them part of the "all" rule in devel mode.
Generate .cat files directly from .man.in instead of .man using default
values in configure.in
+#
+# Begin initial values for man page substitution
+#
+timedir=/var/run/sudo
timeout=5
password_timeout=5
sudo_umask=0022
mail_no_host=off
mail_no_perms=off
mailto=root
-mailsub='*** SECURITY information for %h ***'
-badpass_message='Sorry, try again.'
+mailsub="*** SECURITY information for %h ***"
+badpass_message="Sorry, try again."
fqdn=off
runas_default=root
env_editor=off
insults=off
root_sudo=on
path_info=on
+ldap_conf=/etc/ldap.conf
+ldap_secret=/etc/ldap.secret
+netsvc_conf=/etc/netsvc.conf
+noexec_file=/usr/local/libexec/sudo_noexec.so
+nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
+#
+# End initial values for man page substitution
+#
INSTALL_NOEXEC=
devdir='$(srcdir)'
PROGS="sudo"
withval=$with_ldap_conf_file;
fi
+test -n "$with_ldap_conf_file" && ldap_conf="$with_ldap_conf_file"
cat >>confdefs.h <<EOF
-#define _PATH_LDAP_CONF "${with_ldap_conf_file-/etc/ldap.conf}"
+#define _PATH_LDAP_CONF "$ldap_conf"
EOF
-ldap_conf=${with_ldap_conf_file-'/etc/ldap.conf'}
# Check whether --with-ldap-secret-file was given.
withval=$with_ldap_secret_file;
fi
+test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
cat >>confdefs.h <<EOF
-#define _PATH_LDAP_SECRET "${with_ldap_secret_file-/etc/ldap.secret}"
+#define _PATH_LDAP_SECRET "$ldap_secret"
EOF
-ldap_secret=${with_ldap_secret_file-'/etc/ldap.secret'}
# Check whether --with-pc-insults was given.
else
lt_cv_nm_interface="BSD nm"
echo "int some_variable = 0;" > conftest.$ac_ext
- (eval echo "\"\$as_me:6599: $ac_compile\"" >&5)
+ (eval echo "\"\$as_me:6611: $ac_compile\"" >&5)
(eval "$ac_compile" 2>conftest.err)
cat conftest.err >&5
- (eval echo "\"\$as_me:6602: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+ (eval echo "\"\$as_me:6614: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
(eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
cat conftest.err >&5
- (eval echo "\"\$as_me:6605: output\"" >&5)
+ (eval echo "\"\$as_me:6617: output\"" >&5)
cat conftest.out >&5
if $GREP 'External.*some_variable' conftest.out > /dev/null; then
lt_cv_nm_interface="MS dumpbin"
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 7810 "configure"' > conftest.$ac_ext
+ echo '#line 7822 "configure"' > conftest.$ac_ext
if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
(eval $ac_compile) 2>&5
ac_status=$?
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9202: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9214: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9206: \$? = $ac_status" >&5
+ echo "$as_me:9218: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9541: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9553: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:9545: \$? = $ac_status" >&5
+ echo "$as_me:9557: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9646: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9658: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9650: \$? = $ac_status" >&5
+ echo "$as_me:9662: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9701: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:9713: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:9705: \$? = $ac_status" >&5
+ echo "$as_me:9717: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12068 "configure"
+#line 12080 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<_LT_EOF
-#line 12164 "configure"
+#line 12176 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
done
-netsvc_conf='/etc/netsvc.conf'
-nsswitch_conf='/etc/nsswitch.conf'
if test ${with_netsvc-"no"} != "no"; then
cat >>confdefs.h <<EOF
#define _PATH_NETSVC_CONF "${with_netsvc-/etc/netsvc.conf}"
dnl
dnl Variables that get substituted in docs (not overridden by environment)
dnl
-AC_SUBST([timedir])dnl initial value from SUDO_TIMEDIR
+AC_SUBST([timedir])dnl real initial value from SUDO_TIMEDIR
AC_SUBST([timeout])
AC_SUBST([password_timeout])
AC_SUBST([sudo_umask])
AC_SUBST([nsswitch_conf])
AC_SUBST([netsvc_conf])
AC_SUBST([secure_path])
-dnl
-dnl Initial values for above
-dnl
+#
+# Begin initial values for man page substitution
+#
+timedir=/var/run/sudo
timeout=5
password_timeout=5
sudo_umask=0022
mail_no_host=off
mail_no_perms=off
mailto=root
-mailsub='*** SECURITY information for %h ***'
-badpass_message='Sorry, try again.'
+mailsub="*** SECURITY information for %h ***"
+badpass_message="Sorry, try again."
fqdn=off
runas_default=root
env_editor=off
insults=off
root_sudo=on
path_info=on
+ldap_conf=/etc/ldap.conf
+ldap_secret=/etc/ldap.secret
+netsvc_conf=/etc/netsvc.conf
+noexec_file=/usr/local/libexec/sudo_noexec.so
+nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
-INSTALL_NOEXEC=
-devdir='$(srcdir)'
+#
+# End initial values for man page substitution
+#
dnl
dnl Initial values for Makefile variables listed above
dnl May be overridden by environment variables..
dnl
+INSTALL_NOEXEC=
+devdir='$(srcdir)'
PROGS="sudo"
: ${MANTYPE='man'}
: ${mansrcdir='.'}
esac])
AC_ARG_WITH(ldap-conf-file, [AS_HELP_STRING([--with-ldap-conf-file], [path to LDAP configuration file])])
-SUDO_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "${with_ldap_conf_file-/etc/ldap.conf}", [Path to the ldap.conf file])
-ldap_conf=${with_ldap_conf_file-'/etc/ldap.conf'}
+test -n "$with_ldap_conf_file" && ldap_conf="$with_ldap_conf_file"
+SUDO_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$ldap_conf", [Path to the ldap.conf file])
AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path to LDAP secret password file])])
-SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "${with_ldap_secret_file-/etc/ldap.secret}", [Path to the ldap.secret file])
-ldap_secret=${with_ldap_secret_file-'/etc/ldap.secret'}
+test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
+SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
AC_ARG_WITH(pc-insults, [AS_HELP_STRING([--with-pc-insults], [replace politically incorrect insults with less offensive ones])],
[case $with_pc_insults in
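Review bot: `test -n "$with_ldap_conf_file" && ldap_conf="$with_ldap_conf_file"` passes the literal strings `no` and `yes` through when the user gives `--without-ldap-conf-file` or a bare `--with-ldap-conf-file`, so `_PATH_LDAP_CONF` and the man-page default become `"no"`/`"yes"`; the previous `${with_ldap_conf_file-/etc/ldap.conf}` form had the same weakness, so this is not a regression, but the rewrite is the natural place to fix it. A `case $with_ldap_conf_file in ''|yes|no) ;; *) ldap_conf="$with_ldap_conf_file" ;; esac` keeps the configure.in default for those values, and the same applies to the `ldap_secret` assignment in this hunk. Since the path ends up compiled into sudo as the file it reads credentials from, rejecting a nonsensical value at configure time is cheaper than discovering it at runtime.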
dnl
dnl nsswitch.conf and its equivalents
dnl
-netsvc_conf='/etc/netsvc.conf'
-nsswitch_conf='/etc/nsswitch.conf'
if test ${with_netsvc-"no"} != "no"; then
SUDO_DEFINE_UNQUOTED(_PATH_NETSVC_CONF, "${with_netsvc-/etc/netsvc.conf}")
netsvc_conf=${with_netsvc-/etc/netsvc.conf}
DOCS = sudo.man visudo.man sudoers.man sudoers.ldap.man sudoers.man \
sudoreplay.man sudo_plugin.man
-VERSION = @PACKAGE_VERSION@
+@DEV@DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
+ $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \
+ $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
+ $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \
+ $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
+ $(srcdir)/sudoreplay.man.in $(srcdir)/sudoreplay.cat \
+ $(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_plugin.cat \
+ $(srcdir)/HISTORY $(srcdir)/LICENSE
-all: $(DOCS)
+VERSION = @PACKAGE_VERSION@
-.SUFFIXES: .man .cat
+all: $(DEVDOCS) $(DOCS)
-.man.cat:
- @rm -f $@
- sed '1s/^/.if n .ll 78n/' $< | $(NROFF) -man > $@
+.SUFFIXES:
-@DEV@sudo.man.in: $(srcdir)/sudo.man.in
+varsub: $(top_srcdir)/configure.in
+ printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@
-@DEV@$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod
-@DEV@ @rm -f $(srcdir)/$@
-@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudo.man.pl >> $@ )
+$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod
+ @rm -f $(srcdir)/$@
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudo.man.pl >> $@ )
sudo.man: $(srcdir)/sudo.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-@DEV@sudo.cat: $(srcdir)/sudo.cat
+$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in
+ sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@
-@DEV@$(srcdir)/sudo.cat: sudo.man
+visudo.man.in: $(srcdir)/visudo.man.in
-@DEV@visudo.man.in: $(srcdir)/visudo.man.in
-
-@DEV@$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod
-@DEV@ @rm -f $(srcdir)/$@
-@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
+$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod
+ @rm -f $(srcdir)/$@
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
visudo.man: $(srcdir)/visudo.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-@DEV@visudo.cat: $(srcdir)/visudo.cat
-
-@DEV@$(srcdir)/visudo.cat: visudo.man
+$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in
+ sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@
-@DEV@sudoers.man.in: $(srcdir)/sudoers.man.in
+sudoers.man.in: $(srcdir)/sudoers.man.in
-@DEV@$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod
-@DEV@ @rm -f $(srcdir)/$@
-@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudoers.man.pl >> $@ )
+$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod
+ @rm -f $(srcdir)/$@
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudoers.man.pl >> $@ )
-sudoers.man:: $(srcdir)/sudoers.man.in
+sudoers.man: $(srcdir)/sudoers.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-@DEV@sudoers.cat: $(srcdir)/sudoers.cat
+$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in
+ sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@
-@DEV@$(srcdir)/sudoers.cat: sudoers.man
+sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.man.in
-@DEV@sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.man.in
+$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod
+ @rm -f $(srcdir)/$@
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
-@DEV@$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod
-@DEV@ @rm -f $(srcdir)/$@
-@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
-
-sudoers.ldap.man:: $(srcdir)/sudoers.ldap.man.in
+sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-@DEV@sudoers.ldap.cat: $(srcdir)/sudoers.ldap.cat
-
-@DEV@$(srcdir)/sudoers.ldap.cat: sudoers.ldap.man
+$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in
+ sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@
-@DEV@sudoreplay.man.in: $(srcdir)/sudoreplay.man.in
+sudoreplay.man.in: $(srcdir)/sudoreplay.man.in
-@DEV@$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod
-@DEV@ @rm -f $(srcdir)/$@
-@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
+$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod
+ @rm -f $(srcdir)/$@
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
-sudoreplay.man:: $(srcdir)/sudoreplay.man.in
+sudoreplay.man: $(srcdir)/sudoreplay.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-@DEV@sudoreplay.cat: $(srcdir)/sudoreplay.cat
-
-@DEV@$(srcdir)/sudoreplay.cat: sudoreplay.man
+$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in
+ sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@
-@DEV@sudo_plugin.man.in: $(srcdir)/sudo_plugin.man.in
+sudo_plugin.man.in: $(srcdir)/sudo_plugin.man.in
-@DEV@$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod
-@DEV@ @rm -f $(srcdir)/$@
-@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo_plugin.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
+$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod
+ @rm -f $(srcdir)/$@
+ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo_plugin.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
-sudo_plugin.man:: $(srcdir)/sudo_plugin.man.in
+sudo_plugin.man: $(srcdir)/sudo_plugin.man.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-@DEV@sudo_plugin.cat: $(srcdir)/sudo_plugin.cat
+$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.man.in
+ sed -f varsub $(srcdir)/sudo_plugin.man.in | $(NROFF) -man > $@
-@DEV@$(srcdir)/sudo_plugin.cat: sudo_plugin.man
+HISTORY: history.pod
+ pod2text -l -i0 $> > $@
-@DEV@HISTORY: history.pod
-@DEV@ pod2text -l -i0 $> > $@
-@DEV@
-@DEV@LICENSE: license.pod
-@DEV@ pod2text -l -i0 $> | sed '1,2d' > $@
+LICENSE: license.pod
+ pod2text -l -i0 $> | sed '1,2d' > $@
install: install-dirs install-man
@echo nothing to check
clean:
+ -rm -f varsub
mostlyclean: clean
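Review bot: Dropping the `@DEV@` prefix from the `$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod` rule (and its visudo, sudoers, sudoers.ldap, sudoreplay and sudo_plugin counterparts) makes the pod2man regeneration active in every build, not just devel mode, so a tarball or checkout in which a .pod carries a newer mtime than its .man.in will now require pod2man, perl and the .man.pl filters at build time; if that is intended, a comment at the top of the file should say so, otherwise those rules should keep the `@DEV@` prefix while only the `.cat` rules become unconditional. The `varsub` recipe also deserves a comment on its contract, since it builds `s#@name@#value#g` commands from the configure.in block and strips `"` and `\` but not `'`: `# varsub: sed script mapping @name@ to the documentation defaults in configure.in; values must not contain '#', '&' or '\' (sed delimiter and replacement metacharacters)`. Note that `varsub` is a build-directory file while the `.cat` targets it feeds are written into `$(srcdir)`, which is fine for DEVDOCS but should be stated in that comment so nobody adds it to the regular `all` dependencies.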
[-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-D\bD _\bl_\be_\bv_\be_\bl] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be]
- [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-D\bD _\bl_\be_\bv_\be_\bl]
[-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
- the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. The password prompt itself
- will also time out if the user's password is not entered within 5
- minutes (unless overridden via _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If a password is required,
+ s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
+ configurable time limit. The default password prompt timeout is 5
+ minutes.
If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
be used by a user to log commands through sudo even when a root shell
has been invoked. It also allows the -\b-e\be option to remain useful even
when being run via a sudo-run script or program. Note however, that
- the sudoers lookup is still done for root, not the user specified by
-1.8.0a2 June 9, 2010 1
+1.8.0b1 June 11, 2010 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ the sudoers lookup is still done for root, not the user specified by
SUDO_USER.
s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
be run restricted by the default login capabilities for the
- user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
-1.8.0a2 June 9, 2010 2
+1.8.0b1 June 11, 2010 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
specifies an existing user class, the command must be run
as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
is already root. This option is only available on systems
-H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
the homedir of the target user (root by default) as
specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo does not modify
- HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
-1.8.0a2 June 9, 2010 3
+1.8.0b1 June 11, 2010 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
+
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
and exit.
required for the command to run, s\bsu\bud\bdo\bo will display an error
messages and exit.
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the invoking user's group vector unaltered. By
-1.8.0a2 June 9, 2010 4
+1.8.0b1 June 11, 2010 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ preserve the invoking user's group vector unaltered. By
default, s\bsu\bud\bdo\bo will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
system password prompt on systems that support PAM unless
the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
+ context to have the role specified by _\br_\bo_\bl_\be.
+
-S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
the standard input instead of the terminal device. The
password must be followed by a newline character.
the shell for execution. Otherwise, an interactive shell
is executed.
+ -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
+ context to have the type specified by _\bt_\by_\bp_\be. If no type is
+ specified, the default type is derived from the specified
+ role.
+
-U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
-\b-l\bl option to specify the user whose privileges should be
listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
- host may use this option.
- -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
- a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
- backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
- is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
- with a uid not listed in the password database.
+1.8.0b1 June 11, 2010 5
-1.8.0a2 June 9, 2010 5
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ host may use this option.
+ -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
+ a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
+ backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
+ is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ with a uid not listed in the password database.
-V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
number and exit. If the invoking user is already root the
use the traditional _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O logging, which
corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+
+
+
+
+
+
+
+
+
+
+1.8.0b1 June 11, 2010 6
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
#
# Default /etc/sudo.conf file
#
A Plugin line consists of the Plugin keyword, followed by the
_\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be and the _\bp_\ba_\bt_\bh to the shared object containing the plugin.
The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be is the name of the struct policy_plugin or struct
-
-
-
-1.8.0a2 June 9, 2010 6
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
io_plugin in the plugin shared object. The _\bp_\ba_\bt_\bh may be fully qualified
or relative. If not fully qualified it is relative to the
_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any additional parameters after the _\bp_\ba_\bt_\bh
If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+
+
+
+1.8.0b1 June 11, 2010 7
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
_\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
blacklist all potentially dangerous environment variables, use of the
default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
s\bsu\bud\bdo\bo to preserve them.
To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
-
-
-
-1.8.0a2 June 9, 2010 7
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
current directory) last when searching for a command in the user's PATH
(if one or both are in the PATH). Note, however, that the actual PATH
environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
modification time is within 5 minutes (or whatever the timeout is set
+
+
+
+1.8.0b1 June 11, 2010 8
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
time stamp has per-tty granularity but still may outlive the user's
session. On Linux systems where the devpts filesystem is used, Solaris
when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
command does not inadvertently give the user an effective root shell.
For more information, please see the PREVENTING SHELL ESCAPES section
-
-
-
-1.8.0a2 June 9, 2010 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
SUDO_USER Set to the login of the user who invoked sudo
+
+
+
+1.8.0b1 June 11, 2010 9
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
USER Set to the target user (root unless the -\b-u\bu option is
specified)
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
-
-
-1.8.0a2 June 9, 2010 9
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
_\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4),
_\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m), _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+
+
+
+1.8.0b1 June 11, 2010 10
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
of code written primarily by:
It is not meaningful to run the cd command directly via sudo, e.g.,
-
-
-
-1.8.0a2 June 9, 2010 10
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will still
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0a2 June 9, 2010 11
+1.8.0b1 June 11, 2010 11
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "June 10, 2010" "1.8.0a2" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.8.0a2 June 9, 2010 1
+1.8.0b1 June 11, 2010 1
-1.8.0a2 June 9, 2010 2
+1.8.0b1 June 11, 2010 2
-1.8.0a2 June 9, 2010 3
+1.8.0b1 June 11, 2010 3
-1.8.0a2 June 9, 2010 4
+1.8.0b1 June 11, 2010 4
-1.8.0a2 June 9, 2010 5
+1.8.0b1 June 11, 2010 5
-1.8.0a2 June 9, 2010 6
+1.8.0b1 June 11, 2010 6
-1.8.0a2 June 9, 2010 7
+1.8.0b1 June 11, 2010 7
-1.8.0a2 June 9, 2010 8
+1.8.0b1 June 11, 2010 8
-1.8.0a2 June 9, 2010 9
+1.8.0b1 June 11, 2010 9
-1.8.0a2 June 9, 2010 10
+1.8.0b1 June 11, 2010 10
-1.8.0a2 June 9, 2010 11
+1.8.0b1 June 11, 2010 11
-1.8.0a2 June 9, 2010 12
+1.8.0b1 June 11, 2010 12
-1.8.0a2 June 9, 2010 13
+1.8.0b1 June 11, 2010 13
-1.8.0a2 June 9, 2010 14
+1.8.0b1 June 11, 2010 14
-1.8.0a2 June 9, 2010 15
+1.8.0b1 June 11, 2010 15
-1.8.0a2 June 9, 2010 16
+1.8.0b1 June 11, 2010 16
.\" ========================================================================
.\"
.IX Title "SUDO_PLUGIN @mansectsu@"
-.TH SUDO_PLUGIN @mansectsu@ "June 9, 2010" "1.8.0a2" "MAINTENANCE COMMANDS"
+.TH SUDO_PLUGIN @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.8.0a2 June 8, 2010 1
+1.8.0b1 June 11, 2010 1
-1.8.0a2 June 8, 2010 2
+1.8.0b1 June 11, 2010 2
-1.8.0a2 June 8, 2010 3
+1.8.0b1 June 11, 2010 3
-1.8.0a2 June 8, 2010 4
+1.8.0b1 June 11, 2010 4
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
-1.8.0a2 June 8, 2010 5
+1.8.0b1 June 11, 2010 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+
We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
+ S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ SELinux role and/or type associated with a command. If a role or type
+ is specified with the command it will override any default values
+ specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
+ however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without
a password. Additionally, a user may only run sudo -v without a
- password if the NOPASSWD tag is present for all a user's entries that
- pertain to the current host. This behavior may be overridden via the
- verifypw and listpw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
+1.8.0b1 June 11, 2010 6
-1.8.0a2 June 8, 2010 6
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ password if the NOPASSWD tag is present for all a user's entries that
+ pertain to the current host. This behavior may be overridden via the
+ verifypw and listpw options.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
[!...] Matches any character n\bno\bot\bt in the specified range.
- \x For any character "x", evaluates to "x". This is used to
- escape special characters such as: "*", "?", "[", and "}".
- POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
- has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
- /bin/ls [[\:alpha\:]]*
- Would match any file name beginning with a letter.
+1.8.0b1 June 11, 2010 7
-1.8.0a2 June 8, 2010 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ \x For any character "x", evaluates to "x". This is used to
+ escape special characters such as: "*", "?", "[", and "}".
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ /bin/ls [[\:alpha\:]]*
+
+ Would match any file name beginning with a letter.
Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
in the path name. When matching the command line arguments, however, a
will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
- the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
- package installation. For example, given:
- #includedir /etc/sudoers.d
- s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
- end in ~ or contain a . character to avoid causing problems with
- package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+1.8.0b1 June 11, 2010 8
-1.8.0a2 June 8, 2010 8
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
+ package installation. For example, given:
+ #includedir /etc/sudoers.d
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
earlier. A list of all supported Defaults parameters, grouped by type,
are listed below.
- B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
-
- always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
- the home directory of the target user (which is root
- unless the -\b-u\bu option is used). This effectively means
- that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
- by default.
- authenticate If set, users must authenticate themselves via a
- password (or other means of authentication) before they
+1.8.0b1 June 11, 2010 9
-1.8.0a2 June 8, 2010 9
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+ always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
+ the home directory of the target user (which is root
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
+ by default.
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
which does not access the file system to do its
matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
- unable to match relative path names such as _\b._\b/_\bl_\bs or
- _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
- names that include globbing characters are used with
- the negation operator, '!', as such rules can be
- trivially bypassed. As such, this option should not be
- used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
- path names which include globbing characters. This
- flag is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully qualified host
-1.8.0a2 June 8, 2010 10
+1.8.0b1 June 11, 2010 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ unable to match relative path names such as _\b._\b/_\bl_\bs or
+ _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
+ names that include globbing characters are used with
+ the negation operator, '!', as such rules can be
+ trivially bypassed. As such, this option should not be
+ used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
+ path names which include globbing characters. This
+ flag is _\bo_\bf_\bf by default.
+
+ fqdn Set this flag if you want to put fully qualified host
names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
long_otp_prompt When validating with a One Time Password (OPT) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
- local window. It's not as pretty as the default but
- some people find it more convenient. This flag is _\bo_\bf_\bf
- by default.
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
- s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
- does not enter the correct password. This flag is _\bo_\bf_\bf
- by default.
+1.8.0b1 June 11, 2010 11
-1.8.0a2 June 8, 2010 11
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ local window. It's not as pretty as the default but
+ some people find it more convenient. This flag is _\bo_\bf_\bf
+ by default.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
+
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. This flag is _\bo_\bf_\bf
+ by default.
mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
+
+
+
+1.8.0b1 June 11, 2010 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
This flag is _\bo_\bf_\bf by default.
pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
able to determine the length of the password being
entered. This flag is _\bo_\bf_\bf by default.
-
-
-1.8.0a2 June 8, 2010 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bf_\bf by default.
setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+
+
+
+1.8.0b1 June 11, 2010 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
command line. Additionally, environment variables set
via the command line are not subject to the
restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
-
-
-
-1.8.0a2 June 8, 2010 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
if not). This flag is _\bo_\bf_\bf by default.
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
using a unique session ID that is included in the
normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
- utility, which can also be used to list or search the
- available logs.
-
- tty_tickets If set, users must authenticate on a per-tty basis.
- Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
- the same name as the user running it. With this flag
- enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
- user is logged in on in that directory. This flag is
- _\bo_\bf_\bf by default.
+1.8.0b1 June 11, 2010 14
-1.8.0a2 June 8, 2010 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
+ the same name as the user running it. With this flag
+ enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
+ user is logged in on in that directory. This flag is
+ _\bo_\bf_\bf by default.
umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
without modification. This makes it possible to
I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- loglinelen Number of characters per line for the file log. This
- value is used to decide when to wrap lines for nicer
- log files. This has no effect on the syslog log file,
- only the file log. The default is 80 (use 0 or negate
- the option to disable word wrap).
-
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out. The timeout may include a fractional component if
- minute granularity is insufficient, for example 2.5.
- The default is 5; set this to 0 for no password
- timeout.
-1.8.0a2 June 8, 2010 15
+1.8.0b1 June 11, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ loglinelen Number of characters per line for the file log. This
+ value is used to decide when to wrap lines for nicer
+ log files. This has no effect on the syslog log file,
+ only the file log. The default is 80 (use 0 or negate
+ the option to disable word wrap).
+
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out, or 0 for no timeout. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5.
+
timestamp_timeout
Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
for a passwd again. The timeout may include a
LD_PRELOAD or its equivalent. Defaults to
_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
- passprompt The default prompt to use when asking for a password;
- can be overridden via the -\b-p\bp option or the SUDO_PROMPT
- environment variable. The following percent (`%')
- escapes are supported:
-
- %H expanded to the local host name including the
- domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
- %h expanded to the local host name without the domain
+1.8.0b1 June 11, 2010 16
-1.8.0a2 June 8, 2010 16
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the -\b-p\bp option or the SUDO_PROMPT
+ environment variable. The following percent (`%')
+ escapes are supported:
+ %H expanded to the local host name including the
+ domain name (on if the machine's host name is fully
+ qualified or the _\bf_\bq_\bd_\bn option is set)
+ %h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
The default value is Password:.
+ role The default SELinux role to use when constructing a new
+ security context to run the command. The default role
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
+
runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.
+ type The default SELinux type to use when constructing a new
+
+
+
+1.8.0b1 June 11, 2010 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ security context to run the command. The default type
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
+
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
The value may optionally be surrounded by single or double
-
-
-
-1.8.0a2 June 8, 2010 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
must have the NOPASSWD flag set to avoid entering a
+
+
+
+1.8.0b1 June 11, 2010 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
password.
always The user must always enter a password to use the -\b-l\bl
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
-
-
-
-1.8.0a2 June 8, 2010 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
password.
always The user must always enter a password to use the -\b-v\bv
+
+
+
+1.8.0b1 June 11, 2010 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
option.
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
The list can be replaced, added to, deleted from, or
-
-
-
-1.8.0a2 June 8, 2010 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
disabled by using the =, +=, -=, and ! operators
respectively. Regardless of whether the env_reset
option is enabled or disabled, variables specified by
with the _\b-_\bV option.
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
+
+
+
+1.8.0b1 June 11, 2010 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
-
-
-
-
-
-1.8.0a2 June 8, 2010 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
+
+
+
+1.8.0b1 June 11, 2010 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
need not give a password, and we don't want to reset the LOGNAME, USER
Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
-
-
-
-1.8.0a2 June 8, 2010 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
what.
root ALL = (ALL) ALL
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
+
+
+
+1.8.0b1 June 11, 2010 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
multiple user names on the command line.
-
-
-1.8.0a2 June 8, 2010 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+
+
+
+1.8.0b1 June 11, 2010 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
and wim), may run any command as user www (which owns the web pages) or
simply _\bs_\bu(1) to www.
-
-
-
-
-1.8.0a2 June 8, 2010 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+
+
+
+1.8.0b1 June 11, 2010 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
number of programs that offer shell escapes, restricting
users to the set of programs that do not if often unworkable.
-
-
-
-1.8.0a2 June 8, 2010 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
noexec Many systems that support shared libraries have the ability
to override default library functions by pointing an
environment variable (usually LD_PRELOAD) to an alternate
documented in the User Specification section above. Here is
that example again:
+
+
+
+1.8.0b1 June 11, 2010 25
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
-
-
-
-1.8.0a2 June 8, 2010 25
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
locks the file and does grammatical checking. It is imperative that
_\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.8.0a2 June 8, 2010 26
+1.8.0b1 June 11, 2010 26
-1.8.0a1 May 25, 2010 1
+1.8.0b1 June 11, 2010 1
-1.8.0a1 May 25, 2010 2
+1.8.0b1 June 11, 2010 2
-1.8.0a1 May 25, 2010 3
+1.8.0b1 June 11, 2010 3
-1.8.0a1 May 25, 2010 4
+1.8.0b1 June 11, 2010 4
-1.8.0a1 May 25, 2010 5
+1.8.0b1 June 11, 2010 5
-1.8.0a1 May 25, 2010 6
+1.8.0b1 June 11, 2010 6
-1.8.0a1 May 25, 2010 7
+1.8.0b1 June 11, 2010 7
-1.8.0a1 May 25, 2010 8
+1.8.0b1 June 11, 2010 8
-1.8.0a1 May 25, 2010 9
+1.8.0b1 June 11, 2010 9
-1.8.0a1 May 25, 2010 10
+1.8.0b1 June 11, 2010 10
-1.8.0a1 May 25, 2010 11
+1.8.0b1 June 11, 2010 11
-1.8.0a1 May 25, 2010 12
+1.8.0b1 June 11, 2010 12
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "June 8, 2010" "1.8.0a2" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
.IP "passwd_timeout" 16
.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out.
-The timeout may include a fractional component if minute granularity
-is insufficient, for example \f(CW2.5\fR. The default is \f(CW\*(C`@password_timeout@\*(C'\fR;
-set this to \f(CW0\fR for no password timeout.
+Number of minutes before the \fBsudo\fR password prompt times out, or
+\&\f(CW0\fR for no timeout. The timeout may include a fractional component
+if minute granularity is insufficient, for example \f(CW2.5\fR. The
+default is \f(CW\*(C`@password_timeout@\*(C'\fR.
.IP "timestamp_timeout" 16
.IX Item "timestamp_timeout"
Number of minutes that can elapse before \fBsudo\fR will ask for a
-1.8.0a2 May 30, 2010 1
+1.8.0b1 June 11, 2010 1
-1.8.0a2 May 30, 2010 2
+1.8.0b1 June 11, 2010 2
-1.8.0a2 May 30, 2010 3
+1.8.0b1 June 11, 2010 3
-1.8.0a2 May 30, 2010 4
+1.8.0b1 June 11, 2010 4
-1.8.0a2 May 30, 2010 5
+1.8.0b1 June 11, 2010 5
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "May 30, 2010" "1.8.0a2" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-1.8.0a1 May 25, 2010 1
+1.8.0b1 June 11, 2010 1
-1.8.0a1 May 25, 2010 2
+1.8.0b1 June 11, 2010 2
-1.8.0a1 May 25, 2010 3
+1.8.0b1 June 11, 2010 3
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l