can be either a class name as
defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character.
Specifying a _c_l_a_s_s of - indicates that the command should
be run restricted by the default login capabilities for the
user the command is run as. If the _c_l_a_s_s argument
specifies an existing user class, the command must be run
as root, or the ssuuddoo command must be run from a shell that
is already root. This option is only available on systems
with BSD login classes.
--cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified
command with resources limited by the specified login class.
The _c_l_a_s_s argument can be either a class name as defined in
_/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a
_c_l_a_s_s of - indicates that the command should be run
restricted by the default login capabilities for the user the
command is run as. If the _c_l_a_s_s argument specifies an
existing user class, the command must be run as root, or the
ssuuddoo command must be run from a shell that is already root.
This option is only available on systems with BSD login
classes.
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the
--EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the
security policy that the user wishes to preserve their
existing environment variables. The security policy may
return an error if the --EE option is specified and the user
does not have permission to preserve the environment.
-e The --ee (_e_d_i_t) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
lieu of a command, the string "sudoedit" is used when
consulting the security policy. If the user is authorized
by the policy, the following steps are taken:
--ee The --ee (_e_d_i_t) option indicates that, instead of running a
command, the user wishes to edit one or more files. In lieu
of a command, the string "sudoedit" is used when consulting
the security policy. If the user is authorized by the
policy, the following steps are taken:
1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
@ -130,197 +122,191 @@ OOPPTTIIOONNSS
SUDO_EDITOR, VISUAL and EDITOR environment variables
(in that order). If none of SUDO_EDITOR, VISUAL or
EDITOR are set, the first program listed in the _e_d_i_t_o_r
_s_u_d_o_e_r_s(4) option is used.
sudoers(4) option is used.
3. If they have been modified, the temporary files are
copied back to their original location and the
temporary versions are removed.
If the specified file does not exist, it will be created.
Note that unlike most commands run by ssuuddoo, the editor is
run with the invoking user's environment unmodified. If,
for some reason, ssuuddoo is unable to update a file with its
edited version, the user will receive a warning and the
edited copy will remain in a temporary file.
Note that unlike most commands run by _s_u_d_o, the editor is run
with the invoking user's environment unmodified. If, for
some reason, ssuuddoo is unable to update a file with its edited
version, the user will receive a warning and the edited copy
will remain in a temporary file.
-g _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to
--gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to
the one specified by the password database for the user the
command is being run as (by default, root). The --gg (_g_r_o_u_p)
option causes ssuuddoo to run the command with the primary
group set to _g_r_o_u_p instead. To specify a _g_i_d instead of a
_g_r_o_u_p _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many
shells require that the '#' be escaped with a backslash
('\'). If no --uu option is specified, the command will be
run as the invoking user (not root). In either case, the
primary group will be set to _g_r_o_u_p.
option causes ssuuddoo to run the command with the primary group
set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p
_n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells
require that the `#' be escaped with a backslash (`\'). If
no --uu option is specified, the command will be run as the
invoking user (not root). In either case, the primary group
will be set to _g_r_o_u_p.
-H The --HH (_H_O_M_E) option requests that the security policy set
--HH The --HH (_H_O_M_E) option requests that the security policy set
the HOME environment variable to the home directory of the
target user (root by default) as specified by the password
database. Depending on the policy, this may be the default
behavior.
-h The --hh (_h_e_l_p) option causes ssuuddoo to print a short help
--hh The --hh (_h_e_l_p) option causes ssuuddoo to print a short help
message to the standard output and exit.
-i [command]
--ii [_c_o_m_m_a_n_d]
The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell
specified by the password database entry of the target user
as a login shell. This means that login-specific resource
files such as .profile or .login will be read by the shell.
files such as _._p_r_o_f_i_l_e or _._l_o_g_i_n will be read by the shell.
If a command is specified, it is passed to the shell for
execution via the shell's --cc option. If no command is
specified, an interactive shell is executed. ssuuddoo attempts
to change to that user's home directory before running the
shell. The security policy shall initialize the
environment to a minimal set of variables, similar to what
is present when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t
section in the _s_u_d_o_e_r_s(4) manual documents how the --ii
option affects the environment in which a command is run
when the _s_u_d_o_e_r_s policy is in use.
shell. The security policy shall initialize the environment
to a minimal set of variables, similar to what is present
when a user logs in. The _C_o_m_m_a_n_d _E_n_v_i_r_o_n_m_e_n_t section in the
sudoers(4) manual documents how the --ii option affects the
environment in which a command is run when the _s_u_d_o_e_r_s policy
is in use.
-K The --KK (sure _k_i_l_l) option is like --kk except that it removes
the user's cached credentials entirely and may not be used
in conjunction with a command or other option. This option
does not require a password. Not all security policies
support credential caching.
--KK The --KK (sure _k_i_l_l) option is like --kk except that it removes
the user's cached credentials entirely and may not be used in
conjunction with a command or other option. This option does
not require a password. Not all security policies support
credential caching.
-k [command]
When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates
the user's cached credentials. The next time ssuuddoo is run a
--kk [_c_o_m_m_a_n_d]
When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the
user's cached credentials. The next time ssuuddoo is run a
password will be required. This option does not require a
password and was added to allow a user to revoke ssuuddoo
permissions from a .logout file. Not all security policies
permissions from a _._l_o_g_o_u_t file. Not all security policies
support credential caching.
When used in conjunction with a command or an option that
may require a password, the --kk option will cause ssuuddoo to
ignore the user's cached credentials. As a result, ssuuddoo
will prompt for a password (if one is required by the
security policy) and will not update the user's cached
credentials.
When used in conjunction with a command or an option that may
require a password, the --kk option will cause ssuuddoo to ignore
the user's cached credentials. As a result, ssuuddoo will prompt
for a password (if one is required by the security policy)
and will not update the user's cached credentials.
-l[l] [_c_o_m_m_a_n_d]
--ll[ll] [_c_o_m_m_a_n_d]
If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list
the allowed (and forbidden) commands for the invoking user
(or the user specified by the --UU option) on the current
host. If a _c_o_m_m_a_n_d is specified and is permitted by the
security policy, the fully-qualified path to the command is
displayed along with any command line arguments. If
_c_o_m_m_a_n_d is specified but not allowed, ssuuddoo will exit with a
status value of 1. If the --ll option is specified with an ll
argument (i.e. --llll), or if --ll is specified multiple times,
a longer list format is used.
(or the user specified by the --UU option) on the current host.
If a _c_o_m_m_a_n_d is specified and is permitted by the security
policy, the fully-qualified path to the command is displayed
along with any command line arguments. If _c_o_m_m_a_n_d is
specified but not allowed, ssuuddoo will exit with a status value
of 1. If the --ll option is specified with an _l argument (i.e.
--llll), or if --ll is specified multiple times, a longer list
format is used.
-n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from
prompting the user for a password. If a password is
required for the command to run, ssuuddoo will display an error
message and exit.
--nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting
the user for a password. If a password is required for the
command to run, ssuuddoo will display an error message and exit.
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to
preserve the invoking user's group vector unaltered. By
default, the _s_u_d_o_e_r_s policy will initialize the group
vector to the list of groups the target user is in. The
real and effective group IDs, however, are still set to
match the target user.
--PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve
the invoking user's group vector unaltered. By default, the
_s_u_d_o_e_r_s policy will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported by the _s_u_d_o_e_r_s policy:
--pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following percent
(`%') escapes are supported by the _s_u_d_o_e_r_s policy:
%H expanded to the host name including the domain name (on
if the machine's host name is fully qualified or the
_f_q_d_n option is set in _s_u_d_o_e_r_s(4))
if the machine's host name is fully qualified or the _f_q_d_n
option is set in sudoers(4))
%h expanded to the local host name without the domain name
%p expanded to the name of the user whose password is
being requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
_r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s(4))
%p expanded to the name of the user whose password is being
requested (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w, and _r_u_n_a_s_p_w
flags in sudoers(4))
%U expanded to the login name of the user the command will
be run as (defaults to root unless the --uu option is
also specified)
be run as (defaults to root unless the --uu option is also
specified)
%u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a
single % character
%% two consecutive % characters are collapsed into a single
% character
The prompt specified by the --pp option will override the
system password prompt on systems that support PAM unless
the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
system password prompt on systems that support PAM unless the
_p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
-r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security
--rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security
context to have the role specified by _r_o_l_e.
-S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from
--SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from
the standard input instead of the terminal device. The
password must be followed by a newline character.
-s [command]
The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L
--ss [_c_o_m_m_a_n_d]
The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL
environment variable if it is set or the shell as specified
in the password database. If a command is specified, it is
passed to the shell for execution via the shell's --cc
option. If no command is specified, an interactive shell
is executed.
passed to the shell for execution via the shell's --cc option.
If no command is specified, an interactive shell is executed.
-t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security
--tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security
context to have the type specified by _t_y_p_e. If no type is
specified, the default type is derived from the specified
role.
-U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the
--ll option to specify the user whose privileges should be
listed. The security policy may restrict listing other
users' privileges. The _s_u_d_o_e_r_s policy only allows root or
a user with the ALL privilege on the current host to use
this option.
--UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll
option to specify the user whose privileges should be listed.
The security policy may restrict listing other users'
privileges. The _s_u_d_o_e_r_s policy only allows root or a user
with the ALL privilege on the current host to use this
option.
-u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified
command as a user other than _r_o_o_t. To specify a _u_i_d
instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as
a _u_i_d, many shells require that the '#' be escaped with a
backslash ('\'). Security policies may restrict _u_i_ds to
those listed in the password database. The _s_u_d_o_e_r_s policy
allows _u_i_ds that are not in the password database as long
as the _t_a_r_g_e_t_p_w option is not set. Other security policies
may not support this.
--uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command
as a user other than _r_o_o_t. To specify a _u_i_d instead of a
_u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells
require that the `#' be escaped with a backslash (`\').
Security policies may restrict _u_i_ds to those listed in the
password database. The _s_u_d_o_e_r_s policy allows _u_i_ds that are
not in the password database as long as the _t_a_r_g_e_t_p_w option
is not set. Other security policies may not support this.
-V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version
--VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version
string and the version string of the security policy plugin
and any I/O plugins. If the invoking user is already root
the --VV option will display the arguments passed to
configure when ssuuddoo was built and plugins may display more
verbose information such as default options.
the --VV option will display the arguments passed to configure
when ssuuddoo was built and plugins may display more verbose
information such as default options.
-v When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's cached credentials, authenticating the user's
password if necessary. For the _s_u_d_o_e_r_s plugin, this
extends the ssuuddoo timeout for another 5 minutes (or whatever
the timeout is set to by the security policy) but does not
run a command. Not all security policies support cached
credentials.
--vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's cached credentials, authenticating the user's password
if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo
timeout for another 5 minutes (or whatever the timeout is set
to by the security policy) but does not run a command. Not
all security policies support cached credentials.
-- The ---- option indicates that ssuuddoo should stop processing
---- The ---- option indicates that ssuuddoo should stop processing
command line arguments.
Environment variables to be set for the command may also be passed on
the command line in the form of VVAARR=_v_a_l_u_e, e.g.
LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command
line are subject to the same restrictions as normal environment
variables with one important exception. If the _s_e_t_e_n_v option is set in
_s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would otherwise be
forbidden. See _s_u_d_o_e_r_s(4) for more information.
Environment variables to be set for the command may also be passed on the
command line in the form of VVAARR=_v_a_l_u_e, e.g.
LLDD__LLIIBBRRAARRYY__PPAATTHH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line
are subject to the same restrictions as normal environment variables with
one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the
command to be run has the SETENV tag set or the command matched is ALL,
the user may set variables that would otherwise be forbidden. See
sudoers(4) for more information.
PPLLUUGGIINNSS
Plugins are dynamically loaded based on the contents of the
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it
contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s
security policy and I/O logging, which corresponds to the following
_/_e_t_c_/_s_u_d_o_._c_o_n_f file.
contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security
policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f
file.
#
# Default /etc/sudo.conf file
@ -341,16 +327,16 @@ PPLLUUGGIINNSS
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
A Plugin line consists of the Plugin keyword, followed by the
_s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin.
The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct
io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified
or relative. If not fully qualified it is relative to the
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h
are passed as arguments to the plugin's _o_p_e_n function. Lines that
don't begin with Plugin, Path, Debug or Set are silently ignored.
A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e
is the name of the struct policy_plugin or struct io_plugin in the plugin
shared object. The _p_a_t_h may be fully qualified or relative. If not
fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any
additional parameters after the _p_a_t_h are passed as arguments to the
plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug,
or Set are silently ignored.
For more information, see the _s_u_d_o___p_l_u_g_i_n(1m) manual.
For more information, see the sudo_plugin(1m) manual.
PPAATTHHSS
A Path line consists of the Path keyword, followed by the name of the
@ -360,24 +346,22 @@ PPAATTHHSS
Path askpass /usr/X11R6/bin/ssh-askpass
The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file.
file:
askpass The fully qualified path to a helper program used to
read the user's password when no terminal is available.
This may be the case when ssuuddoo is executed from a
graphical (as opposed to text-based) application. The
program specified by _a_s_k_p_a_s_s should display the
argument passed to it as the prompt and write the
user's password to the standard output. The value of
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS
environment variable.
askpass The fully qualified path to a helper program used to read the
user's password when no terminal is available. This may be the
case when ssuuddoo is executed from a graphical (as opposed to
text-based) application. The program specified by _a_s_k_p_a_s_s
should display the argument passed to it as the prompt and
write the user's password to the standard output. The value of
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
variable.
noexec The fully-qualified path to a shared library containing
dummy versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_)
library functions that just return an error. This is
used to implement the _n_o_e_x_e_c functionality on systems
that support LD_PRELOAD or its equivalent. Defaults to
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
noexec The fully-qualified path to a shared library containing dummy
versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library
functions that just return an error. This is used to implement
the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or
its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
DDEEBBUUGG FFLLAAGGSS
ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
@ -386,10 +370,9 @@ DDEEBBUUGG FFLLAAGGSS
A Debug line consists of the Debug keyword, followed by the name of the
program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a
comma-separated list of debug flags. The debug flag syntax used by
ssuuddoo and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is
free to use a different format so long as it does not include a comma
(`,').
comma-separated list of debug flags. The debug flag syntax used by ssuuddoo
and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to
use a different format so long as it does not include a comma (`,').
For instance:
@ -398,10 +381,10 @@ DDEEBBUUGG FFLLAAGGSS
would log all debugging statements at the _w_a_r_n level and higher in
addition to those at the _i_n_f_o level for the plugin subsystem.
Currently, only one Debug entry per program is supported. The sudo
Debug entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins.
A future release may add support for per-plugin Debug lines and/or
support for multiple debugging files for a single program.
Currently, only one Debug entry per program is supported. The ssuuddoo Debug
entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A
future release may add support for per-plugin Debug lines and/or support
for multiple debugging files for a single program.
The priorities used by the ssuuddoo front end, in order of decreasing
severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
@ -409,7 +392,7 @@ DDEEBBUUGG FFLLAAGGSS
it. For example, a priority of _n_o_t_i_c_e would include debug messages
logged at _n_o_t_i_c_e and higher.
The following subsystems are used by ssuuddoo:
The following subsystems are used by the ssuuddoo front-end:
_a_l_l matches every subsystem
@ -438,19 +421,19 @@ DDEEBBUUGG FFLLAAGGSS
_u_t_m_p utmp handling
EEXXIITT VVAALLUUEE
Upon successful execution of a program, the exit status from ssuuddoo will
Upon successful execution of a program, the exit status from _s_u_d_o will
simply be the exit status of the program that was executed.
Otherwise, ssuuddoo exits with a value of 1 if there is a
configuration/permission problem or if ssuuddoo cannot execute the given
command. In the latter case the error string is printed to the
standard error. If ssuuddoo cannot _s_t_a_t(2) one or more entries in the
user's PATH, an error is printed on stderr. (If the directory does not
exist or if it is not really a directory, the entry is ignored and no
error is printed.) This should not happen under normal circumstances.
The most common reason for _s_t_a_t(2) to return "permission denied" is if
you are running an automounter and one of the directories in your PATH
is on a machine that is currently unreachable.
command. In the latter case the error string is printed to the standard
error. If ssuuddoo cannot stat(2) one or more entries in the user's PATH, an
error is printed on stderr. (If the directory does not exist or if it is
not really a directory, the entry is ignored and no error is printed.)
This should not happen under normal circumstances. The most common
reason for stat(2) to return ``permission denied'' is if you are running
an automounter and one of the directories in your PATH is on a machine
that is currently unreachable.
SSEECCUURRIITTYY NNOOTTEESS
ssuuddoo tries to be safe when executing external commands.
@ -465,31 +448,31 @@ SSEECCUURRIITTYY NNOOTTEESS
runs. If a user runs a command such as sudo su or sudo sh, subsequent
commands run from that shell are not subject to ssuuddoo's security policy.
The same is true for commands that offer shell escapes (including most
editors). If I/O logging is enabled, subsequent commands will have
their input and/or output logged, but there will not be traditional
logs for those commands. Because of this, care must be taken when
giving users access to commands via ssuuddoo to verify that the command
does not inadvertently give the user an effective root shell. For more
information, please see the PREVENTING SHELL ESCAPES section in
_s_u_d_o_e_r_s(4).
editors). If I/O logging is enabled, subsequent commands will have their
input and/or output logged, but there will not be traditional logs for
those commands. Because of this, care must be taken when giving users
access to commands via ssuuddoo to verify that the command does not
inadvertently give the user an effective root shell. For more
information, please see the _P_R_E_V_E_N_T_I_N_G _S_H_E_L_L _E_S_C_A_P_E_S section in
sudoers(4).
To prevent the disclosure of potentially sensitive information, ssuuddoo
disables core dumps by default while it is executing (they are re-
enabled for the command that is run). To aid in debugging ssuuddoo
crashes, you may wish to re-enable core dumps by setting
"disable_coredump" to false in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
disables core dumps by default while it is executing (they are re-enabled
for the command that is run). To aid in debugging ssuuddoo crashes, you may
wish to re-enable core dumps by setting ``disable_coredump'' to false in
the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows:
Set disable_coredump false
Note that by default, most operating systems disable core dumps from
setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file
you may need to enable core dumps for setuid processes. On BSD and
Linux systems this is accomplished via the sysctl command, on Solaris
the coreadm command can be used.
you may need to enable core dumps for setuid processes. On BSD and Linux
systems this is accomplished via the sysctl command, on Solaris the
coreadm command can be used.
EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables. The security policy
has control over the content of the command's environment.
has control over the actual content of the command's environment.
EDITOR Default editor to use in --ee (sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set.
@ -497,18 +480,18 @@ EENNVVIIRROONNMMEENNTT
MAIL In --ii mode or when _e_n_v___r_e_s_e_t is enabled in _s_u_d_o_e_r_s, set
to the mail spool of the target user.
HOME Set to the home directory of the target user if --ii or
--HH are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set
in _s_u_d_o_e_r_s, or when the --ss option is specified and
_s_e_t___h_o_m_e is set in _s_u_d_o_e_r_s.
HOME Set to the home directory of the target user if --ii or --HH
are specified, _e_n_v___r_e_s_e_t or _a_l_w_a_y_s___s_e_t___h_o_m_e are set in
_s_u_d_o_e_r_s, or when the --ss option is specified and _s_e_t___h_o_m_e
is set in _s_u_d_o_e_r_s.
PATH May be overridden by the security policy.
SHELL Used to determine shell to run with --ss option.
SUDO_ASKPASS Specifies the path to a helper program used to read the
password if no terminal is available or if the --AA
option is specified.
password if no terminal is available or if the --AA option
is specified.
SUDO_COMMAND Set to the command run by sudo.
@ -542,8 +525,8 @@ EEXXAAMMPPLLEESS
$ sudo ls /usr/local/protected
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
To list the home directory of user yaz on a machine where the file system
holding ~yaz is not exported as root:
$ sudo -u yaz ls ~yaz
@ -563,23 +546,23 @@ EEXXAAMMPPLLEESS
$ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home partition.
Note that this runs the commands in a sub-shell to make the cd and file
To make a usage listing of the directories in the /home partition. Note
that this runs the commands in a sub-shell to make the cd and file
redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
SSEEEE AALLSSOO
_g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4),
_s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m)
grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
sudo_plugin(1m), sudoreplay(1m), visudo(1m)
HHIISSTTOORRYY
See the HISTORY file in the ssuuddoo distribution
(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version consists
of code written primarily by:
Many people have worked on ssuuddoo over the years; this version consists of
code written primarily by:
Todd C. Miller
@ -588,23 +571,22 @@ AAUUTTHHOORRSS
people who have contributed to ssuuddoo.
CCAAVVEEAATTSS
There is no easy way to prevent a user from gaining a root shell if
that user is allowed to run arbitrary commands via ssuuddoo. Also, many
programs (such as editors) allow the user to run commands via shell
escapes, thus avoiding ssuuddoo's checks. However, on most systems it is
possible to prevent shell escapes with the _s_u_d_o_e_r_s(4) module's _n_o_e_x_e_c
functionality.
There is no easy way to prevent a user from gaining a root shell if that
user is allowed to run arbitrary commands via ssuuddoo. Also, many programs
(such as editors) allow the user to run commands via shell escapes, thus
avoiding ssuuddoo's checks. However, on most systems it is possible to
prevent shell escapes with the sudoers(4) module's _n_o_e_x_e_c functionality.
It is not meaningful to run the cd command directly via sudo, e.g.,
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still
be the same. Please see the EXAMPLES section for more information.
be the same. Please see the _E_X_A_M_P_L_E_S section for more information.
Running shell scripts via ssuuddoo can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
Running shell scripts via ssuuddoo can expose the same kernel bugs that make
setuid shell scripts unsafe on some operating systems (if your OS has a
/dev/fd/ directory, setuid shell scripts are generally safe).
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a bug report at
@ -612,16 +594,14 @@ BBUUGGSS
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
archives.
DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
1.8.6 July 12, 2012 SUDO(1m)
Sudo 1.8.6 July 10, 2012 Sudo 1.8.6

1897
doc/sudo.man.in
View File

File diff suppressed because it is too large Load Diff

32
doc/sudo.mdoc.in
View File

@ -20,8 +20,8 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd July 10, 2012
.Dt SUDO 8
.Os
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo ,
.Nm sudoedit
@ -172,7 +172,7 @@ The
policy caches credentials for
.Li @timeout@
minutes, unless overridden in
.Xr sudoers 5 .
.Xr sudoers @mansectform@ .
By running
.Nm sudo
with the
@ -332,7 +332,7 @@ or
.Ev EDITOR
are set, the first program listed in the
.Em editor
.Xr sudoers 5
.Xr sudoers @mansectform@
option is used.
.It
If they have been modified, the temporary files are copied back to
@ -416,7 +416,7 @@ set of variables, similar to what is present when a user logs in.
The
.Em Command Environment
section in the
.Xr sudoers 5
.Xr sudoers @mansectform@
manual documents how the
.Fl i
option affects the environment in which a command is run when the
@ -523,7 +523,7 @@ expanded to the host name including the domain name (on if the
machine's host name is fully qualified or the
.Em fqdn
option is set in
.Xr sudoers 5 )
.Xr sudoers @mansectform@ )
.It Li %h
expanded to the local host name without the domain name
.It Li %p
@ -534,7 +534,7 @@ expanded to the name of the user whose password is being requested
and
.Em runaspw
flags in
.Xr sudoers 5 )
.Xr sudoers @mansectform@ )
.It Li %U
expanded to the login name of the user the command will be run as
(defaults to root unless the
@ -687,7 +687,7 @@ tag set or the command matched is
.Li ALL ,
the user may set variables that would otherwise be forbidden.
See
.Xr sudoers 5
.Xr sudoers @mansectform@
for more information.
.Sh PLUGINS
Plugins are dynamically loaded based on the contents of the
@ -761,7 +761,7 @@ or
are silently ignored.
.Pp
For more information, see the
.Xr sudo_plugin 8
.Xr sudo_plugin @mansectsu@
manual.
.Sh PATHS
A
@ -976,7 +976,7 @@ effective root shell.
For more information, please see the
.Em PREVENTING SHELL ESCAPES
section in
.Xr sudoers 5 .
.Xr sudoers @mansectform@ .
.Pp
To prevent the disclosure of potentially sensitive information,
.Nm sudo
@ -1136,11 +1136,11 @@ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Xr su 1 ,
.Xr stat 2 ,
.Xr login_cap 3 ,
.Xr passwd 5 ,
.Xr sudoers 5 ,
.Xr sudo_plugin 8 ,
.Xr sudoreplay 8 ,
.Xr visudo 8
.Xr passwd @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudoreplay @mansectsu@ ,
.Xr visudo @mansectsu@
.Sh HISTORY
See the HISTORY file in the
.Nm sudo
@ -1168,7 +1168,7 @@ via shell escapes, thus avoiding
.Nm sudo No Ns 's
checks.
However, on most systems it is possible to prevent shell escapes with the
.Xr sudoers 5
.Xr sudoers @mansectform@
module's
.Em noexec
functionality.

924
doc/sudo_plugin.cat
View File

File diff suppressed because it is too large Load Diff

3681
doc/sudo_plugin.man.in
View File

File diff suppressed because it is too large Load Diff

8
doc/sudo_plugin.mdoc.in
View File

@ -15,8 +15,8 @@
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 16, 2012
.Dt SUDO_PLUGIN 5
.Os
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudo_plugin
.Nd Sudo Plugin API
@ -2133,8 +2133,8 @@ This can be used to merge in environment variables stored in the PAM
handle before a command is run.
.El
.Sh SEE ALSO
.Xr sudoers 5 ,
.Xr sudo 8
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@
.Sh BUGS
If you feel you have found a bug in
.Nm sudo ,

925
doc/sudoers.cat
View File

File diff suppressed because it is too large Load Diff

283
doc/sudoers.ldap.cat
View File

@ -1,9 +1,7 @@
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m)
NNAAMMEE
sudoers.ldap - sudo LDAP configuration
ssuuddooeerrss..llddaapp - sudo LDAP configuration
DDEESSCCRRIIPPTTIIOONN
In addition to the standard _s_u_d_o_e_r_s file, ssuuddoo may be configured via
@ -12,28 +10,27 @@ DDEESSCCRRIIPPTTIIOONN
Using LDAP for _s_u_d_o_e_r_s has several benefits:
o ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation. This
makes it especially fast and particularly usable in LDAP
environments.
o ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not
possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not
prevent ssuuddoo from running.
o It is possible to specify per-entry options that override the
global default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options
and limited options associated with user/host/commands/aliases.
The syntax is complicated and can be difficult for users to
understand. Placing the options directly in the entry is more
natural.
oo It is possible to specify per-entry options that override the global
default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and
limited options associated with user/host/commands/aliases. The
syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
o The vviissuuddoo program is no longer needed. vviissuuddoo provides locking
and syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates
are atomic, locking is no longer necessary. Because syntax is
checked when the data is inserted into LDAP, there is no need for a
oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and
syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are
atomic, locking is no longer necessary. Because syntax is checked
when the data is inserted into LDAP, there is no need for a
specialized tool to check syntax.
Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in
@ -45,20 +42,19 @@ DDEESSCCRRIIPPTTIIOONN
Since Unix groups and netgroups can also be stored in LDAP there is no
real need for ssuuddoo-specific aliases.
Cmnd_Aliases are not really required either since it is possible to
have multiple users listed in a sudoRole. Instead of defining a
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
Cmnd_Aliases are not really required either since it is possible to have
multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias
that is referenced by multiple users, one can create a sudoRole that
contains the commands and assign multiple users to it.
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP
container.
The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container.
Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
found, the multi-valued sudoOption attribute is parsed in the same manner
as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the
SSH_AUTH_SOCK variable will be preserved in the environment for all
users.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
@ -71,19 +67,19 @@ DDEESSCCRRIIPPTTIIOONN
following attributes:
ssuuddooUUsseerr
A user name, user ID (prefixed with '#'), Unix group (prefixed with
'%'), Unix group ID (prefixed with '%#'), or user netgroup
(prefixed with '+').
A user name, user ID (prefixed with `#'), Unix group (prefixed with
`%'), Unix group ID (prefixed with `%#'), or user netgroup
(prefixed with `+').
ssuuddooHHoosstt
A host name, IP address, IP network, or host netgroup (prefixed
with a '+'). The special value ALL will match any host.
with a `+'). The special value ALL will match any host.
ssuuddooCCoommmmaanndd
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards). The special value
ALL will match any command. If a command is prefixed with an
exclamation point '!', the user will be prohibited from running
exclamation point `!', the user will be prohibited from running
that command.
ssuuddooOOppttiioonn
@ -91,9 +87,9 @@ DDEESSCCRRIIPPTTIIOONN
specific to the sudoRole in which it resides.
ssuuddooRRuunnAAssUUsseerr
A user name or uid (prefixed with '#') that commands may be run as
or a Unix group (prefixed with a '%') or user netgroup (prefixed
with a '+') that contains a list of users that commands may be run
A user name or uid (prefixed with `#') that commands may be run as
or a Unix group (prefixed with a `%') or user netgroup (prefixed
with a `+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
The sudoRunAsUser attribute is only available in ssuuddoo versions
@ -101,7 +97,7 @@ DDEESSCCRRIIPPTTIIOONN
attribute instead.
ssuuddooRRuunnAAssGGrroouupp
A Unix group or gid (prefixed with '#') that commands may be run
A Unix group or gid (prefixed with `#') that commands may be run
as. The special value ALL will match any group.
The sudoRunAsGroup attribute is only available in ssuuddoo versions
@ -141,15 +137,15 @@ DDEESSCCRRIIPPTTIIOONN
more closely mimic the behaviour of the sudoers file, where the of
the entries influences the result. If multiple entries match, the
entry with the highest sudoOrder attribute is chosen. This
corresponds to the "last match" behavior of the sudoers file. If
corresponds to the ``last match'' behavior of the sudoers file. If
the sudoOrder attribute is not present, a value of 0 is assumed.
The sudoOrder attribute is only available in ssuuddoo versions 1.7.5
and higher.
Each attribute listed above should contain a single value, but there
may be multiple instances of each attribute type. A sudoRole must
contain at least one sudoUser, sudoHost and sudoCommand.
Each attribute listed above should contain a single value, but there may
be multiple instances of each attribute type. A sudoRole must contain at
least one sudoUser, sudoHost and sudoCommand.
The following example allows users in group wheel to run any command on
any host via ssuuddoo:
@ -164,16 +160,16 @@ DDEESSCCRRIIPPTTIIOONN
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
queries per invocation. The first query is to parse the global options.
The second is to match against the user's name and the groups that the
user belongs to. (The special ALL tag is matched in this query too.) If
no match is returned for the user's name and groups, a third query
returns all entries containing user netgroups and checks to see if the
user belongs to any of them.
If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration
directive, the LDAP queries include a subfilter that limits retrieval
to entries that satisfy the time constraints, if any.
directive, the LDAP queries include a subfilter that limits retrieval to
entries that satisfy the time constraints, if any.
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
There are some subtle differences in the way sudoers is handled once in
@ -181,11 +177,11 @@ DDEESSCCRRIIPPTTIIOONN
is arbitrary and you cannot expect that Attributes and Entries are
returned in any specific order.
The order in which different entries are applied can be controlled
using the sudoOrder attribute, but there is no way to guarantee the
order of attributes within a specific entry. If there are conflicting
command rules in an entry, the negative takes precedence. This is
called paranoid behavior (not necessarily the most specific match).
The order in which different entries are applied can be controlled using
the sudoOrder attribute, but there is no way to guarantee the order of
attributes within a specific entry. If there are conflicting command
rules in an entry, the negative takes precedence. This is called
paranoid behavior (not necessarily the most specific match).
Here is an example:
@ -237,54 +233,53 @@ DDEESSCCRRIIPPTTIIOONN
sudoHost: !web01
SSuuddooeerrss SScchheemmaa
In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on
your LDAP server. In addition, be sure to index the sudoUser attribute.
Three versions of the schema: one for OpenLDAP servers
(_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t),
and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be
found in the ssuuddoo distribution.
Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P),
one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), and one for Microsoft
Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be found in the ssuuddoo
distribution.
The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES
The schema for ssuuddoo in OpenLDAP form is also included in the _E_X_A_M_P_L_E_S
section.
CCoonnffiigguurriinngg llddaapp..ccoonnff
Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from
those described in the system's _l_d_a_p_._c_o_n_f(4) manual.
Typically, this file is shared amongst different LDAP-aware clients. As
such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
_/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
described in the system's ldap.conf(1m) manual.
Also note that on systems using the OpenLDAP libraries, default values
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are
not used.
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
used.
Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being
supported by ssuuddoo are honored. Configuration options are listed below
in upper case but are parsed in a case-independent manner.
Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f as being supported
by ssuuddoo are honored. Configuration options are listed below in upper
case but are parsed in a case-independent manner.
UURRII ldap[s]://[hostname[:port]] ...
UURRII _l_d_a_p_[_s_]_:_/_/_[_h_o_s_t_n_a_m_e_[_:_p_o_r_t_]_] _._._.
Specifies a whitespace-delimited list of one or more URIs
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
either llddaapp or llddaappss, the latter being for servers that support TLS
either _l_d_a_p _l_d_a_p_s, the latter being for servers that support TLS
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated
ssuuddoo will connect to _l_o_c_a_l_h_o_s_t. Multiple UURRII lines are treated
identically to a UURRII line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
libraries used on most commercial versions of Unix are only capable
of supporting one or the other.
HHOOSSTT name[:port] ...
HHOOSSTT _n_a_m_e_[_:_p_o_r_t_] _._._.
If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
include an optional _p_o_r_t separated by a colon (':'). The HHOOSSTT
include an optional _p_o_r_t separated by a colon (`:'). The HHOOSSTT
parameter is deprecated in favor of the UURRII specification and is
included for backwards compatibility.
PPOORRTT port_number
PPOORRTT _p_o_r_t___n_u_m_b_e_r
If no UURRII is specified, the PPOORRTT parameter specifies the default
port to connect to on the LDAP server if a HHOOSSTT parameter does not
specify the port itself. If no PPOORRTT parameter is used, the default
@ -292,40 +287,40 @@ DDEESSCCRRIIPPTTIIOONN
PPOORRTT parameter is deprecated in favor of the UURRII specification and
is included for backwards compatibility.
BBIINNDD__TTIIMMEELLIIMMIITT seconds
BBIINNDD__TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
The BBIINNDD__TTIIMMEELLIIMMIITT parameter specifies the amount of time, in
seconds, to wait while trying to connect to an LDAP server. If
multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to
wait before trying the next one in the list.
NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds
NNEETTWWOORRKK__TTIIMMEEOOUUTT _s_e_c_o_n_d_s
An alias for BBIINNDD__TTIIMMEELLIIMMIITT for OpenLDAP compatibility.
TTIIMMEELLIIMMIITT seconds
TTIIMMEELLIIMMIITT _s_e_c_o_n_d_s
The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
TTIIMMEEOOUUTT seconds
TTIIMMEEOOUUTT _s_e_c_o_n_d_s
The TTIIMMEEOOUUTT parameter specifies the amount of time, in seconds, to
wait for a response from the various LDAP APIs.
SSUUDDOOEERRSS__BBAASSEE base
SSUUDDOOEERRSS__BBAASSEE _b_a_s_e
The base DN to use when performing ssuuddoo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in
which case they are queried in the order specified.
SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter
SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR _l_d_a_p___f_i_l_t_e_r
An LDAP filter which is used to restrict the set of records
returned when performing a ssuuddoo LDAP query. Typically, this is of
the form attribute=value or
(&(attribute=value)(attribute2=value2)).
SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no
SSUUDDOOEERRSS__TTIIMMEEDD _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
SSUUDDOOEERRSS__DDEEBBUUGG debug_level
SSUUDDOOEERRSS__DDEEBBUUGG _d_e_b_u_g___l_e_v_e_l
This sets the debug level for ssuuddoo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
@ -333,44 +328,45 @@ DDEESSCCRRIIPPTTIIOONN
be set in a production environment as the extra information is
likely to confuse users.
BBIINNDDDDNN DN
BBIINNDDDDNN _D_N
The BBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous
access.
BBIINNDDPPWW secret
BBIINNDDPPWW _s_e_c_r_e_t
The BBIINNDDPPWW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
BBIINNDDDDNN parameter.
RROOOOTTBBIINNDDDDNN DN
RROOOOTTBBIINNDDDDNN _D_N
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not
specified, the BBIINNDDDDNN identity is used (if any).
LLDDAAPP__VVEERRSSIIOONN number
LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3.
SSSSLL on/true/yes/off/false/no
SSSSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
If the SSSSLL parameter is set to on, true or yes, TLS (SSL)
encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636
(ldaps).
SSSSLL start_tls
SSSSLL _s_t_a_r_t___t_l_s
If the SSSSLL parameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the
start_tls extension, such as the OpenLDAP server.
_s_t_a_r_t___t_l_s extension, such as the OpenLDAP and Tivoli Directory
servers.
TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no
TTLLSS__CCHHEECCKKPPEEEERR _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
@ -382,10 +378,10 @@ DDEESSCCRRIIPPTTIIOONN
can be verified. This option is not supported by the Tivoli
Directory Server LDAP libraries.
TTLLSS__CCAACCEERRTT file name
TTLLSS__CCAACCEERRTT _f_i_l_e _n_a_m_e
An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
TTLLSS__CCAACCEERRTTFFIILLEE file name
TTLLSS__CCAACCEERRTTFFIILLEE _f_i_l_e _n_a_m_e
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only
@ -393,14 +389,14 @@ DDEESSCCRRIIPPTTIIOONN
libraries use the same certificate database for CA and client
certificates (see TTLLSS__CCEERRTT).
TTLLSS__CCAACCEERRTTDDIIRR directory
TTLLSS__CCAACCEERRTTDDIIRR _d_i_r_e_c_t_o_r_y
Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
_/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is
checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the
OpenLDAP libraries.
TTLLSS__CCEERRTT file name
TTLLSS__CCEERRTT _f_i_l_e _n_a_m_e
The path to a file containing the client certificate which can be
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
@ -415,10 +411,10 @@ DDEESSCCRRIIPPTTIIOONN
Unused, the key database specified by TTLLSS__KKEEYY contains both
keys and certificates.
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
When using Netscape-derived libraries, this file may also
contain Certificate Authority certificates.
TTLLSS__KKEEYY file name
TTLLSS__KKEEYY _f_i_l_e _n_a_m_e
The path to a file containing the private key which matches the
certificate specified by TTLLSS__CCEERRTT. The private key must not be
password-protected. The key type depends on the LDAP libraries
@ -432,11 +428,10 @@ DDEESSCCRRIIPPTTIIOONN
Tivoli Directory Server:
tls_cert /usr/ldap/ldapkey.kdb
When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
TTLLSS__KKEEYYPPWW secret
TTLLSS__KKEEYYPPWW _s_e_c_r_e_t
The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key
database on clients using the Tivoli Directory Server LDAP library.
If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it
@ -447,65 +442,63 @@ DDEESSCCRRIIPPTTIIOONN
ssl_password. This option is only supported by the Tivoli LDAP
libraries.
TTLLSS__RRAANNDDFFIILLEE file name
TTLLSS__RRAANNDDFFIILLEE _f_i_l_e _n_a_m_e
The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
conjunction with _p_r_n_g_d or _e_g_d. This option is only supported by
the OpenLDAP libraries.
TTLLSS__CCIIPPHHEERRSS cipher list
TTLLSS__CCIIPPHHEERRSS _c_i_p_h_e_r _l_i_s_t
The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
the OpenLDAP or Tivoli Directory Server manual for a list of valid
ciphers. This option is not supported by Netscape-derived
libraries.
UUSSEE__SSAASSLL on/true/yes/off/false/no
UUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
SSAASSLL__AAUUTTHH__IIDD identity
SSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
The SASL user name to use when connecting to the LDAP server. By
default, ssuuddoo will use an anonymous connection.
RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no
RROOOOTTUUSSEE__SSAASSLL _o_n_/_t_r_u_e_/_y_e_s_/_o_f_f_/_f_a_l_s_e_/_n_o
Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as ssuuddoo.
RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity
RROOOOTTSSAASSLL__AAUUTTHH__IIDD _i_d_e_n_t_i_t_y
The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled.
SSAASSLL__SSEECCPPRROOPPSS none/properties
SSAASSLL__SSEECCPPRROOPPSS _n_o_n_e_/_p_r_o_p_e_r_t_i_e_s
SASL security properties or _n_o_n_e for no properties. See the SASL
programmer's manual for details.
KKRRBB55__CCCCNNAAMMEE file name
KKRRBB55__CCCCNNAAMMEE _f_i_l_e _n_a_m_e
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
DDEERREEFF never/searching/finding/always
DDEERREEFF _n_e_v_e_r_/_s_e_a_r_c_h_i_n_g_/_f_i_n_d_i_n_g_/_a_l_w_a_y_s
How alias dereferencing is to be performed when searching. See the
_l_d_a_p_._c_o_n_f(4) manual for a full description of this option.
ldap.conf(1m) manual for a full description of this option.
See the ldap.conf entry in the EXAMPLES section.
See the _l_d_a_p_._c_o_n_f entry in the _E_X_A_M_P_L_E_S section.
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
Unless it is disabled at build time, ssuuddoo consults the Name Service
Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
Sudo looks for a line beginning with sudoers: and uses this to
determine the search order. Note that ssuuddoo does not stop searching
after the first match and later matches take precedence over earlier
ones.
Sudo looks for a line beginning with sudoers: and uses this to determine
the search order. Note that ssuuddoo does not stop searching after the first
match and later matches take precedence over earlier ones. The following
sources are recognized:
The following sources are recognized:
files read sudoers from F</etc/sudoers>
files read sudoers from _/_e_t_c_/_s_u_d_o_e_r_s
ldap read sudoers from LDAP
In addition, the entry [NOTFOUND=return] will short-circuit the search
if the user was not found in the preceding source.
In addition, the entry [NOTFOUND=return] will short-circuit the search if
the user was not found in the preceding source.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
To consult LDAP first followed by the local sudoers file (if it exists),
use:
sudoers: ldap files
@ -525,11 +518,11 @@ DDEESSCCRRIIPPTTIIOONN
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
_n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
file format itself still applies.
_n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the file
format itself still applies.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
To consult LDAP first followed by the local sudoers file (if it exists),
use:
sudoers = ldap, files
@ -537,16 +530,16 @@ DDEESSCCRRIIPPTTIIOONN
sudoers = ldap
To treat LDAP as authoratative and only use the local sudoers file if
the user is not present in LDAP, use:
To treat LDAP as authoratative and only use the local sudoers file if the
user is not present in LDAP, use:
sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user
lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers
line, the following default is assumed:
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers line,
the following default is assumed:
sudoers = files
@ -669,8 +662,8 @@ EEXXAAMMPPLLEESS
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
The following schema, in OpenLDAP format, is included with ssuuddoo source
and binary distributions as _s_c_h_e_m_a_._O_p_e_n_L_D_A_P. Simply copy it to the
schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include
line in slapd.conf and restart ssllaappdd.
schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line
in _s_l_a_p_d_._c_o_n_f and restart ssllaappdd.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
@ -746,12 +739,12 @@ EEXXAAMMPPLLEESS
)
SSEEEE AALLSSOO
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4)
ldap.conf(1m), sudoers(1m)
CCAAVVEEAATTSS
Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is
parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between
LDAP and non-LDAP sudoers" section for more information.
parsed compared to file-based _s_u_d_o_e_r_s. See the _D_i_f_f_e_r_e_n_c_e_s _b_e_t_w_e_e_n _L_D_A_P
_a_n_d _n_o_n_-_L_D_A_P _s_u_d_o_e_r_s section for more information.
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a bug report at
@ -759,16 +752,14 @@ BBUUGGSS
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
archives.
DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
1.8.6 July 17, 2012 SUDOERS.LDAP(4)
Sudo 1.8.6 July 12, 2012 Sudo 1.8.6

1923
doc/sudoers.ldap.man.in
View File

File diff suppressed because it is too large Load Diff

12
doc/sudoers.ldap.mdoc.in
View File

@ -15,8 +15,8 @@
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 12, 2012
.Dt SUDOERS.LDAP 5
.Os
.Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers.ldap
.Nd sudo LDAP configuration
@ -412,7 +412,7 @@ parses
.Pa @ldap_conf@
itself and may support options that differ from those described in the
system's
.Xr ldap.conf 5
.Xr ldap.conf @mansectsu@
manual.
.Pp
Also note that on systems using the OpenLDAP libraries, default
@ -753,7 +753,7 @@ with the remote server.
.It Sy DEREF Ar never/searching/finding/always
How alias dereferencing is to be performed when searching.
See the
.Xr ldap.conf 5
.Xr ldap.conf @mansectsu@
manual for a full description of this option.
.El
.Pp
@ -1073,8 +1073,8 @@ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
)
.Ed
.Sh SEE ALSO
.Xr ldap.conf 5 ,
.Xr sudoers 5
.Xr ldap.conf @mansectsu@ ,
.Xr sudoers @mansectsu@
.Sh CAVEATS
Note that there are differences in the way that LDAP-based
.Em sudoers

5303
doc/sudoers.man.in
View File

File diff suppressed because it is too large Load Diff

26
doc/sudoers.mdoc.in
View File

@ -20,8 +20,8 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd July 16, 2012
.Dt SUDOERS 5
.Os
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers
.Nd default sudo security policy module
@ -45,7 +45,7 @@ For information on storing
.Em sudoers
policy information
in LDAP, please see
.Xr sudoers.ldap 5 .
.Xr sudoers.ldap @mansectform@ .
.Ss Authentication and Logging
The
.Em sudoers
@ -1087,7 +1087,7 @@ regular expressions.
.Bl -tag -width 8n
.It Li *
Matches any set of zero or more characters.
.It Li \?
.It Li \&?
Matches any single character.
.It Li [...]
Matches any character in the specified range.
@ -1102,7 +1102,7 @@ evaluates to
.Sq x .
This is used to escape special characters such as:
.Ql * ,
.Ql \? ,
.Ql \&? ,
.Ql [\& ,
and
.Ql ]\& .
@ -1661,7 +1661,7 @@ The
option may be used to control the format of the session ID.
.Pp
Output logs may be viewed with the
.Xr sudoreplay 8
.Xr sudoreplay @mansectsu@
utility, which can also be used to list or search the available logs.
.It log_year
If set, the four-digit year will be logged in the (non-syslog)
@ -1820,7 +1820,7 @@ will only run when the user is logged in to a real tty.
When this flag is set,
.Nm sudo
can only be run from a login session and not via other means such as
.Xr cron 8
.Xr cron @mansectsu@
or cgi-bin scripts.
This flag is
.Em off
@ -2432,7 +2432,7 @@ Defaults group_plugin="sample_group.so /etc/sudo-group"
.Ed
.Pp
For more information see
.Xr sudo_plugin 5 .
.Xr sudo_plugin @mansectform@ .
.It lecture
This option controls when a short lecture will be printed along with
the password prompt.
@ -2783,7 +2783,7 @@ plugin is doing internally if there is a problem.
This can be configured in the
.Pa @sysconfdir@/sudo.conf
file as described in
.Xr sudo 8 .
.Xr sudo @mansectsu@ .
.Pp
The
.Em sudoers
@ -3451,10 +3451,10 @@ available.
.Xr glob 3 ,
.Xr mktemp 3 ,
.Xr strftime 3 ,
.Xr sudoers.ldap 5 ,
.Xr sudo_plugin 8 ,
.Xr sudo 8 ,
.Xr visudo 8
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudo @mansectsu@ ,
.Xr visudo @mansectsu@
.Sh CAVEATS
The
.Em sudoers

94
doc/sudoreplay.cat
View File

@ -1,15 +1,13 @@
SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m)
NNAAMMEE
sudoreplay - replay sudo session logs
ssuuddoorreeppllaayy - replay sudo session logs
SSYYNNOOPPSSIISS
ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t]
[--ss _s_p_e_e_d___f_a_c_t_o_r] ID
ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] -l [search expression]
ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] --ll [search expression]
DDEESSCCRRIIPPTTIIOONN
ssuuddoorreeppllaayy plays back or lists the output logs created by ssuuddoo. When
@ -17,44 +15,41 @@ DDEESSCCRRIIPPTTIIOONN
playback speed may be adjusted (faster or slower) based on the command
line options.
The _I_D should either be a six character sequence of digits and upper
case letters, e.g. 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option
in the _s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t
enabled in the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or
to the ssuuddoo log file. The _I_D may also be determined using ssuuddoorreeppllaayy's
list mode.
The _I_D should either be a six character sequence of digits and upper case
letters, e.g. 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option in the
_s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t enabled in
the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or to the ssuuddoo
log file. The _I_D may also be determined using ssuuddoorreeppllaayy's list mode.
In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based
on a number of criteria such as the user, tty or command run.
In list mode, ssuuddoorreeppllaayy can be used to find the ID of a session based on
a number of criteria such as the user, tty or command run.
In replay mode, if the standard output has not been redirected,
ssuuddoorreeppllaayy will act on the following keys:
' ' (space)
Pause output; press any key to resume.
` ' (space) Pause output; press any key to resume.
'<' Reduce the playback speed by one half.
`<' Reduce the playback speed by one half.
'>' Double the playback speed.
`>' Double the playback speed.
OOPPTTIIOONNSS
ssuuddoorreeppllaayy accepts the following command line options:
-d _d_i_r_e_c_t_o_r_y
Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the
--dd _d_i_r_e_c_t_o_r_y Use _d_i_r_e_c_t_o_r_y to for the session logs instead of the
default, _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o.
-f _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's
standard output, standard error and tty output. The _-_f
--ff _f_i_l_t_e_r By default, ssuuddoorreeppllaayy will play back the command's
standard output, standard error and tty output. The --ff
option can be used to select which of these to output. The
_f_i_l_t_e_r argument is a comma-separated list, consisting of
one or more of following: _s_t_d_o_u_t, _s_t_d_e_r_r, and _t_t_y_o_u_t.
-h The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short
--hh The --hh (_h_e_l_p) option causes ssuuddoorreeppllaayy to print a short
help message to the standard output and exit.
-l [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n]
Enable "list mode". In this mode, ssuuddoorreeppllaayy will list
--ll [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n]
Enable ``list mode''. In this mode, ssuuddoorreeppllaayy will list
available sessions in a format similar to the ssuuddoo log file
format, sorted by file name (or sequence number). If a
_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is specified, it will be used to restrict
@ -75,7 +70,7 @@ OOPPTTIIOONNSS
fromdate _d_a_t_e
Evaluates to true if the command was run on or
after _d_a_t_e. See "Date and time format" for a
after _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a
description of supported date and time formats.
group _r_u_n_a_s___g_r_o_u_p
@ -91,7 +86,7 @@ OOPPTTIIOONNSS
todate _d_a_t_e
Evaluates to true if the command was run on or
prior to _d_a_t_e. See "Date and time format" for a
prior to _d_a_t_e. See _D_a_t_e _a_n_d _t_i_m_e _f_o_r_m_a_t for a
description of supported date and time formats.
tty _t_t_y _n_a_m_e
@ -109,21 +104,21 @@ OOPPTTIIOONNSS
character).
Predicates may be combined using _a_n_d, _o_r and _! operators as
well as '(' and ')' for grouping (note that parentheses
must generally be escaped from the shell). The _a_n_d
operator is optional, adjacent predicates have an implied
_a_n_d unless separated by an _o_r.
well as `(' and `)' grouping (note that parentheses must
generally be escaped from the shell). The _a_n_d operator is
optional, adjacent predicates have an implied _a_n_d unless
separated by an _o_r.
-m _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key
--mm _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key
presses or output data. By default, ssuuddoorreeppllaayy will
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
session includes long pauses. When the _-_m option is
session includes long pauses. When the --mm option is
specified, ssuuddoorreeppllaayy will limit these pauses to at most
_m_a_x___w_a_i_t seconds. The value may be specified as a floating
point number, e.g. _2_._5.
-s _s_p_e_e_d___f_a_c_t_o_r
--ss _s_p_e_e_d___f_a_c_t_o_r
This option causes ssuuddoorreeppllaayy to adjust the number of
seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For
@ -131,12 +126,11 @@ OOPPTTIIOONNSS
fast whereas a _s_p_e_e_d___f_a_c_t_o_r of _._5 would make the output
twice as slow.
-V The --VV (version) option causes ssuuddoorreeppllaayy to print its
--VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoorreeppllaayy to print its
version number and exit.
DDaattee aanndd ttiimmee ffoorrmmaatt
The time and date may be specified multiple ways, common formats
include:
The time and date may be specified multiple ways, common formats include:
HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
@ -152,11 +146,11 @@ OOPPTTIIOONNSS
DD Month CCYY HH:MM:SS
The month name may be abbreviated.
Either time or date may be omitted, the am/pm and timezone are
optional. If no date is specified, the current day is assumed; if no
time is specified, the first second of the specified date is used. The
less significant parts of both time and date may also be omitted, in
which case zero is assumed.
Either time or date may be omitted, the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used. The less
significant parts of both time and date may also be omitted, in which
case zero is assumed.
The following are all valid time and date specifications:
@ -239,7 +233,7 @@ EEXXAAMMPPLLEESS
# sudoreplay -l ( user jeff or user bob ) tty console
SSEEEE AALLSSOO
_s_u_d_o(1m), _s_c_r_i_p_t(1)
sudo(1m), script(1)
AAUUTTHHOORRSS
Todd C. Miller
@ -250,16 +244,14 @@ BBUUGGSS
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
archives.
DDIISSCCLLAAIIMMEERR
ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
1.8.6 July 17, 2012 SUDOREPLAY(1m)
Sudo 1.8.6 July 12, 2012 Sudo 1.8.6

679
doc/sudoreplay.man.in
View File

@ -1,4 +1,7 @@
.\" Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in
.\"
.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -13,408 +16,398 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
.TH SUDOREPLAY @mansectsu@ "July 17, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.TH "SUDOREPLAY" "@mansectsu@" "July 12, 2012" "1.8.6" "System Manager's Manual"
.SH "NAME"
sudoreplay \- replay sudo session logs
\fBsudoreplay\fR
\- replay sudo session logs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] [\fB\-f\fR\ \fIfilter\fR] [\fB\-m\fR\ \fImax_wait\fR] [\fB\-s\fR\ \fIspeed_factor\fR] \s-1ID\s0
.PP
\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] \-l [search\ expression]
.HP 11n
\fBsudoreplay\fR
[\fB-h\fR]
[\fB-d\fR\~\fIdirectory\fR]
[\fB-f\fR\~\fIfilter\fR]
[\fB-m\fR\~\fImax_wait\fR]
[\fB-s\fR\~\fIspeed_factor\fR]
ID
.HP 11n
\fBsudoreplay\fR
[\fB-h\fR]
[\fB-d\fR\~\fIdirectory\fR]
\fB-l\fR
[search expression]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudoreplay\fR plays back or lists the output logs created by \fBsudo\fR.
When replaying, \fBsudoreplay\fR can play the session back in real-time,
or the playback speed may be adjusted (faster or slower) based on
the command line options.
\fBsudoreplay\fR
plays back or lists the output logs created by
\fBsudo\fR.
When replaying,
\fBsudoreplay\fR
can play the session back in real-time, or the playback speed may be
adjusted (faster or slower) based on the command line options.
.PP
The \fI\s-1ID\s0\fR should either be a six character sequence of digits and
upper case letters, e.g. \f(CW\*(C`0100A5\*(C'\fR, or a pattern matching the
\&\fIiolog_file\fR option in the \fIsudoers\fR file. When a command is run
via \fBsudo\fR with \fIlog_output\fR enabled in the \fIsudoers\fR file, a
\&\f(CW\*(C`TSID=ID\*(C'\fR string is logged via syslog or to the \fBsudo\fR log file.
The \fI\s-1ID\s0\fR may also be determined using \fBsudoreplay\fR's list mode.
The
\fIID\fR
should either be a six character sequence of digits and
upper case letters, e.g.\&
\fR0100A5\fR,
or a pattern matching the
\fIiolog_file\fR
option in the
\fIsudoers\fR
file.
When a command is run via
\fBsudo\fR
with
\fIlog_output\fR
enabled in the
\fIsudoers\fR
file, a
\fRTSID=ID\fR
string is logged via syslog or to the
\fBsudo\fR
log file.
The
\fIID\fR
may also be determined using
\fBsudoreplay\fR's
list mode.
.PP
In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session
based on a number of criteria such as the user, tty or command run.
In list mode,
\fBsudoreplay\fR
can be used to find the ID of a session based on a number of criteria
such as the user, tty or command run.
.PP
In replay mode, if the standard output has not been redirected,
\&\fBsudoreplay\fR will act on the following keys:
.IP "' ' (space)" 8
.IX Item "' ' (space)"
\fBsudoreplay\fR
will act on the following keys:
.TP 14n
`\fR\ \fR' (space)
Pause output; press any key to resume.
.IP "'<'" 8
.TP 14n
`<'
Reduce the playback speed by one half.
.IP "'>'" 8
.TP 14n
`>'
Double the playback speed.
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBsudoreplay\fR accepts the following command line options:
.IP "\-d \fIdirectory\fR" 12
.IX Item "-d directory"
Use \fIdirectory\fR to for the session logs instead of the default,
\&\fI@iolog_dir@\fR.
.IP "\-f \fIfilter\fR" 12
.IX Item "-f filter"
By default, \fBsudoreplay\fR will play back the command's standard
output, standard error and tty output. The \fI\-f\fR option can be
used to select which of these to output. The \fIfilter\fR argument
is a comma-separated list, consisting of one or more of following:
\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR.
.IP "\-h" 12
.IX Item "-h"
The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short
help message to the standard output and exit.
.IP "\-l [\fIsearch expression\fR]" 12
.IX Item "-l [search expression]"
Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available
sessions in a format similar to the \fBsudo\fR log file format, sorted
by file name (or sequence number). If a \fIsearch expression\fR is
specified, it will be used to restrict the IDs that are displayed.
\fBsudoreplay\fR
accepts the following command line options:
.TP 14n
\fB-d\fR \fIdirectory\fR
Use
\fIdirectory\fR
to for the session logs instead of the default,
\fI@iolog_dir@\fR.
.TP 14n
\fB-f\fR \fIfilter\fR
By default,
\fBsudoreplay\fR
will play back the command's standard output, standard error and tty output.
The
\fB-f\fR
option can be used to select which of these to output.
The
\fIfilter\fR
argument is a comma-separated list, consisting of one or more of following:
\fIstdout\fR,
\fIstderr\fR,
and
\fIttyout\fR.
.TP 14n
\fB-h\fR
The
\fB-h\fR (\fIhelp\fR)
option causes
\fBsudoreplay\fR
to print a short help message to the standard output and exit.
.TP 14n
\fB-l\fR [\fIsearch expression\fR]
Enable
``list mode''.
In this mode,
\fBsudoreplay\fR
will list available sessions in a format similar to the
\fBsudo\fR
log file format, sorted by file name (or sequence number).
If a
\fIsearch expression\fR
is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.RS 12
.IP "command \fIpattern\fR" 8
.IX Item "command pattern"
Evaluates to true if the command run matches \fIpattern\fR.
On systems with \s-1POSIX\s0 regular expression support, the pattern may
be an extended regular expression. On systems without \s-1POSIX\s0 regular
expression support, a simple substring match is performed instead.
.IP "cwd \fIdirectory\fR" 8
.IX Item "cwd directory"
.RS
.TP 8n
command \fIpattern\fR
Evaluates to true if the command run matches
\fIpattern\fR.
On systems with POSIX regular expression support, the pattern may
be an extended regular expression.
On systems without POSIX regular expression support, a simple substring
match is performed instead.
.TP 8n
cwd \fIdirectory\fR
Evaluates to true if the command was run with the specified current
working directory.
.IP "fromdate \fIdate\fR" 8
.IX Item "fromdate date"
Evaluates to true if the command was run on or after \fIdate\fR.
See \*(L"Date and time format\*(R" for a description of supported
date and time formats.
.IP "group \fIrunas_group\fR" 8
.IX Item "group runas_group"
.TP 8n
fromdate \fIdate\fR
Evaluates to true if the command was run on or after
\fIdate\fR.
See
\fIDate and time format\fR
for a description of supported date and time formats.
.TP 8n
group \fIrunas_group\fR
Evaluates to true if the command was run with the specified
\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly
specified when \fBsudo\fR was run this field will be empty in the log.
.IP "runas \fIrunas_user\fR" 8
.IX Item "runas runas_user"
Evaluates to true if the command was run as the specified \fIrunas_user\fR.
Note that \fBsudo\fR runs commands as user \fIroot\fR by default.
.IP "todate \fIdate\fR" 8
.IX Item "todate date"
Evaluates to true if the command was run on or prior to \fIdate\fR.
See \*(L"Date and time format\*(R" for a description of supported
date and time formats.
.IP "tty \fItty name\fR" 8
.IX Item "tty tty name"
Evaluates to true if the command was run on the specified terminal
device. The \fItty name\fR should be specified without the \fI/dev/\fR prefix,
e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
.IP "user \fIuser name\fR" 8
.IX Item "user user name"
Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
\fIrunas_group\fR.
Note that unless a
\fIrunas_group\fR
was explicitly specified when
\fBsudo\fR
was run this field will be empty in the log.
.TP 8n
runas \fIrunas_user\fR
Evaluates to true if the command was run as the specified
\fIrunas_user\fR.
Note that
\fBsudo\fR
runs commands as user
\fIroot\fR
by default.
.TP 8n
todate \fIdate\fR
Evaluates to true if the command was run on or prior to
\fIdate\fR.
See
\fIDate and time format\fR
for a description of supported date and time formats.
.TP 8n
tty \fItty name\fR
Evaluates to true if the command was run on the specified terminal device.
The
\fItty name\fR
should be specified without the
\fI/dev/\fR
prefix, e.g.\&
\fItty01\fR
instead of
\fI/dev/tty01\fR.
.TP 8n
user \fIuser name\fR
Evaluates to true if the ID matches a command run by
\fIuser name\fR.
.RE
.RS 12
.Sp
.RS
.PP
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
.Sp
Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators
as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses
must generally be escaped from the shell). The \fIand\fR operator is
optional, adjacent predicates have an implied \fIand\fR unless separated
by an \fIor\fR.
.sp
Predicates may be combined using
\fIand\fR,
\fIor\fR
and
\fI\&!\fR
operators as well as
`\&('
and
`\&)'
grouping (note that parentheses must generally be escaped from the shell).
The
\fIand\fR
operator is optional, adjacent predicates have an implied
\fIand\fR
unless separated by an
\fIor\fR.
.PP
.RE
.IP "\-m \fImax_wait\fR" 12
.IX Item "-m max_wait"
Specify an upper bound on how long to wait between key presses or
output data. By default, \fBsudoreplay\fR will accurately reproduce
the delays between key presses or program output. However, this
can be tedious when the session includes long pauses. When the
\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses
to at most \fImax_wait\fR seconds. The value may be specified as a
floating point number, e.g. \fI2.5\fR.
.IP "\-s \fIspeed_factor\fR" 12
.IX Item "-s speed_factor"
This option causes \fBsudoreplay\fR to adjust the number of seconds
it will wait between key presses or program output. This can be
used to slow down or speed up the display. For example, a
\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas
a \fIspeed_factor\fR of \fI.5\fR would make the output twice as slow.
.IP "\-V" 12
.IX Item "-V"
The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number
.sp -1v
.TP 14n
\fB-m\fR \fImax_wait\fR
Specify an upper bound on how long to wait between key presses or output data.
By default,
\fBsudoreplay\fR
will accurately reproduce the delays between key presses or program output.
However, this can be tedious when the session includes long pauses.
When the
\fB-m\fR
option is specified,
\fBsudoreplay\fR
will limit these pauses to at most
\fImax_wait\fR
seconds.
The value may be specified as a floating point number, e.g.\&
\fI2.5\fR.
.TP 14n
\fB-s\fR \fIspeed_factor\fR
This option causes
\fBsudoreplay\fR
to adjust the number of seconds it will wait between key presses or
program output.
This can be used to slow down or speed up the display.
For example, a
\fIspeed_factor\fR
of
\fI2\fR
would make the output twice as fast whereas a
\fIspeed_factor\fR
of
\fI.5\fR
would make the output twice as slow.
.TP 14n
\fB-V\fR
The
\fB-V\fR (\fIversion\fR)
option causes
\fBsudoreplay\fR
to print its version number
and exit.
.SS "Date and time format"
.IX Subsection "Date and time format"
The time and date may be specified multiple ways, common formats include:
.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8
.IX Item "HH:MM:SS am MM/DD/CCYY timezone"
.TP 8n
HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8
.IX Item "HH:MM:SS am Month, Day Year timezone"
.TP 8n
HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated. Note that month and day of the week names must
be specified in English.
.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8
.IX Item "CCYY-MM-DD HH:MM:SS"
\&\s-1ISO\s0 time format
.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8
.IX Item "DD Month CCYY HH:MM:SS"
may be abbreviated.
Note that month and day of the week names must be specified in English.
.TP 8n
CCYY-MM-DD HH:MM:SS
ISO time format
.TP 8n
DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.PP
Either time or date may be omitted, the am/pm and timezone are
optional. If no date is specified, the current day is assumed; if
no time is specified, the first second of the specified date is
used. The less significant parts of both time and date may also
be omitted, in which case zero is assumed.
Either time or date may be omitted, the am/pm and timezone are optional.
If no date is specified, the current day is assumed; if no time is
specified, the first second of the specified date is used.
The less significant parts of both time and date may also be omitted,
in which case zero is assumed.
.PP
The following are all valid time and date specifications:
.IP "now" 8
.IX Item "now"
.TP 8n
now
The current time and date.
.IP "tomorrow" 8
.IX Item "tomorrow"
.TP 8n
tomorrow
Exactly one day from now.
.IP "yesterday" 8
.IX Item "yesterday"
.TP 8n
yesterday
24 hours ago.
.IP "2 hours ago" 8
.IX Item "2 hours ago"
.TP 8n
2 hours ago
2 hours ago.
.IP "next Friday" 8
.IX Item "next Friday"
.TP 8n
next Friday
The first second of the next Friday.
.IP "this week" 8
.IX Item "this week"
.TP 8n
this week
The current time but the first day of the coming week.
.IP "a fortnight ago" 8
.IX Item "a fortnight ago"
.TP 8n
a fortnight ago
The current time but 14 days ago.
.IP "10:01 am 9/17/2009" 8
.IX Item "10:01 am 9/17/2009"
.TP 8n
10:01 am 9/17/2009
10:01 am, September 17, 2009.
.IP "10:01 am" 8
.IX Item "10:01 am"
.TP 8n
10:01 am
10:01 am on the current day.
.IP "10" 8
.IX Item "10"
.TP 8n
10
10:00 am on the current day.
.IP "9/17/2009" 8
.IX Item "9/17/2009"
.TP 8n
9/17/2009
00:00 am, September 17, 2009.
.IP "10:01 am Sep 17, 2009" 8
.IX Item "10:01 am Sep 17, 2009"
.TP 8n
10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@iolog_dir@\fR" 24
.el .IP "\fI@iolog_dir@\fR" 24
.IX Item "@iolog_dir@"
.TP 26n
\fI@iolog_dir@\fR
The default I/O log directory.
.ie n .IP "\fI@iolog_dir@/00/00/01/log\fR" 24
.el .IP "\fI@iolog_dir@/00/00/01/log\fR" 24
.IX Item "@iolog_dir@/00/00/01/log"
.TP 26n
\fI@iolog_dir@/00/00/01/log\fR
Example session log info.
.ie n .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24
.el .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24
.IX Item "@iolog_dir@/00/00/01/stdin"
.TP 26n
\fI@iolog_dir@/00/00/01/stdin\fR
Example session standard input log.
.ie n .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24
.el .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24
.IX Item "@iolog_dir@/00/00/01/stdout"
.TP 26n
\fI@iolog_dir@/00/00/01/stdout\fR
Example session standard output log.
.ie n .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24
.el .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24
.IX Item "@iolog_dir@/00/00/01/stderr"
.TP 26n
\fI@iolog_dir@/00/00/01/stderr\fR
Example session standard error log.
.ie n .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24
.el .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24
.IX Item "@iolog_dir@/00/00/01/ttyin"
.TP 26n
\fI@iolog_dir@/00/00/01/ttyin\fR
Example session tty input file.
.ie n .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24
.el .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24
.IX Item "@iolog_dir@/00/00/01/ttyout"
.TP 26n
\fI@iolog_dir@/00/00/01/ttyout\fR
Example session tty output file.
.ie n .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24
.el .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24
.IX Item "@iolog_dir@/00/00/01/timing"
.TP 26n
\fI@iolog_dir@/00/00/01/timing\fR
Example session timing file.
.PP
Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty
unless \fBsudo\fR was used as part of a pipeline for a particular
command.
Note that the
\fIstdin\fR,
\fIstdout\fR
and
\fIstderr\fR
files will be empty unless
\fBsudo\fR
was used as part of a pipeline for a particular command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
List sessions run by user \fImillert\fR:
List sessions run by user
\fImillert\fR:
.nf
.sp
.RS 6n
# sudoreplay -l user millert
.RE
.fi
.PP
.Vb 1
\& # sudoreplay \-l user millert
.Ve
List sessions run by user
\fIbob\fR
with a command containing the string vi:
.nf
.sp
.RS 6n
# sudoreplay -l user bob command vi
.RE
.fi
.PP
List sessions run by user \fIbob\fR with a command containing the string vi:
.PP
.Vb 1
\& # sudoreplay \-l user bob command vi
.Ve
.PP
List sessions run by user \fIjeff\fR that match a regular expression:
.PP
.Vb 1
\& # sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
.Ve
List sessions run by user
\fIjeff\fR
that match a regular expression:
.nf
.sp
.RS 6n
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.RE
.fi
.PP
List sessions run by jeff or bob on the console:
.PP
.Vb 1
\& # sudoreplay \-l ( user jeff or user bob ) tty console
.Ve
.nf
.sp
.RS 6n
# sudoreplay -l ( user jeff or user bob ) tty console
.RE
.fi
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1)
sudo(@mansectsu@),
script(1)
.SH "AUTHORS"
.IX Header "AUTHORS"
Todd C. Miller
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
If you feel you have found a bug in
\fBsudoreplay\fR,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.
\fBsudoreplay\fR
is provided
``AS IS''
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.

6
doc/sudoreplay.mdoc.in
View File

@ -15,8 +15,8 @@
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 12, 2012
.Dt SUDOREPLAY 8
.Os
.Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoreplay
.Nd replay sudo session logs
@ -350,7 +350,7 @@ List sessions run by jeff or bob on the console:
# sudoreplay -l ( user jeff or user bob ) tty console
.Ed
.Sh SEE ALSO
.Xr sudo 8 ,
.Xr sudo @mansectsu@ ,
.Xr script 1
.Sh AUTHORS
Todd C. Miller

125
doc/visudo.cat
View File

@ -1,86 +1,83 @@
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
VISUDO(1m) System Manager's Manual VISUDO(1m)
NNAAMMEE
visudo - edit the sudoers file
vviissuuddoo - edit the sudoers file
SSYYNNOOPPSSIISS
vviissuuddoo [--cchhqqssVV] [--ff _s_u_d_o_e_r_s]
DDEESSCCRRIIPPTTIIOONN
vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m).
vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to vipw(1m).
vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits,
provides basic sanity checks, and checks for parse errors. If the
_s_u_d_o_e_r_s file is currently being edited you will receive a message to
try again later.
_s_u_d_o_e_r_s file is currently being edited you will receive a message to try
again later.
There is a hard-coded list of one or more editors that vviissuuddoo will use
set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s
Default variable. This list defaults to "vi". Normally, vviissuuddoo does
not honor the VISUAL or EDITOR environment variables unless they
contain an editor in the aforementioned editors list. However, if
vviissuuddoo is configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option or the
_e_n_v___e_d_i_t_o_r Default variable is set in _s_u_d_o_e_r_s, vviissuuddoo will use any the
editor defines by VISUAL or EDITOR. Note that this can be a security
hole since it allows the user to execute any program they wish simply
by setting VISUAL or EDITOR.
set at compile-time that may be overridden via the _e_d_i_t_o_r _s_u_d_o_e_r_s Default
variable. This list defaults to vi. Normally, vviissuuddoo does not honor the
VISUAL or EDITOR environment variables unless they contain an editor in
the aforementioned editors list. However, if vviissuuddoo is configured with
the --with-env-editor option or the _e_n_v___e_d_i_t_o_r Default variable is set in
_s_u_d_o_e_r_s, vviissuuddoo will use any the editor defines by VISUAL or EDITOR.
Note that this can be a security hole since it allows the user to execute
any program they wish simply by setting VISUAL or EDITOR.
vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the
changes if there is a syntax error. Upon finding an error, vviissuuddoo will
print a message stating the line number(s) where the error occurred and
the user will receive the "What now?" prompt. At this point the user
may enter "e" to re-edit the _s_u_d_o_e_r_s file, "x" to exit without saving
the changes, or "Q" to quit and save changes. The "Q" option should be
used with extreme care because if vviissuuddoo believes there to be a parse
error, so will ssuuddoo and no one will be able to ssuuddoo again until the
error is fixed. If "e" is typed to edit the _s_u_d_o_e_r_s file after a
parse error has been detected, the cursor will be placed on the line
where the error occurred (if the editor supports this feature).
the user will receive the ``What now?'' prompt. At this point the user
may enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the
changes, or `Q' to quit and save changes. The `Q' option should be used
with extreme care because if vviissuuddoo believes there to be a parse error,
so will ssuuddoo and no one will be able to ssuuddoo again until the error is
fixed. If `e' is typed to edit the _s_u_d_o_e_r_s file after a parse error has
been detected, the cursor will be placed on the line where the error
occurred (if the editor supports this feature).
OOPPTTIIOONNSS
vviissuuddoo accepts the following command line options:
vviissuuddoo accepts the following command line options: accepts the following
command line options:
-c Enable cchheecckk--oonnllyy mode. The existing _s_u_d_o_e_r_s file will be
checked for syntax errors, owner and mode. A message will
be printed to the standard output describing the status of
--cc Enable _c_h_e_c_k_-_o_n_l_y mode. The existing _s_u_d_o_e_r_s file will be
checked for syntax errors, owner and mode. A message will be
printed to the standard output describing the status of
_s_u_d_o_e_r_s unless the --qq option was specified. If the check
completes successfully, vviissuuddoo will exit with a value of 0.
If an error is encountered, vviissuuddoo will exit with a value
of 1.
If an error is encountered, vviissuuddoo will exit with a value of
1.
-f _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this
--ff _s_u_d_o_e_r_s Specify and alternate _s_u_d_o_e_r_s file location. With this
option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your
choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock
file used is the specified _s_u_d_o_e_r_s file with ".tmp"
appended to it. In cchheecckk--oonnllyy mode only, the argument to
--ff may be "-", indicating that _s_u_d_o_e_r_s will be read from
the standard input.
choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file
used is the specified _s_u_d_o_e_r_s file with ``.tmp'' appended to
it. In _c_h_e_c_k_-_o_n_l_y mode only, the argument to --ff may be `-',
indicating that _s_u_d_o_e_r_s will be read from the standard input.
-h The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help
--hh The --hh (_h_e_l_p) option causes vviissuuddoo to print a short help
message to the standard output and exit.
-q Enable qquuiieett mode. In this mode details about syntax
errors are not printed. This option is only useful when
combined with the --cc option.
--qq Enable _q_u_i_e_t mode. In this mode details about syntax errors
are not printed. This option is only useful when combined
with the --cc option.
-s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is
used before it is defined, vviissuuddoo will consider this a
parse error. Note that it is not possible to differentiate
between an alias and a host name or user name that consists
solely of uppercase letters, digits, and the underscore
('_') character.
--ss Enable _s_t_r_i_c_t checking of the _s_u_d_o_e_r_s file. If an alias is
used before it is defined, vviissuuddoo will consider this a parse
error. Note that it is not possible to differentiate between
an alias and a host name or user name that consists solely of
uppercase letters, digits, and the underscore (`_')
character.
-V The --VV (version) option causes vviissuuddoo to print its version
--VV The --VV (_v_e_r_s_i_o_n) option causes vviissuuddoo to print its version
number and exit.
EENNVVIIRROONNMMEENNTT
The following environment variables may be consulted depending on the
value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s variables:
value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s settings:
VISUAL Invoked by visudo as the editor to use
VISUAL Invoked by vviissuuddoo as the editor to use
EDITOR Used by visudo if VISUAL is not set
EDITOR Used by vviissuuddoo if VISUAL is not set
FFIILLEESS
_/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
@ -101,7 +98,7 @@ DDIIAAGGNNOOSSTTIICCSS
Either you are trying to use an undeclared
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the
underscore (`_') character. In the latter case, you can ignore the
warnings (ssuuddoo will not complain). In --ss (strict) mode these are
errors, not warnings.
@ -117,11 +114,11 @@ DDIIAAGGNNOOSSTTIICCSS
the _s_u_d_o_e_r_s file.
SSEEEE AALLSSOO
_v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(1m)
vi(1), sudoers(4), sudo(1m), vipw(1m)
AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version of vviissuuddoo
was written by:
Many people have worked on ssuuddoo over the years; this version consists of
code written primarily by:
Todd C. Miller
@ -134,21 +131,19 @@ CCAAVVEEAATTSS
editor used by vviissuuddoo allows shell escapes.
BBUUGGSS
If you feel you have found a bug in vviissuuddoo, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
If you feel you have found a bug in vviissuuddoo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
SSUUPPPPOORRTT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
archives.
DDIISSCCLLAAIIMMEERR
vviissuuddoo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with ssuuddoo or
http://www.sudo.ws/sudo/license.html for complete details.
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
1.8.6 July 13, 2012 VISUDO(1m)
Sudo 1.8.6 July 12, 2012 Sudo 1.8.6

538
doc/visudo.man.in
View File

@ -1,3 +1,6 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in
.\"
.\" Copyright (c) 1996,1998-2005, 2007-2012
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
@ -18,297 +21,306 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C`
. ds C'
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "July 13, 2012" "1.8.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.TH "VISUDO" "@mansectsu@" "July 12, 2012" "1.8.6" "System Manager's Manual"
.SH "NAME"
visudo \- edit the sudoers file
\fBvisudo\fR
\- edit the sudoers file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR]
.HP 7n
\fBvisudo\fR
[\fB-chqsV\fR]
[\fB-f\fR\~\fIsudoers\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to
\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple
simultaneous edits, provides basic sanity checks, and checks
for parse errors. If the \fIsudoers\fR file is currently being
edited you will receive a message to try again later.
\fBvisudo\fR
edits the
\fIsudoers\fR
file in a safe fashion, analogous to
vipw(@mansectsu@).
\fBvisudo\fR
locks the
\fIsudoers\fR
file against multiple simultaneous edits, provides basic sanity checks,
and checks for parse errors.
If the
\fIsudoers\fR
file is currently being edited you will receive a message to try again later.
.PP
There is a hard-coded list of one or more editors that \fBvisudo\fR will
use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to \f(CW"@editor@"\fR. Normally,
\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
variables unless they contain an editor in the aforementioned editors
list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR
option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
There is a hard-coded list of one or more editors that
\fBvisudo\fR
will use set at compile-time that may be overridden via the
\fIeditor\fR
\fIsudoers\fR
\fRDefault\fR
variable.
This list defaults to
\fR@editor@\fR.
Normally,
\fBvisudo\fR
does not honor the
\fRVISUAL\fR
or
\fREDITOR\fR
environment variables unless they contain an editor in the aforementioned
editors list.
However, if
\fBvisudo\fR
is configured with the
\fR--with-env-editor\fR
option or the
\fIenv_editor\fR
\fRDefault\fR
variable is set in
\fIsudoers\fR,
\fBvisudo\fR
will use any the editor defines by
\fRVISUAL\fR
or
\fREDITOR\fR.
Note that this can be a security hole since it allows the user to
execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
execute any program they wish simply by setting
\fRVISUAL\fR
or
\fREDITOR\fR.
.PP
\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will
not save the changes if there is a syntax error. Upon finding
an error, \fBvisudo\fR will print a message stating the line number(s)
\fBvisudo\fR
parses the
\fIsudoers\fR
file after the edit and will
not save the changes if there is a syntax error.
Upon finding an error,
\fBvisudo\fR
will print a message stating the line number(s)
where the error occurred and the user will receive the
\&\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R"
to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without
saving the changes, or \*(L"Q\*(R" to quit and save changes. The
\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR
believes there to be a parse error, so will \fBsudo\fR and no one
will be able to \fBsudo\fR again until the error is fixed.
If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error
has been detected, the cursor will be placed on the line where the
error occurred (if the editor supports this feature).
``What now?''
prompt.
At this point the user may enter
`e'
to re-edit the
\fIsudoers\fR
file,
`x'
to exit without saving the changes, or
`Q'
to quit and save changes.
The
`Q'
option should be used with extreme care because if
\fBvisudo\fR
believes there to be a parse error, so will
\fBsudo\fR
and no one
will be able to
\fBsudo\fR
again until the error is fixed.
If
`e'
is typed to edit the
\fIsudoers\fR
file after a parse error has been detected, the cursor will be placed on
the line where the error occurred (if the editor supports this feature).
.SH "OPTIONS"
.IX Header "OPTIONS"
\&\fBvisudo\fR accepts the following command line options:
.IP "\-c" 12
.IX Item "-c"
Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be
checked for syntax errors, owner and mode. A message will be printed
to the standard output describing the status of \fIsudoers\fR unless
the \fB\-q\fR option was specified. If the check completes successfully,
\&\fBvisudo\fR will exit with a value of 0. If an error is encountered,
\&\fBvisudo\fR will exit with a value of 1.
.IP "\-f \fIsudoers\fR" 12
.IX Item "-f sudoers"
Specify and alternate \fIsudoers\fR file location. With this option
\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used
is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R",
indicating that \fIsudoers\fR will be read from the standard input.
.IP "\-h" 12
.IX Item "-h"
The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message
\fBvisudo\fR
accepts the following command line options:
accepts the following command line options:
.TP 12n
\fB-c\fR
Enable
\fIcheck-only\fR
mode.
The existing
\fIsudoers\fR
file will be
checked for syntax errors, owner and mode.
A message will be printed to the standard output describing the status of
\fIsudoers\fR
unless the
\fB-q\fR
option was specified.
If the check completes successfully,
\fBvisudo\fR
will exit with a value of 0.
If an error is encountered,
\fBvisudo\fR
will exit with a value of 1.
.TP 12n
\fB-f\fR \fIsudoers\fR
Specify and alternate
\fIsudoers\fR
file location.
With this option
\fBvisudo\fR
will edit (or check) the
\fIsudoers\fR
file of your choice,
instead of the default,
\fI@sysconfdir@/sudoers\fR.
The lock file used is the specified
\fIsudoers\fR
file with
``\.tmp''
appended to it.
In
\fIcheck-only\fR
mode only, the argument to
\fB-f\fR
may be
`-',
indicating that
\fIsudoers\fR
will be read from the standard input.
.TP 12n
\fB-h\fR
The
\fB-h\fR (\fIhelp\fR)
option causes
\fBvisudo\fR
to print a short help message
to the standard output and exit.
.IP "\-q" 12
.IX Item "-q"
Enable \fBquiet\fR mode. In this mode details about syntax errors
are not printed. This option is only useful when combined with
the \fB\-c\fR option.
.IP "\-s" 12
.IX Item "-s"
Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
used before it is defined, \fBvisudo\fR will consider this a parse
error. Note that it is not possible to differentiate between an
.TP 12n
\fB-q\fR
Enable
\fIquiet\fR
mode.
In this mode details about syntax errors are not printed.
This option is only useful when combined with
the
\fB-c\fR
option.
.TP 12n
\fB-s\fR
Enable
\fIstrict\fR
checking of the
\fIsudoers\fR
file.
If an alias is used before it is defined,
\fBvisudo\fR
will consider this a parse error.
Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
.IP "\-V" 12
.IX Item "-V"
The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
letters, digits, and the underscore
(`_')
character.
.TP 12n
\fB-V\fR
The
\fB-V\fR (\fIversion\fR)
option causes
\fBvisudo\fR
to print its version number
and exit.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
The following environment variables may be consulted depending on
the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables:
.ie n .IP "\*(C`VISUAL\*(C'" 16
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
.IX Item "VISUAL"
Invoked by visudo as the editor to use
.ie n .IP "\*(C`EDITOR\*(C'" 16
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
.IX Item "EDITOR"
Used by visudo if \s-1VISUAL\s0 is not set
the value of the
\fIeditor\fR
and
\fIenv_editor\fR
\fIsudoers\fR
settings:
.TP 17n
\fRVISUAL\fR
Invoked by
\fBvisudo\fR
as the editor to use
.TP 17n
\fREDITOR\fR
Used by
\fBvisudo\fR
if
\fRVISUAL\fR
is not set
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
.TP 26n
\fI@sysconfdir@/sudoers\fR
List of who can run what
.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
.el .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
.IX Item "@sysconfdir@/sudoers.tmp"
.TP 26n
\fI@sysconfdir@/sudoers.tmp\fR
Lock file for visudo
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
.IP "sudoers file busy, try again later." 4
.IX Item "sudoers file busy, try again later."
Someone else is currently editing the \fIsudoers\fR file.
.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4
.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4
.IX Item "@sysconfdir@/sudoers.tmp: Permission denied"
You didn't run \fBvisudo\fR as root.
.IP "Can't find you in the passwd database" 4
.IX Item "Can't find you in the passwd database"
Your user \s-1ID\s0 does not appear in the system passwd file.
.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
.TP 6n
\fRsudoers file busy, try again later.\fR
Someone else is currently editing the
\fIsudoers\fR
file.
.TP 6n
\fR@sysconfdir@/sudoers.tmp: Permission denied\fR
You didn't run
\fBvisudo\fR
as root.
.TP 6n
\fRCan't find you in the passwd database\fR
Your user ID does not appear in the system passwd file.
.TP 6n
\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (\fBsudo\fR will not
complain). In \fB\-s\fR (strict) mode these are errors, not warnings.
.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4
.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias"
uppercase letters, digits, and the underscore
(`_')
character.
In the latter case, you can ignore the warnings
(\fBsudo\fR
will not complain)
\&.
In
\fB-s\fR
(strict) mode these are errors, not warnings.
.TP 6n
\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
\&\fB\-s\fR (strict) mode this is an error, not a warning.
.IP "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" 4
.IX Item "Warning: cycle in {User,Runas,Host,Cmnd}_Alias"
used.
You may wish to comment out or remove the unused alias.
In
\fB-s\fR
(strict) mode this is an error, not a warning.
.TP 6n
\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes. This is
only a warning by default as \fBsudo\fR will ignore cycles when parsing
the \fIsudoers\fR file.
itself, either directly or through an alias it includes.
This is only a warning by default as
\fBsudo\fR
will ignore cycles when parsing
the
\fIsudoers\fR
file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@)
vi(1),
sudoers(@mansectform@),
sudo(@mansectsu@),
vipw(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this version of
\&\fBvisudo\fR was written by:
Many people have worked on
\fBsudo\fR
over the years; this version consists of code written primarily by:
.sp
.RS 6n
Todd C. Miller
.RE
.PP
.Vb 1
\& Todd C. Miller
.Ve
.PP
See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people
who have contributed to \fBsudo\fR.
See the CONTRIBUTORS file in the
\fBsudo\fR
distribution (http://www.sudo.ws/sudo/contributors.html) for an
exhaustive list of people who have contributed to
\fBsudo\fR.
.SH "CAVEATS"
.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell if
the editor used by \fBvisudo\fR allows shell escapes.
the editor used by
\fBvisudo\fR
allows shell escapes.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
If you feel you have found a bug in
\fBvisudo\fR,
please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
for complete details.
\fBvisudo\fR
is provided
``AS IS''
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
\fBsudo\fR
or http://www.sudo.ws/sudo/license.html for complete details.

12
doc/visudo.mdoc.in
View File

@ -20,8 +20,8 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd July 12, 2012
.Dt VISUDO 8
.Os
.Dt VISUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm visudo
.Nd edit the sudoers file
@ -36,7 +36,7 @@
edits the
.Em sudoers
file in a safe fashion, analogous to
.Xr vipw 8 .
.Xr vipw @mansectsu@ .
.Nm visudo
locks the
.Em sudoers
@ -278,9 +278,9 @@ file.
.El
.Sh SEE ALSO
.Xr vi 1 ,
.Xr sudoers 5 ,
.Xr sudo 8 ,
.Xr vipw 8
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr vipw @mansectsu@
.Sh AUTHORS
Many people have worked on
.Nm sudo