From: Todd C. Miller Date: Tue, 27 Nov 2018 15:14:15 +0000 (-0700) Subject: Use roff conditionals in the manuals instead of post-processing. X-Git-Tag: SUDO_1_8_27^2~26 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e010706ede6aa643c8bc5cfc0c2997e84533ee05;p=sudo Use roff conditionals in the manuals instead of post-processing. We still need to process the resulting .man.in files to add back the conditionals but this should be easier to debug as the changes are visible in the .in file. Some minor postprocessing is still used to make the manuals HP-UX friendly and to change "0 seconds" -> unlimited after substitution.
---
diff --git a/MANIFEST b/MANIFEST
index ad7142f14..08d7f25d3 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -24,7 +24,7 @@ doc/cvtsudoers.cat
 doc/cvtsudoers.man.in
 doc/cvtsudoers.mdoc.in
 doc/fixman.sh
-doc/fixmdoc.sh
+doc/fixmdoc.sed
 doc/schema.ActiveDirectory
 doc/schema.OpenLDAP
 doc/schema.iPlanet
@@ -34,6 +34,7 @@ doc/sudo.conf.cat
 doc/sudo.conf.man.in
 doc/sudo.conf.mdoc.in
 doc/sudo.man.in
+doc/sudo.man.in.sed
 doc/sudo.mdoc.in
 doc/sudo_plugin.cat
 doc/sudo_plugin.man.in
@@ -43,6 +44,7 @@ doc/sudoers.ldap.cat
 doc/sudoers.ldap.man.in
 doc/sudoers.ldap.mdoc.in
 doc/sudoers.man.in
+doc/sudoers.man.in.sed
 doc/sudoers.mdoc.in
 doc/sudoers_timestamp.cat
 doc/sudoers_timestamp.man.in
diff --git a/doc/Makefile.in b/doc/Makefile.in
index b3456a30f..e94f499a1 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -132,25 +132,22 @@ varsub: $(top_srcdir)/configure.ac $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.ac | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \ fi -$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in +$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ - $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ + $(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudo.man.in.sed > $@; \ fi -sudo.man.sed: $(srcdir)/fixman.sh - BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@ +fixman.sed: $(srcdir)/fixman.sh + $(SHELL) $(srcdir)/fixman.sh $@ -$(mansrcdir)/sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in sudo.man.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f $@.sed > $@ +$(mansrcdir)/sudo.man: $(top_builddir)/config.status $(srcdir)/sudo.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.man.in | $(SED) -f fixman.sed > $@ -sudo.mdoc.sed: $(srcdir)/fixmdoc.sh - BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@ - -$(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in sudo.mdoc.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < 
$(srcdir)/sudo.mdoc.in | $(SED) -f $@.sed > $@ +$(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in + cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ $(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in @if [ -n "$(DEVEL)" ]; then \ @@ -166,8 +163,8 @@ $(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/visudo.man: $(top_builddir)/config.status $(srcdir)/visudo.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -186,8 +183,8 @@ $(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudo.conf.man: $(top_builddir)/config.status $(srcdir)/sudo.conf.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.conf.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ 
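Review bot: The new `$(mansrcdir)/sudo.mdoc` rule runs `config.status --file=doc/$@` with no sed pass, so the "0 minutes" to "unlimited" rewrite no longer reaches sudo.mdoc. The deleted doc/fixmdoc.sh emitted that rewrite only in its `sudo.mdoc.sed)` case, yet the replacement doc/fixmdoc.sed is applied only to sudoers.mdoc, in the later `@@ -198,25 +195,19 @@` hunk. If the sudo page is where the text occurs (the old script suggests so; the body of sudo.mdoc.in is not fully visible here), this rule should mirror the sudoers one: add the prerequisite `$(srcdir)/fixmdoc.sed` and use the recipe `(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@`.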
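Review bot: In the new `$(mansrcdir)/visudo.man` recipe the exit status is that of the trailing `$(SED)`, so a failing `config.status --file=-` still leaves an empty or truncated `$@` that looks up to date on the next run. The previous recipe let config.status write the file itself via `--file=doc/$@`. The same pipeline is introduced for sudo.conf.man, sudoers.ldap.man, sudoers_timestamp.man, cvtsudoers.man, sudoreplay.man and sudo_plugin.man in the hunks that follow. Consider staging the substitution so each step's status is checked: `(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/visudo.man.in > $@.tmp`, followed by `$(SED) -f fixman.sed $@.tmp > $@ && rm -f $@.tmp`.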
@@ -198,25 +195,19 @@ $(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \ fi -$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in +$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed @if [ -n "$(DEVEL)" ]; then \ echo "Generating $@"; \ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \ - $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ + $(SED) -e 's/^\(\.nr [A-Z][A-Z]\) .[A-Z][A-Z]MAN./\1 1/' -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -f $(srcdir)/sudoers.man.in.sed> $@; \ fi -sudoers.man.sed: $(srcdir)/fixman.sh - LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@ - -$(mansrcdir)/sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in sudoers.man.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f $@.sed > $@ - -sudoers.mdoc.sed: $(srcdir)/fixmdoc.sh - LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@ +$(mansrcdir)/sudoers.man: $(top_builddir)/config.status $(srcdir)/sudoers.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.man.in | $(SED) -f fixman.sed > $@ -$(mansrcdir)/sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in sudoers.mdoc.sed - (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $@.sed > $@ +$(mansrcdir)/sudoers.mdoc: 
$(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@ $(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in @if [ -n "$(DEVEL)" ]; then \ @@ -232,8 +223,8 @@ $(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudoers.ldap.man: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.ldap.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ 
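Review bot: The `$(srcdir)/sudoers.man.in` rule gains the prerequisite `$(srcdir)/sudoers.man.in.sed` and passes it to `$(SED) -f`, and MANIFEST now lists the file, but no file section on this page creates doc/sudoers.man.in.sed (doc/sudo.man.in.sed is added; its sudoers counterpart is not). The prerequisite sits in the rule header, outside the `if [ -n "$(DEVEL)" ]` guard, so a tree without that file would stop with a "No rule to make target" error as soon as make considers sudoers.man.in. Confirm the script is committed together with this change. Minor: `-f $(srcdir)/sudoers.man.in.sed> $@` lacks the space before `>` that the sudo.man.in rule has.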
@@ -252,8 +243,8 @@ $(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudoers_timestamp.man: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers_timestamp.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -272,8 +263,8 @@ $(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/cvtsudoers.man: $(top_builddir)/config.status $(srcdir)/cvtsudoers.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/cvtsudoers.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ 
@@ -292,8 +283,8 @@ $(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudoreplay.man: $(top_builddir)/config.status $(srcdir)/sudoreplay.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoreplay.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -312,8 +303,8 @@ $(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" > $@; \ fi -$(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in - cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ +$(mansrcdir)/sudo_plugin.man: $(top_builddir)/config.status $(srcdir)/sudo_plugin.man.in fixman.sed + (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudo_plugin.man.in | $(SED) -f fixman.sed > $@ $(mansrcdir)/sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in cd $(top_builddir) && $(SHELL) config.status --file=doc/$@ @@ -390,7 +381,7 @@ pvs-studio: check: clean: - -rm -f varsub *.sed + -rm -f varsub fixman.sed mostlyclean: clean diff --git a/doc/fixman.sh b/doc/fixman.sh index bf4bd3257..f7ed1a8fc 100755 --- a/doc/fixman.sh +++ b/doc/fixman.sh 
@@ -28,130 +28,10 @@ if [ X"`uname 2>&1`" = X"HP-UX" ]; then EOF fi -# Page specific hacks -case "$OUTFILE" in - sudo.man.sed) - # Replace "0 minutes" with "unlimited" - cat >>"$OUTFILE" <<-'EOF' - /^\\fR0\\fR$/ { - N - s/^\\fR0\\fR\nminutes\.$/unlimited./ - } - EOF - - # BSD auth - if [ X"$BAMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^\[\\fB\\-a\\fR\\ \\fItype\\fR/d - /^\\fB\\-a\\fR \\fItype\\fR$/,/^\.TP 12n$/ { - /^\.PD$/!d - } - EOF - fi - - # BSD login class - if [ X"$LCMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^\[\\fB\\-c\\fR\\ \\fIclass\\fR/d - /^\\fB\\-c\\fR \\fIclass\\fR$/,/^\.TP 12n$/ { - /^\.PD$/!d - } - /^login_cap(3),$/d - /^BSD login class$/ { - N - N - /^BSD login class\n\.TP 4n\n\\fBo\\fR$/d - } - EOF - fi - - # SELinux - if [ X"$SEMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^\[\\fB\\-[rt]\\fR\\ \\fI[rt][oy][lp]e\\fR/d - /^\\fB\\-[rt]\\fR \\fI[rt][oy][lp]e\\fR$/,/^\.TP 12n$/ { - /^\.PD$/!d - } - /^SELinux role and type$/ { - N - N - /^SELinux role and type\n\.TP 4n\n\\fBo\\fR$/d - } - EOF - fi - - # Solaris privileges - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^Solaris project$/ { - N - N - N - N - N - /^Solaris project\n\.TP 4n\n\\fBo\\fR\nSolaris privileges\n\.TP 4n\n\\fBo\\fR$/d - } - EOF - fi - ;; - sudoers.man.sed) - # Join tagged list line with the corresponding item and re-process - cat >>"$OUTFILE" <<-'EOF' - :again - /^\.TP 18n$/ { - N - bagain - } - EOF - - # Subsections to remove (SELinux and Solaris are adjacent) - RM_SS= - if [ X"$PSMAN" != X"1" ]; then - if [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS "[^S]/{;/^\.SS "[^S][^o][^l]/!d;};' - else - RM_SS='/^\.SS "Solaris_Priv_Spec"/,/^\.SS/{;/^\.SS "[^S][^o][^l]/!d;};' - fi - elif [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS/{;/^\.SS "[^S][^E][^L]/!d;};' - fi - if [ -n "$RM_SS" ]; then - cat >>"$OUTFILE" <<-EOF - $RM_SS - EOF - fi - - # BSD login class - if [ X"$LCMAN" != X"1" ]; then - cat 
>>"$OUTFILE" <<-EOF - /^On BSD systems/,/\.$/d - /^\.TP 18n\nuse_loginclass$/,/^by default\./d - EOF - fi - - # Solaris PrivSpec - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-EOF - s/Solaris_Priv_Spec | // - /^Solaris_Priv_Spec ::=/ { - N - d - } - /^\.TP 18n\n\(limit\)*privs$/,/^is built on Solaris 10 or higher\./d - /^On Solaris 10/,/^\.[sP][pP]/d - EOF - fi - - # SELinux - if [ X"$SEMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-EOF - s/SELinux_Spec | // - /^SELinux_Spec ::=/ { - N - d - } - /^\.TP 18n\n[rt][oy][lp]e$/,/^is built with SELinux support\.$/d - EOF - fi - ;; -esac +# Replace "0 minutes" with "unlimited" +cat >>"$OUTFILE" <<-'EOF' + /^\\fR0\\fR$/ { + N + s/^\\fR0\\fR\nminutes\.$/unlimited./ + } +EOF diff --git a/doc/fixmdoc.sed b/doc/fixmdoc.sed new file mode 100755 index 000000000..3d572166f --- /dev/null +++ b/doc/fixmdoc.sed @@ -0,0 +1,5 @@ +# Replace "0 minutes" with "unlimited" +/^\.Li 0$/ { + N + s/^\.Li 0\nminutes\.$/unlimited./ +} diff --git a/doc/fixmdoc.sh b/doc/fixmdoc.sh deleted file mode 100755 index 53bf64296..000000000 --- a/doc/fixmdoc.sh +++ /dev/null 
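Review bot: doc/fixmdoc.sed is created with mode 100755, but it has no interpreter line and is only read through `$(SED) -f $(srcdir)/fixmdoc.sed`, so the executable bit serves no purpose. doc/sudo.man.in.sed, added in this same commit, is 100644. Suggest committing this file as 100644 as well, so the tree does not carry executable files that are not meant to be run.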
@@ -1,143 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2012-2014, 2017 Todd C. Miller -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -# - -OUTFILE="$1" -rm -f "$OUTFILE" -> "$OUTFILE" - -# Page specific hacks -case "$OUTFILE" in - sudo.mdoc.sed) - # Replace "0 minutes" with "unlimited" - cat >>"$OUTFILE" <<-'EOF' - /^\.Li 0$/ { - N - s/^\.Li 0\nminutes\.$/unlimited./ - } - EOF - - # BSD auth - BA_FLAG= - if [ X"$BAMAN" != X"1" ]; then - BA_FLAG='/^.*\n\.Op Fl a Ar type/{;N;/^.*\n\.Ek$/d;};' - cat >>"$OUTFILE" <<-'EOF' - /^\.It Fl a Ar type/,/BSD authentication\.$/d - EOF - fi - - # BSD login class - LC_FLAG= - if [ X"$LCMAN" != X"1" ]; then - LC_FLAG='/^.*\n\.Op Fl c Ar class/{;N;/^.*\n\.Ek$/d;};' - cat >>"$OUTFILE" <<-'EOF' - /^\.It Fl c Ar class/,/BSD login classes\.$/d - /^\.Xr login_cap 3 ,$/d - /^BSD login class$/ { - N - /^BSD login class\n\.It$/d - } - EOF - fi - - # SELinux - SE_FLAG= - if [ X"$SEMAN" != X"1" ]; then - SE_FLAG='/^.*\n\.Op Fl r Ar role/{;N;/^.*\n\.Ek$/d;};/^.*\n\.Op Fl t Ar type/{;N;/^.*\n\.Ek$/d;};' - cat >>"$OUTFILE" <<-'EOF' - /^\.It Fl r Ar role/,/^\.Ar role \.$/d - /^\.It Fl t Ar type/,/derived from the role\.$/d - /^SELinux role and type$/ { - N - /^SELinux role and type\n\.It$/d - } - EOF - fi - - # Solaris privileges - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" 
<<-'EOF' - /^Solaris project$/ { - N - N - N - /^Solaris project\n\.It\nSolaris privileges\n\.It$/d - } - EOF - fi - - # Unsupported flags must be removed together - if [ -n "$BA_FLAG$LC_FLAG$SE_FLAG" ]; then - cat >>"$OUTFILE" <<-EOF - /^\.Bk -words\$/ { - N - $BA_FLAG$LC_FLAG$SE_FLAG - } - EOF - fi - ;; - sudoers.mdoc.sed) - # Subsections to remove (SELinux and Solaris are adjacent) - RM_SS= - if [ X"$PSMAN" != X"1" ]; then - if [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss [^S]/{;/^\.Ss [^S][^o][^l]/!d;};' - else - RM_SS='/^\.Ss Solaris_Priv_Spec/,/^\.Ss/{;/^\.Ss [^S][^o][^l]/!d;};' - fi - elif [ X"$SEMAN" != X"1" ]; then - RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss/{;/^\.Ss [^S][^E][^L]/!d;};' - fi - if [ -n "$RM_SS" ]; then - cat >>"$OUTFILE" <<-EOF - $RM_SS - EOF - fi - - # BSD login class - if [ X"$LCMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - /^On BSD systems/,/\.$/d - /^\.It use_loginclass$/,/^by default\./d - EOF - fi - - # Solaris PrivSpec - if [ X"$PSMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - s/Solaris_Priv_Spec | // - /^Solaris_Priv_Spec ::=/ { - N - d - } - /^\.It \(limit\)*privs$/,/is built on Solaris 10 or higher\.$/d - /^On Solaris 10/,/^\.Pp/d - EOF - fi - - # SELinux - if [ X"$SEMAN" != X"1" ]; then - cat >>"$OUTFILE" <<-'EOF' - s/SELinux_Spec | // - /^SELinux_Spec ::=/ { - N - d - } - /^\.It [rt][oy][lp]e$/,/is built with SELinux support\.$/d - EOF - fi - ;; -esac diff --git a/doc/sudo.cat b/doc/sudo.cat index eb679c1e2..6d7671bbe 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -738,4 +738,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.26 October 27, 2018 Sudo 1.8.26 +Sudo 1.8.26 November 25, 2018 Sudo 1.8.26 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index aec771518..38d381523 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in 
@@ -19,7 +19,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDO" "8" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.TH "SUDO" "8" "November 25, 2018" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -36,7 +40,7 @@ \fBsudo\fR \fB\-v\fR [\fB\-AknS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] @@ -46,7 +50,7 @@ \fBsudo\fR \fB\-l\fR [\fB\-AknS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] @@ -57,14 +61,14 @@ .HP 5n \fBsudo\fR [\fB\-AbEHnPS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-C\fR\ \fInum\fR] -[\fB\-c\fR\ \fIclass\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-r\fR\ \fIrole\fR] -[\fB\-t\fR\ \fItype\fR] +.if \n(SL [\fB\-r\fR\ \fIrole\fR] +.if \n(SL [\fB\-t\fR\ \fItype\fR] [\fB\-T\fR\ \fItimeout\fR] [\fB\-u\fR\ \fIuser\fR] [\fIVAR\fR=\fIvalue\fR] @@ -74,9 +78,9 @@ .HP 9n \fBsudoedit\fR [\fB\-AknS\fR] -[\fB\-a\fR\ \fItype\fR] +.if \n(BA [\fB\-a\fR\ \fItype\fR] [\fB\-C\fR\ \fInum\fR] -[\fB\-c\fR\ \fIclass\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR] [\fB\-g\fR\ \fIgroup\fR] [\fB\-h\fR\ \fIhost\fR] [\fB\-p\fR\ \fIprompt\fR] @@ -188,9 +192,12 @@ If no askpass program is available, \fBsudo\fR will exit with an error. .RE +.if \n(BA \{\ .TP 12n \fB\-a\fR \fItype\fR, \fB\--auth-type\fR=\fItype\fR -Use the specified BSD authentication +Use the specified +BSD +authentication \fItype\fR when validating the user, if allowed by \fI/etc/login.conf\fR. 
@@ -199,7 +206,10 @@ authentication methods by adding an \(lqauth-sudo\(rq entry in \fI/etc/login.conf\fR. -This option is only available on systems that support BSD authentication. +This option is only available on systems that support +BSD +authentication. +.\} .TP 12n \fB\-b\fR, \fB\--background\fR Run the given command in the background. @@ -226,6 +236,7 @@ policy only permits use of the option when the administrator has enabled the \fIclosefrom_override\fR option. +.if \n(LC \{\ .TP 12n \fB\-c\fR \fIclass\fR, \fB\--login-class\fR=\fIclass\fR Run the command with resource limits and scheduling priority of @@ -250,7 +261,10 @@ If the command is being run as a login shell, additional \fI/etc/login.conf\fR settings, such as the umask and environment variables, will be applied, if present. -This option is only available on systems with BSD login classes. +This option is only available on systems with +BSD +login classes. +.\} .TP 12n \fB\-E\fR, \fB\--preserve-env\fR Indicates to the security policy that the user wishes to @@ -545,11 +559,13 @@ specified by a PAM module unless the flag is disabled in \fIsudoers\fR. .RE +.if \n(SL \{\ .TP 12n \fB\-r\fR \fIrole\fR, \fB\--role\fR=\fIrole\fR Run the command with an SELinux security context that includes the specified \fIrole\fR. +.\} .TP 12n \fB\-S\fR, \fB\--stdin\fR Write the prompt to the standard error and read the password from the @@ -568,6 +584,7 @@ If no command is specified, an interactive shell is executed. Note that most shells behave differently when a command is specified as compared to an interactive session; consult the shell's manual for details. +.if \n(SL \{\ .TP 12n \fB\-t\fR \fItype\fR, \fB\--type\fR=\fItype\fR Run the command with an SELinux security context that includes @@ -576,6 +593,7 @@ the specified If no \fItype\fR is specified, the default type is derived from the role. +.\} .TP 12n \fB\-U\fR \fIuser\fR, \fB\--other-user\fR=\fIuser\fR Used in conjunction with the 
@@ -711,18 +729,27 @@ current working directory .TP 3n \fB\(bu\fR file creation mode mask (umask) +.if \n(SL \{\ .TP 3n \fB\(bu\fR SELinux role and type +.\} +.if \n(PS \{\ .TP 3n \fB\(bu\fR Solaris project +.\} +.if \n(PS \{\ .TP 3n \fB\(bu\fR Solaris privileges +.\} +.if \n(LC \{\ .TP 3n \fB\(bu\fR -BSD login class +BSD +login class +.\} .TP 3n \fB\(bu\fR scheduling priority (aka nice value) diff --git a/doc/sudo.man.in.sed b/doc/sudo.man.in.sed new file mode 100644 index 000000000..432dd7474 --- /dev/null +++ b/doc/sudo.man.in.sed 
@@ -0,0 +1,76 @@ +s/^\(.TH .*\)/.nr SL @SEMAN@\ +.nr BA @BAMAN@\ +.nr LC @LCMAN@\ +.nr PS @PSMAN@\ +\1/ + +s/^\(\[\\fB\\-a\\fR.*\\fItype\\fR\]\) *$/.if \\n(BA \1/ +s/^\(\[\\fB\\-c\\fR.*\\fIclass\\fR\]\) *$/.if \\n(LC \1/ +s/^\(\[\\fB\\-r\\fR.*\\fIrole\\fR\]\) *$/.if \\n(SL \1/ +s/^\(\[\\fB\\-t\\fR.*\\fItype\\fR\]\) *$/.if \\n(SL \1/ + +/^\.TP 12n$/ { + N + /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/i\ +.if \\n(BA \\{\\ + /^\.TP 12n\n\\fB\\-a\\fR.*\\fItype\\fR$/!i\ +.\\} + } + } + /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/i\ +.if \\n(LC \\{\\ + /^\.TP 12n\n\\fB\\-c\\fR.*\\fIclass\\fR$/!i\ +.\\} + } + } + /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/i\ +.if \\n(SL \\{\\ + /^\.TP 12n\n\\fB\\-r\\fR.*\\fIrole\\fR$/!i\ +.\\} + } + } + /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/,/^\.TP 12n/ { + /^\.TP 12n/ { + /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/i\ +.if \\n(SL \\{\\ + /^\.TP 12n\n\\fB\\-t\\fR.*\\fItype\\fR$/!i\ +.\\} + } + } +} + +/^\.TP 3n$/ { + N + N + /^.TP 3n\n\\fB\\(bu\\fR\nSELinux role and type$/ { + i\ +.if \\n(SL \\{\\ + a\ +.\\} + } + /^.TP 3n\n\\fB\\(bu\\fR\nSolaris project$/ { + i\ +.if \\n(PS \\{\\ + a\ +.\\} + } + /^.TP 3n\n\\fB\\(bu\\fR\nSolaris privileges$/ { + i\ +.if \\n(PS \\{\\ + a\ +.\\} + } + /^.TP 3n\n\\fB\\(bu\\fR\nBSD$/ { + N + i\ +.if \\n(LC \\{\\ + a\ +.\\} + } +} diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index ebb05b146..c9b928e0c 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -18,7 +18,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd October 27, 2018 +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.Dd November 25, 2018 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
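Review bot: This script has no header comment, and its block handling is implicit: for each of `-a`, `-c`, `-r` and `-t` the closing `.\}` is inserted only when the next `.TP 12n` line is read, so an entry that ends its list or is followed by a different tag width would be closed late or not at all. A short header would make that constraint visible, for example `# Re-add the roff conditionals after mandoc -Tman; each .if block opened at an option's ".TP 12n" is closed at the next ".TP 12n".` Separately, the dot is unescaped in `s/^\(.TH .*\)/` and in the `/^.TP 3n\n.../` addresses, so it matches any character there; `\.TH` and `\.TP` would be exact.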
@@ -31,7 +35,9 @@ .Nm sudo .Fl v .Op Fl AknS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt @@ -39,7 +45,9 @@ .Nm sudo .Fl l .Op Fl AknS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt @@ -48,14 +56,20 @@ .Op Ar command .Nm sudo .Op Fl AbEHnPS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl C Ar num +.if \n(LC \{\ .Op Fl c Ar class +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt +.if \n(SL \{\ .Op Fl r Ar role .Op Fl t Ar type +.\} .Op Fl T Ar timeout .Op Fl u Ar user .Op Ar VAR Ns = Ns Ar value @@ -63,9 +77,13 @@ .Op Ar command .Nm sudoedit .Op Fl AknS +.if \n(BA \{\ .Op Fl a Ar type +.\} .Op Fl C Ar num +.if \n(LC \{\ .Op Fl c Ar class +.\} .Op Fl g Ar group .Op Fl h Ar host .Op Fl p Ar prompt @@ -171,8 +189,11 @@ Path askpass /usr/X11R6/bin/ssh-askpass If no askpass program is available, .Nm will exit with an error. +.if \n(BA \{\ .It Fl a Ar type , Fl -auth-type Ns = Ns Ar type -Use the specified BSD authentication +Use the specified +.Bx +authentication .Ar type when validating the user, if allowed by .Pa /etc/login.conf . @@ -181,7 +202,10 @@ authentication methods by adding an .Dq auth-sudo entry in .Pa /etc/login.conf . -This option is only available on systems that support BSD authentication. +This option is only available on systems that support +.Bx +authentication. +.\} .It Fl b , -background Run the given command in the background. Note that it is not possible to use shell job control to manipulate @@ -206,6 +230,7 @@ policy only permits use of the option when the administrator has enabled the .Em closefrom_override option. +.if \n(LC \{\ .It Fl c Ar class , Fl -login-class Ns = Ns Ar class Run the command with resource limits and scheduling priority of the specified login 
@@ -229,7 +254,10 @@ If the command is being run as a login shell, additional .Pa /etc/login.conf settings, such as the umask and environment variables, will be applied, if present. -This option is only available on systems with BSD login classes. +This option is only available on systems with +.Bx +login classes. +.\} .It Fl E , -preserve-env Indicates to the security policy that the user wishes to preserve their existing environment variables. @@ -493,10 +521,12 @@ specified by a PAM module unless the .Em passprompt_override flag is disabled in .Em sudoers . +.if \n(SL \{\ .It Fl r Ar role , Fl -role Ns = Ns Ar role Run the command with an SELinux security context that includes the specified .Ar role . +.\} .It Fl S , -stdin Write the prompt to the standard error and read the password from the standard input instead of using the terminal device. @@ -513,6 +543,7 @@ If no command is specified, an interactive shell is executed. Note that most shells behave differently when a command is specified as compared to an interactive session; consult the shell's manual for details. +.if \n(SL \{\ .It Fl t Ar type , Fl -type Ns = Ns Ar type Run the command with an SELinux security context that includes the specified @@ -520,6 +551,7 @@ the specified If no .Ar type is specified, the default type is derived from the role. +.\} .It Fl U Ar user , Fl -other-user Ns = Ns Ar user Used in conjunction with the .Fl l @@ -645,14 +677,21 @@ the environment list current working directory .It file creation mode mask (umask) +.if \n(SL \{\ .It SELinux role and type +.\} +.if \n(PS \{\ .It Solaris project .It Solaris privileges +.\} +.if \n(LC \{\ .It -BSD login class +.Bx +login class +.\} .It scheduling priority (aka nice value) .El diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 9574f6d82..5574bcb30 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -596,9 +596,9 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT setting the group to operator or system. OOppttiioonn__SSppeecc - A Cmnd may have zero or more options associated with it. Depending on - the system, options may consist of SELinux roles and/or types, Solaris - privileges sets, and command timeouts. Once an option is set for a Cmnd, + A Cmnd may have zero or more options associated with it. Options may + consist of SELinux roles and/or types, Solaris privileges sets, start + and/or end dates and command timeouts. Once an option is set for a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is overridden by another option. @@ -2928,4 +2928,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.26 October 27, 2018 Sudo 1.8.26 +Sudo 1.8.26 November 25, 2018 Sudo 1.8.26 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index b345ec4b7..3db57071b 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -19,7 +19,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "October 27, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.TH "SUDOERS" "5" "November 25, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -292,7 +296,10 @@ systems without PAM), the environment is initialized with the contents of the \fI/etc/environment\fR file. -On BSD systems, if the +.if \n(LC \{\ +On +BSD +systems, if the \fIuse_loginclass\fR option is enabled, the environment is initialized based on the @@ -301,6 +308,7 @@ and \fIsetenv\fR settings in \fI/etc/login.conf\fR. +.\} The new environment contains the \fRTERM\fR, \fRPATH\fR, 
@@ -483,7 +491,10 @@ systems without PAM), the contents of \fI/etc/environment\fR are also included. -On BSD systems, if the +.if \n(LC \{\ +On +BSD +systems, if the \fIuse_loginclass\fR flag is enabled, the @@ -493,6 +504,7 @@ and variables in \fI/etc/login.conf\fR are also applied. +.\} All other environment variables are removed unless permitted by \fIenv_keep\fR or @@ -1037,12 +1049,23 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' -Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.ie \n(SL \{\ +.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec) +.\} +.el \{\ +.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (Date_Spec | Timeout_Spec) +.\} +.if \n(SL \{\ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') +.\} +.if \n(PS \{\ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') +.\} Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp') Timeout_Spec ::= 'TIMEOUT=timeout' @@ -1248,8 +1271,14 @@ optionally setting the group to operator or system. A \fRCmnd\fR may have zero or more options associated with it. -Depending on the system, options may consist of SELinux roles -and/or types, Solaris privileges sets, and command timeouts. +Options may consist of +.if \n(SL \{\ +SELinux roles and/or types, +.\} +.if \n(PS \{\ +Solaris privileges sets, +.\} +start and/or end dates and command timeouts. Once an option is set for a \fRCmnd\fR, subsequent @@ -1257,6 +1286,7 @@ subsequent in the \fRCmnd_Spec_List\fR, inherit that option unless it is overridden by another option. +.if \n(SL \{\ .SS "SELinux_Spec" On systems with SELinux support, \fIsudoers\fR 
@@ -1269,6 +1299,8 @@ specified in A role or type specified on the command line, however, will supersede the values in \fIsudoers\fR. +.\} +.if \n(PS \{\ .SS "Solaris_Priv_Spec" On Solaris systems, \fIsudoers\fR @@ -1312,6 +1344,7 @@ name with either an or \(oq\-\(cq character. +.\} .SS "Date_Spec" \fBsudoers\fR rules can be specified with a start and end date via the @@ -3086,6 +3119,7 @@ will set the umask to be the union of the user's umask and what is specified in This flag is \fI@umask_override@\fR by default. +.if \n(BA \{\ .TP 18n use_loginclass If set, @@ -3100,6 +3134,7 @@ option. This flag is \fIoff\fR by default. +.\} .TP 18n use_netgroups If set, netgroups (prefixed with @@ -3563,6 +3598,7 @@ This directory should be cleared when the system reboots. The default is \fI@vardir@/lectured\fR. +.if \n(PS \{\ .TP 18n limitprivs The default Solaris limit privileges to use when constructing a new @@ -3573,6 +3609,7 @@ The default limit privileges may be overridden on a per-command basis in This option is only available if \fBsudoers\fR is built on Solaris 10 or higher. +.\} .TP 18n mailsub Subject of the mail sent to the @@ -3681,6 +3718,7 @@ flag can be used to change this behavior. The default value is \(lq\fR@passprompt@\fR\(rq. .RE +.if \n(PS \{\ .TP 18n privs The default Solaris privileges to use when constructing a new @@ -3698,6 +3736,8 @@ The default privileges may be overridden on a per-command basis in This option is only available if \fBsudoers\fR is built on Solaris 10 or higher. +.\} +.if \n(SL \{\ .TP 18n role The default SELinux role to use when constructing a new security @@ -3708,6 +3748,7 @@ file or via command line options. This option is only available when \fBsudo\fR is built with SELinux support. +.\} .TP 18n runas_default The default user to run commands as if the 
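Review bot: The `use_loginclass` entry in doc/sudoers.man.in (hunk `@@ -3086,6 +3119,7 @@`) is guarded by `.if \n(BA \{\`, while the same entry in doc/sudoers.mdoc.in (hunk `@@ -2902,6 +2935,7 @@`) and both login-class paragraphs earlier in this file test `\n(LC`. BA is set from `@BAMAN@` and LC from `@LCMAN@`, so on a build where the two differ the option would be shown or hidden by the wrong switch. The guard should read `.if \n(LC \{\`. If sudoers.man.in is regenerated from the mdoc source, the mismatch probably means the checked-in copy or its sed script is out of step, which is worth checking as well.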
@@ -3800,6 +3841,7 @@ The owner of the lecture status directory, time stamp directory and all files stored therein. The default is \fRroot\fR. +.if \n(SL \{\ .TP 18n type The default SELinux type to use when constructing a new security @@ -4199,6 +4241,7 @@ The default value is .RE .PP \fBLists that can be used in a boolean context\fR: +.\} .TP 18n env_check Environment variables to be removed from the user's environment diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index c78ac7fd2..b60c7b3bc 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -18,7 +18,11 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd October 27, 2018 +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.nr PS @PSMAN@ +.Dd November 25, 2018 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -282,7 +286,10 @@ systems without PAM), the environment is initialized with the contents of the .Pa /etc/environment file. -On BSD systems, if the +.if \n(LC \{\ +On +.Bx +systems, if the .Em use_loginclass option is enabled, the environment is initialized based on the @@ -291,6 +298,7 @@ and .Em setenv settings in .Pa /etc/login.conf . +.\} The new environment contains the .Ev TERM , .Ev PATH , @@ -470,7 +478,10 @@ systems without PAM), the contents of .Pa /etc/environment are also included. -On BSD systems, if the +.if \n(LC \{\ +On +.Bx +systems, if the .Em use_loginclass flag is enabled, the @@ -480,6 +491,7 @@ and variables in .Pa /etc/login.conf are also applied. +.\} All other environment variables are removed unless permitted by .Em env_keep or 
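Review bot: The `.if \n(SL \{\` opened before the `type` entry in doc/sudoers.man.in (hunk `@@ -3800,6 +3841,7 @@`) is not closed until hunk `@@ -4199,6 +4241,7 @@`, where `.\}` is added after the `\fBLists that can be used in a boolean context\fR:` heading. Going by the new-side line numbers that is about 400 lines, so with SL set to 0 everything from `type` through that heading would drop out of the rendered sudoers manual, not just the SELinux entry. doc/sudoers.mdoc.in closes the same block right after `is built with SELinux support.` (hunk `@@ -3567,6 +3609,7 @@`), and the `.\}` here should move to the matching place, directly after the last line of the `type` entry. The text between the two hunks is outside the diff, so the exact extent is inferred from the hunk headers.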
@@ -991,12 +1003,23 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' -Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.ie \n(SL \{\ +.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec) +.\} +.el \{\ +.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec) +.el Option_Spec ::= (Date_Spec | Timeout_Spec) +.\} +.if \n(SL \{\ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') +.\} +.if \n(PS \{\ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') +.\} Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp') Timeout_Spec ::= 'TIMEOUT=timeout' @@ -1177,8 +1200,14 @@ optionally setting the group to operator or system. A .Li Cmnd may have zero or more options associated with it. -Depending on the system, options may consist of SELinux roles -and/or types, Solaris privileges sets, and command timeouts. +Options may consist of +.if \n(SL \{\ +SELinux roles and/or types, +.\} +.if \n(PS \{\ +Solaris privileges sets, +.\} +start and/or end dates and command timeouts. Once an option is set for a .Li Cmnd , subsequent @@ -1186,6 +1215,7 @@ subsequent in the .Li Cmnd_Spec_List , inherit that option unless it is overridden by another option. +.if \n(SL \{\ .Ss SELinux_Spec On systems with SELinux support, .Em sudoers @@ -1198,6 +1228,8 @@ specified in A role or type specified on the command line, however, will supersede the values in .Em sudoers . +.\} +.if \n(PS \{\ .Ss Solaris_Priv_Spec On Solaris systems, .Em sudoers @@ -1236,6 +1268,7 @@ name with either an or .Ql \- character. +.\} .Ss Date_Spec .Nm sudoers rules can be specified with a start and end date via the @@ -2902,6 +2935,7 @@ will set the umask to be the union of the user's umask and what is specified in This flag is .Em @umask_override@ by default. +.if \n(LC \{\ .It use_loginclass If set, .Nm sudo 
@@ -2915,6 +2949,7 @@ option. This flag is .Em off by default. +.\} .It use_netgroups If set, netgroups (prefixed with .Ql + ) , @@ -3349,6 +3384,7 @@ This directory should be cleared when the system reboots. The default is .Pa @vardir@/lectured . +.if \n(PS \{\ .It limitprivs The default Solaris limit privileges to use when constructing a new privilege set for a command. @@ -3358,6 +3394,7 @@ The default limit privileges may be overridden on a per-command basis in This option is only available if .Nm is built on Solaris 10 or higher. +.\} .It mailsub Subject of the mail sent to the .Em mailto @@ -3451,6 +3488,7 @@ flag can be used to change this behavior. .Pp The default value is .Dq Li "@passprompt@" . +.if \n(PS \{\ .It privs The default Solaris privileges to use when constructing a new privilege set for a command. @@ -3467,6 +3505,8 @@ The default privileges may be overridden on a per-command basis in This option is only available if .Nm is built on Solaris 10 or higher. +.\} +.if \n(SL \{\ .It role The default SELinux role to use when constructing a new security context to run the command. @@ -3476,6 +3516,7 @@ file or via command line options. This option is only available when .Nm sudo is built with SELinux support. +.\} .It runas_default The default user to run commands as if the .Fl u @@ -3558,6 +3599,7 @@ The owner of the lecture status directory, time stamp directory and all files stored therein. The default is .Li root . +.if \n(SL \{\ .It type The default SELinux type to use when constructing a new security context to run the command. @@ -3567,6 +3609,7 @@ file or via command line options. This option is only available when .Nm sudo is built with SELinux support. +.\} .El .Pp .Sy Strings that can be used in a boolean context :