From cf1b87c71d315d2df9b7f426cde2113c58400267 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 23 Feb 2025 09:09:26 -0700 Subject: [PATCH] Sync sed scripts that add back troff conditionals. The sudo manuals contain conditional to avoid describing system-specific behavior on systems that don't support it. When we convert from mdoc to man format we lose those conditionals, these sed scripts add them back. Changes to the mdoc files can prevent the regexps from matching so they need to be updated periodically. --- docs/sudo.conf.man.in | 1 + docs/sudo.conf.man.in.sed | 4 ++-- docs/sudo.man.in | 8 +++++++ docs/sudo.man.in.sed | 34 +++++++++++++-------------- docs/sudoers.man.in | 25 ++++++++++++++++---- docs/sudoers.man.in.sed | 49 +++++++++++++++++++++++++++++++++++---- 6 files changed, 92 insertions(+), 29 deletions(-) diff --git a/docs/sudo.conf.man.in b/docs/sudo.conf.man.in index b1d80e78e..6f6127d45 100644 --- a/docs/sudo.conf.man.in +++ b/docs/sudo.conf.man.in @@ -375,6 +375,7 @@ The default directory to use when searching for plugins that are specified without a fully qualified path name. The default value is \fI@plugindir@\fR. +.if \n(SL \{\ .TP 6n sesh The fully-qualified path to the diff --git a/docs/sudo.conf.man.in.sed b/docs/sudo.conf.man.in.sed index 2534bc893..dbea8a1bb 100644 --- a/docs/sudo.conf.man.in.sed +++ b/docs/sudo.conf.man.in.sed @@ -1,9 +1,9 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\ \1/ -/^\.TP 10n$/ { +/^\.TP 6n$/ { N - /^.TP 10n\nsesh$/ { + /^.TP 6n\nsesh$/ { i\ .if \\n(SL \\{\\ } diff --git a/docs/sudo.man.in b/docs/sudo.man.in index 3bb35940a..87bd2deef 100644 --- a/docs/sudo.man.in +++ b/docs/sudo.man.in @@ -214,6 +214,7 @@ If no askpass program is available, \fBsudo\fR will exit with an error. .RE +.if \n(BA \{\ .TP 8n \fB\-a\fR \fItype\fR, \fB\--auth-type\fR=\fItype\fR Use the specified 
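Review bot: The `.TP 6n` width is still a literal in both addresses of docs/sudo.conf.man.in.sed, so the next change to the indent of the converted output will again make the script match nothing and drop the `.if \n(SL \{\` guard without any error. The same applies to the `.TP 8n` addresses in docs/sudo.man.in.sed and the `.TP 18n` ones in docs/sudoers.man.in.sed. A comment above the block would at least record the dependency, for example `# The .TP width must match the mdoc-to-man output; re-check after editing the mdoc source.` Separately, the inner address `/^.TP 6n\nsesh$/` leaves the dot unescaped while the outer `/^\.TP 6n$/` escapes it; `/^\.TP 6n\nsesh$/ {` would be consistent. The block continues past the end of the hunk.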
@@ -230,6 +231,7 @@ entry in This option is only available on systems that support BSD authentication. +.\} .TP 8n \fB\-B\fR, \fB\--bell\fR Ring the bell as part of the password prompt when a terminal is present. @@ -265,6 +267,7 @@ policy only permits use of the option when the administrator has enabled the \fIclosefrom_override\fR option. +.if \n(LC \{\ .TP 8n \fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR Run the @@ -297,6 +300,7 @@ be applied, if present. This option is only available on systems with BSD login classes. +.\} .TP 8n \fB\-D\fR \fIdirectory\fR, \fB\--chdir\fR=\fIdirectory\fR Run the @@ -708,12 +712,14 @@ before running the \fIcommand\fR. The security policy may return an error if the user does not have permission to specify the root directory. +.if \n(SL \{\ .TP 8n \fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR Run the \fIcommand\fR with an SELinux security context that includes the specified \fIrole\fR. +.\} .TP 8n \fB\-S\fR, \fB\--stdin\fR Write the prompt to the standard error and read the password from the @@ -746,6 +752,7 @@ Most shells behave differently when a \fIcommand\fR is specified as compared to an interactive session; consult the shell's manual for details. +.if \n(SL \{\ .TP 8n \fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR Run the @@ -755,6 +762,7 @@ with an SELinux security context that includes the specified If no \fItype\fR is specified, the default type is derived from the role. +.\} .TP 8n \fB\-U\fR \fIuser\fR, \fB\--other-user\fR=\fIuser\fR Used in conjunction with the diff --git a/docs/sudo.man.in.sed b/docs/sudo.man.in.sed index 432dd7474..5659c98f7 100644 --- a/docs/sudo.man.in.sed +++ b/docs/sudo.man.in.sed 
@@ -9,37 +9,37 @@ s/^\(\[\\fB\\-c\\fR.*\\fIclass\\fR\]\) *$/.if \\n(LC \1/ s/^\(\[\\fB\\-r\\fR.*\\fIrole\\fR\]\) *$/.if \\n(SL \1/ s/^\(\[\\fB\\-t\\fR.*\\fItype\\fR\]\) *$/.if \\n(SL \1/ -/^\.TP 12n$/ { +/^\.TP 8n$/ { N - /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/,/^\.TP 12n/ { - /^\.TP 12n/ { - /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/i\ + /^\.TP 8n\n\\fB\\-a\\fR.*\\fItype\\fR$/,/^\.TP 8n/ { + /^\.TP 8n/ { + /^\.TP 8n\n\\fB\\-a\\fR.*\\fItype\\fR$/i\ .if \\n(BA \\{\\ - /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/!i\ + /^\.TP 8n\n\\fB\\-a\\fR.*\\fItype\\fR$/!i\ .\\} } } - /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/,/^\.TP 12n/ { - /^\.TP 12n/ { - /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/i\ + /^\.TP 8n\n\\fB\\-c\\fR.*\\fIclass\\fR$/,/^\.TP 8n/ { + /^\.TP 8n/ { + /^\.TP 8n\n\\fB\\-c\\fR.*\\fIclass\\fR$/i\ .if \\n(LC \\{\\ - /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/!i\ + /^\.TP 8n\n\\fB\\-c\\fR.*\\fIclass\\fR$/!i\ .\\} } } - /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/,/^\.TP 12n/ { - /^\.TP 12n/ { - /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/i\ + /^\.TP 8n\n\\fB\\-r\\fR.*\\fIrole\\fR$/,/^\.TP 8n/ { + /^\.TP 8n/ { + /^\.TP 8n\n\\fB\\-r\\fR.*\\fIrole\\fR$/i\ .if \\n(SL \\{\\ - /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/!i\ + /^\.TP 8n\n\\fB\\-r\\fR.*\\fIrole\\fR$/!i\ .\\} } } - /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/,/^\.TP 12n/ { - /^\.TP 12n/ { - /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/i\ + /^\.TP 8n\n\\fB\\-t\\fR.*\\fItype\\fR$/,/^\.TP 8n/ { + /^\.TP 8n/ { + /^\.TP 8n\n\\fB\\-t\\fR.*\\fItype\\fR$/i\ .if \\n(SL \\{\\ - /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/!i\ + /^\.TP 8n\n\\fB\\-t\\fR.*\\fItype\\fR$/!i\ .\\} } } diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index 2b4657ac3..7f7c8b986 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -22,6 +22,7 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .nr SL @SEMAN@ +.nr AA @AAMAN@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ 
@@ -1387,20 +1388,28 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* (Tag_Spec ':')* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' .ie \n(SL \{\ -.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) -.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec) +.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) +.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) .\} .el \{\ -.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec) -.el Option_Spec ::= (Date_Spec | Timeout_Spec) +.ie \n(AA \{\ +.ie \n(PS Option_Spec ::= (AppArmor_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) +.el Option_Spec ::= (AppArmor_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) +.\} +.el \{\ +.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) +.el Option_Spec ::= (Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec) +.\} .\} .if \n(SL \{\ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') .\} +.if \n(AA \{\ AppArmor_Spec ::= 'APPARMOR_PROFILE=profile' +.\} .if \n(PS \{\ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') @@ -1622,7 +1631,9 @@ Options may consist of .if \n(SL \{\ SELinux roles and/or types, .\} +.if \n(AA \{\ AppArmor profiles, +.\} .if \n(PS \{\ Solaris privileges sets, .\} @@ -1653,6 +1664,7 @@ A role or type specified on the command line, however, will supersede the values in \fIsudoers\fR. .\} +.if \n(AA \{\ .SS "AppArmor_Spec" On systems supporting AppArmor, \fIsudoers\fR @@ -1711,6 +1723,7 @@ and user to run \fI/bin/ls\fR without any confinement at all. +.\} .if \n(PS \{\ .SS "Solaris_Priv_Spec" On Solaris systems, 
@@ -4255,7 +4268,7 @@ will set the umask to be the union of the user's umask and what is specified in This flag is \fI@umask_override@\fR by default. -.if \n(BA \{\ +.if \n(LC \{\ .TP 18n use_loginclass If set, @@ -4519,6 +4532,7 @@ The umask setting in PAM is not used for which does not create a new PAM session. .PP \fBStrings\fR: +.if \n(AA \{\ .TP 18n apparmor_profile The default AppArmor profile to transition into when executing the @@ -4532,6 +4546,7 @@ entries by specifying the option. This option is only available when sudo is built with AppArmor support. +.\} .TP 18n cmddenial_message .br diff --git a/docs/sudoers.man.in.sed b/docs/sudoers.man.in.sed index eca83a306..b7cd2e4ea 100644 --- a/docs/sudoers.man.in.sed +++ b/docs/sudoers.man.in.sed @@ -1,4 +1,5 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\ +.nr AA @AAMAN@\ .nr BA @BAMAN@\ .nr LC @LCMAN@\ .nr PS @PSMAN@\ @@ -21,6 +22,15 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\ } } +/^\.SS "AppArmor_Spec"$/,/^\.SS/ { + /^\.SS / { + /^\.SS "AppArmor_Spec"$/i\ +.if \\n(AA \\{\\ + /^\.SS "AppArmor_Spec"$/!i\ +.\\} + } +} + /^\.SS "Solaris_Priv_Spec"$/,/^\.SS/ { /^\.SS / { /^\.SS "Solaris_Priv_Spec"$/i\ 
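Review bot: The new `AppArmor_Spec` block in docs/sudoers.man.in.sed depends on its position in the script, and nothing records that. Its closing `.\\}` is inserted on the `.SS "Solaris_Priv_Spec"` line, the same line on which the following block inserts `.if \\n(PS \\{\\`, and the output is only correctly nested because this block runs first. A comment above it would keep a later reorder from breaking the nesting, for example `# Keep before the Solaris_Priv_Spec block: the closing .\} must be emitted first.` The Solaris_Priv_Spec block continues outside the hunk.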
@@ -32,12 +42,18 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\ /^Option_Spec ::= / { s/^.*$/.ie \\n(SL \\{\\\ -.ie \\n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)\ -.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)\ +.ie \\n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)\ +.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)\ .\\}\ .el \\{\\\ -.ie \\n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)\ -.el Option_Spec ::= (Date_Spec | Timeout_Spec)\ +.ie \\n(AA \\{\\\ +.ie \\n(PS Option_Spec ::= (AppArmor_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)\ +.el Option_Spec ::= (AppArmor_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)\ +.\\}\ +.el \\{\\\ +.ie \\n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)\ +.el Option_Spec ::= (Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)\ +.\\}\ .\\}/ } @@ -49,6 +65,14 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\ .\\} } +/^AppArmor_Spec ::=/ { + i\ +.if \\n(AA \\{\\ + N + a\ +.\\} +} + /^Solaris_Priv_Spec ::=/ { i\ .if \\n(PS \\{\\ @@ -64,6 +88,13 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\ .\\} } +/^AppArmor profiles,/ { + i\ +.if \\n(AA \\{\\ + a\ +.\\} +} + /^Solaris privileges sets,/ { i\ .if \\n(PS \\{\\ @@ -76,8 +107,16 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\ /^\.TP 18n\nuse_loginclass$/,/^\.TP 18n/ { /^\.TP 18n/ { /^\.TP 18n\nuse_loginclass$/i\ -.if \\n(BA \\{\\ +.if \\n(LC \\{\\ /^\.TP 18n\nuse_loginclass$/!i\ +.\\} + } + } + /^\.TP 18n\napparmor_profile$/,/^\.TP 18n/ { + /^\.TP 18n/ { + /^\.TP 18n\napparmor_profile$/i\ +.if \\n(AA \\{\\ + /^\.TP 18n\napparmor_profile$/!i\ .\\} } }
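Review bot: In the rewritten `Option_Spec` replacement, `AppArmor_Spec` is listed only inside the `.el` branch of `.ie \\n(SL`. A manual built with both SL and AA non-zero would therefore show the `AppArmor_Spec ::=` definition and the AppArmor_Spec section (each guarded by `.if \\n(AA` alone) while the `Option_Spec` production omits it. If the two can never be enabled together, a comment above the `s` command would settle it, for example `# SL and AA are treated as mutually exclusive here.`; otherwise the SL branch needs the same `.ie \\n(AA` split as the `.el` branch. Whether both can be set is not visible in this patch.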