From e007e2ad4dbdf8327d91b2451e5653373b46ce16 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 19 Dec 2009 21:44:06 +0000
Subject: [PATCH] username -> user name groupname -> group name hostname -> host name
---
 sudo.cat | 116 +++++++-------
 sudo.man.in | 41 ++---
 sudo.pod | 20 +--
 sudoers.cat | 380 ++++++++++++++++++++++----------------------
 sudoers.ldap.cat | 132 +++++++--------
 sudoers.ldap.man.in | 36 ++---
 sudoers.ldap.pod | 4 +-
 sudoers.man.in | 129 +++++++--------
 sudoers.pod | 56 +++----
 sudoreplay.cat | 14 +-
 sudoreplay.man.in | 8 +-
 sudoreplay.pod | 4 +-
 visudo.cat | 10 +-
 visudo.man.in | 18 +--
 visudo.pod | 4 +-
 15 files changed, 475 insertions(+), 497 deletions(-)
diff --git a/sudo.cat b/sudo.cat
index a2f3bc153..1b33f2ce2 100644
--- a/sudo.cat
+++ b/sudo.cat
@@ -10,16 +10,18 @@ NNAAMMEE SSYYNNOOPPSSIISS ssuuddoo --hh | --KK | --kk | --LL | --VV - ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--pp _p_r_o_m_p_t] + ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] + [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] - ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] - [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] + ssuuddoo --ll[[ll]] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] + [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] - ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] - [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] + ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] + [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] + [--ii | --ss] [_c_o_m_m_a_n_d] - ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] - [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... + ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] + [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... DDEESSCCRRIIPPTTIIOONN ssuuddoo allows a permitted user to execute a _c_o_m_m_a_n_d as the superuser or @@ -56,12 +58,10 @@ DDEESSCCRRIIPPTTIIOONN has been invoked. It also allows the --ee option to remain useful even when being run via a sudo-run script or program. Note however, that the sudoers lookup is still done for root, not the user specified by - SUDO_USER. - -1.7.2 September 24, 2009 1 +1.7.3b2 December 19, 2009 1 
@@ -70,6 +70,8 @@ DDEESSCCRRIIPPTTIIOONN SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + SUDO_USER. + ssuuddoo can log both successful and unsuccessful attempts (as well as errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable at configure time or via the @@ -122,12 +124,10 @@ OOPPTTIIOONNSS -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when - either the matching command has the SETENV tag or the - _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). -1.7.2 September 24, 2009 2 +1.7.3b2 December 19, 2009 2 @@ -136,6 +136,9 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + either the matching command has the SETENV tag or the + _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). + -e The --ee (_e_d_i_t) option indicates that, instead of running a command, the user wishes to edit one or more files. In lieu of a command, the string "sudoedit" is used when @@ -187,13 +190,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for - execution. Otherwise, an interactive shell is executed. - ssuuddoo attempts to change to that user's home directory - before running the shell. It also initializes the -1.7.2 September 24, 2009 3 +1.7.3b2 December 19, 2009 3 @@ -202,6 +202,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + execution. Otherwise, an interactive shell is executed. + ssuuddoo attempts to change to that user's home directory + before running the shell. It also initializes the environment, leaving _D_I_S_P_L_A_Y and _T_E_R_M unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and _P_A_T_H, as well as the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t on Linux and AIX systems. All 
@@ -225,10 +228,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) prompt for a password (if one is required by _s_u_d_o_e_r_s) and will not update the user's timestamp file. - -L The --LL (_l_i_s_t defaults) option will list out the parameters - that may be set in a _D_e_f_a_u_l_t_s line along with a short - description for each. This option is useful in conjunction - with _g_r_e_p(1). + -L The --LL (_l_i_s_t defaults) option will list the parameters that + may be set in a _D_e_f_a_u_l_t_s line along with a short + description for each. This option will be removed from a + future version of ssuuddoo. -l[l] [_c_o_m_m_a_n_d] If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list @@ -253,13 +256,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. - -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default - password prompt and use a custom one. The following - percent (`%') escapes are supported: -1.7.2 September 24, 2009 4 +1.7.3b2 December 19, 2009 4 @@ -268,11 +268,15 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - %H expanded to the local hostname including the domain - name (on if the machine's hostname is fully qualified + -p _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + password prompt and use a custom one. The following + percent (`%') escapes are supported: + + %H expanded to the local host name including the domain + name (on if the machine's host name is fully qualified or the _f_q_d_n _s_u_d_o_e_r_s option is set) - %h expanded to the local hostname without the domain name + %h expanded to the local host name without the domain name %p expanded to the user whose password is being asked for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in 
@@ -318,14 +322,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) number and exit. If the invoking user is already root the --VV option will print out a list of the defaults ssuuddoo was compiled with as well as the machine's local network - addresses. - - -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the - user's timestamp, prompting for the user's password if -1.7.2 September 24, 2009 5 +1.7.3b2 December 19, 2009 5 @@ -334,6 +334,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + addresses. + + -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + user's timestamp, prompting for the user's password if necessary. This extends the ssuuddoo timeout for another 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but does not run a command. @@ -384,14 +388,10 @@ SSEECCUURRIITTYY NNOOTTEESS default _e_n_v___r_e_s_e_t behavior is encouraged. In all cases, environment variables with a value beginning with () are - removed as they could be interpreted as bbaasshh functions. The list of - environment variables that ssuuddoo allows or denies is contained in the - output of sudo -V when run as root. - -1.7.2 September 24, 2009 6 +1.7.3b2 December 19, 2009 6 @@ -400,6 +400,10 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + removed as they could be interpreted as bbaasshh functions. The list of + environment variables that ssuuddoo allows or denies is contained in the + output of sudo -V when run as root. + Note that the dynamic linker on most operating systems will remove variables that can control dynamic linking from the environment of setuid executables, including ssuuddoo. Depending on the operating system 
@@ -450,14 +454,10 @@ EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: EDITOR Default editor to use in --ee (sudoedit) mode if neither - SUDO_EDITOR nor VISUAL is set - - HOME In --ss or --HH mode (or if sudo was configured with the - --enable-shell-sets-home option), set to homedir of the -1.7.2 September 24, 2009 7 +1.7.3b2 December 19, 2009 7 @@ -466,6 +466,10 @@ EENNVVIIRROONNMMEENNTT SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + SUDO_EDITOR nor VISUAL is set + + HOME In --ss or --HH mode (or if sudo was configured with the + --enable-shell-sets-home option), set to homedir of the target user PATH Set to a sane value if the _s_e_c_u_r_e___p_a_t_h sudoers option @@ -516,14 +520,10 @@ EEXXAAMMPPLLEESS To list the home directory of user yaz on a machine where the file system holding ~yaz is not exported as root: - $ sudo -u yaz ls ~yaz - - To edit the _i_n_d_e_x_._h_t_m_l file as user www: - -1.7.2 September 24, 2009 8 +1.7.3b2 December 19, 2009 8 @@ -532,6 +532,10 @@ EEXXAAMMPPLLEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + $ sudo -u yaz ls ~yaz + + To edit the _i_n_d_e_x_._h_t_m_l file as user www: + $ sudo -u www vi ~www/htdocs/index.html To view system logs only accessible to root and users in the adm group: @@ -582,14 +586,10 @@ CCAAVVEEAATTSS If users have sudo ALL there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' - elements in the user specification. - - Running shell scripts via ssuuddoo can expose the same kernel bugs that - make setuid shell scripts unsafe on some operating systems (if your OS -1.7.2 September 24, 2009 9 +1.7.3b2 December 19, 2009 9 
@@ -598,6 +598,10 @@ CCAAVVEEAATTSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + elements in the user specification. + + Running shell scripts via ssuuddoo can expose the same kernel bugs that + make setuid shell scripts unsafe on some operating systems (if your OS has a /dev/fd/ directory, setuid shell scripts are generally safe). BBUUGGSS @@ -651,10 +655,6 @@ DDIISSCCLLAAIIMMEERR - - - - -1.7.2 September 24, 2009 10 +1.7.3b2 December 19, 2009 10 diff --git a/sudo.man.in b/sudo.man.in index dbfca4727..4104157f7 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -19,18 +19,10 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .\" $Sudo$ -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -74,7 +66,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ @@ -153,7 +145,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -166,28 +158,29 @@ sudo, sudoedit \- execute a command as another user .PP \&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR] -[\fB\-p\fR\ \fIprompt\fR] +[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] .PP \&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR] -[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] +[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR] .PP \&\fBsudo\fR [\fB\-AbEHnPS\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] @LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] @SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] -[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] +[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR] .PP \&\fBsudoedit\fR [\fB\-AnS\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] @LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] -[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ... +[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ... .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the 
@@ -368,9 +361,9 @@ timestamp file. As a result, \fBsudo\fR will prompt for a password timestamp file. .IP "\-L" 12 .IX Item "-L" -The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters -that may be set in a \fIDefaults\fR line along with a short description -for each. This option is useful in conjunction with \fIgrep\fR\|(1). +The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that +may be set in a \fIDefaults\fR line along with a short description for +each. This option will be removed from a future version of \fBsudo\fR. .IP "\-l[l] [\fIcommand\fR]" 12 .IX Item "-l[l] [command]" If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list @@ -403,13 +396,13 @@ escapes are supported: .ie n .IP "%H" 4 .el .IP "\f(CW%H\fR" 4 .IX Item "%H" -expanded to the local hostname including the domain name -(on if the machine's hostname is fully qualified or the \fIfqdn\fR +expanded to the local host name including the domain name +(on if the machine's host name is fully qualified or the \fIfqdn\fR \&\fIsudoers\fR option is set) .ie n .IP "%h" 4 .el .IP "\f(CW%h\fR" 4 .IX Item "%h" -expanded to the local hostname without the domain name +expanded to the local host name without the domain name .ie n .IP "%p" 4 .el .IP "\f(CW%p\fR" 4 .IX Item "%p" diff --git a/sudo.pod b/sudo.pod index f7c57f645..bb04234c5 100644 --- a/sudo.pod +++ b/sudo.pod 
@@ -31,29 +31,29 @@ B B<-h> | B<-K> | B<-k> | B<-L> | B<-V> B B<-v> [B<-AknS>] S<[B<-a> I]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> +S<[B<-g> I|I<#gid>]> S<[B<-p> I]> S<[B<-u> I|I<#uid>]> B B<-l[l]> [B<-AknS>] S<[B<-a> I]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-U> I]> S<[B<-u> I|I<#uid>]> [I] +S<[B<-g> I|I<#gid>]> S<[B<-p> I]> +S<[B<-U> I]> S<[B<-u> I|I<#uid>]> [I] B [B<-AbEHnPS>] S<[B<-a> I]> S<[B<-C> I]> S<[B<-c> I|I<->]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> +S<[B<-g> I|I<#gid>]> S<[B<-p> I]> S<[B<-r> I]> S<[B<-t> I]> -S<[B<-u> I|I<#uid>]> +S<[B<-u> I|I<#uid>]> S<[B=I]> S<[B<-i> | B<-s>]> [I] B [B<-AnS>] S<[B<-a> I]> S<[B<-C> I]> S<[B<-c> I|I<->]> -S<[B<-g> I|I<#gid>]> S<[B<-p> I]> -S<[B<-u> I|I<#uid>]> file ... +S<[B<-g> I|I<#gid>]> S<[B<-p> I]> +S<[B<-u> I|I<#uid>]> file ... =head1 DESCRIPTION @@ -298,13 +298,13 @@ escapes are supported: =item C<%H> -expanded to the local hostname including the domain name -(on if the machine's hostname is fully qualified or the I +expanded to the local host name including the domain name +(on if the machine's host name is fully qualified or the I I option is set) =item C<%h> -expanded to the local hostname without the domain name +expanded to the local host name without the domain name =item C<%p> diff --git a/sudoers.cat b/sudoers.cat index 03ec402cd..2bdffdb13 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -20,8 +20,7 @@ DDEESSCCRRIIPPTTIIOONN Form (EBNF). Don't despair if you don't know what EBNF is; it is fairly simple, and the definitions below are annotated. - QQuuiicckk gguuiiddee ttoo EEBBNNFF - + QQuuiicckk gguuiiddee ttoo EEBBNNFF EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., 
@@ -45,8 +44,7 @@ DDEESSCCRRIIPPTTIIOONN will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). - AAlliiaasseess - + AAlliiaasseess There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias. @@ -59,9 +57,11 @@ DDEESSCCRRIIPPTTIIOONN Runas_Alias ::= NAME '=' Runas_List + Host_Alias ::= NAME '=' Host_List -1.7.2 September 24, 2009 1 + +1.7.3b2 December 19, 2009 1 @@ -71,8 +71,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Host_Alias ::= NAME '=' Host_List - Cmnd_Alias ::= NAME '=' Cmnd_List NAME ::= [A-Z]([A-Z][0-9]_)* @@ -94,23 +92,23 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) User_List ::= User | User ',' User_List - User ::= '!'* username | + User ::= '!'* user name | '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | '!'* '%:'nonunix_group | '!'* User_Alias - A User_List is made up of one or more usernames, uids (prefixed with + A User_List is made up of one or more user names, uids (prefixed with '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') and User_Aliases. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out. - A username, group, netgroup and nonunix_groups may be enclosed in - double quotes to avoid the need for escaping special characters. - Alternately, special characters may be specified in escaped hex mode, - e.g. \x20 for space. + A user name, group, netgroup or nonunix_group may be enclosed in double + quotes to avoid the need for escaping special characters. Alternately, + special characters may be specified in escaped hex mode, e.g. \x20 for + space. The nonunix_group syntax depends on the underlying implementation. For instance, the QAS AD backend supports the following formats: 
@@ -124,10 +122,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Note that quotes around group names are optional. Unquoted strings must use a backslash (\) to escape spaces and the '@' symbol. + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List -1.7.2 September 24, 2009 2 +1.7.3b2 December 19, 2009 2 @@ -136,32 +136,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Runas_List ::= Runas_Member | - Runas_Member ',' Runas_List - Runas_Member ::= '!'* username | + Runas_Member ::= '!'* user name | '!'* '#'uid | '!'* '%'group | '!'* +netgroup | '!'* Runas_Alias A Runas_List is similar to a User_List except that instead of - User_Aliases it can contain Runas_Aliases. Note that usernames and + User_Aliases it can contain Runas_Aliases. Note that user names and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. If you wish to match - all usernames with the same uid (e.g. root and toor), you can use a uid - instead (#0 in the example given). + all user names with the same uid (e.g. root and toor), you can use a + uid instead (#0 in the example given). Host_List ::= Host | Host ',' Host_List - Host ::= '!'* hostname | + Host ::= '!'* host name | '!'* ip_addr | '!'* network(/netmask)? | '!'* '+'netgroup | '!'* Host_Alias - A Host_List is made up of one or more hostnames, IP addresses, network + A Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not specify a netmask along with the network number, ssuuddoo will query each 
@@ -169,17 +167,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The netmask may be specified either in standard IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or - CIDR notation (number of bits, e.g. 24 or 64). A hostname may include + CIDR notation (number of bits, e.g. 24 or 64). A host name may include shell-style wildcards (see the Wildcards section below), but unless the - hostname command on your machine returns the fully qualified hostname, - you'll need to use the _f_q_d_n option for wildcards to be useful. + host name command on your machine returns the fully qualified host + name, you'll need to use the _f_q_d_n option for wildcards to be useful. Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List - commandname ::= filename | - filename args | - filename '""' + commandname ::= file name | + file name args | + file name '""' Cmnd ::= '!'* commandname | '!'* directory | @@ -187,13 +185,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) '!'* Cmnd_Alias A Cmnd_List is a list of one or more commandnames, directories, and - other aliases. A commandname is a fully qualified filename which may + other aliases. A commandname is a fully qualified file name which may include shell-style wildcards (see the Wildcards section below). A - simple filename allows the user to run the command with any arguments + simple file name allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line arguments + (including wildcards). Alternately, you can specify "" to indicate -1.7.2 September 24, 2009 3 +1.7.3b2 December 19, 2009 3 
@@ -202,10 +202,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - he/she wishes. However, you may also specify command line arguments - (including wildcards). Alternately, you can specify "" to indicate that the command may only be run wwiitthhoouutt command line arguments. A - directory is a fully qualified pathname ending in a '/'. When you + directory is a fully qualified path name ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein). @@ -217,8 +215,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. - DDeeffaauullttss - + DDeeffaauullttss Certain configuration options may be changed from their default values at runtime via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a @@ -256,10 +253,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) not exist in a list. Defaults entries are parsed in the following order: generic, host and + user Defaults first, then runas Defaults and finally command defaults. + + See "SUDOERS OPTIONS" for a list of supported Defaults parameters. -1.7.2 September 24, 2009 4 +1.7.3b2 December 19, 2009 4 @@ -268,12 +268,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - user Defaults first, then runas Defaults and finally command defaults. - - See "SUDOERS OPTIONS" for a list of supported Defaults parameters. - - UUsseerr SSppeecciiffiiccaattiioonn - + UUsseerr SSppeecciiffiiccaattiioonn User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ (':' Host_List '=' Cmnd_Spec_List)* 
@@ -294,8 +289,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The basic structure of a user specification is `who = where (as_whom) what'. Let's break that down into its constituent parts: - RRuunnaass__SSppeecc - + RRuunnaass__SSppeecc A Runas_Spec determines the user and/or the group that a command may be run as. A fully-specified Runas_Spec consists of two Runas_Lists (as defined above) separated by a colon (':') and enclosed in a set of @@ -323,9 +317,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. -1.7.2 September 24, 2009 5 + + +1.7.3b2 December 19, 2009 5 @@ -334,11 +334,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l - and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - We can extend this to allow ddggbb to run /bin/ls with either the user or group set to ooppeerraattoorr: @@ -352,8 +347,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom - TTaagg__SSppeecc - + TTaagg__SSppeecc A command may have zero or more tags associated with it. There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, TRANSCRIPT and NOTRANSCRIPT. Once a tag is set on a Cmnd, 
@@ -388,10 +382,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) pertain to the current host. This behavior may be overridden via the verifypw and listpw options. + _N_O_E_X_E_C _a_n_d _E_X_E_C + + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. -1.7.2 September 24, 2009 6 + +1.7.3b2 December 19, 2009 6 @@ -400,12 +400,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - _N_O_E_X_E_C _a_n_d _E_X_E_C - - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. @@ -430,12 +424,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) basis. For more information, see the description of _t_r_a_n_s_c_r_i_p_t in the "SUDOERS OPTIONS" section below. - WWiillddccaarrddss - + WWiillddccaarrddss ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be - used in hostnames, pathnames and command line arguments in the _s_u_d_o_e_r_s - file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and _f_n_m_a_t_c_h(3) - routines. Note that these are _n_o_t regular expressions. + used in host names, path names and command line arguments in the + _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and + _f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions. * Matches any set of zero or more characters. 
@@ -454,10 +447,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) /bin/ls [[\:alpha\:]]* + Would match any file name beginning with a letter. + + Note that a forward slash ('/') will nnoott be matched by wildcards used + in the path name. When matching the command line arguments, however, a + slash ddooeess get matched by wildcards. This is to make a path like: + + /usr/bin/* -1.7.2 September 24, 2009 7 +1.7.3b2 December 19, 2009 7 @@ -466,26 +466,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Would match any filename beginning with a letter. - - Note that a forward slash ('/') will nnoott be matched by wildcards used - in the pathname. When matching the command line arguments, however, a - slash ddooeess get matched by wildcards. This is to make a path like: - - /usr/bin/* - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: "" If the empty string "" is the only command line argument in the _s_u_d_o_e_r_s entry it means that command is not allowed to be run with aannyy arguments. - IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss - + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s file currently being parsed using the #include and #includedir directives. 
@@ -505,8 +495,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) A hard limit of 128 nested include files is enforced to prevent include file loops. - The filename may include the %h escape, signifying the short form of - the hostname. I.e., if the machine's hostname is "xerxes", then + The file name may include the %h escape, signifying the short form of + the host name. I.e., if the machine's host name is "xerxes", then #include /etc/sudoers.%h @@ -520,18 +510,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that end in ~ or contain a . character to avoid causing problems with - - - -1.7.2 September 24, 2009 8 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - package manager or editor temporary/backup files. Files are parsed in sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is @@ -542,10 +520,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Note that unlike files included via #include, vviissuuddoo will not edit the files in a #includedir directory unless one of them contains a syntax error. It is still possible to run vviissuuddoo with the -f flag to edit the + + + +1.7.3b2 December 19, 2009 8 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + files directly. - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of a user name and is followed by one or more digits, in which case it is treated 
@@ -573,7 +562,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. The following characters must be escaped with a backslash ('\') when - used as part of a word (e.g. a username or hostname): '@', '!', '=', + used as part of a word (e.g. a user name or host name): '@', '!', '=', ':', ',', '(', ')', '\'. SSUUDDOOEERRSS OOPPTTIIOONNSS @@ -586,18 +575,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS always_set_home If set, ssuuddoo will set the HOME environment variable to the home directory of the target user (which is root unless the --uu option is used). This effectively means - - - -1.7.2 September 24, 2009 9 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - that the --HH option is always implied. This flag is _o_f_f by default. @@ -609,10 +586,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) closefrom_override If set, the user may use ssuuddoo's --CC option which + + + +1.7.3b2 December 19, 2009 9 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + overrides the default starting point at which ssuuddoo begins closing open file descriptors. This flag is _o_f_f by default. + compress_transcript + If set, and the _t_r_a_n_s_c_r_i_p_t flag is also set, ssuuddoo will + compress the transcript logs using zzlliibb. This flag is + _o_n by default when ssuuddoo is compiled with zzlliibb support. + env_editor If set, vviissuuddoo will use the value of the EDITOR or VISUAL environment variables before falling back on the default editor list. Note that this may create a 
@@ -634,28 +628,34 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) variable. This flag is _o_n by default. fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- - style globbing when matching pathnames. However, since - it accesses the file system, _g_l_o_b(3) can take a long - time to complete for some patterns, especially when the - pattern references a network file system that is - mounted on demand (automounted). The _f_a_s_t___g_l_o_b option - causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, which does - not access the file system to do its matching. The - disadvantage of _f_a_s_t___g_l_o_b is that it is unable to match - relative pathnames such as _._/_l_s or _._._/_b_i_n_/_l_s. This - flag is _o_f_f by default. + style globbing when matching path names. However, + since it accesses the file system, _g_l_o_b(3) can take a + long time to complete for some patterns, especially + when the pattern references a network file system that + is mounted on demand (automounted). The _f_a_s_t___g_l_o_b + option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, + which does not access the file system to do its + matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is + unable to match relative path names such as _._/_l_s or + _._._/_b_i_n_/_l_s. This flag is _o_f_f by default. - fqdn Set this flag if you want to put fully qualified - hostnames in the _s_u_d_o_e_r_s file. I.e., instead of myhost - you would use myhost.mydomain.edu. You may still use - the short form if you wish (and even mix the two). - Beware that turning on _f_q_d_n requires ssuuddoo to make DNS - lookups which may make ssuuddoo unusable if DNS stops - working (for example if the machine is not plugged into + fqdn Set this flag if you want to put fully qualified host + names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). 
Beware + that turning on _f_q_d_n requires ssuuddoo to make DNS lookups + which may make ssuuddoo unusable if DNS stops working (for + example if the machine is not plugged into the + network). Also note that you must use the host's + official name as DNS knows it. That is, you may not + use a host alias (CNAME entry) due to performance + issues and the fact that there is no way to get all + aliases from DNS. If your machine's host name (as + returned by the hostname command) is already fully -1.7.2 September 24, 2009 10 +1.7.3b2 December 19, 2009 10 @@ -664,12 +664,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - the network). Also note that you must use the host's - official name as DNS knows it. That is, you may not - use a host alias (CNAME entry) due to performance - issues and the fact that there is no way to get all - aliases from DNS. If your machine's hostname (as - returned by the hostname command) is already fully qualified you shouldn't need to set _f_q_d_n. This flag is _o_f_f by default. @@ -693,8 +687,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. - log_host If set, the hostname will be logged in the (non-syslog) - ssuuddoo log file. This flag is _o_f_f by default. + log_host If set, the host name will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. log_year If set, the four-digit year will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. 
@@ -718,10 +712,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) allowed to run commands on the current host. This flag is _o_f_f by default. + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is allowed to use ssuuddoo but the command + they are trying is not listed in their _s_u_d_o_e_r_s file + entry or is explicitly denied. This flag is _o_f_f by + default. -1.7.2 September 24, 2009 11 + +1.7.3b2 December 19, 2009 11 @@ -730,12 +730,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user is allowed to use ssuuddoo but the command - they are trying is not listed in their _s_u_d_o_e_r_s file - entry or is explicitly denied. This flag is _o_f_f by - default. - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user is not in the _s_u_d_o_e_r_s file. This flag is _o_n by default. @@ -784,10 +778,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by + default. + + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from "chaining" ssuuddoo commands to + get a root shell by doing something like "sudo sudo + /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o -1.7.2 September 24, 2009 12 +1.7.3b2 December 19, 2009 12 
@@ -796,12 +796,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - default. - - root_sudo If set, root is allowed to run ssuuddoo too. Disabling - this prevents users from "chaining" ssuuddoo commands to - get a root shell by doing something like "sudo sudo - /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o will also prevent root and from running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. @@ -850,10 +844,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) stay_setuid Normally, when ssuuddoo executes a command the real and effective UIDs are set to the target user (root by + default). This option changes that behavior such that + the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some + potentially dangerous functionality when a program is + run setuid. This option is only effective on systems -1.7.2 September 24, 2009 13 +1.7.3b2 December 19, 2009 13 
@@ -862,21 +862,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - default). This option changes that behavior such that - the real UID is left as the invoking user's UID. In - other words, this makes ssuuddoo act as a setuid wrapper. - This can be useful on systems that disable some - potentially dangerous functionality when a program is - run setuid. This option is only effective on systems with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by default. targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead - of the password of the invoking user. Note that this - precludes the use of a uid not listed in the passwd - database as an argument to the --uu option. This flag is - _o_f_f by default. + of the password of the invoking user. In addition, the + timestamp file name will include the target user's + name. Note that this flag precludes the use of a uid + not listed in the passwd database as an argument to the + --uu option. This flag is _o_f_f by default. transcript If set, ssuuddoo will log a transcript of the command being run, similar to the _s_c_r_i_p_t(1) command. In this mode @@ -916,10 +911,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the + --with-logincap option. This flag is _o_f_f by default. + + visiblepw By default, ssuuddoo will refuse to run if the user must + enter a password but it is not possible to disable echo + on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo -1.7.2 September 24, 2009 14 +1.7.3b2 December 19, 2009 14 
@@ -928,11 +928,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - --with-logincap option. This flag is _o_f_f by default. - - visiblepw By default, ssuuddoo will refuse to run if the user must - enter a password but it is not possible to disable echo - on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo will prompt for a password even when it would be visible on the screen. This makes it possible to run things like "rsh somehost sudo ls" since _r_s_h(1) does @@ -960,16 +955,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the option to disable word wrap). passwd_timeout Number of minutes before the ssuuddoo password prompt times - out. The default is 5; set this to 0 for no password + out. The timeout may include a fractional component if + minute granularity is insufficient, for example 2.5. + The default is 5; set this to 0 for no password timeout. timestamp_timeout Number of minutes that can elapse before ssuuddoo will ask - for a passwd again. The default is 5. Set this to 0 - to always prompt for a password. If set to a value - less than 0 the user's timestamp will never expire. - This can be used to allow users to create or delete - their own timestamps via sudo -v and sudo -k + for a passwd again. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. Set + this to 0 to always prompt for a password. If set to a + value less than 0 the user's timestamp will never + expire. This can be used to allow users to create or + delete their own timestamps via sudo -v and sudo -k respectively. umask Umask to use when running the command. Negate this @@ -985,7 +984,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 September 24, 2009 15 + +1.7.3b2 December 19, 2009 15 
@@ -1006,8 +1006,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) your system. mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape - %h will expand to the hostname of the machine. Default - is *** SECURITY information for %h ***. + %h will expand to the host name of the machine. + Default is *** SECURITY information for %h ***. noexec_file Path to a shared library containing dummy versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions @@ -1021,11 +1021,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) environment variable. The following percent (`%') escapes are supported: - %H expanded to the local hostname including the domain - name (on if the machine's hostname is fully + %H expanded to the local host name including the + domain name (on if the machine's host name is fully qualified or the _f_q_d_n option is set) - %h expanded to the local hostname without the domain + %h expanded to the local host name without the domain name %p expanded to the user whose password is being asked @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 September 24, 2009 16 +1.7.3b2 December 19, 2009 16 @@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 September 24, 2009 17 +1.7.3b2 December 19, 2009 17 @@ -1177,13 +1177,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) is if you want to have the "root path" be separate from the "user path." Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This - option is @secure_path@ by default. + option is not set by default. syslog Syslog facility if syslog is being used for logging (negate -1.7.2 September 24, 2009 18 +1.7.3b2 December 19, 2009 18 @@ -1249,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 September 24, 2009 19 +1.7.3b2 December 19, 2009 19 @@ -1315,7 +1315,7 @@ EEXXAAMMPPLLEESS -1.7.2 September 24, 2009 20 +1.7.3b2 December 19, 2009 20 
@@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 September 24, 2009 21 +1.7.3b2 December 19, 2009 21 @@ -1419,7 +1419,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user ppeettee is allowed to change anyone's password except for root on the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take - multiple usernames on the command line. + multiple user names on the command line. bob SPARC = (OP) ALL : SGI = (OP) ALL @@ -1447,7 +1447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 September 24, 2009 22 +1.7.3b2 December 19, 2009 22 @@ -1513,7 +1513,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS -1.7.2 September 24, 2009 23 +1.7.3b2 December 19, 2009 23 @@ -1579,7 +1579,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.2 September 24, 2009 24 +1.7.3b2 December 19, 2009 24 @@ -1608,8 +1608,8 @@ CCAAVVEEAATTSS syntactically incorrect _s_u_d_o_e_r_s file. When using netgroups of machines (as opposed to users), if you store - fully qualified hostnames in the netgroup (as is usually the case), you - either need to have the machine's hostname be fully qualified as + fully qualified host name in the netgroup (as is usually the case), you + either need to have the machine's host name be fully qualified as returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. BBUUGGSS @@ -1645,6 +1645,6 @@ DDIISSCCLLAAIIMMEERR -1.7.2 September 24, 2009 25 +1.7.3b2 December 19, 2009 25 diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 234931dea..1b5b1e271 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat 
@@ -52,16 +52,16 @@ DDEESSCCRRIIPPTTIIOONN Cmnd_Alias that is referenced by multiple users, one can create a sudoRole that contains the commands and assign multiple users to it. - SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr - + SSUUDDOOeerrss LLDDAAPP ccoonnttaaiinneerr The _s_u_d_o_e_r_s configuration is contained in the ou=SUDOers LDAP container. Sudo first looks for the cn=default entry in the SUDOers container. If + found, the multi-valued sudoOption attribute is parsed in the same -1.7.2 June 11, 2009 1 +1.7.3b2 December 19, 2009 1 @@ -70,7 +70,6 @@ DDEESSCCRRIIPPTTIIOONN SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - found, the multi-valued sudoOption attribute is parsed in the same manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following example, the SSH_AUTH_SOCK variable will be preserved in the environment for all users. @@ -127,7 +126,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.2 June 11, 2009 2 + +1.7.3b2 December 19, 2009 2 @@ -144,8 +144,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoHost: ALL sudoCommand: ALL - AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp - + AAnnaattoommyy ooff LLDDAAPP ssuuddooeerrss llooookkuupp When looking up a sudoer using LDAP there are only two or three LDAP queries per invocation. The first query is to parse the global options. The second is to match against the user's name and the groups @@ -154,8 +153,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) third query returns all entries containing user netgroups and checks to see if the user belongs to any of them. - DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss - + DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss There are some subtle differences in the way sudoers is handled once in LDAP. Probably the biggest is that according to the RFC, LDAP ordering is arbitrary and you cannot expect that Attributes and Entries are 
@@ -190,10 +188,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) objectClass: top cn: role2 sudoUser: puddles + sudoHost: ALL + sudoCommand: !/bin/sh -1.7.2 June 11, 2009 3 +1.7.3b2 December 19, 2009 3 @@ -202,8 +202,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - sudoHost: ALL - sudoCommand: !/bin/sh sudoCommand: ALL Another difference is that negations on the Host, User or Runas are @@ -224,8 +222,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoHost: ALL sudoHost: !web01 - SSuuddooeerrss SScchheemmaa - + SSuuddooeerrss SScchheemmaa In order to use ssuuddoo's LDAP support, the ssuuddoo schema must be installed on your LDAP server. In addition, be sure to index the 'sudoUser' attribute. @@ -238,8 +235,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES section. - CCoonnffiigguurriinngg llddaapp..ccoonnff - + CCoonnffiigguurriinngg llddaapp..ccoonnff Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo @@ -256,10 +252,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) UURRII ldap[s]://[hostname[:port]] ... Specifies a whitespace-delimited list of one or more URIs + describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be + either llddaapp or llddaappss, the latter being for servers that support TLS + (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 + for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, -1.7.2 June 11, 2009 4 +1.7.3b2 December 19, 2009 4 
@@ -268,10 +268,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - describing the LDAP server(s) to connect to. The _p_r_o_t_o_c_o_l may be - either llddaapp or llddaappss, the latter being for servers that support TLS - (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 - for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, ssuuddoo will connect to llooccaallhhoosstt. Only systems using the OpenSSL libraries support the mixing of ldap:// and ldaps:// URIs. The Netscape-derived libraries used on most commercial versions of Unix @@ -322,10 +318,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) identity. By default, most LDAP servers will allow anonymous access. + BBIINNDDPPWW secret + The BBIINNDDPPWW parameter specifies the password to use when performing + LDAP operations. This is typically used in conjunction with the + BBIINNDDDDNN parameter. -1.7.2 June 11, 2009 5 +1.7.3b2 December 19, 2009 5 @@ -334,11 +334,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - BBIINNDDPPWW secret - The BBIINNDDPPWW parameter specifies the password to use when performing - LDAP operations. This is typically used in conjunction with the - BBIINNDDDDNN parameter. - RROOOOTTBBIINNDDDDNN DN The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP @@ -389,9 +384,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) used to authenticate the client to the LDAP server. The certificate type depends on the LDAP libraries used. + OpenLDAP: + tls_cert /etc/ssl/client_cert.pem + + Netscape-derived: -1.7.2 June 11, 2009 6 + +1.7.3b2 December 19, 2009 6 
@@ -400,10 +400,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - OpenLDAP: - tls_cert /etc/ssl/client_cert.pem - - Netscape-derived: tls_cert /var/ldap/cert7.db When using Netscape-derived libraries, this file may also contain @@ -455,9 +451,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) The path to the Kerberos 5 credential cache to use when authenticating with the remote server. + See the ldap.conf entry in the EXAMPLES section. -1.7.2 June 11, 2009 7 + + + +1.7.3b2 December 19, 2009 7 @@ -466,10 +466,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - See the ldap.conf entry in the EXAMPLES section. - - CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff - + CCoonnffiigguurriinngg nnsssswwiittcchh..ccoonnff Unless it is disabled at build time, ssuuddoo consults the Name Service Switch file, _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, to specify the _s_u_d_o_e_r_s search order. Sudo looks for a line beginning with sudoers: and uses this to @@ -502,8 +499,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying operating system does not use an nsswitch.conf file. - CCoonnffiigguurriinngg nneettssvvcc..ccoonnff - + CCoonnffiigguurriinngg nneettssvvcc..ccoonnff On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the @@ -521,9 +517,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) To treat LDAP as authoratative and only use the local sudoers file if the user is not present in LDAP, use: + sudoers = ldap = auth, files + + Note that in the above example, the auth qualfier only affects user -1.7.2 June 11, 2009 8 + +1.7.3b2 December 19, 2009 8 
@@ -532,9 +532,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - sudoers = ldap = auth, files - - Note that in the above example, the auth qualfier only affects user lookups; both LDAP and _s_u_d_o_e_r_s will be queried for Defaults entries. If the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is not present or there is no sudoers @@ -550,8 +547,7 @@ FFIILLEESS _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX EEXXAAMMPPLLEESS - EExxaammppllee llddaapp..ccoonnff - + EExxaammppllee llddaapp..ccoonnff # Either specify one or more URIs or one or more host:port pairs. # If neither is specified sudo will default to localhost, port 389. # @@ -586,10 +582,14 @@ EEXXAAMMPPLLEESS # # LDAP protocol version, defaults to 3 #ldap_version 3 + # + # Define if you want to use an encrypted LDAP connection. + # Typically, you must also set the port to 636 (ldaps). + #ssl on -1.7.2 June 11, 2009 9 +1.7.3b2 December 19, 2009 9 @@ -598,10 +598,6 @@ EEXXAAMMPPLLEESS SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - # - # Define if you want to use an encrypted LDAP connection. - # Typically, you must also set the port to 636 (ldaps). - #ssl on # # Define if you want to use port 389 and switch to # encryption before the bind credentials are sent. @@ -652,10 +648,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # SDK will prevent specific file names from working. For this reason # it is suggested that tls_cert and tls_key be set to a directory, # not a file name. + # + # The certificate database specified by tls_cert may contain CA certs + # and/or the client's cert. If the client's cert is included, tls_key + # should be specified as well. -1.7.2 June 11, 2009 10 +1.7.3b2 December 19, 2009 10 
@@ -664,24 +664,19 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - # - # The certificate database specified by tls_cert may contain CA certs - # and/or the client's cert. If the client's cert is included, tls_key - # should be specified as well. # For backward compatibility, "sslpath" may be used in place of tls_cert. #tls_cert /var/ldap #tls_key /var/ldap # # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes - # sasl_auth_id + # sasl_auth_id # rootuse_sasl yes - # rootsasl_auth_id + # rootsasl_auth_id # sasl_secprops none # krb5_ccname /etc/.ldapcache - SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP - + SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP The following schema is in OpenLDAP format. Simply copy it to the schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include line in slapd.conf and restart ssllaappdd. @@ -718,10 +713,15 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.6 + NAME 'sudoRunAsUser' + DESC 'User(s) impersonated by sudo' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -1.7.2 June 11, 2009 11 +1.7.3b2 December 19, 2009 11 @@ -730,11 +730,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - attributetype ( 1.3.6.1.4.1.15953.9.1.6 - NAME 'sudoRunAsUser' - DESC 'User(s) impersonated by sudo' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' @@ -787,6 +782,11 @@ DDIISSCCLLAAIIMMEERR -1.7.2 June 11, 2009 12 + + + + + +1.7.3b2 December 19, 2009 12 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index 4b22d79b8..f9a37ddbd 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in 
@@ -15,18 +15,10 @@ .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" $Sudo$ -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -70,7 +62,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ @@ -149,7 +141,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -201,7 +193,7 @@ to have multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias that is referenced by multiple users, one can create a sudoRole that contains the commands and assign multiple users to it. -.Sh "SUDOers \s-1LDAP\s0 container" +.SS "SUDOers \s-1LDAP\s0 container" .IX Subsection "SUDOers LDAP container" The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0 container. 
@@ -271,7 +263,7 @@ on any host via \fBsudo\fR: \& sudoHost: ALL \& sudoCommand: ALL .Ve -.Sh "Anatomy of \s-1LDAP\s0 sudoers lookup" +.SS "Anatomy of \s-1LDAP\s0 sudoers lookup" .IX Subsection "Anatomy of LDAP sudoers lookup" When looking up a sudoer using \s-1LDAP\s0 there are only two or three \&\s-1LDAP\s0 queries per invocation. The first query is to parse the global @@ -280,7 +272,7 @@ groups that the user belongs to. (The special \s-1ALL\s0 tag is matched in this query too.) If no match is returned for the user's name and groups, a third query returns all entries containing user netgroups and checks to see if the user belongs to any of them. -.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers" +.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers" .IX Subsection "Differences between LDAP and non-LDAP sudoers" There are some subtle differences in the way sudoers is handled once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, @@ -342,7 +334,7 @@ behave the way one might expect. \& sudoHost: ALL \& sudoHost: !web01 .Ve -.Sh "Sudoers Schema" +.SS "Sudoers Schema" .IX Subsection "Sudoers Schema" In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be installed on your \s-1LDAP\s0 server. In addition, be sure to index the @@ -355,7 +347,7 @@ be found in the \fBsudo\fR distribution. .PP The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0 section. -.Sh "Configuring ldap.conf" +.SS "Configuring ldap.conf" .IX Subsection "Configuring ldap.conf" Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. 
@@ -538,7 +530,7 @@ The path to the Kerberos 5 credential cache to use when authenticating with the remote server. .PP See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section. -.Sh "Configuring nsswitch.conf" +.SS "Configuring nsswitch.conf" .IX Subsection "Configuring nsswitch.conf" Unless it is disabled at build time, \fBsudo\fR consults the Name Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR @@ -579,7 +571,7 @@ sudoers line, the following default is assumed: .PP Note that \fI@nsswitch_conf@\fR is supported even when the underlying operating system does not use an nsswitch.conf file. -.Sh "Configuring netsvc.conf" +.SS "Configuring netsvc.conf" .IX Subsection "Configuring netsvc.conf" On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of \&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a @@ -632,7 +624,7 @@ determines sudoers source order determines sudoers source order on \s-1AIX\s0 .SH "EXAMPLES" .IX Header "EXAMPLES" -.Sh "Example ldap.conf" +.SS "Example ldap.conf" .IX Subsection "Example ldap.conf" .Vb 10 \& # Either specify one or more URIs or one or more host:port pairs. @@ -733,13 +725,13 @@ determines sudoers source order on \s-1AIX\s0 \& # \& # If using SASL authentication for LDAP (OpenSSL) \& # use_sasl yes -\& # sasl_auth_id +\& # sasl_auth_id \& # rootuse_sasl yes -\& # rootsasl_auth_id +\& # rootsasl_auth_id \& # sasl_secprops none \& # krb5_ccname /etc/.ldapcache .Ve -.Sh "Sudo schema for OpenLDAP" +.SS "Sudo schema for OpenLDAP" .IX Subsection "Sudo schema for OpenLDAP" The following schema is in OpenLDAP format. Simply copy it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod index 4e686f383..9da13cc85 100644 --- a/sudoers.ldap.pod +++ b/sudoers.ldap.pod 
@@ -637,9 +637,9 @@ determines sudoers source order on AIX # # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes - # sasl_auth_id + # sasl_auth_id # rootuse_sasl yes - # rootsasl_auth_id + # rootsasl_auth_id # sasl_secprops none # krb5_ccname /etc/.ldapcache diff --git a/sudoers.man.in b/sudoers.man.in index 958299395..6df75dd95 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -19,18 +19,10 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .\" $Sudo$ -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -74,7 +66,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ @@ -153,7 +145,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -173,7 +165,7 @@ not necessarily the most specific match). The \fIsudoers\fR grammar will be described below in Extended Backus-Naur Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is fairly simple, and the definitions below are annotated. -.Sh "Quick guide to \s-1EBNF\s0" +.SS "Quick guide to \s-1EBNF\s0" .IX Subsection "Quick guide to EBNF" \&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., @@ -206,7 +198,7 @@ one or more times. Parentheses may be used to group symbols together. For clarity, we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). -.Sh "Aliases" +.SS "Aliases" .IX Subsection "Aliases" There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR. @@ -250,7 +242,7 @@ The definitions of what constitutes a valid \fIalias\fR member follow. \& User_List ::= User | \& User \*(Aq,\*(Aq User_List \& -\& User ::= \*(Aq!\*(Aq* username | +\& User ::= \*(Aq!\*(Aq* user name | \& \*(Aq!\*(Aq* \*(Aq#\*(Aquid | \& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup | \& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup | 
@@ -258,13 +250,13 @@ The definitions of what constitutes a valid \fIalias\fR member follow. \& \*(Aq!\*(Aq* User_Alias .Ve .PP -A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed +A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed with '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out. .PP -A \f(CW\*(C`username\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR and \f(CW\*(C`nonunix_groups\*(C'\fR may +A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters may be specified in escaped hex mode, e.g. \ex20 for space. @@ -285,7 +277,7 @@ use a backslash (\e) to escape spaces and the '@' symbol. \& Runas_List ::= Runas_Member | \& Runas_Member \*(Aq,\*(Aq Runas_List \& -\& Runas_Member ::= \*(Aq!\*(Aq* username | +\& Runas_Member ::= \*(Aq!\*(Aq* user name | \& \*(Aq!\*(Aq* \*(Aq#\*(Aquid | \& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup | \& \*(Aq!\*(Aq* +netgroup | 
@@ -294,23 +286,23 @@ use a backslash (\e) to escape spaces and the '@' symbol. .PP A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that -usernames and groups are matched as strings. In other words, two +user names and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. -If you wish to match all usernames with the same uid (e.g.\ root +If you wish to match all user names with the same uid (e.g.\ root and toor), you can use a uid instead (#0 in the example given). .PP .Vb 2 \& Host_List ::= Host | \& Host \*(Aq,\*(Aq Host_List \& -\& Host ::= \*(Aq!\*(Aq* hostname | +\& Host ::= \*(Aq!\*(Aq* host name | \& \*(Aq!\*(Aq* ip_addr | \& \*(Aq!\*(Aq* network(/netmask)? | \& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup | \& \*(Aq!\*(Aq* Host_Alias .Ve .PP -A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses, +A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not specify a netmask along with the network number, 
@@ -319,19 +311,19 @@ if the network number corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The netmask may be specified either in standard \s-1IP\s0 address notation (e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::), -or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A hostname may +or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may include shell-style wildcards (see the Wildcards section below), -but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully -qualified hostname, you'll need to use the \fIfqdn\fR option for +but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully +qualified host name, you'll need to use the \fIfqdn\fR option for wildcards to be useful. .PP .Vb 2 \& Cmnd_List ::= Cmnd | \& Cmnd \*(Aq,\*(Aq Cmnd_List \& -\& commandname ::= filename | -\& filename args | -\& filename \*(Aq""\*(Aq +\& commandname ::= file name | +\& file name args | +\& file name \*(Aq""\*(Aq \& \& Cmnd ::= \*(Aq!\*(Aq* commandname | \& \*(Aq!\*(Aq* directory | 
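Review bot: The rename reaches into a literal command name in this hunk: `\f(CW\*(C`hostname\*(C'\fR command` became `\f(CW\*(C`host name\*(C'\fR command`, but hostname(1) is the program being referred to, and the fqdn option description later in this same file still correctly says `as returned by the \f(CW\*(C`hostname\*(C'\fR command`. The line should stay `but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully`, with only the following line changed to `qualified host name, you'll need to use the \fIfqdn\fR option for`. The corresponding sentence in the sudoers.pod hunk (`but unless the C command on your machine`) appears to have the same problem, though its C<> content is not legible in this view. Since this paragraph tells administrators when host matching in sudoers depends on fqdn, a misnamed command here is likely to send them looking for the wrong thing.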
@@ -340,13 +332,13 @@ wildcards to be useful. .Ve .PP A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other -aliases. A commandname is a fully qualified filename which may include +aliases. A commandname is a fully qualified file name which may include shell-style wildcards (see the Wildcards section below). A simple -filename allows the user to run the command with any arguments he/she +file name allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command may only be run \fBwithout\fR command line arguments. A directory is a -fully qualified pathname ending in a '/'. When you specify a directory +fully qualified path name ending in a '/'. When you specify a directory in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory (but not in any subdirectories therein). .PP @@ -358,7 +350,7 @@ arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. -.Sh "Defaults" +.SS "Defaults" .IX Subsection "Defaults" Certain configuration options may be changed from their default values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These @@ -403,7 +395,7 @@ and user Defaults first, then runas Defaults and finally command defaults. .PP See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters. -.Sh "User Specification" +.SS "User Specification" .IX Subsection "User Specification" .Vb 2 \& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e 
@@ -426,7 +418,7 @@ run as \fBroot\fR, but this can be changed on a per-command basis. .PP The basic structure of a user specification is `who = where (as_whom) what'. Let's break that down into its constituent parts: -.Sh "Runas_Spec" +.SS "Runas_Spec" .IX Subsection "Runas_Spec" A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two @@ -484,7 +476,7 @@ only the group will be set, the command still runs as user \fBtcm\fR. \& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e \& /usr/local/bin/minicom .Ve -.Sh "Tag_Spec" +.SS "Tag_Spec" .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, @@ -562,10 +554,10 @@ be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag. These tags override the value of the \fItranscript\fR option on a per-command basis. For more information, see the description of \&\fItranscript\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below. -.Sh "Wildcards" +.SS "Wildcards" .IX Subsection "Wildcards" \&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters) -to be used in hostnames, pathnames and command line arguments in +to be used in host names, path names and command line arguments in the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR \&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR regular expressions. 
@@ -600,10 +592,10 @@ escaped. For example: \& /bin/ls [[\e:alpha\e:]]* .Ve .PP -Would match any filename beginning with a letter. +Would match any file name beginning with a letter. .PP Note that a forward slash ('/') will \fBnot\fR be matched by -wildcards used in the pathname. When matching the command +wildcards used in the path name. When matching the command line arguments, however, a slash \fBdoes\fR get matched by wildcards. This is to make a path like: .PP @@ -612,7 +604,7 @@ wildcards. This is to make a path like: .Ve .PP match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. -.Sh "Exceptions to wildcard rules" +.SS "Exceptions to wildcard rules" .IX Subsection "Exceptions to wildcard rules" The following exceptions apply to the above rules: .ie n .IP """""" 8 @@ -621,7 +613,7 @@ The following exceptions apply to the above rules: If the empty string \f(CW""\fR is the only command line argument in the \&\fIsudoers\fR entry it means that command is not allowed to be run with \fBany\fR arguments. -.Sh "Including other files from within sudoers" +.SS "Including other files from within sudoers" .IX Subsection "Including other files from within sudoers" It is possible to include other \fIsudoers\fR files from within the \&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and @@ -645,8 +637,8 @@ Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. .PP -The filename may include the \f(CW%h\fR escape, signifying the short form -of the hostname. I.e., if the machine's hostname is \*(L"xerxes\*(R", then +The file name may include the \f(CW%h\fR escape, signifying the short form +of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then .PP \&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR .PP 
@@ -673,7 +665,7 @@ Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR wil edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them contains a syntax error. It is still possible to run \fBvisudo\fR with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly. -.Sh "Other special characters and reserved words" +.SS "Other special characters and reserved words" .IX Subsection "Other special characters and reserved words" The pound sign ('#') is used to indicate a comment (unless it is part of a #include directive or unless it occurs in the context of @@ -703,7 +695,7 @@ Whitespace between elements in a list as well as special syntactic characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional. .PP The following characters must be escaped with a backslash ('\e') when -used as part of a word (e.g.\ a username or hostname): +used as part of a word (e.g.\ a user name or host name): \&'@', '!', '=', ':', ',', '(', ')', '\e'. .SH "SUDOERS OPTIONS" .IX Header "SUDOERS OPTIONS" @@ -729,6 +721,11 @@ This flag is \fIon\fR by default. If set, the user may use \fBsudo\fR's \fB\-C\fR option which overrides the default starting point at which \fBsudo\fR begins closing open file descriptors. This flag is \fIoff\fR by default. +.IP "compress_transcript" 16 +.IX Item "compress_transcript" +If set, and the \fItranscript\fR flag is also set, \fBsudo\fR will compress +the transcript logs using \fBzlib\fR. This flag is \fIon\fR by default +when \fBsudo\fR is compiled with \fBzlib\fR support. .IP "env_editor" 16 .IX Item "env_editor" If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 
@@ -752,17 +749,17 @@ This flag is \fIon\fR by default. .IP "fast_glob" 16 .IX Item "fast_glob" Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style -globbing when matching pathnames. However, since it accesses the +globbing when matching path names. However, since it accesses the file system, \fIglob\fR\|(3) can take a long time to complete for some patterns, especially when the pattern references a network file system that is mounted on demand (automounted). The \fIfast_glob\fR option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does not access the file system to do its matching. The disadvantage -of \fIfast_glob\fR is that it is unable to match relative pathnames +of \fIfast_glob\fR is that it is unable to match relative path names such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default. .IP "fqdn" 16 .IX Item "fqdn" -Set this flag if you want to put fully qualified hostnames in the +Set this flag if you want to put fully qualified host names in the \&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups @@ -771,7 +768,7 @@ if the machine is not plugged into the network). Also note that you must use the host's official name as \s-1DNS\s0 knows it. That is, you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance issues and the fact that there is no way to get all aliases from -\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR +\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR command) is already fully qualified you shouldn't need to set \&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default. .IP "ignore_dot" 16 
@@ -795,7 +792,7 @@ If set, \fBsudo\fR will insult users when they enter an incorrect password. This flag is \fI@insults@\fR by default. .IP "log_host" 16 .IX Item "log_host" -If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file. +If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file. This flag is \fIoff\fR by default. .IP "log_year" 16 .IX Item "log_year" @@ -939,11 +936,12 @@ is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\ function. This flag is \fIoff\fR by default. .IP "targetpw" 16 .IX Item "targetpw" -If set, \fBsudo\fR will prompt for the password of the user specified by -the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the -invoking user. Note that this precludes the use of a uid not listed -in the passwd database as an argument to the \fB\-u\fR option. -This flag is \fIoff\fR by default. +If set, \fBsudo\fR will prompt for the password of the user specified +by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password +of the invoking user. In addition, the timestamp file name will +include the target user's name. Note that this flag precludes the +use of a uid not listed in the passwd database as an argument to +the \fB\-u\fR option. This flag is \fIoff\fR by default. .IP "transcript" 16 .IX Item "transcript" If set, \fBsudo\fR will log a transcript of the command being run, 
@@ -1014,12 +1012,15 @@ effect on the syslog log file, only the file log. The default is .IP "passwd_timeout" 16 .IX Item "passwd_timeout" Number of minutes before the \fBsudo\fR password prompt times out. -The default is \f(CW\*(C`@password_timeout@\*(C'\fR; set this to \f(CW0\fR for no password timeout. +The timeout may include a fractional component if minute granularity +is insufficient, for example \f(CW2.5\fR. The default is \f(CW\*(C`@password_timeout@\*(C'\fR; +set this to \f(CW0\fR for no password timeout. .IP "timestamp_timeout" 16 .IX Item "timestamp_timeout" Number of minutes that can elapse before \fBsudo\fR will ask for a -passwd again. The default is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always -prompt for a password. +passwd again. The timeout may include a fractional component if +minute granularity is insufficient, for example \f(CW2.5\fR. The default +is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password. If set to a value less than \f(CW0\fR the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively. @@ -1048,7 +1049,7 @@ on your system. .IP "mailsub" 16 .IX Item "mailsub" Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR -will expand to the hostname of the machine. +will expand to the host name of the machine. Default is \f(CW\*(C`@mailsub@\*(C'\fR. .IP "noexec_file" 16 .IX Item "noexec_file" 
@@ -1065,13 +1066,13 @@ The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported: .ie n .IP "%H" 4 .el .IP "\f(CW%H\fR" 4 .IX Item "%H" -expanded to the local hostname including the domain name -(on if the machine's hostname is fully qualified or the \fIfqdn\fR +expanded to the local host name including the domain name +(on if the machine's host name is fully qualified or the \fIfqdn\fR option is set) .ie n .IP "%h" 4 .el .IP "\f(CW%h\fR" 4 .IX Item "%h" -expanded to the local hostname without the domain name +expanded to the local host name without the domain name .ie n .IP "%p" 4 .el .IP "\f(CW%p\fR" 4 .IX Item "%p" @@ -1468,7 +1469,7 @@ groups). .PP The user \fBpete\fR is allowed to change anyone's password except for root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1) -does not take multiple usernames on the command line. +does not take multiple user names on the command line. .PP .Vb 1 \& bob SPARC = (OP) ALL : SGI = (OP) ALL @@ -1651,8 +1652,8 @@ imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR will not run with a syntactically incorrect \fIsudoers\fR file. .PP When using netgroups of machines (as opposed to users), if you -store fully qualified hostnames in the netgroup (as is usually the -case), you either need to have the machine's hostname be fully qualified +store fully qualified host name in the netgroup (as is usually the +case), you either need to have the machine's host name be fully qualified as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in \&\fIsudoers\fR. .SH "BUGS" diff --git a/sudoers.pod b/sudoers.pod index b38ed6567..d23396993 100644 --- a/sudoers.pod +++ b/sudoers.pod 
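Review bot: The netgroup sentence in the last hunk of this file drops a plural: `store fully qualified host name in the netgroup (as is usually the` should read `store fully qualified host names in the netgroup (as is usually the`, since the removed line had `hostnames`. The identical sentence in the sudoers.pod `@@ -1594,8 +1594,8 @@` hunk has the same slip and should be fixed together with this one.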
@@ -112,20 +112,20 @@ The definitions of what constitutes a valid I member follow. User_List ::= User | User ',' User_List - User ::= '!'* username | + User ::= '!'* user name | '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | '!'* '%:'nonunix_group | '!'* User_Alias -A C is made up of one or more usernames, uids (prefixed +A C is made up of one or more user names, uids (prefixed with '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') and Ces. Each list item may be prefixed with zero or more '!' operators. An odd number of '!' operators negate the value of the item; an even number just cancel each other out. -A C, C, C and C may +A C, C, C or C may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters may be specified in escaped hex mode, e.g. \x20 for space. @@ -155,7 +155,7 @@ use a backslash (\) to escape spaces and the '@' symbol. Runas_List ::= Runas_Member | Runas_Member ',' Runas_List - Runas_Member ::= '!'* username | + Runas_Member ::= '!'* user name | '!'* '#'uid | '!'* '%'group | '!'* +netgroup | 
@@ -163,21 +163,21 @@ use a backslash (\) to escape spaces and the '@' symbol. A C is similar to a C except that instead of Ces it can contain Ces. Note that -usernames and groups are matched as strings. In other words, two +user names and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are considered to be distinct. -If you wish to match all usernames with the same uid (e.g.Eroot +If you wish to match all user names with the same uid (e.g.Eroot and toor), you can use a uid instead (#0 in the example given). Host_List ::= Host | Host ',' Host_List - Host ::= '!'* hostname | + Host ::= '!'* host name | '!'* ip_addr | '!'* network(/netmask)? | '!'* '+'netgroup | '!'* Host_Alias -A C is made up of one or more hostnames, IP addresses, +A C is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with '+') and other aliases. Again, the value of an item may be negated with the '!' operator. If you do not specify a netmask along with the network number, @@ -186,10 +186,10 @@ if the network number corresponds to one of the hosts's network interfaces, the corresponding netmask will be used. The netmask may be specified either in standard IP address notation (e.g.E255.255.255.0 or ffff:ffff:ffff:ffff::), -or CIDR notation (number of bits, e.g.E24 or 64). A hostname may +or CIDR notation (number of bits, e.g.E24 or 64). A host name may include shell-style wildcards (see the L section below), -but unless the C command on your machine returns the fully -qualified hostname, you'll need to use the I option for +but unless the C command on your machine returns the fully +qualified host name, you'll need to use the I option for wildcards to be useful. Cmnd_List ::= Cmnd | 
@@ -211,7 +211,7 @@ file name allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify C<""> to indicate that the command may only be run B command line arguments. A directory is a -fully qualified pathname ending in a '/'. When you specify a directory +fully qualified path name ending in a '/'. When you specify a directory in a C, the user will be able to run any file within that directory (but not in any subdirectories therein). @@ -411,7 +411,7 @@ I in the L<"SUDOERS OPTIONS"> section below. =head2 Wildcards B allows shell-style I (aka meta or glob characters) -to be used in hostnames, pathnames and command line arguments in +to be used in host names, path names and command line arguments in the I file. Wildcard matching is done via the B L and L routines. Note that these are I regular expressions. @@ -451,7 +451,7 @@ escaped. For example: Would match any file name beginning with a letter. Note that a forward slash ('/') will B be matched by -wildcards used in the pathname. When matching the command +wildcards used in the path name. When matching the command line arguments, however, a slash B get matched by wildcards. This is to make a path like: @@ -500,7 +500,7 @@ themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. The file name may include the C<%h> escape, signifying the short form -of the hostname. I.e., if the machine's hostname is "xerxes", then +of the host name. I.e., if the machine's host name is "xerxes", then C<#include /etc/sudoers.%h> 
@@ -558,7 +558,7 @@ Whitespace between elements in a list as well as special syntactic characters in a I ('=', ':', '(', ')') is optional. The following characters must be escaped with a backslash ('\') when -used as part of a word (e.g.Ea username or hostname): +used as part of a word (e.g.Ea user name or host name): '@', '!', '=', ':', ',', '(', ')', '\'. =head1 SUDOERS OPTIONS @@ -622,18 +622,18 @@ This flag is I by default. =item fast_glob Normally, B uses the L function to do shell-style -globbing when matching pathnames. However, since it accesses the +globbing when matching path names. However, since it accesses the file system, L can take a long time to complete for some patterns, especially when the pattern references a network file system that is mounted on demand (automounted). The I option causes B to use the L function, which does not access the file system to do its matching. The disadvantage -of I is that it is unable to match relative pathnames +of I is that it is unable to match relative path names such as F<./ls> or F<../bin/ls>. This flag is I by default. =item fqdn -Set this flag if you want to put fully qualified hostnames in the +Set this flag if you want to put fully qualified host names in the I file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on I requires B to make DNS lookups @@ -642,7 +642,7 @@ if the machine is not plugged into the network). Also note that you must use the host's official name as DNS knows it. That is, you may not use a host alias (C entry) due to performance issues and the fact that there is no way to get all aliases from -DNS. If your machine's hostname (as returned by the C +DNS. If your machine's host name (as returned by the C command) is already fully qualified you shouldn't need to set I. This flag is I<@fqdn@> by default. 
@@ -670,7 +670,7 @@ password. This flag is I<@insults@> by default. =item log_host -If set, the hostname will be logged in the (non-syslog) B log file. +If set, the host name will be logged in the (non-syslog) B log file. This flag is I by default. =item log_year @@ -975,7 +975,7 @@ on your system. =item mailsub Subject of the mail sent to the I user. The escape C<%h> -will expand to the hostname of the machine. +will expand to the host name of the machine. Default is C<@mailsub@>. =item noexec_file @@ -995,13 +995,13 @@ The following percent (`C<%>') escapes are supported: =item C<%H> -expanded to the local hostname including the domain name -(on if the machine's hostname is fully qualified or the I +expanded to the local host name including the domain name +(on if the machine's host name is fully qualified or the I option is set) =item C<%h> -expanded to the local hostname without the domain name +expanded to the local host name without the domain name =item C<%p> @@ -1431,7 +1431,7 @@ groups). The user B is allowed to change anyone's password except for root on the I machines. Note that this assumes L -does not take multiple usernames on the command line. +does not take multiple user names on the command line. bob SPARC = (OP) ALL : SGI = (OP) ALL @@ -1594,8 +1594,8 @@ imperative that I be free of syntax errors since B will not run with a syntactically incorrect I file. When using netgroups of machines (as opposed to users), if you -store fully qualified hostnames in the netgroup (as is usually the -case), you either need to have the machine's hostname be fully qualified +store fully qualified host name in the netgroup (as is usually the +case), you either need to have the machine's host name be fully qualified as returned by the C command or use the I option in I. diff --git a/sudoreplay.cat b/sudoreplay.cat index 56dc10a83..f32100b06 100644 --- a/sudoreplay.cat +++ b/sudoreplay.cat 
@@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.2 October 6, 2009 1 +1.7.3b2 December 19, 2009 1 @@ -96,9 +96,9 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 instead of _/_d_e_v_/_t_t_y_0_1. - user _u_s_e_r_n_a_m_e + user _u_s_e_r _n_a_m_e Evaluates to true if the ID matches a command run - by _u_s_e_r_n_a_m_e. + by _u_s_e_r _n_a_m_e. Predicates may be abbreviated to the shortest unique string (currently all predicates may be shortened to a single @@ -127,7 +127,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.2 October 6, 2009 2 +1.7.3b2 December 19, 2009 2 @@ -193,7 +193,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.2 October 6, 2009 3 +1.7.3b2 December 19, 2009 3 @@ -259,7 +259,7 @@ SSUUPPPPOORRTT -1.7.2 October 6, 2009 4 +1.7.3b2 December 19, 2009 4 @@ -325,6 +325,6 @@ DDIISSCCLLAAIIMMEERR -1.7.2 October 6, 2009 5 +1.7.3b2 December 19, 2009 5 diff --git a/sudoreplay.man.in b/sudoreplay.man.in index 6ff18363d..40ba8ddfc 100644 --- a/sudoreplay.man.in +++ b/sudoreplay.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "October 6, 2009" "1.7.2" "MAINTENANCE COMMANDS" +.TH SUDOREPLAY @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -222,9 +222,9 @@ date and time formats. Evaluates to true if the command was run on the specified terminal device. The \fItty\fR should be specified without the \fI/dev/\fR prefix, e.g. \fItty01\fR instead of \fI/dev/tty01\fR. -.IP "user \fIusername\fR" 8 -.IX Item "user username" -Evaluates to true if the \s-1ID\s0 matches a command run by \fIusername\fR. +.IP "user \fIuser name\fR" 8 +.IX Item "user user name" +Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR. .RE .RS 12 .Sp diff --git a/sudoreplay.pod b/sudoreplay.pod index 42c12187b..fb3bef399 100644 --- a/sudoreplay.pod +++ b/sudoreplay.pod @@ -119,9 +119,9 @@ Evaluates to true if the command was run on the specified terminal device. The I should be specified without the F prefix, e.g. F instead of F. -=item user I +=item user I -Evaluates to true if the ID matches a command run by I. +Evaluates to true if the ID matches a command run by I. =back diff --git a/visudo.cat b/visudo.cat index 51c822e7a..74deba8c6 100644 --- a/visudo.cat +++ b/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.2 June 11, 2009 1 +1.7.3b2 December 19, 2009 1 @@ -76,7 +76,7 @@ VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is used before it is defined, vviissuuddoo will consider this a parse error. Note that it is not possible to differentiate - between an alias and a hostname or username that consists + between an alias and a host name or user name that consists solely of uppercase letters, digits, and the underscore ('_') character. 
@@ -108,7 +108,7 @@ DDIIAAGGNNOOSSTTIICCSS Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined Either you are trying to use an undeclare - {User,Runas,Host,Cmnd}_Alias or you have a user or hostname listed + {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the warnings (ssuuddoo will not complain). In --ss (strict) mode these are @@ -127,7 +127,7 @@ AAUUTTHHOORR -1.7.2 June 11, 2009 2 +1.7.3b2 December 19, 2009 2 @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.7.2 June 11, 2009 3 +1.7.3b2 December 19, 2009 3 diff --git a/visudo.man.in b/visudo.man.in index 1463ce3a1..509020ccc 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -19,18 +19,10 @@ .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" .\" $Sudo$ -.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05) +.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: .\" ======================================================================== -.de Sh \" Subsection heading -.br -.if t .Sp -.ne 5 -.PP -\fB\\$1\fR -.PP -.. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp @@ -74,7 +66,7 @@ .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ 
@@ -153,7 +145,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -223,7 +215,7 @@ the \fB\-c\fR option. Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is used before it is defined, \fBvisudo\fR will consider this a parse error. Note that it is not possible to differentiate between an -alias and a hostname or username that consists solely of uppercase +alias and a host name or user name that consists solely of uppercase letters, digits, and the underscore ('_') character. .IP "\-V" 12 .IX Item "-V" @@ -266,7 +258,7 @@ Your userid does not appear in the system passwd file. .IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4 .IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias -or you have a user or hostname listed that consists solely of +or you have a user or host name listed that consists solely of uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the warnings (\fBsudo\fR will not complain). In \fB\-s\fR (strict) mode these are errors, not warnings. diff --git a/visudo.pod b/visudo.pod index 2f82746e2..37953718f 100644 --- a/visudo.pod +++ b/visudo.pod 
@@ -96,7 +96,7 @@ the B<-c> option. Enable B checking of the I file. If an alias is used before it is defined, B will consider this a parse error. Note that it is not possible to differentiate between an -alias and a hostname or username that consists solely of uppercase +alias and a host name or user name that consists solely of uppercase letters, digits, and the underscore ('_') character. =item -V @@ -156,7 +156,7 @@ Your userid does not appear in the system passwd file. =item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias -or you have a user or hostname listed that consists solely of +or you have a user or host name listed that consists solely of uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the warnings (B will not complain). In B<-s> (strict) mode these are errors, not warnings.