from most other netgroup consumers.
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
list item may be prefixed with zero or more `!' operators. An odd number
of `!' operators negate the value of the item; an even number just cancel
- each other out.
+ each other out. User netgroups are matched using the user and domain
+ members only; the host member is not used when matching.
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
be enclosed in double quotes to avoid the need for escaping special
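Review bot: the two added lines say the host member is ignored when a netgroup is matched in a User_List, but leave the consequence implicit: a netgroup triple whose host field was meant to confine a user to particular machines does not confine a User_List entry at all, since only the user and domain members are compared. Suggest one more sentence stating that host restriction must come from the Host_List (where, per the Host_List hunk below, the netgroup's host and domain members are compared instead), so an administrator auditing existing netgroup-based rules knows which field of the triple is actually enforced on each side of the rule.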
A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with `+') and other aliases. Again, the
- value of an item may be negated with the `!' operator. If you do not
- specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each of
- the local host's network interfaces and, if the network number
- corresponds to one of the hosts's network interfaces, the corresponding
- netmask will be used. The netmask may be specified either in standard IP
- address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
- notation (number of bits, e.g. 24 or 64). A host name may include shell-
- style wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below), but unless the host
- name command on your machine returns the fully qualified host name,
- you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful. Note that
- s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP address
+ value of an item may be negated with the `!' operator. Host netgroups
+ are matched using the host (both qualified and unqualified) and domain
+ members only; the user member is not used when matching. If you specify
+ a network number without a netmask, s\bsu\bud\bdo\bo will query each of the local
+ host's network interfaces and, if the network number corresponds to one
+ of the hosts's network interfaces, will use the netmask of that
+ interface. The netmask may be specified either in standard IP address
+ notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
+ (number of bits, e.g. 24 or 64). A host name may include shell-style
+ wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below), but unless the host name
+ command on your machine returns the fully qualified host name, you'll
+ need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful. Note that s\bsu\bud\bdo\bo
+ only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match. Also, the host name
``localhost'' will only match if that is the actual host name, which is
usually only the case for non-networked systems.
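Review bot: "hosts's network interfaces" on the rewritten line (`+ of the hosts's network interfaces, will use the netmask of that`) is a possessive typo carried over from the removed text and should read "host's". The same spelling sits on the unchanged line "if the network number corresponds to one of the hosts's network" in both roff sources further down, so correct it there as well or the rendered .cat text will drift from the source again. Separately, "host (both qualified and unqualified)" would be clearer if it said whether the fqdn option, which the following sentences require for wildcard matching, has any effect on which host name forms are compared against the netgroup's host member.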
use_netgroups If set, netgroups (prefixed with `+'), may be used in
place of a user or host. For LDAP-based sudoers,
netgroup support requires an expensive substring match
- on the server. If netgroups are not needed, this
- option can be disabled to reduce the load on the LDAP
- server. This flag is _\bo_\bn by default.
+ on the server unless the N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE directive is
+ present in the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file. If netgroups are
+ not needed, this option can be disabled to reduce the
+ load on the LDAP server. This flag is _\bo_\bn by default.
exec_background By default, s\bsu\bud\bdo\bo runs a command as the foreground
process as long as s\bsu\bud\bdo\bo itself is running in the
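Review bot: NETGROUP_BASE is introduced on the added lines without saying where it is defined; a sudoers(5) reader gets no pointer to the sudoers.ldap(8) page that documents the LDAP configuration directives. Suggest "unless the NETGROUP_BASE directive is present in the /etc/ldap.conf file (see sudoers.ldap(8))", and consider one clause on what the directive enables instead, since the sentence otherwise tells the administrator only that the expensive substring match is avoided, not what replaces it.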
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.15 August 7, 2015 Sudo 1.8.15
+Sudo 1.8.15 September 21, 2015 Sudo 1.8.15
A user name, user ID (prefixed with `#'), Unix group name or ID
(prefixed with `%' or `%#' respectively), user netgroup (prefixed
with `+'), or non-Unix group name or ID (prefixed with `%:' or
- `%:#' respectively). Non-Unix group support is only available when
- an appropriate _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn is defined in the global _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs
- sudoRole object.
+ `%:#' respectively). User netgroups are matched using the user and
+ domain members only; the host member is not used when matching.
+ Non-Unix group support is only available when an appropriate
+ _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn is defined in the global _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs sudoRole object.
s\bsu\bud\bdo\boH\bHo\bos\bst\bt
A host name, IP address, IP network, or host netgroup (prefixed
- with a `+'). The special value ALL will match any host.
+ with a `+'). The special value ALL will match any host. Host
+ netgroups are matched using the host (both qualified and
+ unqualified) and domain members only; the user member is not used
+ when matching.
s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
A fully-qualified Unix command name with optional command line
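Review bot: the sudoUser and sudoHost additions describe which netgroup members are compared but not that netgroup entries are honored only while the use_netgroups flag (on by default, per the sudoers(5) hunk above) is set. Suggest a short cross-reference in the sudoUser paragraph, since an administrator reading only sudoers.ldap(8) could disable that flag to avoid the LDAP substring match and not realize that `+netgroup` entries in sudoUser and sudoHost then no longer match.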
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.15 January 30, 2015 Sudo 1.8.15
+Sudo 1.8.15 September 21, 2015 Sudo 1.8.15
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS.LDAP" "8" "January 30, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "SUDOERS.LDAP" "8" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
or
\(oq%:#\(cq
respectively).
+User netgroups are matched using the user and domain members only;
+the host member is not used when matching.
Non-Unix group support is only available when an appropriate
\fIgroup_plugin\fR
is defined in the global
The special value
\fRALL\fR
will match any host.
+Host netgroups are matched using the host (both qualified and unqualified)
+and domain members only; the user member is not used when matching.
.TP 6n
\fBsudoCommand\fR
A fully-qualified Unix command name with optional command line arguments,
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 30, 2015
+.Dd September 21, 2015
.Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
or
.Ql %:#
respectively).
+User netgroups are matched using the user and domain members only;
+the host member is not used when matching.
Non-Unix group support is only available when an appropriate
.Em group_plugin
is defined in the global
The special value
.Li ALL
will match any host.
+Host netgroups are matched using the host (both qualified and unqualified)
+and domain members only; the user member is not used when matching.
.It Sy sudoCommand
A fully-qualified Unix command name with optional command line arguments,
potentially including globbing characters (aka wild cards).
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "August 7, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\(oq\&!\(cq
operators negate the value of
the item; an even number just cancel each other out.
+User netgroups are matched using the user and domain members only;
+the host member is not used when matching.
.PP
A
\fRuser name\fR,
Again, the value of an item may be negated with the
\(oq\&!\(cq
operator.
-If you do not specify a netmask along with the network number,
+Host netgroups are matched using the host (both qualified and unqualified)
+and domain members only; the user member is not used when matching.
+If you specify a network number without a netmask,
\fBsudo\fR
will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used.
-The netmask
-may be specified either in standard IP address notation
+interfaces, will use the netmask of that interface.
+The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
\(oq+\(cq),
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
-substring match on the server.
+substring match on the server unless the
+\fBNETGROUP_BASE\fR
+directive is present in the
+\fI@ldap_conf@\fR
+file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd August 7, 2015
+.Dd September 21, 2015
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Ql \&!
operators negate the value of
the item; an even number just cancel each other out.
+User netgroups are matched using the user and domain members only;
+the host member is not used when matching.
.Pp
A
.Li user name ,
Again, the value of an item may be negated with the
.Ql \&!
operator.
-If you do not specify a netmask along with the network number,
+Host netgroups are matched using the host (both qualified and unqualified)
+and domain members only; the user member is not used when matching.
+If you specify a network number without a netmask,
.Nm sudo
will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used.
-The netmask
-may be specified either in standard IP address notation
+interfaces, will use the netmask of that interface.
+The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
.Ql + ) ,
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
-substring match on the server.
+substring match on the server unless the
+.Sy NETGROUP_BASE
+directive is present in the
+.Pa @ldap_conf@
+file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is