From: Todd C. Miller Date: Thu, 18 Jul 2013 22:51:56 +0000 (-0600) Subject: Add support for long options and fix inclusion of sudo_usage.h with X-Git-Tag: SUDO_1_8_8^2~104 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6e56e6d8c86cc7beedd5c0b9a32c47a92b7b43f9;p=sudo Add support for long options and fix inclusion of sudo_usage.h with modern gcc broken in 8597:1fcb7ba13018. --- diff --git a/doc/sudo.cat b/doc/sudo.cat index 29bc20736..f1deb5f8b 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -5,15 +5,15 @@ NNAAMMEE SSYYNNOOPPSSIISS ssuuddoo --hh | --KK | --kk | --VV - ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--pp _p_r_o_m_p_t] - [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] - ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--hh _h_o_s_t _n_a_m_e] + ssuuddoo --vv [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--hh _r_e_m_o_t_e _h_o_s_t] + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] + ssuuddoo --ll[_l] [--AAkknnSS] [--aa _a_u_t_h___t_y_p_e] [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--hh _r_e_m_o_t_e _h_o_s_t] [--pp _p_r_o_m_p_t] [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [_c_o_m_m_a_n_d] ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] - [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--hh _h_o_s_t _n_a_m_e] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] + [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--hh _r_e_m_o_t_e _h_o_s_t] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] [VVAARR=_v_a_l_u_e] --ii | --ss [_c_o_m_m_a_n_d] ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s | _-] - [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--hh _h_o_s_t _n_a_m_e] [--pp _p_r_o_m_p_t] + [--gg _g_r_o_u_p _n_a_m_e | _#_g_i_d] [--hh _r_e_m_o_t_e _h_o_s_t] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e | _#_u_i_d] file ... DDEESSCCRRIIPPTTIIOONN 
@@ -48,7 +48,8 @@ DDEESSCCRRIIPPTTIIOONN The options are as follows: - --AA Normally, if ssuuddoo requires a password, it will read it from + --AA, ----aasskkppaassss + Normally, if ssuuddoo requires a password, it will read it from the user's terminal. If the --AA (_a_s_k_p_a_s_s) option is specified, a (possibly graphical) helper program is executed to read the user's password and output the password to the @@ -63,7 +64,8 @@ DDEESSCCRRIIPPTTIIOONN If no askpass program is available, ssuuddoo will exit with an error. - --aa _t_y_p_e The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the + --aa, ----aauutthh--ttyyppee _a_u_t_h___t_y_p_e + The --aa (_a_u_t_h_e_n_t_i_c_a_t_i_o_n _t_y_p_e) option causes ssuuddoo to use the specified authentication type when validating the user, as allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may specify a list of sudo-specific authentication methods by @@ -71,13 +73,15 @@ DDEESSCCRRIIPPTTIIOONN option is only available on systems that support BSD authentication. - --bb The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given + --bb, ----bbaacckkggrroouunndd + The --bb (_b_a_c_k_g_r_o_u_n_d) option tells ssuuddoo to run the given command in the background. Note that if you use the --bb option you cannot use shell job control to manipulate the process. Most interactive commands will fail to work properly in background mode. - --CC _f_d Normally, ssuuddoo will close all open file descriptors other + --CC, ----cclloossee--ffrroomm _f_d + Normally, ssuuddoo will close all open file descriptors other than standard input, standard output and standard error. The --CC (_c_l_o_s_e _f_r_o_m) option allows the user to specify a starting point above the standard error (file descriptor three). 
@@ -86,7 +90,8 @@ DDEESSCCRRIIPPTTIIOONN The _s_u_d_o_e_r_s policy only permits use of the --CC option when the administrator has enabled the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option. - --cc _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified + --cc, ----llooggiinn--ccllaassss _c_l_a_s_s + The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified command with resources limited by the specified login class. The _c_l_a_s_s argument can be either a class name as defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single `-' character. Specifying a @@ -98,13 +103,14 @@ DDEESSCCRRIIPPTTIIOONN This option is only available on systems with BSD login classes. - --EE The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the + --EE, ----pprreesseerrvvee--eennvv + The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option indicates to the security policy that the user wishes to preserve their existing environment variables. The security policy may return an error if the --EE option is specified and the user does not have permission to preserve the environment. - --ee The --ee (_e_d_i_t) option indicates that, instead of running a + --ee, ----eeddiitt The --ee (_e_d_i_t) option indicates that, instead of running a command, the user wishes to edit one or more files. In lieu of a command, the string "sudoedit" is used when consulting the security policy. If the user is authorized by the 
@@ -131,32 +137,35 @@ DDEESSCCRRIIPPTTIIOONN version, the user will receive a warning and the edited copy will remain in a temporary file. - --gg _g_r_o_u_p Normally, ssuuddoo runs a command with the primary group set to + --gg, ----ggrroouupp _g_r_o_u_p + Normally, ssuuddoo runs a command with the primary group set to the one specified by the password database for the user the command is being run as (by default, root). The --gg (_g_r_o_u_p) option causes ssuuddoo to run the command with the primary group - set to _g_r_o_u_p instead. To specify a _g_i_d instead of a _g_r_o_u_p - _n_a_m_e, use _#_g_i_d. When running commands as a _g_i_d, many shells - require that the `#' be escaped with a backslash (`\'). If - no --uu option is specified, the command will be run as the - invoking user (not root). In either case, the primary group - will be set to _g_r_o_u_p. - - --HH The --HH (_H_O_M_E) option requests that the security policy set + set to _g_r_o_u_p instead. To specify a numeric group ID (gid) + instead of a group name, use _#_g_i_d. When running commands as + a gid, many shells require that the `#' be escaped with a + backslash (`\'). If no --uu option is specified, the command + will be run as the invoking user (not root). In either case, + the primary group will be set to _g_r_o_u_p. + + --HH, ----sseett--hhoommee + The --HH (_H_O_M_E) option requests that the security policy set the HOME environment variable to the home directory of the target user (root by default) as specified by the password database. Depending on the policy, this may be the default behavior. - --hh [_h_o_s_t _n_a_m_e] - If a _h_o_s_t _n_a_m_e is specified and the policy plugin supports + --hh, ----hheellpp The --hh (_h_e_l_p) option causes ssuuddoo will print a short help + message to the standard output and exit. + + --hh, ----hhoosstt _r_e_m_o_t_e _h_o_s_t + If a _r_e_m_o_t_e _h_o_s_t is specified and the policy plugin supports it, the command will be run on the specified remote host. 
Note that the _s_u_d_o_e_r_s plugin does not currently support - running remote commands. If no _h_o_s_t _n_a_m_e is specified, ssuuddoo - will print a short help message to the standard output and - exit. + running remote commands. - --ii [_c_o_m_m_a_n_d] + --ii, ----llooggiinn [_c_o_m_m_a_n_d] The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell specified by the password database entry of the target user as a login shell. This means that login-specific resource @@ -172,13 +181,14 @@ DDEESSCCRRIIPPTTIIOONN environment in which a command is run when the _s_u_d_o_e_r_s policy is in use. - --KK The --KK (sure _k_i_l_l) option is like --kk except that it removes + --KK, ----rreemmoovvee--ttiimmeessttaammpp + The --KK (sure _k_i_l_l) option is like --kk except that it removes the user's cached credentials entirely and may not be used in conjunction with a command or other option. This option does not require a password. Not all security policies support credential caching. - --kk [_c_o_m_m_a_n_d] + --kk, ----rreesseett--ttiimmeessttaammpp [_c_o_m_m_a_n_d] When used alone, the --kk (_k_i_l_l) option to ssuuddoo invalidates the user's cached credentials. The next time ssuuddoo is run a password will be required. This option does not require a @@ -192,7 +202,7 @@ DDEESSCCRRIIPPTTIIOONN for a password (if one is required by the security policy) and will not update the user's cached credentials. - --ll[ll] [_c_o_m_m_a_n_d] + --ll[ll], ----lliisstt [_c_o_m_m_a_n_d] If no _c_o_m_m_a_n_d is specified, the --ll (_l_i_s_t) option will list the allowed (and forbidden) commands for the invoking user (or the user specified by the --UU option) on the current host. 
@@ -204,17 +214,20 @@ DDEESSCCRRIIPPTTIIOONN --llll), or if --ll is specified multiple times, a longer list format is used. - --nn The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting + --nn, ----nnoonn--iinntteerraaccttiivvee + The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompting the user for a password. If a password is required for the command to run, ssuuddoo will display an error message and exit. - --PP The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve + --PP, ----pprreesseerrvvee--ggrroouuppss + The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to preserve the invoking user's group vector unaltered. By default, the _s_u_d_o_e_r_s policy will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. - --pp _p_r_o_m_p_t The --pp (_p_r_o_m_p_t) option allows you to override the default + --pp, ----pprroommpptt _p_r_o_m_p_t + The --pp (_p_r_o_m_p_t) option allows you to override the default password prompt and use a custom one. The following percent (`%') escapes are supported by the _s_u_d_o_e_r_s policy: 
@@ -241,49 +254,56 @@ DDEESSCCRRIIPPTTIIOONN system password prompt on systems that support PAM unless the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. - --rr _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security - context to have the role specified by _r_o_l_e. + --rr, ----rroollee _r_o_l_e + The --rr (_r_o_l_e) option causes the new SELinux security context + to have the role specified by _r_o_l_e. - --SS The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from + --SS, ----ssttddiinn + The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from the standard input instead of the terminal device. The password must be followed by a newline character. - --ss [_c_o_m_m_a_n_d] + --ss, ----sshheellll [_c_o_m_m_a_n_d] The --ss (_s_h_e_l_l) option runs the shell specified by the SHELL environment variable if it is set or the shell as specified in the password database. If a command is specified, it is passed to the shell for execution via the shell's --cc option. If no command is specified, an interactive shell is executed. - --tt _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security - context to have the type specified by _t_y_p_e. If no type is - specified, the default type is derived from the specified - role. + --tt, ----ttyyppee _t_y_p_e + The --tt (_t_y_p_e) option causes the new SELinux security context + to have the type specified by _t_y_p_e. If no type is specified, + the default type is derived from the specified role. - --UU _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll + --UU, ----ootthheerr--uusseerr _u_s_e_r + The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll option to specify the user whose privileges should be listed. The security policy may restrict listing other users' privileges. The _s_u_d_o_e_r_s policy only allows root or a user with the ALL privilege on the current host to use this option. 
- --uu _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command - as a user other than _r_o_o_t. To specify a _u_i_d instead of a - _u_s_e_r _n_a_m_e, _#_u_i_d. When running commands as a _u_i_d, many shells - require that the `#' be escaped with a backslash (`\'). - Security policies may restrict _u_i_ds to those listed in the - password database. The _s_u_d_o_e_r_s policy allows _u_i_ds that are - not in the password database as long as the _t_a_r_g_e_t_p_w option - is not set. Other security policies may not support this. - - --VV The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version + --uu, ----uusseerr _u_s_e_r + The --uu (_u_s_e_r) option causes ssuuddoo to run the specified command + as a user other than _r_o_o_t. To specify a numeric user ID + (uid) instead of a user name, use _#_u_i_d. When running + commands as a uid, many shells require that the `#' be + escaped with a backslash (`\'). Some security policies may + restrict uids to those listed in the password database. The + _s_u_d_o_e_r_s policy allows uids that are not in the password + database as long as the _t_a_r_g_e_t_p_w option is not set. Other + security policies may not support this. + + --VV, ----vveerrssiioonn + The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print its version string and the version string of the security policy plugin and any I/O plugins. If the invoking user is already root the --VV option will display the arguments passed to configure when ssuuddoo was built and plugins may display more verbose information such as default options. - --vv When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the + --vv, ----vvaalliiddaattee + When given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update the user's cached credentials, authenticating the user's password if necessary. For the _s_u_d_o_e_r_s plugin, this extends the ssuuddoo timeout for another 5 minutes (or whatever the timeout is set 
@@ -304,10 +324,10 @@ DDEESSCCRRIIPPTTIIOONN CCOOMMMMAANNDD EEXXEECCUUTTIIOONN When ssuuddoo executes a command, the security policy specifies the execution - environment for the command. Typically, the real and effective uid and - gid are set to match those of the target user, as specified in the - password database, and the group vector is initialized based on the group - database (unless the --PP option was specified). + environment for the command. Typically, the real and effective user and + group and IDs are set to match those of the target user, as specified in + the password database, and the group vector is initialized based on the + group database (unless the --PP option was specified). The following parameters may be specified by security policy: diff --git a/doc/sudo.man.in b/doc/sudo.man.in index b2faf186f..e45396494 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -39,6 +39,7 @@ [\fB\-AknS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] +[\fB\-h\fR\ \fIremote\ host\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR] .br @@ -48,7 +49,7 @@ [\fB\-AknS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] -[\fB\-h\fR\ \fIhost\ name\fR] +[\fB\-h\fR\ \fIremote\ host\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR] @@ -61,7 +62,7 @@ [\fB\-C\fR\ \fIfd\fR] [\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR] [\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] -[\fB\-h\fR\ \fIhost\ name\fR] +[\fB\-h\fR\ \fIremote\ host\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] @@ -77,7 +78,7 @@ [\fB\-C\fR\ \fIfd\fR] [\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR] [\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR] -[\fB\-h\fR\ \fIhost\ name\fR] +[\fB\-h\fR\ \fIremote\ host\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR] file ... 
@@ -151,7 +152,7 @@ output may be logged as well. .PP The options are as follows: .TP 12n -\fB\-A\fR +\fB\-A\fR, \fB\--askpass\fR Normally, if \fBsudo\fR requires a password, it will read it from the user's terminal. @@ -183,7 +184,7 @@ If no askpass program is available, will exit with an error. .RE .TP 12n -\fB\-a\fR \fItype\fR +\fB\-a\fR, \fB\--auth-type\fR \fIauth_type\fR The \fB\-a\fR (\fIauthentication type\fR) option causes @@ -198,7 +199,7 @@ entry in \fI/etc/login.conf\fR. This option is only available on systems that support BSD authentication. .TP 12n -\fB\-b\fR +\fB\-b\fR, \fB\--background\fR The \fB\-b\fR (\fIbackground\fR) option tells @@ -210,7 +211,7 @@ option you cannot use shell job control to manipulate the process. Most interactive commands will fail to work properly in background mode. .TP 12n -\fB\-C\fR \fIfd\fR +\fB\-C\fR, \fB\--close-from\fR \fIfd\fR Normally, \fBsudo\fR will close all open file descriptors other than standard input, @@ -231,7 +232,7 @@ option when the administrator has enabled the \fIclosefrom_override\fR option. .TP 12n -\fB\-c\fR \fIclass\fR +\fB\-c\fR, \fB\--login-class\fR \fIclass\fR The \fB\-c\fR (\fIclass\fR) option causes @@ -259,7 +260,7 @@ as root, or the command must be run from a shell that is already root. This option is only available on systems with BSD login classes. .TP 12n -\fB\-E\fR +\fB\-E\fR, \fB\--preserve-env\fR The \fB\-E\fR (\fIpreserve environment\fR) option indicates to the security policy that the user wishes to @@ -269,7 +270,7 @@ The security policy may return an error if the option is specified and the user does not have permission to preserve the environment. .TP 12n -\fB\-e\fR +\fB\-e\fR, \fB\--edit\fR The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running a command, the user wishes 
@@ -322,7 +323,7 @@ receive a warning and the edited copy will remain in a temporary file. .RE .TP 12n -\fB\-g\fR \fIgroup\fR +\fB\-g\fR, \fB\--group\fR \fIgroup\fR Normally, \fBsudo\fR runs a command with the primary group set to the one specified by @@ -335,15 +336,11 @@ option causes to run the command with the primary group set to \fIgroup\fR instead. -To specify a -\fIgid\fR -instead of a -\fIgroup name\fR, -use +To specify a numeric group ID +(gid) +instead of a group name, use \fI#gid\fR. -When running commands as a -\fIgid\fR, -many shells require that the +When running commands as a gid, many shells require that the \(oq#\(cq be escaped with a backslash (\(oq\e\(cq). @@ -354,7 +351,7 @@ option is specified, the command will be run as the invoking user In either case, the primary group will be set to \fIgroup\fR. .TP 12n -\fB\-H\fR +\fB\-H\fR, \fB\--set-home\fR The \fB\-H\fR (\fIHOME\fR) option requests that the security policy set the @@ -363,21 +360,23 @@ environment variable to the home directory of the target user (root by default) as specified by the password database. Depending on the policy, this may be the default behavior. .TP 12n -\fB\-h\fR [\fIhost name\fR] +\fB\-h\fR, \fB\--help\fR +The +\fB\-h\fR (\fIhelp\fR) +option causes +\fBsudo\fR +will print a short help message to the standard output and exit. +.TP 12n +\fB\-h\fR, \fB\--host\fR \fIremote host\fR If a -\fIhost name\fR +\fIremote host\fR is specified and the policy plugin supports it, the command will be run on the specified remote host. Note that the \fIsudoers\fR plugin does not currently support running remote commands. -If no -\fIhost name\fR -is specified, -\fBsudo\fR -will print a short help message to the standard output and exit. .TP 12n -\fB\-i\fR [\fIcommand\fR] +\fB\-i\fR, \fB\--login\fR [\fIcommand\fR] The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified by the password database entry of 
@@ -407,7 +406,7 @@ option affects the environment in which a command is run when the \fIsudoers\fR policy is in use. .TP 12n -\fB\-K\fR +\fB\-K\fR, \fB\--remove-timestamp\fR The \fB\-K\fR (sure \fIkill\fR) option is like @@ -417,7 +416,7 @@ may not be used in conjunction with a command or other option. This option does not require a password. Not all security policies support credential caching. .TP 12n -\fB\-k\fR [\fIcommand\fR] +\fB\-k\fR, \fB\--reset-timestamp\fR [\fIcommand\fR] When used alone, the \fB\-k\fR (\fIkill\fR) option to @@ -445,7 +444,7 @@ As a result, will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials. .TP 12n -\fB\-l\fR[\fBl\fR] [\fIcommand\fR] +\fB\-l\fR[\fBl\fR], \fB\--list\fR [\fIcommand\fR] If no \fIcommand\fR is specified, the @@ -474,7 +473,7 @@ or if \fB\-l\fR is specified multiple times, a longer list format is used. .TP 12n -\fB\-n\fR +\fB\-n\fR, \fB\--non-interactive\fR The \fB\-n\fR (\fInon-interactive\fR) option prevents @@ -484,7 +483,7 @@ If a password is required for the command to run, \fBsudo\fR will display an error message and exit. .TP 12n -\fB\-P\fR +\fB\-P\fR, \fB\--preserve-groups\fR The \fB\-P\fR (\fIpreserve group vector\fR) option causes @@ -497,7 +496,7 @@ target user is in. The real and effective group IDs, however, are still set to match the target user. .TP 12n -\fB\-p\fR \fIprompt\fR +\fB\-p\fR, \fB\--prompt\fR \fIprompt\fR The \fB\-p\fR (\fIprompt\fR) option allows you to override the default password prompt and use @@ -557,14 +556,14 @@ flag is disabled in \fIsudoers\fR. .RE .TP 12n -\fB\-r\fR \fIrole\fR +\fB\-r\fR, \fB\--role\fR \fIrole\fR The \fB\-r\fR (\fIrole\fR) -option causes the new (SELinux) security context to have the role +option causes the new SELinux security context to have the role specified by \fIrole\fR. .TP 12n -\fB\-S\fR +\fB\-S\fR, \fB\--stdin\fR The \fB\-S\fR (\fIstdin\fR) option causes 
@@ -573,7 +572,7 @@ to read the password from the standard input instead of the terminal device. The password must be followed by a newline character. .TP 12n -\fB\-s\fR [\fIcommand\fR] +\fB\-s\fR, \fB\--shell\fR [\fIcommand\fR] The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the @@ -586,16 +585,16 @@ via the shell's option. If no command is specified, an interactive shell is executed. .TP 12n -\fB\-t\fR \fItype\fR +\fB\-t\fR, \fB\--type\fR \fItype\fR The \fB\-t\fR (\fItype\fR) -option causes the new (SELinux) security context to have the type +option causes the new SELinux security context to have the type specified by \fItype\fR. If no type is specified, the default type is derived from the specified role. .TP 12n -\fB\-U\fR \fIuser\fR +\fB\-U\fR, \fB\--other-user\fR \fIuser\fR The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the @@ -608,37 +607,31 @@ policy only allows root or a user with the \fRALL\fR privilege on the current host to use this option. .TP 12n -\fB\-u\fR \fIuser\fR +\fB\-u\fR, \fB\--user\fR \fIuser\fR The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command as a user other than \fIroot\fR. -To specify a -\fIuid\fR -instead of a -\fIuser name\fR, +To specify a numeric user ID +(uid) +instead of a user name, use \fI#uid\fR. -When running commands as a -\fIuid\fR, -many shells require that the +When running commands as a uid, many shells require that the \(oq#\(cq be escaped with a backslash (\(oq\e\(cq). -Security policies may restrict -\fIuid\fRs +Some security policies may restrict uids to those listed in the password database. The \fIsudoers\fR -policy allows -\fIuid\fRs -that are not in the password database as long as the +policy allows uids that are not in the password database as long as the \fItargetpw\fR option is not set. Other security policies may not support this. .TP 12n -\fB\-V\fR +\fB\-V\fR, \fB\--version\fR The \fB\-V\fR (\fIversion\fR) option causes 
@@ -652,7 +645,7 @@ option will display the arguments passed to configure when was built and plugins may display more verbose information such as default options. .TP 12n -\fB\-v\fR +\fB\-v\fR, \fB\--validate\fR When given the \fB\-v\fR (\fIvalidate\fR) option, @@ -701,7 +694,7 @@ When \fBsudo\fR executes a command, the security policy specifies the execution environment for the command. -Typically, the real and effective uid and gid are set to +Typically, the real and effective user and group and IDs are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database (unless the diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 74dd3cd3b..6e8a95936 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -39,6 +39,9 @@ .Op Fl g Ar group name No | Ar #gid .Ek .Bk -words +.Op Fl h Ar remote host +.Ek +.Bk -words .Op Fl p Ar prompt .Ek .Bk -words @@ -54,7 +57,7 @@ .Op Fl g Ar group name No | Ar #gid .Ek .Bk -words -.Op Fl h Ar host name +.Op Fl h Ar remote host .Ek .Bk -words .Op Fl p Ar prompt @@ -81,7 +84,7 @@ .Op Fl g Ar group name No | Ar #gid .Ek .Bk -words -.Op Fl h Ar host name +.Op Fl h Ar remote host .Ek .Bk -words .Op Fl p Ar prompt @@ -117,7 +120,7 @@ .Op Fl g Ar group name No | Ar #gid .Ek .Bk -words -.Op Fl h Ar host name +.Op Fl h Ar remote host .Ek .Bk -words .Op Fl p Ar prompt @@ -197,7 +200,7 @@ output may be logged as well. .Pp The options are as follows: .Bl -tag -width Fl -.It Fl A +.It Fl A , -askpass Normally, if .Nm sudo requires a password, it will read it from the user's terminal. @@ -223,7 +226,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass If no askpass program is available, .Nm sudo will exit with an error. -.It Fl a Ar type +.It Fl a , -auth-type Ar auth_type The .Fl a No ( Em "authentication type" Ns No ) option causes 
@@ -237,7 +240,7 @@ authentication methods by adding an entry in .Pa /etc/login.conf . This option is only available on systems that support BSD authentication. -.It Fl b +.It Fl b , -background The .Fl b No ( Em background Ns No ) option tells @@ -248,7 +251,7 @@ Note that if you use the option you cannot use shell job control to manipulate the process. Most interactive commands will fail to work properly in background mode. -.It Fl C Ar fd +.It Fl C , -close-from Ar fd Normally, .Nm sudo will close all open file descriptors other than standard input, @@ -268,7 +271,7 @@ policy only permits use of the option when the administrator has enabled the .Em closefrom_override option. -.It Fl c Ar class +.It Fl c , -login-class Ar class The .Fl c No ( Em class Ns No ) option causes @@ -295,7 +298,7 @@ as root, or the .Nm sudo command must be run from a shell that is already root. This option is only available on systems with BSD login classes. -.It Fl E +.It Fl E , -preserve-env The .Fl E No ( Em preserve environment Ns No ) option indicates to the security policy that the user wishes to @@ -304,7 +307,7 @@ The security policy may return an error if the .Fl E option is specified and the user does not have permission to preserve the environment. -.It Fl e +.It Fl e , -edit The .Fl e No ( Em edit Ns No ) option indicates that, instead of running a command, the user wishes @@ -351,7 +354,7 @@ If, for some reason, is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file. -.It Fl g Ar group +.It Fl g , -group Ar group Normally, .Nm sudo runs a command with the primary group set to the one specified by 
@@ -364,15 +367,11 @@ option causes to run the command with the primary group set to .Ar group instead. -To specify a -.Em gid -instead of a -.Em "group name" , -use -.Em #gid . -When running commands as a -.Em gid , -many shells require that the +To specify a numeric group ID +.Pq gid +instead of a group name, use +.Ar #gid . +When running commands as a gid, many shells require that the .Ql # be escaped with a backslash .Pq Ql \e . @@ -381,8 +380,8 @@ If no option is specified, the command will be run as the invoking user (not root). In either case, the primary group will be set to -.Em group . -.It Fl H +.Ar group . +.It Fl H , -set-home The .Fl H No ( Em HOME Ns No ) option requests that the security policy set the @@ -390,20 +389,21 @@ option requests that the security policy set the environment variable to the home directory of the target user (root by default) as specified by the password database. Depending on the policy, this may be the default behavior. -.It Fl h Op Ar host name +.It Fl h , -help +The +.Fl h No ( Em help Ns No ) +option causes +.Nm sudo +will print a short help message to the standard output and exit. +.It Fl h , -host Ar remote host If a -.Ar host name +.Ar remote host is specified and the policy plugin supports it, the command will be run on the specified remote host. Note that the .Em sudoers plugin does not currently support running remote commands. -If no -.Ar host name -is specified, -.Nm sudo -will print a short help message to the standard output and exit. -.It Fl i Op Ar command +.It Fl i , -login Op Ar command The .Fl i No ( Em simulate initial login Ns No ) option runs the shell specified by the password database entry of @@ -432,7 +432,7 @@ manual documents how the option affects the environment in which a command is run when the .Em sudoers policy is in use. -.It Fl K +.It Fl K , -remove-timestamp The .Fl K No ( sure Em kill Ns No ) option is like 
@@ -441,7 +441,7 @@ except that it removes the user's cached credentials entirely and may not be used in conjunction with a command or other option. This option does not require a password. Not all security policies support credential caching. -.It Fl k Op Ar command +.It Fl k , -reset-timestamp Op Ar command When used alone, the .Fl k No ( Em kill Ns No ) option to @@ -468,7 +468,7 @@ As a result, .Nm sudo will prompt for a password (if one is required by the security policy) and will not update the user's cached credentials. -.It Fl l Ns Oo Sy l Oc Op Ar command +.It Fl l Ns Oo Sy l Oc , Fl -list Op Ar command If no .Ar command is specified, the @@ -496,7 +496,7 @@ argument or if .Fl l is specified multiple times, a longer list format is used. -.It Fl n +.It Fl n , -non-interactive The .Fl n No ( Em non-interactive Ns No ) option prevents @@ -505,7 +505,7 @@ from prompting the user for a password. If a password is required for the command to run, .Nm sudo will display an error message and exit. -.It Fl P +.It Fl P , -preserve-groups The .Fl P No ( Em preserve group vector Ns No ) option causes @@ -517,7 +517,7 @@ policy will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. -.It Fl p Ar prompt +.It Fl p , -prompt Ar prompt The .Fl p No ( Em prompt Ns No ) option allows you to override the default password prompt and use @@ -567,13 +567,13 @@ support PAM unless the .Em passprompt_override flag is disabled in .Em sudoers . -.It Fl r Ar role +.It Fl r , -role Ar role The .Fl r No ( Em role Ns No ) -option causes the new (SELinux) security context to have the role +option causes the new SELinux security context to have the role specified by .Ar role . -.It Fl S +.It Fl S , -stdin The .Fl S ( Em stdin Ns No ) option causes 
@@ -581,7 +581,7 @@ option causes to read the password from the standard input instead of the terminal device. The password must be followed by a newline character. -.It Fl s Op Ar command +.It Fl s , -shell Op Ar command The .Fl s ( Em shell Ns No ) option runs the shell specified by the @@ -593,15 +593,15 @@ via the shell's .Fl c option. If no command is specified, an interactive shell is executed. -.It Fl t Ar type +.It Fl t , -type Ar type The .Fl t ( Em type Ns No ) -option causes the new (SELinux) security context to have the type +option causes the new SELinux security context to have the type specified by .Ar type . If no type is specified, the default type is derived from the specified role. -.It Fl U Ar user +.It Fl U , -other-user Ar user The .Fl U ( Em other user Ns No ) option is used in conjunction with the @@ -613,36 +613,30 @@ The policy only allows root or a user with the .Li ALL privilege on the current host to use this option. -.It Fl u Ar user +.It Fl u , -user Ar user The .Fl u ( Em user Ns No ) option causes .Nm sudo to run the specified command as a user other than .Em root . -To specify a -.Em uid -instead of a -.Em user name , -.Em #uid . -When running commands as a -.Em uid , -many shells require that the +To specify a numeric user ID +.Pq uid +instead of a user name, use +.Ar #uid . +When running commands as a uid, many shells require that the .Ql # be escaped with a backslash .Pq Ql \e . -Security policies may restrict -.Em uid Ns No s +Some security policies may restrict uids to those listed in the password database. The .Em sudoers -policy allows -.Em uid Ns No s -that are not in the password database as long as the +policy allows uids that are not in the password database as long as the .Em targetpw option is not set. Other security policies may not support this. -.It Fl V +.It Fl V , -version The .Fl V ( Em version Ns No ) option causes 
@@ -655,7 +649,7 @@ option will display the arguments passed to configure when .Nm sudo was built and plugins may display more verbose information such as default options. -.It Fl v +.It Fl v , -validate When given the .Fl v ( Em validate Ns No ) option, @@ -704,7 +698,7 @@ When .Nm sudo executes a command, the security policy specifies the execution environment for the command. -Typically, the real and effective uid and gid are set to +Typically, the real and effective user and group and IDs are set to match those of the target user, as specified in the password database, and the group vector is initialized based on the group database (unless the diff --git a/src/Makefile.in b/src/Makefile.in index 2d1a376de..3181bd9c5 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -38,7 +38,7 @@ LT_LIBS = $(top_builddir)/common/libcommon.la $(LIBOBJDIR)libreplace.la LIBS = @LIBS@ @SUDO_LIBS@ @GETGROUPS_LIB@ @NET_LIBS@ @LIBINTL@ $(LT_LIBS) # C preprocessor flags -CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(srcdir) -I$(top_srcdir) -I. @CPPFLAGS@ +CPPFLAGS = -I$(incdir) -I$(top_builddir) -I. -I$(srcdir) -I$(top_srcdir) @CPPFLAGS@ # Usually -O and/or -g CFLAGS = @CFLAGS@ @@ -106,7 +106,7 @@ Makefile: $(srcdir)/Makefile.in (cd $(top_builddir) && ./config.status --file src/Makefile) ./sudo_usage.h: $(srcdir)/sudo_usage.h.in - (cd $(top_builddir) && ./config.status --file src/sudo_usage.h) + (cd $(top_builddir) && ./config.status --file src/sudo_usage.h) .SUFFIXES: .c .h .lo .o diff --git a/src/parse_args.c b/src/parse_args.c index c67944378..e3779e554 100644 --- a/src/parse_args.c +++ b/src/parse_args.c @@ -49,7 +49,7 @@ #include #include -#include "sudo_usage.h" +#include #include "sudo.h" #include "lbuf.h" 
@@ -123,6 +123,45 @@ static struct sudo_settings { */ #define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL) +/* Option number for the --host long option due to ambiguity of the -h flag. */ +#define OPT_HOSTNAME 256 + +/* + * Available command line options, both short and long. + * Note that we must disable arg permutation to support setting environment + * variables and to better support the optional arg of the -h flag. + */ +static const char short_opts[] = "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:Sst:U:u:Vv"; +static struct option long_opts[] = { + { "askpass", no_argument, NULL, 'A' }, + { "auth-type", required_argument, NULL, 'a' }, + { "background", no_argument, NULL, 'b' }, + { "close-from", required_argument, NULL, 'C' }, + { "login-class", required_argument, NULL, 'c' }, + { "preserve-env", no_argument, NULL, 'E' }, + { "edit", no_argument, NULL, 'e' }, + { "group", required_argument, NULL, 'g' }, + { "set-home", no_argument, NULL, 'H' }, + { "help", no_argument, NULL, 'h' }, + { "host", required_argument, NULL, OPT_HOSTNAME }, + { "login", no_argument, NULL, 'i' }, + { "remove-timestamp", no_argument, NULL, 'K' }, + { "reset-timestamp", no_argument, NULL, 'k' }, + { "list", no_argument, NULL, 'l' }, + { "non-interactive", no_argument, NULL, 'n' }, + { "preserve-groups", no_argument, NULL, 'P' }, + { "prompt", required_argument, NULL, 'p' }, + { "role", required_argument, NULL, 'r' }, + { "stdin", no_argument, NULL, 'S' }, + { "shell", no_argument, NULL, 's' }, + { "type", required_argument, NULL, 't' }, + { "other-user", required_argument, NULL, 'U' }, + { "user", required_argument, NULL, 'u' }, + { "version", no_argument, NULL, 'V' }, + { "validate", no_argument, NULL, 'v' }, + { NULL, no_argument, NULL, '\0' }, +}; + /* * Command line argument parsing. * Sets nargc and nargv which corresponds to the argc/argv we'll use 
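Review bot: `short_opts` still accepts `D:`, but `long_opts` has no entry for it and this same commit drops `[-D level]` from every `SUDO_USAGE` string, so the flag stays parseable while disappearing from the usage output. If that is deliberate, the comment above the table should say so, for example `/* -D is still parsed but deliberately has no long form and is not listed in the usage text. */`. The comment could also note that each entry must stay in step with `short_opts`, the `switch` in parse_args() and the lines in help(), since an option now has to be added in all four places.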
@@ -186,11 +225,10 @@ parse_args(int argc, char **argv, int *nargc, char ***nargv, char ***settingsp, /* XXX - should fill in settings at the end to avoid dupes */ for (;;) { /* - * We disable arg permutation for GNU getopt(). * Some trickiness is required to allow environment variables * to be interspersed with command line options. */ - if ((ch = getopt_long(argc, argv, "+Aa:bC:c:D:Eeg:Hh::iKklnPp:r:Sst:U:u:Vv", NULL, NULL)) != -1) { + if ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) { switch (ch) { case 'A': SET(tgetpass_flags, TGP_ASKPASS); @@ -236,16 +274,18 @@ parse_args(int argc, char **argv, int *nargc, char ***nargv, char ***settingsp, sudo_settings[ARG_SET_HOME].value = "true"; break; case 'h': - if (optarg != NULL) { - sudo_settings[ARG_REMOTE_HOST].value = optarg; - } else { + if (optarg == NULL) { if (mode && mode != MODE_HELP) { if (strcmp(getprogname(), "sudoedit") != 0) usage_excl(1); } mode = MODE_HELP; valid_flags = 0; + break; } + /* FALLTHROUGH */ + case OPT_HOSTNAME: + sudo_settings[ARG_REMOTE_HOST].value = optarg; break; case 'i': sudo_settings[ARG_LOGIN_SHELL].value = "true"; @@ -318,7 +358,7 @@ parse_args(int argc, char **argv, int *nargc, char ***nargv, char ***settingsp, default: usage(1); } - } else if (got_host_flag) { + } else if (got_host_flag && optind < argc) { /* * Optional args only support -hhostname, not -h hostname. * If we see a non-option after the -h flag, treat as @@ -559,7 +599,7 @@ static void help(void) { struct lbuf lbuf; - int indent = 16; + const int indent = 30; const char *pname = getprogname(); debug_decl(help, SUDO_DEBUG_ARGS) 
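Review bot: In the `@@ -236,16 +274,18 @@` hunk, `case OPT_HOSTNAME:` stores `optarg` in `sudo_settings[ARG_REMOTE_HOST].value` without checking that it is non-empty. A `--host` given an empty argument therefore passes an empty remote host on to whatever consumes the settings. Rejecting it at parse time is cheap: add `if (*optarg == '\0') usage(1);` before the assignment. The dereference is safe on both paths, because the `/* FALLTHROUGH */` from `case 'h'` is only reached with a non-NULL `optarg` and the long option is declared `required_argument`. The enclosing `switch` in parse_args() starts and ends outside this hunk, so how the policy treats an empty value cannot be confirmed from here.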
@@ -573,67 +613,67 @@ help(void) usage(0); lbuf_append(&lbuf, _("\nOptions:\n")); - lbuf_append(&lbuf, " -A %s", + lbuf_append(&lbuf, " -A, --askpass %s", _("use helper program for password prompting\n")); #ifdef HAVE_BSD_AUTH_H - lbuf_append(&lbuf, " -a type %s", + lbuf_append(&lbuf, " -a, --auth-type auth_type %s", _("use specified BSD authentication type\n")); #endif - lbuf_append(&lbuf, " -b %s", + lbuf_append(&lbuf, " -b, --background %s", _("run command in the background\n")); - lbuf_append(&lbuf, " -C fd %s", + lbuf_append(&lbuf, " -C, --close-from fd %s", _("close all file descriptors >= fd\n")); #ifdef HAVE_LOGIN_CAP_H - lbuf_append(&lbuf, " -c class %s", + lbuf_append(&lbuf, " -c, --login-class class %s", _("run command with specified login class\n")); #endif - lbuf_append(&lbuf, " -E %s", + lbuf_append(&lbuf, " -E, --preserve-env %s", _("preserve user environment when executing command\n")); - lbuf_append(&lbuf, " -e %s", + lbuf_append(&lbuf, " -e, --edit %s", _("edit files instead of running a command\n")); - lbuf_append(&lbuf, " -g group %s", + lbuf_append(&lbuf, " -g, --group group name|#gid %s", _("execute command as the specified group\n")); - lbuf_append(&lbuf, " -H %s", + lbuf_append(&lbuf, " -H, --set-home %s", _("set HOME variable to target user's home dir.\n")); - lbuf_append(&lbuf, " -h %s", + lbuf_append(&lbuf, " -h, --help %s", _("display help message and exit\n")); - lbuf_append(&lbuf, " -h host name %s", - _("run command on specified host if supported\n")); - lbuf_append(&lbuf, " -i [command] %s", + lbuf_append(&lbuf, " -h, --host remote host %s", + _("run command on specified host (if supported)\n")); + lbuf_append(&lbuf, " -i, --login [command] %s", _("run a login shell as target user\n")); - lbuf_append(&lbuf, " -K %s", + lbuf_append(&lbuf, " -K, --remove-timestamp %s", _("remove timestamp file completely\n")); - lbuf_append(&lbuf, " -k %s", + lbuf_append(&lbuf, " -k, --reset-timestamp %s", _("invalidate timestamp file\n")); - 
lbuf_append(&lbuf, " -l[l] command %s", + lbuf_append(&lbuf, " -l[l], --list [command] %s", _("list user's available commands\n")); - lbuf_append(&lbuf, " -n %s", + lbuf_append(&lbuf, " -n, --non-interactive %s", _("non-interactive mode, will not prompt user\n")); - lbuf_append(&lbuf, " -P %s", + lbuf_append(&lbuf, " -P, --preserve-groups %s", _("preserve group vector instead of setting to target's\n")); - lbuf_append(&lbuf, " -p prompt %s", + lbuf_append(&lbuf, " -p, --prompt prompt %s", _("use specified password prompt\n")); #ifdef HAVE_SELINUX - lbuf_append(&lbuf, " -r role %s", + lbuf_append(&lbuf, " -r, --role role %s", _("create SELinux security context with specified role\n")); #endif - lbuf_append(&lbuf, " -S %s", + lbuf_append(&lbuf, " -S, --stdin %s", _("read password from standard input\n")); - lbuf_append(&lbuf, - " -s [command] %s", _("run a shell as target user\n")); + lbuf_append(&lbuf, " -s, --shell [command] %s", + _("run a shell as target user\n")); #ifdef HAVE_SELINUX - lbuf_append(&lbuf, " -t type %s", + lbuf_append(&lbuf, " -t, --type type %s", _("create SELinux security context with specified role\n")); #endif - lbuf_append(&lbuf, " -U user %s", + lbuf_append(&lbuf, " -U, --other-user user name %s", _("when listing, list specified user's privileges\n")); - lbuf_append(&lbuf, " -u user %s", + lbuf_append(&lbuf, " -u, --user user name|#uid %s", _("run command (or edit file) as specified user\n")); - lbuf_append(&lbuf, " -V %s", + lbuf_append(&lbuf, " -V, --version %s", _("display version information and exit\n")); - lbuf_append(&lbuf, " -v %s", + lbuf_append(&lbuf, " -v, --validate %s", _("update user's timestamp without running a command\n")); - lbuf_append(&lbuf, " -- %s", + lbuf_append(&lbuf, " -- %s", _("stop processing command line arguments\n")); lbuf_print(&lbuf); lbuf_destroy(&lbuf); diff --git a/src/sudo.c b/src/sudo.c index e9eac66ca..8815ecfc4 100644 --- a/src/sudo.c +++ b/src/sudo.c 
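Review bot: The rewritten `-t, --type type` line in help() is still paired with the description `create SELinux security context with specified role\n`, which is the same text as the `-r, --role role` line. It should read `_("create SELinux security context with specified type\n")`. The description is unchanged context in this hunk, but the option column next to it is rewritten here, so this is the natural place to fix it. Changing it alters a translatable msgid, so the message catalogs would need regenerating.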
@@ -83,10 +83,10 @@ # include #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ +#include #include "sudo.h" #include "sudo_plugin.h" #include "sudo_plugin_int.h" -#include "sudo_usage.h" /* * Local variables diff --git a/src/sudo_usage.h.in b/src/sudo_usage.h.in index b78198803..fb520afcb 100644 --- a/src/sudo_usage.h.in +++ b/src/sudo_usage.h.in @@ -23,11 +23,11 @@ * Usage strings for sudo. These are here because we * need to be able to substitute values from configure. */ -#define SUDO_USAGE1 " [-D level] -h | -K | -k | -V" -#define SUDO_USAGE2 " -v [-AknS] @BSDAUTH_USAGE@[-D level] [-g groupname|#gid] [-h hostname] [-p prompt] [-u user name|#uid]" -#define SUDO_USAGE3 " -l[l] [-AknS] @BSDAUTH_USAGE@[-D level] [-g groupname|#gid] [-h hostname] [-p prompt] [-U user name] [-u user name|#uid] [command]" -#define SUDO_USAGE4 " [-AbEHknPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] [-D level] @LOGINCAP_USAGE@[-g groupname|#gid] [-h hostname] [-p prompt] [-u user name|#uid] [VAR=value] [-i|-s] []" -#define SUDO_USAGE5 " -e [-AknS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] [-D level] @LOGINCAP_USAGE@[-g groupname|#gid] [-h hostname] [-p prompt] [-u user name|#uid] file ..." +#define SUDO_USAGE1 " -h | -K | -k | -V" +#define SUDO_USAGE2 " -v [-AknS] @BSDAUTH_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-u user name|#uid]" +#define SUDO_USAGE3 " -l[l] [-AknS] @BSDAUTH_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-U user name] [-u user name|#uid] [command]" +#define SUDO_USAGE4 " [-AbEHknPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-u user name|#uid] [VAR=value] [-i|-s] []" +#define SUDO_USAGE5 " -e [-AknS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g group name|#gid] [-h remote host] [-p prompt] [-u user name|#uid] file ..." /* * Configure script arguments used to build sudo.