From d324a530656ba18927f918b7e73a82970f6ed9e1 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 6 Dec 2021 09:27:54 -0700 Subject: [PATCH] Minor formatting tweaks. --- README.LDAP.md | 24 +++++--------- docs/CONTRIBUTING.md | 3 +- docs/TROUBLESHOOTING.md | 4 +-- docs/UPGRADE.md | 72 ++++++++++++++++++++--------------------- 4 files changed, 48 insertions(+), 55 deletions(-) diff --git a/README.LDAP.md b/README.LDAP.md index 9e6397f8a..c17e83a9f 100644 --- a/README.LDAP.md +++ b/README.LDAP.md @@ -9,8 +9,7 @@ The sudo binary compiled with LDAP support should be totally backward compatible and be syntactically and source code equivalent to its non LDAP-enabled build. -LDAP philosophy -=============== +## LDAP philosophy As times change and servers become cheap, an enterprise can easily have 500+ UNIX servers. Using LDAP to synchronize Users, Groups, Hosts, Mounts, and @@ -26,8 +25,7 @@ available configuration source for sudo. For information on OpenLDAP, please see http://www.openldap.org/. -Definitions -=========== +## Definitions Many times the word 'Directory' is used in the document to refer to the LDAP server, structure and contents. @@ -35,8 +33,7 @@ server, structure and contents. Many times 'options' are used in this document to refer to sudoer 'defaults'. They are one and the same. -Build instructions -================== +## Build instructions The simplest way to build sudo with LDAP support is to include the `--with-ldap` option. @@ -55,8 +52,7 @@ Your mileage may vary. Please let the sudo workers mailing list sudo-workers@sudo.ws know if special configuration was required to build an LDAP-enabled sudo so we can improve sudo. -Schema Changes -============== +## Schema Changes You must add the appropriate schema to your LDAP server before it can store sudoers content. 
@@ -114,8 +110,7 @@ to your Windows domain controller and run the following command: ldifde -i -f schema.ActiveDirectory -c dc=X dc=example,dc=com -Importing /etc/sudoers into LDAP -================================ +## Importing /etc/sudoers into LDAP Importing sudoers is a two-step process. @@ -149,8 +144,7 @@ convert your sudoers file into LDIF format. # ldapsearch -b "$SUDOERS_BASE" -D cn=Manager,dc=example,dc=com -W -x ``` -Managing LDAP entries -===================== +## Managing LDAP entries Doing a one-time bulk load of your ldap entries is fine. However what if you need to make minor changes on a daily basis? It doesn't make sense to delete @@ -185,8 +179,7 @@ I recommend using any of the following LDAP browsers to administer your SUDOers. There are dozens of others, some Open Source, some free, some not. -Configure your /etc/ldap.conf and /etc/nsswitch.conf -==================================================== +## Configure your /etc/ldap.conf and /etc/nsswitch.conf The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap and other ldap applications and modules. IBM Secureway unfortunately uses @@ -208,8 +201,7 @@ To disable nsswitch support, run configure with the `--with-nsswitch=no` option. This will cause sudo to consult LDAP first and /etc/sudoers second, unless the ignore_sudoers_file flag is set in the global LDAP options. -Debugging your LDAP configuration -================================= +## Debugging your LDAP configuration Enable debugging if you believe sudo is not parsing LDAP the way you think it should. Setting the 'sudoers_debug' parameter to a value of 1 shows moderate diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index ead78b975..92aeae01c 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -1,4 +1,5 @@ -# Contributing to Sudo +Contributing to Sudo +==================== Thank you for your interest in contributing to Sudo! There are a number of way you can help make Sudo better. 
diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index aace4cb6c..dbd803926 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -22,7 +22,7 @@ Troubleshooting tips and FAQ for Sudo /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set -> Sudo must be setuid root to do its work. Either /usr/local/bin/sudo +> Sudo must be setuid root to do its work. Either `/usr/local/bin/sudo` > is not owned by uid 0 or the setuid bit is not set. This should have > been done for you by `make install` but you can fix it manually by > running the following as root: @@ -76,7 +76,7 @@ It just says "Sorry, try again." three times and exits. > Don't forget to send a SIGHUP to your syslogd so that it re-reads > its conf file. Also, remember that syslogd does *not* create > log files, you need to create the file before syslogd will log -> to it (ie: touch /var/log/sudo). +> to it (e.g.: touch /var/log/sudo). > Note: the facility (e.g. 'auth.debug') must be separated from > the destination (e.g. '/var/log/auth' or '@loghost') by tabs, diff --git a/docs/UPGRADE.md b/docs/UPGRADE.md index d04ca7c42..e3d29293e 100644 --- a/docs/UPGRADE.md +++ b/docs/UPGRADE.md @@ -44,7 +44,7 @@ Notes on upgrading from an older release a syntax error in the sudoers file by discarding the portion of the line that contains the error until the end of the line. To restore the historic behavior of refusing to run when a - syntax error is encountered, add "error_recovery=false" as a + syntax error is encountered, add `error_recovery=false` as a plugin option in sudo.conf for the "sudoers_audit" plugin, (or "sudoers_policy" if there is no "sudoers_audit" plugin configured). 
@@ -66,7 +66,7 @@ Notes on upgrading from an older release to be run as a user or group ID that is not in the password or group databases by default. Previously, sudo would always allow unknown user or group IDs if the sudoers entry permitted it, - including via the "ALL" alias. The old behavior can be restored + including via the _ALL_ alias. The old behavior can be restored by setting the new "allow_unknown_runas_id" Defaults setting in the sudoers file. @@ -107,7 +107,7 @@ Notes on upgrading from an older release * Upgrading from a version prior to 1.8.23: - In sudo 1.8.23 the "sudoers2ldif" script and the "visudo -x" + In sudo 1.8.23 the "sudoers2ldif" script and the `visudo -x` functionality has been superseded by the "cvtsudoers" utility. The cvtsudoers utility is intended to be a drop-in replacement for "sudoers2ldif". Because it uses the same parser as sudo @@ -230,8 +230,8 @@ Notes on upgrading from an older release time is stored instead of wall clock time. As a result, it is important that the time stamp files not persist when the system reboots. For this reason, the default location for the time - stamp files has changed back to a directory located in /var/run. - Systems that do not have /var/run (e.g. AIX) or that do not clear + stamp files has changed back to a directory located in `/var/run`. + Systems that do not have `/var/run` (e.g. AIX) or that do not clear it on boot (e.g. HP-UX) will need to clear the time stamp directory via a start up script. Such a script is installed by default on AIX and HP-UX systems. 
@@ -240,10 +240,9 @@ Notes on upgrading from an older release option will remove all of the user's time stamps, not just the time stamp for the current terminal. - Lecture status is now stored separately from the time stamps - in a separate directory: /var/db/sudo/lectured, /var/lib/sudo/lectured - or /var/adm/sudo/lectured depending on what is present on the - system. + Lecture status is now stored separately from the time stamps in a + separate directory: `/var/db/sudo/lectured`, `/var/lib/sudo/lectured` + or `/var/adm/sudo/lectured` depending on what is present on the system. LDAP-based sudoers now uses a default search filter of (objectClass=sudoRole) for more efficient queries. It is @@ -255,7 +254,7 @@ Notes on upgrading from an older release Sudo now stores its libexec files in a "sudo" sub-directory instead of in libexec itself. For backward compatibility, if the plugin is not found in the default plugin directory, sudo - will check the parent directory default directory ends in "/sudo". + will check the parent directory default directory ends in `/sudo`. The default sudo plugins now all use the .so extension, regardless of the extension used by system shared libraries. For backward @@ -334,11 +333,11 @@ Notes on upgrading from an older release that uses the "noexec_file" option, you will need to move the definition to the sudo.conf file instead. - Old style in /etc/sudoers: + Old style in `/etc/sudoers`: Defaults noexec_file=/usr/local/libexec/sudo_noexec.so - New style in /etc/sudo.conf: + New style in `/etc/sudo.conf`: Path noexec /usr/local/libexec/sudo_noexec.so 
@@ -348,10 +347,10 @@ Notes on upgrading from an older release support policy and I/O logging plugins. The default policy plugin is "sudoers" which provides the traditional sudoers evaluation and I/O logging. Plugins are typically located in - /usr/libexec or /usr/local/libexec, though this is system-dependent. + `/usr/libexec` or `/usr/local/libexec`, though this is system-dependent. The sudoers plugin is named "sudoers.so" on most systems. - The sudo.conf file, usually stored in /etc, is used to configure + The sudo.conf file, usually stored in `/etc`, is used to configure plugins. This file is optional--if no plugins are specified in sudo.conf, the "sudoers" plugin is used. See the example sudo.conf file in the docs directory or refer to the updated @@ -362,11 +361,11 @@ Notes on upgrading from an older release "askpass" option, you will need to move the definition to the sudo.conf file. - Old style in /etc/sudoers: + Old style in `/etc/sudoers`: Defaults askpass=/usr/X11R6/bin/ssh-askpass - New style in /etc/sudo.conf: + New style in `/etc/sudo.conf`: Path askpass /usr/X11R6/bin/ssh-askpass 
@@ -395,11 +394,12 @@ Notes on upgrading from an older release * Upgrading from a version prior to 1.7.4: Starting with sudo 1.7.4, the time stamp files have moved from - /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. - The directories are checked for existence in that order. This - prevents users from receiving the sudo lecture every time the - system reboots. Time stamp files older than the boot time are - ignored on systems where it is possible to determine this. + `/var/run/sudo` to either `/var/db/sudo`, `/var/lib/sudo` or + `/var/adm/sudo`. The directories are checked for existence in + that order. This prevents users from receiving the sudo lecture + every time the system reboots. Time stamp files older than the + boot time are ignored on systems where it is possible to determine + this. Additionally, the tty_tickets sudoers option is now enabled by default. To restore the old behavior (single time stamp per user), @@ -438,9 +438,9 @@ Notes on upgrading from an older release ('#'). Otherwise, the comment may be interpreted as a user or group-ID. - When sudo is build with LDAP support the /etc/nsswitch.conf file is + When sudo is build with LDAP support the `/etc/nsswitch.conf` file is now used to determine the sudoers sea ch order. sudo will default to - only using /etc/sudoers unless /etc/nsswitch.conf says otherwise. + only using `/etc/sudoers` unless `/etc/nsswitch.conf` says otherwise. This can be changed with an nsswitch.conf line, e.g.: sudoers: ldap files @@ -450,7 +450,7 @@ Notes on upgrading from an older release `--with-nsswitch=no` flag. Sudo now ignores user .ldaprc files as well as system LDAP defaults. - All LDAP configuration is now in /etc/ldap.conf (or whichever file + All LDAP configuration is now in `/etc/ldap.conf` (or whichever file was specified by configure's `--with-ldap-conf-file` option). If you are using TLS, you may now need to specify: 
@@ -506,10 +506,10 @@ Notes on upgrading from an older release * Upgrading from a version prior to 1.6.8: - Prior to sudo 1.6.8, if /var/run did not exist, sudo would put - the time stamp files in /tmp/.odus. As of sudo 1.6.8, the - time stamp files will be placed in /var/adm/sudo or /usr/adm/sudo - if there is no /var/run directory. This directory will be + Prior to sudo 1.6.8, if `/var/run` did not exist, sudo would put + the time stamp files in `/tmp/.odus`. As of sudo 1.6.8, the + time stamp files will be placed in `/var/adm/sudo` or `/usr/adm/sudo` + if there is no `/var/run directory`. This directory will be created if it does not already exist. Previously, a sudoers entry that explicitly prohibited running @@ -530,22 +530,22 @@ Notes on upgrading from an older release millert ALL=(daemon) NOPASSWD:/usr/bin/whoami,/bin/ls - millert would be able to run /usr/bin/whoami as user daemon - without a password and /bin/ls as root with a password. + millert would be able to run `/usr/bin/whoami` as user daemon + without a password and `/bin/ls` as root with a password. As of sudo 1.6, the same line now means that millert is able - to run run both /usr/bin/whoami and /bin/ls as user daemon + to run run both `/usr/bin/whoami` and `/bin/ls` as user daemon without a password. To expand on this, take the following example: millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, (root) /bin/ls, \ /sbin/dump - millert can run /usr/bin/whoami as daemon and /bin/ls and - /sbin/dump as root. No password need be given for either + millert can run `/usr/bin/whoami` as daemon and `/bin/ls` and + `/sbin/dump` as root. No password need be given for either command. In other words, the "(root)" sets the default runas user to root for the rest of the list. If we wanted to require - a password for /bin/ls and /sbin/dump the line could be written + a password for `/bin/ls` and `/sbin/dump` the line could be written as: millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \ 
@@ -557,9 +557,9 @@ Notes on upgrading from an older release default, non-tty case, the time stamp on the directory itself is used. - Also, the temporary file used by visudo is now /etc/sudoers.tmp + Also, the temporary file used by visudo is now `/etc/sudoers.tmp` since some versions of vipw on systems with shadow passwords use - /etc/stmp for the temporary shadow file. + `/etc/stmp` for the temporary shadow file. * Upgrading from a version prior to 1.5:
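Review bot: The heading conventions move in opposite directions within this patch: the CONTRIBUTING.md hunk turns the ATX title `# Contributing to Sudo` into a setext `====` heading, while every README.LDAP.md hunk converts setext `====` headings into ATX `##`. If the rule is "document title in setext, section headings in ATX", say so in the commit message ("Minor formatting tweaks" does not explain it); otherwise pick one style for both files.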
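Review bot: In the TROUBLESHOOTING.md hunk at @@ -76,7, `touch /var/log/sudo` is a command but is left unmarked, while the hunk just above backticks `/usr/local/bin/sudo`; suggest `> to it (e.g. \`touch /var/log/sudo\`).` The colon after "e.g." is also unusual; the UPGRADE.md hunks in this same patch write "(e.g. AIX)" without one.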
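Review bot: In the UPGRADE.md hunk at @@ -44,7, only `error_recovery=false` is converted to a code span while the plugin names on the following context lines ("sudoers_audit", "sudoers_policy") stay in double quotes. Since these are literal sudo.conf identifiers, converting them in the same hunk keeps the notation consistent within the paragraph.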
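Review bot: In the UPGRADE.md hunk at @@ -66,7, `_ALL_` renders as emphasis, but `ALL` is a literal sudoers keyword and every other literal token this patch touches gets a code span; suggest `` including via the `ALL` alias. `` The adjacent "allow_unknown_runas_id" on the next context line is likewise left in double quotes.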
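Review bot: In the UPGRADE.md hunk at @@ -107,7, the rewritten line leaves a grammar error in place: the subject is compound ("the "sudoers2ldif" script and the `visudo -x` functionality"), so the next context line should read "have been superseded", not "has been". Also, "sudoers2ldif" and "cvtsudoers" remain in double quotes while `visudo -x` gets a code span in the same sentence.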
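Review bot: In the UPGRADE.md hunk at @@ -255,7, the touched line is still ungrammatical: "will check the parent directory default directory ends in `/sudo`." is missing a conjunction. Since the line is being rewritten anyway, suggest "will check the parent directory if the default directory ends in `/sudo`."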
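Review bot: In the UPGRADE.md hunk at @@ -348,10, the paths become code spans but "sudoers.so" on the context line between them stays in double quotes, and the rewritten line below keeps "optional--if" with a double hyphen where the rest of the file's prose uses plain punctuation. Both are in lines this hunk already touches or borders, so they could be tidied here.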
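Review bot: In the UPGRADE.md hunk at @@ -438,9, the rewritten line carries over a typo: "When sudo is build with LDAP support" should be "built". The following context line has "sudoers sea ch order", which should be "search order"; both lines are in the hunk's reach and can be fixed in the same change.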
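Review bot: In the UPGRADE.md hunk at @@ -506,10, the backtick is misplaced on the last added line: `` if there is no `/var/run directory`. `` encloses the word "directory" in the code span. It should be `` if there is no `/var/run` directory. `` to match the other three lines of the hunk.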
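Review bot: In the UPGRADE.md hunk at @@ -530,22, the rewritten line "to run run both `/usr/bin/whoami` and `/bin/ls` as user daemon" has a duplicated word; since the line is already being changed, drop the second "run".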