There are two distinct ways to deal with environment variables. By
default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
- to be executed with a minimal environment containing the TERM, PATH,
- HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
- addition to variables from the invoking process permitted by the
- _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs options. This is effectively a
- whitelist for environment variables.
+ to be executed with a new, minimal environment containing. On AIX (and
+ Linux systems without PAM), the environment is initialized with the
+ contents of the _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the
+ _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is enabled, the environment is initialized based
+ on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The new
+ environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
+ USERNAME and SUDO_* variables in addition to variables from the
+ invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This
+ is effectively a whitelist for environment variables.
If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
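Review bot: the first added line of this hunk is left dangling: "to be executed with a new, minimal environment containing." ends on "containing." with no object, because the list of variables was moved into the later sentence "The new environment contains the TERM, PATH, ...". Drop the trailing word so the line reads "to be executed with a new, minimal environment." A smaller point in the same hunk: the removed text called env_check and env_keep "sudoers options" while the new text says only "options"; keeping the sudoers qualifier matches the env_reset sentence just above it.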
_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
- AIX
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
+ Linux systems
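Review bot: the reworded FILES entry, "Initial environment for -i mode on AIX and Linux systems", disagrees with the env_reset description earlier in this patch, which qualifies Linux with "(and Linux systems without PAM)". As written, the FILES entry implies /etc/environment is consulted on every Linux system; either add the same "without PAM" qualifier here or point the reader at the env_reset description. The roff FILES entry later in the patch carries the same wording and needs the same adjustment.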
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
-1.7.9 January 12, 2012 SUDO(1m)
+1.7.10 May 23, 2012 SUDO(1m)
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "January 12, 2012" "1.7.9" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.PP
There are two distinct ways to deal with environment variables. By
default, the \fIenv_reset\fR \fIsudoers\fR option is enabled. This causes
-commands to be executed with a minimal environment containing the
-\&\f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR,
-\&\f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables in addition to variables from
-the invoking process permitted by the \fIenv_check\fR and \fIenv_keep\fR
-\&\fIsudoers\fR options. This is effectively a whitelist for environment
-variables.
+commands to be executed with a new, minimal environment containing.
+On \s-1AIX\s0 (and Linux systems without \s-1PAM\s0), the environment is initialized
+with the contents of the \fI/etc/environment\fR file. On \s-1BSD\s0 systems,
+if the \fIuse_loginclass\fR option is enabled, the environment is
+initialized based on the \fIpath\fR and \fIsetenv\fR settings in
+\&\fI/etc/login.conf\fR. The new environment contains the \f(CW\*(C`TERM\*(C'\fR,
+\&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR
+and \f(CW\*(C`SUDO_*\*(C'\fR variables in addition to variables from the invoking
+process permitted by the \fIenv_check\fR and \fIenv_keep\fR options. This
+is effectively a whitelist for environment variables.
.PP
If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
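Review bot: the same dangling sentence as in the preformatted page appears here: the added line "commands to be executed with a new, minimal environment containing." should end at "environment." since the variable list now lives in the following "The new environment contains ..." sentence. The preformatted .cat text is rendered from this roff source, so this is the line to fix; otherwise the next regeneration reintroduces the error there.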
Directory containing time stamps
.IP "\fI/etc/environment\fR" 24
.IX Item "/etc/environment"
-Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
+Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.
implementation. For instance, the QAS AD backend supports the
following formats:
- +\bo Group in the same domain: "Group Name"
+ o Group in the same domain: "Group Name"
- +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+ o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
- +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+ o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and special characters. See
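Review bot: the only change in this hunk is the bullet glyph, from the overstruck "+\bo" to a plain "o"; no wording changes. That reads as regenerated formatter output rather than an intended edit, so it is worth confirming the .cat files were all regenerated with the same nroff so that bullets render consistently across every page in this release rather than differing page by page.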
-1.7.9 January 12, 2012 SUDOERS(4)
+1.7.10 May 23, 2012 SUDOERS(4)
Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
- +\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
+ o s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
environments.
- +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
+ o s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not
prevent s\bsu\bud\bdo\bo from running.
- +\bo It is possible to specify per-entry options that override the
+ o It is possible to specify per-entry options that override the
global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
and limited options associated with user/host/commands/aliases.
The syntax is complicated and can be difficult for users to
understand. Placing the options directly in the entry is more
natural.
- +\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
+ o The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
are atomic, locking is no longer necessary. Because syntax is
checked when the data is inserted into LDAP, there is no need for a
-1.7.9 January 12, 2012 SUDOERS.LDAP(4)
+1.7.10 May 23, 2012 SUDOERS.LDAP(4)
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "January 12, 2012" "1.7.9" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "January 12, 2012" "1.7.9" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-l [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
Enable "list mode". In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
- available session IDs. If a _\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is
- specified, it will be used to restrict the IDs that are
- displayed. An expression is composed of the following
- predicates:
+ available sessions in a format similar to the s\bsu\bud\bdo\bo log file
+ format, sorted by file name (or sequence number). If a
+ _\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is specified, it will be used to restrict
+ the IDs that are displayed. An expression is composed of
+ the following predicates:
command _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn
Evaluates to true if the command run matches
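Review bot: the new text changes terminology mid-paragraph: sudoreplay now lists available "sessions", yet the next sentence still says the search expression restricts "the IDs that are displayed". Use "sessions" in both places or keep "session IDs" throughout. Separately, "sorted by file name (or sequence number)" leaves the reader unsure which ordering applies; state which one is used, or that the two are the same ordering if that is the intent.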
-1.7.9 January 12, 2012 SUDOREPLAY(1m)
+1.7.10 May 23, 2012 SUDOREPLAY(1m)
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "January 12, 2012" "1.7.9" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IP "\-l [\fIsearch expression\fR]" 12
.IX Item "-l [search expression]"
Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available
-session IDs. If a \fIsearch expression\fR is specified, it will be
-used to restrict the IDs that are displayed. An expression is
-composed of the following predicates:
+sessions in a format similar to the \fBsudo\fR log file format, sorted
+by file name (or sequence number). If a \fIsearch expression\fR is
+specified, it will be used to restrict the IDs that are displayed.
+An expression is composed of the following predicates:
.RS 12
.IP "command \fIcommand pattern\fR" 8
.IX Item "command command pattern"
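Review bot: same terminology mismatch as in the preformatted sudoreplay page: the added lines say "list available sessions" but keep "restrict the IDs that are displayed" in the following sentence, and "sorted by file name (or sequence number)" does not say which ordering applies. This roff text is the source the .cat page is rendered from, so the wording fix belongs here.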
-1.7.9 January 12, 2012 VISUDO(1m)
+1.7.10 May 23, 2012 VISUDO(1m)
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "January 12, 2012" "1.7.9" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l