to do it all with text processing.
: ${SUDOERS_GID='0'}
DEV="#"
LDAP="#"
-BAMAN='.\" '
-LCMAN='.\" '
-SEMAN='.\" '
+BAMAN=0
+LCMAN=0
+SEMAN=0
ZLIB=
AUTH_OBJS=
AUTH_REG=
SUDO_LIBS="${SUDO_LIBS} -lselinux"
SUDO_OBJS="${SUDO_OBJS} selinux.o"
PROGS="${PROGS} sesh"
- SEMAN=""
+ SEMAN=1
;;
no) ;;
*) as_fn_error "\"--with-selinux does not take an argument.\"" "$LINENO" 5
cat >>confdefs.h <<_ACEOF
#define HAVE_LOGIN_CAP_H 1
_ACEOF
- LOGINCAP_USAGE='[-c class|-] '; LCMAN=""
+ LOGINCAP_USAGE='[-c class|-] '; LCMAN=1
case "$OS" in
freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
AUTH_OBJS="$AUTH_OBJS bsdauth.lo"
BSDAUTH_USAGE='[-a auth_type] '
- AUTH_EXCL=BSD_AUTH; BAMAN=""
+ AUTH_EXCL=BSD_AUTH; BAMAN=1
else
as_fn_error "BSD authentication was specified but bsd_auth.h could not be found" "$LINENO" 5
fi
: ${SUDOERS_GID='0'}
DEV="#"
LDAP="#"
-BAMAN='.\" '
-LCMAN='.\" '
-SEMAN='.\" '
+BAMAN=0
+LCMAN=0
+SEMAN=0
ZLIB=
AUTH_OBJS=
AUTH_REG=
SUDO_LIBS="${SUDO_LIBS} -lselinux"
SUDO_OBJS="${SUDO_OBJS} selinux.o"
PROGS="${PROGS} sesh"
- SEMAN=""
+ SEMAN=1
;;
no) ;;
*) AC_MSG_ERROR(["--with-selinux does not take an argument."])
AC_CHECK_HEADERS(termio.h, [], [AC_MSG_ERROR([Must have either termios.h or termio.h to build sudo])])
fi
if test ${with_logincap-'no'} != "no"; then
- AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=""
+ AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=1
case "$OS" in
freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
[AUTH_OBJS="$AUTH_OBJS bsdauth.lo"]
[BSDAUTH_USAGE='[[-a auth_type]] ']
- [AUTH_EXCL=BSD_AUTH; BAMAN=""],
+ [AUTH_EXCL=BSD_AUTH; BAMAN=1],
[AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
fi
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "May 11, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\fBsudo\fR [\fB\-D\fR\ \fIlevel\fR] \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
[\fB\-D\fR\ \fIlevel\fR]
-@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
+.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
.PP
\&\fBsudoedit\fR [\fB\-AnS\fR]
-@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
path to the helper program. Otherwise, the value specified by the
\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used.
-@BAMAN@.IP "\-a \fItype\fR" 12
-@BAMAN@.IX Item "-a type"
-@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
-@BAMAN@specified authentication type when validating the user, as allowed
-@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
-@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
-@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
-@BAMAN@that support \s-1BSD\s0 authentication.
+.if \n(BA \{\
+.IP "\-a \fItype\fR" 12
+.IX Item "-a type"
+The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
+specified authentication type when validating the user, as allowed
+by \fI/etc/login.conf\fR. The system administrator may specify a list
+of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
+entry in \fI/etc/login.conf\fR. This option is only available on systems
+that support \s-1BSD\s0 authentication.
+\}
.IP "\-b" 12
.IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
three are not permitted. This option is only available if the
administrator has enabled the \fIclosefrom_override\fR option in
\&\fIsudoers\fR\|(@mansectform@).
-@LCMAN@.IP "\-c \fIclass\fR" 12
-@LCMAN@.IX Item "-c class"
-@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
-@LCMAN@with resources limited by the specified login class. The \fIclass\fR
-@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR,
-@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
-@LCMAN@that the command should be run restricted by the default login
-@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR
-@LCMAN@argument specifies an existing user class, the command must be run
-@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already
-@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes.
+.if \n(LC \{\
+.IP "\-c \fIclass\fR" 12
+.IX Item "-c class"
+The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
+with resources limited by the specified login class. The \fIclass\fR
+argument can be either a class name as defined in \fI/etc/login.conf\fR,
+or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
+that the command should be run restricted by the default login
+capabilities for the user the command is run as. If the \fIclass\fR
+argument specifies an existing user class, the command must be run
+as root, or the \fBsudo\fR command must be run from a shell that is already
+root. This option is only available on systems with \s-1BSD\s0 login classes.
+\}
.IP "\-D \fIlevel\fR" 12
.IX Item "-D level"
Enable debugging of \fBsudo\fR plugins and \fBsudo\fR itself. The \fIlevel\fR
password prompt on systems that support \s-1PAM\s0 unless the
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
.RE
-@SEMAN@.IP "\-r \fIrole\fR" 12
-@SEMAN@.IX Item "-r role"
-@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
-@SEMAN@have the role specified by \fIrole\fR.
+.if \n(SL \{\
+.IP "\-r \fIrole\fR" 12
+.IX Item "-r role"
+The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
+have the role specified by \fIrole\fR.
+\}
.IP "\-S" 12
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
environment variable if it is set or the shell as specified in
\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed.
-@SEMAN@.IP "\-t \fItype\fR" 12
-@SEMAN@.IX Item "-t type"
-@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
-@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
-@SEMAN@type is derived from the specified role.
+.if \n(SL \{\
+.IP "\-t \fItype\fR" 12
+.IX Item "-t type"
+The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
+have the type specified by \fItype\fR. If no type is specified, the default
+type is derived from the specified role.
+\}
.IP "\-U \fIuser\fR" 12
.IX Item "-U user"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
-@LCMAN@\&\fIlogin_cap\fR\|(3),
+.if \n(LC \&\fIlogin_cap\fR\|(3),
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"
#!/usr/bin/perl -p
BEGIN {
- %tags = ( 'a', '@BAMAN@', 'c', '@LCMAN@', 'r', '@SEMAN@', 't', '@SEMAN@');
- $t = undef;
+ %tags = ( 'a', 'BA', 'c', 'LC', 'r', 'SL', 't', 'SL');
+ $cond = -1;
}
-if (/^\.IP(.*-([acrt]))?/) {
- $t = $1 ? $tags{$2} : undef;
-} elsif (/-a.*auth_type/) {
- $_ = $tags{'a'} . $_;
+
+# Initialize the numeric register we use for conditionals
+if ($cond == -1) {
+ $_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_";
+ $cond = 0;
+}
+
+# Add conditionals
+if (/^\.IP.*-([acrt])/) {
+ $_ = ".if \\n($tags{$1} \\{\\\n$_";
+ $cond = 1;
+} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
+ $_ = "\\}\n$_";
+ $cond = 0;
+}
+
+if (/-a.*auth_type/) {
+ $_ = ".if \\n($tags{'a'} $_";
} elsif (/(-c.*class.*\||login_cap)/) {
- $_ = $tags{'c'} . $_;
+ $_ = ".if \\n($tags{'c'} $_";
} elsif (/-r.*role.*-t.*type/) {
- $_ = $tags{'r'} . $_;
+ $_ = ".if \\n($tags{'r'} $_";
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
-
-# comment out Compile-time-specific lines in DESCRIPTION
-if ($t) {
- $_ = $t . $_;
-}
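Review bot: The new open/close logic in sudo.man.pl can leave a `\{` unclosed, because the opening test `/^\.IP.*-([acrt])/` is checked before the closing `elsif`. If two tagged items are adjacent (for example `-r` directly followed by `-t`), a second block opens while the first never gets its `\}`. The closing pattern `/^\.(Sh|SS|IP|PP)/` is also case-sensitive and omits `.SH`, the form this page uses for top-level headers, so a tagged item that ends a section would stay open into the next one. The current option order appears to avoid both cases, but an unbalanced conditional silently hides the rest of the page on builds where the register is 0. sudoers.man.pl uses the same ordering and the same closing pattern and needs the same change.
```perl
# Close an open conditional first, so adjacent tagged items stay balanced
$close = "";
if ($cond && /^\.(SH|Sh|SS|IP|PP)/) {
    $close = "\\}\n";
    $cond = 0;
}
if (/^\.IP.*-([acrt])/) {
    $_ = "${close}.if \\n($tags{$1} \\{\\\n$_";
    $cond = 1;
} else {
    $_ = "${close}$_";
}
# … unchanged: synopsis-line conditionals and pod2man fix-up …
```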
-1.8.0a1 April 7, 2010 1
+1.8.0a1 May 25, 2010 1
-1.8.0a1 April 7, 2010 2
+1.8.0a1 May 25, 2010 2
-1.8.0a1 April 7, 2010 3
+1.8.0a1 May 25, 2010 3
-1.8.0a1 April 7, 2010 4
+1.8.0a1 May 25, 2010 4
-1.8.0a1 April 7, 2010 5
+1.8.0a1 May 25, 2010 5
-1.8.0a1 April 7, 2010 6
+1.8.0a1 May 25, 2010 6
-1.8.0a1 April 7, 2010 7
+1.8.0a1 May 25, 2010 7
-1.8.0a1 April 7, 2010 8
+1.8.0a1 May 25, 2010 8
-1.8.0a1 April 7, 2010 9
+1.8.0a1 May 25, 2010 9
alternative is to place a colon-separated list of
editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is _\bo_\bn by default.
+ specified in editor. This flag is _\bo_\bf_\bf by default.
env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
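Review bot: The regenerated sudoers.cat changes documented defaults that nothing visible in this commit changes in code. The flag described just above `env_reset` flips from on to off here, `ignore_dot` and `insults` do the same in the next two hunks, and a later hunk moves the `syslog` default from authpriv to local2. These look like values substituted from the configure options of the tree the page was formatted in, rather than an intended change in behaviour. `ignore_dot` and the syslog facility matter to anyone hardening or auditing a sudo install, so a shipped cat page stating build-specific defaults can mislead administrators. I would regenerate the cat pages from a default-configured tree, or drop these lines from the commit.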
-1.8.0a1 April 7, 2010 10
+1.8.0a1 May 25, 2010 10
ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
- modified. This flag is _\bo_\bn by default.
+ modified. This flag is _\bo_\bf_\bf by default.
ignore_local_sudoers
If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
_\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
- incorrect password. This flag is _\bo_\bn by default.
+ incorrect password. This flag is _\bo_\bf_\bf by default.
log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
-1.8.0a1 April 7, 2010 11
+1.8.0a1 May 25, 2010 11
passprompt_override
The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
- normally only be used if the password prompt provided by
- systems such as PAM matches the string "Password:". If
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be
- used. This flag is _\bo_\bf_\bf by default.
+ normally only be used if the password prompt provided
+ by systems such as PAM matches the string "Password:".
+ If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
+ be used. This flag is _\bo_\bf_\bf by default.
preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
the list of groups the target user is in. When
-1.8.0a1 April 7, 2010 12
+1.8.0a1 May 25, 2010 12
-1.8.0a1 April 7, 2010 13
+1.8.0a1 May 25, 2010 13
-1.8.0a1 April 7, 2010 14
+1.8.0a1 May 25, 2010 14
-1.8.0a1 April 7, 2010 15
+1.8.0a1 May 25, 2010 15
-1.8.0a1 April 7, 2010 16
+1.8.0a1 May 25, 2010 16
-1.8.0a1 April 7, 2010 17
+1.8.0a1 May 25, 2010 17
-1.8.0a1 April 7, 2010 18
+1.8.0a1 May 25, 2010 18
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
- to disable syslog logging). Defaults to authpriv.
+ to disable syslog logging). Defaults to local2.
verifypw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
-1.8.0a1 April 7, 2010 19
+1.8.0a1 May 25, 2010 19
-1.8.0a1 April 7, 2010 20
+1.8.0a1 May 25, 2010 20
-1.8.0a1 April 7, 2010 21
+1.8.0a1 May 25, 2010 21
-1.8.0a1 April 7, 2010 22
+1.8.0a1 May 25, 2010 22
-1.8.0a1 April 7, 2010 23
+1.8.0a1 May 25, 2010 23
-1.8.0a1 April 7, 2010 24
+1.8.0a1 May 25, 2010 24
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
-1.8.0a1 April 7, 2010 25
+1.8.0a1 May 25, 2010 25
-1.8.0a1 April 7, 2010 26
+1.8.0a1 May 25, 2010 26
-1.7.3b2 December 19, 2009 1
+1.8.0a1 May 25, 2010 1
-1.7.3b2 December 19, 2009 2
+1.8.0a1 May 25, 2010 2
-1.7.3b2 December 19, 2009 3
+1.8.0a1 May 25, 2010 3
-1.7.3b2 December 19, 2009 4
+1.8.0a1 May 25, 2010 4
-1.7.3b2 December 19, 2009 5
+1.8.0a1 May 25, 2010 5
-1.7.3b2 December 19, 2009 6
+1.8.0a1 May 25, 2010 6
-1.7.3b2 December 19, 2009 7
+1.8.0a1 May 25, 2010 7
-1.7.3b2 December 19, 2009 8
+1.8.0a1 May 25, 2010 8
-1.7.3b2 December 19, 2009 9
+1.8.0a1 May 25, 2010 9
-1.7.3b2 December 19, 2009 10
+1.8.0a1 May 25, 2010 10
-1.7.3b2 December 19, 2009 11
+1.8.0a1 May 25, 2010 11
)
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The way that _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed differs between Note that there are
-1.7.3b2 December 19, 2009 12
+1.8.0a1 May 25, 2010 12
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5)
+\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
.SH "CAVEATS"
.IX Header "CAVEATS"
The way that \fIsudoers\fR is parsed differs between Note that there
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "April 7, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
\&
-\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
\&
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\&
+.if \n(SL \{\
+\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
+\&
+\}
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqTRANSCRIPT:\*(Aq | \*(AqNOTRANSCRIPT:\*(Aq)
.Ve
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
+.if \n(SL \{\
+.SS "SELinux_Spec"
+.IX Subsection "SELinux_Spec"
+On systems with SELinux support, \fIsudoers\fR entries may optionally have
+an SELinux role and/or type associated with a command. If a role or
+type is specified with the command it will override any default values
+specified in \fIsudoers\fR. A role or type specified on the command line,
+however, will supercede the values in \fIsudoers\fR.
+\}
.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
umask to be the union of the user's umask and what is specified in
\&\fIsudoers\fR. This flag is \fIoff\fR by default.
-@LCMAN@.IP "use_loginclass" 16
-@LCMAN@.IX Item "use_loginclass"
-@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
-@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with
-@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+.if \n(LC \{\
+.IP "use_loginclass" 16
+.IX Item "use_loginclass"
+If set, \fBsudo\fR will apply the defaults specified for the target user's
+login class if one exists. Only available if \fBsudo\fR is configured with
+the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+\}
.IP "visiblepw" 16
.IX Item "visiblepw"
By default, \fBsudo\fR will refuse to run if the user must enter a
.Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
.RE
-@SEMAN@.IP "role" 16
-@SEMAN@.IX Item "role"
-@SEMAN@The default SELinux role to use when constructing a new security
-@SEMAN@context to run the command. The default role may be overridden on
-@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
-@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "role" 16
+.IX Item "role"
+The default SELinux role to use when constructing a new security
+context to run the command. The default role may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR option is not specified
.IX Item "timestampowner"
The owner of the timestamp directory and the timestamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR.
-@SEMAN@.IP "type" 16
-@SEMAN@.IX Item "type"
-@SEMAN@The default SELinux type to use when constructing a new security
-@SEMAN@context to run the command. The default type may be overridden on
-@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
-@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "type" 16
+.IX Item "type"
+The default SELinux type to use when constructing a new security
+context to run the command. The default type may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
.PP
\&\fBStrings that can be used in a boolean context\fR:
.IP "askpass" 12
\&\fBsudoedit\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
#!/usr/bin/perl -p
BEGIN {
- $t = undef;
+ $cond = -1;
}
-if (/^\./) {
- if (/^\.I[PX].*use_loginclass/) {
- $t = '@LCMAN@';
- } elsif (/^\.I[PX].*(role|type)/) {
- $t = '@SEMAN@';
- } else {
- $t = undef;
- }
+# Initialize the numeric register we use for conditionals
+if ($cond == -1) {
+ $_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_";
+ $cond = 0;
+}
+
+# Make SELinux_Spec conditional
+if (/(.*)SELinux_Spec\? (.*)$/) {
+ $_ = ".ie \\n(SL $_.el $1$2\n";
+} elsif (/^(.*SELinux_Spec ::=)/) {
+ $_ = ".if \\n(SL \\{\\\n$_";
+} elsif (/^(.*Tag_Spec ::=)/) {
+ $_ = "\\}\n$_";
+}
+
+if (/^\.S[Sh] "SELinux_Spec"/) {
+ $_ = ".if \\n(SL \\{\\\n$_";
+ $cond = 1;
+} elsif (/^\.IP "(role|type)"/) {
+ $_ = ".if \\n(SL \\{\\\n$_";
+ $cond = 1;
+} elsif (/^\.IP "use_loginclass"/) {
+ $_ = ".if \\n(LC \\{\\\n$_";
+ $cond = 1;
+} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
+ $_ = "\\}\n$_";
+ $cond = 0;
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
s/\\f\(\CW\@([^\@]*)\\fR\@/\@$1\@/g;
#\f(CW@secure_path\fR@
-
-# Comment out Compile-time-specific lines in DESCRIPTION
-if ($t) {
- $_ = $t . $_;
-}
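Review bot: The `\}` that closes the grammar block is keyed on the text of the `Tag_Spec ::=` line, not on whether a block was actually opened. The `SELinux_Spec ::=` branch opens `.if \n(SL \{\` without recording it, and the `Tag_Spec ::=` branch emits `\}` unconditionally, so balance depends on the two lines staying adjacent and in this order in the pod source. Tracking it explicitly would make this robust: set a flag such as `$gram = 1;` in the `SELinux_Spec ::=` branch and guard the closer with `} elsif ($gram && /^(.*Tag_Spec ::=)/) {`, clearing the flag there. A short comment above the two chains, noting that the first handles the EBNF inside the verbatim block and the second handles section and item headers, would also help the next reader.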
-1.7.3b2 December 19, 2009 1
+1.8.0a1 May 25, 2010 1
-1.7.3b2 December 19, 2009 2
+1.8.0a1 May 25, 2010 2
-1.7.3b2 December 19, 2009 3
+1.8.0a1 May 25, 2010 3
-1.7.3b2 December 19, 2009 4
+1.8.0a1 May 25, 2010 4
-1.7.3b2 December 19, 2009 5
+1.8.0a1 May 25, 2010 5
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.7.3b2 December 19, 2009 1
+1.8.0a1 May 25, 2010 1
-\b-s\bs (strict) mode this is an error, not a warning.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
+ _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(1m)
A\bAU\bUT\bTH\bHO\bOR\bR
Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
-1.7.3b2 December 19, 2009 2
+1.8.0a1 May 25, 2010 2
-1.7.3b2 December 19, 2009 3
+1.8.0a1 May 25, 2010 3
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\fB\-s\fR (strict) mode this is an error, not a warning.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8)
+\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@)
.SH "AUTHOR"
.IX Header "AUTHOR"
Many people have worked on \fIsudo\fR over the years; this version of