From: Todd C. Miller Date: Fri, 29 Jun 2012 20:11:27 +0000 (-0400) Subject: Regen for sudo 1.8.6 X-Git-Tag: SUDO_1_8_6^2~107 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2e36b1ef2be04ac5a69114d9cff705fc79df0d90;p=sudo Regen for sudo 1.8.6 --- diff --git a/doc/sudo.cat b/doc/sudo.cat index c32092bee..c137a4b61 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -624,4 +624,4 @@ DDIISSCCLLAAIIMMEERR -1.8.5 March 15, 2012 SUDO(1m) +1.8.6 June 29, 2012 SUDO(1m) diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 856164e35..e5c61c1da 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "March 15, 2012" "1.8.5" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index 1d9a9963f..5c56469b0 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -1355,4 +1355,4 @@ DDIISSCCLLAAIIMMEERR -1.8.5 April 23, 2012 SUDO_PLUGIN(1m) +1.8.6 June 29, 2012 SUDO_PLUGIN(1m) diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index ca9589f7b..ce3856ad0 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDO_PLUGIN @mansectsu@" -.TH SUDO_PLUGIN @mansectsu@ "April 23, 2012" "1.8.5" "MAINTENANCE COMMANDS" +.TH SUDO_PLUGIN @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 6033d16fb..b70ee5210 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -210,11 +210,11 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT below). For instance, the QAS AD plugin supports the following formats: - o Group in the same domain: "Group Name" + o Group in the same domain: "%:Group Name" - o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" + o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" - o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" + o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" Note that quotes around group names are optional. Unquoted strings must use a backslash (\) to escape spaces and special characters. See @@ -1814,4 +1814,4 @@ DDIISSCCLLAAIIMMEERR -1.8.5 March 28, 2012 SUDOERS(4) +1.8.6 June 29, 2012 SUDOERS(4) diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 67d6d863f..6dd010709 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -254,7 +254,7 @@ DDEESSCCRRIIPPTTIIOONN Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from - those described in the _l_d_a_p_._c_o_n_f(4) manual. + those described in the system's _l_d_a_p_._c_o_n_f(4) manual. Also note that on systems using the OpenLDAP libraries, default values specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are 
@@ -273,9 +273,9 @@ DDEESSCCRRIIPPTTIIOONN ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated identically to a UURRII line containing multiple entries. Only systems using the OpenSSL libraries support the mixing of ldap:// - and ldaps:// URIs. The Netscape-derived libraries used on most - commercial versions of Unix are only capable of supporting one or - the other. + and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP + libraries used on most commercial versions of Unix are only capable + of supporting one or the other. HHOOSSTT name[:port] ... If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- @@ -379,7 +379,8 @@ DDEESSCCRRIIPPTTIIOONN the check creates an opportunity for man-in-the-middle attacks since the server's identity will not be authenticated. If possible, the CA's certificate should be installed locally so it - can be verified. + can be verified. This option is not supported by the Tivoli + Directory Server LDAP libraries. TTLLSS__CCAACCEERRTT file name An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. @@ -410,6 +411,10 @@ DDEESSCCRRIIPPTTIIOONN Netscape-derived: tls_cert /var/ldap/cert7.db + Tivoli Directory Server: + Unused, the key database specified by TTLLSS__KKEEYY contains both + keys and certificates. + When using Netscape-derived libraries, this file may also contain Certificate Authority certificates. 
@@ -425,6 +430,23 @@ DDEESSCCRRIIPPTTIIOONN Netscape-derived: tls_key /var/ldap/key3.db + Tivoli Directory Server: + tls_cert /usr/ldap/ldapkey.kdb + + When using Tivoli LDAP libraries, this file may also contain + Certificate Authority and client certificates and may be encrypted. + + TTLLSS__KKEEYYPPWW secret + The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key + database on clients using the Tivoli Directory Server LDAP library. + If no TTLLSS__KKEEYYPPWW is specified, a _s_t_a_s_h _f_i_l_e will be used if it + exists. The _s_t_a_s_h _f_i_l_e must have the same path as the file + specified by TTLLSS__KKEEYY, but use a .sth file extension instead of + .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with + Tivoli Directory Server is encrypted with the password + ssl_password. This option is only supported by the Tivoli LDAP + libraries. + TTLLSS__RRAANNDDFFIILLEE file name The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source for systems that lack a random device. It is generally used in @@ -434,8 +456,9 @@ DDEESSCCRRIIPPTTIIOONN TTLLSS__CCIIPPHHEERRSS cipher list The TTLLSS__CCIIPPHHEERRSS parameter allows the administer to restrict which encryption algorithms may be used for TLS (SSL) connections. See - the OpenSSL manual for a list of valid ciphers. This option is - only supported by the OpenLDAP libraries. + the OpenLDAP or Tivoli Directory Server manual for a list of valid + ciphers. This option is not supported by Netscape-derived + libraries. UUSSEE__SSAASSLL on/true/yes/off/false/no Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. @@ -747,4 +770,4 @@ DDIISSCCLLAAIIMMEERR -1.8.5 March 14, 2012 SUDOERS.LDAP(4) +1.8.6 June 29, 2012 SUDOERS.LDAP(4) diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 7ec639e9f..71b60a96e 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in 
@@ -1,4 +1,4 @@ -.\" Copyright (c) 2003-2011 +.\" Copyright (c) 2003-2012 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -405,8 +405,8 @@ section. Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not \fBsudo\fR\-specific. Note that -\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options -that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual. +\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options that +differ from those described in the system's \fIldap.conf\fR\|(@mansectform@) manual. .PP Also note that on systems using the OpenLDAP libraries, default values specified in \fI/etc/openldap/ldap.conf\fR or the user's 
@@ -425,9 +425,9 @@ the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple entries. Only systems using the OpenSSL libraries support the -mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived -libraries used on most commercial versions of Unix are only capable -of supporting one or the other. +mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. Both the Netscape-derived +and Tivoli \s-1LDAP\s0 libraries used on most commercial versions of Unix +are only capable of supporting one or the other. .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4 .IX Item "HOST name[:port] ..." If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a @@ -528,7 +528,8 @@ authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER is disabled, no check is made. Note that disabling the check creates an opportunity for man-in-the-middle attacks since the server's identity will not be authenticated. If possible, the \s-1CA\s0's certificate -should be installed locally so it can be verified. +should be installed locally so it can be verified. This option is +not supported by the Tivoli Directory Server \s-1LDAP\s0 libraries. .IP "\fB\s-1TLS_CACERT\s0\fR file name" 4 .IX Item "TLS_CACERT file name" An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility. @@ -560,6 +561,10 @@ OpenLDAP: Netscape-derived: \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR .Sp +Tivoli Directory Server: + Unused, the key database specified by \fB\s-1TLS_KEY\s0\fR contains both + keys and certificates. +.Sp When using Netscape-derived libraries, this file may also contain Certificate Authority certificates. .IP "\fB\s-1TLS_KEY\s0\fR file name" 4 
@@ -574,6 +579,23 @@ OpenLDAP: .Sp Netscape-derived: \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR +.Sp +Tivoli Directory Server: + \f(CW\*(C`tls_cert /usr/ldap/ldapkey.kdb\*(C'\fR +.Sp +When using Tivoli \s-1LDAP\s0 libraries, this file may also contain +Certificate Authority and client certificates and may be encrypted. +.IP "\fB\s-1TLS_KEYPW\s0\fR secret" 4 +.IX Item "TLS_KEYPW secret" +The \fB\s-1TLS_KEYPW\s0\fR contains the password used to decrypt the key +database on clients using the Tivoli Directory Server \s-1LDAP\s0 library. +If no \fB\s-1TLS_KEYPW\s0\fR is specified, a \fIstash file\fR will be used if +it exists. The \fIstash file\fR must have the same path as the file +specified by \fB\s-1TLS_KEY\s0\fR, but use a \f(CW\*(C`.sth\*(C'\fR file extension instead +of \f(CW\*(C`.kdb\*(C'\fR, e.g. \f(CW\*(C`ldapkey.sth\*(C'\fR. The default \f(CW\*(C`ldapkey.kdb\*(C'\fR that +ships with Tivoli Directory Server is encrypted with the password +\&\f(CW\*(C`ssl_password\*(C'\fR. This option is only supported by the Tivoli \s-1LDAP\s0 +libraries. .IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4 .IX Item "TLS_RANDFILE file name" The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy 
@@ -582,10 +604,10 @@ in conjunction with \fIprngd\fR or \fIegd\fR. This option is only supported by the OpenLDAP libraries. .IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4 .IX Item "TLS_CIPHERS cipher list" -The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict -which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. -See the OpenSSL manual for a list of valid ciphers. -This option is only supported by the OpenLDAP libraries. +The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict which +encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. See +the OpenLDAP or Tivoli Directory Server manual for a list of valid +ciphers. This option is not supported by Netscape-derived libraries. .IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4 .IX Item "USE_SASL on/true/yes/off/false/no" Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication. diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 6801a5740..565e5059a 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "March 28, 2012" "1.8.5" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -382,11 +382,11 @@ the underlying group provider plugin (see the \fIgroup_plugin\fR description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the following formats: .IP "\(bu" 4 -Group in the same domain: \*(L"Group Name\*(R" +Group in the same domain: \*(L"%:Group Name\*(R" .IP "\(bu" 4 -Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R" +Group in any domain: \*(L"%:Group Name@FULLY.QUALIFIED.DOMAIN\*(R" .IP "\(bu" 4 -Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R" +Group \s-1SID:\s0 \*(L"%:S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R" .PP Note that quotes around group names are optional. Unquoted strings must use a backslash (\e) to escape spaces and special characters. diff --git a/doc/sudoreplay.cat b/doc/sudoreplay.cat index 0f4816ed3..8fb58d8c3 100644 --- a/doc/sudoreplay.cat +++ b/doc/sudoreplay.cat @@ -261,4 +261,4 @@ DDIISSCCLLAAIIMMEERR -1.8.5 April 16, 2012 SUDOREPLAY(1m) +1.8.6 June 29, 2012 SUDOREPLAY(1m) diff --git a/doc/sudoreplay.man.in b/doc/sudoreplay.man.in index df52ebeb6..37b2e592c 100644 --- a/doc/sudoreplay.man.in +++ b/doc/sudoreplay.man.in @@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "April 16, 2012" "1.8.5" "MAINTENANCE COMMANDS" +.TH SUDOREPLAY @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/visudo.cat b/doc/visudo.cat index b1a4e99ad..b7b0d695c 100644 --- a/doc/visudo.cat +++ b/doc/visudo.cat @@ -151,4 +151,4 @@ DDIISSCCLLAAIIMMEERR -1.8.5 March 14, 2012 VISUDO(1m) +1.8.6 June 29, 2012 VISUDO(1m) diff --git a/doc/visudo.man.in b/doc/visudo.man.in index 20a1e110b..60718bb6e 100644 --- a/doc/visudo.man.in +++ b/doc/visudo.man.in 
@@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "June 29, 2012" "1.8.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l
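Review bot: The sentence added to TLS_CHECKPEER in doc/sudoers.ldap.cat (hunk @@ -379,7 +379,8 @@) and doc/sudoers.ldap.man.in (hunk @@ -528,7 +528,8 @@), "This option is not supported by the Tivoli Directory Server LDAP libraries", leaves the security-relevant question open: the preceding text warns that disabling the check creates an opportunity for man-in-the-middle attacks, so a reader on Tivoli needs to know whether those libraries always verify the server's certificate against the key database, never do, or control this elsewhere. Suggest stating which behaviour applies, not only that the sudo option is ignored.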
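Review bot: Style point in the Tivoli text added to TLS_CERT in doc/sudoers.ldap.cat (hunk @@ -410,6 +411,10 @@) and doc/sudoers.ldap.man.in (hunk @@ -560,6 +561,10 @@): "Unused, the key database specified by TLS_KEY contains both keys and certificates." is a comma splice; "Unused; the key database specified by TLS_KEY contains both keys and certificates." (or "Unused. The key database ...") reads as two statements, which is what is meant.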
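Review bot: The Tivoli example added under TLS_KEY in doc/sudoers.ldap.cat (hunk @@ -425,6 +430,23 @@) and doc/sudoers.ldap.man.in (hunk @@ -574,6 +579,23 @@) uses the wrong keyword: `tls_cert /usr/ldap/ldapkey.kdb` sits in the TLS_KEY entry, while the TLS_CERT entry in this same patch says the Tivoli libraries leave tls_cert unused and take the key database from TLS_KEY. It should read `tls_key /usr/ldap/ldapkey.kdb` (and `\f(CW\*(C`tls_key /usr/ldap/ldapkey.kdb\*(C'\fR` in the roff source); as written, an administrator who copies the example gets a setting the text two entries earlier says is ignored. Since the subject is "Regen", the correction belongs in the source these files are generated from. Two smaller points in the same hunk: "The TLS_KEYPW contains the password" should be "The TLS_KEYPW parameter contains the password"; and because the hunk documents that the shipped ldapkey.kdb is encrypted with the well-known password ssl_password and TLS_KEYPW places that password in ldap.conf, which the DESCRIPTION says is typically shared amongst different LDAP-aware clients, the entry should advise changing the default password and restricting read access to ldap.conf and the .sth stash file.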
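Review bot: While rewrapping the TLS_CIPHERS paragraph in doc/sudoers.ldap.cat (hunk @@ -434,8 +456,9 @@) and doc/sudoers.ldap.man.in (hunk @@ -582,10 +604,10 @@), the typo "administer" (for "administrator") is carried over unchanged into the + lines; since the line is being rewritten anyway, fix it to "allows the administrator to restrict which encryption algorithms may be used" here rather than in a later pass.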