mirror of https://github.com/sudo-project/sudo.git synced 2025-08-28 12:57:50 +00:00

Fix problems found by igor. Bug #854

Todd C. Miller 2018-10-06 06:00:56 -06:00
parent a814da673f
commit dd6a6e4013
18 changed files with 101 additions and 101 deletions

View File

@ -162,7 +162,7 @@ DDEESSCCRRIIPPTTIIOONN
Run the command with the primary group set to _g_r_o_u_p instead Run the command with the primary group set to _g_r_o_u_p instead
of the primary group specified by the target user's password of the primary group specified by the target user's password
database entry. The _g_r_o_u_p may be either a group name or a database entry. The _g_r_o_u_p may be either a group name or a
numeric group ID (GID) prefixed with the `#' character (e.g. numeric group ID (GID) prefixed with the `#' character (e.g.,
#0 for GID 0). When running a command as a GID, many shells #0 for GID 0). When running a command as a GID, many shells
require that the `#' be escaped with a backslash (`\'). If require that the `#' be escaped with a backslash (`\'). If
no --uu option is specified, the command will be run as the no --uu option is specified, the command will be run as the
@ -318,7 +318,7 @@ DDEESSCCRRIIPPTTIIOONN
--uu _u_s_e_r, ----uusseerr=_u_s_e_r --uu _u_s_e_r, ----uusseerr=_u_s_e_r
Run the command as a user other than the default target user Run the command as a user other than the default target user
(usually _r_o_o_t). The _u_s_e_r may be either a user name or a (usually _r_o_o_t). The _u_s_e_r may be either a user name or a
numeric user ID (UID) prefixed with the `#' character (e.g. numeric user ID (UID) prefixed with the `#' character (e.g.,
#0 for UID 0). When running commands as a UID, many shells #0 for UID 0). When running commands as a UID, many shells
require that the `#' be escaped with a backslash (`\'). Some require that the `#' be escaped with a backslash (`\'). Some
security policies may restrict UIDs to those listed in the security policies may restrict UIDs to those listed in the
@ -344,7 +344,7 @@ DDEESSCCRRIIPPTTIIOONN
command line arguments. command line arguments.
Environment variables to be set for the command may also be passed on the Environment variables to be set for the command may also be passed on the
command line in the form of _V_A_R=_v_a_l_u_e, e.g. command line in the form of _V_A_R=_v_a_l_u_e, e.g.,
LD_LIBRARY_PATH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line LD_LIBRARY_PATH=_/_u_s_r_/_l_o_c_a_l_/_p_k_g_/_l_i_b. Variables passed on the command line
are subject to restrictions imposed by the security policy plugin. The are subject to restrictions imposed by the security policy plugin. The
_s_u_d_o_e_r_s policy subjects variables passed on the command line to the same _s_u_d_o_e_r_s policy subjects variables passed on the command line to the same
@ -659,4 +659,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.25 March 21, 2018 Sudo 1.8.25 Sudo 1.8.26 October 6, 2018 Sudo 1.8.26

View File

@ -20,7 +20,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDO" "8" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDO" "8" "October 6, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -346,7 +346,7 @@ may be either a group name or a numeric group ID
(GID) (GID)
prefixed with the prefixed with the
\(oq#\(cq \(oq#\(cq
character (e.g. character (e.g.,
\fR#0\fR \fR#0\fR
for GID 0). for GID 0).
When running a command as a GID, many shells require that the When running a command as a GID, many shells require that the
@ -603,7 +603,7 @@ may be either a user name or a numeric user ID
(UID) (UID)
prefixed with the prefixed with the
\(oq#\(cq \(oq#\(cq
character (e.g. character (e.g.,
\fR#0\fR \fR#0\fR
for UID 0). for UID 0).
When running commands as a UID, many shells require that the When running commands as a UID, many shells require that the
@ -653,7 +653,7 @@ should stop processing command line arguments.
Environment variables to be set for the command may also be passed Environment variables to be set for the command may also be passed
on the command line in the form of on the command line in the form of
\fIVAR\fR=\fIvalue\fR, \fIVAR\fR=\fIvalue\fR,
e.g.\& e.g.,
\fRLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR. \fRLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR.
Variables passed on the command line are subject to restrictions Variables passed on the command line are subject to restrictions
imposed by the security policy plugin. imposed by the security policy plugin.

View File

@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd March 21, 2018 .Dd October 6, 2018
.Dt SUDO @mansectsu@ .Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -313,7 +313,7 @@ may be either a group name or a numeric group ID
.Pq GID .Pq GID
prefixed with the prefixed with the
.Ql # .Ql #
character (e.g. character (e.g.,
.Li #0 .Li #0
for GID 0). for GID 0).
When running a command as a GID, many shells require that the When running a command as a GID, many shells require that the
@ -544,7 +544,7 @@ may be either a user name or a numeric user ID
.Pq UID .Pq UID
prefixed with the prefixed with the
.Ql # .Ql #
character (e.g. character (e.g.,
.Li #0 .Li #0
for UID 0). for UID 0).
When running commands as a UID, many shells require that the When running commands as a UID, many shells require that the
@ -592,7 +592,7 @@ should stop processing command line arguments.
Environment variables to be set for the command may also be passed Environment variables to be set for the command may also be passed
on the command line in the form of on the command line in the form of
.Ar VAR Ns = Ns Ar value , .Ar VAR Ns = Ns Ar value ,
e.g.\& e.g.,
.Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib . .Ev LD_LIBRARY_PATH Ns = Ns Pa /usr/local/pkg/lib .
Variables passed on the command line are subject to restrictions Variables passed on the command line are subject to restrictions
imposed by the security policy plugin. imposed by the security policy plugin.

View File

@ -164,7 +164,7 @@ DDEESSCCRRIIPPTTIIOONN
network_addrs=list network_addrs=list
A space-separated list of IP network addresses and A space-separated list of IP network addresses and
netmasks in the form "addr/netmask", e.g. netmasks in the form "addr/netmask", e.g.,
"192.168.1.2/255.255.255.0". The address and netmask "192.168.1.2/255.255.255.0". The address and netmask
pairs may be either IPv4 or IPv6, depending on what the pairs may be either IPv4 or IPv6, depending on what the
operating system supports. If the address contains a operating system supports. If the address contains a
@ -241,12 +241,12 @@ DDEESSCCRRIIPPTTIIOONN
user's home directory. user's home directory.
sudoedit=bool sudoedit=bool
Set to true when the --ee flag is is specified or if Set to true when the --ee flag is specified or if invoked
invoked as ssuuddooeeddiitt. The plugin shall substitute an as ssuuddooeeddiitt. The plugin shall substitute an editor
editor into _a_r_g_v in the cchheecckk__ppoolliiccyy() function or into _a_r_g_v in the cchheecckk__ppoolliiccyy() function or return -2
return -2 with a usage error if the plugin does not with a usage error if the plugin does not support
support _s_u_d_o_e_d_i_t. For more information, see the _s_u_d_o_e_d_i_t. For more information, see the _c_h_e_c_k___p_o_l_i_c_y
_c_h_e_c_k___p_o_l_i_c_y section. section.
timeout=string timeout=string
User-specified command timeout. Not all plugins User-specified command timeout. Not all plugins
@ -1648,4 +1648,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.25 June 1, 2018 Sudo 1.8.25 Sudo 1.8.26 October 6, 2018 Sudo 1.8.26

View File

@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDO_PLUGIN" "5" "June 1, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO_PLUGIN" "5" "October 6, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -290,7 +290,7 @@ network_addrs=list
A space-separated list of IP network addresses and netmasks in the A space-separated list of IP network addresses and netmasks in the
form form
\(lqaddr/netmask\(rq, \(lqaddr/netmask\(rq,
e.g.\& e.g.,
\(lq192.168.1.2/255.255.255.0\(rq. \(lq192.168.1.2/255.255.255.0\(rq.
The address and netmask pairs may be either IPv4 or IPv6, depending on The address and netmask pairs may be either IPv4 or IPv6, depending on
what the operating system supports. what the operating system supports.
@ -399,7 +399,7 @@ environment variable to the target user's home directory.
sudoedit=bool sudoedit=bool
Set to true when the Set to true when the
\fB\-e\fR \fB\-e\fR
flag is is specified or if invoked as flag is specified or if invoked as
\fBsudoedit\fR. \fBsudoedit\fR.
The plugin shall substitute an editor into The plugin shall substitute an editor into
\fIargv\fR \fIargv\fR

View File

@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd June 1, 2018 .Dd October 6, 2018
.Dt SUDO_PLUGIN @mansectform@ .Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -265,7 +265,7 @@ This will only be present if there is a corresponding setting in
A space-separated list of IP network addresses and netmasks in the A space-separated list of IP network addresses and netmasks in the
form form
.Dq addr/netmask , .Dq addr/netmask ,
e.g.\& e.g.,
.Dq 192.168.1.2/255.255.255.0 . .Dq 192.168.1.2/255.255.255.0 .
The address and netmask pairs may be either IPv4 or IPv6, depending on The address and netmask pairs may be either IPv4 or IPv6, depending on
what the operating system supports. what the operating system supports.
@ -359,7 +359,7 @@ environment variable to the target user's home directory.
.It sudoedit=bool .It sudoedit=bool
Set to true when the Set to true when the
.Fl e .Fl e
flag is is specified or if invoked as flag is specified or if invoked as
.Nm sudoedit . .Nm sudoedit .
The plugin shall substitute an editor into The plugin shall substitute an editor into
.Em argv .Em argv

View File

@ -11,7 +11,7 @@ DDEESSCCRRIIPPTTIIOONN
policy information in LDAP, please see sudoers.ldap(4). policy information in LDAP, please see sudoers.ldap(4).
CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss
ssuuddoo consults the sudo.conf(4) file to determine which policy and and I/O ssuuddoo consults the sudo.conf(4) file to determine which policy and I/O
logging plugins to load. If no sudo.conf(4) file is present, or if it logging plugins to load. If no sudo.conf(4) file is present, or if it
contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and
I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss
@ -22,7 +22,7 @@ DDEESSCCRRIIPPTTIIOONN
Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to
the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if
present, should be listed after the path to the plugin (i.e. after present, should be listed after the path to the plugin (i.e., after
_s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white _s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white
space. For example: space. For example:
@ -309,7 +309,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
be enclosed in double quotes to avoid the need for escaping special be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in escaped characters. Alternately, special characters may be specified in escaped
hex mode, e.g. \x20 for space. When using double quotes, any prefix hex mode, e.g., \x20 for space. When using double quotes, any prefix
characters must be included inside the quotes. characters must be included inside the quotes.
The actual nonunix_group and nonunix_gid syntax depends on the underlying The actual nonunix_group and nonunix_gid syntax depends on the underlying
@ -345,7 +345,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
User_Aliases it can contain Runas_Aliases. Note that user names and User_Aliases it can contain Runas_Aliases. Note that user names and
groups are matched as strings. In other words, two users (groups) with groups are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to match the same uid (gid) are considered to be distinct. If you wish to match
all user names with the same uid (e.g. root and toor), you can use a uid all user names with the same uid (e.g., root and toor), you can use a uid
instead (#0 in the example given). instead (#0 in the example given).
Host_List ::= Host | Host_List ::= Host |
@ -366,8 +366,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
host's network interfaces and, if the network number corresponds to one host's network interfaces and, if the network number corresponds to one
of the hosts's network interfaces, will use the netmask of that of the hosts's network interfaces, will use the netmask of that
interface. The netmask may be specified either in standard IP address interface. The netmask may be specified either in standard IP address
notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
(number of bits, e.g. 24 or 64). A host name may include shell-style (number of bits, e.g., 24 or 64). A host name may include shell-style
wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name
command on your machine returns the fully qualified host name, you'll command on your machine returns the fully qualified host name, you'll
need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo
@ -931,7 +931,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional. characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional.
The following characters must be escaped with a backslash (`\') when used The following characters must be escaped with a backslash (`\') when used
as part of a word (e.g. a user name or host name): `!', `=', `:', `,', as part of a word (e.g., a user name or host name): `!', `=', `:', `,',
`(', `)', `\'. `(', `)', `\'.
SSUUDDOOEERRSS OOPPTTIIOONNSS SSUUDDOOEERRSS OOPPTTIIOONNSS
@ -1504,10 +1504,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
terminal, _u_s_e___p_t_y has no effect. terminal, _u_s_e___p_t_y has no effect.
A malicious program run under ssuuddoo may be capable of A malicious program run under ssuuddoo may be capable of
injecting injecting commands into the user's terminal injecting commands into the user's terminal or running
or running a background process that retains access to a background process that retains access to the user's
the user's terminal device even after the main program terminal device even after the main program has
has finished executing. By running the command in a finished executing. By running the command in a
separate pseudo-pty, this attack is no longer possible. separate pseudo-pty, this attack is no longer possible.
This flag is _o_f_f by default. This flag is _o_f_f by default.
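Review bot: "pseudo-pty" in the closing sentence of this paragraph ("By running the command in a separate pseudo-pty, this attack is no longer possible.") is redundant, since pty already stands for pseudo-terminal. While the paragraph is being touched for the doubled "injecting", change it to "pseudo-terminal" or plain "pty" in the manual source so the regenerated pages pick it up.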
@ -1665,7 +1665,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
%{seq} %{seq}
expanded to a monotonically increasing base-36 expanded to a monotonically increasing base-36
sequence number, such as 0100A5, where every two sequence number, such as 0100A5, where every two
digits are used to form a new directory, e.g. digits are used to form a new directory, e.g.,
_0_1_/_0_0_/_A_5 _0_1_/_0_0_/_A_5
%{user} %{user}
@ -1677,11 +1677,11 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
%{runas_user} %{runas_user}
expanded to the login name of the user the expanded to the login name of the user the
command will be run as (e.g. root) command will be run as (e.g., root)
%{runas_group} %{runas_group}
expanded to the group name of the user the expanded to the group name of the user the
command will be run as (e.g. wheel) command will be run as (e.g., wheel)
%{hostname} %{hostname}
expanded to the local host name without the expanded to the local host name without the
@ -1743,9 +1743,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
file permissions will always include the owner read and file permissions will always include the owner read and
write bits, even if they are not present in the write bits, even if they are not present in the
specified mode. When creating I/O log directories, specified mode. When creating I/O log directories,
search (execute) bits are added to to match the read search (execute) bits are added to match the read and
and write bits specified by _i_o_l_o_g___m_o_d_e. Defaults to write bits specified by _i_o_l_o_g___m_o_d_e. Defaults to 0600
0600 (read and write by user only). (read and write by user only).
This setting is only supported by version 1.8.19 or This setting is only supported by version 1.8.19 or
higher. higher.
@ -2232,8 +2232,8 @@ LLOOGG FFOORRMMAATT
username The login name of the user who ran ssuuddoo. username The login name of the user who ran ssuuddoo.
ttyname The short name of the terminal (e.g. "console", "tty01", or ttyname The short name of the terminal (e.g., "console", "tty01",
"pts/0") ssuuddoo was run on, or "unknown" if there was no or "pts/0") ssuuddoo was run on, or "unknown" if there was no
terminal present. terminal present.
cwd The current working directory that ssuuddoo was run in. cwd The current working directory that ssuuddoo was run in.
@ -2927,4 +2927,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.26 September 24, 2018 Sudo 1.8.26 Sudo 1.8.26 October 6, 2018 Sudo 1.8.26

View File

@ -20,7 +20,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "September 24, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "October 6, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -51,7 +51,7 @@ sudoers.ldap(@mansectform@).
\fBsudo\fR \fBsudo\fR
consults the consults the
sudo.conf(@mansectform@) sudo.conf(@mansectform@)
file to determine which policy and and I/O logging plugins to load. file to determine which policy and I/O logging plugins to load.
If no If no
sudo.conf(@mansectform@) sudo.conf(@mansectform@)
file is present, or if it contains no file is present, or if it contains no
@ -80,7 +80,7 @@ plugin in the
sudo.conf(@mansectform@) sudo.conf(@mansectform@)
file. file.
These arguments, if present, should be listed after the path to the plugin These arguments, if present, should be listed after the path to the plugin
(i.e.\& after (i.e., after
\fIsudoers.so\fR). \fIsudoers.so\fR).
Multiple arguments may be specified, separated by white space. Multiple arguments may be specified, separated by white space.
For example: For example:
@ -707,7 +707,7 @@ or
may be enclosed in double quotes to avoid the may be enclosed in double quotes to avoid the
need for escaping special characters. need for escaping special characters.
Alternately, special characters Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space. may be specified in escaped hex mode, e.g., \ex20 for space.
When When
using double quotes, any prefix characters must be included inside using double quotes, any prefix characters must be included inside
the quotes. the quotes.
@ -771,7 +771,7 @@ Note that
user names and groups are matched as strings. user names and groups are matched as strings.
In other words, two In other words, two
users (groups) with the same uid (gid) are considered to be distinct. users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\& If you wish to match all user names with the same uid (e.g.,
root and toor), you can use a uid instead (#0 in the example given). root and toor), you can use a uid instead (#0 in the example given).
.nf .nf
.sp .sp
@ -804,8 +804,8 @@ will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network if the network number corresponds to one of the hosts's network
interfaces, will use the netmask of that interface. interfaces, will use the netmask of that interface.
The netmask may be specified either in standard IP address notation The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64). or CIDR notation (number of bits, e.g., 24 or 64).
A host name may include shell-style wildcards (see the A host name may include shell-style wildcards (see the
\fIWildcards\fR \fIWildcards\fR
section below), section below),
@ -1994,7 +1994,7 @@ is optional.
.PP .PP
The following characters must be escaped with a backslash The following characters must be escaped with a backslash
(\(oq\e\(cq) (\(oq\e\(cq)
when used as part of a word (e.g.\& a user name or host name): when used as part of a word (e.g., a user name or host name):
\(oq\&!\(cq, \(oq\&!\(cq,
\(oq=\&\(cq, \(oq=\&\(cq,
\(oq:\&\(cq, \(oq:\&\(cq,
@ -3129,7 +3129,7 @@ has no effect.
.sp .sp
A malicious program run under A malicious program run under
\fBsudo\fR \fBsudo\fR
may be capable of injecting injecting commands into the user's may be capable of injecting commands into the user's
terminal or running a background process that retains access to the terminal or running a background process that retains access to the
user's terminal device even after the main program has finished user's terminal device even after the main program has finished
executing. executing.
@ -3407,7 +3407,7 @@ escape sequences are supported:
.TP 6n .TP 6n
\fR%{seq}\fR \fR%{seq}\fR
expanded to a monotonically increasing base-36 sequence number, such as 0100A5, expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.\& where every two digits are used to form a new directory, e.g.,
\fI01/00/A5\fR \fI01/00/A5\fR
.PD .PD
.TP 6n .TP 6n
@ -3419,11 +3419,11 @@ expanded to the name of the invoking user's real group ID
.TP 6n .TP 6n
\fR%{runas_user}\fR \fR%{runas_user}\fR
expanded to the login name of the user the command will expanded to the login name of the user the command will
be run as (e.g.\& root) be run as (e.g., root)
.TP 6n .TP 6n
\fR%{runas_group}\fR \fR%{runas_group}\fR
expanded to the group name of the user the command will expanded to the group name of the user the command will
be run as (e.g.\& wheel) be run as (e.g., wheel)
.TP 6n .TP 6n
\fR%{hostname}\fR \fR%{hostname}\fR
expanded to the local host name without the domain name expanded to the local host name without the domain name
@ -3523,7 +3523,7 @@ are honored, everything else is ignored.
The file permissions will always include the owner read and The file permissions will always include the owner read and
write bits, even if they are not present in the specified mode. write bits, even if they are not present in the specified mode.
When creating I/O log directories, search (execute) bits are added When creating I/O log directories, search (execute) bits are added
to to match the read and write bits specified by to match the read and write bits specified by
\fIiolog_mode\fR. \fIiolog_mode\fR.
Defaults to 0600 (read and write by user only). Defaults to 0600 (read and write by user only).
.sp .sp
@ -4418,7 +4418,7 @@ The login name of the user who ran
\fBsudo\fR. \fBsudo\fR.
.TP 14n .TP 14n
ttyname ttyname
The short name of the terminal (e.g.\& The short name of the terminal (e.g.,
\(lqconsole\(rq, \(lqconsole\(rq,
\(lqtty01\(rq, \(lqtty01\(rq,
or or

View File

@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd September 24, 2018 .Dd October 6, 2018
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -50,7 +50,7 @@ in LDAP, please see
.Nm sudo .Nm sudo
consults the consults the
.Xr sudo.conf @mansectform@ .Xr sudo.conf @mansectform@
file to determine which policy and and I/O logging plugins to load. file to determine which policy and I/O logging plugins to load.
If no If no
.Xr sudo.conf @mansectform@ .Xr sudo.conf @mansectform@
file is present, or if it contains no file is present, or if it contains no
@ -76,7 +76,7 @@ plugin in the
.Xr sudo.conf @mansectform@ .Xr sudo.conf @mansectform@
file. file.
These arguments, if present, should be listed after the path to the plugin These arguments, if present, should be listed after the path to the plugin
(i.e.\& after (i.e., after
.Pa sudoers.so ) . .Pa sudoers.so ) .
Multiple arguments may be specified, separated by white space. Multiple arguments may be specified, separated by white space.
For example: For example:
@ -681,7 +681,7 @@ or
may be enclosed in double quotes to avoid the may be enclosed in double quotes to avoid the
need for escaping special characters. need for escaping special characters.
Alternately, special characters Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space. may be specified in escaped hex mode, e.g., \ex20 for space.
When When
using double quotes, any prefix characters must be included inside using double quotes, any prefix characters must be included inside
the quotes. the quotes.
@ -741,7 +741,7 @@ Note that
user names and groups are matched as strings. user names and groups are matched as strings.
In other words, two In other words, two
users (groups) with the same uid (gid) are considered to be distinct. users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\& If you wish to match all user names with the same uid (e.g.,
root and toor), you can use a uid instead (#0 in the example given). root and toor), you can use a uid instead (#0 in the example given).
.Bd -literal .Bd -literal
Host_List ::= Host | Host_List ::= Host |
@ -771,8 +771,8 @@ will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network if the network number corresponds to one of the hosts's network
interfaces, will use the netmask of that interface. interfaces, will use the netmask of that interface.
The netmask may be specified either in standard IP address notation The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64). or CIDR notation (number of bits, e.g., 24 or 64).
A host name may include shell-style wildcards (see the A host name may include shell-style wildcards (see the
.Sx Wildcards .Sx Wildcards
section below), section below),
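Review bot: "hosts's" in the first context line of this hunk ("if the network number corresponds to one of the hosts's network interfaces") is still misspelled and should read "host's", matching "the local host's network interfaces" in the hunk header line. The same wording appears in the other two renderings of this paragraph in this commit, so it is worth fixing in the same pass as the "e.g.," punctuation.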
@ -1867,7 +1867,7 @@ is optional.
.Pp .Pp
The following characters must be escaped with a backslash The following characters must be escaped with a backslash
.Pq Ql \e .Pq Ql \e
when used as part of a word (e.g.\& a user name or host name): when used as part of a word (e.g., a user name or host name):
.Ql \&! , .Ql \&! ,
.Ql =\& , .Ql =\& ,
.Ql :\& , .Ql :\& ,
@ -2942,7 +2942,7 @@ has no effect.
.Pp .Pp
A malicious program run under A malicious program run under
.Nm sudo .Nm sudo
may be capable of injecting injecting commands into the user's may be capable of injecting commands into the user's
terminal or running a background process that retains access to the terminal or running a background process that retains access to the
user's terminal device even after the main program has finished user's terminal device even after the main program has finished
executing. executing.
@ -3206,7 +3206,7 @@ escape sequences are supported:
.Bl -tag -width 4n .Bl -tag -width 4n
.It Li %{seq} .It Li %{seq}
expanded to a monotonically increasing base-36 sequence number, such as 0100A5, expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.\& where every two digits are used to form a new directory, e.g.,
.Pa 01/00/A5 .Pa 01/00/A5
.It Li %{user} .It Li %{user}
expanded to the invoking user's login name expanded to the invoking user's login name
@ -3214,10 +3214,10 @@ expanded to the invoking user's login name
expanded to the name of the invoking user's real group ID expanded to the name of the invoking user's real group ID
.It Li %{runas_user} .It Li %{runas_user}
expanded to the login name of the user the command will expanded to the login name of the user the command will
be run as (e.g.\& root) be run as (e.g., root)
.It Li %{runas_group} .It Li %{runas_group}
expanded to the group name of the user the command will expanded to the group name of the user the command will
be run as (e.g.\& wheel) be run as (e.g., wheel)
.It Li %{hostname} .It Li %{hostname}
expanded to the local host name without the domain name expanded to the local host name without the domain name
.It Li %{command} .It Li %{command}
@ -3311,7 +3311,7 @@ are honored, everything else is ignored.
The file permissions will always include the owner read and The file permissions will always include the owner read and
write bits, even if they are not present in the specified mode. write bits, even if they are not present in the specified mode.
When creating I/O log directories, search (execute) bits are added When creating I/O log directories, search (execute) bits are added
to to match the read and write bits specified by to match the read and write bits specified by
.Em iolog_mode . .Em iolog_mode .
Defaults to 0600 (read and write by user only). Defaults to 0600 (read and write by user only).
.Pp .Pp
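Review bot: the sentence on I/O log directories, corrected here from "to to match" to "to match", still leaves the resulting directory mode implicit. The paragraph closes with "Defaults to 0600 (read and write by user only)", which describes files; by the rule stated in the corrected sentence, directories created under that default would be 0700. Stating the directory default next to the file default would save administrators who audit log permissions from having to derive it.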
@ -4112,7 +4112,7 @@ This field is only present when logging via
The login name of the user who ran The login name of the user who ran
.Nm sudo . .Nm sudo .
.It ttyname .It ttyname
The short name of the terminal (e.g.\& The short name of the terminal (e.g.,
.Dq console , .Dq console ,
.Dq tty01 , .Dq tty01 ,
or or

@ -115,8 +115,8 @@ LLOOCCKKIINNGG
Records of type TS_GLOBAL cannot be locked for a long period of time Records of type TS_GLOBAL cannot be locked for a long period of time
since doing so would interfere with other ssuuddoo processes. Instead, a since doing so would interfere with other ssuuddoo processes. Instead, a
separate lock record is used to prevent multiple ssuuddoo processes using the separate lock record is used to prevent multiple ssuuddoo processes using the
same terminal (or parent process ID) from from prompting for a password same terminal (or parent process ID) from prompting for a password as the
as the same time. same time.
SSEEEE AALLSSOO SSEEEE AALLSSOO
sudoers(4), sudo(1m) sudoers(4), sudo(1m)
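Review bot: the rewrapped LOCKING sentence drops the doubled "from from" but still ends "prompting for a password as the same time"; "as" should be "at". The paragraph is already being reflowed here, so the wording can be corrected in the same change.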
@ -198,4 +198,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.25 December 21, 2017 Sudo 1.8.25 Sudo 1.8.26 October 6, 2018 Sudo 1.8.26

@ -1,6 +1,6 @@
.\" Automatically generated from an mdoc input file. Do not edit. .\" Automatically generated from an mdoc input file. Do not edit.
.\" .\"
.\" Copyright (c) 2017 Todd C. Miller <Todd.Miller@sudo.ws> .\" Copyright (c) 2017-2018 Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDOERS_TIMESTAMP" "5" "December 21, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS_TIMESTAMP" "5" "October 6, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -211,7 +211,7 @@ processes.
Instead, a separate lock record is used to prevent multiple Instead, a separate lock record is used to prevent multiple
\fBsudo\fR \fBsudo\fR
processes using the same terminal (or parent process ID) from processes using the same terminal (or parent process ID) from
from prompting for a password as the same time. prompting for a password as the same time.
.SH "SEE ALSO" .SH "SEE ALSO"
sudoers(@mansectform@), sudoers(@mansectform@),
sudo(@mansectsu@) sudo(@mansectsu@)

@ -1,5 +1,5 @@
.\" .\"
.\" Copyright (c) 2017 Todd C. Miller <Todd.Miller@sudo.ws> .\" Copyright (c) 2017-2018 Todd C. Miller <Todd.Miller@sudo.ws>
.\" .\"
.\" Permission to use, copy, modify, and distribute this software for any .\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above .\" purpose with or without fee is hereby granted, provided that the above
@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd December 21, 2017 .Dd October 6, 2018
.Dt SUDOERS_TIMESTAMP @mansectform@ .Dt SUDOERS_TIMESTAMP @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -199,7 +199,7 @@ processes.
Instead, a separate lock record is used to prevent multiple Instead, a separate lock record is used to prevent multiple
.Nm sudo .Nm sudo
processes using the same terminal (or parent process ID) from processes using the same terminal (or parent process ID) from
from prompting for a password as the same time. prompting for a password as the same time.
.Sh SEE ALSO .Sh SEE ALSO
.Xr sudoers @mansectform@ , .Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@ .Xr sudo @mansectsu@
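Review bot: in the changed line "prompting for a password as the same time.", only the duplicated "from" was removed; "as the same time" should read "at the same time". This file uses mdoc macros (.Nm, .Sh, .Xr), so it is the place to correct the wording, with the copy marked "Automatically generated from an mdoc input file" regenerated afterwards.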

@ -15,7 +15,7 @@ DDEESSCCRRIIPPTTIIOONN
line options. line options.
The _I_D should either be a six character sequence of digits and upper case The _I_D should either be a six character sequence of digits and upper case
letters, e.g. 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option in the letters, e.g., 0100A5, or a pattern matching the _i_o_l_o_g___f_i_l_e option in the
_s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t enabled in _s_u_d_o_e_r_s file. When a command is run via ssuuddoo with _l_o_g___o_u_t_p_u_t enabled in
the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or to the ssuuddoo the _s_u_d_o_e_r_s file, a TSID=ID string is logged via syslog or to the ssuuddoo
log file. The _I_D may also be determined using ssuuddoorreeppllaayy's list mode. log file. The _I_D may also be determined using ssuuddoorreeppllaayy's list mode.
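Review bot: the ID description on the changed line ("a six character sequence of digits and upper case letters, e.g., 0100A5") does not say how the value relates to the %{seq} escape, which the sudoers manual touched by this same commit describes as a base-36 sequence number such as 0100A5 that forms the directory 01/00/A5. Using the same term here, or naming that directory layout, would help someone mapping a logged TSID=ID string to the files on disk.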
@ -97,7 +97,7 @@ DDEESSCCRRIIPPTTIIOONN
tty _t_t_y _n_a_m_e tty _t_t_y _n_a_m_e
Evaluates to true if the command was run on the Evaluates to true if the command was run on the
specified terminal device. The _t_t_y _n_a_m_e should be specified terminal device. The _t_t_y _n_a_m_e should be
specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 specified without the _/_d_e_v_/ prefix, e.g., _t_t_y_0_1
instead of _/_d_e_v_/_t_t_y_0_1. instead of _/_d_e_v_/_t_t_y_0_1.
user _u_s_e_r _n_a_m_e user _u_s_e_r _n_a_m_e
@ -120,7 +120,7 @@ DDEESSCCRRIIPPTTIIOONN
session includes long pauses. When the --mm option is session includes long pauses. When the --mm option is
specified, ssuuddoorreeppllaayy will limit these pauses to at most specified, ssuuddoorreeppllaayy will limit these pauses to at most
_m_a_x___w_a_i_t seconds. The value may be specified as a floating _m_a_x___w_a_i_t seconds. The value may be specified as a floating
point number, e.g. _2_._5. A _m_a_x___w_a_i_t of zero or less will point number, e.g., _2_._5. A _m_a_x___w_a_i_t of zero or less will
eliminate the pauses entirely. eliminate the pauses entirely.
--nn, ----nnoonn--iinntteerraaccttiivvee --nn, ----nnoonn--iinntteerraaccttiivvee
@ -300,4 +300,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.26 October 5, 2018 Sudo 1.8.26 Sudo 1.8.26 October 6, 2018 Sudo 1.8.26

@ -15,7 +15,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDOREPLAY" "8" "October 5, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDOREPLAY" "8" "October 6, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -48,7 +48,7 @@ adjusted (faster or slower) based on the command line options.
The The
\fIID\fR \fIID\fR
should either be a six character sequence of digits and should either be a six character sequence of digits and
upper case letters, e.g.\& upper case letters, e.g.,
\fR0100A5\fR, \fR0100A5\fR,
or a pattern matching the or a pattern matching the
\fIiolog_file\fR \fIiolog_file\fR
@ -195,7 +195,7 @@ The
\fItty name\fR \fItty name\fR
should be specified without the should be specified without the
\fI/dev/\fR \fI/dev/\fR
prefix, e.g.\& prefix, e.g.,
\fItty01\fR \fItty01\fR
instead of instead of
\fI/dev/tty01\fR. \fI/dev/tty01\fR.
@ -237,7 +237,7 @@ option is specified,
will limit these pauses to at most will limit these pauses to at most
\fImax_wait\fR \fImax_wait\fR
seconds. seconds.
The value may be specified as a floating point number, e.g.\& The value may be specified as a floating point number, e.g.,
\fI2.5\fR. \fI2.5\fR.
A A
\fImax_wait\fR \fImax_wait\fR

@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd October 5, 2018 .Dd October 6, 2018
.Dt SUDOREPLAY @mansectsu@ .Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -46,7 +46,7 @@ adjusted (faster or slower) based on the command line options.
The The
.Em ID .Em ID
should either be a six character sequence of digits and should either be a six character sequence of digits and
upper case letters, e.g.\& upper case letters, e.g.,
.Li 0100A5 , .Li 0100A5 ,
or a pattern matching the or a pattern matching the
.Em iolog_file .Em iolog_file
@ -178,7 +178,7 @@ The
.Ar tty name .Ar tty name
should be specified without the should be specified without the
.Pa /dev/ .Pa /dev/
prefix, e.g.\& prefix, e.g.,
.Pa tty01 .Pa tty01
instead of instead of
.Pa /dev/tty01 . .Pa /dev/tty01 .
@ -218,7 +218,7 @@ option is specified,
will limit these pauses to at most will limit these pauses to at most
.Em max_wait .Em max_wait
seconds. seconds.
The value may be specified as a floating point number, e.g.\& The value may be specified as a floating point number, e.g.,
.Em 2.5 . .Em 2.5 .
A A
.Em max_wait .Em max_wait

@ -102,7 +102,7 @@ DDEESSCCRRIIPPTTIIOONN
Starting with ssuuddoo 1.8.12, vviissuuddoo will also parse the arguments to the Starting with ssuuddoo 1.8.12, vviissuuddoo will also parse the arguments to the
_s_u_d_o_e_r_s plugin to override the default _s_u_d_o_e_r_s path name, UID, GID and _s_u_d_o_e_r_s plugin to override the default _s_u_d_o_e_r_s path name, UID, GID and
file mode. These arguments, if present, should be listed after the path file mode. These arguments, if present, should be listed after the path
to the plugin (i.e. after _s_u_d_o_e_r_s_._s_o). Multiple arguments may be to the plugin (i.e., after _s_u_d_o_e_r_s_._s_o). Multiple arguments may be
specified, separated by white space. For example: specified, separated by white space. For example:
Plugin sudoers_policy sudoers.so sudoers_mode=0400 Plugin sudoers_policy sudoers.so sudoers_mode=0400
@ -222,4 +222,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.25 January 26, 2018 Sudo 1.8.25 Sudo 1.8.26 October 6, 2018 Sudo 1.8.26

@ -20,7 +20,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "VISUDO" "8" "January 26, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "VISUDO" "8" "October 6, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -273,7 +273,7 @@ plugin to override the default
\fIsudoers\fR \fIsudoers\fR
path name, UID, GID and file mode. path name, UID, GID and file mode.
These arguments, if present, should be listed after the path to the plugin These arguments, if present, should be listed after the path to the plugin
(i.e.\& after (i.e., after
\fIsudoers.so\fR). \fIsudoers.so\fR).
Multiple arguments may be specified, separated by white space. Multiple arguments may be specified, separated by white space.
For example: For example:

@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd January 26, 2018 .Dd October 6, 2018
.Dt VISUDO @mansectsu@ .Dt VISUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -267,7 +267,7 @@ plugin to override the default
.Em sudoers .Em sudoers
path name, UID, GID and file mode. path name, UID, GID and file mode.
These arguments, if present, should be listed after the path to the plugin These arguments, if present, should be listed after the path to the plugin
(i.e.\& after (i.e., after
.Pa sudoers.so ) . .Pa sudoers.so ) .
Multiple arguments may be specified, separated by white space. Multiple arguments may be specified, separated by white space.
For example: For example: