From 3442a0aeae16e3b7bcc3a114ee22c17669e68a28 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 23 Oct 2012 10:21:24 -0400 Subject: [PATCH] Use a list for the possible values of Tag_Spec with a minimal indent to improve readability. In the pod version, these were =head3. Also use .St -p1003.1 instead of just POSIX when talking about glob() and fnmatch(). --- doc/sudoers.cat | 103 ++++++++++++++++++++++---------------------- doc/sudoers.man.in | 54 +++++++++++++---------- doc/sudoers.mdoc.in | 35 +++++++-------- 3 files changed, 100 insertions(+), 92 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index bc835cef5..9b6fa2105 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -469,76 +469,77 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT it is overridden by the opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). - _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + _N_O_P_A_S_S_W_D and _P_A_S_S_W_D - By default, ssuuddoo requires that a user authenticate him or herself before - running a command. This behavior can be modified via the NOPASSWD tag. - Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that - follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used - to reverse things. For example: + By default, ssuuddoo requires that a user authenticate him or herself + before running a command. This behavior can be modified via the + NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for + the commands that follow it in the Cmnd_Spec_List. Conversely, the + PASSWD tag can be used to reverse things. For example: - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as - rroooott on the machine rushmore without authenticating himself. If we only - want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would - be: + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m + as rroooott on the machine rushmore without authenticating himself. If we + only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry + would be: - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - Note, however, that the PASSWD tag has no effect on users who are in the - group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + Note, however, that the PASSWD tag has no effect on users who are in + the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. 
- By default, if the NOPASSWD tag is applied to any of the entries for a - user on the current host, he or she will be able to run ``sudo -l'' - without a password. Additionally, a user may only run ``sudo -v'' - without a password if the NOPASSWD tag is present for all a user's - entries that pertain to the current host. This behavior may be - overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run ``sudo -l'' + without a password. Additionally, a user may only run ``sudo -v'' + without a password if the NOPASSWD tag is present for all a user's + entries that pertain to the current host. This behavior may be + overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. - _N_O_E_X_E_C _a_n_d _E_X_E_C + _N_O_E_X_E_C and _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how - NOEXEC works and whether or not it will work on your system. 
+ See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how + NOEXEC works and whether or not it will work on your system. - _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + _S_E_T_E_N_V and _N_O_S_E_T_E_N_V - These tags override the value of the _s_e_t_e_n_v option on a per-command - basis. Note that if SETENV has been set for a command, the user may - disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. - Additionally, environment variables set on the command line are not - subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or - _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables - in this manner. If the command matched is AALLLL, the SETENV tag is implied - for that command; this default may be overridden by use of the NOSETENV - tag. + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, the user may + disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + Additionally, environment variables set on the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set + variables in this manner. If the command matched is AALLLL, the SETENV + tag is implied for that command; this default may be overridden by use + of the NOSETENV tag. - _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T + _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T - These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___i_n_p_u_t in the - _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. + These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command + basis. 
For more information, see the description of _l_o_g___i_n_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. - _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T + _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T - These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command - basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the - _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. + These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. WWiillddccaarrddss ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be used in host names, path names and command line arguments in the _s_u_d_o_e_r_s - file. Wildcard matching is done via the PPOOSSIIXX glob(3) and fnmatch(3) - routines. Note that these are _n_o_t regular expressions. + file. Wildcard matching is done via the glob(3) and fnmatch(3) functions + as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are _n_o_t + regular expressions. * Matches any set of zero or more characters. @@ -551,7 +552,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT \x For any character `x', evaluates to `x'. This is used to escape special characters such as: `*', `?', `[', and `]'. - POSIX character classes may also be used if your system's glob(3) and + Character classes may also be used if your system's glob(3) and fnmatch(3) functions support them. However, because the `:' character has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: @@ -2091,4 +2092,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.6 September 15, 2012 Sudo 1.8.6 +Sudo 1.8.6 October 23, 2012 Sudo 1.8.6 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 6494bb550..2e22114c6 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "@mansectsu@" "September 15, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" +.TH "SUDOERS" "@mansectsu@" "October 23, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -1028,9 +1028,9 @@ and \fRNOEXEC\fR overrides \fREXEC\fR). -.PP -\fINOPASSWD and PASSWD\fR -.PP +.TP 2n +\fINOPASSWD\fR and \fIPASSWD\fR +.sp By default, \fBsudo\fR requires that a user authenticate him or herself @@ -1049,13 +1049,14 @@ Conversely, the \fRPASSWD\fR tag can be used to reverse things. For example: +.RS .nf .sp .RS 0n ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm .RE .fi -.PP +.sp would allow the user \fBray\fR to run @@ -1078,13 +1079,13 @@ without a password the entry would be: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm .RE .fi -.PP +.sp Note, however, that the \fRPASSWD\fR tag has no effect on users who are in the group specified by the \fIexempt_group\fR option. -.PP +.sp By default, if the \fRNOPASSWD\fR tag is applied to any of the entries for a user on the current host, @@ -1102,8 +1103,11 @@ and \fIlistpw\fR options. .PP -\fINOEXEC and EXEC\fR -.PP +.RE +.PD 0 +.TP 2n +\fINOEXEC\fR and \fIEXEC\fR +.sp If \fBsudo\fR has been compiled with @@ -1112,7 +1116,7 @@ support and the underlying operating system supports it, the \fRNOEXEC\fR tag can be used to prevent a dynamically-linked executable from running further commands itself. -.PP +.sp In the following example, user \fBaaron\fR may run 
@@ -1120,21 +1124,26 @@ may run and \fI/usr/bin/vi\fR but shell escapes will be disabled. +.RS .nf .sp .RS 0n aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi .RE .fi -.PP +.sp See the \fIPreventing shell escapes\fR section below for more details on how \fRNOEXEC\fR works and whether or not it will work on your system. +.PD .PP -\fISETENV and NOSETENV\fR -.PP +.RE +.PD 0 +.TP 2n +\fISETENV\fR and \fINOSETENV\fR +.sp These tags override the value of the \fIsetenv\fR option on a per-command basis. @@ -1159,9 +1168,10 @@ the tag is implied for that command; this default may be overridden by use of the \fRNOSETENV\fR tag. -.PP -\fILOG_INPUT and NOLOG_INPUT\fR -.PP +.PD +.TP 2n +\fILOG_INPUT\fR and \fINOLOG_INPUT\fR +.sp These tags override the value of the \fIlog_input\fR option on a per-command basis. @@ -1170,9 +1180,9 @@ For more information, see the description of in the \fISUDOERS OPTIONS\fR section below. -.PP -\fILOG_OUTPUT and NOLOG_OUTPUT\fR -.PP +.TP 2n +\fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR +.sp These tags override the value of the \fIlog_output\fR option on a per-command basis. @@ -1190,11 +1200,11 @@ to be used in host names, path names and command line arguments in the \fIsudoers\fR file. Wildcard matching is done via the -\fBPOSIX\fR glob(3) and fnmatch(3) -routines. +functions as specified by +IEEE Std 1003.1 (\(lqPOSIX.1\(rq). Note that these are \fInot\fR regular expressions. @@ -1225,7 +1235,7 @@ This is used to escape special characters such as: and `]\&'. .PP -POSIX character classes may also be used if your system's +Character classes may also be used if your system's glob(3) and fnmatch(3) diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 8d642d91c..b912e8ca5 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd September 15, 2012 +.Dd October 23, 2012 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -970,9 +970,9 @@ and .Li NOEXEC overrides .Li EXEC ) . -.Pp -.Em NOPASSWD and PASSWD -.Pp +.Bl -hang -width 0n +.It Em NOPASSWD No and Em PASSWD +.sp By default, .Nm sudo requires that a user authenticate him or herself @@ -1037,9 +1037,8 @@ This behavior may be overridden via the and .Em listpw options. -.Pp -.Em NOEXEC and EXEC -.Pp +.It Em NOEXEC No and Em EXEC +.sp If .Nm sudo has been compiled with @@ -1065,9 +1064,8 @@ See the section below for more details on how .Li NOEXEC works and whether or not it will work on your system. -.Pp -.Em SETENV and NOSETENV -.Pp +.It Em SETENV No and Em NOSETENV +.sp These tags override the value of the .Em setenv option on a per-command basis. @@ -1092,9 +1090,8 @@ the tag is implied for that command; this default may be overridden by use of the .Li NOSETENV tag. -.Pp -.Em LOG_INPUT and NOLOG_INPUT -.Pp +.It Em LOG_INPUT No and Em NOLOG_INPUT +.sp These tags override the value of the .Em log_input option on a per-command basis. @@ -1103,9 +1100,8 @@ For more information, see the description of in the .Sx SUDOERS OPTIONS section below. -.Pp -.Em LOG_OUTPUT and NOLOG_OUTPUT -.Pp +.It Em LOG_OUTPUT No and Em NOLOG_OUTPUT +.sp These tags override the value of the .Em log_output option on a per-command basis. @@ -1114,6 +1110,7 @@ For more information, see the description of in the .Sx SUDOERS OPTIONS section below. +.El .Ss Wildcards .Nm sudo allows shell-style @@ -1123,11 +1120,11 @@ to be used in host names, path names and command line arguments in the .Em sudoers file. Wildcard matching is done via the -.Sy POSIX .Xr glob 3 and .Xr fnmatch 3 -routines. +functions as specified by +.St -p1003.1 . Note that these are .Em not regular expressions. 
@@ -1155,7 +1152,7 @@ and .Ql ]\& . .El .Pp -POSIX character classes may also be used if your system's +Character classes may also be used if your system's .Xr glob 3 and .Xr fnmatch 3 -- 2.40.0
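Review bot: in the sudoers.man.in hunks at -1049 and -1120, the added `.RS` before `.nf` has no matching `.RE` inside its own hunk; it is closed only by the `.RE` that opens the next tag entry (`.RE` / `.PD 0` / `.TP 2n` at -1102 and -1124), and the `.PD 0` added there is likewise restored by a `.PD` in a later hunk. Nothing in the source explains why the example blocks need the extra indent scope while the SETENV and LOG_* entries do not, so a one-line `.\"` comment at the first `.RS` (for example `.\" .RS/.RE keep the .TP indent around the .nf example`) would keep a future cleanup from dropping the unbalanced-looking `.RS`.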
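Review bot: in the sudoers.man.in hunk at -1190, confirm that `glob(3) and fnmatch(3)` remains as an unchanged line once `-\fBPOSIX\fR` and `-routines.` are removed; the flattened hunk makes this ambiguous. The mdoc hunk at -1123 keeps `.Xr glob 3` / `and` / `.Xr fnmatch 3` around the `-routines.` removal, and the regenerated sudoers.cat at -469 reads "done via the glob(3) and fnmatch(3) functions as specified by IEEE Std 1003.1 (``POSIX.1'')", so the man.in text should render the same sentence.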
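Review bot: in the sudoers.mdoc.in hunk at -970 (and the matching `.It` lines at -1037, -1064, -1092 and -1103), the `.sp` that follows each `.It Em NOPASSWD No and Em PASSWD` tag is a low-level roff request mixed into mdoc markup. If `.Pp` cannot be used directly after `.It` in a `.Bl -hang` list, a short `.\"` comment at the first occurrence would document that choice so the five identical `.sp` lines are not later replaced wholesale. The `.El` added before `.Ss Wildcards` at -1114 correctly closes the list opened at -970.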