From 795a303ea15f4f4226fd1a2349270efc4a7aff89 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 18 Feb 2008 16:05:20 +0000 Subject: [PATCH] regen --- sudo.cat | 164 ++++++++++++++++++++++---------------------- sudo.man.in | 94 +++++++++++++------------ sudoers.cat | 122 ++++++++++++++++---------------- sudoers.ldap.cat | 52 +++++++------- sudoers.ldap.man.in | 2 +- sudoers.man.in | 56 ++++++++------- visudo.cat | 22 +++--- visudo.man.in | 16 ++--- 8 files changed, 270 insertions(+), 258 deletions(-) diff --git a/sudo.cat b/sudo.cat index a20644428..103731e62 100644 --- a/sudo.cat +++ b/sudo.cat @@ -1,7 +1,7 @@ -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +SUDO(8) MAINTENANCE COMMANDS SUDO(8) NNAAMMEE @@ -14,8 +14,7 @@ SSYYNNOOPPSSIISS _m_a_n_d] ssuuddoo [--bbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] - [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] - [{--ii | --ss] [<_c_o_m_m_a_n_d}] + [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [{--ii | --ss] [<_c_o_m_m_a_n_d}] ssuuddooeeddiitt [--SS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... @@ -58,19 +57,19 @@ DDEESSCCRRIIPPTTIIOONN SUDO_USER. ssuuddoo can log both successful and unsuccessful attempts (as well as + errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log -1.7 February 15, 2008 1 +1.7 February 18, 2008 1 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +SUDO(8) MAINTENANCE COMMANDS SUDO(8) - errors) to _s_y_s_l_o_g(3), a log file, or both. By default ssuuddoo will log via _s_y_s_l_o_g(3) but this is changeable at configure time or via the _s_u_d_o_- _e_r_s file. @@ -95,7 +94,7 @@ OOPPTTIIOONNSS starting point above the standard error (file descriptor three). Values less than three are not permitted. This option is only available if the administrator has enabled - the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(4). + the _c_l_o_s_e_f_r_o_m___o_v_e_r_r_i_d_e option in _s_u_d_o_e_r_s(5). -c _c_l_a_s_s The --cc (_c_l_a_s_s) option causes ssuuddoo to run the specified com- mand with resources limited by the specified login class. @@ -110,9 +109,9 @@ OOPPTTIIOONNSS login classes. -E The --EE (_p_r_e_s_e_r_v_e _e_n_v_i_r_o_n_m_e_n_t) option will override the - _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(4)). It is only available when + _e_n_v___r_e_s_e_t option in _s_u_d_o_e_r_s(5)). It is only available when either the matching command has the SETENV tag or the - _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(4). + _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s(5). -e The --ee (_e_d_i_t) option indicates that, instead of running a command, the user wishes to edit one or more files. In @@ -123,22 +122,22 @@ OOPPTTIIOONNSS 1. Temporary copies are made of the files to be edited with the owner set to the invoking user. - 2. The editor specified by the VISUAL or EDITOR + 2. The editor specified by the VISUAL or EDITOR environ- + ment variables is run to edit the temporary files. If -1.7 February 15, 2008 2 +1.7 February 18, 2008 2 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +SUDO(8) MAINTENANCE COMMANDS SUDO(8) - environment variables is run to edit the temporary - files. If neither VISUAL nor EDITOR are set, the pro- - gram listed in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used. + neither VISUAL nor EDITOR are set, the program listed + in the _e_d_i_t_o_r _s_u_d_o_e_r_s variable is used. 3. If they have been modified, the temporary files are copied back to their original location and the tempo- @@ -164,15 +163,15 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -H The --HH (_H_O_M_E) option sets the HOME environment variable to the homedir of the target user (root by default) as speci- - fied in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify HOME - (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)). + fied in _p_a_s_s_w_d(5). By default, ssuuddoo does not modify HOME + (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(5)). -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message and exit. -i [command] The --ii (_s_i_m_u_l_a_t_e _i_n_i_t_i_a_l _l_o_g_i_n) option runs the shell spec- - ified in the _p_a_s_s_w_d(4) entry of the target user as a login + ified in the _p_a_s_s_w_d(5) entry of the target user as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a com- mand is specified, it is passed to the shell for execution. @@ -190,19 +189,19 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -k The --kk (_k_i_l_l) option to ssuuddoo invalidates the user's times- tamp by setting the time on it to the Epoch. The next time + ssuuddoo is run a password will be required. This option does -1.7 February 15, 2008 3 +1.7 February 18, 2008 3 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +SUDO(8) MAINTENANCE COMMANDS SUDO(8) - ssuuddoo is run a password will be required. This option does not require a password and was added to allow a user to revoke ssuuddoo permissions from a .logout file. @@ -255,36 +254,27 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) system password prompt on systems that support PAM unless the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. - -r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security - - + -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from + the standard input instead of the terminal device. -1.7 February 15, 2008 4 +1.7 February 18, 2008 4 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - context to have the role specified by _r_o_l_e. +SUDO(8) MAINTENANCE COMMANDS SUDO(8) - -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from - the standard input instead of the terminal device. -s [command] The --ss (_s_h_e_l_l) option runs the shell specified by the _S_H_E_L_L environment variable if it is set or the shell as specified - in _p_a_s_s_w_d(4). If a command is specified, it is passed to + in _p_a_s_s_w_d(5). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. - -t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security con- - text to have the type specified by _t_y_p_e. If no type is - specified, the default type is derived from the specified - role. - -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll option to specify the user whose privileges should be listed. Only root or a user with ssuuddoo ALL on the current @@ -295,7 +285,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as a _u_i_d, many shells require that the '#' be escaped with a back- slash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option is - set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands + set (see _s_u_d_o_e_r_s(5)) it is not possible to run commands with a uid not listed in the password database. -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version @@ -321,28 +311,29 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) ables with one important exception. If the _s_e_t_e_n_v option is set in _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command matched is ALL, the user may set variables that would overwise be for- - bidden. See _s_u_d_o_e_r_s(4) for more information. + bidden. See _s_u_d_o_e_r_s(5) for more information. +RREETTUURRNN VVAALLUUEESS + Upon successful execution of a program, the return value from ssuuddoo will + simply be the return value of the program that was executed. + Otherwise, ssuuddoo quits with an exit value of 1 if there is a configura- + tion/permission problem or if ssuuddoo cannot execute the given command. + In the latter case the error string is printed to stderr. If ssuuddoo can- + not _s_t_a_t(2) one or more entries in the user's PATH an error is printed + on stderr. (If the directory does not exist or if it is not really a -1.7 February 15, 2008 5 +1.7 February 18, 2008 5 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -RREETTUURRNN VVAALLUUEESS - Upon successful execution of a program, the return value from ssuuddoo will - simply be the return value of the program that was executed. +SUDO(8) MAINTENANCE COMMANDS SUDO(8) + - Otherwise, ssuuddoo quits with an exit value of 1 if there is a configura- - tion/permission problem or if ssuuddoo cannot execute the given command. - In the latter case the error string is printed to stderr. If ssuuddoo can- - not _s_t_a_t(2) one or more entries in the user's PATH an error is printed - on stderr. (If the directory does not exist or if it is not really a directory, the entry is ignored and no error is printed.) This should not happen under normal circumstances. The most common reason for _s_t_a_t(2) to return "permission denied" is if you are running an auto- @@ -388,27 +379,27 @@ SSEECCUURRIITTYY NNOOTTEESS ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. On systems that + allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp + directory is located in a directory writable by anyone (e.g., _/_t_m_p), it + is possible for a user to create the timestamp directory before ssuuddoo is + run. However, because ssuuddoo checks the ownership and mode of the direc- + tory and its contents, the only damage that can be done is to "hide" + files by putting them in the timestamp dir. This is unlikely to happen + since once the timestamp dir is owned by root and inaccessible by any + other user, the user placing files there would be unable to get them + back out. To get around this issue you can use a directory that is not -1.7 February 15, 2008 6 +1.7 February 18, 2008 6 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) +SUDO(8) MAINTENANCE COMMANDS SUDO(8) - allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp - directory is located in a directory writable by anyone (e.g., _/_t_m_p), it - is possible for a user to create the timestamp directory before ssuuddoo is - run. However, because ssuuddoo checks the ownership and mode of the direc- - tory and its contents, the only damage that can be done is to "hide" - files by putting them in the timestamp dir. This is unlikely to happen - since once the timestamp dir is owned by root and inaccessible by any - other user, the user placing files there would be unable to get them - back out. To get around this issue you can use a directory that is not world-writable for the timestamps (_/_v_a_r_/_a_d_m_/_s_u_d_o for instance) or cre- ate _/_v_a_r_/_r_u_n_/_s_u_d_o with the appropriate owner (root) and permissions (0700) in the system startup files. @@ -427,7 +418,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) when giving users access to commands via ssuuddoo to verify that the com- mand does not inadvertently give the user an effective root shell. For more information, please see the PREVENTING SHELL ESCAPES section in - _s_u_d_o_e_r_s(4). + _s_u_d_o_e_r_s(5). EENNVVIIRROONNMMEENNTT ssuuddoo utilizes the following environment variables: @@ -454,32 +445,34 @@ EENNVVIIRROONNMMEENNTT SUDO_GID Set to the gid of the user who invoked sudo + SUDO_PS1 If set, PS1 will be set to its value + USER Set to the target user (root unless the --uu option is + specified) + VISUAL Default editor to use in --ee (sudoedit) mode -1.7 February 15, 2008 7 +FFIILLEESS + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what +1.7 February 18, 2008 7 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - SUDO_PS1 If set, PS1 will be set to its value - USER Set to the target user (root unless the --uu option is - specified) +SUDO(8) MAINTENANCE COMMANDS SUDO(8) - VISUAL Default editor to use in --ee (sudoedit) mode -FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps - _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mmooddee oonn LLiinnuuxx aanndd AAIIXX + _/_v_a_r_/_r_u_n_/_s_u_d_o Directory containing timestamps + + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on Linux and + AIX EEXXAAMMPPLLEESS - Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. + Note: the following examples assume suitable _s_u_d_o_e_r_s(5) entries. To get a file listing of an unreadable directory: @@ -505,8 +498,7 @@ EEXXAAMMPPLLEESS $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" SSEEEE AALLSSOO - _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), - _v_i_s_u_d_o(1m) + _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(5), _s_u_d_o_e_r_s(5), _v_i_s_u_d_o(8) AAUUTTHHOORRSS Many people have worked on ssuuddoo over the years; this version consists @@ -520,26 +512,25 @@ AAUUTTHHOORRSS CCAAVVEEAATTSS There is no easy way to prevent a user from gaining a root shell if that user is allowed to run arbitrary commands via ssuuddoo. Also, many + programs (such as editors) allow the user to run commands via shell + escapes, thus avoiding ssuuddoo's checks. However, on most systems it is + possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. + See the _s_u_d_o_e_r_s(5) manual for details. + It is not meaningful to run the cd command directly via sudo, e.g., - -1.7 February 15, 2008 8 + $ sudo cd /usr/local/protected +1.7 February 18, 2008 8 -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - programs (such as editors) allow the user to run commands via shell - escapes, thus avoiding ssuuddoo's checks. However, on most systems it is - possible to prevent shell escapes with ssuuddoo's _n_o_e_x_e_c functionality. - See the _s_u_d_o_e_r_s(4) manual for details. - It is not meaningful to run the cd command directly via sudo, e.g., +SUDO(8) MAINTENANCE COMMANDS SUDO(8) - $ sudo cd /usr/local/protected since when the command exits the parent process (your shell) will still be the same. Please see the EXAMPLES section for more information. @@ -589,6 +580,15 @@ DDIISSCCLLAAIIMMEERR -1.7 February 15, 2008 9 + + + + + + + + + +1.7 February 18, 2008 9 diff --git a/sudo.man.in b/sudo.man.in index 44a810d9c..51b3984cf 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "February 15, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudo, sudoedit \- execute a command as another user .SH "SYNOPSIS" @@ -160,14 +160,20 @@ sudo, sudoedit \- execute a command as another user \&\fBsudo\fR \fB\-l[l]\fR [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] .PP -\&\fBsudo\fR [\fB\-bEHPS\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] -[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] +\&\fBsudo\fR [\fB\-bEHPS\fR] +@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +[\fB\-C\fR\ \fIfd\fR] +@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}] .PP -\&\fBsudoedit\fR [\fB\-S\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] -[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] +\&\fBsudoedit\fR [\fB\-S\fR] +@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +[\fB\-C\fR\ \fIfd\fR] +@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ... .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -218,14 +224,14 @@ or via the \fIsudoers\fR file. .SH "OPTIONS" .IX Header "OPTIONS" \&\fBsudo\fR accepts the following command line options: -.IP "\-a \fItype\fR" 12 -.IX Item "-a type" -The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the -specified authentication type when validating the user, as allowed -by \fI/etc/login.conf\fR. The system administrator may specify a list -of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R" -entry in \fI/etc/login.conf\fR. This option is only available on systems -that support \s-1BSD\s0 authentication. +@BAMAN@.IP "\-a \fItype\fR" 12 +@BAMAN@.IX Item "-a type" +@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the +@BAMAN@specified authentication type when validating the user, as allowed +@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list +@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R" +@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems +@BAMAN@that support \s-1BSD\s0 authentication. .IP "\-b" 12 .IX Item "-b" The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given @@ -240,17 +246,17 @@ above the standard error (file descriptor three). Values less than three are not permitted. This option is only available if the administrator has enabled the \fIclosefrom_override\fR option in \&\fIsudoers\fR\|(@mansectform@). -.IP "\-c \fIclass\fR" 12 -.IX Item "-c class" -The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command -with resources limited by the specified login class. The \fIclass\fR -argument can be either a class name as defined in \fI/etc/login.conf\fR, -or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates -that the command should be run restricted by the default login -capabilities for the user the command is run as. If the \fIclass\fR -argument specifies an existing user class, the command must be run -as root, or the \fBsudo\fR command must be run from a shell that is already -root. This option is only available on systems with \s-1BSD\s0 login classes. +@LCMAN@.IP "\-c \fIclass\fR" 12 +@LCMAN@.IX Item "-c class" +@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command +@LCMAN@with resources limited by the specified login class. The \fIclass\fR +@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR, +@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates +@LCMAN@that the command should be run restricted by the default login +@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR +@LCMAN@argument specifies an existing user class, the command must be run +@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already +@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes. .IP "\-E" 12 .IX Item "-E" The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the @@ -395,10 +401,10 @@ The prompt specified by the \fB\-p\fR option will override the system password prompt on systems that support \s-1PAM\s0 unless the \&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. .RE -.IP "\-r \fIrole\fR" 12 -.IX Item "-r role" -The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to -have the role specified by \fIrole\fR. +@SEMAN@.IP "\-r \fIrole\fR" 12 +@SEMAN@.IX Item "-r role" +@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to +@SEMAN@have the role specified by \fIrole\fR. .IP "\-S" 12 .IX Item "-S" The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from @@ -409,11 +415,11 @@ The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\ environment variable if it is set or the shell as specified in \&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. -.IP "\-t \fItype\fR" 12 -.IX Item "-t type" -The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to -have the type specified by \fItype\fR. If no type is specified, the default -type is derived from the specified role. +@SEMAN@.IP "\-t \fItype\fR" 12 +@SEMAN@.IX Item "-t type" +@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to +@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default +@SEMAN@type is derived from the specified role. .IP "\-U \fIuser\fR" 12 .IX Item "-U user" The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR @@ -595,17 +601,15 @@ Set to the target user (root unless the \fB\-u\fR option is specified) Default editor to use in \fB\-e\fR (sudoedit) mode .SH "FILES" .IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4 -.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4 -.IX Item "@sysconfdir@/sudoers List of who can run what" -.PD 0 -.ie n .IP "\fI@timedir@\fR\*(C` \*(C'Directory containing timestamps" 4 -.el .IP "\fI@timedir@\fR\f(CW\*(C` \*(C'\fRDirectory containing timestamps" 4 -.IX Item "@timedir@ Directory containing timestamps" -.ie n .IP "\fI/etc/environment\fR\*(C` \*(C'\fRInitial environment for \fB\-i mode on Linux and \s-1AIX\s0" 4 -.el .IP "\fI/etc/environment\fR\f(CW\*(C` \*(C'\fRInitial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0" 4 -.IX Item "/etc/environment Initial environment for -i mode on Linux and AIX" -.PD +.IP "\fI@sysconfdir@/sudoers\fR" 24 +.IX Item "@sysconfdir@/sudoers" +List of who can run what +.IP "\fI@timedir@\fR" 24 +.IX Item "@timedir@" +Directory containing timestamps +.IP "\fI/etc/environment\fR" 24 +.IX Item "/etc/environment" +Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0 .SH "EXAMPLES" .IX Header "EXAMPLES" Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries. diff --git a/sudoers.cat b/sudoers.cat index 8866236c0..19d5533ad 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -1,7 +1,7 @@ -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) NNAAMMEE @@ -61,13 +61,13 @@ DDEESSCCRRIIPPTTIIOONN -1.7 January 21, 2008 1 +1.7 February 18, 2008 1 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) Host_Alias ::= NAME '=' Host_List @@ -127,13 +127,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 2 +1.7 February 18, 2008 2 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) Host ::= '!'* hostname | @@ -193,13 +193,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 3 +1.7 February 18, 2008 3 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) users on any host, all users on a specific host, a specific user, a @@ -259,13 +259,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 4 +1.7 February 18, 2008 4 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) Let's break that down into its constituent parts: @@ -325,13 +325,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 5 +1.7 February 18, 2008 5 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite @@ -391,13 +391,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 6 +1.7 February 18, 2008 6 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) WWiillddccaarrddss @@ -457,13 +457,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 7 +1.7 February 18, 2008 7 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss @@ -523,13 +523,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.7 January 21, 2008 8 +1.7 February 18, 2008 8 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) env_editor If set, vviissuuddoo will use the value of the EDITOR or @@ -572,30 +572,30 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) fied. This flag is _o_f_f by default. ignore_local_sudoers - If set via LDAP, parsing of @sysconfdir@/sudoers will - be skipped. This is intended for Enterprises that wish - to prevent the usage of local sudoers files so that - only LDAP is used. This thwarts the efforts of rogue - operators who would attempt to add roles to - @sysconfdir@/sudoers. When this option is present, - @sysconfdir@/sudoers does not even need to exist. - Since this option tells ssuuddoo how to behave when no spe- - cific LDAP entries have been matched, this sudoOption - is only meaningful for the cn=defaults section. This - flag is _o_f_f by default. + If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be + skipped. This is intended for Enterprises that wish to + prevent the usage of local sudoers files so that only + LDAP is used. This thwarts the efforts of rogue opera- + tors who would attempt to add roles to _/_e_t_c_/_s_u_d_o_e_r_s. + When this option is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even + need to exist. Since this option tells ssuuddoo how to + behave when no specific LDAP entries have been matched, + this sudoOption is only meaningful for the cn=defaults + section. This flag is _o_f_f by default. insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. -1.7 January 21, 2008 9 + +1.7 February 18, 2008 9 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) log_host If set, the hostname will be logged in the (non-syslog) @@ -655,13 +655,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 10 +1.7 February 18, 2008 10 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) normally only be used if the passwod prompt provided by @@ -721,13 +721,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 11 +1.7 February 18, 2008 11 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the @@ -787,13 +787,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 12 +1.7 February 18, 2008 12 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) password before ssuuddoo logs the failure and exits. The @@ -853,13 +853,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 13 +1.7 February 18, 2008 13 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) environment variable. The following percent (`%') @@ -919,13 +919,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 14 +1.7 February 18, 2008 14 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) once Only lecture the user the first time they run ssuuddoo. @@ -985,13 +985,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 15 +1.7 February 18, 2008 15 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) syslog Syslog facility if syslog is being used for logging (negate @@ -1051,13 +1051,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 16 +1.7 February 18, 2008 16 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) env_keep Environment variables to be preserved in the user's @@ -1079,9 +1079,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) iinngg. FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_e_t_c_/_g_r_o_u_p Local groups file - _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + + _/_e_t_c_/_g_r_o_u_p Local groups file + + _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit @@ -1115,15 +1117,13 @@ EEXXAAMMPPLLEESS - - -1.7 January 21, 2008 17 +1.7 February 18, 2008 17 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) # Cmnd alias specification @@ -1183,13 +1183,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 18 +1.7 February 18, 2008 18 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias @@ -1249,13 +1249,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 19 +1.7 February 18, 2008 19 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) jen ALL, !SERVERS = ALL @@ -1315,13 +1315,13 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS -1.7 January 21, 2008 20 +1.7 February 18, 2008 20 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) that permit shell escapes include shells (obviously), editors, pagina- @@ -1381,13 +1381,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7 January 21, 2008 21 +1.7 February 18, 2008 21 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SUDOERS(5) MAINTENANCE COMMANDS SUDOERS(5) Note that restricting shell escapes is not a panacea. Programs running @@ -1397,7 +1397,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) approach is to give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _s_u_d_o(8), _v_i_s_u_d_o(8) CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which @@ -1447,6 +1447,6 @@ DDIISSCCLLAAIIMMEERR -1.7 January 21, 2008 22 +1.7 February 18, 2008 22 diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 11094fc94..007b37e75 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -1,7 +1,7 @@ -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) NNAAMMEE @@ -61,13 +61,13 @@ DDEESSCCRRIIPPTTIIOONN -1.7 February 9, 2008 1 +1.7 February 18, 2008 1 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) manner as a global Defaults line in _/_e_t_c_/_s_u_d_o_e_r_s. In the following @@ -127,13 +127,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 2 +1.7 February 18, 2008 2 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) dn: cn=%wheel,ou=SUDOers,dc=example,dc=com @@ -193,13 +193,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 3 +1.7 February 18, 2008 3 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) # LDAP equivalent of puddles @@ -251,7 +251,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from - those described in the _l_d_a_p_._c_o_n_f(4) manual. + those described in the _l_d_a_p_._c_o_n_f(5) manual. Also note that on systems using the OpenLDAP libraries, default values specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are @@ -259,13 +259,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 4 +1.7 February 18, 2008 4 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) Only those options explicitly listed in _/_e_t_c_/_l_d_a_p_._c_o_n_f that are sup- @@ -325,13 +325,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 5 +1.7 February 18, 2008 5 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) BBIINNDDDDNN DN @@ -391,13 +391,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 6 +1.7 February 18, 2008 6 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) OpenLDAP libraries. @@ -457,13 +457,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 7 +1.7 February 18, 2008 7 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) SSAASSLL__SSEECCPPRROOPPSS none/properties @@ -523,13 +523,13 @@ EEXXAAMMPPLLEESS -1.7 February 9, 2008 8 +1.7 February 18, 2008 8 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) # Either specify one or more URIs or one or more host:port pairs. @@ -589,13 +589,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 9 +1.7 February 18, 2008 9 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) #tls_cacertfile /etc/certs/trusted_signers.pem @@ -655,13 +655,13 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7 February 9, 2008 10 +1.7 February 18, 2008 10 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) attributetype ( 1.3.6.1.4.1.15953.9.1.2 @@ -715,19 +715,19 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SSEEEE AALLSSOO - _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) + _l_d_a_p_._c_o_n_f(5), _s_u_d_o_e_r_s(5) -1.7 February 9, 2008 11 +1.7 February 18, 2008 11 -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) +SUDOERS.LDAP(5) MAINTENANCE COMMANDS SUDOERS.LDAP(5) CCAAVVEEAATTSS @@ -787,6 +787,6 @@ DDIISSCCLLAAIIMMEERR -1.7 February 9, 2008 12 +1.7 February 18, 2008 12 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index d42da1fee..4baf4c65a 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -146,7 +146,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "February 9, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers.ldap \- sudo LDAP configuration .SH "DESCRIPTION" diff --git a/sudoers.man.in b/sudoers.man.in index 8368bd0f0..7803ef05b 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -724,14 +724,14 @@ environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This flag is \fI@ignore_dot@\fR by default. .IP "ignore_local_sudoers" 16 .IX Item "ignore_local_sudoers" -If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped. +If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of -rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers. -When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist. -Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries -have been matched, this sudoOption is only meaningful for the cn=defaults -section. This flag is \fIoff\fR by default. +rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR. +When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to +exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 +entries have been matched, this sudoOption is only meaningful for the +\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default. .IP "insults" 16 .IX Item "insults" If set, \fBsudo\fR will insult users when they enter an incorrect @@ -885,11 +885,11 @@ If set, users must authenticate on a per-tty basis. Normally, the user running it. With this flag enabled, \fBsudo\fR will use a file named for the tty the user is logged in on in that directory. This flag is \fI@tty_tickets@\fR by default. -.IP "use_loginclass" 16 -.IX Item "use_loginclass" -If set, \fBsudo\fR will apply the defaults specified for the target user's -login class if one exists. Only available if \fBsudo\fR is configured with -the \-\-with\-logincap option. This flag is \fIoff\fR by default. +@LCMAN@.IP "use_loginclass" 16 +@LCMAN@.IX Item "use_loginclass" +@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's +@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with +@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default. .PP \&\fBIntegers\fR: .IP "closefrom" 16 @@ -990,6 +990,12 @@ two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW .Sp The default value is \f(CW\*(C`@passprompt@\*(C'\fR. .RE +@SEMAN@.IP "role" 16 +@SEMAN@.IX Item "role" +@SEMAN@The default SELinux role to use when constructing a new security +@SEMAN@context to run the command. The default role may be overridden on +@SEMAN@a per-command basis in \fIsudoers\fR or via command line options. +@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support. .IP "runas_default" 16 .IX Item "runas_default" The default user to run commands as if the \fB\-u\fR flag is not specified @@ -1012,6 +1018,12 @@ The default is \fI@timedir@\fR. .IX Item "timestampowner" The owner of the timestamp directory and the timestamps stored therein. The default is \f(CW\*(C`root\*(C'\fR. +@SEMAN@.IP "type" 16 +@SEMAN@.IX Item "type" +@SEMAN@The default SELinux type to use when constructing a new security +@SEMAN@context to run the command. The default type may be overridden on +@SEMAN@a per-command basis in \fIsudoers\fR or via command line options. +@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support. .PP \&\fBStrings that can be used in a boolean context\fR: .IP "exempt_group" 12 @@ -1172,17 +1184,15 @@ supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo \&\fBnotice\fR, and \fBwarning\fR. .SH "FILES" .IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C' List of who can run what" 4 -.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fR List of who can run what" 4 -.IX Item "@sysconfdir@/sudoers List of who can run what" -.PD 0 -.ie n .IP "\fI/etc/group\fR\*(C` \*(C' Local groups file" 4 -.el .IP "\fI/etc/group\fR\f(CW\*(C` \*(C'\fR Local groups file" 4 -.IX Item "/etc/group Local groups file" -.ie n .IP "\fI/etc/netgroup\fR\*(C` \*(C' List of network groups" 4 -.el .IP "\fI/etc/netgroup\fR\f(CW\*(C` \*(C'\fR List of network groups" 4 -.IX Item "/etc/netgroup List of network groups" -.PD +.IP "\fI@sysconfdir@/sudoers\fR" 24 +.IX Item "@sysconfdir@/sudoers" +List of who can run what +.IP "\fI/etc/group\fR" 24 +.IX Item "/etc/group" +Local groups file +.IP "\fI/etc/netgroup\fR" 24 +.IX Item "/etc/netgroup" +List of network groups .SH "EXAMPLES" .IX Header "EXAMPLES" Below are example \fIsudoers\fR entries. Admittedly, some of diff --git a/visudo.cat b/visudo.cat index f2c951db1..490036a98 100644 --- a/visudo.cat +++ b/visudo.cat @@ -1,7 +1,7 @@ -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) +VISUDO(8) MAINTENANCE COMMANDS VISUDO(8) NNAAMMEE @@ -11,7 +11,7 @@ SSYYNNOOPPSSIISS vviissuuddoo [--cc] [--qq] [--ss] [--VV] [--ff _s_u_d_o_e_r_s] DDEESSCCRRIIPPTTIIOONN - vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(1m). + vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to _v_i_p_w(8). vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, pro- vides basic sanity checks, and checks for parse errors. If the _s_u_d_o_e_r_s file is currently being edited you will receive a message to try again @@ -61,13 +61,13 @@ OOPPTTIIOONNSS -1.7 January 21, 2008 1 +1.7 February 18, 2008 1 -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) +VISUDO(8) MAINTENANCE COMMANDS VISUDO(8) combined with the --cc flag. @@ -91,8 +91,9 @@ EENNVVIIRROONNMMEENNTT EDITOR Used by visudo if VISUAL is not set FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what - _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + + _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo DDIIAAGGNNOOSSTTIICCSS sudoers file busy, try again later. @@ -118,7 +119,7 @@ DDIIAAGGNNOOSSTTIICCSS --ss (strict) mode this is an error, not a warning. SSEEEE AALLSSOO - _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) + _v_i(1), _s_u_d_o_e_r_s(5), _s_u_d_o(8), _v_i_p_w(8) AAUUTTHHOORR Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo @@ -126,14 +127,13 @@ AAUUTTHHOORR - -1.7 January 21, 2008 2 +1.7 February 18, 2008 2 -VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) +VISUDO(8) MAINTENANCE COMMANDS VISUDO(8) Todd Miller @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.7 January 21, 2008 3 +1.7 February 18, 2008 3 diff --git a/visudo.man.in b/visudo.man.in index ecefe4477..82bbae2cd 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "January 21, 2008" "1.7" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "February 18, 2008" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" visudo \- edit the sudoers file .SH "SYNOPSIS" @@ -235,14 +235,12 @@ Invoked by visudo as the editor to use Used by visudo if \s-1VISUAL\s0 is not set .SH "FILES" .IX Header "FILES" -.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C'List of who can run what" 4 -.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fRList of who can run what" 4 -.IX Item "@sysconfdir@/sudoers List of who can run what" -.PD 0 -.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR\*(C` \*(C'Lock file for visudo" 4 -.el .IP "\fI@sysconfdir@/sudoers.tmp\fR\f(CW\*(C` \*(C'\fRLock file for visudo" 4 -.IX Item "@sysconfdir@/sudoers.tmp Lock file for visudo" -.PD +.IP "\fI@sysconfdir@/sudoers\fR" 24 +.IX Item "@sysconfdir@/sudoers" +List of who can run what +.IP "\fI@sysconfdir@/sudoers.tmp\fR" 24 +.IX Item "@sysconfdir@/sudoers.tmp" +Lock file for visudo .SH "DIAGNOSTICS" .IX Header "DIAGNOSTICS" .IP "sudoers file busy, try again later." 4 -- 2.40.0