From 1e0f96b912e7b99f930fdad0b6171eabebed2b99 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 6 Sep 2004 20:46:28 +0000 Subject: [PATCH] regen --- sudo.cat | 234 +++++++++++++++++++++++++++++++------------------ sudo.man.in | 123 ++++++++++++++------------ sudoers.cat | 198 +++++++++++++++++++++++++++-------------- sudoers.man.in | 41 ++++++--- visudo.cat | 78 ++++++++--------- visudo.man.in | 65 ++++++++------ 6 files changed, 456 insertions(+), 283 deletions(-) diff --git a/sudo.cat b/sudo.cat index 60b05ccad..962daadac 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.8 August 17, 2004 1 +1.6.8 September 6, 2004 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.6.8 August 17, 2004 2 +1.6.8 September 6, 2004 2 @@ -178,22 +178,22 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) receive a warning and the edited copy will remain in a temporary file. + Please note that the editor used must make its changes + to the original file (really the original inode). If + the editor makes changes to a temporary file and then + just renames this to the original file name it will + not work with ssuuddooeeddiitt. + -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage mes­ sage and exit. -i The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell specified in the passwd(4) entry of the user that the command is being run as. The command name argument - given to the shell begins with a - to tell the shell - to run as a login shell. ssuuddoo attempts to change to - that user's home directory before running the shell. - It also initializes the environment, leaving _T_E_R_M - unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and - _P_A_T_H, and unsetting all other environment variables. -1.6.8 August 17, 2004 3 +1.6.8 September 6, 2004 3 
@@ -202,6 +202,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + given to the shell begins with a - to tell the shell + to run as a login shell. ssuuddoo attempts to change to + that user's home directory before running the shell. + It also initializes the environment, leaving _T_E_R_M + unchanged, setting _H_O_M_E, _S_H_E_L_L, _U_S_E_R, _L_O_G_N_A_M_E, and + _P_A_T_H, and unsetting all other environment variables. Note that because the shell to use is determined before the _s_u_d_o_e_r_s file is parsed, a _r_u_n_a_s___d_e_f_a_u_l_t setting in _s_u_d_o_e_r_s will specify the user to run the @@ -250,16 +256,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) the password database. -v If given the --vv (_v_a_l_i_d_a_t_e) option, ssuuddoo will update - the user's timestamp, prompting for the user's pass­ - word if necessary. This extends the ssuuddoo timeout for - another 5 minutes (or whatever the timeout is set to - in _s_u_d_o_e_r_s) but does not run a command. - - -- The ---- flag indicates that ssuuddoo should stop processing -1.6.8 August 17, 2004 4 +1.6.8 September 6, 2004 4 @@ -268,6 +268,12 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + the user's timestamp, prompting for the user's pass­ + word if necessary. This extends the ssuuddoo timeout for + another 5 minutes (or whatever the timeout is set to + in _s_u_d_o_e_r_s) but does not run a command. + + -- The ---- flag indicates that ssuuddoo should stop processing command line arguments. It is most useful in conjunc­ tion with the --ss flag. 
@@ -316,16 +322,10 @@ SSEECCUURRIITTYY NNOOTTEESS that ssuuddoo executes. For security reasons, if your OS supports shared libraries - and does not disable user-defined library search paths for - setuid programs (most do), you should either use a linker - option that disables this behavior or link ssuuddoo stati­ - cally. - - ssuuddoo will check the ownership of its timestamp directory -1.6.8 August 17, 2004 5 +1.6.8 September 6, 2004 5 @@ -334,6 +334,12 @@ SSEECCUURRIITTYY NNOOTTEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + and does not disable user-defined library search paths for + setuid programs (most do), you should either use a linker + option that disables this behavior or link ssuuddoo stati­ + cally. + + ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's con­ tents if it is not owned by root and only writable by root. On systems that allow non-root users to give away @@ -369,29 +375,23 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) verify that the command does not inadvertently give the user an effective root shell. -EEXXAAMMPPLLEESS - Note: the following examples assume suitable sudoers(4) - entries. - - To get a file listing of an unreadable directory: - - $ sudo ls /usr/local/protected - - To list the home directory of user yazza on a machine - where the file system holding ~yazza is not exported as - root: +EENNVVIIRROONNMMEENNTT + ssuuddoo utilizes the following environment variables: - $ sudo -u yazza ls ~yazza + EDITOR Default editor to use in -e (sudoedit) mode if + VISUAL is not set - To edit the _i_n_d_e_x_._h_t_m_l file as user www: + HOME In -s or -H mode (or if sudo was configured with + the --enable-shell-sets-home option), set to + homedir of the target user - $ sudo -u www vi ~www/htdocs/index.html + PATH Set to a sane value if sudo was configured with + the --with-secure-path option - To shutdown a machine: -1.6.8 August 17, 2004 6 +1.6.8 September 6, 2004 6 
@@ -400,27 +400,6 @@ EEXXAAMMPPLLEESS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - $ sudo shutdown -r +15 "quick reboot" - - To make a usage listing of the directories in the /home - partition. Note that this runs the commands in a sub- - shell to make the cd and file redirection work. - - $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" - -EENNVVIIRROONNMMEENNTT - ssuuddoo utilizes the following environment variables: - - EDITOR Default editor to use in -e (sudoedit) mode if - VISUAL is not set - - HOME In -s or -H mode (or if sudo was configured with - the --enable-shell-sets-home option), set to - homedir of the target user - - PATH Set to a sane value if sudo was configured with - the --with-secure-path option - SHELL Used to determine shell to run with -s option SUDO_PROMPT Used as the default password prompt 
@@ -444,20 +423,41 @@ FFIILLEESS /etc/sudoers List of who can run what /var/run/sudo Directory containing timestamps -AAUUTTHHOORRSS - Many people have worked on ssuuddoo over the years; this ver­ - sion consists of code written primarily by: +EEXXAAMMPPLLEESS + Note: the following examples assume suitable sudoers(4) + entries. - Todd Miller - Chris Jepeway + To get a file listing of an unreadable directory: - See the HISTORY file in the ssuuddoo distribution or visit - http://www.sudo.ws/sudo/history.html for a short history - of ssuuddoo. + $ sudo ls /usr/local/protected + + To list the home directory of user yazza on a machine + where the file system holding ~yazza is not exported as + root: + + $ sudo -u yazza ls ~yazza + + To edit the _i_n_d_e_x_._h_t_m_l file as user www: + + $ sudo -u www vi ~www/htdocs/index.html + + To shutdown a machine: + + $ sudo shutdown -r +15 "quick reboot" + + To make a usage listing of the directories in the /home + partition. Note that this runs the commands in a sub- + shell to make the cd and file redirection work. + + $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" + +SSEEEE AALLSSOO + _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(4), + passwd(4), visudo(1m) -1.6.8 August 17, 2004 7 +1.6.8 September 6, 2004 7 
@@ -466,16 +466,16 @@ AAUUTTHHOORRSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -BBUUGGSS - If you feel you have found a bug in sudo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this ver­ + sion consists of code written primarily by: -DDIISSCCLLAAIIMMEERR - SSuuddoo is provided ``AS IS'' and any express or implied war­ - ranties, including, but not limited to, the implied war­ - ranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo for complete details. + Todd Miller + Chris Jepeway + + See the HISTORY file in the ssuuddoo distribution or visit + http://www.sudo.ws/sudo/history.html for a short history + of ssuuddoo. CCAAVVEEAATTSS There is no easy way to prevent a user from gaining a root 
@@ -502,12 +502,78 @@ CCAAVVEEAATTSS Running shell scripts via ssuuddoo can expose the same kernel bugs that make setuid shell scripts unsafe on some operat­ - ing systems (if your OS supports the /dev/fd/ directory, - setuid shell scripts are generally safe). + ing systems (if your OS has a /dev/fd/ directory, setuid + shell scripts are generally safe). + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a + bug report at http://www.sudo.ws/sudo/bugs/ + +SSUUPPPPOORRTT + Commercial support is available for ssuuddoo, see + http://www.sudo.ws/sudo/support.html for details. + + Limited free support is available via the sudo-users mail­ + ing list, see http://www.sudo.ws/mail­ + man/listinfo/sudo-users to subscribe or search the + archives. + +DDIISSCCLLAAIIMMEERR + SSuuddoo is provided ``AS IS'' and any express or implied + + + +1.6.8 September 6, 2004 8 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + + warranties, including, but not limited to, the implied + warranties of merchantability and fitness for a particular + purpose are disclaimed. See the LICENSE file distributed + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ + plete details. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), sudoers(4), - passwd(4), visudo(1m) @@ -523,6 +589,6 @@ SSEEEE AALLSSOO -1.6.8 August 17, 2004 8 +1.6.8 September 6, 2004 9 diff --git a/sudo.man.in b/sudo.man.in index cfdd1a464..4134bd8a9 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "August 17, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" 
@@ -299,6 +299,11 @@ the invoking user's environment unmodified. If, for some reason, \&\fBsudo\fR is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file. +.Sp +Please note that the editor used must make its changes to the +original file (really the original inode). If the editor makes +changes to a temporary file and then just renames this to the +original file name it will not work with \fBsudoedit\fR. .RE .IP "\-h" 4 .IX Item "-h" @@ -460,42 +465,6 @@ commands that offer shell escapes (including most editors). Because of this, care must be taken when giving users access to commands via \fBsudo\fR to verify that the command does not inadvertently give the user an effective root shell. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Note: the following examples assume suitable sudoers(@mansectform@) entries. -.PP -To get a file listing of an unreadable directory: -.PP -.Vb 1 -\& $ sudo ls /usr/local/protected -.Ve -.PP -To list the home directory of user yazza on a machine where the -file system holding ~yazza is not exported as root: -.PP -.Vb 1 -\& $ sudo -u yazza ls ~yazza -.Ve -.PP -To edit the \fIindex.html\fR file as user www: -.PP -.Vb 1 -\& $ sudo -u www vi ~www/htdocs/index.html -.Ve -.PP -To shutdown a machine: -.PP -.Vb 1 -\& $ sudo shutdown -r +15 "quick reboot" -.Ve -.PP -To make a usage listing of the directories in the /home -partition. Note that this runs the commands in a sub-shell -to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. -.PP -.Vb 1 -\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" -.Ve .SH "ENVIRONMENT" .IX Header "ENVIRONMENT" \&\fBsudo\fR utilizes the following environment variables: 
@@ -558,6 +527,46 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. \& @sysconfdir@/sudoers List of who can run what \& @timedir@ Directory containing timestamps .Ve +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Note: the following examples assume suitable sudoers(@mansectform@) entries. +.PP +To get a file listing of an unreadable directory: +.PP +.Vb 1 +\& $ sudo ls /usr/local/protected +.Ve +.PP +To list the home directory of user yazza on a machine where the +file system holding ~yazza is not exported as root: +.PP +.Vb 1 +\& $ sudo -u yazza ls ~yazza +.Ve +.PP +To edit the \fIindex.html\fR file as user www: +.PP +.Vb 1 +\& $ sudo -u www vi ~www/htdocs/index.html +.Ve +.PP +To shutdown a machine: +.PP +.Vb 1 +\& $ sudo shutdown -r +15 "quick reboot" +.Ve +.PP +To make a usage listing of the directories in the /home +partition. Note that this runs the commands in a sub-shell +to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. +.PP +.Vb 1 +\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@), +passwd(@mansectform@), visudo(@mansectsu@) .SH "AUTHORS" .IX Header "AUTHORS" Many people have worked on \fBsudo\fR over the years; this 
@@ -571,16 +580,6 @@ version consists of code written primarily by: See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit http://www.sudo.ws/sudo/history.html for a short history of \fBsudo\fR. -.SH "BUGS" -.IX Header "BUGS" -If you feel you have found a bug in sudo, please submit a bug report -at http://www.sudo.ws/sudo/bugs/ -.SH "DISCLAIMER" -.IX Header "DISCLAIMER" -\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, -including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. -See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details. .SH "CAVEATS" .IX Header "CAVEATS" There is no easy way to prevent a user from gaining a root shell 
@@ -604,11 +603,25 @@ If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from creating their own program that gives them a root shell regardless of any '!' elements in the user specification. .PP -Running shell scripts via \fBsudo\fR can expose the same kernel bugs -that make setuid shell scripts unsafe on some operating systems -(if your \s-1OS\s0 supports the /dev/fd/ directory, setuid shell scripts -are generally safe). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), sudoers(@mansectform@), -passwd(@mansectform@), visudo(@mansectsu@) +Running shell scripts via \fBsudo\fR can expose the same kernel bugs that +make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0 +has a /dev/fd/ directory, setuid shell scripts are generally safe). +.SH "BUGS" +.IX Header "BUGS" +If you feel you have found a bug in \fBsudo\fR, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Commercial support is available for \fBsudo\fR, see +http://www.sudo.ws/sudo/support.html for details. +.PP +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. +.SH "DISCLAIMER" +.IX Header "DISCLAIMER" +\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details. diff --git a/sudoers.cat b/sudoers.cat index 8a828b28c..065b4dd12 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.6.8 August 6, 2004 1 +1.6.8 September 6, 2004 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 2 +1.6.8 September 6, 2004 2 
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 3 +1.6.8 September 6, 2004 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 4 +1.6.8 September 6, 2004 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 5 +1.6.8 September 6, 2004 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 6 +1.6.8 September 6, 2004 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 7 +1.6.8 September 6, 2004 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 8 +1.6.8 September 6, 2004 8 @@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 9 +1.6.8 September 6, 2004 9 @@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 10 +1.6.8 September 6, 2004 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 11 +1.6.8 September 6, 2004 11 @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 12 +1.6.8 September 6, 2004 12 @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 13 +1.6.8 September 6, 2004 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 14 +1.6.8 September 6, 2004 14 @@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 15 +1.6.8 September 6, 2004 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.8 August 6, 2004 16 +1.6.8 September 6, 2004 16 
@@ -1103,21 +1103,21 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ('\') when used as part of a word (e.g. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'. +FFIILLEESS + /etc/sudoers List of who can run what + /etc/group Local groups file + /etc/netgroup List of network groups + EEXXAAMMPPLLEESS Since the _s_u_d_o_e_r_s file is parsed in a single pass, order is important. In general, you should structure _s_u_d_o_e_r_s such that the Host_Alias, User_Alias, and Cmnd_Alias spec­ ifications come first, followed by any Default_Entry - lines, and finally the Runas_Alias and user specifica­ - tions. The basic rule of thumb is you cannot reference an - Alias that has not already been defined. + lines, and finally the Runas_Alias and user - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of - these are a bit contrived. First, we define our _a_l_i_a_s_e_s: - -1.6.8 August 6, 2004 17 +1.6.8 September 6, 2004 17 @@ -1126,6 +1126,12 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + specifications. The basic rule of thumb is you cannot + reference an Alias that has not already been defined. + + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of + these are a bit contrived. First, we define our _a_l_i_a_s_e_s: + # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl @@ -1169,21 +1175,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the year in each log line since the log entries will be kept around for several years. - # Override built-in defaults - Defaults syslog=auth - Defaults>root !set_logname - Defaults:FULLTIMERS !lecture - Defaults:millert !authenticate - Defaults@SERVERS log_year, logfile=/var/log/sudo.log - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ - mines who may run what. -1.6.8 August 6, 2004 18 + + +1.6.8 September 6, 2004 18 
@@ -1192,6 +1192,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + # Override built-in defaults + Defaults syslog=auth + Defaults>root !set_logname + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ + mines who may run what. + root ALL = (ALL) ALL %wheel ALL = (ALL) ALL @@ -1237,27 +1247,26 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root - The user ppeettee is allowed to change anyone's password - except for root on the _H_P_P_A machines. Note that this - assumes _p_a_s_s_w_d(1) does not take multiple usernames on the - command line. - - bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I - machines as any user listed in the _O_P Runas_Alias (rroooott +1.6.8 September 6, 2004 19 -1.6.8 August 6, 2004 19 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + The user ppeettee is allowed to change anyone's password + except for root on the _H_P_P_A machines. Note that this + assumes _p_a_s_s_w_d(1) does not take multiple usernames on the + command line. + bob SPARC = (OP) ALL : SGI = (OP) ALL + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I + machines as any user listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). jim +biglab = ALL 
@@ -1304,25 +1313,25 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) On his personal workstation, valkyrie, mmaatttt needs to be able to kill hung processes. - WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias - (will, wendy, and wim), may run any command as user www - (which owns the web pages) or simply _s_u(1) to www. - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM +1.6.8 September 6, 2004 20 -1.6.8 August 6, 2004 20 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + WEBMASTERS www = (www) ALL, (root) /usr/bin/su www -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias + (will, wendy, and wim), may run any command as user www + (which owns the web pages) or simply _s_u(1) to www. + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM Any user may mount or unmount a CD-ROM on the machines in the CDROM Host_Alias (orion, perseus, hercules) without 
@@ -1369,27 +1378,27 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS sudo -V | grep "dummy exec" - If the resulting output contains a line that begins with: - File containing dummy exec functions: - then ssuuddoo may be able to replace the exec family of func­ - tions in the standard library with its own that simply - return an error. Unfortunately, there is no foolproof way - to know whether or not _n_o_e_x_e_c will work at compile-time. - _N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, +1.6.8 September 6, 2004 21 -1.6.8 August 6, 2004 21 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If the resulting output contains a line that begins with: + File containing dummy exec functions: + then ssuuddoo may be able to replace the exec family of func­ + tions in the standard library with its own that simply + return an error. Unfortunately, there is no foolproof way + to know whether or not _n_o_e_x_e_c will work at compile-time. + _N_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and UnixWare. _N_o_e_x_e_c is expected to work on most operating systems that support the LD_PRELOAD envi­ @@ -1418,6 +1427,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tion. In the specific case of an editor, a safer approach is to give the user permission to run ssuuddooeeddiitt. +SSEEEE AALLSSOO + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) + CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which locks the file and does grammatical check­ 
@@ -1431,13 +1443,67 @@ CCAAVVEEAATTSS hostname be fully qualified as returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. -FFIILLEESS - /etc/sudoers List of who can run what - /etc/group Local groups file - /etc/netgroup List of network groups -SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), sudo(1m), visudo(1m) + + + +1.6.8 September 6, 2004 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a + bug report at http://www.sudo.ws/sudo/bugs/ + +SSUUPPPPOORRTT + Commercial support is available for ssuuddoo, see + http://www.sudo.ws/sudo/support.html for details. + + Limited free support is available via the sudo-users mail­ + ing list, see http://www.sudo.ws/mail­ + man/listinfo/sudo-users to subscribe or search the + archives. + +DDIISSCCLLAAIIMMEERR + SSuuddoo is provided ``AS IS'' and any express or implied war­ + ranties, including, but not limited to, the implied war­ + ranties of merchantability and fitness for a particular + purpose are disclaimed. See the LICENSE file distributed + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ + plete details. + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1447,6 +1513,6 @@ SSEEEE AALLSSOO -1.6.8 August 6, 2004 22 +1.6.8 September 6, 2004 23 diff --git a/sudoers.man.in b/sudoers.man.in index 27a89473e..d105e31f5 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "August 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" 
@@ -1069,6 +1069,13 @@ characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional. The following characters must be escaped with a backslash ('\e') when used as part of a word (e.g. a username or hostname): \&'@', '!', '=', ':', ',', '(', ')', '\e'. +.SH "FILES" +.IX Header "FILES" +.Vb 3 +\& @sysconfdir@/sudoers List of who can run what +\& /etc/group Local groups file +\& /etc/netgroup List of network groups +.Ve .SH "EXAMPLES" .IX Header "EXAMPLES" Since the \fIsudoers\fR file is parsed in a single pass, order is @@ -1366,6 +1373,9 @@ as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead to unintended privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run \fBsudoedit\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) .SH "CAVEATS" .IX Header "CAVEATS" The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR 
@@ -1378,13 +1388,22 @@ store fully qualified hostnames in the netgroup (as is usually the case), you either need to have the machine's hostname be fully qualified as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in \&\fIsudoers\fR. -.SH "FILES" -.IX Header "FILES" -.Vb 3 -\& @sysconfdir@/sudoers List of who can run what -\& /etc/group Local groups file -\& /etc/netgroup List of network groups -.Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@) +.SH "BUGS" +.IX Header "BUGS" +If you feel you have found a bug in \fBsudo\fR, please submit a bug report +at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Commercial support is available for \fBsudo\fR, see +http://www.sudo.ws/sudo/support.html for details. +.PP +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. +.SH "DISCLAIMER" +.IX Header "DISCLAIMER" +\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details. diff --git a/visudo.cat b/visudo.cat index a5aee2bf6..bdf817d2e 100644 --- a/visudo.cat +++ b/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.6.8 June 8, 2004 1 +1.6.8 September 6, 2004 1 
@@ -88,7 +88,18 @@ VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) -V The --VV (version) option causes vviissuuddoo to print its version number and exit. -EERRRROORRSS +EENNVVIIRROONNMMEENNTT + The following environment variables are used only if + vviissuuddoo was configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option: + + VISUAL Invoked by visudo as the editor to use + EDITOR Used by visudo if VISUAL is not set + +FFIILLEESS + /etc/sudoers List of who can run what + /etc/sudoers.tmp Lock file for visudo + +DDIIAAGGNNOOSSTTIICCSS sudoers file busy, try again later. Someone else is currently editing the _s_u_d_o_e_r_s file. @@ -113,21 +124,10 @@ EERRRROORRSS used. This means that entries prior to the _r_u_n_a_s___d_e_f_a_u_l_t setting will match based on the default value of _r_u_n_a_s___d_e_f_a_u_l_t (root) whereas entries aafftteerr - the _r_u_n_a_s___d_e_f_a_u_l_t setting will match based on the new - value. This is usually unintentional and in most - cases the setting should be placed - before any Runas_Alias or User specifications. In --ss - (strict) mode this is an error, not a warning. - -EENNVVIIRROONNMMEENNTT - The following environment variables are used only if - vviissuuddoo was configured with the _-_-_w_i_t_h_-_e_n_v_-_e_d_i_t_o_r option: - - -1.6.8 June 8, 2004 2 +1.6.8 September 6, 2004 2 @@ -136,12 +136,14 @@ EENNVVIIRROONNMMEENNTT VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) - VISUAL Invoked by visudo as the editor to use - EDITOR Used by visudo if VISUAL is not set + the _r_u_n_a_s___d_e_f_a_u_l_t setting will match based on the new + value. This is usually unintentional and in most + cases the setting should be placed + before any Runas_Alias or User specifications. In --ss + (strict) mode this is an error, not a warning. -FFIILLEESS - /etc/sudoers List of who can run what - /etc/sudoers.tmp Lock file for visudo +SSEEEE AALLSSOO + _v_i(1), sudoers(4), sudo(1m), vipw(1m) AAUUTTHHOORR Many people have worked on _s_u_d_o over the years; this ver­ 
@@ -152,32 +154,30 @@ AAUUTTHHOORR See the HISTORY file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details. -BBUUGGSS - If you feel you have found a bug in sudo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ - -DDIISSCCLLAAIIMMEERR - VViissuuddoo is provided ``AS IS'' and any express or implied - warranties, including, but not limited to, the implied - warranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo for complete details. - CCAAVVEEAATTSS There is no easy way to prevent a user from gaining a root shell if the editor used by vviissuuddoo allows shell escapes. -SSEEEE AALLSSOO - _v_i(1), sudoers(4), sudo(1m), vipw(1m) - - - - - - +BBUUGGSS + If you feel you have found a bug in vviissuuddoo, please submit + a bug report at http://www.sudo.ws/sudo/bugs/ +SSUUPPPPOORRTT + Commercial support is available for ssuuddoo, see + http://www.sudo.ws/sudo/support.html for details. + Limited free support is available via the sudo-users mail­ + ing list, see http://www.sudo.ws/mail­ + man/listinfo/sudo-users to subscribe or search the + archives. +DDIISSCCLLAAIIMMEERR + VViissuuddoo is provided ``AS IS'' and any express or implied + warranties, including, but not limited to, the implied + warranties of merchantability and fitness for a particular + purpose are disclaimed. See the LICENSE file distributed + with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ + plete details. @@ -193,6 +193,6 @@ SSEEEE AALLSSOO -1.6.8 June 8, 2004 3 +1.6.8 September 6, 2004 3 diff --git a/visudo.man.in b/visudo.man.in index 907f97e36..b00424c9d 100644 --- a/visudo.man.in +++ b/visudo.man.in 
@@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "June 8, 2004" "1.6.8" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS" @@ -221,8 +221,23 @@ letters, digits, and the underscore ('_') character. .IX Item "-V" The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number and exit. -.SH "ERRORS" -.IX Header "ERRORS" +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +The following environment variables are used only if \fBvisudo\fR +was configured with the \fI\-\-with\-env\-editor\fR option: +.PP +.Vb 2 +\& VISUAL Invoked by visudo as the editor to use +\& EDITOR Used by visudo if VISUAL is not set +.Ve +.SH "FILES" +.IX Header "FILES" +.Vb 2 +\& @sysconfdir@/sudoers List of who can run what +\& @sysconfdir@/sudoers.tmp Lock file for visudo +.Ve +.SH "DIAGNOSTICS" +.IX Header "DIAGNOSTICS" .IP "sudoers file busy, try again later." 4 .IX Item "sudoers file busy, try again later." Someone else is currently editing the \fIsudoers\fR file. 
@@ -251,21 +266,9 @@ value. This is usually unintentional and in most cases the setting should be placed before any \f(CW\*(C`Runas_Alias\*(C'\fR or User specifications. In \fB\-s\fR (strict) mode this is an error, not a warning. -.SH "ENVIRONMENT" -.IX Header "ENVIRONMENT" -The following environment variables are used only if \fBvisudo\fR -was configured with the \fI\-\-with\-env\-editor\fR option: -.PP -.Vb 2 -\& VISUAL Invoked by visudo as the editor to use -\& EDITOR Used by visudo if VISUAL is not set -.Ve -.SH "FILES" -.IX Header "FILES" -.Vb 2 -\& @sysconfdir@/sudoers List of who can run what -\& @sysconfdir@/sudoers.tmp Lock file for visudo -.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@) .SH "AUTHOR" .IX Header "AUTHOR" Many people have worked on \fIsudo\fR over the years; this version of 
@@ -277,20 +280,26 @@ Many people have worked on \fIsudo\fR over the years; this version of .PP See the \s-1HISTORY\s0 file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details. +.SH "CAVEATS" +.IX Header "CAVEATS" +There is no easy way to prevent a user from gaining a root shell if +the editor used by \fBvisudo\fR allows shell escapes. .SH "BUGS" .IX Header "BUGS" -If you feel you have found a bug in sudo, please submit a bug report +If you feel you have found a bug in \fBvisudo\fR, please submit a bug report at http://www.sudo.ws/sudo/bugs/ +.SH "SUPPORT" +.IX Header "SUPPORT" +Commercial support is available for \fBsudo\fR, see +http://www.sudo.ws/sudo/support.html for details. +.PP +Limited free support is available via the sudo-users mailing list, +see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or +search the archives. .SH "DISCLAIMER" .IX Header "DISCLAIMER" \&\fBVisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability -and fitness for a particular purpose are disclaimed. -See the \s-1LICENSE\s0 file distributed with \fBsudo\fR for complete details. -.SH "CAVEATS" -.IX Header "CAVEATS" -There is no easy way to prevent a user from gaining a root shell if -the editor used by \fBvisudo\fR allows shell escapes. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIvi\fR\|(1), sudoers(@mansectform@), sudo(@mansectsu@), vipw(@mansectsu@) +and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0 +file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html +for complete details. -- 2.40.0
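Review bot: the new documentation text in the sudo.man.in hunk at @@ -299,6 +299,11 @@ (the paragraph beginning "Please note that the editor used must make its changes to the original file (really the original inode)"), together with the new SUPPORT sections, the section reordering and the ERRORS to DIAGNOSTICS rename in the later hunks, must also exist in the pod sources these pages are generated from (the .IX and \f(CW\*(C` markup shows they are pod2man output); if those source changes are not in this or a preceding commit, the next regen silently reverts them, and the one-word commit message "regen" should at least name the content changes so a reader can find the source commit. A wording suggestion for the new sudoedit paragraph: it is the explanation for the warning described in the sentence just before it, so opening with "This is one reason sudo may be unable to update the file: the editor used must make its changes to the original file (really the original inode) ..." ties the two together.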
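Review bot: in the three .cat SUPPORT hunks (sudo.cat @@ -502,12 +502,78 @@, sudoers.cat @@ -1431,13 +1443,67 @@, visudo.cat @@ -152,32 +154,30 @@) the formatter has hyphenated the mailing-list address across lines as "http://www.sudo.ws/mail­" / "man/listinfo/sudo-users", so a reader copying it from the preformatted page gets a soft hyphen in the middle of the URL; the other URL in the same section, http://www.sudo.ws/sudo/support.html, begins its own line and survives intact, so consider rewording the source sentence so the listinfo URL also starts a line, or marking it non-hyphenatable, before regenerating.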
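Review bot: now that the sections are being moved into the conventional order (ENVIRONMENT, FILES, EXAMPLES, SEE ALSO, AUTHORS, CAVEATS, BUGS, SUPPORT, DISCLAIMER) and ERRORS is renamed to DIAGNOSTICS in the visudo.man.in hunk at @@ -221,8 +221,23 @@, the one heading left inconsistent is "AUTHOR" in visudo.cat and visudo.man.in (visible as context in the @@ -136,12 +136,14 @@ and @@ -251,21 +266,9 @@ hunks) versus "AUTHORS" in sudo.cat and sudo.man.in; the visudo text under that heading itself reads "Many people have worked on sudo over the years", so the plural heading fits and this regen is the natural place to align it.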