Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
integer, string and list parameters may also be used in a boolean
- context to disable them. Values may be enclosed in double quotes (")
+ context to disable them. Values may be enclosed in double quotes ("")
when they contain multiple words. Special characters may be escaped
with a backslash (\).
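Review bot: the replacement `("")` in this hunk can be read as an empty-string literal rather than as the quote character the sentence is describing; if the intent is to show the delimiter, something like `double quotes ("...")` is unambiguous. The mailfrom and mailto hunks further down make the identical change in all three copies of the page, so whatever form is chosen here should be applied there as well.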
We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
/usr/bin/lprm
Note that while the group portion of the Runas_Spec permits the user to
In the following example, user t\btc\bcm\bm may run commands that access a modem
device file with the dialer group.
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
/usr/local/bin/minicom
Note that in this example only the group will be set, the command still
however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it. There are
- eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
- NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
- tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
- the tag unless it is overridden by the opposite tag (i.e.: PASSWD
+ A command may have zero or more tags associated with it. There are ten
+ possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
+ LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
+ on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag
+ unless it is overridden by the opposite tag (in other words, PASSWD
overrides NOPASSWD and NOEXEC overrides EXEC).
_\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
[!...] Matches any character n\bno\bot\bt in the specified range.
\x For any character "x", evaluates to "x". This is used to
- escape special characters such as: "*", "?", "[", and "}".
+ escape special characters such as: "*", "?", "[", and "]".
POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
_\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
file loops.
If the path to the include file is not fully-qualified (does not begin
- with a _\b/), it must be located in the same directory as the sudoers file
+ with a /), it must be located in the same directory as the sudoers file
it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
#include sudoers.local
the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
The file name may also include the %h escape, signifying the short form
- of the host name. I.e., if the machine's host name is "xerxes", then
+ of the host name. In other words, if the machine's host name is
+ "xerxes", then
#include /etc/sudoers.%h
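Review bot: "In other words" is the wrong connective in the new line: what follows is a concrete instance (host name "xerxes" expanding `#include /etc/sudoers.%h`), not a restatement of the previous sentence, so "For example" reads correctly where "I.e." did not. The fqdn hunk below (myhost versus myhost.mydomain.edu) has the same problem and should use the same wording.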
Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -\b-f\bf flag to edit the
files directly.
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
followed by any variables present in the file specified
by the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option (if any). The default contents
of the env_keep and env_check lists are displayed when
- s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option. If the
+ s\bsu\bud\bdo\bo is run by root with the -\b-V\bV option. If the
_\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its value will be used for
the PATH environment variable. This flag is _\bo_\bn by
default.
flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
- would use myhost.mydomain.edu. You may still use the
- short form if you wish (and even mix the two). Beware
- that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
- which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
- example if the machine is not plugged into the
- network). Also note that you must use the host's
- official name as DNS knows it. That is, you may not
- use a host alias (CNAME entry) due to performance
- issues and the fact that there is no way to get all
- aliases from DNS. If your machine's host name (as
- returned by the hostname command) is already fully
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. In other words, instead of
+ myhost you would use myhost.mydomain.edu. You may
+ still use the short form if you wish (and even mix the
+ two). Beware that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to
+ make DNS lookups which may make s\bsu\bud\bdo\bo unusable if DNS
+ stops working (for example if the machine is not
+ plugged into the network). Also note that you must use
+ the host's official name as DNS knows it. That is, you
+ may not use a host alias (CNAME entry) due to
+ performance issues and the fact that there is no way to
+ get all aliases from DNS. If your machine's host name
+ (as returned by the hostname command) is already fully
qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
_\bo_\bf_\bf by default.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore "." or "" (current dir) in the
PATH environment variable; the PATH itself is not
modified. This flag is _\bo_\bf_\bf by default.
Input is logged to the directory specified by the
_\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+ log line, prefixed with "TSID=".
Note that user input may contain sensitive information
such as passwords (even if they are not echoed to the
Output is logged to the directory specified by the
_\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+ log line, prefixed with "TSID=".
Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
utility, which can also be used to list or search the
on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
- things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
- not allocate a tty. This flag is _\bo_\bf_\bf by default.
+ things like "ssh somehost sudo ls" since by default,
+ _\bs_\bs_\bh(1) does not allocate a tty when running a command.
+ This flag is _\bo_\bf_\bf by default.
I\bIn\bnt\bte\beg\bge\ber\brs\bs:
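Review bot: the rewritten sentence is accurate for `ssh somehost sudo ls`, but since enabling visiblepw means the password is echoed on the terminal, the safer alternative belongs in the same sentence: `ssh -t somehost sudo ls` forces pty allocation, after which sudo can turn echo off and visiblepw does not need to be set at all. The same wording is repeated in the man.in and pod hunks below, so the addition should go into the .pod and be regenerated.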
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
%h will expand to the host name of the machine.
- Default is *** SECURITY information for %h ***.
+ Default is "*** SECURITY information for %h ***".
noexec_file Path to a shared library containing dummy versions of
the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
%% two consecutive % characters are collapsed into a
single % character
- The default value is Password:.
+ The default value is "Password:".
role The default SELinux role to use when constructing a new
security context to run the command. The default role
mailfrom Address to use for the "from" address when sending warning
and error mail. The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
- Defaults to the name of the user running s\bsu\bud\bdo\bo.
+ quotes ("") to protect against s\bsu\bud\bdo\bo interpreting the @
+ sign. Defaults to the name of the user running s\bsu\bud\bdo\bo.
mailto Address to send warning and error mail to. The address
- should be enclosed in double quotes (") to protect against
+ should be enclosed in double quotes ("") to protect against
s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
env_check will be preserved in the environment if they
pass the aforementioned check. The default list of
environment variables to check is displayed when s\bsu\bud\bdo\bo
- is run by root with the _\b-_\bV option.
+ is run by root with the -\b-V\bV option.
env_delete Environment variables to be removed from the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
can be replaced, added to, deleted from, or disabled by
using the =, +=, -=, and ! operators respectively. The
default list of environment variables to remove is
- displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ displayed when s\bsu\bud\bdo\bo is run by root with the -\b-V\bV option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
any setuid process (such as s\bsu\bud\bdo\bo).
added to, deleted from, or disabled by using the =, +=,
-=, and ! operators respectively. The default list of
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option.
+ with the -\b-V\bV option.
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
+ /usr/local/bin/tcsh, /usr/bin/rsh,\
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
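Review bot: unlike the other continuation-line hunks in this change, which only drop the space before the trailing backslash, this one corrects a real error: the first line of the john entry previously had no backslash at all, so the example was not a single Cmnd_Spec_List and its second line (`/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root`) could not stand on its own as a sudoers entry. That is worth stating in the commit message, since it changes what the example means rather than how it looks.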
-1.7.10 June 8, 2012 SUDOERS(4)
+1.7.10 July 18, 2012 SUDOERS(4)
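Review bot: the date bump in this footer, and in the .TH lines of the .man.in files later in the change, is what pod2man and nroff emit when the .pod is rebuilt; since the .cat and .man.in copies are generated from the .pod, please confirm they were regenerated rather than edited by hand, otherwise the next rebuild will silently overwrite any wording that only made it into the generated copies.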
sudoers: files
Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
- operating system does not use an nsswitch.conf file.
+ operating system does not use an nsswitch.conf file, except on AIX (see
+ below).
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
-1.7.10 June 29, 2012 SUDOERS.LDAP(4)
+1.7.10 July 18, 2012 SUDOERS.LDAP(4)
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "June 29, 2012" "1.7.10" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.Ve
.PP
Note that \fI@nsswitch_conf@\fR is supported even when the underlying
-operating system does not use an nsswitch.conf file.
+operating system does not use an nsswitch.conf file, except on \s-1AIX\s0 (see below).
.SS "Configuring netsvc.conf"
.IX Subsection "Configuring netsvc.conf"
On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
sudoers: files
Note that F<@nsswitch_conf@> is supported even when the underlying
-operating system does not use an nsswitch.conf file.
+operating system does not use an nsswitch.conf file, except on AIX (see below).
=head2 Configuring netsvc.conf
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "June 8, 2012" "1.7.10" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Flags are implicitly boolean and can be turned off via the '!'
operator. Some integer, string and list parameters may also be
used in a boolean context to disable them. Values may be enclosed
-in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
+in double quotes (\f(CW""\fR) when they contain multiple words. Special
characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
.PP
Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
the user or group set to \fBoperator\fR:
.PP
.Vb 2
-\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
+\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
\& /usr/bin/lprm
.Ve
.PP
a modem device file with the dialer group.
.PP
.Vb 2
-\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
+\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
\& /usr/local/bin/minicom
.Ve
.PP
.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
-eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
+ten possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
-it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
+it is overridden by the opposite tag (in other words, \f(CW\*(C`PASSWD\*(C'\fR overrides
\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
.IX Item "x"
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
-escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
+escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"]\*(R".
.PP
\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
and \fIfnmatch\fR\|(3) functions support them. However, because the
files is enforced to prevent include file loops.
.PP
If the path to the include file is not fully-qualified (does not
-begin with a \fI/\fR), it must be located in the same directory as the
+begin with a \f(CW\*(C`/\*(C'\fR), it must be located in the same directory as the
sudoers file it was included from. For example, if \fI/etc/sudoers\fR
contains the line:
.Sp
the file that will be included is \fI/etc/sudoers.local\fR.
.PP
The file name may also include the \f(CW%h\fR escape, signifying the short form
-of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
+of the host name. In other words, if the machine's host name is \*(L"xerxes\*(R", then
.PP
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
contains a syntax error. It is still possible to run \fBvisudo\fR
-with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
+with the \fB\-f\fR flag to edit the files directly.
.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
present in the file specified by the \fIenv_file\fR option (if any).
The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
-displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If
+displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. If
the \fIsecure_path\fR option is set, its value will be used for the
\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by
default.
.IP "fqdn" 16
.IX Item "fqdn"
Set this flag if you want to put fully qualified host names in the
-\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
+\&\fIsudoers\fR file.
+In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
.IP "ignore_dot" 16
.IX Item "ignore_dot"
-If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
+If set, \fBsudo\fR will ignore \*(L".\*(R" or "" (current dir) in the \f(CW\*(C`PATH\*(C'\fR
environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
flag is \fI@ignore_dot@\fR by default.
.IP "ignore_local_sudoers" 16
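Review bot: the new ignore_dot line mixes two quoting styles: `"."` is emitted as \*(L".\*(R" while the empty pair stays as bare `""`, so troff output shows typographic quotes for the first and straight quotes for the second. Marking both as code in the pod (C<"."> and C<"">) would keep them uniform and match the `\f(CW` treatment this change already applies to `"TSID="`.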
.Sp
Input is logged to the directory specified by the \fIiolog_dir\fR
option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
-is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR".
.Sp
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
.Sp
Output is logged to the directory specified by the \fIiolog_dir\fR
option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
-is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR".
.Sp
Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
can also be used to list or search the available logs.
password but it is not possible to disable echo on the terminal.
If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
even when it would be visible on the screen. This makes it possible
-to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
-not allocate a tty. This flag is \fIoff\fR by default.
+to run things like \f(CW"ssh somehost sudo ls"\fR since by default, \fIssh\fR\|(1) does
+not allocate a tty when running a command. This flag is \fIoff\fR by default.
.PP
\&\fBIntegers\fR:
.IP "closefrom" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
will expand to the host name of the machine.
-Default is \f(CW\*(C`@mailsub@\*(C'\fR.
+Default is "\f(CW\*(C`@mailsub@\*(C'\fR".
.IP "noexec_file" 16
.IX Item "noexec_file"
Path to a shared library containing dummy versions of the \fIexecv()\fR,
.RE
.RS 16
.Sp
-The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
+The default value is "\f(CW\*(C`@passprompt@\*(C'\fR".
.RE
.if \n(SL \{\
.IP "role" 16
.IP "mailfrom" 12
.IX Item "mailfrom"
Address to use for the \*(L"from\*(R" address when sending warning and error
-mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
+mail. The address should be enclosed in double quotes (\f(CW""\fR) to
protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
the name of the user running \fBsudo\fR.
.IP "mailto" 12
.IX Item "mailto"
Address to send warning and error mail to. The address should
-be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
+be enclosed in double quotes (\f(CW""\fR) to protect against \fBsudo\fR
interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
.IP "secure_path" 12
.IX Item "secure_path"
specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
they pass the aforementioned check. The default list of environment
variables to check is displayed when \fBsudo\fR is run by root with
-the \fI\-V\fR option.
+the \fB\-V\fR option.
.IP "env_delete" 16
.IX Item "env_delete"
Environment variables to be removed from the user's environment
double-quotes. The list can be replaced, added to, deleted from,
or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
respectively. The default list of environment variables to remove
-is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option.
Note that many operating systems will remove potentially dangerous
variables from the environment of any setuid process (such as
\&\fBsudo\fR).
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
-is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option.
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
\& Cmnd_Alias HALT = /usr/sbin/halt
\& Cmnd_Alias REBOOT = /usr/sbin/reboot
-\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
-\& /usr/local/bin/tcsh, /usr/bin/rsh, \e
+\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
+\& /usr/local/bin/tcsh, /usr/bin/rsh,\e
\& /usr/local/bin/zsh
\& Cmnd_Alias SU = /usr/bin/su
\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
For example, given the following \fIsudoers\fR entry:
.PP
.Vb 2
-\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
+\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e
\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
.Ve
.PP
Flags are implicitly boolean and can be turned off via the '!'
operator. Some integer, string and list parameters may also be
used in a boolean context to disable them. Values may be enclosed
-in double quotes (C<">) when they contain multiple words. Special
+in double quotes (C<"">) when they contain multiple words. Special
characters may be escaped with a backslash (C<\>).
Lists have two additional assignment operators, C<+=> and C<-=>.
We can extend this to allow B<dgb> to run C</bin/ls> with either
the user or group set to B<operator>:
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
/usr/bin/lprm
Note that while the group portion of the C<Runas_Spec> permits the
In the following example, user B<tcm> may run commands that access
a modem device file with the dialer group.
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
/usr/local/bin/minicom
Note that in this example only the group will be set, the command
=head2 Tag_Spec
A command may have zero or more tags associated with it. There are
-eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
+ten possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
-it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
+it is overridden by the opposite tag (in other words, C<PASSWD> overrides
C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
=head3 NOPASSWD and PASSWD
=item C<\x>
For any character "x", evaluates to "x". This is used to
-escape special characters such as: "*", "?", "[", and "}".
+escape special characters such as: "*", "?", "[", and "]".
=back
files is enforced to prevent include file loops.
If the path to the include file is not fully-qualified (does not
-begin with a F</>), it must be located in the same directory as the
+begin with a C</>), it must be located in the same directory as the
sudoers file it was included from. For example, if F</etc/sudoers>
contains the line:
the file that will be included is F</etc/sudoers.local>.
The file name may also include the C<%h> escape, signifying the short form
-of the host name. I.e., if the machine's host name is "xerxes", then
+of the host name. In other words, if the machine's host name is "xerxes", then
C<#include /etc/sudoers.%h>
Note that unlike files included via C<#include>, B<visudo> will not
edit the files in a C<#includedir> directory unless one of them
contains a syntax error. It is still possible to run B<visudo>
-with the C<-f> flag to edit the files directly.
+with the B<-f> flag to edit the files directly.
=head2 Other special characters and reserved words
and C<env_check> lists are then added, followed by any variables
present in the file specified by the I<env_file> option (if any).
The default contents of the C<env_keep> and C<env_check> lists are
-displayed when B<sudo> is run by root with the I<-V> option. If
+displayed when B<sudo> is run by root with the B<-V> option. If
the I<secure_path> option is set, its value will be used for the
C<PATH> environment variable. This flag is I<@env_reset@> by
default.
=item fqdn
Set this flag if you want to put fully qualified host names in the
-I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
+I<sudoers> file.
+In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
which may make B<sudo> unusable if DNS stops working (for example
=item ignore_dot
-If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
+If set, B<sudo> will ignore "." or "" (current dir) in the C<PATH>
environment variable; the C<PATH> itself is not modified. This
flag is I<@ignore_dot@> by default.
Input is logged to the directory specified by the I<iolog_dir>
option (F<@iolog_dir@> by default) using a unique session ID that
-is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+is included in the normal B<sudo> log line, prefixed with "C<TSID=>".
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
Output is logged to the directory specified by the I<iolog_dir>
option (F<@iolog_dir@> by default) using a unique session ID that
-is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+is included in the normal B<sudo> log line, prefixed with "C<TSID=>".
Output logs may be viewed with the L<sudoreplay(8)> utility, which
can also be used to list or search the available logs.
password but it is not possible to disable echo on the terminal.
If the I<visiblepw> flag is set, B<sudo> will prompt for a password
even when it would be visible on the screen. This makes it possible
-to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
-not allocate a tty. This flag is I<off> by default.
+to run things like C<"ssh somehost sudo ls"> since by default, L<ssh(1)> does
+not allocate a tty when running a command. This flag is I<off> by default.
=back
Subject of the mail sent to the I<mailto> user. The escape C<%h>
will expand to the host name of the machine.
-Default is C<@mailsub@>.
+Default is "C<@mailsub@>".
=item noexec_file
=back
-The default value is C<@passprompt@>.
+The default value is "C<@passprompt@>".
=item role
=item mailfrom
Address to use for the "from" address when sending warning and error
-mail. The address should be enclosed in double quotes (C<">) to
+mail. The address should be enclosed in double quotes (C<"">) to
protect against B<sudo> interpreting the C<@> sign. Defaults to
the name of the user running B<sudo>.
=item mailto
Address to send warning and error mail to. The address should
-be enclosed in double quotes (C<">) to protect against B<sudo>
+be enclosed in double quotes (C<"">) to protect against B<sudo>
interpreting the C<@> sign. Defaults to C<@mailto@>.
=item secure_path
specified by C<env_check> will be preserved in the environment if
they pass the aforementioned check. The default list of environment
variables to check is displayed when B<sudo> is run by root with
-the I<-V> option.
+the B<-V> option.
=item env_delete
double-quotes. The list can be replaced, added to, deleted from,
or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
respectively. The default list of environment variables to remove
-is displayed when B<sudo> is run by root with the I<-V> option.
+is displayed when B<sudo> is run by root with the B<-V> option.
Note that many operating systems will remove potentially dangerous
variables from the environment of any setuid process (such as
B<sudo>).
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of variables to keep
-is displayed when B<sudo> is run by root with the I<-V> option.
+is displayed when B<sudo> is run by root with the B<-V> option.
=back
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
+ /usr/local/bin/tcsh, /usr/bin/rsh,\
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
For example, given the following I<sudoers> entry:
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
sudoreplay - replay sudo session logs
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt] [-\b-s\bs
- _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt]
+ [-\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -l [search expression]
the IDs that are displayed. An expression is composed of
the following predicates:
- command _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn
+ command _\bp_\ba_\bt_\bt_\be_\br_\bn
Evaluates to true if the command run matches
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular
- expression support, the pattern may be an extended
- regular expression. On systems without POSIX
- regular expression support, a simple substring
- match is performed instead.
+ _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular expression
+ support, the pattern may be an extended regular
+ expression. On systems without POSIX regular
+ expression support, a simple substring match is
+ performed instead.
cwd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
Evaluates to true if the command was run with the
prior to _\bd_\ba_\bt_\be. See "Date and time format" for a
description of supported date and time formats.
- tty _\bt_\bt_\by Evaluates to true if the command was run on the
- specified terminal device. The _\bt_\bt_\by should be
+ tty _\bt_\bt_\by _\bn_\ba_\bm_\be
+ Evaluates to true if the command was run on the
+ specified terminal device. The _\bt_\bt_\by _\bn_\ba_\bm_\be should be
specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
instead of _\b/_\bd_\be_\bv_\b/_\bt_\bt_\by_\b0_\b1.
_\ba_\bn_\bd unless separated by an _\bo_\br.
-m _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
- presses or output data. By default, s\bsu\bud\bdo\bo_\b_r\bre\bep\bpl\bla\bay\by will
+ presses or output data. By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
session includes long pauses. When the _\b-_\bm option is
specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will limit these pauses to at most
_\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt seconds. The value may be specified as a floating
- point number, .e.g. _\b2_\b._\b5.
+ point number, e.g. _\b2_\b._\b5.
-s _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of
seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For
example, a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b2 would make the output twice as
- fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of <.5> would make the output
+ fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b._\b5 would make the output
twice as slow.
-V The -\b-V\bV (version) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print its
optional. If no date is specified, the current day is assumed; if no
time is specified, the first second of the specified date is used. The
less significant parts of both time and date may also be omitted, in
- which case zero is assumed. For example, the following are all valid:
+ which case zero is assumed.
The following are all valid time and date specifications:
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
- sudoreplay -l user millert
+ # sudoreplay -l user millert
List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
- sudoreplay -l user bob command vi
+ # sudoreplay -l user bob command vi
List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
- sudoreplay -l user jeff command '/bin/[a-z]*sh'
+ # sudoreplay -l user jeff command '/bin/[a-z]*sh'
List sessions run by jeff or bob on the console:
- sudoreplay -l ( user jeff or user bob ) tty console
+ # sudoreplay -l ( user jeff or user bob ) tty console
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bs_\bu_\bd_\bo(1m), _\bs_\bc_\br_\bi_\bp_\bt(1)
-A\bAU\bUT\bTH\bHO\bOR\bR
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Todd C. Miller
B\bBU\bUG\bGS\bS
-1.7.10 May 23, 2012 SUDOREPLAY(1m)
+1.7.10 July 18, 2012 SUDOREPLAY(1m)
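Review bot: the heading changes from AUTHOR to AUTHORS, but the only name listed under it is still `Todd C. Miller`. If the plural is a convention applied across all the sudo manuals this is fine; otherwise either keep the singular or list the additional contributors. The identical rename appears in the roff and POD hunks below and in the visudo manual at the end of this patch, so whichever way it is decided, apply it uniformly.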
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
sudoreplay \- replay sudo session logs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
-\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] [\fB\-f\fR \fIfilter\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0
+\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] [\fB\-f\fR\ \fIfilter\fR] [\fB\-m\fR\ \fImax_wait\fR] [\fB\-s\fR\ \fIspeed_factor\fR] \s-1ID\s0
.PP
-\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] \-l [search expression]
+\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] \-l [search\ expression]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudoreplay\fR plays back or lists the session logs created by
.IP "\-d \fIdirectory\fR" 12
.IX Item "-d directory"
Use \fIdirectory\fR to for the session logs instead of the default,
-\&\fI/var/log/sudo\-io\fR.
+\&\fI@iolog_dir@\fR.
.IP "\-f \fIfilter\fR" 12
.IX Item "-f filter"
By default, \fBsudoreplay\fR will play back the command's standard
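Review bot: replacing the literal `\fI/var/log/sudo\-io\fR` with `\fI@iolog_dir@\fR` correctly moves the default path to a configure-time substitution, but it also drops the `\-` escape that the old text had. If the configured directory contains a hyphen (as the old default `/var/log/sudo-io` did), the bare `-` that the substitution inserts will be set by troff as a typographic hyphen rather than an ASCII minus, which shows up when the path is copied out of a PostScript or PDF rendering. Since the `@iolog_dir@` token is still literal in this roff file, the substitution must happen after pod2man, so the step that expands it should escape `-` as `\-` for roff output. Also, the adjacent context line `Use \fIdirectory\fR to for the session logs` still carries the `to for` typo; this hunk is the natural place to drop the stray `to`.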
specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
.RS 12
-.IP "command \fIcommand pattern\fR" 8
-.IX Item "command command pattern"
-Evaluates to true if the command run matches \fIcommand pattern\fR.
+.IP "command \fIpattern\fR" 8
+.IX Item "command pattern"
+Evaluates to true if the command run matches \fIpattern\fR.
On systems with \s-1POSIX\s0 regular expression support, the pattern may
be an extended regular expression. On systems without \s-1POSIX\s0 regular
expression support, a simple substring match is performed instead.
Evaluates to true if the command was run on or prior to \fIdate\fR.
See \*(L"Date and time format\*(R" for a description of supported
date and time formats.
-.IP "tty \fItty\fR" 8
-.IX Item "tty tty"
+.IP "tty \fItty name\fR" 8
+.IX Item "tty tty name"
Evaluates to true if the command was run on the specified terminal
-device. The \fItty\fR should be specified without the \fI/dev/\fR prefix,
+device. The \fItty name\fR should be specified without the \fI/dev/\fR prefix,
e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
.IP "user \fIuser name\fR" 8
.IX Item "user user name"
.IP "\-m \fImax_wait\fR" 12
.IX Item "-m max_wait"
Specify an upper bound on how long to wait between key presses or
-output data. By default, \fBsudo_replay\fR will accurately reproduce
+output data. By default, \fBsudoreplay\fR will accurately reproduce
the delays between key presses or program output. However, this
can be tedious when the session includes long pauses. When the
\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses
to at most \fImax_wait\fR seconds. The value may be specified as a
-floating point number, .e.g. \fI2.5\fR.
+floating point number, e.g. \fI2.5\fR.
.IP "\-s \fIspeed_factor\fR" 12
.IX Item "-s speed_factor"
This option causes \fBsudoreplay\fR to adjust the number of seconds
it will wait between key presses or program output. This can be
used to slow down or speed up the display. For example, a
\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas
-a \fIspeed_factor\fR of <.5> would make the output twice as slow.
+a \fIspeed_factor\fR of \fI.5\fR would make the output twice as slow.
.IP "\-V" 12
.IX Item "-V"
The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number
optional. If no date is specified, the current day is assumed; if
no time is specified, the first second of the specified date is
used. The less significant parts of both time and date may also
-be omitted, in which case zero is assumed. For example, the following
-are all valid:
+be omitted, in which case zero is assumed.
.PP
The following are all valid time and date specifications:
.IP "now" 8
10:01 am, September 17, 2009.
.SH "FILES"
.IX Header "FILES"
-.IP "\fI/var/log/sudo\-io\fR" 24
-.IX Item "/var/log/sudo-io"
+.ie n .IP "\fI@iolog_dir@\fR" 24
+.el .IP "\fI@iolog_dir@\fR" 24
+.IX Item "@iolog_dir@"
The default I/O log directory.
-.IP "\fI/var/log/sudo\-io/00/00/01/log\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/log"
+.ie n .IP "\fI@iolog_dir@/00/00/01/log\fR" 24
+.el .IP "\fI@iolog_dir@/00/00/01/log\fR" 24
+.IX Item "@iolog_dir@/00/00/01/log"
Example session log info.
-.IP "\fI/var/log/sudo\-io/00/00/01/stdin\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/stdin"
+.ie n .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24
+.el .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24
+.IX Item "@iolog_dir@/00/00/01/stdin"
Example session standard input log.
-.IP "\fI/var/log/sudo\-io/00/00/01/stdout\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/stdout"
+.ie n .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24
+.el .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24
+.IX Item "@iolog_dir@/00/00/01/stdout"
Example session standard output log.
-.IP "\fI/var/log/sudo\-io/00/00/01/stderr\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/stderr"
+.ie n .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24
+.el .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24
+.IX Item "@iolog_dir@/00/00/01/stderr"
Example session standard error log.
-.IP "\fI/var/log/sudo\-io/00/00/01/ttyin\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/ttyin"
+.ie n .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24
+.el .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24
+.IX Item "@iolog_dir@/00/00/01/ttyin"
Example session tty input file.
-.IP "\fI/var/log/sudo\-io/00/00/01/ttyout\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/ttyout"
+.ie n .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24
+.el .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24
+.IX Item "@iolog_dir@/00/00/01/ttyout"
Example session tty output file.
-.IP "\fI/var/log/sudo\-io/00/00/01/timing\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/timing"
+.ie n .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24
+.el .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24
+.IX Item "@iolog_dir@/00/00/01/timing"
Example session timing file.
.PP
Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty
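Review bot: every FILES item now carries an `.ie n .IP "..." 24` / `.el .IP "..." 24` pair whose two branches are character-for-character identical, so the conditional selects the same text under nroff and troff and is dead weight. pod2man uses this pattern for items that need different escaping in the two formatters; with the old `sudo\-io` text that distinction existed, but with `@iolog_dir@` there is nothing to distinguish, and a single `.IP "\fI@iolog_dir@/00/00/01/log\fR" 24` per item is equivalent. If this file is regenerated from the .pod the redundancy is harmless and can be left alone. The `\-` escaping point raised on the `-d` option hunk applies to all eight substituted paths here as well, since each one previously contained `\-`.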
List sessions run by user \fImillert\fR:
.PP
.Vb 1
-\& sudoreplay \-l user millert
+\& # sudoreplay \-l user millert
.Ve
.PP
List sessions run by user \fIbob\fR with a command containing the string vi:
.PP
.Vb 1
-\& sudoreplay \-l user bob command vi
+\& # sudoreplay \-l user bob command vi
.Ve
.PP
List sessions run by user \fIjeff\fR that match a regular expression:
.PP
.Vb 1
-\& sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
+\& # sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
.Ve
.PP
List sessions run by jeff or bob on the console:
.PP
.Vb 1
-\& sudoreplay \-l ( user jeff or user bob ) tty console
+\& # sudoreplay \-l ( user jeff or user bob ) tty console
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1)
-.SH "AUTHOR"
-.IX Header "AUTHOR"
+.SH "AUTHORS"
+.IX Header "AUTHORS"
Todd C. Miller
.SH "BUGS"
.IX Header "BUGS"
=head1 SYNOPSIS
-B<sudoreplay> [B<-h>] [B<-d> I<directory>] [B<-f> I<filter>] [B<-m> I<max_wait>] [B<-s> I<speed_factor>] ID
+B<sudoreplay> [B<-h>] S<[B<-d> I<directory>]> S<[B<-f> I<filter>]> S<[B<-m> I<max_wait>]> S<[B<-s> I<speed_factor>]> ID
-B<sudoreplay> [B<-h>] [B<-d> I<directory>] -l [search expression]
+B<sudoreplay> [B<-h>] S<[B<-d> I<directory>]> -l S<[search expression]>
=head1 DESCRIPTION
=item -d I<directory>
Use I<directory> to for the session logs instead of the default,
-F</var/log/sudo-io>.
+F<@iolog_dir@>.
=item -f I<filter>
=over 8
-=item command I<command pattern>
+=item command I<pattern>
-Evaluates to true if the command run matches I<command pattern>.
+Evaluates to true if the command run matches I<pattern>.
On systems with POSIX regular expression support, the pattern may
be an extended regular expression. On systems without POSIX regular
expression support, a simple substring match is performed instead.
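Review bot: the context line `Use I<directory> to for the session logs instead of the default,` in the `-d` item still has the `to for` typo. This POD is the source the roff and text copies are generated from, so fixing it here (`Use I<directory> for the session logs instead of the default,`) propagates to the other two copies on the next regeneration, whereas the same typo in the roff hunk above would otherwise need a separate hand edit.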
See L<"Date and time format"> for a description of supported
date and time formats.
-=item tty I<tty>
+=item tty I<tty name>
Evaluates to true if the command was run on the specified terminal
-device. The I<tty> should be specified without the F</dev/> prefix,
+device. The I<tty name> should be specified without the F</dev/> prefix,
e.g. F<tty01> instead of F</dev/tty01>.
=item user I<user name>
=item -m I<max_wait>
Specify an upper bound on how long to wait between key presses or
-output data. By default, B<sudo_replay> will accurately reproduce
+output data. By default, B<sudoreplay> will accurately reproduce
the delays between key presses or program output. However, this
can be tedious when the session includes long pauses. When the
I<-m> option is specified, B<sudoreplay> will limit these pauses
to at most I<max_wait> seconds. The value may be specified as a
-floating point number, .e.g. I<2.5>.
+floating point number, e.g. I<2.5>.
=item -s I<speed_factor>
it will wait between key presses or program output. This can be
used to slow down or speed up the display. For example, a
I<speed_factor> of I<2> would make the output twice as fast whereas
-a I<speed_factor> of <.5> would make the output twice as slow.
+a I<speed_factor> of I<.5> would make the output twice as slow.
=item -V
optional. If no date is specified, the current day is assumed; if
no time is specified, the first second of the specified date is
used. The less significant parts of both time and date may also
-be omitted, in which case zero is assumed. For example, the following
-are all valid:
+be omitted, in which case zero is assumed.
The following are all valid time and date specifications:
=over 24
-=item F</var/log/sudo-io>
+=item F<@iolog_dir@>
The default I/O log directory.
-=item F</var/log/sudo-io/00/00/01/log>
+=item F<@iolog_dir@/00/00/01/log>
Example session log info.
-=item F</var/log/sudo-io/00/00/01/stdin>
+=item F<@iolog_dir@/00/00/01/stdin>
Example session standard input log.
-=item F</var/log/sudo-io/00/00/01/stdout>
+=item F<@iolog_dir@/00/00/01/stdout>
Example session standard output log.
-=item F</var/log/sudo-io/00/00/01/stderr>
+=item F<@iolog_dir@/00/00/01/stderr>
Example session standard error log.
-=item F</var/log/sudo-io/00/00/01/ttyin>
+=item F<@iolog_dir@/00/00/01/ttyin>
Example session tty input file.
-=item F</var/log/sudo-io/00/00/01/ttyout>
+=item F<@iolog_dir@/00/00/01/ttyout>
Example session tty output file.
-=item F</var/log/sudo-io/00/00/01/timing>
+=item F<@iolog_dir@/00/00/01/timing>
Example session timing file.
List sessions run by user I<millert>:
- sudoreplay -l user millert
+ # sudoreplay -l user millert
List sessions run by user I<bob> with a command containing the string vi:
- sudoreplay -l user bob command vi
+ # sudoreplay -l user bob command vi
List sessions run by user I<jeff> that match a regular expression:
- sudoreplay -l user jeff command '/bin/[a-z]*sh'
+ # sudoreplay -l user jeff command '/bin/[a-z]*sh'
List sessions run by jeff or bob on the console:
- sudoreplay -l ( user jeff or user bob ) tty console
+ # sudoreplay -l ( user jeff or user bob ) tty console
=head1 SEE ALSO
L<sudo(8)>, L<script(1)>
-=head1 AUTHOR
+=head1 AUTHORS
Todd C. Miller
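Review bot: prefixing the four examples with `# ` is a useful hint about the privilege the command is expected to run under, but nothing in the EXAMPLES text says that the prefix is a root shell prompt, and a reader who copies the line verbatim, or who takes `#` for a comment marker, gets a line that does nothing. A short sentence before the examples stating that `#` denotes the root prompt, or a lead-in such as `(as root)`, removes the ambiguity; the identical hunks in the roff and text copies above inherit whatever wording is chosen here once they are regenerated.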
You didn't run v\bvi\bis\bsu\bud\bdo\bo as root.
Can't find you in the passwd database
- Your userid does not appear in the system passwd file.
+ Your user ID does not appear in the system passwd file.
Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
- Either you are trying to use an undeclare
+ Either you are trying to use an undeclared
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
-A\bAU\bUT\bTH\bHO\bOR\bR
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
was written by:
- Todd Miller
+ Todd C. Miller
See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
-1.7.10 May 23, 2012 VISUDO(1m)
+1.7.10 July 18, 2012 VISUDO(1m)
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
You didn't run \fBvisudo\fR as root.
.IP "Can't find you in the passwd database" 4
.IX Item "Can't find you in the passwd database"
-Your userid does not appear in the system passwd file.
+Your user \s-1ID\s0 does not appear in the system passwd file.
.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
-Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
+Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (\fBsudo\fR will not
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8)
-.SH "AUTHOR"
-.IX Header "AUTHOR"
+.SH "AUTHORS"
+.IX Header "AUTHORS"
Many people have worked on \fIsudo\fR over the years; this version of
\&\fBvisudo\fR was written by:
.PP
.Vb 1
-\& Todd Miller
+\& Todd C. Miller
.Ve
.PP
See the \s-1HISTORY\s0 file in the sudo distribution or visit
=item Can't find you in the passwd database
-Your userid does not appear in the system passwd file.
+Your user ID does not appear in the system passwd file.
=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
-Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
+Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (B<sudo> will not
L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
-=head1 AUTHOR
+=head1 AUTHORS
Many people have worked on I<sudo> over the years; this version of
B<visudo> was written by:
- Todd Miller
+ Todd C. Miller
See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
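Review bot: outside the scope of the AUTHORS rename but visible in the context lines: the POD SEE ALSO entries hard-code manual sections (`L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>` here, and `L<sudo(8)>` in the sudoreplay POD) while the generated roff uses the `@mansectform@` and `@mansectsu@` substitutions, so the two disagree on platforms where those sections are not 5 and 8. If the build already rewrites the section numbers when it runs pod2man this is a non-issue; otherwise it is worth a follow-up so that the POD source and the roff output say the same thing.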