From: Todd C. Miller Date: Sun, 13 Jan 2002 18:42:15 +0000 (+0000) Subject: Regen from new sudoers.pod X-Git-Tag: SUDO_1_6_4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e869e0eb504993b167a6c9e9671f71779c7b6924;p=sudo Regen from new sudoers.pod --- diff --git a/sudoers.cat b/sudoers.cat index 728d19a28..9c69a29d5 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN -December 30, 2001 1.6.4 1 +January 13, 2002 1.6.4 1 @@ -127,7 +127,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 30, 2001 1.6.4 2 +January 13, 2002 1.6.4 2 @@ -193,7 +193,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 30, 2001 1.6.4 3 +January 13, 2002 1.6.4 3 @@ -259,7 +259,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 30, 2001 1.6.4 4 +January 13, 2002 1.6.4 4 @@ -325,7 +325,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 30, 2001 1.6.4 5 +January 13, 2002 1.6.4 5 @@ -391,7 +391,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 30, 2001 1.6.4 6 +January 13, 2002 1.6.4 6 @@ -457,7 +457,7 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) -December 30, 2001 1.6.4 7 +January 13, 2002 1.6.4 7 @@ -484,7 +484,12 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) this makes ssssuuuuddddoooo act as a setuid wrapper. This can be useful on systems that disable some potentially dangerous functionality when a - program is run setuid. + program is run setuid. Note, however, that + this means that sudo will run with the real + uid of the invoking user which may allow that + user to kill ssssuuuuddddoooo before it can log a failure, + depending on how your OS defines the interac­ + tion between signals and setuid processes. env_reset If set, ssssuuuuddddoooo will reset the environment to only contain the following variables: HOME, 
@@ -515,15 +520,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) IIIInnnntttteeeeggggeeeerrrrssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: - loglinelen Number of characters per line for the file - log. This value is used to decide when to - wrap lines for nicer log files. This has no - effect on the syslog log file, only the file - log. The default is 80 (use 0 or negate the -December 30, 2001 1.6.4 8 +January 13, 2002 1.6.4 8 @@ -532,6 +532,11 @@ December 30, 2001 1.6.4 8 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + loglinelen Number of characters per line for the file + log. This value is used to decide when to + wrap lines for nicer log files. This has no + effect on the syslog log file, only the file + log. The default is 80 (use 0 or negate the option to disable word wrap). timestamp_timeout @@ -581,15 +586,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) flag is not specified on the command line. This defaults to root. - syslog_goodpri - Syslog priority to use when user authenticates - successfully. Defaults to notice. - - -December 30, 2001 1.6.4 9 +January 13, 2002 1.6.4 9 @@ -598,6 +598,10 @@ December 30, 2001 1.6.4 9 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + syslog_goodpri + Syslog priority to use when user authenticates + successfully. Defaults to notice. + syslog_badpri Syslog priority to use when user authenticates unsuccessfully. Defaults to alert. @@ -647,15 +651,11 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) any At least one of the user's _s_u_d_o_e_r_s entries for the current host must have - the NOPASSWD flag set to avoid enter­ - ing a password. - - never The user need never enter a password - to use the ----vvvv flag. + the NOPASSWD flag set to avoid -December 30, 2001 1.6.4 10 +January 13, 2002 1.6.4 10 
@@ -664,6 +664,11 @@ December 30, 2001 1.6.4 10 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + entering a password. + + never The user need never enter a password + to use the ----vvvv flag. + always The user must always enter a password to use the ----vvvv flag. @@ -713,15 +718,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) abled by using the =, +=, -=, and ! operators respectively. The default list of environment variable to remove is printed when ssssuuuuddddoooo is run - by root with the _-_V option. - env_keep Environment variables to be preserved in the - user's environment when the _e_n_v___r_e_s_e_t option - is in effect. This allows fine-grained - -December 30, 2001 1.6.4 11 +January 13, 2002 1.6.4 11 @@ -730,7 +730,12 @@ December 30, 2001 1.6.4 11 sudoers(4) MAINTENANCE COMMANDS sudoers(4) - control over the environment ssssuuuuddddoooo-spawned pro­ + by root with the _-_V option. + + env_keep Environment variables to be preserved in the + user's environment when the _e_n_v___r_e_s_e_t option + is in effect. This allows fine-grained con­ + trol over the environment ssssuuuuddddoooo-spawned pro­ cesses will receive. The argument may be a double-quoted, space-separated list or a sin­ gle value without double-quotes. The list can @@ -780,21 +785,21 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only as ooooppppeeeerrrraaaattttoooorrrr. E.g., - sudo -u operator /bin/ls. - It is also possible to override a Runas_Spec later on in - an entry. If we modify the entry like so: +January 13, 2002 1.6.4 12 -December 30, 2001 1.6.4 12 +sudoers(4) MAINTENANCE COMMANDS sudoers(4) -sudoers(4) MAINTENANCE COMMANDS sudoers(4) + sudo -u operator /bin/ls. + It is also possible to override a Runas_Spec later on in + an entry. If we modify the entry like so: dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm 
@@ -844,16 +849,11 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) [...] Matches any character in the specified range. - [!...] Matches any character nnnnooootttt in the specified range. - - \x For any character "x", evaluates to "x". This is - used to escape special characters such as: "*", - "?", "[", and "}". -December 30, 2001 1.6.4 13 +January 13, 2002 1.6.4 13 @@ -862,6 +862,12 @@ December 30, 2001 1.6.4 13 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + [!...] Matches any character nnnnooootttt in the specified range. + + \x For any character "x", evaluates to "x". This is + used to escape special characters such as: "*", + "?", "[", and "}". + Note that a forward slash ('/') will nnnnooootttt be matched by wildcards used in the pathname. When matching the command line arguments, however, as slash ddddooooeeeessss get matched by @@ -910,16 +916,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. - The following characters must be escaped with a backslash - ('\') when used as part of a word (e.g. a username or - hostname): '@', '!', '=', ':', ',', '(', ')', '\'. -EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of - -December 30, 2001 1.6.4 14 +January 13, 2002 1.6.4 14 @@ -928,6 +928,12 @@ December 30, 2001 1.6.4 14 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + The following characters must be escaped with a backslash + ('\') when used as part of a word (e.g. a username or + hostname): '@', '!', '=', ':', ',', '(', ')', '\'. + +EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit contrived. First, we define our _a_l_i_a_s_e_s: # User alias specification 
@@ -977,22 +983,22 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) Defaults:millert !authenticate Defaults@SERVERS log_year, logfile=/var/log/sudo.log - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ - mines who may run what. - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL +January 13, 2002 1.6.4 15 -December 30, 2001 1.6.4 15 +sudoers(4) MAINTENANCE COMMANDS sudoers(4) -sudoers(4) MAINTENANCE COMMANDS sudoers(4) + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ + mines who may run what. + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL We let rrrrooooooootttt and any user in group wwwwhhhheeeeeeeellll run any command on any host as any user. @@ -1043,22 +1049,22 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I - machines as any user listed in the _O_P Runas_Alias (rrrrooooooootttt - and ooooppppeeeerrrraaaattttoooorrrr). - jim +biglab = ALL +January 13, 2002 1.6.4 16 -December 30, 2001 1.6.4 16 +sudoers(4) MAINTENANCE COMMANDS sudoers(4) -sudoers(4) MAINTENANCE COMMANDS sudoers(4) + The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I + machines as any user listed in the _O_P Runas_Alias (rrrrooooooootttt + and ooooppppeeeerrrraaaattttoooorrrr). + jim +biglab = ALL The user jjjjiiiimmmm may run any command on machines in the _b_i_g_l_a_b netgroup. SSSSuuuuddddoooo knows that "biglab" is a netgroup due to @@ -1108,16 +1114,10 @@ sudoers(4) MAINTENANCE COMMANDS sudoers(4) (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM - - Any user may mount or unmount a CD-ROM on the machines in - the CDROM Host_Alias (orion, perseus, hercules) without - entering a password. This is a bit tedious for users to -December 30, 2001 1.6.4 17 +January 13, 2002 1.6.4 17 
@@ -1126,6 +1126,12 @@ December 30, 2001 1.6.4 17 sudoers(4) MAINTENANCE COMMANDS sudoers(4) + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + + Any user may mount or unmount a CD-ROM on the machines in + the CDROM Host_Alias (orion, perseus, hercules) without + entering a password. This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. @@ -1177,12 +1183,6 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO - - - - - - -December 30, 2001 1.6.4 18 +January 13, 2002 1.6.4 18 diff --git a/sudoers.man.in b/sudoers.man.in index 6689670db..d8b8b10c6 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -1,5 +1,5 @@ .\" Automatically generated by Pod::Man version 1.15 -.\" Sun Dec 30 12:24:30 2001 +.\" Sun Jan 13 11:37:06 2002 .\" .\" Standard preamble: .\" ====================================================================== @@ -138,7 +138,7 @@ .\" ====================================================================== .\" .IX Title "sudoers @mansectform@" -.TH sudoers @mansectform@ "1.6.4" "December 30, 2001" "MAINTENANCE COMMANDS" +.TH sudoers @mansectform@ "1.6.4" "January 13, 2002" "MAINTENANCE COMMANDS" .UC .SH "NAME" sudoers \- list of which users may execute what 
@@ -513,7 +513,11 @@ UIDs are set to the target user (root by default). This option changes that behavior such that the real \s-1UID\s0 is left as the invoking user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid wrapper. This can be useful on systems that disable some potentially -dangerous functionality when a program is run setuid. +dangerous functionality when a program is run setuid. Note, however, +that this means that sudo will run with the real uid of the invoking +user which may allow that user to kill \fBsudo\fR before it can log a +failure, depending on how your \s-1OS\s0 defines the interaction between +signals and setuid processes. .Ip "env_reset" 12 .IX Item "env_reset" If set, \fBsudo\fR will reset the environment to only contain the
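Review bot: In the sudoers.man.in hunk at @@ -513 (and its rendered copy in sudoers.cat at @@ -484), the added sentence formats the program name and the UID abbreviation inconsistently with the lines around it: "this means that sudo will run with the real uid" uses plain "sudo" and lowercase "uid", while the same sentence and the unchanged context use `\fBsudo\fR` and `\s-1UID\s0`. Since both files are regenerated from sudoers.pod, the fix belongs in the pod source (B<sudo> and UID), after which this regen would pick it up. A comma before "which may allow that user to kill" would also help readability. On substance, the caveat is the right one to document: because the invoking user keeps the real UID, a signal delivered before the failure is logged leaves no audit record of the denied attempt, so the man page should make clear that this is a logging gap the administrator accepts when enabling the option.

Review bot: Every sudoers.cat hunk other than @@ -484 is re-pagination noise from the date bump ("December 30, 2001" to "January 13, 2002"): text blocks move across page boundaries unchanged, which makes the one substantive change hard to spot in review. Consider committing regenerated .cat output separately from the pod change, or noting in the commit message that only the setuid-wrapper paragraph carries new content; the matching @@ -1 and @@ -138 hunks in sudoers.man.in are likewise only the Pod::Man timestamp and .TH date.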