From: Todd C. Miller Date: Mon, 17 Dec 2001 23:35:57 +0000 (+0000) Subject: regen from sudoers.pod X-Git-Tag: SUDO_1_6_4~58 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a459e6a31d5c796f167a7cab411f482c6705617c;p=sudo regen from sudoers.pod --- diff --git a/sudoers.cat b/sudoers.cat index 95dea1944..45571a249 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -56,12 +56,12 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN User_Alias ::= NAME '=' User_List - Runas_Alias ::= NAME '=' Runas_User_List + Runas_Alias ::= NAME '=' Runas_List -December 15, 2001 1.6.4 1 +December 17, 2001 1.6.4 1 @@ -96,7 +96,6 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) User ',' User_List User ::= '!'* username | - '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | '!'* User_Alias @@ -117,9 +116,9 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) '!'* +netgroup | '!'* Runas_Alias - Likewise, a Runas_List has the same possible elements as a - User_List, except that it can include a Runas_Alias, - instead of a User_Alias. + A Runas_List is similar to a User_List except that it can + also contain uids (prefixed with '#') and instead of + User_Aliases it can contain Runas_Aliases. Host_List ::= Host | Host ',' Host_List @@ -127,7 +126,8 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 15, 2001 1.6.4 2 + +December 17, 2001 1.6.4 2 @@ -193,7 +193,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 15, 2001 1.6.4 3 +December 17, 2001 1.6.4 3 @@ -236,6 +236,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) respectively. It is not an error to use the -= operator to remove an element that does not exist in a list. + Note that since the _s_u_d_o_e_r_s file is parsed in order the + best place to put the Defaults section is after the Host, + User, and Cmnd aliases but before the user specifications. + FFFFllllaaaaggggssss: long_otp_prompt 
@@ -251,15 +255,11 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) PATH itself is not modified. This flag is _o_f_f by default. - mail_always Send mail to the _m_a_i_l_t_o user every time a - users runs ssssuuuuddddoooo. This flag is _o_f_f by default. - mail_badpass - Send mail to the _m_a_i_l_t_o user if the user -December 15, 2001 1.6.4 4 +December 17, 2001 1.6.4 4 @@ -268,8 +268,13 @@ December 15, 2001 1.6.4 4 sudoers(4) MAINTENANCE COMMANDS sudoers(4) - running sudo does not enter the correct pass­ - word. This flag is _o_f_f by default. + mail_always Send mail to the _m_a_i_l_t_o user every time a + users runs ssssuuuuddddoooo. This flag is _o_f_f by default. + + mail_badpass + Send mail to the _m_a_i_l_t_o user if the user run­ + ning sudo does not enter the correct password. + This flag is _o_f_f by default. mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user @@ -317,15 +322,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) log_host If set, the hostname will be logged in the (non-syslog) ssssuuuuddddoooo log file. This flag is _o_f_f - by default. - - log_year If set, the four-digit year will be logged in - the (non-syslog) ssssuuuuddddoooo log file. This flag is - _o_f_f by default. -December 15, 2001 1.6.4 5 +December 17, 2001 1.6.4 5 @@ -334,6 +334,12 @@ December 15, 2001 1.6.4 5 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + by default. + + log_year If set, the four-digit year will be logged in + the (non-syslog) ssssuuuuddddoooo log file. This flag is + _o_f_f by default. + shell_noargs If set and ssssuuuuddddoooo is invoked with no arguments it acts as if the ----ssss flag had been given. 
@@ -382,16 +388,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) fied hostnames in the _s_u_d_o_e_r_s file. I.e.: instead of myhost you would use myhost.mydo­ main.edu. You may still use the short form if - you wish (and even mix the two). Beware that - turning on _f_q_d_n requires ssssuuuuddddoooo to make DNS - lookups which may make ssssuuuuddddoooo unusable if DNS - stops working (for example if the machine is - not plugged into the network). Also note that - you must use the host's official name as DNS -December 15, 2001 1.6.4 6 +December 17, 2001 1.6.4 6 @@ -400,6 +400,12 @@ December 15, 2001 1.6.4 6 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + you wish (and even mix the two). Beware that + turning on _f_q_d_n requires ssssuuuuddddoooo to make DNS + lookups which may make ssssuuuuddddoooo unusable if DNS + stops working (for example if the machine is + not plugged into the network). Also note that + you must use the host's official name as DNS knows it. That is, you may not use a host alias (CNAME entry) due to performance issues and the fact that there is no way to get all @@ -448,16 +454,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) root) instead of the password of the invoking user. This flag is _o_f_f by default. - set_logname Normally, ssssuuuuddddoooo will set the LOGNAME and USER - environment variables to the name of the tar­ - get user (usually root unless the ----uuuu flag is - given). However, since some programs (includ­ - ing the RCS revision control system) use LOG­ - NAME to determine the real identity of the -December 15, 2001 1.6.4 7 +December 17, 2001 1.6.4 7 
@@ -466,6 +466,12 @@ December 15, 2001 1.6.4 7 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + set_logname Normally, ssssuuuuddddoooo will set the LOGNAME and USER + environment variables to the name of the tar­ + get user (usually root unless the ----uuuu flag is + given). However, since some programs (includ­ + ing the RCS revision control system) use LOG­ + NAME to determine the real identity of the user, it may be desirable to change this behavior. This can be done by negating the set_logname option. @@ -514,16 +520,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. The default is 80 (use 0 or negate the - option to disable word wrap). - - timestamp_timeout - Number of minutes that can elapse before ssssuuuuddddoooo - will ask for a passwd again. The default is - 5. Set this to 0 to always prompt for a -December 15, 2001 1.6.4 8 +December 17, 2001 1.6.4 8 @@ -532,7 +532,13 @@ December 15, 2001 1.6.4 8 sudoers(4) MAINTENANCE COMMANDS sudoers(4) - password. If set to a value less than 0 the + option to disable word wrap). + + timestamp_timeout + Number of minutes that can elapse before ssssuuuuddddoooo + will ask for a passwd again. The default is + 5. Set this to 0 to always prompt for a pass­ + word. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k @@ -579,17 +585,11 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) Syslog priority to use when user authenticates successfully. Defaults to notice. - syslog_badpri - Syslog priority to use when user authenticates - unsuccessfully. Defaults to alert. - editor A colon (':') separated list of editors - allowed to be used with vvvviiiissssuuuuddddoooo. vvvviiiissssuuuuddddoooo will - choose the editor that matches the user's USER -December 15, 2001 1.6.4 9 +December 17, 2001 1.6.4 9 
@@ -598,6 +598,13 @@ December 15, 2001 1.6.4 9 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + syslog_badpri + Syslog priority to use when user authenticates + unsuccessfully. Defaults to alert. + + editor A colon (':') separated list of editors + allowed to be used with vvvviiiissssuuuuddddoooo. vvvviiiissssuuuuddddoooo will + choose the editor that matches the user's USER environment variable if possible, or the first editor in the list that exists and is exe­ cutable. The default is the path to vi on @@ -646,23 +653,21 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) never The user need never enter a password to use the ----vvvv flag. - always The user must always enter a password - to use the ----vvvv flag. - - The default value is `all'. - +December 17, 2001 1.6.4 10 -December 15, 2001 1.6.4 10 +sudoers(4) MAINTENANCE COMMANDS sudoers(4) -sudoers(4) MAINTENANCE COMMANDS sudoers(4) + always The user must always enter a password + to use the ----vvvv flag. + The default value is `all'. listpw This option controls when a password will be required when a user runs ssssuuuuddddoooo with the ----llll. @@ -712,16 +717,11 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) ronment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine-grained con­ - trol over the environment ssssuuuuddddoooo-spawned pro­ - cesses will get. The list can be replaced, - added to, deleted from, or disabled by using - the =, +=, -=, and ! operators respectively. - This list has no default members. + trol over the environment ssssuuuuddddoooo-spawned - -December 15, 2001 1.6.4 11 +December 17, 2001 1.6.4 11 
@@ -730,6 +730,11 @@ December 15, 2001 1.6.4 11 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + processes will get. The list can be replaced, + added to, deleted from, or disabled by using + the =, +=, -=, and ! operators respectively. + This list has no default members. + When logging via _s_y_s_l_o_g(3), ssssuuuuddddoooo accepts the following values for the syslog facility (the value of the ssssyyyysssslllloooogggg Parameter): aaaauuuutttthhhhpppprrrriiiivvvv (if your OS supports it), aaaauuuutttthhhh, ddddaaaaeeee­­­­ @@ -779,15 +784,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm Then user ddddggggbbbb is now allowed to run _/_b_i_n_/_l_s as ooooppppeeeerrrraaaattttoooorrrr, - but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rrrrooooooootttt. - - - - -December 15, 2001 1.6.4 12 +December 17, 2001 1.6.4 12 @@ -796,6 +796,8 @@ December 15, 2001 1.6.4 12 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rrrrooooooootttt. + NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD aaaannnndddd PPPPAAAASSSSSSSSWWWWDDDD By default, ssssuuuuddddoooo requires that a user authenticate him or @@ -848,12 +850,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) Note that a forward slash ('/') will nnnnooootttt be matched by wildcards used in the pathname. When matching the command line arguments, however, as slash ddddooooeeeessss get matched by - wildcards. This is to make a path like: - -December 15, 2001 1.6.4 13 +December 17, 2001 1.6.4 13 @@ -862,6 +862,8 @@ December 15, 2001 1.6.4 13 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + wildcards. This is to make a path like: + /usr/bin/* match /usr/bin/who but not /usr/bin/X11/xterm. @@ -917,9 +919,7 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS - - -December 15, 2001 1.6.4 14 +December 17, 2001 1.6.4 14 @@ -985,7 +985,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 15, 2001 1.6.4 15 +December 17, 2001 1.6.4 15 
@@ -1051,7 +1051,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 15, 2001 1.6.4 16 +December 17, 2001 1.6.4 16 @@ -1117,7 +1117,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 15, 2001 1.6.4 17 +December 17, 2001 1.6.4 17 @@ -1183,6 +1183,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO -December 15, 2001 1.6.4 18 +December 17, 2001 1.6.4 18 diff --git a/sudoers.man.in b/sudoers.man.in index c368e4d8a..f2ed96e1b 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1,5 +1,5 @@ .\" Automatically generated by Pod::Man version 1.15 -.\" Sat Dec 15 09:51:14 2001 +.\" Mon Dec 17 16:34:22 2001 .\" .\" Standard preamble: .\" ====================================================================== @@ -138,7 +138,7 @@ .\" ====================================================================== .\" .IX Title "sudoers @mansectform@" -.TH sudoers @mansectform@ "1.6.4" "December 15, 2001" "MAINTENANCE COMMANDS" +.TH sudoers @mansectform@ "1.6.4" "December 17, 2001" "MAINTENANCE COMMANDS" .UC .SH "NAME" sudoers \- list of which users may execute what @@ -194,7 +194,7 @@ There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_A \& User_Alias ::= NAME '=' User_List .Ve .Vb 1 -\& Runas_Alias ::= NAME '=' Runas_User_List +\& Runas_Alias ::= NAME '=' Runas_List .Ve .Vb 1 \& Host_Alias ::= NAME '=' Host_List @@ -225,9 +225,8 @@ The definitions of what constitutes a valid \fIalias\fR member follow. \& User_List ::= User | \& User ',' User_List .Ve -.Vb 5 +.Vb 4 \& User ::= '!'* username | -\& '!'* '#'uid | \& '!'* '%'group | \& '!'* '+'netgroup | \& '!'* User_Alias 
@@ -250,9 +249,9 @@ just cancel each other out. \& '!'* +netgroup | \& '!'* Runas_Alias .Ve -Likewise, a \f(CW\*(C`Runas_List\*(C'\fR has the same possible elements -as a \f(CW\*(C`User_List\*(C'\fR, except that it can include a \f(CW\*(C`Runas_Alias\*(C'\fR, -instead of a \f(CW\*(C`User_Alias\*(C'\fR. +A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can +also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes +it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. .PP .Vb 2 \& Host_List ::= Host | @@ -342,6 +341,10 @@ These operators are used to add to and delete from a list respectively. It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element that does not exist in a list. .PP +Note that since the \fIsudoers\fR file is parsed in order the best place +to put the Defaults section is after the Host, User, and Cmnd aliases +but before the user specifications. +.PP \&\fBFlags\fR: .Ip "long_otp_prompt" 12 .IX Item "long_otp_prompt"
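Review bot: the new paragraph ahead of the Flags heading (sudoers.man.in @@ -342,6 +341,10 and sudoers.cat @@ -236,6 +236,10) lists "the Host, User, and Cmnd aliases" but leaves out Runas aliases, even though the context of the @@ -194 hunk says there are four kinds of aliases. Either name all four or write "after the alias definitions", so readers are not left guessing whether a Runas_Alias may follow the Defaults section. The sentence also needs a comma after "parsed in order", and it would help to say what goes wrong when Defaults are placed elsewhere, since the text only recommends a position without giving the consequence.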
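Review bot: the User production loses the "'!'* '#'uid" alternative (sudoers.cat @@ -96,7 +96,6 and sudoers.man.in @@ -225,9 +225,8) and the reworded Runas_List paragraph says uids are now accepted there instead, but the only part of the Runas_User production visible in these hunks is its tail, "'!'* +netgroup | '!'* Runas_Alias", which shows no '#'uid alternative. Please confirm the production itself lists '#'uid, otherwise the grammar and the prose disagree about who a command may be run as. In the same production +netgroup is unquoted while User writes '+'netgroup, so the two should use the same notation. The plural "User_Aliases" in the sudoers.cat text also reads like an identifier that does not exist; "User_Alias entries" avoids that.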
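Review bot: the re-flowed mail_always entry added in sudoers.cat @@ -268,8 +268,13 still reads "every time a users runs", and the context of @@ -848,12 +850,10 has "as slash does get matched by wildcards" where "a slash" is meant. Because the subject says both files are regenerated from sudoers.pod, the wording should be fixed there and the output regenerated, rather than edited in sudoers.cat or sudoers.man.in directly.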