From: Todd C. Miller Date: Wed, 21 Mar 2018 12:52:50 +0000 (-0600) Subject: Decrease bullet width to 1n. X-Git-Tag: SUDO_1_8_23^2~75 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b6c53ac84657356370abc4a5cc6241db0e51c9b6;p=sudo Decrease bullet width to 1n. --- diff --git a/doc/sudo.cat b/doc/sudo.cat index 84ec77d02..66ec61ecf 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -137,17 +137,17 @@ DDEESSCCRRIIPPTTIIOONN following restrictions are enforced unless explicitly allowed by the security policy: - ++oo Symbolic links may not be edited (version 1.8.15 and - higher). + ++oo Symbolic links may not be edited (version 1.8.15 and + higher). - ++oo Symbolic links along the path to be edited are not - followed when the parent directory is writable by the - invoking user unless that user is root (version 1.8.16 - and higher). + ++oo Symbolic links along the path to be edited are not + followed when the parent directory is writable by the + invoking user unless that user is root (version 1.8.16 + and higher). - ++oo Files located in a directory that is writable by the - invoking user may not be edited unless that user is root - (version 1.8.16 and higher). + ++oo Files located in a directory that is writable by the + invoking user may not be edited unless that user is root + (version 1.8.16 and higher). Users are never allowed to edit device special files. @@ -363,27 +363,27 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN The following parameters may be specified by security policy: - ++oo real and effective user ID + ++oo real and effective user ID - ++oo real and effective group ID + ++oo real and effective group ID - ++oo supplementary group IDs + ++oo supplementary group IDs - ++oo the environment list + ++oo the environment list - ++oo current working directory + ++oo current working directory - ++oo file creation mode mask (umask) + ++oo file creation mode mask (umask) - ++oo SELinux role and type + ++oo SELinux role and type - ++oo Solaris project + ++oo Solaris project - ++oo Solaris privileges + ++oo Solaris privileges - ++oo BSD login class + ++oo BSD login class - ++oo scheduling priority (aka nice value) + ++oo scheduling priority (aka nice value) PPrroocceessss mmooddeell There are two distinct ways ssuuddoo can run a command. @@ -661,4 +661,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.22 December 1, 2017 Sudo 1.8.22 +Sudo 1.8.23 March 21, 2018 Sudo 1.8.23 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 5d01f57f3..47b9a386d 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "8" "December 1, 2017" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "8" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -309,15 +309,15 @@ their original location and the temporary versions are removed. To help prevent the editing of unauthorized files, the following restrictions are enforced unless explicitly allowed by the security policy: .RS 16n -.TP 4n +.TP 3n \fB\(bu\fR Symbolic links may not be edited (version 1.8.15 and higher). -.TP 4n +.TP 3n \fB\(bu\fR Symbolic links along the path to be edited are not followed when the parent directory is writable by the invoking user unless that user is root (version 1.8.16 and higher). -.TP 4n +.TP 3n \fB\(bu\fR Files located in a directory that is writable by the invoking user may not be edited unless that user is root (version 1.8.16 and higher). @@ -688,37 +688,37 @@ and the group vector is initialized based on the group database option was specified). .PP The following parameters may be specified by security policy: -.TP 4n +.TP 3n \fB\(bu\fR real and effective user ID -.TP 4n +.TP 3n \fB\(bu\fR real and effective group ID -.TP 4n +.TP 3n \fB\(bu\fR supplementary group IDs -.TP 4n +.TP 3n \fB\(bu\fR the environment list -.TP 4n +.TP 3n \fB\(bu\fR current working directory -.TP 4n +.TP 3n \fB\(bu\fR file creation mode mask (umask) -.TP 4n +.TP 3n \fB\(bu\fR SELinux role and type -.TP 4n +.TP 3n \fB\(bu\fR Solaris project -.TP 4n +.TP 3n \fB\(bu\fR Solaris privileges -.TP 4n +.TP 3n \fB\(bu\fR BSD login class -.TP 4n +.TP 3n \fB\(bu\fR scheduling priority (aka nice value) .SS "Process model" diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 07c9ae7e0..80e5638b6 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd December 1, 2017 +.Dd March 21, 2018 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -279,7 +279,7 @@ their original location and the temporary versions are removed. .Pp To help prevent the editing of unauthorized files, the following restrictions are enforced unless explicitly allowed by the security policy: -.Bl -bullet -offset 4 +.Bl -bullet -offset 4 -width 1n .It Symbolic links may not be edited (version 1.8.15 and higher). .It @@ -626,7 +626,7 @@ and the group vector is initialized based on the group database option was specified). .Pp The following parameters may be specified by security policy: -.Bl -bullet +.Bl -bullet -width 1n .It real and effective user ID .It diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index 6cfe4b905..82b2ba7a4 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -1142,15 +1142,15 @@ DDEESSCCRRIIPPTTIIOONN signals while the plugin functions are run. The following signals are trapped by default before the command is executed: - ++oo SIGALRM - ++oo SIGHUP - ++oo SIGINT - ++oo SIGPIPE - ++oo SIGQUIT - ++oo SIGTERM - ++oo SIGTSTP - ++oo SIGUSR1 - ++oo SIGUSR2 + ++oo SIGALRM + ++oo SIGHUP + ++oo SIGINT + ++oo SIGPIPE + ++oo SIGQUIT + ++oo SIGTERM + ++oo SIGTSTP + ++oo SIGUSR1 + ++oo SIGUSR2 If a fatal signal is received before the command is executed, ssuuddoo will call the plugin's cclloossee() function with an exit status of 128 plus the @@ -1604,4 +1604,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.22 July 11, 2017 Sudo 1.8.22 +Sudo 1.8.23 March 21, 2018 Sudo 1.8.23 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 76d3a1814..c6546ba9a 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDO_PLUGIN" "5" "July 11, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_PLUGIN" "5" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -2007,32 +2007,32 @@ front end installs default signal handlers to trap common signals while the plugin functions are run. The following signals are trapped by default before the command is executed: -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGALRM\fR .PD 0 -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGHUP\fR -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGINT\fR -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGPIPE\fR -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGQUIT\fR -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGTERM\fR -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGTSTP\fR -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGUSR1\fR -.TP 4n +.TP 3n \fB\(bu\fR \fRSIGUSR2\fR .PD diff --git a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in index 539fcec42..00c62584b 100644 --- a/doc/sudo_plugin.mdoc.in +++ b/doc/sudo_plugin.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 11, 2017 +.Dd March 21, 2018 .Dt SUDO_PLUGIN @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1758,7 +1758,7 @@ while the plugin functions are run. The following signals are trapped by default before the command is executed: .Pp -.Bl -bullet -compact +.Bl -bullet -compact -width 1n .It .Dv SIGALRM .It diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 026d61b43..8c2f8b980 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -302,11 +302,11 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT group provider plugin. For instance, the QAS AD plugin supports the following formats: - ++oo Group in the same domain: "%:Group Name" + ++oo Group in the same domain: "%:Group Name" - ++oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" + ++oo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" - ++oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" + ++oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" See _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S for more information. @@ -2106,16 +2106,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS variable is considered unsafe if any of the following are true: - ++oo It consists of a fully-qualified path name, - optionally prefixed with a colon (`:'), that does - not match the location of the _z_o_n_e_i_n_f_o directory. + ++oo It consists of a fully-qualified path name, + optionally prefixed with a colon (`:'), that does + not match the location of the _z_o_n_e_i_n_f_o directory. - ++oo It contains a _._. path element. + ++oo It contains a _._. path element. - ++oo It contains white space or non-printable - characters. + ++oo It contains white space or non-printable characters. - ++oo It is longer than the value of PATH_MAX. + ++oo It is longer than the value of PATH_MAX. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list @@ -2909,4 +2908,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.23 March 5, 2018 Sudo 1.8.23 +Sudo 1.8.23 March 21, 2018 Sudo 1.8.23 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 86ce8426b..02c80f9b5 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -10,28 +10,27 @@ DDEESSCCRRIIPPTTIIOONN Using LDAP for _s_u_d_o_e_r_s has several benefits: - ++oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is - used, there are only two or three LDAP queries per invocation. This - makes it especially fast and particularly usable in LDAP - environments. - - ++oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not - possible to load LDAP data into the server that does not conform to - the sudoers schema, so proper syntax is guaranteed. It is still - possible to have typos in a user or host name, but this will not - prevent ssuuddoo from running. - - ++oo It is possible to specify per-entry options that override the global - default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and - limited options associated with user/host/commands/aliases. The - syntax is complicated and can be difficult for users to understand. - Placing the options directly in the entry is more natural. - - ++oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and - syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are - atomic, locking is no longer necessary. Because syntax is checked - when the data is inserted into LDAP, there is no need for a - specialized tool to check syntax. + ++oo ssuuddoo no longer needs to read _s_u_d_o_e_r_s in its entirety. When LDAP is + used, there are only two or three LDAP queries per invocation. This + makes it especially fast and particularly usable in LDAP environments. + + ++oo ssuuddoo no longer exits if there is a typo in _s_u_d_o_e_r_s. It is not + possible to load LDAP data into the server that does not conform to + the sudoers schema, so proper syntax is guaranteed. It is still + possible to have typos in a user or host name, but this will not + prevent ssuuddoo from running. + + ++oo It is possible to specify per-entry options that override the global + default options. _/_e_t_c_/_s_u_d_o_e_r_s only supports default options and + limited options associated with user/host/commands/aliases. The + syntax is complicated and can be difficult for users to understand. + Placing the options directly in the entry is more natural. + + ++oo The vviissuuddoo program is no longer needed. vviissuuddoo provides locking and + syntax checking of the _/_e_t_c_/_s_u_d_o_e_r_s file. Since LDAP updates are + atomic, locking is no longer necessary. Because syntax is checked + when the data is inserted into LDAP, there is no need for a + specialized tool to check syntax. Another major difference between LDAP and file-based _s_u_d_o_e_r_s is that in LDAP, ssuuddoo-specific Aliases are not supported. @@ -913,4 +912,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.22 December 12, 2017 Sudo 1.8.22 +Sudo 1.8.23 March 21, 2018 Sudo 1.8.23 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index fb9edce15..b9029dbbc 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "5" "December 12, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "5" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -36,7 +36,7 @@ in a large, distributed environment. Using LDAP for \fIsudoers\fR has several benefits: -.TP 4n +.TP 3n \fB\(bu\fR \fBsudo\fR no longer needs to read @@ -44,7 +44,7 @@ no longer needs to read in its entirety. When LDAP is used, there are only two or three LDAP queries per invocation. This makes it especially fast and particularly usable in LDAP environments. -.TP 4n +.TP 3n \fB\(bu\fR \fBsudo\fR no longer exits if there is a typo in @@ -55,7 +55,7 @@ It is still possible to have typos in a user or host name, but this will not prevent \fBsudo\fR from running. -.TP 4n +.TP 3n \fB\(bu\fR It is possible to specify per-entry options that override the global default options. @@ -64,7 +64,7 @@ only supports default options and limited options associated with user/host/commands/aliases. The syntax is complicated and can be difficult for users to understand. Placing the options directly in the entry is more natural. -.TP 4n +.TP 3n \fB\(bu\fR The \fBvisudo\fR diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index ef0fe9ac3..745322085 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 12, 2017 +.Dd March 21, 2018 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -34,7 +34,7 @@ in a large, distributed environment. Using LDAP for .Em sudoers has several benefits: -.Bl -bullet +.Bl -bullet -width 1n .It .Nm sudo no longer needs to read diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index c131639e7..e7e63b66f 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "March 5, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "March 21, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -698,13 +698,13 @@ and syntax depends on the underlying group provider plugin. For instance, the QAS AD plugin supports the following formats: -.TP 6n +.TP 3n \fB\(bu\fR Group in the same domain: "%:Group Name" -.TP 6n +.TP 3n \fB\(bu\fR Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN" -.TP 6n +.TP 3n \fB\(bu\fR Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" .PP @@ -4181,7 +4181,7 @@ variable is considered unsafe if any of the following are true: .PP .RS 18n .PD 0 -.TP 4n +.TP 3n \fB\(bu\fR It consists of a fully-qualified path name, optionally prefixed with a colon @@ -4190,15 +4190,15 @@ that does not match the location of the \fIzoneinfo\fR directory. .PD -.TP 4n +.TP 3n \fB\(bu\fR It contains a \fI..\fR path element. -.TP 4n +.TP 3n \fB\(bu\fR It contains white space or non-printable characters. -.TP 4n +.TP 3n \fB\(bu\fR It is longer than the value of \fRPATH_MAX\fR. diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 9456e0916..443a6da84 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd March 5, 2018 +.Dd March 21, 2018 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -671,7 +671,7 @@ and syntax depends on the underlying group provider plugin. For instance, the QAS AD plugin supports the following formats: -.Bl -bullet -width 4n +.Bl -bullet -width 4n -width 1n .It Group in the same domain: "%:Group Name" .It @@ -3892,7 +3892,7 @@ in poorly-written programs. The .Li TZ variable is considered unsafe if any of the following are true: -.Bl -bullet +.Bl -bullet -width 1n .It It consists of a fully-qualified path name, optionally prefixed with a colon