mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00

username -> user name

groupname -> group name
hostname -> host name
Todd C. Miller 2009-12-19 21:44:06 +00:00
parent 00c89f0145
commit e007e2ad4d
15 changed files with 475 additions and 497 deletions

sudo.cat

@ -10,16 +10,18 @@ NNAAMMEE
SSYYNNOOPPSSIISS
ssuuddoo --hh | --KK | --kk | --LL | --VV
ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t]
ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t]
[--uu _u_s_e_r_n_a_m_e|_#_u_i_d]
ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t]
[--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d]
ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t]
[--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d]
ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d]
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d]
ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-]
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e]
[--ii | --ss] [_c_o_m_m_a_n_d]
ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d]
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ...
ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-]
[--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ...
DDEESSCCRRIIPPTTIIOONN
ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or
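Review bot: the unchanged context line `[--uu _u_s_e_r_n_a_m_e|_#_u_i_d]` on the `-v` form keeps the one-word spelling while the `-l[l]`, plain and sudoedit forms in this hunk switch to `_u_s_e_r _n_a_m_e`; sudo.cat is generated, so the fix belongs in sudo.pod (same omission there) followed by a regeneration. Also note that the old `-v` line `ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t]` lacked the `-g` argument that the pre-change sudo.pod already had, so part of this hunk is catch-up from a stale formatted page rather than the rename; saying so in the commit message would help later readers.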
@ -56,12 +58,10 @@ DDEESSCCRRIIPPTTIIOONN
has been invoked. It also allows the --ee option to remain useful even
when being run via a sudo-run script or program. Note however, that
the sudoers lookup is still done for root, not the user specified by
SUDO_USER.
1.7.2 September 24, 2009 1
1.7.3b2 December 19, 2009 1
@ -70,6 +70,8 @@ DDEESSCCRRIIPPTTIIOONN
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_USER.
ssuuddoo can log both successful and unsuccessful attempts (as well as
errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log
via _s_y_s_l_o_g(3) but this is changeable at configure time or via the
@ -122,12 +124,10 @@ OOPPTTIIOONNSS
-E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the
_e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when
either the matching command has the SETENV tag or the
_s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4).
1.7.2 September 24, 2009 2
1.7.3b2 December 19, 2009 2
@ -136,6 +136,9 @@ OOPPTTIIOONNSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
either the matching command has the SETENV tag or the
_s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4).
-e The --ee (_e_d_i_t) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
lieu of a command, the string "sudoedit" is used when
@ -187,13 +190,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
login shell. This means that login-specific resource files
such as .profile or .login will be read by the shell. If a
command is specified, it is passed to the shell for
execution. Otherwise, an interactive shell is executed.
ssuuddoo attempts to change to that user's home directory
before running the shell. It also initializes the
1.7.2 September 24, 2009 3
1.7.3b2 December 19, 2009 3
@ -202,6 +202,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
execution. Otherwise, an interactive shell is executed.
ssuuddoo attempts to change to that user's home directory
before running the shell. It also initializes the
environment, leaving _D_I_S_P_L_A_Y and _T_E_R_M unchanged, setting
_H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, as well as the
contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t on Linux and AIX systems. All
@ -225,10 +228,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
prompt for a password (if one is required by _s_u_d_o_e_r_s) and
will not update the user's timestamp file.
-L The --LL (_l_i_s_t defaults) option will list out the parameters
that may be set in a _D_e_f_a_u_l_t_s line along with a short
description for each. This option is useful in conjunction
with _g_r_e_p(1).
-L The --LL (_l_i_s_t defaults) option will list the parameters that
may be set in a _D_e_f_a_u_l_t_s line along with a short
description for each. This option will be removed from a
future version of ssuuddoo.
-l[l] [_c_o_m_m_a_n_d]
If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list
@ -253,13 +256,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported:
1.7.2 September 24, 2009 4
1.7.3b2 December 19, 2009 4
@ -268,11 +268,15 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
%H expanded to the local hostname including the domain
name (on if the machine's hostname is fully qualified
-p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported:
%H expanded to the local host name including the domain
name (on if the machine's host name is fully qualified
or the _f_q_d_n _s_u_d_o_e_r_s option is set)
%h expanded to the local hostname without the domain name
%h expanded to the local host name without the domain name
%p expanded to the user whose password is being asked for
(respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in
@ -318,14 +322,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
number and exit. If the invoking user is already root the
--VV option will print out a list of the defaults ssuuddoo was
compiled with as well as the machine's local network
addresses.
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's timestamp, prompting for the user's password if
1.7.2 September 24, 2009 5
1.7.3b2 December 19, 2009 5
@ -334,6 +334,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
addresses.
-v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the
user's timestamp, prompting for the user's password if
necessary. This extends the ssuuddoo timeout for another 5
minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but
does not run a command.
@ -384,14 +388,10 @@ SSEECCUURRIITTYY NNOOTTEESS
default _e_n_v___r_e_s_e_t behavior is encouraged.
In all cases, environment variables with a value beginning with () are
removed as they could be interpreted as bbaasshh functions. The list of
environment variables that ssuuddoo allows or denies is contained in the
output of sudo -V when run as root.
1.7.2 September 24, 2009 6
1.7.3b2 December 19, 2009 6
@ -400,6 +400,10 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
removed as they could be interpreted as bbaasshh functions. The list of
environment variables that ssuuddoo allows or denies is contained in the
output of sudo -V when run as root.
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including ssuuddoo. Depending on the operating system
@ -450,14 +454,10 @@ EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables:
EDITOR Default editor to use in --ee (sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set
HOME In --ss or --HH mode (or if sudo was configured with the
--enable-shell-sets-home option), set to homedir of the
1.7.2 September 24, 2009 7
1.7.3b2 December 19, 2009 7
@ -466,6 +466,10 @@ EENNVVIIRROONNMMEENNTT
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_EDITOR nor VISUAL is set
HOME In --ss or --HH mode (or if sudo was configured with the
--enable-shell-sets-home option), set to homedir of the
target user
PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option
@ -516,14 +520,10 @@ EEXXAAMMPPLLEESS
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
$ sudo -u yaz ls ~yaz
To edit the _i_n_d_e_x_._h_t_m_l file as user www:
1.7.2 September 24, 2009 8
1.7.3b2 December 19, 2009 8
@ -532,6 +532,10 @@ EEXXAAMMPPLLEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
$ sudo -u yaz ls ~yaz
To edit the _i_n_d_e_x_._h_t_m_l file as user www:
$ sudo -u www vi ~www/htdocs/index.html
To view system logs only accessible to root and users in the adm group:
@ -582,14 +586,10 @@ CCAAVVEEAATTSS
If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
Running shell scripts via ssuuddoo can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
1.7.2 September 24, 2009 9
1.7.3b2 December 19, 2009 9
@ -598,6 +598,10 @@ CCAAVVEEAATTSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
elements in the user specification.
Running shell scripts via ssuuddoo can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
BBUUGGSS
@ -651,10 +655,6 @@ DDIISSCCLLAAIIMMEERR
1.7.2 September 24, 2009 10
1.7.3b2 December 19, 2009 10


@ -19,18 +19,10 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
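Review bot: the preamble churn in this hunk (Pod::Man 2.16 to 2.22 and the dropped `.de Sh` macro definition, with the matching `.Sh` to `.SS` comment change in the next hunk) is the output of a newer generator, not part of the username/hostname rename; either regenerate with the same Pod::Man as the previous commit or call the generator bump out in the commit message so nobody hunts for a corresponding source change.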
@ -74,7 +66,7 @@
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
@ -153,7 +145,7 @@
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.TH SUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@ -166,28 +158,29 @@ sudo, sudoedit \- execute a command as another user
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-p\fR\ \fIprompt\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
.PP
\&\fBsudoedit\fR [\fB\-AnS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ...
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
@ -368,9 +361,9 @@ timestamp file. As a result, \fBsudo\fR will prompt for a password
timestamp file.
.IP "\-L" 12
.IX Item "-L"
The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
that may be set in a \fIDefaults\fR line along with a short description
for each. This option is useful in conjunction with \fIgrep\fR\|(1).
The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
may be set in a \fIDefaults\fR line along with a short description for
each. This option will be removed from a future version of \fBsudo\fR.
.IP "\-l[l] [\fIcommand\fR]" 12
.IX Item "-l[l] [command]"
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
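Review bot: the `-L` rewording (`will list the parameters that` ... `This option will be removed from a future version of \fBsudo\fR.`) has no matching hunk in the sudo.pod diff of this commit, so it is an earlier pod change being picked up by regeneration rather than part of the rename; mention that in the commit message or commit the regenerated files separately so the rename stays reviewable on its own.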
@ -403,13 +396,13 @@ escapes are supported:
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
expanded to the local hostname including the domain name
(on if the machine's hostname is fully qualified or the \fIfqdn\fR
expanded to the local host name including the domain name
(on if the machine's host name is fully qualified or the \fIfqdn\fR
\&\fIsudoers\fR option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
expanded to the local hostname without the domain name
expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"


@ -31,29 +31,29 @@ B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V>
B<sudo> B<-v> [B<-AknS>]
S<[B<-a> I<auth_type>]>
S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<username>|I<#uid>]>
B<sudo> B<-l[l]> [B<-AknS>]
S<[B<-a> I<auth_type>]>
S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> [I<command>]
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
B<sudo> [B<-AbEHnPS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-r> I<role>]> S<[B<-t> I<type>]>
S<[B<-u> I<username>|I<#uid>]>
S<[B<-u> I<user name>|I<#uid>]>
S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
B<sudoedit> [B<-AnS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<username>|I<#uid>]> file ...
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<user name>|I<#uid>]> file ...
=head1 DESCRIPTION
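Review bot: `S<[B<-u> I<username>|I<#uid>]>` on the `-v` form is the only `-u` argument left as one word; the `-l[l]`, plain and sudoedit forms all change to `I<user name>`, as does the `-U` argument. Change it here too and regenerate sudo.man.in and sudo.cat, which inherit the inconsistency on their own `-v` lines. More generally, a metavariable with an embedded space is hard to tell from two separate tokens in a synopsis even inside `S<>`; a single token such as `I<user>` or `I<user_name>` would read more clearly.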
@ -298,13 +298,13 @@ escapes are supported:
=item C<%H>
expanded to the local hostname including the domain name
(on if the machine's hostname is fully qualified or the I<fqdn>
expanded to the local host name including the domain name
(on if the machine's host name is fully qualified or the I<fqdn>
I<sudoers> option is set)
=item C<%h>
expanded to the local hostname without the domain name
expanded to the local host name without the domain name
=item C<%p>
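Review bot: `(on if the machine's host name is fully qualified` carries over a typo from the old text; `on if` should read `only if`. Since the line is being rewritten anyway, fix it here so sudo.man.in and sudo.cat (which show the same `on if` under `%H`) pick it up on regeneration.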


@ -20,8 +20,7 @@ DDEESSCCRRIIPPTTIIOONN
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.
QQuuiicckk gguuiiddee ttoo EEBBNNFF
QQuuiicckk gguuiiddee ttoo EEBBNNFF
EBNF is a concise and exact way of describing the grammar of a
language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g.,
@ -45,8 +44,7 @@ DDEESSCCRRIIPPTTIIOONN
will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
AAlliiaasseess
AAlliiaasseess
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
and Cmnd_Alias.
@ -59,9 +57,11 @@ DDEESSCCRRIIPPTTIIOONN
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
1.7.2 September 24, 2009 1
1.7.3b2 December 19, 2009 1
@ -71,8 +71,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
@ -94,23 +92,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
User_List ::= User |
User ',' User_List
User ::= '!'* username |
User ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
'!'* '%:'nonunix_group |
'!'* User_Alias
A User_List is made up of one or more usernames, uids (prefixed with
A User_List is made up of one or more user names, uids (prefixed with
'#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
and User_Aliases. Each list item may be prefixed with zero or more '!'
operators. An odd number of '!' operators negate the value of the
item; an even number just cancel each other out.
A username, group, netgroup and nonunix_groups may be enclosed in
double quotes to avoid the need for escaping special characters.
Alternately, special characters may be specified in escaped hex mode,
e.g. \x20 for space.
A user name, group, netgroup or nonunix_group may be enclosed in double
quotes to avoid the need for escaping special characters. Alternately,
special characters may be specified in escaped hex mode, e.g. \x20 for
space.
The nonunix_group syntax depends on the underlying implementation. For
instance, the QAS AD backend supports the following formats:
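Review bot: `User ::= '!'* user name |` puts a space inside a grammar symbol; the surrounding EBNF treats names as single tokens (`nonunix_group`, `User_Alias`, and the manual's own "symbol name" wording), so `user name` now reads as two symbols. Keep the production a single token (e.g. `user_name`, or leave `username` inside the grammar) and apply the two-word spelling only in prose such as "one or more user names"; the same applies to `Runas_Member ::= '!'* user name` and `Host ::= '!'* host name` in the next hunk.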
@ -124,10 +122,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and the '@' symbol.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
1.7.2 September 24, 2009 2
1.7.3b2 December 19, 2009 2
@ -136,32 +136,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* username |
Runas_Member ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
'!'* Runas_Alias
A Runas_List is similar to a User_List except that instead of
User_Aliases it can contain Runas_Aliases. Note that usernames and
User_Aliases it can contain Runas_Aliases. Note that user names and
groups are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to match
all usernames with the same uid (e.g. root and toor), you can use a uid
instead (#0 in the example given).
all user names with the same uid (e.g. root and toor), you can use a
uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
Host ::= '!'* hostname |
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
A Host_List is made up of one or more hostnames, IP addresses, network
A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
specify a netmask along with the network number, ssuuddoo will query each
@ -169,17 +167,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
corresponds to one of the hosts's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard
IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
CIDR notation (number of bits, e.g. 24 or 64). A hostname may include
CIDR notation (number of bits, e.g. 24 or 64). A host name may include
shell-style wildcards (see the Wildcards section below), but unless the
hostname command on your machine returns the fully qualified hostname,
you'll need to use the _f_q_d_n option for wildcards to be useful.
host name command on your machine returns the fully qualified host
name, you'll need to use the _f_q_d_n option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
commandname ::= filename |
filename args |
filename '""'
commandname ::= file name |
file name args |
file name '""'
Cmnd ::= '!'* commandname |
'!'* directory |
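Review bot: `host name command on your machine returns the fully qualified host name` renames the hostname(1) command itself; the first `hostname` on that line is the program name and must stay `hostname command`, as the fqdn description later in this diff correctly keeps it (`as returned by the hostname command`). In the same hunk, `commandname ::= file name |` splits `filename` but leaves `commandname` as one word on the left-hand side, so either rename both or neither. This is a generated page, so make the changes in the pod source and regenerate.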
@ -187,13 +185,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
'!'* Cmnd_Alias
A Cmnd_List is a list of one or more commandnames, directories, and
other aliases. A commandname is a fully qualified filename which may
other aliases. A commandname is a fully qualified file name which may
include shell-style wildcards (see the Wildcards section below). A
simple filename allows the user to run the command with any arguments
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
1.7.2 September 24, 2009 3
1.7.3b2 December 19, 2009 3
@ -202,10 +202,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
that the command may only be run wwiitthhoouutt command line arguments. A
directory is a fully qualified pathname ending in a '/'. When you
directory is a fully qualified path name ending in a '/'. When you
specify a directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories therein).
@ -217,8 +215,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It
may take command line arguments just as a normal command does.
DDeeffaauullttss
DDeeffaauullttss
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
@ -256,10 +253,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
not exist in a list.
Defaults entries are parsed in the following order: generic, host and
user Defaults first, then runas Defaults and finally command defaults.
See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
1.7.2 September 24, 2009 4
1.7.3b2 December 19, 2009 4
@ -268,12 +268,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
user Defaults first, then runas Defaults and finally command defaults.
See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
UUsseerr SSppeecciiffiiccaattiioonn
UUsseerr SSppeecciiffiiccaattiioonn
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
@ -294,8 +289,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The basic structure of a user specification is `who = where (as_whom)
what'. Let's break that down into its constituent parts:
RRuunnaass__SSppeecc
RRuunnaass__SSppeecc
A Runas_Spec determines the user and/or the group that a command may be
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
defined above) separated by a colon (':') and enclosed in a set of
@ -323,9 +317,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
1.7.2 September 24, 2009 5
1.7.3b2 December 19, 2009 5
@ -334,11 +334,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l
and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
We can extend this to allow ddggbb to run /bin/ls with either the user or
group set to ooppeerraattoorr:
@ -352,8 +347,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
TTaagg__SSppeecc
TTaagg__SSppeecc
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
NOSETENV, TRANSCRIPT and NOTRANSCRIPT. Once a tag is set on a Cmnd,
@ -388,10 +382,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
pertain to the current host. This behavior may be overridden via the
verifypw and listpw options.
_N_O_E_X_E_C _a_n_d _E_X_E_C
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.
1.7.2 September 24, 2009 6
1.7.3b2 December 19, 2009 6
@ -400,12 +400,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_N_O_E_X_E_C _a_n_d _E_X_E_C
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled.
@ -430,12 +424,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
basis. For more information, see the description of _t_r_a_n_s_c_r_i_p_t in the
"SUDOERS OPTIONS" section below.
WWiillddccaarrddss
WWiillddccaarrddss
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be
used in hostnames, pathnames and command line arguments in the _s_u_d_o_e_r_s
file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and _f_n_m_a_t_c_h(3)
routines. Note that these are _n_o_t regular expressions.
used in host names, path names and command line arguments in the
_s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and
_f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions.
* Matches any set of zero or more characters.
@ -454,10 +447,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
/bin/ls [[\:alpha\:]]*
Would match any file name beginning with a letter.
Note that a forward slash ('/') will nnoott be matched by wildcards used
in the path name. When matching the command line arguments, however, a
slash ddooeess get matched by wildcards. This is to make a path like:
/usr/bin/*
1.7.2 September 24, 2009 7
1.7.3b2 December 19, 2009 7
@ -466,26 +466,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Would match any filename beginning with a letter.
Note that a forward slash ('/') will nnoott be matched by wildcards used
in the pathname. When matching the command line arguments, however, a
slash ddooeess get matched by wildcards. This is to make a path like:
/usr/bin/*
match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
_s_u_d_o_e_r_s entry it means that command is not allowed to be run
with aannyy arguments.
IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s
file currently being parsed using the #include and #includedir
directives.
@ -505,8 +495,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
A hard limit of 128 nested include files is enforced to prevent include
file loops.
The filename may include the %h escape, signifying the short form of
the hostname. I.e., if the machine's hostname is "xerxes", then
The file name may include the %h escape, signifying the short form of
the host name. I.e., if the machine's host name is "xerxes", then
#include /etc/sudoers.%h
@ -520,18 +510,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that
end in ~ or contain a . character to avoid causing problems with
1.7.2 September 24, 2009 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
package manager or editor temporary/backup files. Files are parsed in
sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed
before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is
@ -542,10 +520,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Note that unlike files included via #include, vviissuuddoo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run vviissuuddoo with the -f flag to edit the
1.7.3b2 December 19, 2009 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
files directly.
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
The pound sign ('#') is used to indicate a comment (unless it is part
of a #include directive or unless it occurs in the context of a user
name and is followed by one or more digits, in which case it is treated
@ -573,7 +562,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g. a username or hostname): '@', '!', '=',
used as part of a word (e.g. a user name or host name): '@', '!', '=',
':', ',', '(', ')', '\'.
SSUUDDOOEERRSS OOPPTTIIOONNSS
@ -586,18 +575,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
always_set_home If set, ssuuddoo will set the HOME environment variable to
the home directory of the target user (which is root
unless the --uu option is used). This effectively means
1.7.2 September 24, 2009 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
that the --HH option is always implied. This flag is _o_f_f
by default.
@ -609,10 +586,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
closefrom_override
If set, the user may use ssuuddoo's --CC option which
1.7.3b2 December 19, 2009 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
overrides the default starting point at which ssuuddoo
begins closing open file descriptors. This flag is _o_f_f
by default.
compress_transcript
If set, and the _t_r_a_n_s_c_r_i_p_t flag is also set, ssuuddoo will
compress the transcript logs using zzlliibb. This flag is
_o_n by default when ssuuddoo is compiled with zzlliibb support.
env_editor If set, vviissuuddoo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
@ -634,28 +628,34 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
variable. This flag is _o_n by default.
fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell-
style globbing when matching pathnames. However, since
it accesses the file system, _g_l_o_b(3) can take a long
time to complete for some patterns, especially when the
pattern references a network file system that is
mounted on demand (automounted). The _f_a_s_t___g_l_o_b option
causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, which does
not access the file system to do its matching. The
disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match
relative pathnames such as _._/_l_s or _._._/_b_i_n_/_l_s. This
flag is _o_f_f by default.
style globbing when matching path names. However,
since it accesses the file system, _g_l_o_b(3) can take a
long time to complete for some patterns, especially
when the pattern references a network file system that
is mounted on demand (automounted). The _f_a_s_t___g_l_o_b
option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function,
which does not access the file system to do its
matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is
unable to match relative path names such as _._/_l_s or
_._._/_b_i_n_/_l_s. This flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified
hostnames in the _s_u_d_o_e_r_s file. I.e., instead of myhost
you would use myhost.mydomain.edu. You may still use
the short form if you wish (and even mix the two).
Beware that turning on _f_q_d_n requires ssuuddoo to make DNS
lookups which may make ssuuddoo unusable if DNS stops
working (for example if the machine is not plugged into
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
that turning on _f_q_d_n requires ssuuddoo to make DNS lookups
which may make ssuuddoo unusable if DNS stops working (for
example if the machine is not plugged into the
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
1.7.2 September 24, 2009 10
1.7.3b2 December 19, 2009 10
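Review bot: in the reflowed fqdn text, "returned by the hostname command" correctly keeps "hostname" as one word because it names the hostname(1) utility, but since this commit splits every other "hostname" into "host name", mark it as a command the way the same entry marks _g_l_o_b(3) and _f_n_m_a_t_c_h(3), e.g. "_h_o_s_t_n_a_m_e(1)", so a later search-and-replace pass does not turn it into "host name" and lose the reference.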
@ -664,12 +664,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
issues and the fact that there is no way to get all
aliases from DNS. If your machine's hostname (as
returned by the hostname command) is already fully
qualified you shouldn't need to set _f_q_d_n. This flag is
_o_f_f by default.
@ -693,8 +687,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
insults If set, ssuuddoo will insult users when they enter an
incorrect password. This flag is _o_f_f by default.
log_host If set, the hostname will be logged in the (non-syslog)
ssuuddoo log file. This flag is _o_f_f by default.
log_host If set, the host name will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
log_year If set, the four-digit year will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
@ -718,10 +712,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
allowed to run commands on the current host. This flag
is _o_f_f by default.
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is allowed to use ssuuddoo but the command
they are trying is not listed in their _s_u_d_o_e_r_s file
entry or is explicitly denied. This flag is _o_f_f by
default.
1.7.2 September 24, 2009 11
1.7.3b2 December 19, 2009 11
@ -730,12 +730,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is allowed to use ssuuddoo but the command
they are trying is not listed in their _s_u_d_o_e_r_s file
entry or is explicitly denied. This flag is _o_f_f by
default.
mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the
invoking user is not in the _s_u_d_o_e_r_s file. This flag is
_o_n by default.
@ -784,10 +778,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to a real tty. When this flag is set, ssuuddoo can only be
run from a login session and not via other means such
as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by
default.
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
this prevents users from "chaining" ssuuddoo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
1.7.2 September 24, 2009 12
1.7.3b2 December 19, 2009 12
@ -796,12 +796,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default.
root_sudo If set, root is allowed to run ssuuddoo too. Disabling
this prevents users from "chaining" ssuuddoo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o
will also prevent root and from running ssuuddooeeddiitt.
Disabling _r_o_o_t___s_u_d_o provides no real additional
security; it exists purely for historical reasons.
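Review bot: the root_sudo context line "will also prevent root and from running ssuuddooeeddiitt" has a stray "and"; since this commit is already a wording pass over this page, drop it so the sentence reads "will also prevent root from running sudoedit".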
@ -850,10 +844,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
stay_setuid Normally, when ssuuddoo executes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes ssuuddoo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
1.7.2 September 24, 2009 13
1.7.3b2 December 19, 2009 13
@ -862,21 +862,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes ssuuddoo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
This flag is _o_f_f by default.
targetpw If set, ssuuddoo will prompt for the password of the user
specified by the --uu option (defaults to root) instead
of the password of the invoking user. Note that this
precludes the use of a uid not listed in the passwd
database as an argument to the --uu option. This flag is
_o_f_f by default.
of the password of the invoking user. In addition, the
timestamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
--uu option. This flag is _o_f_f by default.
transcript If set, ssuuddoo will log a transcript of the command being
run, similar to the _s_c_r_i_p_t(1) command. In this mode
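Review bot: the targetpw entry gains a behavioural statement ("In addition, the timestamp file name will include the target user's name") that the commit message (username -> user name, groupname -> group name, hostname -> host name) does not mention; either call it out in the message or split it into its own commit so the change is findable in the history. The sentence would also read better with its purpose attached, presumably that a timestamp obtained for one target user does not satisfy a later command run as a different target user; if that is the intent, say so.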
@ -916,10 +911,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
use_loginclass If set, ssuuddoo will apply the defaults specified for the
target user's login class if one exists. Only
available if ssuuddoo is configured with the
--with-logincap option. This flag is _o_f_f by default.
visiblepw By default, ssuuddoo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
1.7.2 September 24, 2009 14
1.7.3b2 December 19, 2009 14
@ -928,11 +928,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
--with-logincap option. This flag is _o_f_f by default.
visiblepw By default, ssuuddoo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
things like "rsh somehost sudo ls" since _r_s_h(1) does
@ -960,16 +955,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
the option to disable word wrap).
passwd_timeout Number of minutes before the ssuuddoo password prompt times
out. The default is 5; set this to 0 for no password
out. The timeout may include a fractional component if
minute granularity is insufficient, for example 2.5.
The default is 5; set this to 0 for no password
timeout.
timestamp_timeout
Number of minutes that can elapse before ssuuddoo will ask
for a passwd again. The default is 5. Set this to 0
to always prompt for a password. If set to a value
less than 0 the user's timestamp will never expire.
This can be used to allow users to create or delete
their own timestamps via sudo -v and sudo -k
for a passwd again. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
value less than 0 the user's timestamp will never
expire. This can be used to allow users to create or
delete their own timestamps via sudo -v and sudo -k
respectively.
umask Umask to use when running the command. Negate this
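Review bot: the rewritten timestamp_timeout text still says "before ssuuddoo will ask for a passwd again"; since the line is being rewritten anyway, change "passwd" to "password" (the same entry uses "password" two sentences later, and "passwd" elsewhere on this page refers to the passwd database or passwd(1)). As with targetpw, the fractional-minute wording for passwd_timeout and timestamp_timeout is a documentation change the commit message does not mention.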
@ -985,7 +984,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.2 September 24, 2009 15
1.7.3b2 December 19, 2009 15
@ -1006,8 +1006,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
your system.
mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape
%h will expand to the hostname of the machine. Default
is *** SECURITY information for %h ***.
%h will expand to the host name of the machine.
Default is *** SECURITY information for %h ***.
noexec_file Path to a shared library containing dummy versions of
the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions
@ -1021,11 +1021,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
environment variable. The following percent (`%')
escapes are supported:
%H expanded to the local hostname including the domain
name (on if the machine's hostname is fully
%H expanded to the local host name including the
domain name (on if the machine's host name is fully
qualified or the _f_q_d_n option is set)
%h expanded to the local hostname without the domain
%h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
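Review bot: the rewritten %H line keeps "(on if the machine's host name is fully qualified or the _f_q_d_n option is set)"; "on if" should be "only if". The line is already being rewrapped in this hunk, so fix it here.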
@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.2 September 24, 2009 16
1.7.3b2 December 19, 2009 16
@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.2 September 24, 2009 17
1.7.3b2 December 19, 2009 17
@ -1177,13 +1177,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
_e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This
option is @secure_path@ by default.
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
1.7.2 September 24, 2009 18
1.7.3b2 December 19, 2009 18
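Review bot: replacing "@secure_path@ by default" with the literal "not set by default" in the secure_path entry drops the configure-time substitution, so this pre-formatted page will be wrong for any build configured with a secure path, and secure_path is exactly the setting an administrator checks when hardening PATH for commands run via sudo. If the .cat file cannot carry the substitution, phrase it conditionally (e.g. "whether this option is set by default depends on how sudo was configured") rather than asserting it is unset. This is also unrelated to the rename the commit message describes.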
@ -1249,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.2 September 24, 2009 19
1.7.3b2 December 19, 2009 19
@ -1315,7 +1315,7 @@ EEXXAAMMPPLLEESS
1.7.2 September 24, 2009 20
1.7.3b2 December 19, 2009 20
@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.2 September 24, 2009 21
1.7.3b2 December 19, 2009 21
@ -1419,7 +1419,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user ppeettee is allowed to change anyone's password except for root on
the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take
multiple usernames on the command line.
multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
@ -1447,7 +1447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.2 September 24, 2009 22
1.7.3b2 December 19, 2009 22
@ -1513,7 +1513,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
1.7.2 September 24, 2009 23
1.7.3b2 December 19, 2009 23
@ -1579,7 +1579,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.7.2 September 24, 2009 24
1.7.3b2 December 19, 2009 24
@ -1608,8 +1608,8 @@ CCAAVVEEAATTSS
syntactically incorrect _s_u_d_o_e_r_s file.
When using netgroups of machines (as opposed to users), if you store
fully qualified hostnames in the netgroup (as is usually the case), you
either need to have the machine's hostname be fully qualified as
fully qualified host name in the netgroup (as is usually the case), you
either need to have the machine's host name be fully qualified as
returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s.
BBUUGGSS
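Review bot: the rewritten CAVEATS line loses the plural: "fully qualified hostnames in the netgroup" became "fully qualified host name in the netgroup", but the sentence is about netgroups of machines and the following clause still refers to "the machine's host name" in the singular for contrast. Make it "fully qualified host names in the netgroup".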
@ -1645,6 +1645,6 @@ DDIISSCCLLAAIIMMEERR
1.7.2 September 24, 2009 25
1.7.3b2 December 19, 2009 25
@ -52,16 +52,16 @@ DDEESSCCRRIIPPTTIIOONN
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr
The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP
container.
Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
1.7.2 June 11, 2009 1
1.7.3b2 December 19, 2009 1
@ -70,7 +70,6 @@ DDEESSCCRRIIPPTTIIOONN
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
found, the multi-valued sudoOption attribute is parsed in the same
manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
@ -127,7 +126,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.2 June 11, 2009 2
1.7.3b2 December 19, 2009 2
@ -144,8 +144,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
sudoHost: ALL
sudoCommand: ALL
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp
When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
@ -154,8 +153,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
@ -190,10 +188,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
objectClass: top
cn: role2
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
1.7.2 June 11, 2009 3
1.7.3b2 December 19, 2009 3
@ -202,8 +202,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
@ -224,8 +222,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
sudoHost: ALL
sudoHost: !web01
SSuuddooeerrss SScchheemmaa
SSuuddooeerrss SScchheemmaa
In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
@ -238,8 +235,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES
section.
CCoonnffiigguurriinngg llddaapp..ccoonnff
CCoonnffiigguurriinngg llddaapp..ccoonnff
Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo
@ -256,10 +252,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
UURRII ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
either llddaapp or llddaappss, the latter being for servers that support TLS
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
1.7.2 June 11, 2009 4
1.7.3b2 December 19, 2009 4
@ -268,10 +268,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be
either llddaapp or llddaappss, the latter being for servers that support TLS
(SSL) encryption. If no _p_o_r_t is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified,
ssuuddoo will connect to llooccaallhhoosstt. Only systems using the OpenSSL
libraries support the mixing of ldap:// and ldaps:// URIs. The
Netscape-derived libraries used on most commercial versions of Unix
@ -322,10 +318,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
identity. By default, most LDAP servers will allow anonymous
access.
BBIINNDDPPWW secret
The BBIINNDDPPWW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
BBIINNDDDDNN parameter.
1.7.2 June 11, 2009 5
1.7.3b2 December 19, 2009 5
@ -334,11 +334,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
BBIINNDDPPWW secret
The BBIINNDDPPWW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
BBIINNDDDDNN parameter.
RROOOOTTBBIINNDDDDNN DN
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
@ -389,9 +384,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
OpenLDAP:
tls_cert /etc/ssl/client_cert.pem
Netscape-derived:
1.7.2 June 11, 2009 6
1.7.3b2 December 19, 2009 6
@ -400,10 +400,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
OpenLDAP:
tls_cert /etc/ssl/client_cert.pem
Netscape-derived:
tls_cert /var/ldap/cert7.db
When using Netscape-derived libraries, this file may also contain
@ -455,9 +451,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
See the ldap.conf entry in the EXAMPLES section.
1.7.2 June 11, 2009 7
1.7.3b2 December 19, 2009 7
@ -466,10 +466,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
See the ldap.conf entry in the EXAMPLES section.
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff
Unless it is disabled at build time, ssuuddoo consults the Name Service
Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order.
Sudo looks for a line beginning with sudoers: and uses this to
@ -502,8 +499,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
operating system does not use an nsswitch.conf file.
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
_/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
_n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
@ -521,9 +517,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
To treat LDAP as authoratative and only use the local sudoers file if
the user is not present in LDAP, use:
sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user
1.7.2 June 11, 2009 8
1.7.3b2 December 19, 2009 8
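Review bot: two typos survive in the lines this hunk rewraps: "authoratative" (should be "authoritative") in "To treat LDAP as authoratative", and "qualfier" (should be "qualifier") in "the auth qualfier only affects user lookups". Both lines are already touched by the reflow, so fix them here; the old copy of the "qualfier" line in the next hunk goes away with the rewrap.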
@ -532,9 +532,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user
lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries.
If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers
@ -550,8 +547,7 @@ FFIILLEESS
_/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX
EEXXAAMMPPLLEESS
EExxaammppllee llddaapp..ccoonnff
EExxaammppllee llddaapp..ccoonnff
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
@ -586,10 +582,14 @@ EEXXAAMMPPLLEESS
#
# LDAP protocol version, defaults to 3
#ldap_version 3
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
1.7.2 June 11, 2009 9
1.7.3b2 December 19, 2009 9
@ -598,10 +598,6 @@ EEXXAAMMPPLLEESS
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
@ -652,10 +648,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
1.7.2 June 11, 2009 10
1.7.3b2 December 19, 2009 10
@ -664,24 +664,19 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL username>
# sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL username for root access>
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include
line in slapd.conf and restart ssllaappdd.
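Review bot: the sample ldap.conf comment "If using SASL authentication for LDAP (OpenSSL)" sits directly above the two sasl_auth_id lines this hunk changes; SASL binds are a feature of the OpenLDAP client library (with Cyrus SASL), not of OpenSSL, so the parenthetical looks like it should read "(OpenLDAP)". Since the surrounding lines are being edited, correct it in the same pass.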
@ -718,10 +713,15 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1.7.2 June 11, 2009 11
1.7.3b2 December 19, 2009 11
@ -730,11 +730,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
@ -787,6 +782,11 @@ DDIISSCCLLAAIIMMEERR
1.7.2 June 11, 2009 12
1.7.3b2 December 19, 2009 12
@ -15,18 +15,10 @@
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $Sudo$
.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
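Review bot: this hunk removes the ".de Sh" subsection macro from the generated preamble (Pod::Man 2.16 to 2.22), so every remaining ".Sh" call in the file must be converted to ".SS" or nroff will emit warnings and drop the headings; the later hunks convert the ones shown, but confirm with a grep that no ".Sh" remains outside the visible hunks. The regenerated-preamble churn comes from the Pod::Man upgrade rather than from the rename and is worth a sentence in the commit message.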
@ -70,7 +62,7 @@
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
@ -149,7 +141,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
.TH SUDOERS.LDAP @mansectform@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.TH SUDOERS.LDAP @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@ -201,7 +193,7 @@ to have multiple users listed in a sudoRole. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
a sudoRole that contains the commands and assign multiple users
to it.
.Sh "SUDOers \s-1LDAP\s0 container"
.SS "SUDOers \s-1LDAP\s0 container"
.IX Subsection "SUDOers LDAP container"
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
container.
@ -271,7 +263,7 @@ on any host via \fBsudo\fR:
\& sudoHost: ALL
\& sudoCommand: ALL
.Ve
.Sh "Anatomy of \s-1LDAP\s0 sudoers lookup"
.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
.IX Subsection "Anatomy of LDAP sudoers lookup"
When looking up a sudoer using \s-1LDAP\s0 there are only two or three
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
@ -280,7 +272,7 @@ groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
@ -342,7 +334,7 @@ behave the way one might expect.
\& sudoHost: ALL
\& sudoHost: !web01
.Ve
.Sh "Sudoers Schema"
.SS "Sudoers Schema"
.IX Subsection "Sudoers Schema"
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
@ -355,7 +347,7 @@ be found in the \fBsudo\fR distribution.
.PP
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
section.
.Sh "Configuring ldap.conf"
.SS "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
@ -538,7 +530,7 @@ The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
.Sh "Configuring nsswitch.conf"
.SS "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Unless it is disabled at build time, \fBsudo\fR consults the Name
Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
@ -579,7 +571,7 @@ sudoers line, the following default is assumed:
.PP
Note that \fI@nsswitch_conf@\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
.Sh "Configuring netsvc.conf"
.SS "Configuring netsvc.conf"
.IX Subsection "Configuring netsvc.conf"
On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
@ -632,7 +624,7 @@ determines sudoers source order
determines sudoers source order on \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.Sh "Example ldap.conf"
.SS "Example ldap.conf"
.IX Subsection "Example ldap.conf"
.Vb 10
\& # Either specify one or more URIs or one or more host:port pairs.
@ -733,13 +725,13 @@ determines sudoers source order on \s-1AIX\s0
\& #
\& # If using SASL authentication for LDAP (OpenSSL)
\& # use_sasl yes
\& # sasl_auth_id <SASL username>
\& # sasl_auth_id <SASL user name>
\& # rootuse_sasl yes
\& # rootsasl_auth_id <SASL username for root access>
\& # rootsasl_auth_id <SASL user name for root access>
\& # sasl_secprops none
\& # krb5_ccname /etc/.ldapcache
.Ve
.Sh "Sudo schema for OpenLDAP"
.SS "Sudo schema for OpenLDAP"
.IX Subsection "Sudo schema for OpenLDAP"
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
@ -637,9 +637,9 @@ determines sudoers source order on AIX
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL username>
# sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL username for root access>
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
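Review bot: the same two sasl_auth_id lines are edited by hand in three places in this commit (this ldap.conf sample, the formatted sudoers.ldap.cat and the sudoers.ldap.man.in source), and the same "(OpenSSL)" comment appears in each. If the sample is going to stay duplicated, apply any correction to all three copies together, or generate the man page sample from this file so they cannot drift.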
@ -19,18 +19,10 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
@ -74,7 +66,7 @@
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
@ -153,7 +145,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@ -173,7 +165,7 @@ not necessarily the most specific match).
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
fairly simple, and the definitions below are annotated.
.Sh "Quick guide to \s-1EBNF\s0"
.SS "Quick guide to \s-1EBNF\s0"
.IX Subsection "Quick guide to EBNF"
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
@ -206,7 +198,7 @@ one or more times.
Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
.Sh "Aliases"
.SS "Aliases"
.IX Subsection "Aliases"
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
@ -250,7 +242,7 @@ The definitions of what constitutes a valid \fIalias\fR member follow.
\& User_List ::= User |
\& User \*(Aq,\*(Aq User_List
\&
\& User ::= \*(Aq!\*(Aq* username |
\& User ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
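Review bot: changing "username" to "user name" inside the EBNF production "User ::= '!'* username |" breaks the grammar rather than the prose: in EBNF a symbol is a single token, and "user name" now reads as two symbols, neither of which is defined. Keep terminal names as single tokens in the productions (e.g. "user_name", matching the existing "ip_addr" and "nonunix_group" style) and limit the two-word form to the running text.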
@ -258,13 +250,13 @@ The definitions of what constitutes a valid \fIalias\fR member follow.
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed
with '#'), system groups (prefixed with '%'), netgroups (prefixed
with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
.PP
A \f(CW\*(C`username\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR and \f(CW\*(C`nonunix_groups\*(C'\fR may
A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may
be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in
escaped hex mode, e.g. \ex20 for space.
@ -285,7 +277,7 @@ use a backslash (\e) to escape spaces and the '@' symbol.
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\&
\& Runas_Member ::= \*(Aq!\*(Aq* username |
\& Runas_Member ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
\& \*(Aq!\*(Aq* +netgroup |
@ -294,23 +286,23 @@ use a backslash (\e) to escape spaces and the '@' symbol.
.PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
usernames and groups are matched as strings. In other words, two
user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all usernames with the same uid (e.g.\ root
If you wish to match all user names with the same uid (e.g.\ root
and toor), you can use a uid instead (#0 in the example given).
.PP
.Vb 2
\& Host_List ::= Host |
\& Host \*(Aq,\*(Aq Host_List
\&
\& Host ::= \*(Aq!\*(Aq* hostname |
\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
@ -319,19 +311,19 @@ if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard \s-1IP\s0 address notation
(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A hostname may
or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
include shell-style wildcards (see the Wildcards section below),
but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
qualified hostname, you'll need to use the \fIfqdn\fR option for
but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
qualified host name, you'll need to use the \fIfqdn\fR option for
wildcards to be useful.
.PP
.Vb 2
\& Cmnd_List ::= Cmnd |
\& Cmnd \*(Aq,\*(Aq Cmnd_List
\&
\& commandname ::= filename |
\& filename args |
\& filename \*(Aq""\*(Aq
\& commandname ::= file name |
\& file name args |
\& file name \*(Aq""\*(Aq
\&
\& Cmnd ::= \*(Aq!\*(Aq* commandname |
\& \*(Aq!\*(Aq* directory |
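Review bot: the line `but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully` renames the hostname(1) command itself; that is a program name, not a phrase, and the fqdn hunk further down keeps it as `\f(CW\*(C`hostname\*(C'\fR command`, so this occurrence should stay `hostname` too. In the same hunk, `file name args` and `file name \*(Aq""\*(Aq` put a space inside a grammar symbol, so each production now reads as one symbol more than intended, while `commandname` on the unchanged line was left as a single word; keep `filename` in the EBNF (or use a spaceless form such as `file_name`) and restrict the "file name" wording to the prose. Since sudoers.man is Pod::Man output, both fixes belong in sudoers.pod, with the man page regenerated from it.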
@ -340,13 +332,13 @@ wildcards to be useful.
.Ve
.PP
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
aliases. A commandname is a fully qualified filename which may include
aliases. A commandname is a fully qualified file name which may include
shell-style wildcards (see the Wildcards section below). A simple
filename allows the user to run the command with any arguments he/she
file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
may only be run \fBwithout\fR command line arguments. A directory is a
fully qualified pathname ending in a '/'. When you specify a directory
fully qualified path name ending in a '/'. When you specify a directory
in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
(but not in any subdirectories therein).
.PP
@ -358,7 +350,7 @@ arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
.Sh "Defaults"
.SS "Defaults"
.IX Subsection "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
@ -403,7 +395,7 @@ and user Defaults first, then runas Defaults and finally command
defaults.
.PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
.Sh "User Specification"
.SS "User Specification"
.IX Subsection "User Specification"
.Vb 2
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
@ -426,7 +418,7 @@ run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
The basic structure of a user specification is `who = where (as_whom)
what'. Let's break that down into its constituent parts:
.Sh "Runas_Spec"
.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
@ -484,7 +476,7 @@ only the group will be set, the command still runs as user \fBtcm\fR.
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
.Sh "Tag_Spec"
.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
@ -562,10 +554,10 @@ be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
These tags override the value of the \fItranscript\fR option on a
per-command basis. For more information, see the description of
\&\fItranscript\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
.Sh "Wildcards"
.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
to be used in hostnames, pathnames and command line arguments in
to be used in host names, path names and command line arguments in
the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
regular expressions.
@ -600,10 +592,10 @@ escaped. For example:
\& /bin/ls [[\e:alpha\e:]]*
.Ve
.PP
Would match any filename beginning with a letter.
Would match any file name beginning with a letter.
.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
wildcards used in the pathname. When matching the command
wildcards used in the path name. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
wildcards. This is to make a path like:
.PP
@ -612,7 +604,7 @@ wildcards. This is to make a path like:
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
.Sh "Exceptions to wildcard rules"
.SS "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
@ -621,7 +613,7 @@ The following exceptions apply to the above rules:
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
.Sh "Including other files from within sudoers"
.SS "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
@ -645,8 +637,8 @@ Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.PP
The filename may include the \f(CW%h\fR escape, signifying the short form
of the hostname. I.e., if the machine's hostname is \*(L"xerxes\*(R", then
The file name may include the \f(CW%h\fR escape, signifying the short form
of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
.PP
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
@ -673,7 +665,7 @@ Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR wil
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
contains a syntax error. It is still possible to run \fBvisudo\fR
with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
.Sh "Other special characters and reserved words"
.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
@ -703,7 +695,7 @@ Whitespace between elements in a list as well as special syntactic
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g.\ a username or hostname):
used as part of a word (e.g.\ a user name or host name):
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
@ -729,6 +721,11 @@ This flag is \fIon\fR by default.
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
overrides the default starting point at which \fBsudo\fR begins
closing open file descriptors. This flag is \fIoff\fR by default.
.IP "compress_transcript" 16
.IX Item "compress_transcript"
If set, and the \fItranscript\fR flag is also set, \fBsudo\fR will compress
the transcript logs using \fBzlib\fR. This flag is \fIon\fR by default
when \fBsudo\fR is compiled with \fBzlib\fR support.
.IP "env_editor" 16
.IX Item "env_editor"
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
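Review bot: the new compress_transcript entry gives the default only for builds with zlib ("This flag is \fIon\fR by default when \fBsudo\fR is compiled with \fBzlib\fR support"); state what happens when sudo is built without zlib, i.e. whether the flag defaults to off, is ignored, or is rejected by visudo, so an administrator knows whether setting it in \fIsudoers\fR is an error on such a build.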
@ -752,17 +749,17 @@ This flag is \fIon\fR by default.
.IP "fast_glob" 16
.IX Item "fast_glob"
Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
globbing when matching pathnames. However, since it accesses the
globbing when matching path names. However, since it accesses the
file system, \fIglob\fR\|(3) can take a long time to complete for some
patterns, especially when the pattern references a network file
system that is mounted on demand (automounted). The \fIfast_glob\fR
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
not access the file system to do its matching. The disadvantage
of \fIfast_glob\fR is that it is unable to match relative pathnames
of \fIfast_glob\fR is that it is unable to match relative path names
such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
Set this flag if you want to put fully qualified hostnames in the
Set this flag if you want to put fully qualified host names in the
\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
@ -771,7 +768,7 @@ if the machine is not plugged into the network). Also note that
you must use the host's official name as \s-1DNS\s0 knows it. That is,
you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
issues and the fact that there is no way to get all aliases from
\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
command) is already fully qualified you shouldn't need to set
\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
.IP "ignore_dot" 16
@ -795,7 +792,7 @@ If set, \fBsudo\fR will insult users when they enter an incorrect
password. This flag is \fI@insults@\fR by default.
.IP "log_host" 16
.IX Item "log_host"
If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "log_year" 16
.IX Item "log_year"
@ -939,11 +936,12 @@ is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\
function. This flag is \fIoff\fR by default.
.IP "targetpw" 16
.IX Item "targetpw"
If set, \fBsudo\fR will prompt for the password of the user specified by
the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
invoking user. Note that this precludes the use of a uid not listed
in the passwd database as an argument to the \fB\-u\fR option.
This flag is \fIoff\fR by default.
If set, \fBsudo\fR will prompt for the password of the user specified
by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
of the invoking user. In addition, the timestamp file name will
include the target user's name. Note that this flag precludes the
use of a uid not listed in the passwd database as an argument to
the \fB\-u\fR option. This flag is \fIoff\fR by default.
.IP "transcript" 16
.IX Item "transcript"
If set, \fBsudo\fR will log a transcript of the command being run,
@ -1014,12 +1012,15 @@ effect on the syslog log file, only the file log. The default is
.IP "passwd_timeout" 16
.IX Item "passwd_timeout"
Number of minutes before the \fBsudo\fR password prompt times out.
The default is \f(CW\*(C`@password_timeout@\*(C'\fR; set this to \f(CW0\fR for no password timeout.
The timeout may include a fractional component if minute granularity
is insufficient, for example \f(CW2.5\fR. The default is \f(CW\*(C`@password_timeout@\*(C'\fR;
set this to \f(CW0\fR for no password timeout.
.IP "timestamp_timeout" 16
.IX Item "timestamp_timeout"
Number of minutes that can elapse before \fBsudo\fR will ask for a
passwd again. The default is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always
prompt for a password.
passwd again. The timeout may include a fractional component if
minute granularity is insufficient, for example \f(CW2.5\fR. The default
is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
If set to a value less than \f(CW0\fR the user's timestamp will never
expire. This can be used to allow users to create or delete their
own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
@ -1048,7 +1049,7 @@ on your system.
.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
will expand to the hostname of the machine.
will expand to the host name of the machine.
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
.IP "noexec_file" 16
.IX Item "noexec_file"
@ -1065,13 +1066,13 @@ The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
expanded to the local hostname including the domain name
(on if the machine's hostname is fully qualified or the \fIfqdn\fR
expanded to the local host name including the domain name
(on if the machine's host name is fully qualified or the \fIfqdn\fR
option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
expanded to the local hostname without the domain name
expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
@ -1468,7 +1469,7 @@ groups).
.PP
The user \fBpete\fR is allowed to change anyone's password except for
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
does not take multiple usernames on the command line.
does not take multiple user names on the command line.
.PP
.Vb 1
\& bob SPARC = (OP) ALL : SGI = (OP) ALL
@ -1651,8 +1652,8 @@ imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
will not run with a syntactically incorrect \fIsudoers\fR file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified hostnames in the netgroup (as is usually the
case), you either need to have the machine's hostname be fully qualified
store fully qualified host name in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
\&\fIsudoers\fR.
.SH "BUGS"
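Review bot: `store fully qualified host name in the netgroup` drops the plural of the original `hostnames`; a netgroup of machines holds several hosts, so this should read `host names` (the following line, `the machine's host name be fully qualified`, is correctly singular).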

@ -112,20 +112,20 @@ The definitions of what constitutes a valid I<alias> member follow.
User_List ::= User |
User ',' User_List
User ::= '!'* username |
User ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
'!'* '%:'nonunix_group |
'!'* User_Alias
A C<User_List> is made up of one or more usernames, uids (prefixed
A C<User_List> is made up of one or more user names, uids (prefixed
with '#'), system groups (prefixed with '%'), netgroups (prefixed
with '+') and C<User_Alias>es. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may
A C<user name>, C<group>, C<netgroup> or C<nonunix_group> may
be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in
escaped hex mode, e.g. \x20 for space.
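Review bot: `User ::= '!'* user name |` introduces a space into a grammar symbol; in these productions whitespace separates symbols (compare `filename args` in the Cmnd rule), so `user name` now parses as two tokens. Keep `username` in the EBNF (or use `user_name`) and apply the "user name" wording only in the prose, as this hunk already does on the `A C<User_List> is made up of one or more user names` line. The same applies to `Runas_Member ::= '!'* user name` and `Host ::= '!'* host name` in the hunks below.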
@ -155,7 +155,7 @@ use a backslash (\) to escape spaces and the '@' symbol.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* username |
Runas_Member ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
@ -163,21 +163,21 @@ use a backslash (\) to escape spaces and the '@' symbol.
A C<Runas_List> is similar to a C<User_List> except that instead
of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
usernames and groups are matched as strings. In other words, two
user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all usernames with the same uid (e.g.E<nbsp>root
If you wish to match all user names with the same uid (e.g.E<nbsp>root
and toor), you can use a uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
Host ::= '!'* hostname |
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
A C<Host_List> is made up of one or more hostnames, IP addresses,
A C<Host_List> is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
@ -186,10 +186,10 @@ if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard IP address notation
(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
include shell-style wildcards (see the L<Wildcards> section below),
but unless the C<hostname> command on your machine returns the fully
qualified hostname, you'll need to use the I<fqdn> option for
but unless the C<host name> command on your machine returns the fully
qualified host name, you'll need to use the I<fqdn> option for
wildcards to be useful.
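Review bot: `but unless the C<host name> command on your machine returns the fully` changes the name of the hostname(1) command, so the sentence now refers to a command that does not exist; keep `C<hostname>` here, as the fqdn hunk below does (`as returned by the C<hostname>` ... `command)`). The generated sudoers.man picks up the same wording and should be regenerated once this is fixed.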
Cmnd_List ::= Cmnd |
@ -211,7 +211,7 @@ file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify C<""> to indicate that the command
may only be run B<without> command line arguments. A directory is a
fully qualified pathname ending in a '/'. When you specify a directory
fully qualified path name ending in a '/'. When you specify a directory
in a C<Cmnd_List>, the user will be able to run any file within that directory
(but not in any subdirectories therein).
@ -411,7 +411,7 @@ I<transcript> in the L<"SUDOERS OPTIONS"> section below.
=head2 Wildcards
B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
to be used in hostnames, pathnames and command line arguments in
to be used in host names, path names and command line arguments in
the I<sudoers> file. Wildcard matching is done via the B<POSIX>
L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
regular expressions.
@ -451,7 +451,7 @@ escaped. For example:
Would match any file name beginning with a letter.
Note that a forward slash ('/') will B<not> be matched by
wildcards used in the pathname. When matching the command
wildcards used in the path name. When matching the command
line arguments, however, a slash B<does> get matched by
wildcards. This is to make a path like:
@ -500,7 +500,7 @@ themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
The file name may include the C<%h> escape, signifying the short form
of the hostname. I.e., if the machine's hostname is "xerxes", then
of the host name. I.e., if the machine's host name is "xerxes", then
C<#include /etc/sudoers.%h>
@ -558,7 +558,7 @@ Whitespace between elements in a list as well as special syntactic
characters in a I<User Specification> ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g.E<nbsp>a username or hostname):
used as part of a word (e.g.E<nbsp>a user name or host name):
'@', '!', '=', ':', ',', '(', ')', '\'.
=head1 SUDOERS OPTIONS
@ -622,18 +622,18 @@ This flag is I<on> by default.
=item fast_glob
Normally, B<sudo> uses the L<glob(3)> function to do shell-style
globbing when matching pathnames. However, since it accesses the
globbing when matching path names. However, since it accesses the
file system, L<glob(3)> can take a long time to complete for some
patterns, especially when the pattern references a network file
system that is mounted on demand (automounted). The I<fast_glob>
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
of I<fast_glob> is that it is unable to match relative pathnames
of I<fast_glob> is that it is unable to match relative path names
such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
=item fqdn
Set this flag if you want to put fully qualified hostnames in the
Set this flag if you want to put fully qualified host names in the
I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
@ -642,7 +642,7 @@ if the machine is not plugged into the network). Also note that
you must use the host's official name as DNS knows it. That is,
you may not use a host alias (C<CNAME> entry) due to performance
issues and the fact that there is no way to get all aliases from
DNS. If your machine's hostname (as returned by the C<hostname>
DNS. If your machine's host name (as returned by the C<hostname>
command) is already fully qualified you shouldn't need to set
I<fqdn>. This flag is I<@fqdn@> by default.
@ -670,7 +670,7 @@ password. This flag is I<@insults@> by default.
=item log_host
If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
If set, the host name will be logged in the (non-syslog) B<sudo> log file.
This flag is I<off> by default.
=item log_year
@ -975,7 +975,7 @@ on your system.
=item mailsub
Subject of the mail sent to the I<mailto> user. The escape C<%h>
will expand to the hostname of the machine.
will expand to the host name of the machine.
Default is C<@mailsub@>.
=item noexec_file
@ -995,13 +995,13 @@ The following percent (`C<%>') escapes are supported:
=item C<%H>
expanded to the local hostname including the domain name
(on if the machine's hostname is fully qualified or the I<fqdn>
expanded to the local host name including the domain name
(on if the machine's host name is fully qualified or the I<fqdn>
option is set)
=item C<%h>
expanded to the local hostname without the domain name
expanded to the local host name without the domain name
=item C<%p>
@ -1431,7 +1431,7 @@ groups).
The user B<pete> is allowed to change anyone's password except for
root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
does not take multiple usernames on the command line.
does not take multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
@ -1594,8 +1594,8 @@ imperative that I<sudoers> be free of syntax errors since B<sudo>
will not run with a syntactically incorrect I<sudoers> file.
When using netgroups of machines (as opposed to users), if you
store fully qualified hostnames in the netgroup (as is usually the
case), you either need to have the machine's hostname be fully qualified
store fully qualified host name in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the C<hostname> command or use the I<fqdn> option in
I<sudoers>.
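Review bot: `store fully qualified host name in the netgroup` should be plural, `host names`, matching the original `hostnames`; fix it here in the POD so the regenerated sudoers.man inherits the correction.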

@ -61,7 +61,7 @@ OOPPTTIIOONNSS
1.7.2 October 6, 2009 1
1.7.3b2 December 19, 2009 1
@ -96,9 +96,9 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1
instead of _/_d_e_v_/_t_t_y_0_1.
user _u_s_e_r_n_a_m_e
user _u_s_e_r _n_a_m_e
Evaluates to true if the ID matches a command run
by _u_s_e_r_n_a_m_e.
by _u_s_e_r _n_a_m_e.
Predicates may be abbreviated to the shortest unique string
(currently all predicates may be shortened to a single
@ -127,7 +127,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
1.7.2 October 6, 2009 2
1.7.3b2 December 19, 2009 2
@ -193,7 +193,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
1.7.2 October 6, 2009 3
1.7.3b2 December 19, 2009 3
@ -259,7 +259,7 @@ SSUUPPPPOORRTT
1.7.2 October 6, 2009 4
1.7.3b2 December 19, 2009 4
@ -325,6 +325,6 @@ DDIISSCCLLAAIIMMEERR
1.7.2 October 6, 2009 5
1.7.3b2 December 19, 2009 5

@ -140,7 +140,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
.TH SUDOREPLAY @mansectsu@ "October 6, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.TH SUDOREPLAY @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@ -222,9 +222,9 @@ date and time formats.
Evaluates to true if the command was run on the specified terminal
device. The \fItty\fR should be specified without the \fI/dev/\fR prefix,
e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
.IP "user \fIusername\fR" 8
.IX Item "user username"
Evaluates to true if the \s-1ID\s0 matches a command run by \fIusername\fR.
.IP "user \fIuser name\fR" 8
.IX Item "user user name"
Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
.RE
.RS 12
.Sp

@ -119,9 +119,9 @@ Evaluates to true if the command was run on the specified terminal
device. The I<tty> should be specified without the F</dev/> prefix,
e.g. F<tty01> instead of F</dev/tty01>.
=item user I<username>
=item user I<user name>
Evaluates to true if the ID matches a command run by I<username>.
Evaluates to true if the ID matches a command run by I<user name>.
=back
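Review bot: `=item user I<user name>` puts a space inside the placeholder for the predicate's single argument, so the synopsis reads as `user` followed by two words; a placeholder without a space, e.g. I<user_name> or simply I<user>, avoids that, and the same applies to `Evaluates to true if the ID matches a command run by I<user name>.` The sudoreplay.man and sudoreplay.cat hunks above mirror this line and will follow from the POD.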

@ -61,7 +61,7 @@ OOPPTTIIOONNSS
1.7.2 June 11, 2009 1
1.7.3b2 December 19, 2009 1
@ -76,7 +76,7 @@ VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is
used before it is defined, vviissuuddoo will consider this a
parse error. Note that it is not possible to differentiate
between an alias and a hostname or username that consists
between an alias and a host name or user name that consists
solely of uppercase letters, digits, and the underscore
('_') character.
@ -108,7 +108,7 @@ DDIIAAGGNNOOSSTTIICCSS
Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclare
{User,Runas,Host,Cmnd}_Alias or you have a user or hostname listed
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the
warnings (ssuuddoo will not complain). In --ss (strict) mode these are
@ -127,7 +127,7 @@ AAUUTTHHOORR
1.7.2 June 11, 2009 2
1.7.3b2 December 19, 2009 2
@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR
1.7.2 June 11, 2009 3
1.7.3b2 December 19, 2009 3

@ -19,18 +19,10 @@
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
@ -74,7 +66,7 @@
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
@ -153,7 +145,7 @@
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.TH VISUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@ -223,7 +215,7 @@ the \fB\-c\fR option.
Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
used before it is defined, \fBvisudo\fR will consider this a parse
error. Note that it is not possible to differentiate between an
alias and a hostname or username that consists solely of uppercase
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
.IP "\-V" 12
.IX Item "-V"
@ -266,7 +258,7 @@ Your userid does not appear in the system passwd file.
.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
or you have a user or hostname listed that consists solely of
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (\fBsudo\fR will not
complain). In \fB\-s\fR (strict) mode these are errors, not warnings.

@ -96,7 +96,7 @@ the B<-c> option.
Enable B<strict> checking of the I<sudoers> file. If an alias is
used before it is defined, B<visudo> will consider this a parse
error. Note that it is not possible to differentiate between an
alias and a hostname or username that consists solely of uppercase
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
=item -V
@ -156,7 +156,7 @@ Your userid does not appear in the system passwd file.
=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
or you have a user or hostname listed that consists solely of
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (B<sudo> will not
complain). In B<-s> (strict) mode these are errors, not warnings.