-1.7.5b2 November 13, 2010 1
+1.7.5b2 December 17, 2010 1
-1.7.5b2 November 13, 2010 2
+1.7.5b2 December 17, 2010 2
-1.7.5b2 November 13, 2010 3
+1.7.5b2 December 17, 2010 3
-1.7.5b2 November 13, 2010 4
+1.7.5b2 December 17, 2010 4
-1.7.5b2 November 13, 2010 5
+1.7.5b2 December 17, 2010 5
-1.7.5b2 November 13, 2010 6
+1.7.5b2 December 17, 2010 6
-1.7.5b2 November 13, 2010 7
+1.7.5b2 December 17, 2010 7
-1.7.5b2 November 13, 2010 8
+1.7.5b2 December 17, 2010 8
-1.7.5b2 November 13, 2010 9
+1.7.5b2 December 17, 2010 9
-1.7.5b2 November 13, 2010 10
+1.7.5b2 December 17, 2010 10
-1.7.5b2 November 13, 2010 11
+1.7.5b2 December 17, 2010 11
-1.7.5b2 November 13, 2010 12
+1.7.5b2 December 17, 2010 12
-1.7.5b2 November 13, 2010 13
+1.7.5b2 December 17, 2010 13
-1.7.5b2 November 13, 2010 14
+1.7.5b2 December 17, 2010 14
-1.7.5b2 November 13, 2010 15
+1.7.5b2 December 17, 2010 15
-1.7.5b2 November 13, 2010 16
+1.7.5b2 December 17, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ iolog_dir The directory in which to store input/output logs when
+ the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled or when
+ the <LOG_INPUT> or LOG_OUTPUT tags are present for a
+ command. The default is "/var/log/sudo-io".
+
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
%h will expand to the host name of the machine.
Default is *** SECURITY information for %h ***.
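Review bot: the new iolog_dir text renders LOG_INPUT with literal angle brackets, `the <LOG_INPUT> or LOG_OUTPUT tags`, while LOG_OUTPUT renders as plain text here and as code in the man source (`<\s-1LOG_INPUT\s0>` beside `\f(CW\*(C`LOG_OUTPUT\*(C'\fR`), which points to a markup slip in the POD source for the LOG_INPUT tag; fix the source so both tag names render the same way before regenerating these pages.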
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenticates
- unsuccessfully. Defaults to alert.
- syslog_goodpri Syslog priority to use when user authenticates
- successfully. Defaults to notice.
+1.7.5b2 December 17, 2010 17
-1.7.5b2 November 13, 2010 17
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ unsuccessfully. Defaults to alert.
+ syslog_goodpri Syslog priority to use when user authenticates
+ successfully. Defaults to notice.
sudoers_locale Locale to use when parsing the sudoers file. Note that
changing the locale may affect how sudoers is
once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
- If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\bo_\bn_\bc_\be.
-
-
-1.7.5b2 November 13, 2010 18
+1.7.5b2 December 17, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\bo_\bn_\bc_\be.
+
lecture_file
Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
will be used in place of the standard lecture if the named
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
- _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
- option is not set by default.
- syslog Syslog facility if syslog is being used for logging (negate
-
-1.7.5b2 November 13, 2010 19
+1.7.5b2 December 17, 2010 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
+ option is not set by default.
+
+ syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to auth.
verifypw This option controls when a password will be required when
default list of environment variables to remove is
displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
Note that many operating systems will remove
- potentially dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
-
- env_keep Environment variables to be preserved in the user's
-1.7.5b2 November 13, 2010 20
+1.7.5b2 December 17, 2010 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ potentially dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
+
+ env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
This allows fine-grained control over the environment
s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
-1.7.5b2 November 13, 2010 21
+1.7.5b2 December 17, 2010 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
- any host but they must authenticate themselves first (since the entry
- lacks the NOPASSWD tag).
-
-1.7.5b2 November 13, 2010 22
+1.7.5b2 December 17, 2010 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ any host but they must authenticate themselves first (since the entry
+ lacks the NOPASSWD tag).
+
jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
- on all machines.
- fred ALL = (DB) NOPASSWD: ALL
+1.7.5b2 December 17, 2010 23
-1.7.5b2 November 13, 2010 23
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ on all machines.
+ fred ALL = (DB) NOPASSWD: ALL
The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
(o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
- _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
- use a shell escape from an editor or other program. Therefore, these
-
-1.7.5b2 November 13, 2010 24
+1.7.5b2 December 17, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
kind of restrictions should be considered advisory at best (and
reinforced by policy).
where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
solution to running editors via s\bsu\bud\bdo\bo. Due to the large
number of programs that offer shell escapes, restricting
- users to the set of programs that do not if often unworkable.
+ users to the set of programs that do not is often unworkable.
noexec Many systems that support shared libraries have the ability
to override default library functions by pointing an
If the resulting output contains a line that begins with:
- File containing dummy exec functions:
-
-
-1.7.5b2 November 13, 2010 25
+1.7.5b2 December 17, 2010 25
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ File containing dummy exec functions:
+
then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
-
-
-1.7.5b2 November 13, 2010 26
+1.7.5b2 December 17, 2010 26
-1.7.5b2 November 13, 2010 27
+1.7.5b2 December 17, 2010 27
-1.7.5b2 November 13, 2010 1
+1.7.5b2 January 10, 2011 1
-1.7.5b2 November 13, 2010 2
+1.7.5b2 January 10, 2011 2
s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
The sudoRole entries retrieved from the LDAP directory have no
- inherent order. The s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is an integer that will be
- used to sort the matching entries. This allows to more closely
- mimic the behaviour of the sudoers file, where the of the entries
- does have an influence on the result. If the s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute
- is not present, a value of 0 is assumed.
+ inherent order. The s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is an integer (or floating
+ point value for LDAP servers that support it) that is used to sort
+ the matching entries. This allows LDAP-based sudoers entries to
+ more closely mimic the behaviour of the sudoers file, where the of
+ the entries influences the result. If multiple entries match, the
+ entry with the highest s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is chosen. This
+ corresponds to the "last match" behavior of the sudoers file. If
+ the s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute is not present, a value of 0 is assumed.
Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
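Review bot: the rewritten sudoOrder paragraph carries over a missing word from the old text, `mimic the behaviour of the sudoers file, where the of the entries influences the result`, which should read "where the order of the entries influences the result"; the same sentence needs the same fix in the sudoers.ldap.man.in hunk (`where the` / `of the entries influences the result`). The rest of the new wording, in particular stating that the highest sudoOrder wins and that this corresponds to last-match in the sudoers file, is a clear improvement.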
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
- returned in any specific order. If there are conflicting command rules
- on an entry, the negative takes precedence. This is called paranoid
- behavior (not necessarily the most specific match).
+ returned in any specific order.
+
+ The order in which different entries are applied can be controlled
+ using the s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br attribute, but there is no way to guarantee the
+ order of attributes within a specific entry. If there are conflicting
+ command rules in an entry, the negative takes precedence. This is
+ called paranoid behavior (not necessarily the most specific match).
Here is an example:
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
- # LDAP equivalent of johnny
- # Allows all commands except shell
-1.7.5b2 November 13, 2010 3
+1.7.5b2 January 10, 2011 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
+
+ # LDAP equivalent of johnny
+ # Allows all commands except shell
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
- currently ignorred. For example, the following attributes do not
- behave the way one might expect.
+ currently ignored. For example, the following attributes do not behave
+ the way one might expect.
# does not match all but joe
# rather, does not match anyone
Three versions of the schema: one for OpenLDAP servers
(_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt),
- and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
- found in the s\bsu\bud\bdo\bo distribution.
- The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
- section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
+1.7.5b2 January 10, 2011 4
-1.7.5b2 November 13, 2010 4
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
+ found in the s\bsu\bud\bdo\bo distribution.
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
+ section.
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+ Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
wait before trying the next one in the list.
- T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
- The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
- to wait for a response to an LDAP query.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
- The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
- this is of the form ou=SUDOers,dc=example,dc=com for the domain
+1.7.5b2 January 10, 2011 5
-1.7.5b2 November 13, 2010 5
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT.
+ T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
+ to wait for a response to an LDAP query.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
+ The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
+ this is of the form ou=SUDOers,dc=example,dc=com for the domain
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
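Review bot: the new NETWORK_TIMEOUT entry says only `An alias for BIND_TIMELIMIT`; since the page states that sudo parses /etc/ldap.conf itself and the file is shared with other LDAP clients, say why the alias exists, namely that NETWORK_TIMEOUT is the keyword the OpenLDAP ldap.conf uses for the same connect timeout, so an administrator knows which spelling a shared file is likely to contain and that both set the same value.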
Typically, this involves connecting to the server on port 636
(ldaps).
- S\bSS\bSL\bL start_tls
- If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
- connection is initiated normally and TLS encryption is begun before
- the bind credentials are sent. This has the advantage of not
- requiring a dedicated port for encrypted communications. This
- parameter is only supported by LDAP servers that honor the
- start_tls extension, such as the OpenLDAP server.
-
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
- If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
-1.7.5b2 November 13, 2010 6
+1.7.5b2 January 10, 2011 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ S\bSS\bSL\bL start_tls
+ If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
+ connection is initiated normally and TLS encryption is begun before
+ the bind credentials are sent. This has the advantage of not
+ requiring a dedicated port for encrypted communications. This
+ parameter is only supported by LDAP servers that honor the
+ start_tls extension, such as the OpenLDAP server.
+
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
+ If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
certificate authority), s\bsu\bud\bdo\bo will be unable to connect to it. If
T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
The path to a file containing the private key which matches the
certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
- password-protected. The key type depends on the LDAP libraries
- used.
- OpenLDAP:
- tls_key /etc/ssl/client_key.pem
- Netscape-derived:
- tls_key /var/ldap/key3.db
+1.7.5b2 January 10, 2011 7
-1.7.5b2 November 13, 2010 7
-
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ password-protected. The key type depends on the LDAP libraries
+ used.
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ OpenLDAP:
+ tls_key /etc/ssl/client_key.pem
+ Netscape-derived:
+ tls_key /var/ldap/key3.db
T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
The following sources are recognized:
- files read sudoers from F</etc/sudoers>
- ldap read sudoers from LDAP
- In addition, the entry [NOTFOUND=return] will short-circuit the search
- if the user was not found in the preceding source.
- To consult LDAP first followed by the local sudoers file (if it
- exists), use:
+1.7.5b2 January 10, 2011 8
-1.7.5b2 November 13, 2010 8
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ files read sudoers from F</etc/sudoers>
+ ldap read sudoers from LDAP
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ In addition, the entry [NOTFOUND=return] will short-circuit the search
+ if the user was not found in the preceding source.
+ To consult LDAP first followed by the local sudoers file (if it
+ exists), use:
sudoers: ldap files
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
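Review bot: the moved line `files read sudoers from F</etc/sudoers>` leaks raw POD markup into the rendered catalogue page; this list is a verbatim paragraph, where F<> is not interpreted, so the source should carry the plain path /etc/sudoers (or the list should be converted to an indented item list so the formatting code applies).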
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
-
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
-
+1.7.5b2 January 10, 2011 9
-1.7.5b2 November 13, 2010 9
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
# extension such as OpenLDAP.
#ssl start_tls
#
- # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection.
- #
- #tls_checkpeer yes # verify server SSL certificate
- #tls_checkpeer no # ignore server SSL certificate
- #
-1.7.5b2 November 13, 2010 10
+1.7.5b2 January 10, 2011 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection.
+ #
+ #tls_checkpeer yes # verify server SSL certificate
+ #tls_checkpeer no # ignore server SSL certificate
+ #
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL user name>
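Review bot: the example ldap.conf still offers `#tls_checkpeer no # ignore server SSL certificate` as a peer of `yes` without saying what is given up; because the sudoRole entries fetched over this connection are the authorization policy, the comment should state that disabling verification means sudo can no longer tell whether the policy came from the intended server, and should point at the tls_cacertfile / tls_cacertdir lines immediately below as the way to keep `yes` working with a private certificate authority.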
- # rootuse_sasl yes
- # rootsasl_auth_id <SASL user name for root access>
- # sasl_secprops none
- # krb5_ccname /etc/.ldapcache
-
-
-1.7.5b2 November 13, 2010 11
+1.7.5b2 January 10, 2011 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # rootuse_sasl yes
+ # rootsasl_auth_id <SASL user name for root access>
+ # sasl_secprops none
+ # krb5_ccname /etc/.ldapcache
+
S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
- DESC 'Start of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
-1.7.5b2 November 13, 2010 12
+1.7.5b2 January 10, 2011 12
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9
_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The way that _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed differs between Note that there are
- differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed compared to
- file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between LDAP and non-LDAP
- sudoers" section for more information.
+ Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
+ parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between
+ LDAP and non-LDAP sudoers" section for more information.
B\bBU\bUG\bGS\bS
If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
-
-
-
-
-1.7.5b2 November 13, 2010 13
+1.7.5b2 January 10, 2011 13
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "January 10, 2011" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IP "\fBsudoOrder\fR" 4
.IX Item "sudoOrder"
The sudoRole entries retrieved from the \s-1LDAP\s0 directory have no
-inherent order. The \fBsudoOrder\fR attribute is an integer that will
-be used to sort the matching entries. This allows to more closely
-mimic the behaviour of the sudoers file, where the of the entries
-does have an influence on the result. If the \fBsudoOrder\fR attribute
-is not present, a value of 0 is assumed.
+inherent order. The \fBsudoOrder\fR attribute is an integer (or
+floating point value for \s-1LDAP\s0 servers that support it) that is used
+to sort the matching entries. This allows LDAP-based sudoers entries
+to more closely mimic the behaviour of the sudoers file, where the
+of the entries influences the result. If multiple entries match,
+the entry with the highest \fBsudoOrder\fR attribute is chosen. This
+corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
+the \fBsudoOrder\fR attribute is not present, a value of 0 is assumed.
.PP
Each component listed above should contain a single value, but there
may be multiple instances of each component type. A sudoRole must
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
-and Entries are returned in any specific order. If there are
-conflicting command rules on an entry, the negative takes precedence.
+and Entries are returned in any specific order.
+.PP
+The order in which different entries are applied can be controlled
+using the \fBsudoOrder\fR attribute, but there is no way to guarantee
+the order of attributes within a specific entry. If there are
+conflicting command rules in an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
.PP
.Ve
.PP
Another difference is that negations on the Host, User or Runas are
-currently ignorred. For example, the following attributes do not
+currently ignored. For example, the following attributes do not
behave the way one might expect.
.PP
.Vb 3
to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
the next one in the list.
+.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
+.IX Item "NETWORK_TIMEOUT seconds"
+An alias for \fB\s-1BIND_TIMELIMIT\s0\fR.
.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
.IX Item "TIMELIMIT seconds"
The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5)
.SH "CAVEATS"
.IX Header "CAVEATS"
-The way that \fIsudoers\fR is parsed differs between Note that there
-are differences in the way that LDAP-based \fIsudoers\fR is parsed
-compared to file-based \fIsudoers\fR. See the \*(L"Differences between
-\&\s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
+Note that there are differences in the way that LDAP-based \fIsudoers\fR
+is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences
+between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "December 17, 2010" "1.7.5b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
list that exists and is executable. The default is \f(CW"@editor@"\fR.
+.IP "iolog_dir" 16
+.IX Item "iolog_dir"
+The directory in which to store input/output logs when the \fIlog_input\fR
+or \fIlog_output\fR options are enabled or when the <\s-1LOG_INPUT\s0> or
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
+The default is \f(CW"@iolog_dir@"\fR.
.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
.IP "\fI/etc/netgroup\fR" 24
.IX Item "/etc/netgroup"
List of network groups
-.IP "\fI/var/log/sudo\-io\fR" 24
-.IX Item "/var/log/sudo-io"
+.ie n .IP "\fI@iolog_dir@\fR" 24
+.el .IP "\fI@iolog_dir@\fR" 24
+.IX Item "@iolog_dir@"
I/O log files
.SH "EXAMPLES"
.IX Header "EXAMPLES"
escapes are disabled, though \fBsudoedit\fR is a better solution to
running editors via \fBsudo\fR. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
-do not if often unworkable.
+do not is often unworkable.
.IP "noexec" 10
.IX Item "noexec"
Many systems that support shared libraries have the ability to