Fix typos reported by aspell.
s\bsu\bud\bdo\boe\ber\brs\bs uses per-user time stamp files for credential caching. Once a
user has been authenticated, a record is written containing the user ID
that was used to authenticate, the terminal session ID, the start time of
- the session leader (or parent proccess) and a time stamp (using a
+ the session leader (or parent process) and a time stamp (using a
monotonic clock if one is available). The user may then use s\bsu\bud\bdo\bo without
a password for a short period of time (5 minutes unless overridden by the
_\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, s\bsu\bud\bdo\boe\ber\brs\bs uses a separate record
PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
addition to variables from the invoking process permitted by the
_\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for
- environment variables. Environment variables with a value beginning with
- () are removed unless both the name and value parts are matched by
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp or _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, as they may be interpreted as functions by the
- b\bba\bas\bsh\bh shell. Prior to version 1.8.11, such variables were always removed.
+ environment variables. The environment variables LOGNAME, USER and
+ USERNAME are treated specially. If one or more variables are preserved
+ from the invoking process, any of the three remaining variables (that
+ were not explicitly preserved) will be set to the same value as the first
+ one in the list that was preserved. This avoids an inconsistent
+ environment where some of the variables describing the user name are set
+ to the invoking user and some are set to the target user. () are removed
+ unless both the name and value parts are matched by _\be_\bn_\bv_\b__\bk_\be_\be_\bp or
+ _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, as they may be interpreted as functions by the b\bba\bas\bsh\bh shell.
+ Prior to version 1.8.11, such variables were always removed.
If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
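Review bot: The removed line "Environment variables with a value beginning with" has no replacement, so after the new LOGNAME/USER/USERNAME paragraph the text reads "set to the target user. () are removed unless both the name and value parts are matched by", a sentence with no subject. Keep that line in front of "()" so the description of how function-style values are filtered for bash stays intact. The new paragraph is also a documentation addition rather than a spelling fix, so it deserves its own commit or at least a mention in the commit message.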
case_insensitive_group
If enabled, group names in _\bs_\bu_\bd_\bo_\be_\br_\bs will be matched in a
- case insentive manner. This may be necessary when
+ case insensitive manner. This may be necessary when
users are stored in LDAP or AD. This flag is _\bo_\bn by
default.
case_insensitive_user
If enabled, user names in _\bs_\bu_\bd_\bo_\be_\br_\bs will be matched in a
- case insentive manner. This may be necessary when
+ case insensitive manner. This may be necessary when
groups are stored in LDAP or AD. This flag is _\bo_\bn by
default.
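Review bot: The context lines next to both spelling fixes look swapped: case_insensitive_group says "This may be necessary when users are stored in LDAP or AD" while case_insensitive_user says "when groups are stored in LDAP or AD". Since these entries are already being touched, pair users with case_insensitive_user and groups with case_insensitive_group, here and in the two roff versions later in the patch. "case-insensitive" would also read better hyphenated.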
in the time stamp file for each terminal. If disabled,
a single record is used for all login sessions.
- This option has been superceded by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be
+ This option has been superseded by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be
option.
umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified in the
use_netgroups If set, netgroups (prefixed with `+'), may be used in
place of a user or host. For LDAP-based sudoers,
- netgroup support requires an expensive substring match
+ netgroup support requires an expensive sub-string match
on the server unless the N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE directive is
present in the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file. If netgroups are
not needed, this option can be disabled to reduce the
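Review bot: "substring" on the changed line is not a misspelling; it is the normal term for this kind of LDAP match, and aspell most likely flagged it only because the word is missing from its dictionary. I would drop the change to "sub-string" here and in the matching lines of the other two files, and add the word to the aspell personal word list instead.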
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.23 April 17, 2018 Sudo 1.8.23
+Sudo 1.8.23 April 18, 2018 Sudo 1.8.23
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "April 17, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "April 18, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
Once a user has been authenticated, a record is written
containing the user ID that was used to authenticate, the
terminal session ID, the start time of the session leader
-(or parent proccess) and a time stamp
+(or parent process) and a time stamp
(using a monotonic clock if one is available).
The user may then use
\fBsudo\fR
options.
This is effectively a whitelist
for environment variables.
-Environment variables with a value beginning with
+The environment variables
+\fRLOGNAME\fR,
+\fRUSER\fR
+and
+\fRUSERNAME\fR
+are treated specially.
+If one or more variables are preserved from the invoking process,
+any of the three remaining variables (that were not explicitly
+preserved) will be set to the same value as the first one in the
+list that was preserved.
+This avoids an inconsistent environment where some of the variables
+describing the user name are set to the invoking user and some are
+set to the target user.
\fR()\fR
are removed unless both the name and value parts are matched by
\fIenv_keep\fR
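Review bot: With "-Environment variables with a value beginning with" deleted, the "\fR()\fR" line now follows "set to the target user." directly, and the sentence about values starting with () has lost its opening. Turn that deletion back into a context line placed after the added paragraph.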
case_insensitive_group
If enabled, group names in
\fIsudoers\fR
-will be matched in a case insentive manner.
+will be matched in a case insensitive manner.
This may be necessary when users are stored in LDAP or AD.
This flag is
\fIon\fR
case_insensitive_user
If enabled, user names in
\fIsudoers\fR
-will be matched in a case insentive manner.
+will be matched in a case insensitive manner.
This may be necessary when groups are stored in LDAP or AD.
This flag is
\fIon\fR
will use a separate record in the time stamp file for each terminal.
If disabled, a single record is used for all login sessions.
.sp
-This option has been superceded by the
+This option has been superseded by the
\fItimestamp_type\fR
option.
.TP 18n
\(oq+\(cq),
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
-substring match on the server unless the
+sub-string match on the server unless the
\fBNETGROUP_BASE\fR
directive is present in the
\fI@ldap_conf@\fR
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd April 17, 2018
+.Dd April 18, 2018
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
Once a user has been authenticated, a record is written
containing the user ID that was used to authenticate, the
terminal session ID, the start time of the session leader
-(or parent proccess) and a time stamp
+(or parent process) and a time stamp
(using a monotonic clock if one is available).
The user may then use
.Nm sudo
options.
This is effectively a whitelist
for environment variables.
-Environment variables with a value beginning with
+The environment variables
+.Ev LOGNAME ,
+.Ev USER
+and
+.Ev USERNAME
+are treated specially.
+If one or more variables are preserved from the invoking process,
+any of the three remaining variables (that were not explicitly
+preserved) will be set to the same value as the first one in the
+list that was preserved.
+This avoids an inconsistent environment where some of the variables
+describing the user name are set to the invoking user and some are
+set to the target user.
.Li ()
are removed unless both the name and value parts are matched by
.Em env_keep
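Review bot: The sentence about () values loses its opening in this version too: ".Li ()" now follows "set to the target user." because "Environment variables with a value beginning with" was removed rather than kept below the new text. Separately, "any of the three remaining variables" is confusing when only three variables are listed; "any of the remaining variables" says what is meant.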
.It case_insensitive_group
If enabled, group names in
.Em sudoers
-will be matched in a case insentive manner.
+will be matched in a case insensitive manner.
This may be necessary when users are stored in LDAP or AD.
This flag is
.Em on
.It case_insensitive_user
If enabled, user names in
.Em sudoers
-will be matched in a case insentive manner.
+will be matched in a case insensitive manner.
This may be necessary when groups are stored in LDAP or AD.
This flag is
.Em on
will use a separate record in the time stamp file for each terminal.
If disabled, a single record is used for all login sessions.
.Pp
-This option has been superceded by the
+This option has been superseded by the
.Em timestamp_type
option.
.It umask_override
.Ql + ) ,
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
-substring match on the server unless the
+sub-string match on the server unless the
.Sy NETGROUP_BASE
directive is present in the
.Pa @ldap_conf@