From: Todd C. Miller Date: Thu, 16 Aug 2012 14:11:04 +0000 (-0400) Subject: Expand description of fqdn to talk about systems where the hosts X-Git-Tag: SUDO_1_8_6^2~33 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=82115dfa1712e40045b4b7ba64f03e9f12c90a4b;p=sudo Expand description of fqdn to talk about systems where the hosts file is searched before DNS. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index d64cb4f95..5103e99e5 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -281,7 +281,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT the command may only be run wwiitthhoouutt command line arguments. A directory is a fully qualified path name ending in a `/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within - that directory (but not in any subdirectories therein). + that directory (but not in any sub-directories therein). If a Cmnd has associated command line arguments, then the arguments in the Cmnd must match exactly those given by the user on the command line @@ -293,7 +293,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT DDeeffaauullttss Certain configuration options may be changed from their default values at - runtime via one or more Default_Entry lines. These may affect all users + run-time via one or more Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Note that per-command entries may not include command line arguments. If you need to specify 
@@ -433,7 +433,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT SELinux role and/or type associated with a command. If a role or type is specified with the command it will override any default values specified in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will - supercede the values in _s_u_d_o_e_r_s. + supersede the values in _s_u_d_o_e_r_s. SSoollaarriiss__PPrriivv__SSppeecc On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris @@ -494,7 +494,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT without a password. Additionally, a user may only run ``sudo -v'' without a password if the NOPASSWD tag is present for all a user's entries that pertain to the current host. This behavior may be - overridden via the verifypw and listpw options. + overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. _N_O_E_X_E_C _a_n_d _E_X_E_C @@ -568,7 +568,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT When matching the command line arguments, however, a slash ddooeess get matched by wildcards since command line arguments may contain arbitrary - strings and not just pathnames. + strings and not just path names. Wildcards in command line arguments should be used with care. Because command line arguments are matched as a single, concatenated string, a @@ -585,7 +585,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT $ sudo cat /var/log/messages /etc/shadow - which is probaby not what was intended. + which is probably not what was intended. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: @@ -595,7 +595,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT with aannyy arguments. sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should - always be pathnames, so a forward slash (`/') will not be + always be path names, so a forward slash (`/') will not be matched by a wildcard. IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss 
@@ -677,7 +677,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT Long lines can be continued with a backslash (`\') as the last character on the line. - Whitespace between elements in a list as well as special syntactic + White space between elements in a list as well as special syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n (`=', `:', `(', `)') is optional. The following characters must be escaped with a backslash (`\') when used @@ -746,7 +746,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS since it accesses the file system, glob(3) can take a long time to complete for some patterns, especially when the pattern references a network file system that - is mounted on demand (automounted). The _f_a_s_t___g_l_o_b + is mounted on demand (auto mounted). The _f_a_s_t___g_l_o_b option causes ssuuddoo to use the fnmatch(3) function, which does not access the file system to do its matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is 
@@ -760,20 +760,48 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS flag is _o_f_f by default. fqdn Set this flag if you want to put fully qualified host - names in the _s_u_d_o_e_r_s file. In other words, instead of - myhost you would use myhost.mydomain.edu. You may - still use the short form if you wish (and even mix the - two). Beware that turning on _f_q_d_n requires ssuuddoo to - make DNS lookups which may make ssuuddoo unusable if DNS - stops working (for example if the machine is not - plugged into the network). Also note that you must use - the host's official name as DNS knows it. That is, you - may not use a host alias (CNAME entry) due to - performance issues and the fact that there is no way to - get all aliases from DNS. If your machine's host name - (as returned by the hostname command) is already fully - qualified you shouldn't need to set _f_q_d_n. This flag is - _o_f_f by default. + names in the _s_u_d_o_e_r_s file when the local host name (as + returned by the hostname command) does not contain the + domain name. In other words, instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). This + option is only effective when the ``canonical'' host + name, as returned by the ggeettaaddddrriinnffoo() or + ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain + name. This is usually the case when the system is + configured to use DNS for host name resolution. + + If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file + in preference to DNS, the ``canonical'' host name may + not be fully-qualified. The order that sources are + queried for hosts name resolution is usually specified + in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, + _/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f + file. 
In the _/_e_t_c_/_h_o_s_t_s file, the first host name of + the entry is considered to be the ``canonical'' name; + subsequent names are aliases that are not used by + ssuuddooeerrss. For example, the following hosts file line + for the machine ``xyzzy'' has the fully-qualified + domain name as the ``canonical'' host name, and the + short version as an alias. + + 192.168.1.1 xyzzy.sudo.ws xyzzy + + If the machine's hosts file entry is not formatted + properly, the _f_q_d_n option will not be effective if it + is queried before DNS. + + Beware that when using DNS for host name resolution, + turning on _f_q_d_n requires ssuuddooeerrss to make DNS lookups + which renders ssuuddoo unusable if DNS stops working (for + example if the machine is disconnected from the + network). Also note that just like with the hosts + file, you must use the ``canonical'' name as DNS knows + it. That is, you may not use a host alias (CNAME + entry) due to performance issues and the fact that + there is no way to get all aliases from DNS. + + This flag is _o_f_f by default. ignore_dot If set, ssuuddoo will ignore "." or "" (both denoting current directory) in the PATH environment variable; @@ -995,7 +1023,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS targetpw If set, ssuuddoo will prompt for the password of the user specified by the --uu option (defaults to root) instead of the password of the invoking user. In addition, the - timestamp file name will include the target user's + time stamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the --uu option. This flag is _o_f_f by default. 
@@ -1073,9 +1101,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set this to 0 to always prompt for a password. If set to a - value less than 0 the user's timestamp will never + value less than 0 the user's time stamp will never expire. This can be used to allow users to create or - delete their own timestamps via ``sudo -v'' and ``sudo + delete their own time stamps via ``sudo -v'' and ``sudo -k'' respectively. umask Umask to use when running the command. Negate this @@ -1239,17 +1267,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS locale may affect how sudoers is interpreted. Defaults to ``C''. - timestampdir The directory in which ssuuddoo stores its timestamp files. - The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. + timestampdir The directory in which ssuuddoo stores its time stamp + files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. - timestampowner The owner of the timestamp directory and the timestamps - stored therein. The default is root. + timestampowner The owner of the time stamp directory and the time + stamps stored therein. The default is root. type The default SELinux type to use when constructing a new security context to run the command. The default type may be overridden on a per-command basis in _s_u_d_o_e_r_s or via command line options. This option is only - available whe ssuuddoo is built with SELinux support. + available when ssuuddoo is built with SELinux support. SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: @@ -1422,7 +1450,7 @@ LLOOGG FFOORRMMAATT ssuuddooeerrss can log events using either syslog(3) or a simple log file. In each case the log format is almost identical. - CCoommmmaanndd lloogg eennttrriieess + AAcccceepptteedd ccoommmmaanndd lloogg eennttrriieess Commands that sudo runs are logged using the following format (split into multiple lines for readability): 
@@ -1469,9 +1497,9 @@ LLOOGG FFOORRMMAATT Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which defaults to the ``C'' locale. - EErrrroorr lloogg eennttrriieess - If there was a problem running the command, an error string will follow - the user name. Possible errors include: + DDeenniieedd ccoommmmaanndd lloogg eennttrriieess + If the user is not allowed to run the command, the reason for the denial + will follow the user name. Possible reasons include: user NOT in sudoers The user is not listed in the _s_u_d_o_e_r_s file. @@ -1481,7 +1509,7 @@ LLOOGG FFOORRMMAATT commands on the host. command not allowed - The user is listed in the sudoers file for the host but they are not + The user is listed in the _s_u_d_o_e_r_s file for the host but they are not allowed to run the specified command. 3 incorrect password attempts 
@@ -1492,6 +1520,73 @@ LLOOGG FFOORRMMAATT a password is required ssuuddoo's --nn option was specified but a password was required. + sorry, you are not allowed to set the following environment variables + The user specified environment variables on the command line that were + not allowed by _s_u_d_o_e_r_s. + + EErrrroorr lloogg eennttrriieess + If an error occurs, ssuuddooeerrss will log a message and, in most cases, send a + message to the administrator via email. Possible errors include: + + parse error in /etc/sudoers near line N + ssuuddooeerrss encountered an error when parsing the specified file. In some + cases, the actual error may be one line above or below the line number + listed, depending on the type of error. + + problem with defaults entries + The sudoers file contains one or more unknown Defaults settings. This + does not prevent ssuuddoo from running, but the sudoers file should be + checked using vviissuuddoo. + + timestamp owner (@timestampowner@): No such user + The time stamp directory owner, which defaults to @timestampowner@ but + which may be specified via the _t_i_m_e_s_t_a_m_p_o_w_n_e_r setting, could not be + found in the password database. + + unable to open/read /etc/sudoers + The sudoers file could not be opened for reading. This can happen + when the sudoers file is located on a remote file system that maps + user ID 0 to a different value. Normally, ssuuddooeerrss tries to open + sudoers using group permissions to avoid this problem. Consider + changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like + ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers + file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + + unable to stat /etc/sudoers + The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. + + /etc/sudoers is not a regular file + The _/_e_t_c_/_s_u_d_o_e_r_s file exists but is not a regular file or symbolic + link. 
+ + /etc/sudoers is owned by uid N, should be 0 + The sudoers file has the wrong owner. If you wish to change the + sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the + user ID that owns the sudoers file) to the ssuuddooeerrss plugin line in the + _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + + /etc/sudoers is world writable + The permissions on the sudoers file allow all users to write to it. + The sudoers file must not be world-writable, the default file mode is + 0440 (readable by owner and group, writable by none). The default + mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss + plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + + /etc/sudoers is owned by gid N, should be 1 + The sudoers file has the wrong group ownership. If you wish to change + the sudoers file group ownership, please add ``sudoers_gid=N'' (where + `N' is the group ID that owns the sudoers file) to the ssuuddooeerrss plugin + line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + + unable to open /var/adm/sudo/username/ttyname + _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. + + unable to write to /var/adm/sudo/username/ttyname + _s_u_d_o_e_r_s was unable to write to the user's time stamp file. + + unable to mkdir to /var/adm/sudo/username + _s_u_d_o_e_r_s was unable to create the user's time stamp directory. + NNootteess oonn llooggggiinngg vviiaa ssyysslloogg By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and _p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As @@ -1984,4 +2079,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.6b4 July 16, 2012 Sudo 1.8.6b4 +Sudo 1.8.6 July 16, 2012 Sudo 1.8.6 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 27167ff31..2ad491093 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -639,7 +639,7 @@ fully qualified path name ending in a When you specify a directory in a \fRCmnd_List\fR, the user will be able to run any file within that directory -(but not in any subdirectories therein). +(but not in any sub-directories therein). .PP If a \fRCmnd\fR @@ -666,7 +666,7 @@ option (or as It may take command line arguments just as a normal command does. .SS "Defaults" Certain configuration options may be changed from their default -values at runtime via one or more +values at run-time via one or more \fRDefault_Entry\fR lines. These may affect all users on any host, all users on a specific host, a @@ -954,7 +954,7 @@ type is specified with the command it will override any default values specified in \fIsudoers\fR. A role or type specified on the command line, -however, will supercede the values in +however, will supersede the values in \fIsudoers\fR. .SS "Solaris_Priv_Spec" On Solaris systems, @@ -1096,7 +1096,11 @@ Additionally, a user may only run without a password if the \fRNOPASSWD\fR tag is present for all a user's entries that pertain to the current host. -This behavior may be overridden via the verifypw and listpw options. +This behavior may be overridden via the +\fIverifypw\fR +and +\fIlistpw\fR +options. .PP \fINOEXEC and EXEC\fR .PP @@ -1264,7 +1268,7 @@ but not When matching the command line arguments, however, a slash \fBdoes\fR get matched by wildcards since command line arguments may contain -arbitrary strings and not just pathnames. +arbitrary strings and not just path names. .PP Wildcards in command line arguments should be used with care. Because command line arguments are matched as a single, concatenated @@ -1297,7 +1301,7 @@ $ sudo cat /var/log/messages /etc/shadow .RE .fi .PP -which is probaby not what was intended. +which is probably not what was intended. .SS "Exceptions to wildcard rules" The following exceptions apply to the above rules: .TP 10n 
@@ -1313,7 +1317,7 @@ arguments. sudoedit Command line arguments to the \fIsudoedit\fR -built-in command should always be pathnames, so a forward slash +built-in command should always be path names, so a forward slash (`/') will not be matched by a wildcard. .SS "Including other files from within sudoers" @@ -1505,7 +1509,7 @@ Long lines can be continued with a backslash (`\e') as the last character on the line. .PP -Whitespace between elements in a list as well as special syntactic +White space between elements in a list as well as special syntactic characters in a \fIUser Specification\fR (`=\&', @@ -1677,7 +1681,7 @@ However, since it accesses the file system, glob(3) can take a long time to complete for some patterns, especially when the pattern references a network file system that is mounted -on demand (automounted). +on demand (auto mounted). The \fIfast_glob\fR option causes 
@@ -1706,27 +1710,71 @@ by default. fqdn Set this flag if you want to put fully qualified host names in the \fIsudoers\fR -file. +file when the local host name (as returned by the +\fRhostname\fR +command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). -Beware that turning on +This option is only effective when the +``canonical'' +host name, as returned by the +\fBgetaddrinfo\fR() +or +\fBgethostbyname\fR() +function, is a fully-qualified domain name. +This is usually the case when the system is configured to use DNS +for host name resolution. +.sp +If the system is configured to use the +\fI/etc/hosts\fR +file in preference to DNS, the +``canonical'' +host name may not be fully-qualified. +The order that sources are queried for hosts name resolution +is usually specified in the +\fI@nsswitch_conf@\fR, +\fI@netsvc_conf@\fR, +\fI/etc/host.conf\fR, +or, in some cases, +\fI/etc/resolv.conf\fR +file. +In the +\fI/etc/hosts\fR +file, the first host name of the entry is considered to be the +``canonical'' +name; subsequent names are aliases that are not used by +\fBsudoers\fR. +For example, the following hosts file line for the machine +``xyzzy'' +has the fully-qualified domain name as the +``canonical'' +host name, and the short version as an alias. +.sp +.RS 6n +192.168.1.1 xyzzy.sudo.ws xyzzy +.RE +.sp +If the machine's hosts file entry is not formatted properly, the +\fIfqdn\fR +option will not be effective if it is queried before DNS. +.sp +Beware that when using DNS for host name resolution, turning on \fIfqdn\fR requires +\fBsudoers\fR +to make DNS lookups which renders \fBsudo\fR -to make DNS lookups which may make -\fBsudo\fR -unusable if DNS stops working (for example if the machine is not plugged -into the network). -Also note that you must use the host's official name as DNS knows it. 
+unusable if DNS stops working (for example if the machine is disconnected +from the network). +Also note that just like with the hosts file, you must use the +``canonical'' +name as DNS knows it. That is, you may not use a host alias (\fRCNAME\fR entry) due to performance issues and the fact that there is no way to get all aliases from DNS. -If your machine's host name (as returned by the -\fRhostname\fR -command) is already fully qualified you shouldn't need to set -\fIfqdn\fR. +.sp This flag is \fI@fqdn@\fR by default. @@ -2194,7 +2242,7 @@ by the option (defaults to \fRroot\fR) instead of the password of the invoking user. -In addition, the timestamp file name will include the target user's name. +In addition, the time stamp file name will include the target user's name. Note that this flag precludes the use of a uid not listed in the passwd database as an argument to the \fB\-u\fR @@ -2350,8 +2398,8 @@ Set this to to always prompt for a password. If set to a value less than \fR0\fR -the user's timestamp will never expire. -This can be used to allow users to create or delete their own timestamps via +the user's time stamp will never expire. +This can be used to allow users to create or delete their own time stamps via ``\fRsudo -v\fR'' and ``\fRsudo -k\fR'' @@ -2632,12 +2680,12 @@ Defaults to timestampdir The directory in which \fBsudo\fR -stores its timestamp files. +stores its time stamp files. The default is \fI@timedir@\fR. .TP 18n timestampowner -The owner of the timestamp directory and the timestamps stored therein. +The owner of the time stamp directory and the time stamps stored therein. The default is \fRroot\fR. .TP 18n @@ -2647,7 +2695,7 @@ context to run the command. The default type may be overridden on a per-command basis in \fIsudoers\fR or via command line options. -This option is only available whe +This option is only available when \fBsudo\fR is built with SELinux support. .PP 
@@ -3008,7 +3056,7 @@ can log events using either syslog(3) or a simple log file. In each case the log format is almost identical. -.SS "Command log entries" +.SS "Accepted command log entries" Commands that sudo runs are logged using the following format (split into multiple lines for readability): .nf @@ -3095,10 +3143,10 @@ Messages are logged using the locale specified by which defaults to the ``\fRC\fR'' locale. -.SS "Error log entries" -If there was a problem running the command, an error string will follow -the user name. -Possible errors include: +.SS "Denied command log entries" +If the user is not allowed to run the command, the reason for the denial +will follow the user name. +Possible reasons include: .TP 3n user NOT in sudoers The user is not listed in the @@ -3112,7 +3160,7 @@ file but is not allowed to run commands on the host. .TP 3n command not allowed The user is listed in the -sudoers +\fIsudoers\fR file for the host but they are not allowed to run the specified command. .TP 3n 3 incorrect password attempts 
@@ -3126,6 +3174,114 @@ a password is required \fBsudo\fR's \fB\-n\fR option was specified but a password was required. +.TP 3n +sorry, you are not allowed to set the following environment variables +The user specified environment variables on the command line that +were not allowed by +\fIsudoers\fR. +.SS "Error log entries" +If an error occurs, +\fBsudoers\fR +will log a message and, in most cases, send a message to the +administrator via email. +Possible errors include: +.TP 3n +parse error in @sysconfdir@/sudoers near line N +\fBsudoers\fR +encountered an error when parsing the specified file. +In some cases, the actual error may be one line above or below the +line number listed, depending on the type of error. +.TP 3n +problem with defaults entries +The sudoers file contains one or more unknown Defaults settings. +This does not prevent +\fBsudo\fR +from running, but the sudoers file should be checked using +\fBvisudo\fR. +.TP 3n +timestamp owner (@timestampowner@): \&No such user +The time stamp directory owner, which defaults to +@timestampowner@ but which may be specified via the +\fItimestampowner\fR +setting, could not be found in the password database. +.TP 3n +unable to open/read @sysconfdir@/sudoers +The sudoers file could not be opened for reading. +This can happen when the sudoers file is located on a remote +file system that maps user ID 0 to a different value. +Normally, +\fBsudoers\fR +tries to open sudoers using group permissions to avoid this problem. +Consider changing the ownership of +\fI@sysconfdir@/sudoers\fR +by adding an option like +``sudoers_uid=N'' +(where +`N' +is the user ID that owns the sudoers file) +to the +\fBsudoers\fR +plugin line in the +\fI@sysconfdir@/sudo.conf\fR +file. +.TP 3n +unable to stat @sysconfdir@/sudoers +The +\fI@sysconfdir@/sudoers\fR +file is missing. +.TP 3n +@sysconfdir@/sudoers is not a regular file +The +\fI@sysconfdir@/sudoers\fR +file exists but is not a regular file or symbolic link. 
+.TP 3n +@sysconfdir@/sudoers is owned by uid N, should be 0 +The sudoers file has the wrong owner. +If you wish to change the sudoers file owner, please add +``sudoers_uid=N'' +(where +`N' +is the user ID that owns the sudoers file) to the +\fBsudoers\fR +plugin line in the +\fI@sysconfdir@/sudo.conf\fR +file. +.TP 3n +@sysconfdir@/sudoers is world writable +The permissions on the sudoers file allow all users to write to it. +The sudoers file must not be world-writable, the default file mode +is 0440 (readable by owner and group, writable by none). +The default mode may be changed via the +``sudoers_mode'' +option to the +\fBsudoers\fR +plugin line in the +\fI@sysconfdir@/sudo.conf\fR +file. +.TP 3n +@sysconfdir@/sudoers is owned by gid N, should be 1 +The sudoers file has the wrong group ownership. +If you wish to change the sudoers file group ownership, please add +``sudoers_gid=N'' +(where +`N' +is the group ID that owns the sudoers file) to the +\fBsudoers\fR +plugin line in the +\fI@sysconfdir@/sudo.conf\fR +file. +.TP 3n +unable to open @timedir@/username/ttyname +\fIsudoers\fR +was unable to read or create the user's time stamp file. +.TP 3n +unable to write to @timedir@/username/ttyname +\fIsudoers\fR +was unable to write to the user's time stamp file. +.TP 3n +unable to mkdir to @timedir@/username +\fIsudoers\fR +was unable to create the user's time stamp directory. .SS "Notes on logging via syslog" By default, \fIsudoers\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 49cc6de3d..b516d881b 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -1608,18 +1608,63 @@ by default. .It fqdn Set this flag if you want to put fully qualified host names in the .Em sudoers -file. +file when the local host name (as returned by the +.Li hostname +command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). -Beware that turning on +This option is only effective when the +.Dq canonical +host name, as returned by the +.Fn getaddrinfo +or +.Fn gethostbyname +function, is a fully-qualified domain name. +This is usually the case when the system is configured to use DNS +for host name resolution. +.Pp +If the system is configured to use the +.Pa /etc/hosts +file in preference to DNS, the +.Dq canonical +host name may not be fully-qualified. +The order that sources are queried for hosts name resolution +is usually specified in the +.Pa @nsswitch_conf@ , +.Pa @netsvc_conf@ , +.Pa /etc/host.conf , +or, in some cases, +.Pa /etc/resolv.conf +file. +In the +.Pa /etc/hosts +file, the first host name of the entry is considered to be the +.Dq canonical +name; subsequent names are aliases that are not used by +.Nm sudoers . +For example, the following hosts file line for the machine +.Dq xyzzy +has the fully-qualified domain name as the +.Dq canonical +host name, and the short version as an alias. +.sp +.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy +.sp +If the machine's hosts file entry is not formatted properly, the +.Em fqdn +option will not be effective if it is queried before DNS. +.Pp +Beware that when using DNS for host name resolution, turning on .Em fqdn requires +.Nm sudoers +to make DNS lookups which renders .Nm sudo -to make DNS lookups which may make -.Nm sudo -unusable if DNS stops working (for example if the machine is not plugged -into the network). -Also note that you must use the host's official name as DNS knows it. 
+unusable if DNS stops working (for example if the machine is disconnected +from the network). +Also note that just like with the hosts file, you must use the +.Dq canonical +name as DNS knows it. That is, you may not use a host alias .Po .Li CNAME @@ -1627,10 +1672,7 @@ entry .Pc due to performance issues and the fact that there is no way to get all aliases from DNS. -If your machine's host name (as returned by the -.Li hostname -command) is already fully qualified you shouldn't need to set -.Em fqdn . +.Pp This flag is .Em @fqdn@ by default.
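Review bot: typo in the new fqdn paragraph, present in all three copies (sudoers.cat, sudoers.man.in and sudoers.mdoc.in): "The order that sources are queried for hosts name resolution" should read "host name resolution". Fix it in the mdoc source and regenerate the other two rather than patching each by hand, since the .cat and .man.in text is derived from it. While there, the mdoc.in hunk mixes the raw roff request `.sp` around the `.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy` example with the mdoc macro `.Pp` used everywhere else in that file; `.Pp` keeps the file consistent.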
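Review bot: the fqdn text could state which way a badly formatted hosts entry fails. "the fqdn option will not be effective if it is queried before DNS" is correct but vague: with a line such as "192.168.1.1 xyzzy xyzzy.sudo.ws" the canonical name is the short form, so a sudoers entry written as xyzzy.sudo.ws simply does not match, i.e. the user is denied rather than granted. Saying that explicitly tells the administrator the failure is on the safe side. It would also be worth one sentence that the "canonical" name is whatever the resolver returns, so host-based rules under fqdn are only as trustworthy as the name source: a root-owned /etc/hosts when that is consulted first, the network when DNS is. Separately, the rewrite turned "may make sudo unusable" into "renders sudo unusable"; if the hedge was dropped deliberately, fine, but the old wording was the more accurate one.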
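Review bot: the new "Error log entries" section in sudoers.cat leaks an unsubstituted placeholder: "timestamp owner (@timestampowner@): No such user" and "which defaults to @timestampowner@" appear literally, whereas the other placeholders in the same hunk were expanded (/etc/sudoers, /var/adm/sudo, /etc/sudo.conf). The catpage generator evidently does not know @timestampowner@; either add it to the substitution list or write "root" in the .cat output as the timestampowner option text already does. Two wording points in the same hunk: "unable to stat /etc/sudoers: The /etc/sudoers file is missing" is stronger than stat(2) justifies, since it also fails when a path component is inaccessible, so "is missing or cannot be reached" is safer; and the expected owner and group in "is owned by uid N, should be 0" and "is owned by gid N, should be 1" are hard-coded in the .in files even though the surrounding text says both are configurable via sudoers_uid and sudoers_gid, so if a build-time substitution for them exists it should be used like the other @...@ values.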
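Review bot: the spelling sweep goes one step too far with "mounted on demand (auto mounted)" in the fast_glob description; "automounted" is the established term (automount(8), autofs) and splitting it reads as an error rather than a style choice. "sub-directories", "run-time", "white space", "path names" and "time stamp" are defensible, but note that the one-word forms still appear as identifiers in the same pages (timestampdir, timestampowner, the "timestamp owner (...)" error message), which is correct and should stay that way.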
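Review bot: the footer change in sudoers.cat bumps "Sudo 1.8.6b4" to "Sudo 1.8.6" but leaves the date at "July 16, 2012" in a commit dated 16 Aug 2012. The catpage footer is generated from the mdoc source's date line, so either the source date was not updated or the .cat file was regenerated from a stale source; the two should be brought into step in the same commit as the version bump.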