From: Todd C. Miller Date: Mon, 10 Jan 2011 14:26:41 +0000 (-0500) Subject: regen X-Git-Tag: SUDO_1_7_5~77 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6eb5f601b55a1ac033a60666695e3e768ffb9c17;p=sudo regen --HG-- branch : 1.7 --- diff --git a/sudoers.cat b/sudoers.cat index d19cdff22..6975221c8 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5b2 November 13, 2010 1 +1.7.5b2 December 17, 2010 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 2 +1.7.5b2 December 17, 2010 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 3 +1.7.5b2 December 17, 2010 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 4 +1.7.5b2 December 17, 2010 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 5 +1.7.5b2 December 17, 2010 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 6 +1.7.5b2 December 17, 2010 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 7 +1.7.5b2 December 17, 2010 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 8 +1.7.5b2 December 17, 2010 8 @@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 9 +1.7.5b2 December 17, 2010 9 @@ -655,7 +655,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.7.5b2 November 13, 2010 10 +1.7.5b2 December 17, 2010 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 11 +1.7.5b2 December 17, 2010 11 @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 12 +1.7.5b2 December 17, 2010 12 @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 13 +1.7.5b2 December 17, 2010 13 
@@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 14 +1.7.5b2 December 17, 2010 14 @@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 15 +1.7.5b2 December 17, 2010 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 November 13, 2010 16 +1.7.5b2 December 17, 2010 16 @@ -1060,6 +1060,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + iolog_dir The directory in which to store input/output logs when + the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled or when + the or LOG_OUTPUT tags are present for a + command. The default is "/var/log/sudo-io". + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape %h will expand to the host name of the machine. Default is *** SECURITY information for %h ***. @@ -1109,22 +1114,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) before any Runas_Alias specifications. syslog_badpri Syslog priority to use when user authenticates - unsuccessfully. Defaults to alert. - syslog_goodpri Syslog priority to use when user authenticates - successfully. Defaults to notice. +1.7.5b2 December 17, 2010 17 -1.7.5b2 November 13, 2010 17 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + unsuccessfully. Defaults to alert. + syslog_goodpri Syslog priority to use when user authenticates + successfully. Defaults to notice. sudoers_locale Locale to use when parsing the sudoers file. Note that changing the locale may affect how sudoers is @@ -1176,14 +1181,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) once Only lecture the user the first time they run ssuuddoo. - If no value is specified, a value of _o_n_c_e is implied. - Negating the option results in a value of _n_e_v_e_r being used. - The default value is _o_n_c_e. - - -1.7.5b2 November 13, 2010 18 +1.7.5b2 December 17, 2010 18 
@@ -1192,6 +1192,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _o_n_c_e. + lecture_file Path to a file containing an alternate ssuuddoo lecture that will be used in place of the standard lecture if the named @@ -1242,14 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) environment variable you may want to use this. Another use is if you want to have the "root path" be separate from the "user path." Users in the group specified by the - _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This - option is not set by default. - syslog Syslog facility if syslog is being used for logging (negate - -1.7.5b2 November 13, 2010 19 +1.7.5b2 December 17, 2010 19 @@ -1258,6 +1258,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + option is not set by default. + + syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to auth. verifypw This option controls when a password will be required when @@ -1308,14 +1312,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) default list of environment variables to remove is displayed when ssuuddoo is run by root with the _-_V option. Note that many operating systems will remove - potentially dangerous variables from the environment of - any setuid process (such as ssuuddoo). - - env_keep Environment variables to be preserved in the user's -1.7.5b2 November 13, 2010 20 +1.7.5b2 December 17, 2010 20 
@@ -1324,6 +1324,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). + + env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained control over the environment ssuuddoo-spawned processes will receive. The argument may @@ -1374,14 +1378,10 @@ EEXXAAMMPPLLEESS Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ SGI = grolsch, dandelion, black :\ ALPHA = widget, thalamus, foobar :\ - HPPA = boa, nag, python - Host_Alias CUNETS = 128.138.0.0/255.255.0.0 - Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 - Host_Alias SERVERS = master, mail, www, ns -1.7.5b2 November 13, 2010 21 +1.7.5b2 December 17, 2010 21 @@ -1390,6 +1390,10 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules # Cmnd alias specification @@ -1441,13 +1445,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) PARTTIMERS ALL = ALL - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on - any host but they must authenticate themselves first (since the entry - lacks the NOPASSWD tag). - -1.7.5b2 November 13, 2010 22 +1.7.5b2 December 17, 2010 22 @@ -1456,6 +1456,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on + any host but they must authenticate themselves first (since the entry + lacks the NOPASSWD tag). + jack CSNETS = ALL The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias 
@@ -1506,21 +1510,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Users in the sseeccrreettaarriieess netgroup need to help manage the printers as well as add and remove users, so they are allowed to run those commands - on all machines. - fred ALL = (DB) NOPASSWD: ALL +1.7.5b2 December 17, 2010 23 -1.7.5b2 November 13, 2010 23 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + on all machines. + fred ALL = (DB) NOPASSWD: ALL The user ffrreedd can run commands as any user in the _D_B Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. @@ -1573,13 +1577,9 @@ SSEECCUURRIITTYY NNOOTTEESS bill ALL = ALL, !SU, !SHELLS - Doesn't really prevent bbiillll from running the commands listed in _S_U or - _S_H_E_L_L_S since he can simply copy those commands to a different name, or - use a shell escape from an editor or other program. Therefore, these - -1.7.5b2 November 13, 2010 24 +1.7.5b2 December 17, 2010 24 @@ -1588,6 +1588,9 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). @@ -1621,7 +1624,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS where shell escapes are disabled, though ssuuddooeeddiitt is a better solution to running editors via ssuuddoo. Due to the large number of programs that offer shell escapes, restricting - users to the set of programs that do not if often unworkable. + users to the set of programs that do not is often unworkable. noexec Many systems that support shared libraries have the ability to override default library functions by pointing an 
@@ -1640,12 +1643,9 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS If the resulting output contains a line that begins with: - File containing dummy exec functions: - - -1.7.5b2 November 13, 2010 25 +1.7.5b2 December 17, 2010 25 @@ -1654,6 +1654,8 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + File containing dummy exec functions: + then ssuuddoo may be able to replace the exec family of functions in the standard library with its own that simply return an error. Unfortunately, there is no foolproof way to know @@ -1709,9 +1711,7 @@ SSUUPPPPOORRTT - - -1.7.5b2 November 13, 2010 26 +1.7.5b2 December 17, 2010 26 @@ -1777,6 +1777,6 @@ DDIISSCCLLAAIIMMEERR -1.7.5b2 November 13, 2010 27 +1.7.5b2 December 17, 2010 27 diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index dba3cbbee..d858eb000 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5b2 November 13, 2010 1 +1.7.5b2 January 10, 2011 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.5b2 November 13, 2010 2 +1.7.5b2 January 10, 2011 2 
@@ -138,11 +138,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) ssuuddooOOrrddeerr The sudoRole entries retrieved from the LDAP directory have no - inherent order. The ssuuddooOOrrddeerr attribute is an integer that will be - used to sort the matching entries. This allows to more closely - mimic the behaviour of the sudoers file, where the of the entries - does have an influence on the result. If the ssuuddooOOrrddeerr attribute - is not present, a value of 0 is assumed. + inherent order. The ssuuddooOOrrddeerr attribute is an integer (or floating + point value for LDAP servers that support it) that is used to sort + the matching entries. This allows LDAP-based sudoers entries to + more closely mimic the behaviour of the sudoers file, where the of + the entries influences the result. If multiple entries match, the + entry with the highest ssuuddooOOrrddeerr attribute is chosen. This + corresponds to the "last match" behavior of the sudoers file. If + the ssuuddooOOrrddeerr attribute is not present, a value of 0 is assumed. Each component listed above should contain a single value, but there may be multiple instances of each component type. A sudoRole must 
@@ -176,24 +179,21 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) There are some subtle differences in the way sudoers is handled once in LDAP. Probably the biggest is that according to the RFC, LDAP ordering is arbitrary and you cannot expect that Attributes and Entries are - returned in any specific order. If there are conflicting command rules - on an entry, the negative takes precedence. This is called paranoid - behavior (not necessarily the most specific match). + returned in any specific order. + + The order in which different entries are applied can be controlled + using the ssuuddooOOrrddeerr attribute, but there is no way to guarantee the + order of attributes within a specific entry. If there are conflicting + command rules in an entry, the negative takes precedence. This is + called paranoid behavior (not necessarily the most specific match). Here is an example: - # /etc/sudoers: - # Allow all commands except shell - johnny ALL=(root) ALL,!/bin/sh - # Always allows all commands because ALL is matched last - puddles ALL=(root) !/bin/sh,ALL - # LDAP equivalent of johnny - # Allows all commands except shell -1.7.5b2 November 13, 2010 3 +1.7.5b2 January 10, 2011 3 @@ -202,6 +202,14 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # /etc/sudoers: + # Allow all commands except shell + johnny ALL=(root) ALL,!/bin/sh + # Always allows all commands because ALL is matched last + puddles ALL=(root) !/bin/sh,ALL + + # LDAP equivalent of johnny + # Allows all commands except shell dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com objectClass: sudoRole objectClass: top 
@@ -224,8 +232,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoCommand: ALL Another difference is that negations on the Host, User or Runas are - currently ignorred. For example, the following attributes do not - behave the way one might expect. + currently ignored. For example, the following attributes do not behave + the way one might expect. # does not match all but joe # rather, does not match anyone @@ -248,26 +256,26 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Three versions of the schema: one for OpenLDAP servers (_s_c_h_e_m_a_._O_p_e_n_L_D_A_P), one for Netscape-derived servers (_s_c_h_e_m_a_._i_P_l_a_n_e_t), - and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be - found in the ssuuddoo distribution. - The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES - section. - CCoonnffiigguurriinngg llddaapp..ccoonnff - Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. +1.7.5b2 January 10, 2011 4 -1.7.5b2 November 13, 2010 4 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + and one for Microsoft Active Directory (_s_c_h_e_m_a_._A_c_t_i_v_e_D_i_r_e_c_t_o_r_y) may be + found in the ssuuddoo distribution. + The schema for ssuuddoo in OpenLDAP form is included in the EXAMPLES + section. + CCoonnffiigguurriinngg llddaapp..ccoonnff + Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from 
@@ -315,25 +323,27 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) multiple UURRIIs or HHOOSSTTs are specified, this is the amount of time to wait before trying the next one in the list. - TTIIMMEELLIIMMIITT seconds - The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, - to wait for a response to an LDAP query. - SSUUDDOOEERRSS__BBAASSEE base - The base DN to use when performing ssuuddoo LDAP queries. Typically - this is of the form ou=SUDOers,dc=example,dc=com for the domain +1.7.5b2 January 10, 2011 5 -1.7.5b2 November 13, 2010 5 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + NNEETTWWOORRKK__TTIIMMEEOOUUTT seconds + An alias for BBIINNDD__TTIIMMEELLIIMMIITT. + TTIIMMEELLIIMMIITT seconds + The TTIIMMEELLIIMMIITT parameter specifies the amount of time, in seconds, + to wait for a response to an LDAP query. + SSUUDDOOEERRSS__BBAASSEE base + The base DN to use when performing ssuuddoo LDAP queries. Typically + this is of the form ou=SUDOers,dc=example,dc=com for the domain example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in which case they are queried in the order specified. @@ -378,20 +388,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Typically, this involves connecting to the server on port 636 (ldaps). - SSSSLL start_tls - If the SSSSLL parameter is set to start_tls, the LDAP server - connection is initiated normally and TLS encryption is begun before - the bind credentials are sent. This has the advantage of not - requiring a dedicated port for encrypted communications. This - parameter is only supported by LDAP servers that honor the - start_tls extension, such as the OpenLDAP server. - - TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no - If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS -1.7.5b2 November 13, 2010 6 +1.7.5b2 January 10, 2011 6 
@@ -400,6 +400,16 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + SSSSLL start_tls + If the SSSSLL parameter is set to start_tls, the LDAP server + connection is initiated normally and TLS encryption is begun before + the bind credentials are sent. This has the advantage of not + requiring a dedicated port for encrypted communications. This + parameter is only supported by LDAP servers that honor the + start_tls extension, such as the OpenLDAP server. + + TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no + If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown certificate authority), ssuuddoo will be unable to connect to it. If @@ -444,27 +454,26 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) TTLLSS__KKEEYY file name The path to a file containing the private key which matches the certificate specified by TTLLSS__CCEERRTT. The private key must not be - password-protected. The key type depends on the LDAP libraries - used. - OpenLDAP: - tls_key /etc/ssl/client_key.pem - Netscape-derived: - tls_key /var/ldap/key3.db +1.7.5b2 January 10, 2011 7 -1.7.5b2 November 13, 2010 7 - +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + password-protected. The key type depends on the LDAP libraries + used. -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + OpenLDAP: + tls_key /etc/ssl/client_key.pem + Netscape-derived: + tls_key /var/ldap/key3.db TTLLSS__RRAANNDDFFIILLEE file name The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source 
@@ -512,25 +521,25 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) The following sources are recognized: - files read sudoers from F - ldap read sudoers from LDAP - In addition, the entry [NOTFOUND=return] will short-circuit the search - if the user was not found in the preceding source. - To consult LDAP first followed by the local sudoers file (if it - exists), use: +1.7.5b2 January 10, 2011 8 -1.7.5b2 November 13, 2010 8 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + files read sudoers from F + ldap read sudoers from LDAP -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + In addition, the entry [NOTFOUND=return] will short-circuit the search + if the user was not found in the preceding source. + To consult LDAP first followed by the local sudoers file (if it + exists), use: sudoers: ldap files @@ -577,27 +586,24 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) FFIILLEESS _/_e_t_c_/_l_d_a_p_._c_o_n_f LDAP configuration file - _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order - - _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX - -EEXXAAMMPPLLEESS - EExxaammppllee llddaapp..ccoonnff - +1.7.5b2 January 10, 2011 9 -1.7.5b2 November 13, 2010 9 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f determines sudoers source order + _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f determines sudoers source order on AIX +EEXXAAMMPPLLEESS + EExxaammppllee llddaapp..ccoonnff # Either specify one or more URIs or one or more host:port pairs. # If neither is specified sudo will default to localhost, port 389. # 
@@ -646,16 +652,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # extension such as OpenLDAP. #ssl start_tls # - # Additional TLS options follow that allow tweaking of the - # SSL/TLS connection. - # - #tls_checkpeer yes # verify server SSL certificate - #tls_checkpeer no # ignore server SSL certificate - # -1.7.5b2 November 13, 2010 10 +1.7.5b2 January 10, 2011 10 @@ -664,6 +664,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # Additional TLS options follow that allow tweaking of the + # SSL/TLS connection. + # + #tls_checkpeer yes # verify server SSL certificate + #tls_checkpeer no # ignore server SSL certificate + # # If you enable tls_checkpeer, specify either tls_cacertfile # or tls_cacertdir. Only supported when using OpenLDAP. # @@ -712,16 +718,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # If using SASL authentication for LDAP (OpenSSL) # use_sasl yes # sasl_auth_id - # rootuse_sasl yes - # rootsasl_auth_id - # sasl_secprops none - # krb5_ccname /etc/.ldapcache - - -1.7.5b2 November 13, 2010 11 +1.7.5b2 January 10, 2011 11 @@ -730,6 +730,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # rootuse_sasl yes + # rootsasl_auth_id + # sasl_secprops none + # krb5_ccname /etc/.ldapcache + SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP The following schema is in OpenLDAP format. Simply copy it to the schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include @@ -779,15 +784,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.8 - NAME 'sudoNotBefore' - DESC 'Start of time interval for which the entry is valid' - EQUALITY generalizedTimeMatch - ORDERING generalizedTimeOrderingMatch -1.7.5b2 November 13, 2010 12 +1.7.5b2 January 10, 2011 12 
@@ -796,6 +796,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) attributetype ( 1.3.6.1.4.1.15953.9.1.9 @@ -824,10 +829,9 @@ SSEEEE AALLSSOO _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) CCAAVVEEAATTSS - The way that _s_u_d_o_e_r_s is parsed differs between Note that there are - differences in the way that LDAP-based _s_u_d_o_e_r_s is parsed compared to - file-based _s_u_d_o_e_r_s. See the "Differences between LDAP and non-LDAP - sudoers" section for more information. + Note that there are differences in the way that LDAP-based _s_u_d_o_e_r_s is + parsed compared to file-based _s_u_d_o_e_r_s. See the "Differences between + LDAP and non-LDAP sudoers" section for more information. BBUUGGSS If you feel you have found a bug in ssuuddoo, please submit a bug report at @@ -849,10 +853,6 @@ DDIISSCCLLAAIIMMEERR - - - - -1.7.5b2 November 13, 2010 13 +1.7.5b2 January 10, 2011 13 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index ee1b9a4e2..e04473b6a 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "January 10, 2011" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -258,11 +258,14 @@ If multiple \fBsudoNotAfter\fR entries are present, the last one is used. .IP "\fBsudoOrder\fR" 4 .IX Item "sudoOrder" The sudoRole entries retrieved from the \s-1LDAP\s0 directory have no -inherent order. The \fBsudoOrder\fR attribute is an integer that will -be used to sort the matching entries. This allows to more closely -mimic the behaviour of the sudoers file, where the of the entries -does have an influence on the result. If the \fBsudoOrder\fR attribute -is not present, a value of 0 is assumed. +inherent order. The \fBsudoOrder\fR attribute is an integer (or +floating point value for \s-1LDAP\s0 servers that support it) that is used +to sort the matching entries. This allows LDAP-based sudoers entries +to more closely mimic the behaviour of the sudoers file, where the +of the entries influences the result. If multiple entries match, +the entry with the highest \fBsudoOrder\fR attribute is chosen. This +corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If +the \fBsudoOrder\fR attribute is not present, a value of 0 is assumed. .PP Each component listed above should contain a single value, but there may be multiple instances of each component type. A sudoRole must 
@@ -298,8 +301,12 @@ to entries that satisfy the time constraints, if any are present. There are some subtle differences in the way sudoers is handled once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0, \&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes -and Entries are returned in any specific order. If there are -conflicting command rules on an entry, the negative takes precedence. +and Entries are returned in any specific order. +.PP +The order in which different entries are applied can be controlled +using the \fBsudoOrder\fR attribute, but there is no way to guarantee +the order of attributes within a specific entry. If there are +conflicting command rules in an entry, the negative takes precedence. This is called paranoid behavior (not necessarily the most specific match). .PP @@ -337,7 +344,7 @@ Here is an example: .Ve .PP Another difference is that negations on the Host, User or Runas are -currently ignorred. For example, the following attributes do not +currently ignored. For example, the following attributes do not behave the way one might expect. .PP .Vb 3 @@ -417,6 +424,9 @@ The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in secon to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or \&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying the next one in the list. +.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4 +.IX Item "NETWORK_TIMEOUT seconds" +An alias for \fB\s-1BIND_TIMELIMIT\s0\fR. .IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4 .IX Item "TIMELIMIT seconds" The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds, 
@@ -855,10 +865,9 @@ schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper \&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5) .SH "CAVEATS" .IX Header "CAVEATS" -The way that \fIsudoers\fR is parsed differs between Note that there -are differences in the way that LDAP-based \fIsudoers\fR is parsed -compared to file-based \fIsudoers\fR. See the \*(L"Differences between -\&\s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information. +Note that there are differences in the way that LDAP-based \fIsudoers\fR +is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences +between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information. .SH "BUGS" .IX Header "BUGS" If you feel you have found a bug in \fBsudo\fR, please submit a bug report diff --git a/sudoers.man.in b/sudoers.man.in index 2dfd25fba..69bc9e5e6 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "December 17, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -1104,6 +1104,12 @@ A colon (':') separated list of editors allowed to be used with \&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's \&\s-1EDITOR\s0 environment variable if possible, or the first editor in the list that exists and is executable. The default is \f(CW"@editor@"\fR. +.IP "iolog_dir" 16 +.IX Item "iolog_dir" +The directory in which to store input/output logs when the \fIlog_input\fR +or \fIlog_output\fR options are enabled or when the <\s-1LOG_INPUT\s0> or +\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. +The default is \f(CW"@iolog_dir@"\fR. .IP "mailsub" 16 .IX Item "mailsub" Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR @@ -1393,8 +1399,9 @@ Local groups file .IP "\fI/etc/netgroup\fR" 24 .IX Item "/etc/netgroup" List of network groups -.IP "\fI/var/log/sudo\-io\fR" 24 -.IX Item "/var/log/sudo-io" +.ie n .IP "\fI@iolog_dir@\fR" 24 +.el .IP "\fI@iolog_dir@\fR" 24 +.IX Item "@iolog_dir@" I/O log files .SH "EXAMPLES" .IX Header "EXAMPLES" @@ -1672,7 +1679,7 @@ arbitrary commands. Many editors have a restricted mode where shell escapes are disabled, though \fBsudoedit\fR is a better solution to running editors via \fBsudo\fR. Due to the large number of programs that offer shell escapes, restricting users to the set of programs that -do not if often unworkable. +do not is often unworkable. .IP "noexec" 10 .IX Item "noexec" Many systems that support shared libraries have the ability to
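Review bot: The LOG_INPUT tag is lost in the generated iolog_dir text. In the sudoers.cat hunk at @@ -1060,6 +1060,11 @@ the added sentence reads "when the or LOG_OUTPUT tags are present for a command", and in the sudoers.man.in hunk at @@ -1104,6 +1104,12 @@ the same sentence carries a literal `<\s-1LOG_INPUT\s0>` while LOG_OUTPUT is rendered as `\f(CW\*(C`LOG_OUTPUT\*(C'\fR`. That is the signature of LOG_INPUT missing its C<> (code) wrapper in the POD source, so the cat renderer drops the bare angle-bracket tag. Since both files are generated, fix the markup in sudoers.pod and run the regen again rather than patching these outputs by hand; the rendered text should read "when the LOG_INPUT or LOG_OUTPUT tags are present for a command".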
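Review bot: The rewritten sudoOrder paragraph still has a missing word. In the sudoers.ldap.cat hunk at @@ -138,11 +138,14 @@ and the sudoers.ldap.man.in hunk at @@ -258,11 +258,14 @@ the new text says "the sudoers file, where the of the entries influences the result"; the old text had the same gap ("where the of the entries does have an influence"). Since this hunk rewrites the sentence anyway, insert "order" in the POD source: "where the order of the entries influences the result". The new sentence "If multiple entries match, the entry with the highest sudoOrder attribute is chosen" is the key behavioural statement; it would be worth adding that, because a missing attribute is assumed to be 0, an entry with no sudoOrder sorts below any entry that has one and is therefore overridden by it when both match.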
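Review bot: The NETWORK_TIMEOUT entry added in the sudoers.ldap.cat hunk at @@ -315,25 +323,27 @@ and the sudoers.ldap.man.in hunk at @@ -417,6 +424,9 @@ says only "An alias for BIND_TIMELIMIT." A reader configuring a shared ldap.conf will want two more facts: why the second name is accepted (which other ldap.conf consumer spells the option this way) and which value wins when both BIND_TIMELIMIT and NETWORK_TIMEOUT are present in the same file. One sentence covering each would close the gap.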
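Review bot: The unchanged context line "certificated to be verified" in the sudoers.ldap.cat hunk at @@ -400,6 +400,16 @@ is a typo for "certificate to be verified". It is not introduced by this change, but the TLS_CHECKPEER paragraph is being moved across a page boundary here, so it is the natural moment to fix the word in sudoers.ldap.pod and pick it up in the same regen.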
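Review bot: The example ldap.conf lines moved in the sudoers.ldap.cat hunk at @@ -664,6 +664,12 @@ present "#tls_checkpeer no # ignore server SSL certificate" as a peer of "#tls_checkpeer yes # verify server SSL certificate" with no warning. With peer verification off, TLS still encrypts the session but no longer authenticates the server, so whoever can redirect or intercept the LDAP connection can serve forged sudoRole entries and thereby grant themselves privileges. Suggest a comment on that line such as "# not recommended: an unverified server can supply a forged sudoers policy", and a pointer to tls_cacertfile/tls_cacertdir (already mentioned in the following context lines) as the supported way to make verification work instead of turning it off.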
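Review bot: In the sudoers.man.in hunk at @@ -1393,8 +1399,9 @@ the two branches of the conditional are identical (`.ie n .IP "\fI@iolog_dir@\fR" 24` and `.el .IP "\fI@iolog_dir@\fR" 24`). This is what pod2man emits when the previous text contained an escaped hyphen (`sudo\-io`) and is harmless, but now that the path is the build-time placeholder @iolog_dir@ there is nothing left to escape, so a single `.IP` would do. Nothing needs to change in this generated file; just be aware that the same placeholder also appears in the `.IX Item "@iolog_dir@"` line, so the configure substitution must cover the index entry as well as the `.IP` line or the index will show the literal token.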