-1.7.1 March 11, 2009 1
+1.7.2 June 11, 2009 1
-1.7.1 March 11, 2009 2
+1.7.2 June 11, 2009 2
-1.7.1 March 11, 2009 3
+1.7.2 June 11, 2009 3
-1.7.1 March 11, 2009 4
+1.7.2 June 11, 2009 4
-1.7.1 March 11, 2009 5
+1.7.2 June 11, 2009 5
-1.7.1 March 11, 2009 6
+1.7.2 June 11, 2009 6
-1.7.1 March 11, 2009 7
+1.7.2 June 11, 2009 7
-1.7.1 March 11, 2009 8
+1.7.2 June 11, 2009 8
-1.7.1 March 11, 2009 9
+1.7.2 June 11, 2009 9
-1.7.1 March 11, 2009 10
+1.7.2 June 11, 2009 10
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2008
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "March 11, 2009" "1.7.1" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.7.1 April 18, 2009 1
+1.7.2 June 11, 2009 1
-1.7.1 April 18, 2009 2
+1.7.2 June 11, 2009 2
-1.7.1 April 18, 2009 3
+1.7.2 June 11, 2009 3
-1.7.1 April 18, 2009 4
+1.7.2 June 11, 2009 4
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
but this can be changed on a per-command basis.
- Let's break that down into its constituent parts:
+ The basic structure of a user specification is `who = where (as_whom)
+ what'. Let's break that down into its constituent parts:
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
-
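Review bot: this sudoers.cat text is generated from sudoers.man.in, and the new sentence `who = where (as_whom) what' puts the `=` between the user and the host, whereas a sudoers entry writes the host list before the `=` (the familiar `root ALL = (ALL) ALL` form); the wording should be `who where = (as_whom) what', fixed in the .man.in source and this file regenerated rather than patched by hand.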
-1.7.1 April 18, 2009 5
+1.7.2 June 11, 2009 5
-1.7.1 April 18, 2009 6
+1.7.2 June 11, 2009 6
-1.7.1 April 18, 2009 7
+1.7.2 June 11, 2009 7
The filename may include the %h escape, signifying the short form of
the hostname. I.e., if the machine's hostname is "xerxes", then
- #include /etc/sudoers.%h
+ #include /etc/sudoers.%h
will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
package installation. For example, given:
- #includedir /etc/sudoers.d
+ #includedir /etc/sudoers.d
- s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping files that contain
- a . character to avoid causing problems with package manager, v\bvi\bis\bsu\bud\bdo\bo or
- editor temporary files. Files are parsed in sorted lexical order.
- That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed before
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
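Review bot: the new skip rule (names ending in `~` or containing a `.`) means any file with a dot in its name is ignored, not only editor or package-manager leftovers, so a drop-in such as `10_second.conf` or a rule file renamed to `ssh-users.disabled` is never read and the administrator gets no indication why the rule does not apply; the text should say plainly that such files are skipped entirely, and ideally whether the skip is silent or logged.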
-1.7.1 April 18, 2009 8
+1.7.2 June 11, 2009 8
-1.7.1 April 18, 2009 9
+1.7.2 June 11, 2009 9
-1.7.1 April 18, 2009 10
+1.7.2 June 11, 2009 10
-1.7.1 April 18, 2009 11
+1.7.2 June 11, 2009 11
-1.7.1 April 18, 2009 12
+1.7.2 June 11, 2009 12
-1.7.1 April 18, 2009 13
+1.7.2 June 11, 2009 13
-1.7.1 April 18, 2009 14
+1.7.2 June 11, 2009 14
-1.7.1 April 18, 2009 15
+1.7.2 June 11, 2009 15
-1.7.1 April 18, 2009 16
+1.7.2 June 11, 2009 16
-1.7.1 April 18, 2009 17
+1.7.2 June 11, 2009 17
-1.7.1 April 18, 2009 18
+1.7.2 June 11, 2009 18
-1.7.1 April 18, 2009 19
+1.7.2 June 11, 2009 19
-1.7.1 April 18, 2009 20
+1.7.2 June 11, 2009 20
-1.7.1 April 18, 2009 21
+1.7.2 June 11, 2009 21
-1.7.1 April 18, 2009 22
+1.7.2 June 11, 2009 22
-1.7.1 April 18, 2009 23
+1.7.2 June 11, 2009 23
-1.7.1 April 18, 2009 24
+1.7.2 June 11, 2009 24
-1.7.1 March 11, 2009 1
+1.7.2 June 11, 2009 1
-1.7.1 March 11, 2009 2
+1.7.2 June 11, 2009 2
-1.7.1 March 11, 2009 3
+1.7.2 June 11, 2009 3
-1.7.1 March 11, 2009 4
+1.7.2 June 11, 2009 4
-1.7.1 March 11, 2009 5
+1.7.2 June 11, 2009 5
-1.7.1 March 11, 2009 6
+1.7.2 June 11, 2009 6
-1.7.1 March 11, 2009 7
+1.7.2 June 11, 2009 7
-1.7.1 March 11, 2009 8
+1.7.2 June 11, 2009 8
-1.7.1 March 11, 2009 9
+1.7.2 June 11, 2009 9
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
- # For SunONE or iPlanet LDAP, the file specified by tls_cert may
- # contain CA certs and/or the client's cert. If the client's
- # cert is included, tls_key should be specified as well.
- # For backward compatibility, sslpath may be used in place of tls_cert.
- #tls_cert /var/ldap/cert7.db
- #tls_key /var/ldap/key3.db
- #
+ # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+ # a directory, in which case the files in the directory must have the
+ # default names (e.g. cert8.db and key4.db), or the path to the cert
+ # and key files themselves. However, a bug in version 5.0 of the LDAP
+ # SDK will prevent specific file names from working. For this reason
+ # it is suggested that tls_cert and tls_key be set to a directory,
+ # not a file name.
-1.7.1 March 11, 2009 10
+1.7.2 June 11, 2009 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ #
+ # The certificate database specified by tls_cert may contain CA certs
+ # and/or the client's cert. If the client's cert is included, tls_key
+ # should be specified as well.
+ # For backward compatibility, "sslpath" may be used in place of tls_cert.
+ #tls_cert /var/ldap
+ #tls_key /var/ldap
+ #
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL username>
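Review bot: "a bug in version 5.0 of the LDAP SDK" does not say which SDK is meant (the SunONE/iPlanet one the paragraph opens with, or another), so a reader cannot tell whether the caveat applies to their build; name the SDK and, if known, the version in which it is fixed. The example default names also changed from cert7.db/key3.db to cert8.db/key4.db while the recommended setting became a directory (`#tls_cert /var/ldap`); anyone who followed the previous example has a directory holding the older cert7.db/key3.db pair, so state whether that layout is still found when a directory is given.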
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
-1.7.1 March 11, 2009 11
+1.7.2 June 11, 2009 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
-
-
-
-
-
-
-
-1.7.1 March 11, 2009 12
+1.7.2 June 11, 2009 12
-.\" Copyright (c) 2003-2008
+.\" Copyright (c) 2003-2009
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "March 11, 2009" "1.7.1" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\& #tls_cert /etc/certs/client_cert.pem
\& #tls_key /etc/certs/client_key.pem
\& #
-\& # For SunONE or iPlanet LDAP, the file specified by tls_cert may
-\& # contain CA certs and/or the client\*(Aqs cert. If the client\*(Aqs
-\& # cert is included, tls_key should be specified as well.
-\& # For backward compatibility, sslpath may be used in place of tls_cert.
-\& #tls_cert /var/ldap/cert7.db
-\& #tls_key /var/ldap/key3.db
+\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+\& # a directory, in which case the files in the directory must have the
+\& # default names (e.g. cert8.db and key4.db), or the path to the cert
+\& # and key files themselves. However, a bug in version 5.0 of the LDAP
+\& # SDK will prevent specific file names from working. For this reason
+\& # it is suggested that tls_cert and tls_key be set to a directory,
+\& # not a file name.
+\& #
+\& # The certificate database specified by tls_cert may contain CA certs
+\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
+\& # should be specified as well.
+\& # For backward compatibility, "sslpath" may be used in place of tls_cert.
+\& #tls_cert /var/ldap
+\& #tls_key /var/ldap
\& #
\& # If using SASL authentication for LDAP (OpenSSL)
\& # use_sasl yes
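Review bot: the new paragraph first says tls_cert and tls_key "may specify ... the path to the cert and key files themselves" and then that a bug "will prevent specific file names from working", which leaves the reader with an option the text itself says is broken; document the directory form as the supported setting and mention file paths only as a known-broken alternative. With the directory form now recommended, "The certificate database specified by tls_cert" also reads oddly, since tls_cert no longer names a database; something like "the certificate database in the directory given by tls_cert" matches the example `#tls_cert /var/ldap` that follows.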
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2008
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2009
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "April 18, 2009" "1.7.1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
-Let's break that down into its constituent parts:
+The basic structure of a user specification is `who = where (as_whom)
+what'. Let's break that down into its constituent parts:
.Sh "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
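Review bot: `who = where (as_whom) what' places the `=` before the host list, but in a sudoers entry the host list precedes the `=` (`user host = (runas) command`), so the summary should read `who where = (as_whom) what'. Style: the rest of this page quotes with \*(L" and \*(R" (see \*(L"xerxes\*(R" further down), while this line uses a bare backtick and apostrophe; either use the same quoting macros or wrap the form in \f(CW\*(C`...\*(C'\fR as the #include examples do, so it renders consistently under both troff and nroff.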
The filename may include the \f(CW%h\fR escape, signifying the short form
of the hostname. I.e., if the machine's hostname is \*(L"xerxes\*(R", then
.PP
-.Vb 1
-\& #include /etc/sudoers.%h
-.Ve
+\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
.PP
directory that the system package manager can drop \fIsudoers\fR rules
into as part of package installation. For example, given:
.PP
-.Vb 1
-\& #includedir /etc/sudoers.d
-.Ve
-.PP
-\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping files
-that contain a \f(CW\*(C`.\*(C'\fR character to avoid causing problems with package
-manager, \fBvisudo\fR or editor temporary files. Files are parsed in
-sorted lexical order. That is, \fI/etc/sudoers.d/01_first\fR will be
-parsed before \fI/etc/sudoers.d/10_second\fR. Be aware that because
-the sorting is lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR
-would be loaded \fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a
-consistent number of leading zeroes in the file names can be used
-to avoid such problems.
+\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
+.PP
+\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
+names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
+problems with package manager or editor temporary/backup files.
+Files are parsed in sorted lexical order. That is,
+\&\fI/etc/sudoers.d/01_first\fR will be parsed before
+\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
+lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
+\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
+of leading zeroes in the file names can be used to avoid such
+problems.
.PP
Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
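Review bot: "Using a consistent number of leading zeroes in the file names can be used to avoid such problems" doubles up ("Using ... can be used"); "Use a consistent number of leading zeroes in the file names to avoid this" says the same thing cleanly. Also, switching the `#include` and `#includedir` examples from .Vb/.Ve verbatim blocks to inline \f(CW text in a .PP paragraph is what dropped the indentation in the catted output; make sure the other examples on this page are converted the same way, or the page will mix the two styles.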
-1.7.1 March 11, 2009 1
+1.7.2 June 11, 2009 1
-1.7.1 March 11, 2009 2
+1.7.2 June 11, 2009 2
-1.7.1 March 11, 2009 3
+1.7.2 June 11, 2009 3
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "March 11, 2009" "1.7.1" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l