From: Todd C. Miller Date: Thu, 10 Jun 2010 21:41:55 +0000 (-0400) Subject: regen X-Git-Tag: SUDO_1_7_3~85 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4bedca52c372563b2bdf571c496f066dd80118cd;p=sudo regen --HG-- branch : 1.7 --- diff --git a/sudo.cat b/sudo.cat index 0134625af..92cab9dfb 100644 --- a/sudo.cat +++ b/sudo.cat @@ -33,17 +33,18 @@ DDEESSCCRRIIPPTTIIOONN password is required. Otherwise, ssuuddoo requires that users authenticate themselves with a password by default (NOTE: in the default configuration this is the user's password, not the root password). - Once a user has been authenticated, a timestamp is updated and the user - may then use sudo without a password for a short period of time (5 + Once a user has been authenticated, a time stamp is updated and the + user may then use sudo without a password for a short period of time (5 minutes unless overridden in _s_u_d_o_e_r_s). When invoked as ssuuddooeeddiitt, the --ee option (described below), is implied. ssuuddoo determines who is an authorized user by consulting the file _/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update - the time stamp without running a _c_o_m_m_a_n_d. The password prompt itself - will also time out if the user's password is not entered within 5 - minutes (unless overridden via _s_u_d_o_e_r_s). + the time stamp without running a _c_o_m_m_a_n_d. If a password is required, + ssuuddoo will exit if the user's password is not entered within a + configurable time limit. The default password prompt timeout is 5 + minutes. If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command via ssuuddoo, mail is sent to the proper authorities, as defined at @@ -57,11 +58,10 @@ DDEESSCCRRIIPPTTIIOONN be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the --ee option to remain useful even when being run via a sudo-run script or program. Note however, that - the sudoers lookup is still done for root, not the user specified by -1.7.3b2 June 3, 2010 1 +1.7.3b3 June 10, 2010 1 @@ -70,6 +70,7 @@ DDEESSCCRRIIPPTTIIOONN SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + the sudoers lookup is still done for root, not the user specified by SUDO_USER. ssuuddoo can log both successful and unsuccessful attempts (as well as @@ -123,11 +124,10 @@ OOPPTTIIOONNSS with BSD login classes. -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the - _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when -1.7.3b2 June 3, 2010 2 +1.7.3b3 June 10, 2010 2 @@ -136,6 +136,7 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when either the matching command has the SETENV tag or the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). @@ -189,11 +190,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) specified in the _p_a_s_s_w_d(4) entry of the target user as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a - command is specified, it is passed to the shell for -1.7.3b2 June 3, 2010 3 +1.7.3b3 June 10, 2010 3 @@ -202,6 +202,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. ssuuddoo attempts to change to that user's home directory before running the shell. It also initializes the @@ -211,12 +212,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) other environment variables are removed. -K The --KK (sure _k_i_l_l) option is like --kk except that it removes - the user's timestamp entirely and may not be used in + the user's time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password. -k When used by itself, the --kk (_k_i_l_l) option to ssuuddoo - invalidates the user's timestamp by setting the time on it + invalidates the user's time stamp by setting the time on it to the Epoch. The next time ssuuddoo is run a password will be required. This option does not require a password and was added to allow a user to revoke ssuuddoo permissions from a @@ -224,9 +225,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) When used in conjunction with a command or an option that may require a password, the --kk option will cause ssuuddoo to - ignore the user's timestamp file. As a result, ssuuddoo will + ignore the user's time stamp file. As a result, ssuuddoo will prompt for a password (if one is required by _s_u_d_o_e_r_s) and - will not update the user's timestamp file. + will not update the user's time stamp file. -L The --LL (_l_i_s_t defaults) option will list the parameters that may be set in a _D_e_f_a_u_l_t_s line along with a short @@ -258,8 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - -1.7.3b2 June 3, 2010 4 +1.7.3b3 June 10, 2010 4 @@ -325,7 +325,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.3b2 June 3, 2010 5 +1.7.3b3 June 10, 2010 5 @@ -337,7 +337,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) addresses. -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the - user's timestamp, prompting for the user's password if + user's time stamp, prompting for the user's password if necessary. This extends the ssuuddoo timeout for another 5 minutes (or whatever the timeout is set to in _s_u_d_o_e_r_s) but does not run a command. @@ -391,7 +391,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.7.3b2 June 3, 2010 6 +1.7.3b3 June 10, 2010 6 @@ -418,26 +418,27 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) environment variable is _n_o_t modified and is passed unchanged to the program that ssuuddoo executes. - ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o - by default) and ignore the directory's contents if it is not owned by - root or if it is writable by a user other than root. On systems that - allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp - directory is located in a directory writable by anyone (e.g., _/_t_m_p), it - is possible for a user to create the timestamp directory before ssuuddoo is - run. However, because ssuuddoo checks the ownership and mode of the - directory and its contents, the only damage that can be done is to - "hide" files by putting them in the timestamp dir. This is unlikely to - happen since once the timestamp dir is owned by root and inaccessible - by any other user, the user placing files there would be unable to get - them back out. To get around this issue you can use a directory that - is not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) - or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and - permissions (0700) in the system startup files. - - ssuuddoo will not honor timestamps set far in the future. Timestamps with + ssuuddoo will check the ownership of its time stamp directory + (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's contents if it is + not owned by root or if it is writable by a user other than root. On + systems that allow non-root users to give away files via _c_h_o_w_n(2), if + the time stamp directory is located in a directory writable by anyone + (e.g., _/_t_m_p), it is possible for a user to create the time stamp + directory before ssuuddoo is run. However, because ssuuddoo checks the + ownership and mode of the directory and its contents, the only damage + that can be done is to "hide" files by putting them in the time stamp + dir. This is unlikely to happen since once the time stamp dir is owned + by root and inaccessible by any other user, the user placing files + there would be unable to get them back out. To get around this issue + you can use a directory that is not world-writable for the time stamps + (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or create _/_v_a_r_/_r_u_n_/_s_u_d_o with the + appropriate owner (root) and permissions (0700) in the system startup + files. + + ssuuddoo will not honor time stamps set far in the future. Timestamps with a date greater than current_time + 2 * TIMEOUT will be ignored and sudo will log and complain. This is done to keep a user from creating - his/her own timestamp with a bogus date on systems that allow users to + his/her own time stamp with a bogus date on systems that allow users to give away files. On systems where the boot time is available, ssuuddoo will also not honor @@ -453,11 +454,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) session. On Linux systems where the devpts filesystem is used, Solaris systems with the devices filesystem, as well as other systems that utilize a devfs filesystem that monotonically increase the inode number - of devices as they are created (such as Mac OS X), ssuuddoo is able to -1.7.3b2 June 3, 2010 7 +1.7.3b3 June 10, 2010 7 @@ -466,6 +466,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + of devices as they are created (such as Mac OS X), ssuuddoo is able to determine when a tty-based time stamp file is stale and will ignore it. Administrators should not rely on this feature as it is not universally available. @@ -522,8 +523,7 @@ EENNVVIIRROONNMMEENNTT - -1.7.3b2 June 3, 2010 8 +1.7.3b3 June 10, 2010 8 @@ -535,7 +535,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) FFIILLEESS _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps + _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing time stamps _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and AIX @@ -589,7 +589,7 @@ AAUUTTHHOORRSS -1.7.3b2 June 3, 2010 9 +1.7.3b3 June 10, 2010 9 @@ -655,6 +655,6 @@ DDIISSCCLLAAIIMMEERR -1.7.3b2 June 3, 2010 10 +1.7.3b3 June 10, 2010 10 diff --git a/sudo.man.in b/sudo.man.in index 5d4f0d1fa..c3d8425e8 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -18,6 +18,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PT @password_timeout@ +.\" .\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: @@ -144,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "June 3, 2010" "1.7.3b2" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 10, 2010" "1.7.3b3" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -156,28 +161,28 @@ sudo, sudoedit \- execute a command as another user \&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR .PP \&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] .PP \&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR] .PP \&\fBsudo\fR [\fB\-AbEHnPS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] -@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] +.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR] .PP \&\fBsudoedit\fR [\fB\-AnS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] -@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ... .SH "DESCRIPTION" @@ -192,7 +197,7 @@ the same as the invoking user, no password is required. Otherwise, \&\fBsudo\fR requires that users authenticate themselves with a password by default (\s-1NOTE:\s0 in the default configuration this is the user's password, not the root password). Once a user has been authenticated, -a timestamp is updated and the user may then use sudo without a +a time stamp is updated and the user may then use sudo without a password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden in \fIsudoers\fR). .PP @@ -201,10 +206,12 @@ is implied. .PP \&\fBsudo\fR determines who is an authorized user by consulting the file \&\fI@sysconfdir@/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option, -a user can update the time stamp without running a \fIcommand\fR. The -password prompt itself will also time out if the user's password -is not entered within \f(CW\*(C`@password_timeout@\*(C'\fR minutes (unless overridden -via \fIsudoers\fR). +a user can update the time stamp without running a \fIcommand\fR. If +a password is required, \fBsudo\fR will exit if the user's password +is not entered within a configurable time limit. The default +password prompt timeout is +.ie \n(PT \f(CW\*(C`@password_timeout@\*(C'\fR minutes. +.el unlimited. .PP If a user who is not listed in the \fIsudoers\fR file tries to run a command via \fBsudo\fR, mail is sent to the proper authorities, as @@ -238,14 +245,16 @@ user's password and output the password to the standard output. If the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path to the helper program. Otherwise, the value specified by the \&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used. -@BAMAN@.IP "\-a \fItype\fR" 12 -@BAMAN@.IX Item "-a type" -@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the -@BAMAN@specified authentication type when validating the user, as allowed -@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list -@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" -@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems -@BAMAN@that support \s-1BSD\s0 authentication. +.if \n(BA \{\ +.IP "\-a \fItype\fR" 12 +.IX Item "-a type" +The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the +specified authentication type when validating the user, as allowed +by \fI/etc/login.conf\fR. The system administrator may specify a list +of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" +entry in \fI/etc/login.conf\fR. This option is only available on systems +that support \s-1BSD\s0 authentication. +\} .IP "\-b" 12 .IX Item "-b" The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given @@ -260,17 +269,19 @@ above the standard error (file descriptor three). Values less than three are not permitted. This option is only available if the administrator has enabled the \fIclosefrom_override\fR option in \&\fIsudoers\fR\|(@mansectform@). -@LCMAN@.IP "\-c \fIclass\fR" 12 -@LCMAN@.IX Item "-c class" -@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command -@LCMAN@with resources limited by the specified login class. The \fIclass\fR -@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR, -@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates -@LCMAN@that the command should be run restricted by the default login -@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR -@LCMAN@argument specifies an existing user class, the command must be run -@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already -@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes. +.if \n(LC \{\ +.IP "\-c \fIclass\fR" 12 +.IX Item "-c class" +The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command +with resources limited by the specified login class. The \fIclass\fR +argument can be either a class name as defined in \fI/etc/login.conf\fR, +or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates +that the command should be run restricted by the default login +capabilities for the user the command is run as. If the \fIclass\fR +argument specifies an existing user class, the command must be run +as root, or the \fBsudo\fR command must be run from a shell that is already +root. This option is only available on systems with \s-1BSD\s0 login classes. +\} .IP "\-E" 12 .IX Item "-E" The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the @@ -342,22 +353,22 @@ All other environment variables are removed. .IP "\-K" 12 .IX Item "-K" The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes -the user's timestamp entirely and may not be used in conjunction +the user's time stamp entirely and may not be used in conjunction with a command or other option. This option does not require a password. .IP "\-k" 12 .IX Item "-k" When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates -the user's timestamp by setting the time on it to the Epoch. The +the user's time stamp by setting the time on it to the Epoch. The next time \fBsudo\fR is run a password will be required. This option does not require a password and was added to allow a user to revoke \&\fBsudo\fR permissions from a .logout file. .Sp When used in conjunction with a command or an option that may require a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's -timestamp file. As a result, \fBsudo\fR will prompt for a password +time stamp file. As a result, \fBsudo\fR will prompt for a password (if one is required by \fIsudoers\fR) and will not update the user's -timestamp file. +time stamp file. .IP "\-L" 12 .IX Item "-L" The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that @@ -427,10 +438,12 @@ The prompt specified by the \fB\-p\fR option will override the system password prompt on systems that support \s-1PAM\s0 unless the \&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. .RE -@SEMAN@.IP "\-r \fIrole\fR" 12 -@SEMAN@.IX Item "-r role" -@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to -@SEMAN@have the role specified by \fIrole\fR. +.if \n(SL \{\ +.IP "\-r \fIrole\fR" 12 +.IX Item "-r role" +The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to +have the role specified by \fIrole\fR. +\} .IP "\-S" 12 .IX Item "-S" The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from @@ -442,11 +455,13 @@ The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\ environment variable if it is set or the shell as specified in \&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. -@SEMAN@.IP "\-t \fItype\fR" 12 -@SEMAN@.IX Item "-t type" -@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to -@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default -@SEMAN@type is derived from the specified role. +.if \n(SL \{\ +.IP "\-t \fItype\fR" 12 +.IX Item "-t type" +The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to +have the type specified by \fItype\fR. If no type is specified, the default +type is derived from the specified role. +\} .IP "\-U \fIuser\fR" 12 .IX Item "-U user" The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR @@ -471,7 +486,7 @@ with as well as the machine's local network addresses. .IP "\-v" 12 .IX Item "-v" If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the -user's timestamp, prompting for the user's password if necessary. +user's time stamp, prompting for the user's password if necessary. This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes (or whatever the timeout is set to in \fIsudoers\fR) but does not run a command. @@ -541,27 +556,27 @@ current directory) last when searching for a command in the user's actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed unchanged to the program that \fBsudo\fR executes. .PP -\&\fBsudo\fR will check the ownership of its timestamp directory +\&\fBsudo\fR will check the ownership of its time stamp directory (\fI@timedir@\fR by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On systems that allow non-root users to give away files via -\&\fIchown\fR\|(2), if the timestamp directory is located in a directory +\&\fIchown\fR\|(2), if the time stamp directory is located in a directory writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to -create the timestamp directory before \fBsudo\fR is run. However, +create the time stamp directory before \fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and mode of the directory and its contents, the only damage that can be done is to \*(L"hide\*(R" files -by putting them in the timestamp dir. This is unlikely to happen -since once the timestamp dir is owned by root and inaccessible by +by putting them in the time stamp dir. This is unlikely to happen +since once the time stamp dir is owned by root and inaccessible by any other user, the user placing files there would be unable to get them back out. To get around this issue you can use a directory -that is not world-writable for the timestamps (\fI/var/adm/sudo\fR for +that is not world-writable for the time stamps (\fI/var/adm/sudo\fR for instance) or create \fI@timedir@\fR with the appropriate owner (root) and permissions (0700) in the system startup files. .PP -\&\fBsudo\fR will not honor timestamps set far in the future. +\&\fBsudo\fR will not honor time stamps set far in the future. Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will be ignored and sudo will log and complain. This is done to -keep a user from creating his/her own timestamp with a bogus +keep a user from creating his/her own time stamp with a bogus date on systems that allow users to give away files. .PP On systems where the boot time is available, \fBsudo\fR will also not @@ -664,7 +679,7 @@ List of who can run what .ie n .IP "\fI@timedir@\fR" 24 .el .IP "\fI@timedir@\fR" 24 .IX Item "@timedir@" -Directory containing timestamps +Directory containing time stamps .IP "\fI/etc/environment\fR" 24 .IX Item "/etc/environment" Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0 @@ -719,7 +734,7 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), -@LCMAN@\&\fIlogin_cap\fR\|(3), +.if \n(LC \&\fIlogin_cap\fR\|(3), \&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@) .SH "AUTHORS" .IX Header "AUTHORS" diff --git a/sudoers.cat b/sudoers.cat index 9594d1feb..667c0682d 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.3b3 June 8, 2010 1 +1.7.3b3 June 10, 2010 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 2 +1.7.3b3 June 10, 2010 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 3 +1.7.3b3 June 10, 2010 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 4 +1.7.3b3 June 10, 2010 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 5 +1.7.3b3 June 10, 2010 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 6 +1.7.3b3 June 10, 2010 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 7 +1.7.3b3 June 10, 2010 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 8 +1.7.3b3 June 10, 2010 8 @@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.7.3b3 June 8, 2010 9 +1.7.3b3 June 10, 2010 9 @@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 10 +1.7.3b3 June 10, 2010 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 11 +1.7.3b3 June 10, 2010 11 @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 12 +1.7.3b3 June 10, 2010 12 @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 13 +1.7.3b3 June 10, 2010 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 14 +1.7.3b3 June 10, 2010 14 @@ -978,14 +978,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the option to disable word wrap). passwd_timeout Number of minutes before the ssuuddoo password prompt times - out. The timeout may include a fractional component if - minute granularity is insufficient, for example 2.5. - The default is 5; set this to 0 for no password - timeout. + out, or 0 for no timeout. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. + -1.7.3b3 June 8, 2010 15 +1.7.3b3 June 10, 2010 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 16 +1.7.3b3 June 10, 2010 16 @@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 17 +1.7.3b3 June 10, 2010 17 @@ -1183,7 +1183,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 18 +1.7.3b3 June 10, 2010 18 @@ -1249,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 19 +1.7.3b3 June 10, 2010 19 @@ -1315,7 +1315,7 @@ EEXXAAMMPPLLEESS -1.7.3b3 June 8, 2010 20 +1.7.3b3 June 10, 2010 20 @@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 21 +1.7.3b3 June 10, 2010 21 @@ -1447,7 +1447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 22 +1.7.3b3 June 10, 2010 22 @@ -1513,7 +1513,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.3b3 June 8, 2010 23 +1.7.3b3 June 10, 2010 23 @@ -1579,7 +1579,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS -1.7.3b3 June 8, 2010 24 +1.7.3b3 June 10, 2010 24 @@ -1645,7 +1645,7 @@ CCAAVVEEAATTSS -1.7.3b3 June 8, 2010 25 +1.7.3b3 June 10, 2010 25 @@ -1711,6 +1711,6 @@ DDIISSCCLLAAIIMMEERR -1.7.3b3 June 8, 2010 26 +1.7.3b3 June 10, 2010 26 diff --git a/sudoers.man.in b/sudoers.man.in index 5b576477d..eb91d320e 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "June 8, 2010" "1.7.3b3" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "June 10, 2010" "1.7.3b3" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -1058,10 +1058,10 @@ effect on the syslog log file, only the file log. The default is \&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap). .IP "passwd_timeout" 16 .IX Item "passwd_timeout" -Number of minutes before the \fBsudo\fR password prompt times out. -The timeout may include a fractional component if minute granularity -is insufficient, for example \f(CW2.5\fR. The default is \f(CW\*(C`@password_timeout@\*(C'\fR; -set this to \f(CW0\fR for no password timeout. +Number of minutes before the \fBsudo\fR password prompt times out, or +\&\f(CW0\fR for no timeout. The timeout may include a fractional component +if minute granularity is insufficient, for example \f(CW2.5\fR. The +default is \f(CW\*(C`@password_timeout@\*(C'\fR. .IP "timestamp_timeout" 16 .IX Item "timestamp_timeout" Number of minutes that can elapse before \fBsudo\fR will ask for a