OCTET (1?[0-9]{1,2})|(2[0-4][0-9])|(25[0-5])
DOTTEDQUAD {OCTET}(\.{OCTET}){3}
HOSTNAME [[:alnum:]_-]+
-WORD ([^#@!=:,\(\) \t\n\\]|\\[^\n])+
+WORD ([^#>@!=:,\(\) \t\n\\]|\\[^\n])+
ENVAR ([^#!=, \t\n\\]|\\[^\n])([^#=, \t\n\\]|\\[^\n])*
DEFVAR [a-z_]+
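Review bot: Adding `>` to the excluded set in the WORD definition applies wherever WORD is lexed, not only on `Defaults` lines, so an existing sudoers entry with an unescaped `>` inside a word (a command argument, for instance) will no longer lex as a single WORD. The `\\[^\n]` alternative still accepts it when backslash-escaped, so the manual should list `>` among the characters that need escaping, and the change deserves a compatibility note. ENVAR is left unchanged and still accepts `>`; please confirm that is intended.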
} /* a command line arg */
}
-<INITIAL>^Defaults[:@]? {
+<INITIAL>^Defaults[:@>]? {
BEGIN GOTDEFS;
switch (yytext[8]) {
case ':':
LEXTRACE("DEFAULTS_USER ");
return(DEFAULTS_USER);
+ case '>':
+ LEXTRACE("DEFAULTS_RUNAS ");
+ return(DEFAULTS_RUNAS);
case '@':
LEXTRACE("DEFAULTS_HOST ");
return(DEFAULTS_HOST);
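Review bot: The new `case '>':` in `switch (yytext[8])` has no comment, and `>` is less self-explanatory than `:` or `@`. A one-line comment stating that it introduces runas-specific defaults would help the next reader. Please also confirm that the GOTDEFS state entered by `BEGIN GOTDEFS;` lexes the runas name that follows `>` the same way it lexes the user and host names after `:` and `@`.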
%token <tok> DEFAULTS /* Defaults entry */
%token <tok> DEFAULTS_HOST /* Host-specific defaults entry */
%token <tok> DEFAULTS_USER /* User-specific defaults entry */
+%token <tok> DEFAULTS_RUNAS /* Runas-specific defaults entry */
%token <tok> RUNAS /* ( runas_list ) */
%token <tok> NOPASSWD /* no passwd req for command */
%token <tok> PASSWD /* passwd req for command (default) */
defaults_matches = user_matches;
pop;
}
+ | DEFAULTS_RUNAS { push; } runaslist {
+ defaults_matches = $3 == TRUE;
+ pop;
+ }
| DEFAULTS_HOST { push; } hostlist {
defaults_matches = host_matches;
pop;
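Review bot: In the DEFAULTS_RUNAS rule, `defaults_matches = $3 == TRUE;` takes the match result from the semantic value of `runaslist`, while the neighbouring rules assign the globals `user_matches` and `host_matches`. That difference should be explained in a comment, including that `$3` is `runaslist` only because the mid-rule action `{ push; }` counts as `$2`, and what values other than TRUE `runaslist` can yield (negated or unmatched entries) so it is clear they are meant to count as no match. Parenthesising as `($3 == TRUE)` would also make the precedence obvious.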
Certain configuration options may be changed from their default
values at runtime via one or more C<Default_Entry> lines. These
-may affect all users on any host, all users on a specific host,
-or just a specific user. When multiple entries match, they are
-applied in order. Where there are conflicting values, the last
-value on a matching line takes effect.
+may affect all users on any host, all users on a specific host, a
+specific user, or commands being run as a specific user. When
+multiple entries match, they are applied in order. Where there are
+conflicting values, the last value on a matching line takes effect.
Default_Type ::= 'Defaults' ||
+ 'Defaults' '@' Host ||
'Defaults' ':' User ||
- 'Defaults' '@' Host
+ 'Defaults' '>' RunasUser
Default_Entry ::= Default_Type Parameter_List
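Review bot: The documented grammar gives `'Defaults' '>' RunasUser`, a single name, but the yacc rule added in this patch parses `DEFAULTS_RUNAS { push; } runaslist`, a list. The manual should say whether a comma-separated list or an alias is accepted after `>`, and the EBNF should use whichever nonterminal matches what the parser accepts.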
Cmnd_Alias SU = /usr/bin/su
Here we override some of the compiled in default values. We want
-B<sudo> to log via syslog(3) using the I<auth> facility in all cases.
-We don't want to subject the full time staff to the B<sudo> lecture,
-and user B<millert> need not give a password. In addition, on the
-machines in the I<SERVERS> C<Host_Alias>, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years.
+B<sudo> to log via syslog(3) using the I<auth> facility in all
+cases. We don't want to subject the full time staff to the B<sudo>
+lecture, user B<millert> need not give a password, and we don't
+want to set the C<LOGNAME> or C<USER> environment variables when
+running commands as root. Additionally, on the machines in the
+I<SERVERS> C<Host_Alias>, we keep an additional local log file and
+make sure we log the year in each log line since the log entries
+will be kept around for several years.
# Override built in defaults
Defaults syslog=auth
+ Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
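Review bot: The example places `Defaults>root !set_logname` second, but the paragraph above describes the entries in the order syslog, lecture, millert, then the root case. Moving the new line after `Defaults:millert !authenticate` would keep the example in step with its description. The prose names the `LOGNAME` and `USER` variables while the option is `set_logname`, so naming the option in the text would let readers connect the two.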