diff --git a/MANIFEST b/MANIFEST
index ad7142f14..08d7f25d3 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -24,7 +24,7 @@ doc/cvtsudoers.cat
 doc/cvtsudoers.man.in
 doc/cvtsudoers.mdoc.in
 doc/fixman.sh
-doc/fixmdoc.sh
+doc/fixmdoc.sed
 doc/schema.ActiveDirectory
 doc/schema.OpenLDAP
 doc/schema.iPlanet
@@ -34,6 +34,7 @@ doc/sudo.conf.cat
 doc/sudo.conf.man.in
 doc/sudo.conf.mdoc.in
 doc/sudo.man.in
+doc/sudo.man.in.sed
 doc/sudo.mdoc.in
 doc/sudo_plugin.cat
 doc/sudo_plugin.man.in
@@ -43,6 +44,7 @@ doc/sudoers.ldap.cat
 doc/sudoers.ldap.man.in
 doc/sudoers.ldap.mdoc.in
 doc/sudoers.man.in
+doc/sudoers.man.in.sed
 doc/sudoers.mdoc.in
 doc/sudoers_timestamp.cat
 doc/sudoers_timestamp.man.in
diff --git a/doc/Makefile.in b/doc/Makefile.in
index b3456a30f..e94f499a1 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -132,25 +132,22 @@ varsub: $(top_srcdir)/configure.ac $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.ac | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \ fi -$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in +$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ - $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ + $(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudo.man.in.sed > $@; \ fi -sudo.man.sed: $(srcdir)/fixman.sh - BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@ +fixman.sed: $(srcdir)/fixman.sh + $(SHELL) $(srcdir)/fixman.sh $@ -$(mansrcdir)/sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in sudo.man.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f $@.sed > $@ +$(mansrcdir)/sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f fixman.sed > $@ -sudo.mdoc.sed: $(srcdir)/fixmdoc.sh - BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@ - -$(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in sudo.mdoc.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < 
$(srcdir)/sudo.mdoc.in | $(SED) -f $@.sed > $@ +$(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in + cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ $(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in @if [ -n "$(DEVEL)" ]; then \ @@ -166,8 +163,8 @@ $(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -186,8 +183,8 @@ $(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ 
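Review bot: The new `$(mansrcdir)/sudo.mdoc` rule in the `@@ -132,25 +132,22 @@` hunk no longer passes the page through any sed script, while the `sudoers.mdoc` rule in the `@@ -198,25 +195,19 @@` hunk is piped through `$(srcdir)/fixmdoc.sed`. The removed fixmdoc.sh kept the "0 minutes" to "unlimited" replacement under its `sudo.mdoc.sed` case, and fixman.sed is still applied to sudo.man, so the mdoc and man renderings of sudo(8) can now differ wherever that text occurs. If this is not intended, give sudo.mdoc the same shape as sudoers.mdoc: add `$(srcdir)/fixmdoc.sed` to its prerequisites and use `(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@` as the recipe.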
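Review bot: The `visudo.man` recipe in the `@@ -166,8 +163,8 @@` hunk now takes its exit status from the final `$(SED)`, so a failing `config.status` no longer fails the target the way `config.status --file=doc/$@` did, and the `> $@` redirection leaves an empty or truncated page with a fresh timestamp that later runs treat as up to date. The same pipeline is introduced for sudo.conf.man, sudoers.ldap.man, sudoers_timestamp.man, cvtsudoers.man, sudoreplay.man and sudo_plugin.man in the hunks that follow. Staging the substituted text restores the failure check: `(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in > $@.tmp && $(SED) -f fixman.sed $@.tmp > $@`, with `$@.tmp` removed afterwards and added to the `clean` recipe.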
@@ -198,25 +195,19 @@ $(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi -$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in +$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ - $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ + $(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudoers.man.in.sed> $@; \ fi -sudoers.man.sed: $(srcdir)/fixman.sh - LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@ +$(mansrcdir)/sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f fixman.sed > $@ -$(mansrcdir)/sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in sudoers.man.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f $@.sed > $@ - -sudoers.mdoc.sed: $(srcdir)/fixmdoc.sh - LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@ - -$(mansrcdir)/sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in sudoers.mdoc.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $@.sed > $@ +$(mansrcdir)/sudoers.mdoc: 
$(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@ $(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in @if [ -n "$(DEVEL)" ]; then \ @@ -232,8 +223,8 @@ $(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ 
@@ -252,8 +243,8 @@ $(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -272,8 +263,8 @@ $(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ 
@@ -292,8 +283,8 @@ $(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -312,8 +303,8 @@ $(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -390,7 +381,7 @@ pvs-studio: check: clean: - -rm -f varsub *.sed + -rm -f varsub fixman.sed mostlyclean: clean diff --git a/doc/fixman.sh b/doc/fixman.sh index bf4bd3257..f7ed1a8fc 100755 --- a/doc/fixman.sh +++ b/doc/fixman.sh 
@@ -28,130 +28,10 @@ if [ X"`uname 2>&1`" = X"HP-UX" ]; then EOF fi -# Page specific hacks -case "$OUTFILE" in - sudo.man.sed) - # Replace "0 minutes" with "unlimited" - cat >>"$OUTFILE" <<-'EOF' - /^\\fR0\\fR$/ { - N - s/^\\fR0\\fR\nminutes\.$/unlimited./ - } - EOF - - # BSD auth - if [ X"$BAMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^\[\\fB\\-a\\fR\\ \\fItype\\fR/d - /^\\fB\\-a\\fR \\fItype\\fR$/,/^\.TP 12n$/ { - /^\.PD$/!d - } - EOF - fi - - # BSD login class - if [ X"$LCMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^\[\\fB\\-c\\fR\\ \\fIclass\\fR/d - /^\\fB\\-c\\fR \\fIclass\\fR$/,/^\.TP 12n$/ { - /^\.PD$/!d - } - /^login_cap(3),$/d - /^BSD login class$/ { - N - N - /^BSD login class\n\.TP 4n\n\\fBo\\fR$/d - } - EOF - fi - - # SELinux - if [ X"$SEMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^\[\\fB\\-[rt]\\fR\\ \\fI[rt][oy][lp]e\\fR/d - /^\\fB\\-[rt]\\fR \\fI[rt][oy][lp]e\\fR$/,/^\.TP 12n$/ { - /^\.PD$/!d - } - /^SELinux role and type$/ { - N - N - /^SELinux role and type\n\.TP 4n\n\\fBo\\fR$/d - } - EOF - fi - - # Solaris privileges - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^Solaris project$/ { - N - N - N - N - N - /^Solaris project\n\.TP 4n\n\\fBo\\fR\nSolaris privileges\n\.TP 4n\n\\fBo\\fR$/d - } - EOF - fi - ;; - sudoers.man.sed) - # Join tagged list line with the corresponding item and re-process - cat >>"$OUTFILE" <<-'EOF' - :again - /^\.TP 18n$/ { - N - bagain - } - EOF - - # Subsections to remove (SELinux and Solaris are adjacent) - RM_SS= - if [ X"$PSMAN" != X"1" ]; then - if [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS "[^S]/{;/^\.SS "[^S][^o][^l]/!d;};' - else - RM_SS='/^\.SS "Solaris_Priv_Spec"/,/^\.SS/{;/^\.SS "[^S][^o][^l]/!d;};' - fi - elif [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS/{;/^\.SS "[^S][^E][^L]/!d;};' - fi - if [ -n "$RM_SS" ]; then - cat >>"$OUTFILE" <<-EOF - $RM_SS - EOF - fi - - # BSD login class - if [ X"$LCMAN" != X"1" ]; then - cat 
>>"$OUTFILE" <<-EOF - /^On BSD systems/,/\.$/d - /^\.TP 18n\nuse_loginclass$/,/^by default\./d - EOF - fi - - # Solaris PrivSpec - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-EOF - s/Solaris_Priv_Spec | // - /^Solaris_Priv_Spec ::=/ { - N - d - } - /^\.TP 18n\n\(limit\)*privs$/,/^is built on Solaris 10 or higher\./d - /^On Solaris 10/,/^\.[sP][pP]/d - EOF - fi - - # SELinux - if [ X"$SEMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-EOF - s/SELinux_Spec | // - /^SELinux_Spec ::=/ { - N - d - } - /^\.TP 18n\n[rt][oy][lp]e$/,/^is built with SELinux support\.$/d - EOF - fi - ;; -esac +# Replace "0 minutes" with "unlimited" +cat >>"$OUTFILE" <<-'EOF' + /^\\fR0\\fR$/ { + N + s/^\\fR0\\fR\nminutes\.$/unlimited./ + } +EOF diff --git a/doc/fixmdoc.sed b/doc/fixmdoc.sed new file mode 100755 index 000000000..3d572166f --- /dev/null +++ b/doc/fixmdoc.sed @@ -0,0 +1,5 @@ +# Replace "0 minutes" with "unlimited" +/^\.Li 0$/ { + N + s/^\.Li 0\nminutes\.$/unlimited./ +} diff --git a/doc/fixmdoc.sh b/doc/fixmdoc.sh deleted file mode 100755 index 53bf64296..000000000 --- a/doc/fixmdoc.sh +++ /dev/null 
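Review bot: doc/fixmdoc.sed is added with `new file mode 100755`, but it has no interpreter line and the Makefile only ever reads it with `$(SED) -f $(srcdir)/fixmdoc.sed`. An executable bit on a script fragment invites running it through the shell by mistake. Mode 100644, as used for doc/sudo.man.in.sed in this same commit, is the consistent choice.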
@@ -1,143 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2012-2014, 2017 Todd C. Miller -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# - -OUTFILE="$1" -rm -f "$OUTFILE" -> "$OUTFILE" - -# Page specific hacks -case "$OUTFILE" in - sudo.mdoc.sed) - # Replace "0 minutes" with "unlimited" - cat >>"$OUTFILE" <<-'EOF' - /^\.Li 0$/ { - N - s/^\.Li 0\nminutes\.$/unlimited./ - } - EOF - - # BSD auth - BA_FLAG= - if [ X"$BAMAN" != X"1" ]; then - BA_FLAG='/^.*\n\.Op Fl a Ar type/{;N;/^.*\n\.Ek$/d;};' - cat >>"$OUTFILE" <<-'EOF' - /^\.It Fl a Ar type/,/BSD authentication\.$/d - EOF - fi - - # BSD login class - LC_FLAG= - if [ X"$LCMAN" != X"1" ]; then - LC_FLAG='/^.*\n\.Op Fl c Ar class/{;N;/^.*\n\.Ek$/d;};' - cat >>"$OUTFILE" <<-'EOF' - /^\.It Fl c Ar class/,/BSD login classes\.$/d - /^\.Xr login_cap 3 ,$/d - /^BSD login class$/ { - N - /^BSD login class\n\.It$/d - } - EOF - fi - - # SELinux - SE_FLAG= - if [ X"$SEMAN" != X"1" ]; then - SE_FLAG='/^.*\n\.Op Fl r Ar role/{;N;/^.*\n\.Ek$/d;};/^.*\n\.Op Fl t Ar type/{;N;/^.*\n\.Ek$/d;};' - cat >>"$OUTFILE" <<-'EOF' - /^\.It Fl r Ar role/,/^\.Ar role \.$/d - /^\.It Fl t Ar type/,/derived from the role\.$/d - /^SELinux role and type$/ { - N - /^SELinux role and type\n\.It$/d - } - EOF - fi - - # Solaris privileges - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" 
<<-'EOF' - /^Solaris project$/ { - N - N - N - /^Solaris project\n\.It\nSolaris privileges\n\.It$/d - } - EOF - fi - - # Unsupported flags must be removed together - if [ -n "$BA_FLAG$LC_FLAG$SE_FLAG" ]; then - cat >>"$OUTFILE" <<-EOF - /^\.Bk -words\$/ { - N - $BA_FLAG$LC_FLAG$SE_FLAG - } - EOF - fi - ;; - sudoers.mdoc.sed) - # Subsections to remove (SELinux and Solaris are adjacent) - RM_SS= - if [ X"$PSMAN" != X"1" ]; then - if [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss [^S]/{;/^\.Ss [^S][^o][^l]/!d;};' - else - RM_SS='/^\.Ss Solaris_Priv_Spec/,/^\.Ss/{;/^\.Ss [^S][^o][^l]/!d;};' - fi - elif [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss/{;/^\.Ss [^S][^E][^L]/!d;};' - fi - if [ -n "$RM_SS" ]; then - cat >>"$OUTFILE" <<-EOF - $RM_SS - EOF - fi - - # BSD login class - if [ X"$LCMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^On BSD systems/,/\.$/d - /^\.It use_loginclass$/,/^by default\./d - EOF - fi - - # Solaris PrivSpec - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - s/Solaris_Priv_Spec | // - /^Solaris_Priv_Spec ::=/ { - N - d - } - /^\.It \(limit\)*privs$/,/is built on Solaris 10 or higher\.$/d - /^On Solaris 10/,/^\.Pp/d - EOF - fi - - # SELinux - if [ X"$SEMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - s/SELinux_Spec | // - /^SELinux_Spec ::=/ { - N - d - } - /^\.It [rt][oy][lp]e$/,/is built with SELinux support\.$/d - EOF - fi - ;; -esac diff --git a/doc/sudo.cat b/doc/sudo.cat index eb679c1e2..6d7671bbe 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -738,4 +738,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.26 October 27, 2018 Sudo 1.8.26 +Sudo 1.8.26 November 25, 2018 Sudo 1.8.26 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index aec771518..38d381523 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in 
@@ -19,7 +19,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "8" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.TH "SUDO" "8" "November 25, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -36,7 +40,7 @@ \fBsudo\fR \fB\-v\fR [\fB\-AknS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] @@ -46,7 +50,7 @@ \fBsudo\fR \fB\-l\fR [\fB\-AknS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] @@ -57,14 +61,14 @@ .HP 5n \fBsudo\fR [\fB\-AbEHnPS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-C\fR\ \fInum\fR] -[\fB\-c\fR\ \fIclass\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-r\fR\ \fIrole\fR] -[\fB\-t\fR\ \fItype\fR] +.if \n(SL [\fB\-r\fR\ \fIrole\fR] +.if \n(SL [\fB\-t\fR\ \fItype\fR] [\fB\-T\fR\ \fItimeout\fR] [\fB\-u\fR\ \fIuser\fR] [\fIVAR\fR=\fIvalue\fR] @@ -74,9 +78,9 @@ .HP 9n \fBsudoedit\fR [\fB\-AknS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-C\fR\ \fInum\fR] -[\fB\-c\fR\ \fIclass\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] @@ -188,9 +192,12 @@ If no askpass program is available, \fBsudo\fR will exit with an error. .RE +.if \n(BA \{\ .TP 12n \fB\-a\fR \fItype\fR, \fB\--auth-type\fR=\fItype\fR -Use the specified BSD authentication +Use the specified +BSD +authentication \fItype\fR when validating the user, if allowed by \fI/etc/login.conf\fR. 
@@ -199,7 +206,10 @@ authentication methods by adding an \(lqauth-sudo\(rq entry in \fI/etc/login.conf\fR. -This option is only available on systems that support BSD authentication. +This option is only available on systems that support +BSD +authentication. +.\} .TP 12n \fB\-b\fR, \fB\--background\fR Run the given command in the background. @@ -226,6 +236,7 @@ policy only permits use of the option when the administrator has enabled the \fIclosefrom_override\fR option. +.if \n(LC \{\ .TP 12n \fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR Run the command with resource limits and scheduling priority of @@ -250,7 +261,10 @@ If the command is being run as a login shell, additional \fI/etc/login.conf\fR settings, such as the umask and environment variables, will be applied, if present. -This option is only available on systems with BSD login classes. +This option is only available on systems with +BSD +login classes. +.\} .TP 12n \fB\-E\fR, \fB\--preserve-env\fR Indicates to the security policy that the user wishes to @@ -545,11 +559,13 @@ specified by a PAM module unless the flag is disabled in \fIsudoers\fR. .RE +.if \n(SL \{\ .TP 12n \fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR Run the command with an SELinux security context that includes the specified \fIrole\fR. +.\} .TP 12n \fB\-S\fR, \fB\--stdin\fR Write the prompt to the standard error and read the password from the @@ -568,6 +584,7 @@ If no command is specified, an interactive shell is executed. Note that most shells behave differently when a command is specified as compared to an interactive session; consult the shell's manual for details. +.if \n(SL \{\ .TP 12n \fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR Run the command with an SELinux security context that includes @@ -576,6 +593,7 @@ the specified If no \fItype\fR is specified, the default type is derived from the role. +.\} .TP 12n \fB\-U\fR \fIuser\fR, \fB\--other-user\fR=\fIuser\fR Used in conjunction with the 
@@ -711,18 +729,27 @@ current working directory .TP 3n \fB\(bu\fR file creation mode mask (umask) +.if \n(SL \{\ .TP 3n \fB\(bu\fR SELinux role and type +.\} +.if \n(PS \{\ .TP 3n \fB\(bu\fR Solaris project +.\} +.if \n(PS \{\ .TP 3n \fB\(bu\fR Solaris privileges +.\} +.if \n(LC \{\ .TP 3n \fB\(bu\fR -BSD login class +BSD +login class +.\} .TP 3n \fB\(bu\fR scheduling priority (aka nice value) diff --git a/doc/sudo.man.in.sed b/doc/sudo.man.in.sed new file mode 100644 index 000000000..432dd7474 --- /dev/null +++ b/doc/sudo.man.in.sed 
@@ -0,0 +1,76 @@ +s/^\(.TH .*\)/.nr SL @SEMAN@\ +.nr BA @BAMAN@\ +.nr LC @LCMAN@\ +.nr PS @PSMAN@\ +\1/ + +s/^\(\[\\fB\\-a\\fR.*\\fItype\\fR\]\) *$/.if \\n(BA \1/ +s/^\(\[\\fB\\-c\\fR.*\\fIclass\\fR\]\) *$/.if \\n(LC \1/ +s/^\(\[\\fB\\-r\\fR.*\\fIrole\\fR\]\) *$/.if \\n(SL \1/ +s/^\(\[\\fB\\-t\\fR.*\\fItype\\fR\]\) *$/.if \\n(SL \1/ + +/^\.TP 12n$/ { + N + /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/i\ +.if \\n(BA \\{\\ + /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/!i\ +.\\} + } + } + /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/i\ +.if \\n(LC \\{\\ + /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/!i\ +.\\} + } + } + /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/i\ +.if \\n(SL \\{\\ + /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/!i\ +.\\} + } + } + /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/i\ +.if \\n(SL \\{\\ + /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/!i\ +.\\} + } + } +} + +/^\.TP 3n$/ { + N + N + /^.TP 3n\n\\fB\\(bu\\fR\nSELinux role and type$/ { + i\ +.if \\n(SL \\{\\ + a\ +.\\} + } + /^.TP 3n\n\\fB\\(bu\\fR\nSolaris project$/ { + i\ +.if \\n(PS \\{\\ + a\ +.\\} + } + /^.TP 3n\n\\fB\\(bu\\fR\nSolaris privileges$/ { + i\ +.if \\n(PS \\{\\ + a\ +.\\} + } + /^.TP 3n\n\\fB\\(bu\\fR\nBSD$/ { + N + i\ +.if \\n(LC \\{\\ + a\ +.\\} + } +} diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index ebb05b146..c9b928e0c 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -18,7 +18,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd October 27, 2018 +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.Dd November 25, 2018 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
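Review bot: doc/sudo.man.in.sed starts straight into its first `s` command with no header comment, and it is the least obvious file in this change. A short comment block at the top would help: state that the script is applied to `mandoc -Tman` output by the DEVEL-only `$(srcdir)/sudo.man.in` rule in doc/Makefile.in, that it defines the `SL`, `BA`, `LC` and `PS` number registers ahead of `.TH`, and that it wraps each feature's option and list entries in a roff `.if` conditional block. Separately, the leading dot is unescaped in `s/^\(.TH .*\)/` and in the four `/^.TP 3n\n…/` addresses, unlike `/^\.TP 12n$/` above them; writing `^\.TH` and `^\.TP 3n` would stop them from matching any character in that position.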
@@ -31,7 +35,9 @@ .Nm sudo .Fl v .Op Fl AknS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt @@ -39,7 +45,9 @@ .Nm sudo .Fl l .Op Fl AknS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt @@ -48,14 +56,20 @@ .Op Ar command .Nm sudo .Op Fl AbEHnPS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl C Ar num +.if \n(LC \{\ .Op Fl c Ar class +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt +.if \n(SL \{\ .Op Fl r Ar role .Op Fl t Ar type +.\} .Op Fl T Ar timeout .Op Fl u Ar user .Op Ar VAR Ns = Ns Ar value @@ -63,9 +77,13 @@ .Op Ar command .Nm sudoedit .Op Fl AknS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl C Ar num +.if \n(LC \{\ .Op Fl c Ar class +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt @@ -171,8 +189,11 @@ Path askpass /usr/X11R6/bin/ssh-askpass If no askpass program is available, .Nm will exit with an error. +.if \n(BA \{\ .It Fl a Ar type , Fl -auth-type Ns = Ns Ar type -Use the specified BSD authentication +Use the specified +.Bx +authentication .Ar type when validating the user, if allowed by .Pa /etc/login.conf . @@ -181,7 +202,10 @@ authentication methods by adding an .Dq auth-sudo entry in .Pa /etc/login.conf . -This option is only available on systems that support BSD authentication. +This option is only available on systems that support +.Bx +authentication. +.\} .It Fl b , -background Run the given command in the background. Note that it is not possible to use shell job control to manipulate @@ -206,6 +230,7 @@ policy only permits use of the option when the administrator has enabled the .Em closefrom_override option. +.if \n(LC \{\ .It Fl c Ar class , Fl -login-class Ns = Ns Ar class Run the command with resource limits and scheduling priority of the specified login 
@@ -229,7 +254,10 @@ If the command is being run as a login shell, additional .Pa /etc/login.conf settings, such as the umask and environment variables, will be applied, if present. -This option is only available on systems with BSD login classes. +This option is only available on systems with +.Bx +login classes. +.\} .It Fl E , -preserve-env Indicates to the security policy that the user wishes to preserve their existing environment variables. @@ -493,10 +521,12 @@ specified by a PAM module unless the .Em passprompt_override flag is disabled in .Em sudoers . +.if \n(SL \{\ .It Fl r Ar role , Fl -role Ns = Ns Ar role Run the command with an SELinux security context that includes the specified .Ar role . +.\} .It Fl S , -stdin Write the prompt to the standard error and read the password from the standard input instead of using the terminal device. @@ -513,6 +543,7 @@ If no command is specified, an interactive shell is executed. Note that most shells behave differently when a command is specified as compared to an interactive session; consult the shell's manual for details. +.if \n(SL \{\ .It Fl t Ar type , Fl -type Ns = Ns Ar type Run the command with an SELinux security context that includes the specified @@ -520,6 +551,7 @@ the specified If no .Ar type is specified, the default type is derived from the role. +.\} .It Fl U Ar user , Fl -other-user Ns = Ns Ar user Used in conjunction with the .Fl l @@ -645,14 +677,21 @@ the environment list current working directory .It file creation mode mask (umask) +.if \n(SL \{\ .It SELinux role and type +.\} +.if \n(PS \{\ .It Solaris project .It Solaris privileges +.\} +.if \n(LC \{\ .It -BSD login class +.Bx +login class +.\} .It scheduling priority (aka nice value) .El diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 9574f6d82..5574bcb30 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -596,9 +596,9 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT setting the group to operator or system. OOppttiioonn__SSppeecc - A Cmnd may have zero or more options associated with it. Depending on - the system, options may consist of SELinux roles and/or types, Solaris - privileges sets, and command timeouts. Once an option is set for a Cmnd, + A Cmnd may have zero or more options associated with it. Options may + consist of SELinux roles and/or types, Solaris privileges sets, start + and/or end dates and command timeouts. Once an option is set for a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is overridden by another option. @@ -2928,4 +2928,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.26 October 27, 2018 Sudo 1.8.26 +Sudo 1.8.26 November 25, 2018 Sudo 1.8.26 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index b345ec4b7..3db57071b 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -19,7 +19,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.TH "SUDOERS" "5" "November 25, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -292,7 +296,10 @@ systems without PAM), the environment is initialized with the contents of the \fI/etc/environment\fR file. -On BSD systems, if the +.if \n(LC \{\ +On +BSD +systems, if the \fIuse_loginclass\fR option is enabled, the environment is initialized based on the @@ -301,6 +308,7 @@ and \fIsetenv\fR settings in \fI/etc/login.conf\fR. +.\} The new environment contains the \fRTERM\fR, \fRPATH\fR, 
@@ -483,7 +491,10 @@ systems without PAM), the contents of \fI/etc/environment\fR are also included. -On BSD systems, if the +.if \n(LC \{\ +On +BSD +systems, if the \fIuse_loginclass\fR flag is enabled, the @@ -493,6 +504,7 @@ and variables in \fI/etc/login.conf\fR are also applied. +.\} All other environment variables are removed unless permitted by \fIenv_keep\fR or @@ -1037,12 +1049,23 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' -Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.ie \n(SL \{\ +.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec) +.\} +.el \{\ +.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (Date_Spec | Timeout_Spec) +.\} +.if \n(SL \{\ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') +.\} +.if \n(PS \{\ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') +.\} Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp') Timeout_Spec ::= 'TIMEOUT=timeout' @@ -1248,8 +1271,14 @@ optionally setting the group to operator or system. A \fRCmnd\fR may have zero or more options associated with it. -Depending on the system, options may consist of SELinux roles -and/or types, Solaris privileges sets, and command timeouts. +Options may consist of +.if \n(SL \{\ +SELinux roles and/or types, +.\} +.if \n(PS \{\ +Solaris privileges sets, +.\} +start and/or end dates and command timeouts. Once an option is set for a \fRCmnd\fR, subsequent @@ -1257,6 +1286,7 @@ subsequent in the \fRCmnd_Spec_List\fR, inherit that option unless it is overridden by another option. +.if \n(SL \{\ .SS "SELinux_Spec" On systems with SELinux support, \fIsudoers\fR 
@@ -1269,6 +1299,8 @@ specified in A role or type specified on the command line, however, will supersede the values in \fIsudoers\fR. +.\} +.if \n(PS \{\ .SS "Solaris_Priv_Spec" On Solaris systems, \fIsudoers\fR @@ -1312,6 +1344,7 @@ name with either an or \(oq\-\(cq character. +.\} .SS "Date_Spec" \fBsudoers\fR rules can be specified with a start and end date via the @@ -3086,6 +3119,7 @@ will set the umask to be the union of the user's umask and what is specified in This flag is \fI@umask_override@\fR by default. +.if \n(BA \{\ .TP 18n use_loginclass If set, @@ -3100,6 +3134,7 @@ option. This flag is \fIoff\fR by default. +.\} .TP 18n use_netgroups If set, netgroups (prefixed with @@ -3563,6 +3598,7 @@ This directory should be cleared when the system reboots. The default is \fI@vardir@/lectured\fR. +.if \n(PS \{\ .TP 18n limitprivs The default Solaris limit privileges to use when constructing a new @@ -3573,6 +3609,7 @@ The default limit privileges may be overridden on a per-command basis in This option is only available if \fBsudoers\fR is built on Solaris 10 or higher. +.\} .TP 18n mailsub Subject of the mail sent to the @@ -3681,6 +3718,7 @@ flag can be used to change this behavior. The default value is \(lq\fR@passprompt@\fR\(rq. .RE +.if \n(PS \{\ .TP 18n privs The default Solaris privileges to use when constructing a new @@ -3698,6 +3736,8 @@ The default privileges may be overridden on a per-command basis in This option is only available if \fBsudoers\fR is built on Solaris 10 or higher. +.\} +.if \n(SL \{\ .TP 18n role The default SELinux role to use when constructing a new security @@ -3708,6 +3748,7 @@ file or via command line options. This option is only available when \fBsudo\fR is built with SELinux support. +.\} .TP 18n runas_default The default user to run commands as if the 
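Review bot: The `use_loginclass` entry in doc/sudoers.man.in (hunk `@@ -3086,6 +3119,7 @@`) is guarded by `.if \n(BA \{\`, but the same entry in doc/sudoers.mdoc.in (hunk `@@ -2902,6 +2935,7 @@`) and both "On BSD systems, if the use_loginclass" paragraphs are guarded by the `LC` register. `BA` and `LC` are set from different substitutions (`@BAMAN@` and `@LCMAN@`), so on a build where they differ the man-format sudoers(5) would show or hide this option out of step with the text that refers to it and with the mdoc version. The guard should read `.if \n(LC \{\`. MANIFEST now lists doc/sudoers.man.in.sed, so if this file is regenerated from the mdoc source, the correction presumably belongs in that sed script rather than in the generated output.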
@@ -3800,6 +3841,7 @@ The owner of the lecture status directory, time stamp directory and all files stored therein. The default is \fRroot\fR. +.if \n(SL \{\ .TP 18n type The default SELinux type to use when constructing a new security @@ -4199,6 +4241,7 @@ The default value is .RE .PP \fBLists that can be used in a boolean context\fR: +.\} .TP 18n env_check Environment variables to be removed from the user's environment diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index c78ac7fd2..b60c7b3bc 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -18,7 +18,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd October 27, 2018 +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.Dd November 25, 2018 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -282,7 +286,10 @@ systems without PAM), the environment is initialized with the contents of the .Pa /etc/environment file. -On BSD systems, if the +.if \n(LC \{\ +On +.Bx +systems, if the .Em use_loginclass option is enabled, the environment is initialized based on the @@ -291,6 +298,7 @@ and .Em setenv settings in .Pa /etc/login.conf . +.\} The new environment contains the .Ev TERM , .Ev PATH , @@ -470,7 +478,10 @@ systems without PAM), the contents of .Pa /etc/environment are also included. -On BSD systems, if the +.if \n(LC \{\ +On +.Bx +systems, if the .Em use_loginclass flag is enabled, the @@ -480,6 +491,7 @@ and variables in .Pa /etc/login.conf are also applied. +.\} All other environment variables are removed unless permitted by .Em env_keep or 
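Review bot: The `.if \n(SL \{\` opened before `.TP 18n` / `type` in doc/sudoers.man.in (hunk `@@ -3800,6 +3841,7 @@`) is only closed in hunk `@@ -4199,6 +4241,7 @@`, after the `\fBLists that can be used in a boolean context\fR:` heading about 400 lines further down. In doc/sudoers.mdoc.in the matching block is closed right after the `type` entry, on the line following "is built with SELinux support." and before `.El`. The lines between the two man.in hunks are not shown, but if they hold the remaining option descriptions, a build with `SL` set to 0 would drop all of them and the Lists heading from the rendered sudoers(5), hiding documentation for settings unrelated to SELinux. The closing `.\}` should follow the last line of the `type` entry, as in the mdoc source, and the one after the Lists heading should be removed.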
@@ -991,12 +1003,23 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' -Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.ie \n(SL \{\ +.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec) +.\} +.el \{\ +.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (Date_Spec | Timeout_Spec) +.\} +.if \n(SL \{\ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') +.\} +.if \n(PS \{\ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') +.\} Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp') Timeout_Spec ::= 'TIMEOUT=timeout' @@ -1177,8 +1200,14 @@ optionally setting the group to operator or system. A .Li Cmnd may have zero or more options associated with it. -Depending on the system, options may consist of SELinux roles -and/or types, Solaris privileges sets, and command timeouts. +Options may consist of +.if \n(SL \{\ +SELinux roles and/or types, +.\} +.if \n(PS \{\ +Solaris privileges sets, +.\} +start and/or end dates and command timeouts. Once an option is set for a .Li Cmnd , subsequent @@ -1186,6 +1215,7 @@ subsequent in the .Li Cmnd_Spec_List , inherit that option unless it is overridden by another option. +.if \n(SL \{\ .Ss SELinux_Spec On systems with SELinux support, .Em sudoers @@ -1198,6 +1228,8 @@ specified in A role or type specified on the command line, however, will supersede the values in .Em sudoers . +.\} +.if \n(PS \{\ .Ss Solaris_Priv_Spec On Solaris systems, .Em sudoers @@ -1236,6 +1268,7 @@ name with either an or .Ql \- character. +.\} .Ss Date_Spec .Nm sudoers rules can be specified with a start and end date via the @@ -2902,6 +2935,7 @@ will set the umask to be the union of the user's umask and what is specified in This flag is .Em @umask_override@ by default. +.if \n(LC \{\ .It use_loginclass If set, .Nm sudo 
@@ -2915,6 +2949,7 @@ option. This flag is .Em off by default. +.\} .It use_netgroups If set, netgroups (prefixed with .Ql + ) , @@ -3349,6 +3384,7 @@ This directory should be cleared when the system reboots. The default is .Pa @vardir@/lectured . +.if \n(PS \{\ .It limitprivs The default Solaris limit privileges to use when constructing a new privilege set for a command. @@ -3358,6 +3394,7 @@ The default limit privileges may be overridden on a per-command basis in This option is only available if .Nm is built on Solaris 10 or higher. +.\} .It mailsub Subject of the mail sent to the .Em mailto @@ -3451,6 +3488,7 @@ flag can be used to change this behavior. .Pp The default value is .Dq Li "@passprompt@" . +.if \n(PS \{\ .It privs The default Solaris privileges to use when constructing a new privilege set for a command. @@ -3467,6 +3505,8 @@ The default privileges may be overridden on a per-command basis in This option is only available if .Nm is built on Solaris 10 or higher. +.\} +.if \n(SL \{\ .It role The default SELinux role to use when constructing a new security context to run the command. @@ -3476,6 +3516,7 @@ file or via command line options. This option is only available when .Nm sudo is built with SELinux support. +.\} .It runas_default The default user to run commands as if the .Fl u @@ -3558,6 +3599,7 @@ The owner of the lecture status directory, time stamp directory and all files stored therein. The default is .Li root . +.if \n(SL \{\ .It type The default SELinux type to use when constructing a new security context to run the command. @@ -3567,6 +3609,7 @@ file or via command line options. This option is only available when .Nm sudo is built with SELinux support. +.\} .El .Pp .Sy Strings that can be used in a boolean context :