From b04386f63163d99eb67a78f9af8515b3af13c8b0 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 14 Feb 2025 09:29:37 -0700
Subject: [PATCH] Most Defaults entries are applied in order. The exceptions are command-specific Defaults (which cannot be applied until the command's path is resolved) and a small number of "early" defaults that affect other entries.
---
 docs/sudoers.man.in | 18 ++++++++++--------
 docs/sudoers.mdoc.in | 18 ++++++++++--------
 2 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
index a9b2b6eb5..95c7b1246 100644
--- a/docs/sudoers.man.in
+++ b/docs/sudoers.man.in
@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2025
 .\" Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "November 11, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "February 14, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1357,14 +1357,16 @@ It is not an error to use the
 operator to remove an element
 that does not exist in a list.
 .PP
-Defaults entries are parsed in the following order: global, host,
-user, and runas Defaults first, then command defaults.
-If there are multiple Defaults settings of the same type, the last
-matching setting is used.
-The following Defaults settings are parsed before all others since
-they may affect subsequent entries:
+In general Defaults settings are applied in order, later entries
+will override earlier ones.
+However, command-specific Defaults settings are applied later, once
+the command's path is known.
+In addition, the following Defaults settings must be applied before
+all others since they may affect subsequent entries:
 \fIfqdn\fR,
 \fIgroup_plugin\fR,
+\fIignore_unknown_defaults\fR,
+\fImatch_group_by_gid\fR,
 \fIrunas_default\fR,
 \fIsudoers_locale\fR.
 .PP
diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
index f291d48d3..9bfbb0695 100644
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2025
 .\" Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd November 11, 2024
+.Dd February 14, 2025
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1302,14 +1302,16 @@ It is not an error to use the
 operator to remove an element
 that does not exist in a list.
 .Pp
-Defaults entries are parsed in the following order: global, host,
-user, and runas Defaults first, then command defaults.
-If there are multiple Defaults settings of the same type, the last
-matching setting is used.
-The following Defaults settings are parsed before all others since
-they may affect subsequent entries:
+In general Defaults settings are applied in order, later entries
+will override earlier ones.
+However, command-specific Defaults settings are applied later, once
+the command's path is known.
+In addition, the following Defaults settings must be applied before
+all others since they may affect subsequent entries:
 .Em fqdn ,
 .Em group_plugin ,
+.Em ignore_unknown_defaults ,
+.Em match_group_by_gid ,
 .Em runas_default ,
 .Em sudoers_locale .
 .Pp