Add warning about using ALL in a command context.

diff --git a/sudoers.cat b/sudoers.cat
index 8e177315d56c95c9cb33a157db3101c7c7fce0a4..56dbf0b4d5e196c6dbcbca1ed696369df48d8624 100644 (file)
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -61,7 +61,7 @@ D\bD\bD\bDE\bE\bE\bES\bS\bS\bSC\bC\bC\bCR\bR\bR\bRI\bI\bI\bIP\bP\bP\bPT\bT\bT\bTI\bI\bI\bIO\bO\bO\bON\bN\bN\bN
 
 
 
-8/Nov/1999                     1.6                              1
+15/Nov/1999                    1.6                              1
 
 
 
@@ -127,7 +127,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                              2
+15/Nov/1999                    1.6                              2
 
 
 
@@ -193,7 +193,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                              3
+15/Nov/1999                    1.6                              3
 
 
 
@@ -259,7 +259,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                              4
+15/Nov/1999                    1.6                              4
 
 
 
@@ -325,7 +325,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                              5
+15/Nov/1999                    1.6                              5
 
 
 
@@ -391,7 +391,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                              6
+15/Nov/1999                    1.6                              6
 
 
 
@@ -457,7 +457,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                              7
+15/Nov/1999                    1.6                              7
 
 
 
@@ -503,7 +503,9 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
        might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
        or Host_Alias.  You should not try to define your own
        _\ba_\bl_\bi_\ba_\bs called A\bA\bA\bAL\bL\bL\bLL\bL\bL\bL as the built in alias will be used in
-       preference to your own.
+       preference to your own.  Please note that using A\bA\bA\bAL\bL\bL\bLL\bL\bL\bL can be
+       dangerous since in a command context, it allows the user
+       to run a\ba\ba\ban\bn\bn\bny\by\by\by command on the system.
 
        An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
        operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd.  This
@@ -519,11 +521,9 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
        syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
        '(', ')') is optional.
 
-       The following characters must be escaped with a backslash
-
 
 
-8/Nov/1999                     1.6                              8
+15/Nov/1999                    1.6                              8
 
 
 
@@ -532,6 +532,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
+       The following characters must be escaped with a backslash
        ('\') when used as part of a word (eg. a username or
        hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
 
@@ -588,8 +589,7 @@ E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
 
 
 
-
-8/Nov/1999                     1.6                              9
+15/Nov/1999                    1.6                              9
 
 
 
@@ -655,7 +655,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                             10
+15/Nov/1999                    1.6                             10
 
 
 
@@ -721,7 +721,7 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                             11
+15/Nov/1999                    1.6                             11
 
 
 
@@ -787,7 +787,7 @@ S\bS\bS\bSE\bE\bE\bEE\bE\bE\bE A\bA\bA\bAL\bL\bL\bLS\bS\bS\bSO\bO\bO\bO
 
 
 
-8/Nov/1999                     1.6                             12
+15/Nov/1999                    1.6                             12
 
 
 
@@ -853,6 +853,6 @@ sudoers(5)                 FILE FORMATS                sudoers(5)
 
 
 
-8/Nov/1999                     1.6                             13
+15/Nov/1999                    1.6                             13
 
 

diff --git a/sudoers.html b/sudoers.html
index c34f50e6a74a1c98bc5da2a69eb9dadfa6582f65..9dcd4eb97c4c20fdd7f817b0f522f92404068d6b 100644 (file)
--- a/sudoers.html
+++ b/sudoers.html
@@ -555,7 +555,8 @@ up to the end of the line, are ignored.
 
 <P>
 The reserved word <STRONG>ALL</STRONG> is a a built in <EM>alias</EM> that always causes a match to succeed. It can be used wherever one might
-otherwise use a <CODE>Cmnd_Alias</CODE>, <CODE>User_Alias</CODE>, <CODE>Runas_Alias</CODE>, or <CODE>Host_Alias</CODE>. You should not try to define your own <EM>alias</EM> called <STRONG>ALL</STRONG> as the built in alias will be used in preference to your own.
+otherwise use a <CODE>Cmnd_Alias</CODE>, <CODE>User_Alias</CODE>, <CODE>Runas_Alias</CODE>, or <CODE>Host_Alias</CODE>. You should not try to define your own <EM>alias</EM> called <STRONG>ALL</STRONG> as the built in alias will be used in preference to your own. Please note
+that using <STRONG>ALL</STRONG> can be dangerous since in a command context, it allows the user to run <STRONG>any</STRONG> command on the system.
 
 <P>
 An exclamation point ('!') can be used as a logical <EM>not</EM> operator both in an <EM>alias</EM> and in front of a <CODE>Cmnd</CODE>. This allows one to exclude certain values. Note, however, that using a <CODE>!</CODE> in conjunction with the built in <CODE>ALL</CODE> alias to allow a user to run ``all but a few'' commands rarely works as

diff --git a/sudoers.man b/sudoers.man
index 46572187bb3f9670791daf9c0e86edd121af6633..241e3cab02a291871df306aa4d4ab08fc4bc3b3e 100644 (file)
--- a/sudoers.man
+++ b/sudoers.man
@@ -2,8 +2,8 @@
 ''' $RCSfile$$Revision$$Date$
 '''
 ''' $Log$
-''' Revision 1.14  1999/11/09 00:00:29  millert
-''' Mention what characters need to be escaped in names.
+''' Revision 1.15  1999/11/16 05:23:41  millert
+''' Add warning about using ALL in a command context.
 '''
 '''
 .de Sh
@@ -96,7 +96,7 @@
 .nr % 0
 .rr F
 .\}
-.TH sudoers 5 "1.6" "8/Nov/1999" "FILE FORMATS"
+.TH sudoers 5 "1.6" "15/Nov/1999" "FILE FORMATS"
 .UC
 .if n .hy 0
 .if n .na
@@ -568,7 +568,9 @@ The reserved word \fB\s-1ALL\s0\fR is a a built in \fIalias\fR that always cause
 a match to succeed.  It can be used wherever one might otherwise
 use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR.
 You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
-built in alias will be used in preference to your own.
+built in alias will be used in preference to your own.  Please note
+that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
+allows the user to run \fBany\fR command on the system.
 .PP
 An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator
 both in an \fIalias\fR and in front of a \f(CWCmnd\fR.  This allows one to

diff --git a/sudoers.pod b/sudoers.pod
index d7ad822dc64c2535a0eb9c8200edd6bc9321d717..3dfb773c49f1b1dd7c2443924b592eeea98f820c 100644 (file)
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -523,7 +523,9 @@ The reserved word B<ALL> is a a built in I<alias> that always causes
 a match to succeed.  It can be used wherever one might otherwise
 use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
 You should not try to define your own I<alias> called B<ALL> as the
-built in alias will be used in preference to your own.
+built in alias will be used in preference to your own.  Please note
+that using B<ALL> can be dangerous since in a command context, it
+allows the user to run B<any> command on the system.
 
 An exclamation point ('!') can be used as a logical I<not> operator
 both in an I<alias> and in front of a C<Cmnd>.  This allows one to