From: Todd C. Miller Date: Tue, 12 Oct 1999 00:05:39 +0000 (+0000) Subject: document -L flag X-Git-Tag: SUDO_1_6_0~36 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=421aca163ccea6606ad2a887b43ef27844f7142c;p=sudo document -L flag --- diff --git a/sudo.cat b/sudo.cat index 8929dac4d..639a88cf8 100644 --- a/sudo.cat +++ b/sudo.cat @@ -8,8 +8,8 @@ NNNNAAAAMMMMEEEE sudo - execute a command as another user SSSSYYYYNNNNOOOOPPPPSSSSIIIISSSS - ssssuuuuddddoooo ----VVVV | ----hhhh | ----llll | ----vvvv | ----kkkk | ----KKKK | ----ssss | ----HHHH | [ ----bbbb ] | [ ----rrrr - realm ] | [ ----pppp prompt ] [ ----uuuu username/#uid] _c_o_m_m_a_n_d + ssssuuuuddddoooo ----VVVV | ----hhhh | ----llll | ----LLLL | ----vvvv | ----kkkk | ----KKKK | ----ssss | ----HHHH | [ ----bbbb ] | + [ ----rrrr realm ] | [ ----pppp prompt ] [ ----uuuu username/#uid] _c_o_m_m_a_n_d DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN ssssuuuuddddoooo allows a permitted user to execute a _c_o_m_m_a_n_d as the @@ -48,20 +48,20 @@ OOOOPPPPTTTTIIIIOOOONNNNSSSS -l The -l (_l_i_s_t) option will list out the allowed (and forbidden) commands for the user on the current host. + -L The -L (_l_i_s_t defaults) option will list out the + parameters that may be set in a _D_e_f_a_u_l_t_s line along + with a short description for each. This option is + useful in conjunction with _g_r_e_p(1). + -h The -h (_h_e_l_p) option causes ssssuuuuddddoooo to print a usage message and exit. -v If given the -v (_v_a_l_i_d_a_t_e) option, ssssuuuuddddoooo will update the user's timestamp, prompting for the user's - password if necessary. This extends the ssssuuuuddddoooo timeout - to for another N minutes (where N is defined at - installation time and defaults to 5 minutes) but does - not run a command. - -25/Aug/1999 1.6 1 +11/Oct/1999 1.6 1 
@@ -70,6 +70,11 @@ OOOOPPPPTTTTIIIIOOOONNNNSSSS SUDO(8) MAINTENANCE COMMANDS SUDO(8) + password if necessary. This extends the ssssuuuuddddoooo timeout + to for another N minutes (where N is defined at + installation time and defaults to 5 minutes) but does + not run a command. + -k The -k (_k_i_l_l) option to ssssuuuuddddoooo invalidates the user's timestamp by setting the time on it to the epoch. The next time ssssuuuuddddoooo is run a password will be required. @@ -119,15 +124,10 @@ RRRREEEETTTTUUUURRRRNNNN VVVVAAAALLLLUUUUEEEES ssssuuuuddddoooo quits with an exit value of 1 if there is a configuration/permission problem or if ssssuuuuddddoooo cannot execute the given command. In the latter case the error string is - printed to stderr. If ssssuuuuddddoooo cannot _s_t_a_t(2) one or more - entries in the user's PATH an error is printed on stderr. - (If the directory does not exist or if it is not really a - directory, the entry is ignored and no error is printed.) - This should not happen under normal circumstances. The -25/Aug/1999 1.6 2 +11/Oct/1999 1.6 2 @@ -136,6 +136,11 @@ RRRREEEETTTTUUUURRRRNNNN VVVVAAAALLLLUUUUEEEES SUDO(8) MAINTENANCE COMMANDS SUDO(8) + printed to stderr. If ssssuuuuddddoooo cannot _s_t_a_t(2) one or more + entries in the user's PATH an error is printed on stderr. + (If the directory does not exist or if it is not really a + directory, the entry is ignored and no error is printed.) + This should not happen under normal circumstances. The most common reason for _s_t_a_t(2) to return "permission denied" is if you are running an automounter and one of the directories in your PATH is on a machine that is 
@@ -185,15 +190,10 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE (root) and permissions (0700) in the system startup files. ssssuuuuddddoooo will not honor timestamps set far in the future. - Timestamps with a date greater than current_time + 2 * - TIMEOUT will be ignored and sudo will log and complain. - This is done to keep a user from creating his/her own - timestamp with a bogus date on system that allow users to - give away files. -25/Aug/1999 1.6 3 +11/Oct/1999 1.6 3 @@ -202,6 +202,12 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE SUDO(8) MAINTENANCE COMMANDS SUDO(8) + Timestamps with a date greater than current_time + 2 * + TIMEOUT will be ignored and sudo will log and complain. + This is done to keep a user from creating his/her own + timestamp with a bogus date on system that allow users to + give away files. + EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS Note: the following examples assume suitable _s_u_d_o_e_r_s(5) entries. @@ -249,24 +255,24 @@ EEEENNNNVVVVIIIIRRRROOOONNNNMMMMEEEENNNNTTTT SUDO_PS1 If set, PS1 will be set to its value -FFFFIIIILLLLEEEESSSS - /etc/sudoers List of who can run what - /var/run/sudo Directory containing timestamps - ssssuuuuddddoooo utilizes the following environment variables: +11/Oct/1999 1.6 4 -25/Aug/1999 1.6 4 +SUDO(8) MAINTENANCE COMMANDS SUDO(8) -SUDO(8) MAINTENANCE COMMANDS SUDO(8) +FFFFIIIILLLLEEEESSSS + /etc/sudoers List of who can run what + /var/run/sudo Directory containing timestamps + ssssuuuuddddoooo utilizes the following environment variables: PATH Set to a sane value if SECURE_PATH is set SHELL Used to determine shell to run with -s option 
@@ -316,16 +322,10 @@ CCCCAAAAVVVVEEEEAAAATTTTSSSS shell if that user has access to commands allowing shell escapes. - If users have sudo ALL there is nothing to prevent them - from creating their own program that gives them a root - shell regardless of any '!' elements in the user - specification. - - Running shell scripts via ssssuuuuddddoooo can expose the same kernel -25/Aug/1999 1.6 5 +11/Oct/1999 1.6 5 @@ -334,6 +334,12 @@ CCCCAAAAVVVVEEEEAAAATTTTSSSS SUDO(8) MAINTENANCE COMMANDS SUDO(8) + If users have sudo ALL there is nothing to prevent them + from creating their own program that gives them a root + shell regardless of any '!' elements in the user + specification. + + Running shell scripts via ssssuuuuddddoooo can expose the same kernel bugs that make setuid shell scripts unsafe on some operating systems (if your OS supports the /dev/fd/ directory, setuid shell scripts are generally safe). @@ -385,12 +391,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO - - - - - - -25/Aug/1999 1.6 6 +11/Oct/1999 1.6 6 diff --git a/sudo.html b/sudo.html index 38ba8a4ed..cd9001e0f 100644 --- a/sudo.html +++ b/sudo.html @@ -39,7 +39,7 @@ sudo - execute a command as another user

SYNOPSIS

-sudo -V | -h | -l | -v | -k | -K | -s | -H | [ -b ] | [ -r realm ] | [ -p prompt ] [ -u username/#uid] command +sudo -V | -h | -l | -L | -v | -k | -K | -s | -H | [ -b ] | [ -r realm ] | [ -p prompt ] [ -u username/#uid] command @@ -86,6 +86,11 @@ The -V (version) option causes sudo to pr The -l (list) option will list out the allowed (and forbidden) commands for the user on the current host. +

-L
+

+The -L (list defaults) option will list out the parameters that may be set in a Defaults line along with a short description for each. This option is useful in +conjunction with grep(1). +

-h

The -h (help) option causes sudo to print a usage message and exit. diff --git a/sudo.man b/sudo.man index a1b65b21d..d6ca9bd12 100644 --- a/sudo.man +++ b/sudo.man @@ -2,8 +2,8 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.36 1999/08/26 09:10:11 millert -''' rename "ENVIRONMENT VARIABLES" section to "ENVIRONMENT" to be more standard and add "EXAMPLES" section +''' Revision 1.37 1999/10/12 00:05:39 millert +''' document -L flag ''' ''' .de Sh @@ -96,7 +96,7 @@ .nr % 0 .rr F .\} -.TH SUDO 8 "1.6" "25/Aug/1999" "MAINTENANCE COMMANDS" +.TH SUDO 8 "1.6" "11/Oct/1999" "MAINTENANCE COMMANDS" .UC .if n .hy 0 .if n .na @@ -193,7 +193,7 @@ .SH "NAME" sudo \- execute a command as another user .SH "SYNOPSIS" -\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR | \fB\-H\fR | +\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR | \fB\-H\fR | [ \fB\-b\fR ] | [ \fB\-r\fR realm ] | [ \fB\-p\fR prompt ] [ \fB\-u\fR username/#uid] \fIcommand\fR .SH "DESCRIPTION" \fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the @@ -227,6 +227,10 @@ version number and exit. .Ip "-l" 4 The \f(CW-l\fR (\fIlist\fR) option will list out the allowed (and forbidden) commands for the user on the current host. +.Ip "-L" 4 +The \f(CW-L\fR (\fIlist\fR defaults) option will list out the parameters +that may be set in a \fIDefaults\fR line along with a short description +for each. This option is useful in conjunction with \fIgrep\fR\|(1). .Ip "-h" 4 The \f(CW-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. .Ip "-v" 4 @@ -459,6 +463,8 @@ are generally safe). .IX Item "-l" +.IX Item "-L" + .IX Item "-h" .IX Item "-v" diff --git a/sudo.pod b/sudo.pod index 9a522d8df..c0f4708e1 100644 --- a/sudo.pod +++ b/sudo.pod 
@@ -41,7 +41,7 @@ sudo - execute a command as another user =head1 SYNOPSIS -B B<-V> | B<-h> | B<-l> | B<-v> | B<-k> | B<-K> | B<-s> | B<-H> | +B B<-V> | B<-h> | B<-l> | B<-L> | B<-v> | B<-k> | B<-K> | B<-s> | B<-H> | [ B<-b> ] | [ B<-r> realm ] | [ B<-p> prompt ] [ B<-u> username/#uid] I =head1 DESCRIPTION @@ -86,6 +86,12 @@ version number and exit. The C<-l> (I) option will list out the allowed (and forbidden) commands for the user on the current host. +=item -L + +The C<-L> (I defaults) option will list out the parameters +that may be set in a I line along with a short description +for each. This option is useful in conjunction with grep(1). + =item -h The C<-h> (I) option causes B to print a usage message and exit.
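
Review bot: The new `-L` item (sudo.pod @@ -86,6 +86,12, repeated in sudo.man, sudo.html and sudo.cat) does not say whether the option prompts for a password or requires a sudoers entry, and "useful in conjunction with grep(1)" gives no hint of the output format. The neighbouring `-v` text is explicit about prompting, so add one sentence on authentication behaviour here, plus a short usage line such as `sudo -L | grep <keyword>` so readers see what the grep remark means.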
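
Review bot: In sudo.man @@ -227,6 +227,10 the mnemonic is marked up as `(\fIlist\fR defaults)`, so only "list" is italicised and `-L` renders with the same emphasised mnemonic as `-l` (`(\fIlist\fR)`). sudo.cat shows the same result, `(_l_i_s_t defaults)`. Put the whole phrase "list defaults" inside the italic span so the two options are distinguishable at a glance.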
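
Review bot: The `-v` paragraph moved across the page break in sudo.cat (@@ -48,20 +48,20 and @@ -70,6 +70,11) still reads "This extends the sudo timeout to for another N minutes". Since every formatted copy of the page is being regenerated in this change, drop the stray "to" wherever this text is maintained so the corrected wording reaches all of them. The SECURITY NOTES paragraph moved in @@ -202,6 +202,12 has a similar slip, "on system that allow users", which should read "systems".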
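
Review bot: In the sudo.man header hunk (@@ -2,8 +2,8) the `$Log$` comment block replaces the Revision 1.36 entry with Revision 1.37 instead of adding to it, so the file only ever records the most recent log message. If the history is meant to be kept, the 1.36 lines should stay below the new entry; if not, consider dropping the `$Log$` block from this file so each commit does not produce an unrelated header diff.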