From: Todd C. Miller Date: Sat, 9 Apr 2011 15:28:47 +0000 (-0400) Subject: regen for 1.7.6 X-Git-Tag: SUDO_1_7_6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=581fa192e4301b8eac3052dad5e86c9c790165bd;p=sudo regen for 1.7.6 --HG-- branch : 1.7 --- diff --git a/configure b/configure index 0949eefad..ba0440abc 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.65 for sudo 1.7.6rc2. +# Generated by GNU Autoconf 2.65 for sudo 1.7.6. # # Report bugs to . # @@ -701,8 +701,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.7.6rc2' -PACKAGE_STRING='sudo 1.7.6rc2' +PACKAGE_VERSION='1.7.6' +PACKAGE_STRING='sudo 1.7.6' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1559,7 +1559,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.7.6rc2 to adapt to many kinds of systems. +\`configure' configures sudo 1.7.6 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1624,7 +1624,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.7.6rc2:";; + short | recursive ) echo "Configuration of sudo 1.7.6:";; esac cat <<\_ACEOF @@ -1839,7 +1839,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.7.6rc2 +sudo configure 1.7.6 generated by GNU Autoconf 2.65 Copyright (C) 2009 Free Software Foundation, Inc. @@ -2538,7 +2538,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.7.6rc2, which was +It was created by sudo $as_me 1.7.6, which was generated by GNU Autoconf 2.65. Invocation command line was $ $0 $@ @@ -19321,7 +19321,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.7.6rc2, which was +This file was extended by sudo $as_me 1.7.6, which was generated by GNU Autoconf 2.65. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19387,7 +19387,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.7.6rc2 +sudo config.status 1.7.6 configured by $0, generated by GNU Autoconf 2.65, with options \\"\$ac_cs_config\\" diff --git a/configure.in b/configure.in index f3817d0bd..8c88740f4 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script. dnl dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller dnl -AC_INIT([sudo], [1.7.6rc2], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.7.6], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h) dnl dnl Note: this must come after AC_INIT diff --git a/sudo.cat b/sudo.cat index a2c9f9124..4cee4867d 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.6rc2 April 9, 2011 1 +1.7.6 April 9, 2011 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.7.6rc2 April 9, 2011 2 +1.7.6 April 9, 2011 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.6rc2 April 9, 2011 3 +1.7.6 April 9, 2011 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.6rc2 April 9, 2011 4 +1.7.6 April 9, 2011 4 @@ -325,7 +325,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.6rc2 April 9, 2011 5 +1.7.6 April 9, 2011 5 @@ -391,7 +391,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.7.6rc2 April 9, 2011 6 +1.7.6 April 9, 2011 6 @@ -457,7 +457,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.6rc2 April 9, 2011 7 +1.7.6 April 9, 2011 7 @@ -523,7 +523,7 @@ EENNVVIIRROONNMMEENNTT -1.7.6rc2 April 9, 2011 8 +1.7.6 April 9, 2011 8 @@ -589,7 +589,7 @@ EEXXAAMMPPLLEESS -1.7.6rc2 April 9, 2011 9 +1.7.6 April 9, 2011 9 @@ -655,6 +655,6 @@ DDIISSCCLLAAIIMMEERR -1.7.6rc2 April 9, 2011 10 +1.7.6 April 9, 2011 10 diff --git a/sudo.man.in b/sudo.man.in index 5032f7adf..09f1508b4 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "April 9, 2011" "1.7.6rc2" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/sudoers.cat b/sudoers.cat index 40b209583..2a7a521ce 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5rc1 February 21, 2011 1 +1.7.6 April 9, 2011 1 @@ -93,25 +93,31 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) User ',' User_List User ::= '!'* user name | - '!'* '#'uid | - '!'* '%'group | - '!'* '+'netgroup | - '!'* '%:'nonunix_group | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | '!'* User_Alias - A User_List is made up of one or more user names, uids (prefixed with - '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') - and User_Aliases. Each list item may be prefixed with zero or more '!' - operators. An odd number of '!' operators negate the value of the - item; an even number just cancel each other out. + A User_List is made up of one or more user names, user ids (prefixed + with '#'), system group names and ids (prefixed with '%' and '%#' + respectively), netgroups (prefixed with '+'), non-Unix group names and + IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each + list item may be prefixed with zero or more '!' operators. An odd + number of '!' operators negate the value of the item; an even number + just cancel each other out. - A user name, group, netgroup or nonunix_group may be enclosed in double - quotes to avoid the need for escaping special characters. Alternately, - special characters may be specified in escaped hex mode, e.g. \x20 for - space. + A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid + may be enclosed in double quotes to avoid the need for escaping special + characters. Alternately, special characters may be specified in + escaped hex mode, e.g. \x20 for space. When using double quotes, any + prefix characters must be included inside the quotes. - The nonunix_group syntax depends on the underlying implementation. For - instance, the QAS AD backend supports the following formats: + The nonunix_group and nonunix_gid syntax depends on the underlying + implementation. For instance, the QAS AD backend supports the + following formats: +o Group in the same domain: "Group Name" @@ -119,15 +125,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" - Note that quotes around group names are optional. Unquoted strings - must use a backslash (\) to escape spaces and the '@' symbol. - - Runas_List ::= Runas_Member | - Runas_Member ',' Runas_List - -1.7.5rc1 February 21, 2011 2 +1.7.6 April 9, 2011 2 @@ -136,10 +136,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Note that quotes around group names are optional. Unquoted strings + must use a backslash (\) to escape spaces and special characters. See + "Other special characters and reserved words" for a list of characters + that need to be escaped. + + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List Runas_Member ::= '!'* user name | - '!'* '#'uid | - '!'* '%'group | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | '!'* +netgroup | '!'* Runas_Alias @@ -156,7 +166,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Host ::= '!'* host name | '!'* ip_addr | '!'* network(/netmask)? | - '!'* '+'netgroup | + '!'* +netgroup | '!'* Host_Alias A Host_List is made up of one or more host names, IP addresses, network @@ -180,28 +190,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd ',' Cmnd_List commandname ::= file name | - file name args | - file name '""' - Cmnd ::= '!'* commandname | - '!'* directory | - '!'* "sudoedit" | - '!'* Cmnd_Alias - A Cmnd_List is a list of one or more commandnames, directories, and - other aliases. A commandname is a fully qualified file name which may +1.7.6 April 9, 2011 3 -1.7.5rc1 February 21, 2011 3 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + file name args | + file name '""' + Cmnd ::= '!'* commandname | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias + A Cmnd_List is a list of one or more commandnames, directories, and + other aliases. A commandname is a fully qualified file name which may include shell-style wildcards (see the Wildcards section below). A simple file name allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments @@ -246,27 +256,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are implicitly boolean and can be turned off via the '!' operator. Some - integer, string and list parameters may also be used in a boolean - context to disable them. Values may be enclosed in double quotes (") - when they contain multiple words. Special characters may be escaped - with a backslash (\). - Lists have two additional assignment operators, += and -=. These - operators are used to add to and delete from a list respectively. It - is not an error to use the -= operator to remove an element that does - not exist in a list. +1.7.6 April 9, 2011 4 -1.7.5rc1 February 21, 2011 4 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + integer, string and list parameters may also be used in a boolean + context to disable them. Values may be enclosed in double quotes (") + when they contain multiple words. Special characters may be escaped + with a backslash (\). + Lists have two additional assignment operators, += and -=. These + operators are used to add to and delete from a list respectively. It + is not an error to use the -= operator to remove an element that does + not exist in a list. Defaults entries are parsed in the following order: generic, host and user Defaults first, then runas Defaults and finally command defaults. @@ -294,7 +304,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) what user) on specified hosts. By default, commands are run as rroooott, but this can be changed on a per-command basis. - The basic structure of a user specification is `who = where (as_whom) + The basic structure of a user specification is `who where = (as_whom) what'. Let's break that down into its constituent parts: RRuunnaass__SSppeecc @@ -312,27 +322,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the group set to any listed in the Runas_List. If no Runas_Spec is specified the command may be run as rroooott and no group may be specified. - A Runas_Spec sets the default for the commands that follow it. What - this means is that for the entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only - as ooppeerraattoorr. E.g., - $ sudo -u operator /bin/ls +1.7.6 April 9, 2011 5 -1.7.5rc1 February 21, 2011 5 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + A Runas_Spec sets the default for the commands that follow it. What + this means is that for the entry: + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only + as ooppeerraattoorr. E.g., + $ sudo -u operator /bin/ls It is also possible to override a Runas_Spec later on in an entry. If we modify the entry like so: @@ -378,20 +388,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) user aallaann may run any command as either user root or bin, optionally setting the group to operator or system. - SSEELLiinnuuxx__SSppeecc - On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an - SELinux role and/or type associated with a command. If a role or type - is specified with the command it will override any default values - specified in _s_u_d_o_e_r_s. A role or type specified on the command line, - however, will supercede the values in _s_u_d_o_e_r_s. - - TTaagg__SSppeecc - A command may have zero or more tags associated with it. There are - eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, -1.7.5rc1 February 21, 2011 6 +1.7.6 April 9, 2011 6 @@ -400,6 +400,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + SSEELLiinnuuxx__SSppeecc + On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an + SELinux role and/or type associated with a command. If a role or type + is specified with the command it will override any default values + specified in _s_u_d_o_e_r_s. A role or type specified on the command line, + however, will supercede the values in _s_u_d_o_e_r_s. + + TTaagg__SSppeecc + A command may have zero or more tags associated with it. There are + eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite tag (i.e.: PASSWD @@ -444,29 +454,31 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more details on - how NOEXEC works and whether or not it will work on your system. - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V - These tags override the value of the _s_e_t_e_n_v option on a per-command - basis. Note that if SETENV has been set for a command, any environment - variables set on the command line way are not subject to the - restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, - only trusted users should be allowed to set variables in this manner. - If the command matched is AALLLL, the SETENV tag is implied for that +1.7.6 April 9, 2011 7 -1.7.5rc1 February 21, 2011 7 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + how NOEXEC works and whether or not it will work on your system. + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V - command; this default may be overridden by use of the NOSETENV tag. + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, the user may + disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + Additionally, environment variables set on the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set + variables in this manner. If the command matched is AALLLL, the SETENV + tag is implied for that command; this default may be overridden by use + of the NOSETENV tag. _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T @@ -509,28 +521,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) in the path name. When matching the command line arguments, however, a slash ddooeess get matched by wildcards. This is to make a path like: - /usr/bin/* - - match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - The following exceptions apply to the above rules: - "" If the empty string "" is the only command line argument in the - _s_u_d_o_e_r_s entry it means that command is not allowed to be run - with aannyy arguments. +1.7.6 April 9, 2011 8 -1.7.5rc1 February 21, 2011 8 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + /usr/bin/* + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + The following exceptions apply to the above rules: + "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s entry it means that command is not allowed to be run + with aannyy arguments. IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s @@ -575,28 +586,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) in the file names can be used to avoid such problems. Note that unlike files included via #include, vviissuuddoo will not edit the - files in a #includedir directory unless one of them contains a syntax - error. It is still possible to run vviissuuddoo with the -f flag to edit the - files directly. - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss - The pound sign ('#') is used to indicate a comment (unless it is part - of a #include directive or unless it occurs in the context of a user - name and is followed by one or more digits, in which case it is treated - as a uid). Both the comment character and any text after it, up to the - end of the line, are ignored. +1.7.6 April 9, 2011 9 -1.7.5rc1 February 21, 2011 9 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + files in a #includedir directory unless one of them contains a syntax + error. It is still possible to run vviissuuddoo with the -f flag to edit the + files directly. + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + The pound sign ('#') is used to indicate a comment (unless it is part + of a #include directive or unless it occurs in the context of a user + name and is followed by one or more digits, in which case it is treated + as a uid). Both the comment character and any text after it, up to the + end of the line, are ignored. The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to succeed. It can be used wherever one might otherwise use a Cmnd_Alias, @@ -619,8 +630,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. The following characters must be escaped with a backslash ('\') when - used as part of a word (e.g. a user name or host name): '@', '!', '=', - ':', ',', '(', ')', '\'. + used as part of a word (e.g. a user name or host name): '!', '=', ':', + ',', '(', ')', '\'. SSUUDDOOEERRSS OOPPTTIIOONNSS ssuuddoo's behavior can be modified by Default_Entry lines, as explained @@ -641,29 +652,29 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS authenticate If set, users must authenticate themselves via a password (or other means of authentication) before they - may run commands. This default may be overridden via - the PASSWD and NOPASSWD tags. This flag is _o_n by - default. - closefrom_override - If set, the user may use ssuuddoo's --CC option which - overrides the default starting point at which ssuuddoo - begins closing open file descriptors. This flag is _o_f_f - by default. - compress_io If set, and ssuuddoo is configured to log a command's input +1.7.6 April 9, 2011 10 -1.7.5rc1 February 21, 2011 10 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + may run commands. This default may be overridden via + the PASSWD and NOPASSWD tags. This flag is _o_n by + default. + closefrom_override + If set, the user may use ssuuddoo's --CC option which + overrides the default starting point at which ssuuddoo + begins closing open file descriptors. This flag is _o_f_f + by default. + compress_io If set, and ssuuddoo is configured to log a command's input or output, the I/O logs will be compressed using zzlliibb. This flag is _o_n by default when ssuuddoo is compiled with zzlliibb support. @@ -707,21 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) flag is _o_f_f by default. fqdn Set this flag if you want to put fully qualified host - names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you - would use myhost.mydomain.edu. You may still use the - short form if you wish (and even mix the two). Beware - that turning on _f_q_d_n requires ssuuddoo to make DNS lookups - which may make ssuuddoo unusable if DNS stops working (for - example if the machine is not plugged into the - network). Also note that you must use the host's - official name as DNS knows it. That is, you may not - use a host alias (CNAME entry) due to performance - issues and the fact that there is no way to get all - aliases from DNS. If your machine's host name (as -1.7.5rc1 February 21, 2011 11 +1.7.6 April 9, 2011 11 @@ -730,6 +730,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). Beware + that turning on _f_q_d_n requires ssuuddoo to make DNS lookups + which may make ssuuddoo unusable if DNS stops working (for + example if the machine is not plugged into the + network). Also note that you must use the host's + official name as DNS knows it. That is, you may not + use a host alias (CNAME entry) due to performance + issues and the fact that there is no way to get all + aliases from DNS. If your machine's host name (as returned by the hostname command) is already fully qualified you shouldn't need to set _f_q_d_n. This flag is _o_f_f by default. @@ -757,6 +768,51 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) log_host If set, the host name will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. + log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log all user input. If the standard input is not + connected to the user's tty, due to I/O redirection or + because the command is part of a pipeline, that input + is also captured and stored in a separate log file. + + Input is logged to the directory specified by the + _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a + unique session ID that is included in the normal ssuuddoo + log line, prefixed with _T_S_I_D_=. + + Note that user input may contain sensitive information + such as passwords (even if they are not echoed to the + screen), which will be stored in the log file + unencrypted. In most cases, logging the command output + via _l_o_g___o_u_t_p_u_t is all that is required. + + + +1.7.6 April 9, 2011 12 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log all output that is sent to the screen, similar to + the _s_c_r_i_p_t(1) command. If the standard output or + standard error is not connected to the user's tty, due + to I/O redirection or because the command is part of a + pipeline, that output is also captured and stored in + separate log files. + + Output is logged to the directory specified by the + _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a + unique session ID that is included in the normal ssuuddoo + log line, prefixed with _T_S_I_D_=. + + Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + utility, which can also be used to list or search the + available logs. + log_year If set, the four-digit year will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. @@ -785,26 +841,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) entry or is explicitly denied. This flag is _o_f_f by default. + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is not in the _s_u_d_o_e_r_s file. This flag is + _o_n by default. + noexec If set, all commands run via ssuuddoo will behave as if the + NOEXEC tag has been set, unless overridden by a EXEC + tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + well as the "PREVENTING SHELL ESCAPES" section at the + end of this manual. This flag is _o_f_f by default. -1.7.5rc1 February 21, 2011 12 +1.7.6 April 9, 2011 13 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the - invoking user is not in the _s_u_d_o_e_r_s file. This flag is - _o_n by default. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - noexec If set, all commands run via ssuuddoo will behave as if the - NOEXEC tag has been set, unless overridden by a EXEC - tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as - well as the "PREVENTING SHELL ESCAPES" section at the - end of this manual. This flag is _o_f_f by default. path_info Normally, ssuuddoo will tell the user when a command could not be found in their PATH environment variable. Some @@ -850,28 +906,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this prevents users from "chaining" ssuuddoo commands to get a root shell by doing something like "sudo sudo /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + will also prevent root from running ssuuddooeeddiitt. + Disabling _r_o_o_t___s_u_d_o provides no real additional + security; it exists purely for historical reasons. + This flag is _o_n by default. + rootpw If set, ssuuddoo will prompt for the root password instead + of the password of the invoking user. This flag is _o_f_f + by default. + runaspw If set, ssuuddoo will prompt for the password of the user -1.7.5rc1 February 21, 2011 13 +1.7.6 April 9, 2011 14 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - will also prevent root from running ssuuddooeeddiitt. - Disabling _r_o_o_t___s_u_d_o provides no real additional - security; it exists purely for historical reasons. - This flag is _o_n by default. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - rootpw If set, ssuuddoo will prompt for the root password instead - of the password of the invoking user. This flag is _o_f_f - by default. - runaspw If set, ssuuddoo will prompt for the password of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) instead of the password of the invoking user. This flag is _o_f_f by default. @@ -916,10 +972,20 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) effective UIDs are set to the target user (root by default). This option changes that behavior such that the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some + potentially dangerous functionality when a program is + run setuid. This option is only effective on systems + with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. + This flag is _o_f_f by default. + + targetpw If set, ssuuddoo will prompt for the password of the user + specified by the --uu option (defaults to root) instead + of the password of the invoking user. In addition, the -1.7.5rc1 February 21, 2011 14 +1.7.6 April 9, 2011 15 @@ -928,47 +994,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - other words, this makes ssuuddoo act as a setuid wrapper. - This can be useful on systems that disable some - potentially dangerous functionality when a program is - run setuid. This option is only effective on systems - with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. - This flag is _o_f_f by default. - - targetpw If set, ssuuddoo will prompt for the password of the user - specified by the --uu option (defaults to root) instead - of the password of the invoking user. In addition, the timestamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the --uu option. This flag is _o_f_f by default. - log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and - log all user input. If the standard input is not - connected to the user's tty, due to I/O redirection or - because the command is part of a pipeline, that input - is also captured and stored in a separate log file. - - Input is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory using - a unique session ID that is included in the normal ssuuddoo - log line, prefixed with _T_S_I_D_=. - - log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and - log all output that is sent to the screen, similar to - the _s_c_r_i_p_t(1) command. If the standard output or - standard error is not connected to the user's tty, due - to I/O redirection or because the command is part of a - pipeline, that output is also captured and stored in - separate log files. - - Output is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory - using a unique session ID that is included in the - normal ssuuddoo log line, prefixed with _T_S_I_D_=. - - Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) - utility, which can also be used to list or search the - available logs. - tty_tickets If set, users must authenticate on a per-tty basis. With this flag enabled, ssuuddoo will use a file named for the tty the user is logged in on in the user's time @@ -983,17 +1013,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) be the union of the user's umask and what is specified in _s_u_d_o_e_r_s. This flag is _o_f_f by default. - - -1.7.5rc1 February 21, 2011 15 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only available if ssuuddoo is configured with the @@ -1029,6 +1048,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + + +1.7.6 April 9, 2011 16 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, @@ -1048,18 +1079,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or - - - -1.7.5rc1 February 21, 2011 16 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - delete their own timestamps via sudo -v and sudo -k respectively. @@ -1095,6 +1114,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Default is *** SECURITY information for %h ***. noexec_file Path to a shared library containing dummy versions of + + + +1.7.6 April 9, 2011 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions that just return an error. This is used to implement the _n_o_e_x_e_c functionality on systems that support @@ -1114,18 +1145,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) name %p expanded to the user whose password is being asked - - - -1.7.5rc1 February 21, 2011 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) @@ -1161,6 +1180,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) locale may affect how sudoers is interpreted. Defaults to "C". + + + +1.7.6 April 9, 2011 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + timestampdir The directory in which ssuuddoo stores its timestamp files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. @@ -1180,18 +1211,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) terminal is available. This may be the case when ssuuddoo is executed from a graphical (as opposed to text-based) application. The program specified by _a_s_k_p_a_s_s should - - - -1.7.5rc1 February 21, 2011 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - display the argument passed to it as the prompt and write the user's password to the standard output. The value of _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment @@ -1228,6 +1247,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) will be used in place of the standard lecture if the named file exists. By default, ssuuddoo uses a built-in lecture. + + +1.7.6 April 9, 2011 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + listpw This option controls when a password will be required when a user runs ssuuddoo with the --ll option. It has the following possible values: @@ -1246,18 +1276,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never The user need never enter a password to use the --ll option. - - - -1.7.5rc1 February 21, 2011 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - If no value is specified, a value of _a_n_y is implied. Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_n_y. @@ -1295,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) a user runs ssuuddoo with the --vv option. It has the following possible values: + + +1.7.6 April 9, 2011 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + all All the user's _s_u_d_o_e_r_s entries for the current host must have the NOPASSWD flag set to avoid entering a password. @@ -1313,17 +1342,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Negating the option results in a value of _n_e_v_e_r being used. The default value is _a_l_l. - - -1.7.5rc1 February 21, 2011 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: env_check Environment variables to be removed from the user's @@ -1360,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the =, +=, + + + +1.7.6 April 9, 2011 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + -=, and ! operators respectively. The default list of variables to keep is displayed when ssuuddoo is run by root with the _-_V option. @@ -1378,18 +1408,6 @@ FFIILLEESS _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups - - - -1.7.5rc1 February 21, 2011 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files EEXXAAMMPPLLEESS @@ -1426,6 +1444,18 @@ EEXXAAMMPPLLEESS Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore Cmnd_Alias KILL = /usr/bin/kill + + + +1.7.6 April 9, 2011 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt @@ -1444,18 +1474,6 @@ EEXXAAMMPPLLEESS Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years. - - - -1.7.5rc1 February 21, 2011 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Lastly, we disable shell escapes for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). @@ -1492,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR + + + +1.7.6 April 9, 2011 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + notation) indicating it is a class C network. For the other networks in _C_S_N_E_T_S, the local machine's netmask will be used during matching. @@ -1510,18 +1540,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) joe ALL = /usr/bin/su operator - - - -1.7.5rc1 February 21, 2011 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - The user jjooee may only _s_u(1) to operator. pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root @@ -1558,6 +1576,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + + + +1.7.6 April 9, 2011 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is not allowed to specify any options to the _s_u(1) command. @@ -1577,17 +1607,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user sstteevvee may run any command in the directory /usr/local/op_commands/ but only as user operator. - - -1.7.5rc1 February 21, 2011 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - matt valkyrie = KILL On his personal workstation, valkyrie, mmaatttt needs to be able to kill @@ -1623,6 +1642,18 @@ SSEECCUURRIITTYY NNOOTTEESS Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably negate commands where the path name includes globbing (aka + + + +1.7.6 April 9, 2011 25 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) function cannot resolve relative paths. While this is typically only an inconvenience for rules that grant privileges, it can result in a @@ -1642,18 +1673,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS since it is not uncommon for a program to allow shell escapes, which lets a user bypass ssuuddoo's access control and logging. Common programs that permit shell escapes include shells (obviously), editors, - - - -1.7.5rc1 February 21, 2011 25 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - paginators, mail and terminal programs. There are two basic approaches to this problem: @@ -1689,6 +1708,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) error. Unfortunately, there is no foolproof way to know whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, + + + +1.7.6 April 9, 2011 26 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and UnixWare. _n_o_e_x_e_c is expected to work on most operating systems that support the LD_PRELOAD environment variable. @@ -1708,18 +1739,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) unsure whether or not your system is capable of supporting _n_o_e_x_e_c you can always just try it out and see if it works. - - - -1.7.5rc1 February 21, 2011 26 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Note that restricting shell escapes is not a panacea. Programs running as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead to unintended @@ -1758,25 +1777,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - -1.7.5rc1 February 21, 2011 27 +1.7.6 April 9, 2011 27 diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 1ae19a605..8b1433382 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5rc1 February 21, 2011 1 +1.7.6 April 9, 2011 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.5rc1 February 21, 2011 2 +1.7.6 April 9, 2011 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.5rc1 February 21, 2011 3 +1.7.6 April 9, 2011 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.5rc1 February 21, 2011 4 +1.7.6 April 9, 2011 4 @@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.5rc1 February 21, 2011 5 +1.7.6 April 9, 2011 5 @@ -372,6 +372,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in which case they are queried in the order specified. + SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter + An LDAP filter which is used to restrict the set of records + returned when performing a ssuuddoo LDAP query. Typically, this is of + the form attribute=value or + (&(attribute=value)(attribute2=value2)). + SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes that implement time-dependent sudoers entries. @@ -382,16 +388,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) in a moderate amount of debugging information. A value of 2 shows the results of the matches themselves. This parameter should not be set in a production environment as the extra information is - likely to confuse users. - - BBIINNDDDDNN DN - The BBIINNDDDDNN parameter specifies the identity, in the form of a - Distinguished Name (DN), to use when performing LDAP operations. - If not specified, LDAP operations are performed with an anonymous -1.7.5rc1 February 21, 2011 6 +1.7.6 April 9, 2011 6 @@ -400,6 +400,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + likely to confuse users. + + BBIINNDDDDNN DN + The BBIINNDDDDNN parameter specifies the identity, in the form of a + Distinguished Name (DN), to use when performing LDAP operations. + If not specified, LDAP operations are performed with an anonymous identity. By default, most LDAP servers will allow anonymous access. @@ -447,17 +453,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) TTLLSS__CCAACCEERRTT file name An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility. - TTLLSS__CCAACCEERRTTFFIILLEE file name - The path to a certificate authority bundle which contains the - certificates for all the Certificate Authorities the client knows - to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only - supported by the OpenLDAP libraries. Netscape-derived LDAP - libraries use the same certificate database for CA and client - certificates (see TTLLSS__CCEERRTT). -1.7.5rc1 February 21, 2011 7 + +1.7.6 April 9, 2011 7 @@ -466,6 +466,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + TTLLSS__CCAACCEERRTTFFIILLEE file name + The path to a certificate authority bundle which contains the + certificates for all the Certificate Authorities the client knows + to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m. This option is only + supported by the OpenLDAP libraries. Netscape-derived LDAP + libraries use the same certificate database for CA and client + certificates (see TTLLSS__CCEERRTT). + TTLLSS__CCAACCEERRTTDDIIRR directory Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory containing individual Certificate Authority certificates, e.g. @@ -511,19 +519,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) the OpenSSL manual for a list of valid ciphers. This option is only supported by the OpenLDAP libraries. - UUSSEE__SSAASSLL on/true/yes/off/false/no - Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. - SSAASSLL__AAUUTTHH__IIDD identity - The SASL user name to use when connecting to the LDAP server. By - default, ssuuddoo will use an anonymous connection. - - RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no - Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting -1.7.5rc1 February 21, 2011 8 +1.7.6 April 9, 2011 8 @@ -532,6 +532,15 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + UUSSEE__SSAASSLL on/true/yes/off/false/no + Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication. + + SSAASSLL__AAUUTTHH__IIDD identity + The SASL user name to use when connecting to the LDAP server. By + default, ssuuddoo will use an anonymous connection. + + RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no + Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting to an LDAP server from a privileged process, such as ssuuddoo. RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity @@ -577,26 +586,26 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoers: files - Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying - operating system does not use an nsswitch.conf file. - CCoonnffiigguurriinngg nneettssvvcc..ccoonnff - On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of - _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the - file format itself still applies. +1.7.6 April 9, 2011 9 -1.7.5rc1 February 21, 2011 9 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying + operating system does not use an nsswitch.conf file. + CCoonnffiigguurriinngg nneettssvvcc..ccoonnff + On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f. ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of + _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the + file format itself still applies. To consult LDAP first followed by the local sudoers file (if it exists), use: @@ -643,19 +652,10 @@ EEXXAAMMPPLLEESS #uri ldaps://secureldapserver #uri ldaps://secureldapserver ldap://ldapserver # - # The amount of time, in seconds, to wait while trying to connect to - # an LDAP server. - bind_timelimit 30 - # - # The amount of time, in seconds, to wait while performing an LDAP query. - timelimit 30 - # - # Must be set or sudo will ignore LDAP; may be specified multiple times. - sudoers_base ou=SUDOers,dc=example,dc=com -1.7.5rc1 February 21, 2011 10 +1.7.6 April 9, 2011 10 @@ -664,6 +664,15 @@ EEXXAAMMPPLLEESS SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # The amount of time, in seconds, to wait while trying to connect to + # an LDAP server. + bind_timelimit 30 + # + # The amount of time, in seconds, to wait while performing an LDAP query. + timelimit 30 + # + # Must be set or sudo will ignore LDAP; may be specified multiple times. + sudoers_base ou=SUDOers,dc=example,dc=com # # verbose sudoers matching from ldap #sudoers_debug 2 @@ -709,19 +718,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) #tls_randfile /etc/egd-pool # # You may restrict which ciphers are used. Consult your SSL - # documentation for which options go here. - # Only supported when using OpenLDAP. - # - #tls_ciphers - # - # Sudo can provide a client certificate when communicating to - # the LDAP server. - # Tips: - # * Enable both lines at the same time. -1.7.5rc1 February 21, 2011 11 +1.7.6 April 9, 2011 11 @@ -730,6 +730,15 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # documentation for which options go here. + # Only supported when using OpenLDAP. + # + #tls_ciphers + # + # Sudo can provide a client certificate when communicating to + # the LDAP server. + # Tips: + # * Enable both lines at the same time. # * Do not password protect the key file. # * Ensure the keyfile is only readable by root. # @@ -775,19 +784,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) attributetype ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' - DESC 'Host(s) who may run sudo' - EQUALITY caseExactIA5Match - SUBSTR caseExactIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - attributetype ( 1.3.6.1.4.1.15953.9.1.3 - NAME 'sudoCommand' - DESC 'Command(s) to be executed by sudo' - EQUALITY caseExactIA5Match -1.7.5rc1 February 21, 2011 12 +1.7.6 April 9, 2011 12 @@ -796,6 +796,15 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + DESC 'Host(s) who may run sudo' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.3 + NAME 'sudoCommand' + DESC 'Command(s) to be executed by sudo' + EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 1.3.6.1.4.1.15953.9.1.4 @@ -841,19 +850,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) - - objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL - DESC 'Sudoer Entries' - MUST ( cn ) - MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ - sudoOrder $ description ) - ) -1.7.5rc1 February 21, 2011 13 +1.7.6 April 9, 2011 13 @@ -862,6 +862,16 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) + ) + SSEEEE AALLSSOO _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) @@ -909,16 +919,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - -1.7.5rc1 February 21, 2011 14 +1.7.6 April 9, 2011 14 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index 0cecdc904..74cafeca5 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -463,6 +463,11 @@ The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typic this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain \&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified, in which case they are queried in the order specified. +.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4 +.IX Item "SUDOERS_SEARCH_FILTER ldap_filter" +An \s-1LDAP\s0 filter which is used to restrict the set of records returned +when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the +form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR. .IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4 .IX Item "SUDOERS_TIMED on/true/yes/off/false/no" Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR diff --git a/sudoers.man.in b/sudoers.man.in index cddeb01f9..531ead6ed 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -246,26 +246,33 @@ The definitions of what constitutes a valid \fIalias\fR member follow. \& User \*(Aq,\*(Aq User_List \& \& User ::= \*(Aq!\*(Aq* user name | -\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid | -\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup | -\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup | -\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group | +\& \*(Aq!\*(Aq* #uid | +\& \*(Aq!\*(Aq* %group | +\& \*(Aq!\*(Aq* %#gid | +\& \*(Aq!\*(Aq* +netgroup | +\& \*(Aq!\*(Aq* %:nonunix_group | +\& \*(Aq!\*(Aq* %:#nonunix_gid | \& \*(Aq!\*(Aq* User_Alias .Ve .PP -A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed -with '#'), system groups (prefixed with '%'), netgroups (prefixed -with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with -zero or more '!' operators. An odd number of '!' operators negate -the value of the item; an even number just cancel each other out. -.PP -A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may -be enclosed in double quotes to avoid the need for escaping special -characters. Alternately, special characters may be specified in -escaped hex mode, e.g. \ex20 for space. -.PP -The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation. -For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats: +A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids +(prefixed with '#'), system group names and ids (prefixed with '%' +and '%#' respectively), netgroups (prefixed with '+'), non-Unix +group names and IDs (prefixed with '%:' and '%:#' respectively) and +\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more +\&'!' operators. An odd number of '!' operators negate the value of +the item; an even number just cancel each other out. +.PP +A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR +or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the +need for escaping special characters. Alternately, special characters +may be specified in escaped hex mode, e.g. \ex20 for space. When +using double quotes, any prefix characters must be included inside +the quotes. +.PP +The \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on the +underlying implementation. For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports +the following formats: .IP "\(bu" 4 Group in the same domain: \*(L"Group Name\*(R" .IP "\(bu" 4 @@ -273,16 +280,21 @@ Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R" .IP "\(bu" 4 Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R" .PP -Note that quotes around group names are optional. Unquoted strings must -use a backslash (\e) to escape spaces and the '@' symbol. +Note that quotes around group names are optional. Unquoted strings +must use a backslash (\e) to escape spaces and special characters. +See \*(L"Other special characters and reserved words\*(R" for a list of +characters that need to be escaped. .PP .Vb 2 \& Runas_List ::= Runas_Member | \& Runas_Member \*(Aq,\*(Aq Runas_List \& \& Runas_Member ::= \*(Aq!\*(Aq* user name | -\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid | -\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup | +\& \*(Aq!\*(Aq* #uid | +\& \*(Aq!\*(Aq* %group | +\& \*(Aq!\*(Aq* %#gid | +\& \*(Aq!\*(Aq* %:nonunix_group | +\& \*(Aq!\*(Aq* %:#nonunix_gid | \& \*(Aq!\*(Aq* +netgroup | \& \*(Aq!\*(Aq* Runas_Alias .Ve @@ -301,7 +313,7 @@ and toor), you can use a uid instead (#0 in the example given). \& Host ::= \*(Aq!\*(Aq* host name | \& \*(Aq!\*(Aq* ip_addr | \& \*(Aq!\*(Aq* network(/netmask)? | -\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup | +\& \*(Aq!\*(Aq* +netgroup | \& \*(Aq!\*(Aq* Host_Alias .Ve .PP @@ -429,7 +441,7 @@ A \fBuser specification\fR determines which commands a user may run (and as what user) on specified hosts. By default, commands are run as \fBroot\fR, but this can be changed on a per-command basis. .PP -The basic structure of a user specification is `who = where (as_whom) +The basic structure of a user specification is `who where = (as_whom) what'. Let's break that down into its constituent parts: .SS "Runas_Spec" .IX Subsection "Runas_Spec" @@ -591,13 +603,14 @@ on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your sy .IX Subsection "SETENV and NOSETENV" .PP These tags override the value of the \fIsetenv\fR option on a per-command -basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any -environment variables set on the command line way are not subject -to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or -\&\fIenv_keep\fR. As such, only trusted users should be allowed to set -variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the -\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may -be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag. +basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user +may disable the \fIenv_reset\fR option from the command line via the +\&\fB\-E\fR option. Additionally, environment variables set on the command +line are not subject to the restrictions imposed by \fIenv_check\fR, +\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should +be allowed to set variables in this manner. If the command matched +is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this +default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag. .PP \fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR .IX Subsection "LOG_INPUT and NOLOG_INPUT" @@ -754,7 +767,7 @@ characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional. .PP The following characters must be escaped with a backslash ('\e') when used as part of a word (e.g.\ a user name or host name): -\&'@', '!', '=', ':', ',', '(', ')', '\e'. +\&'!', '=', ':', ',', '(', ')', '\e'. .SH "SUDOERS OPTIONS" .IX Header "SUDOERS OPTIONS" \&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as @@ -861,6 +874,37 @@ password. This flag is \fI@insults@\fR by default. .IX Item "log_host" If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file. This flag is \fIoff\fR by default. +.IP "log_input" 16 +.IX Item "log_input" +If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all +user input. +If the standard input is not connected to the user's tty, due to +I/O redirection or because the command is part of a pipeline, that +input is also captured and stored in a separate log file. +.Sp +Input is logged to the directory specified by the \fIiolog_dir\fR +option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that +is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR. +.Sp +Note that user input may contain sensitive information such as +passwords (even if they are not echoed to the screen), which will +be stored in the log file unencrypted. In most cases, logging the +command output via \fIlog_output\fR is all that is required. +.IP "log_output" 16 +.IX Item "log_output" +If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all +output that is sent to the screen, similar to the \fIscript\fR\|(1) command. +If the standard output or standard error is not connected to the +user's tty, due to I/O redirection or because the command is part +of a pipeline, that output is also captured and stored in separate +log files. +.Sp +Output is logged to the directory specified by the \fIiolog_dir\fR +option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that +is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR. +.Sp +Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which +can also be used to list or search the available logs. .IP "log_year" 16 .IX Item "log_year" If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file. @@ -1013,32 +1057,6 @@ of the invoking user. In addition, the timestamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the \fB\-u\fR option. This flag is \fIoff\fR by default. -.IP "log_input" 16 -.IX Item "log_input" -If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all -user input. -If the standard input is not connected to the user's tty, due to -I/O redirection or because the command is part of a pipeline, that -input is also captured and stored in a separate log file. -.Sp -Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique -session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed -with \fITSID=\fR. -.IP "log_output" 16 -.IX Item "log_output" -If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all -output that is sent to the screen, similar to the \fIscript\fR\|(1) command. -If the standard output or standard error is not connected to the -user's tty, due to I/O redirection or because the command is part -of a pipeline, that output is also captured and stored in separate -log files. -.Sp -Output is logged to the -\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is -included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR. -.Sp -Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which -can also be used to list or search the available logs. .IP "tty_tickets" 16 .IX Item "tty_tickets" If set, users must authenticate on a per-tty basis. With this flag diff --git a/sudoreplay.cat b/sudoreplay.cat index 8278afb82..aee5497cf 100644 --- a/sudoreplay.cat +++ b/sudoreplay.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.5rc1 February 21, 2011 1 +1.7.6 April 9, 2011 1 @@ -127,7 +127,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.5rc1 February 21, 2011 2 +1.7.6 April 9, 2011 2 @@ -193,7 +193,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.5rc1 February 21, 2011 3 +1.7.6 April 9, 2011 3 @@ -259,7 +259,7 @@ EEXXAAMMPPLLEESS -1.7.5rc1 February 21, 2011 4 +1.7.6 April 9, 2011 4 @@ -325,6 +325,6 @@ DDIISSCCLLAAIIMMEERR -1.7.5rc1 February 21, 2011 5 +1.7.6 April 9, 2011 5 diff --git a/sudoreplay.man.in b/sudoreplay.man.in index 874ff813c..89418d8ee 100644 --- a/sudoreplay.man.in +++ b/sudoreplay.man.in @@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS" +.TH SUDOREPLAY @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/visudo.cat b/visudo.cat index ad4e30b86..ce7c1a3f6 100644 --- a/visudo.cat +++ b/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.5rc1 February 21, 2011 1 +1.7.6 April 9, 2011 1 @@ -127,7 +127,7 @@ DDIIAAGGNNOOSSTTIICCSS -1.7.5rc1 February 21, 2011 2 +1.7.6 April 9, 2011 2 @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.7.5rc1 February 21, 2011 3 +1.7.6 April 9, 2011 3 diff --git a/visudo.man.in b/visudo.man.in index ae23d29b6..c8ee72e5a 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l