From 7b7db85d861e83f012323834018ecc7fa158bf88 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 18 Jul 2012 09:22:43 -0400 Subject: [PATCH] More minor costmetic fixes. --HG-- branch : 1.7 --- sudoers.cat | 86 +++++++++++++++++++++++---------------------- sudoers.ldap.cat | 5 +-- sudoers.ldap.man.in | 4 +-- sudoers.ldap.pod | 2 +- sudoers.man.in | 55 +++++++++++++++-------------- sudoers.pod | 53 ++++++++++++++-------------- sudoreplay.cat | 41 ++++++++++----------- sudoreplay.man.in | 81 +++++++++++++++++++++++------------------- sudoreplay.pod | 49 +++++++++++++------------- visudo.cat | 10 +++--- visudo.man.in | 12 +++---- visudo.pod | 8 ++--- 12 files changed, 209 insertions(+), 197 deletions(-) diff --git a/sudoers.cat b/sudoers.cat index aa7bde8d6..a64af02e8 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -220,7 +220,7 @@ DDEESSCCRRIIPPTTIIOONN Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are implicitly boolean and can be turned off via the '!' operator. Some integer, string and list parameters may also be used in a boolean - context to disable them. Values may be enclosed in double quotes (") + context to disable them. Values may be enclosed in double quotes ("") when they contain multiple words. Special characters may be escaped with a backslash (\). @@ -294,7 +294,7 @@ DDEESSCCRRIIPPTTIIOONN We can extend this to allow ddggbb to run /bin/ls with either the user or group set to ooppeerraattoorr: - dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ /usr/bin/lprm Note that while the group portion of the Runas_Spec permits the user to 
@@ -310,7 +310,7 @@ DDEESSCCRRIIPPTTIIOONN In the following example, user ttccmm may run commands that access a modem device file with the dialer group. - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ /usr/local/bin/minicom Note that in this example only the group will be set, the command still @@ -335,11 +335,11 @@ DDEESSCCRRIIPPTTIIOONN however, will supercede the values in _s_u_d_o_e_r_s. TTaagg__SSppeecc - A command may have zero or more tags associated with it. There are - eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, - NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a - tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit - the tag unless it is overridden by the opposite tag (i.e.: PASSWD + A command may have zero or more tags associated with it. There are ten + possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, + LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set + on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag + unless it is overridden by the opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D @@ -422,7 +422,7 @@ DDEESSCCRRIIPPTTIIOONN [!...] Matches any character nnoott in the specified range. \x For any character "x", evaluates to "x". This is used to - escape special characters such as: "*", "?", "[", and "}". + escape special characters such as: "*", "?", "[", and "]". POSIX character classes may also be used if your system's _g_l_o_b(3) and _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character 
@@ -468,7 +468,7 @@ DDEESSCCRRIIPPTTIIOONN file loops. If the path to the include file is not fully-qualified (does not begin - with a _/), it must be located in the same directory as the sudoers file + with a /), it must be located in the same directory as the sudoers file it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: #include sudoers.local @@ -476,7 +476,8 @@ DDEESSCCRRIIPPTTIIOONN the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. The file name may also include the %h escape, signifying the short form - of the host name. I.e., if the machine's host name is "xerxes", then + of the host name. In other words, if the machine's host name is + "xerxes", then #include /etc/sudoers.%h @@ -499,7 +500,7 @@ DDEESSCCRRIIPPTTIIOONN Note that unlike files included via #include, vviissuuddoo will not edit the files in a #includedir directory unless one of them contains a syntax - error. It is still possible to run vviissuuddoo with the -f flag to edit the + error. It is still possible to run vviissuuddoo with the --ff flag to edit the files directly. OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss @@ -585,7 +586,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS followed by any variables present in the file specified by the _e_n_v___f_i_l_e option (if any). The default contents of the env_keep and env_check lists are displayed when - ssuuddoo is run by root with the _-_V option. If the + ssuuddoo is run by root with the --VV option. If the _s_e_c_u_r_e___p_a_t_h option is set, its value will be used for the PATH environment variable. This flag is _o_n by default. 
@@ -609,22 +610,22 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS flag is _o_f_f by default. fqdn Set this flag if you want to put fully qualified host - names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you - would use myhost.mydomain.edu. You may still use the - short form if you wish (and even mix the two). Beware - that turning on _f_q_d_n requires ssuuddoo to make DNS lookups - which may make ssuuddoo unusable if DNS stops working (for - example if the machine is not plugged into the - network). Also note that you must use the host's - official name as DNS knows it. That is, you may not - use a host alias (CNAME entry) due to performance - issues and the fact that there is no way to get all - aliases from DNS. If your machine's host name (as - returned by the hostname command) is already fully + names in the _s_u_d_o_e_r_s file. In other words, instead of + myhost you would use myhost.mydomain.edu. You may + still use the short form if you wish (and even mix the + two). Beware that turning on _f_q_d_n requires ssuuddoo to + make DNS lookups which may make ssuuddoo unusable if DNS + stops working (for example if the machine is not + plugged into the network). Also note that you must use + the host's official name as DNS knows it. That is, you + may not use a host alias (CNAME entry) due to + performance issues and the fact that there is no way to + get all aliases from DNS. If your machine's host name + (as returned by the hostname command) is already fully qualified you shouldn't need to set _f_q_d_n. This flag is _o_f_f by default. - ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the + ignore_dot If set, ssuuddoo will ignore "." or "" (current dir) in the PATH environment variable; the PATH itself is not modified. This flag is _o_f_f by default. 
@@ -656,7 +657,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Input is logged to the directory specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is included in the normal ssuuddoo - log line, prefixed with _T_S_I_D_=. + log line, prefixed with "TSID=". Note that user input may contain sensitive information such as passwords (even if they are not echoed to the @@ -675,7 +676,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS Output is logged to the directory specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is included in the normal ssuuddoo - log line, prefixed with _T_S_I_D_=. + log line, prefixed with "TSID=". Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) utility, which can also be used to list or search the @@ -863,8 +864,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo will prompt for a password even when it would be visible on the screen. This makes it possible to run - things like "rsh somehost sudo ls" since _r_s_h(1) does - not allocate a tty. This flag is _o_f_f by default. + things like "ssh somehost sudo ls" since by default, + _s_s_h(1) does not allocate a tty when running a command. + This flag is _o_f_f by default. IInntteeggeerrss: @@ -932,7 +934,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape %h will expand to the host name of the machine. - Default is *** SECURITY information for %h ***. + Default is "*** SECURITY information for %h ***". noexec_file Path to a shared library containing dummy versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions 
@@ -965,7 +967,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS %% two consecutive % characters are collapsed into a single % character - The default value is Password:. + The default value is "Password:". role The default SELinux role to use when constructing a new security context to run the command. The default role @@ -1083,11 +1085,11 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS mailfrom Address to use for the "from" address when sending warning and error mail. The address should be enclosed in double - quotes (") to protect against ssuuddoo interpreting the @ sign. - Defaults to the name of the user running ssuuddoo. + quotes ("") to protect against ssuuddoo interpreting the @ + sign. Defaults to the name of the user running ssuuddoo. mailto Address to send warning and error mail to. The address - should be enclosed in double quotes (") to protect against + should be enclosed in double quotes ("") to protect against ssuuddoo interpreting the @ sign. Defaults to root. secure_path Path used for every command run from ssuuddoo. If you don't @@ -1142,7 +1144,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS env_check will be preserved in the environment if they pass the aforementioned check. The default list of environment variables to check is displayed when ssuuddoo - is run by root with the _-_V option. + is run by root with the --VV option. env_delete Environment variables to be removed from the user's environment when the _e_n_v___r_e_s_e_t option is not in effect. @@ -1151,7 +1153,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to remove is - displayed when ssuuddoo is run by root with the _-_V option. + displayed when ssuuddoo is run by root with the --VV option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as ssuuddoo). 
@@ -1165,7 +1167,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of variables to keep is displayed when ssuuddoo is run by root - with the _-_V option. + with the --VV option. FFIILLEESS _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what @@ -1214,8 +1216,8 @@ EEXXAAMMPPLLEESS Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt Cmnd_Alias REBOOT = /usr/sbin/reboot - Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ - /usr/local/bin/tcsh, /usr/bin/rsh, \ + Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ + /usr/local/bin/tcsh, /usr/bin/rsh,\ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less @@ -1379,7 +1381,7 @@ SSEECCUURRIITTYY NNOOTTEESS For example, given the following _s_u_d_o_e_r_s entry: - john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by @@ -1483,4 +1485,4 @@ DDIISSCCLLAAIIMMEERR -1.7.10 June 8, 2012 SUDOERS(4) +1.7.10 July 18, 2012 SUDOERS(4) diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index d3dc057cb..10b7c3dcf 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -518,7 +518,8 @@ DDEESSCCRRIIPPTTIIOONN sudoers: files Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying - operating system does not use an nsswitch.conf file. + operating system does not use an nsswitch.conf file, except on AIX (see + below). CCoonnffiigguurriinngg nneettssvvcc..ccoonnff On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of @@ -769,4 +770,4 @@ DDIISSCCLLAAIIMMEERR -1.7.10 June 29, 2012 SUDOERS.LDAP(4) +1.7.10 July 18, 2012 SUDOERS.LDAP(4) 
diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index eb1d4e0de..e545bf3a8 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "June 29, 2012" "1.7.10" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -675,7 +675,7 @@ sudoers line, the following default is assumed: .Ve .PP Note that \fI@nsswitch_conf@\fR is supported even when the underlying -operating system does not use an nsswitch.conf file. +operating system does not use an nsswitch.conf file, except on \s-1AIX\s0 (see below). .SS "Configuring netsvc.conf" .IX Subsection "Configuring netsvc.conf" On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of diff --git a/sudoers.ldap.pod b/sudoers.ldap.pod index eaf7e3fdc..1c67ca045 100644 --- a/sudoers.ldap.pod +++ b/sudoers.ldap.pod @@ -600,7 +600,7 @@ sudoers line, the following default is assumed: sudoers: files Note that F<@nsswitch_conf@> is supported even when the underlying -operating system does not use an nsswitch.conf file. +operating system does not use an nsswitch.conf file, except on AIX (see below). =head2 Configuring netsvc.conf diff --git a/sudoers.man.in b/sudoers.man.in index 2e7753039..0e24d6952 100644 --- a/sudoers.man.in +++ b/sudoers.man.in 
@@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "June 8, 2012" "1.7.10" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -401,7 +401,7 @@ Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\ Flags are implicitly boolean and can be turned off via the '!' operator. Some integer, string and list parameters may also be used in a boolean context to disable them. Values may be enclosed -in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special +in double quotes (\f(CW""\fR) when they contain multiple words. Special characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR). .PP Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR. @@ -489,7 +489,7 @@ We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with eith the user or group set to \fBoperator\fR: .PP .Vb 2 -\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e +\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e \& /usr/bin/lprm .Ve .PP @@ -509,7 +509,7 @@ In the following example, user \fBtcm\fR may run commands that access a modem device file with the dialer group. .PP .Vb 2 -\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e +\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e \& /usr/local/bin/minicom .Ve .PP 
@@ -542,11 +542,11 @@ however, will supercede the values in \fIsudoers\fR. .SS "Tag_Spec" .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are -eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, +ten possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR, \&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless -it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides +it is overridden by the opposite tag (in other words, \f(CW\*(C`PASSWD\*(C'\fR overrides \&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR). .PP \fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR @@ -652,7 +652,7 @@ Matches any character \fBnot\fR in the specified range. .el .IP "\f(CW\*(C`\ex\*(C'\fR" 8 .IX Item "x" For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to -escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R". +escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"]\*(R". .PP \&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3) and \fIfnmatch\fR\|(3) functions support them. However, because the 
@@ -709,7 +709,7 @@ themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. .PP If the path to the include file is not fully-qualified (does not -begin with a \fI/\fR), it must be located in the same directory as the +begin with a \f(CW\*(C`/\*(C'\fR), it must be located in the same directory as the sudoers file it was included from. For example, if \fI/etc/sudoers\fR contains the line: .Sp @@ -720,7 +720,7 @@ contains the line: the file that will be included is \fI/etc/sudoers.local\fR. .PP The file name may also include the \f(CW%h\fR escape, signifying the short form -of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then +of the host name. In other words, if the machine's host name is \*(L"xerxes\*(R", then .PP \&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR .PP @@ -746,7 +746,7 @@ problems. Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them contains a syntax error. It is still possible to run \fBvisudo\fR -with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly. +with the \fB\-f\fR flag to edit the files directly. .SS "Other special characters and reserved words" .IX Subsection "Other special characters and reserved words" The pound sign ('#') is used to indicate a comment (unless it is 
@@ -831,7 +831,7 @@ variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables present in the file specified by the \fIenv_file\fR option (if any). The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are -displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If +displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. If the \fIsecure_path\fR option is set, its value will be used for the \&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by default. @@ -854,7 +854,8 @@ This flag is \fIoff\fR by default. .IP "fqdn" 16 .IX Item "fqdn" Set this flag if you want to put fully qualified host names in the -\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu. +\&\fIsudoers\fR file. +In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example @@ -867,7 +868,7 @@ command) is already fully qualified you shouldn't need to set \&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default. .IP "ignore_dot" 16 .IX Item "ignore_dot" -If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR +If set, \fBsudo\fR will ignore \*(L".\*(R" or "" (current dir) in the \f(CW\*(C`PATH\*(C'\fR environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This flag is \fI@ignore_dot@\fR by default. .IP "ignore_local_sudoers" 16 
@@ -898,7 +899,7 @@ input is also captured and stored in a separate log file. .Sp Input is logged to the directory specified by the \fIiolog_dir\fR option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that -is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR. +is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR". .Sp Note that user input may contain sensitive information such as passwords (even if they are not echoed to the screen), which will @@ -915,7 +916,7 @@ log files. .Sp Output is logged to the directory specified by the \fIiolog_dir\fR option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that -is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR. +is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR". .Sp Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which can also be used to list or search the available logs. @@ -1106,8 +1107,8 @@ By default, \fBsudo\fR will refuse to run if the user must enter a password but it is not possible to disable echo on the terminal. If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password even when it would be visible on the screen. This makes it possible -to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does -not allocate a tty. This flag is \fIoff\fR by default. +to run things like \f(CW"ssh somehost sudo ls"\fR since by default, \fIssh\fR\|(1) does +not allocate a tty when running a command. This flag is \fIoff\fR by default. .PP \&\fBIntegers\fR: .IP "closefrom" 16 
@@ -1175,7 +1176,7 @@ The default is \f(CW"@iolog_dir@"\fR. .IX Item "mailsub" Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR will expand to the host name of the machine. -Default is \f(CW\*(C`@mailsub@\*(C'\fR. +Default is "\f(CW\*(C`@mailsub@\*(C'\fR". .IP "noexec_file" 16 .IX Item "noexec_file" Path to a shared library containing dummy versions of the \fIexecv()\fR, @@ -1219,7 +1220,7 @@ two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW .RE .RS 16 .Sp -The default value is \f(CW\*(C`@passprompt@\*(C'\fR. +The default value is "\f(CW\*(C`@passprompt@\*(C'\fR". .RE .if \n(SL \{\ .IP "role" 16 @@ -1360,13 +1361,13 @@ Defaults to the path to sendmail found at configure time. .IP "mailfrom" 12 .IX Item "mailfrom" Address to use for the \*(L"from\*(R" address when sending warning and error -mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to +mail. The address should be enclosed in double quotes (\f(CW""\fR) to protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to the name of the user running \fBsudo\fR. .IP "mailto" 12 .IX Item "mailto" Address to send warning and error mail to. The address should -be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR +be enclosed in double quotes (\f(CW""\fR) to protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR. .IP "secure_path" 12 .IX Item "secure_path" @@ -1425,7 +1426,7 @@ of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variab specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if they pass the aforementioned check. The default list of environment variables to check is displayed when \fBsudo\fR is run by root with -the \fI\-V\fR option. +the \fB\-V\fR option. .IP "env_delete" 16 .IX Item "env_delete" Environment variables to be removed from the user's environment 
@@ -1434,7 +1435,7 @@ be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment variables to remove -is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. +is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as \&\fBsudo\fR). @@ -1447,7 +1448,7 @@ The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep -is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. +is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. .SH "FILES" .IX Header "FILES" .ie n .IP "\fI@sysconfdir@/sudoers\fR" 24 @@ -1504,8 +1505,8 @@ variables to pass and then define our \fIaliases\fR: \& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown \& Cmnd_Alias HALT = /usr/sbin/halt \& Cmnd_Alias REBOOT = /usr/sbin/reboot -\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e -\& /usr/local/bin/tcsh, /usr/bin/rsh, \e +\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e +\& /usr/local/bin/tcsh, /usr/bin/rsh,\e \& /usr/local/bin/zsh \& Cmnd_Alias SU = /usr/bin/su \& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less 
@@ -1717,7 +1718,7 @@ privileges. For example, given the following \fIsudoers\fR entry: .PP .Vb 2 -\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*, +\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e \& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root .Ve .PP diff --git a/sudoers.pod b/sudoers.pod index 4b3a7133d..4e08ebf9b 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -269,7 +269,7 @@ Parameters may be B, B values, B, or B. Flags are implicitly boolean and can be turned off via the '!' operator. Some integer, string and list parameters may also be used in a boolean context to disable them. Values may be enclosed -in double quotes (C<">) when they contain multiple words. Special +in double quotes (C<"">) when they contain multiple words. Special characters may be escaped with a backslash (C<\>). Lists have two additional assignment operators, C<+=> and C<-=>. @@ -347,7 +347,7 @@ but F and F as B. We can extend this to allow B to run C with either the user or group set to B: - dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\ /usr/bin/lprm Note that while the group portion of the C permits the @@ -363,7 +363,7 @@ entry. The following would all be permitted by the sudoers entry above: In the following example, user B may run commands that access a modem device file with the dialer group. - tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\ /usr/local/bin/minicom Note that in this example only the group will be set, the command 
@@ -391,11 +391,11 @@ however, will supercede the values in I. =head2 Tag_Spec A command may have zero or more tags associated with it. There are -eight possible tag values, C, C, C, +ten possible tag values, C, C, C, C, C, C, C, C, C and C. Once a tag is set on a C, subsequent Cs in the C, inherit the tag unless -it is overridden by the opposite tag (i.e.: C overrides +it is overridden by the opposite tag (in other words, C overrides C and C overrides C). =head3 NOPASSWD and PASSWD @@ -493,7 +493,7 @@ Matches any character B in the specified range. =item C<\x> For any character "x", evaluates to "x". This is used to -escape special characters such as: "*", "?", "[", and "}". +escape special characters such as: "*", "?", "[", and "]". =back @@ -556,7 +556,7 @@ themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops. If the path to the include file is not fully-qualified (does not -begin with a F), it must be located in the same directory as the +begin with a C), it must be located in the same directory as the sudoers file it was included from. For example, if F contains the line: @@ -569,7 +569,7 @@ C<#include sudoers.local> the file that will be included is F. The file name may also include the C<%h> escape, signifying the short form -of the host name. I.e., if the machine's host name is "xerxes", then +of the host name. In other words, if the machine's host name is "xerxes", then C<#include /etc/sudoers.%h> @@ -595,7 +595,7 @@ problems. Note that unlike files included via C<#include>, B will not edit the files in a C<#includedir> directory unless one of them contains a syntax error. It is still possible to run B -with the C<-f> flag to edit the files directly. +with the B<-f> flag to edit the files directly. =head2 Other special characters and reserved words 
@@ -690,7 +690,7 @@ variables in the caller's environment that match the C and C lists are then added, followed by any variables present in the file specified by the I option (if any). The default contents of the C and C lists are -displayed when B is run by root with the I<-V> option. If +displayed when B is run by root with the B<-V> option. If the I option is set, its value will be used for the C environment variable. This flag is I<@env_reset@> by default. @@ -715,7 +715,8 @@ This flag is I by default. =item fqdn Set this flag if you want to put fully qualified host names in the -I file. I.e., instead of myhost you would use myhost.mydomain.edu. +I file. +In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on I requires B to make DNS lookups which may make B unusable if DNS stops working (for example @@ -729,7 +730,7 @@ I. This flag is I<@fqdn@> by default. =item ignore_dot -If set, B will ignore '.' or '' (current dir) in the C +If set, B will ignore "." or "" (current dir) in the C environment variable; the C itself is not modified. This flag is I<@ignore_dot@> by default. @@ -764,7 +765,7 @@ input is also captured and stored in a separate log file. Input is logged to the directory specified by the I option (F<@iolog_dir@> by default) using a unique session ID that -is included in the normal B log line, prefixed with I. +is included in the normal B log line, prefixed with "C". Note that user input may contain sensitive information such as passwords (even if they are not echoed to the screen), which will 
@@ -782,7 +783,7 @@ log files. Output is logged to the directory specified by the I option (F<@iolog_dir@> by default) using a unique session ID that -is included in the normal B log line, prefixed with I. +is included in the normal B log line, prefixed with "C". Output logs may be viewed with the L utility, which can also be used to list or search the available logs. @@ -998,8 +999,8 @@ By default, B will refuse to run if the user must enter a password but it is not possible to disable echo on the terminal. If the I flag is set, B will prompt for a password even when it would be visible on the screen. This makes it possible -to run things like C<"rsh somehost sudo ls"> since L does -not allocate a tty. This flag is I by default. +to run things like C<"ssh somehost sudo ls"> since by default, L does +not allocate a tty when running a command. This flag is I by default. =back @@ -1089,7 +1090,7 @@ The default is C<"@iolog_dir@">. Subject of the mail sent to the I user. The escape C<%h> will expand to the host name of the machine. -Default is C<@mailsub@>. +Default is "C<@mailsub@>". =item noexec_file @@ -1136,7 +1137,7 @@ two consecutive C<%> characters are collapsed into a single C<%> character =back -The default value is C<@passprompt@>. +The default value is "C<@passprompt@>". =item role @@ -1301,14 +1302,14 @@ Defaults to the path to sendmail found at configure time. =item mailfrom Address to use for the "from" address when sending warning and error -mail. The address should be enclosed in double quotes (C<">) to +mail. The address should be enclosed in double quotes (C<"">) to protect against B interpreting the C<@> sign. Defaults to the name of the user running B. =item mailto Address to send warning and error mail to. The address should -be enclosed in double quotes (C<">) to protect against B +be enclosed in double quotes (C<"">) to protect against B interpreting the C<@> sign. Defaults to C<@mailto@>. =item secure_path 
@@ -1379,7 +1380,7 @@ of whether the C option is enabled or disabled, variables specified by C will be preserved in the environment if they pass the aforementioned check. The default list of environment variables to check is displayed when B is run by root with -the I<-V> option. +the B<-V> option. =item env_delete @@ -1389,7 +1390,7 @@ be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and C operators respectively. The default list of environment variables to remove -is displayed when B is run by root with the I<-V> option. +is displayed when B is run by root with the B<-V> option. Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as B). @@ -1403,7 +1404,7 @@ The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and C operators respectively. The default list of variables to keep -is displayed when B is run by root with the I<-V> option. +is displayed when B is run by root with the B<-V> option. =back @@ -1468,8 +1469,8 @@ variables to pass and then define our I: Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt Cmnd_Alias REBOOT = /usr/sbin/reboot - Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ - /usr/local/bin/tcsh, /usr/bin/rsh, \ + Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\ + /usr/local/bin/tcsh, /usr/bin/rsh,\ /usr/local/bin/zsh Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less 
@@ -1638,7 +1639,7 @@ privileges. For example, given the following I entry: - john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root User B can still run C if I is diff --git a/sudoreplay.cat b/sudoreplay.cat index 8daca0c1a..6d63485a9 100644 --- a/sudoreplay.cat +++ b/sudoreplay.cat @@ -6,8 +6,8 @@ NNAAMMEE sudoreplay - replay sudo session logs SSYYNNOOPPSSIISS - ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] [--ss - _s_p_e_e_d___f_a_c_t_o_r] ID + ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] [--ff _f_i_l_t_e_r] [--mm _m_a_x___w_a_i_t] + [--ss _s_p_e_e_d___f_a_c_t_o_r] ID ssuuddoorreeppllaayy [--hh] [--dd _d_i_r_e_c_t_o_r_y] -l [search expression] @@ -56,13 +56,13 @@ OOPPTTIIOONNSS the IDs that are displayed. An expression is composed of the following predicates: - command _c_o_m_m_a_n_d _p_a_t_t_e_r_n + command _p_a_t_t_e_r_n Evaluates to true if the command run matches - _c_o_m_m_a_n_d _p_a_t_t_e_r_n. On systems with POSIX regular - expression support, the pattern may be an extended - regular expression. On systems without POSIX - regular expression support, a simple substring - match is performed instead. + _p_a_t_t_e_r_n. On systems with POSIX regular expression + support, the pattern may be an extended regular + expression. On systems without POSIX regular + expression support, a simple substring match is + performed instead. cwd _d_i_r_e_c_t_o_r_y Evaluates to true if the command was run with the 
@@ -89,8 +89,9 @@ OOPPTTIIOONNSS prior to _d_a_t_e. See "Date and time format" for a description of supported date and time formats. - tty _t_t_y Evaluates to true if the command was run on the - specified terminal device. The _t_t_y should be + tty _t_t_y _n_a_m_e + Evaluates to true if the command was run on the + specified terminal device. The _t_t_y _n_a_m_e should be specified without the _/_d_e_v_/ prefix, e.g. _t_t_y_0_1 instead of _/_d_e_v_/_t_t_y_0_1. @@ -109,20 +110,20 @@ OOPPTTIIOONNSS _a_n_d unless separated by an _o_r. -m _m_a_x___w_a_i_t Specify an upper bound on how long to wait between key - presses or output data. By default, ssuuddoo__rreeppllaayy will + presses or output data. By default, ssuuddoorreeppllaayy will accurately reproduce the delays between key presses or program output. However, this can be tedious when the session includes long pauses. When the _-_m option is specified, ssuuddoorreeppllaayy will limit these pauses to at most _m_a_x___w_a_i_t seconds. The value may be specified as a floating - point number, .e.g. _2_._5. + point number, e.g. _2_._5. -s _s_p_e_e_d___f_a_c_t_o_r This option causes ssuuddoorreeppllaayy to adjust the number of seconds it will wait between key presses or program output. This can be used to slow down or speed up the display. For example, a _s_p_e_e_d___f_a_c_t_o_r of _2 would make the output twice as - fast whereas a _s_p_e_e_d___f_a_c_t_o_r of <.5> would make the output + fast whereas a _s_p_e_e_d___f_a_c_t_o_r of _._5 would make the output twice as slow. -V The --VV (version) option causes ssuuddoorreeppllaayy to print its 
@@ -150,7 +151,7 @@ OOPPTTIIOONNSS optional. If no date is specified, the current day is assumed; if no time is specified, the first second of the specified date is used. The less significant parts of both time and date may also be omitted, in - which case zero is assumed. For example, the following are all valid: + which case zero is assumed. The following are all valid time and date specifications: @@ -218,24 +219,24 @@ FFIILLEESS EEXXAAMMPPLLEESS List sessions run by user _m_i_l_l_e_r_t: - sudoreplay -l user millert + # sudoreplay -l user millert List sessions run by user _b_o_b with a command containing the string vi: - sudoreplay -l user bob command vi + # sudoreplay -l user bob command vi List sessions run by user _j_e_f_f that match a regular expression: - sudoreplay -l user jeff command '/bin/[a-z]*sh' + # sudoreplay -l user jeff command '/bin/[a-z]*sh' List sessions run by jeff or bob on the console: - sudoreplay -l ( user jeff or user bob ) tty console + # sudoreplay -l ( user jeff or user bob ) tty console SSEEEE AALLSSOO _s_u_d_o(1m), _s_c_r_i_p_t(1) -AAUUTTHHOORR +AAUUTTHHOORRSS Todd C. Miller BBUUGGSS @@ -256,4 +257,4 @@ DDIISSCCLLAAIIMMEERR -1.7.10 May 23, 2012 SUDOREPLAY(1m) +1.7.10 July 18, 2012 SUDOREPLAY(1m) diff --git a/sudoreplay.man.in b/sudoreplay.man.in index 30851de8c..a8c6f04ad 100644 --- a/sudoreplay.man.in +++ b/sudoreplay.man.in @@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS" +.TH SUDOREPLAY @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -148,9 +148,9 @@ sudoreplay \- replay sudo session logs .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] [\fB\-f\fR \fIfilter\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0 +\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] [\fB\-f\fR\ \fIfilter\fR] [\fB\-m\fR\ \fImax_wait\fR] [\fB\-s\fR\ \fIspeed_factor\fR] \s-1ID\s0 .PP -\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] \-l [search expression] +\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] \-l [search\ expression] .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBsudoreplay\fR plays back or lists the session logs created by @@ -179,7 +179,7 @@ Double the playback speed. .IP "\-d \fIdirectory\fR" 12 .IX Item "-d directory" Use \fIdirectory\fR to for the session logs instead of the default, -\&\fI/var/log/sudo\-io\fR. +\&\fI@iolog_dir@\fR. .IP "\-f \fIfilter\fR" 12 .IX Item "-f filter" By default, \fBsudoreplay\fR will play back the command's standard @@ -199,9 +199,9 @@ by file name (or sequence number). If a \fIsearch expression\fR is specified, it will be used to restrict the IDs that are displayed. An expression is composed of the following predicates: .RS 12 -.IP "command \fIcommand pattern\fR" 8 -.IX Item "command command pattern" -Evaluates to true if the command run matches \fIcommand pattern\fR. +.IP "command \fIpattern\fR" 8 +.IX Item "command pattern" +Evaluates to true if the command run matches \fIpattern\fR. On systems with \s-1POSIX\s0 regular expression support, the pattern may be an extended regular expression. On systems without \s-1POSIX\s0 regular expression support, a simple substring match is performed instead. 
@@ -228,10 +228,10 @@ Note that \fBsudo\fR runs commands as user \fIroot\fR by default. Evaluates to true if the command was run on or prior to \fIdate\fR. See \*(L"Date and time format\*(R" for a description of supported date and time formats. -.IP "tty \fItty\fR" 8 -.IX Item "tty tty" +.IP "tty \fItty name\fR" 8 +.IX Item "tty tty name" Evaluates to true if the command was run on the specified terminal -device. The \fItty\fR should be specified without the \fI/dev/\fR prefix, +device. The \fItty name\fR should be specified without the \fI/dev/\fR prefix, e.g. \fItty01\fR instead of \fI/dev/tty01\fR. .IP "user \fIuser name\fR" 8 .IX Item "user user name" @@ -251,19 +251,19 @@ by an \fIor\fR. .IP "\-m \fImax_wait\fR" 12 .IX Item "-m max_wait" Specify an upper bound on how long to wait between key presses or -output data. By default, \fBsudo_replay\fR will accurately reproduce +output data. By default, \fBsudoreplay\fR will accurately reproduce the delays between key presses or program output. However, this can be tedious when the session includes long pauses. When the \&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses to at most \fImax_wait\fR seconds. The value may be specified as a -floating point number, .e.g. \fI2.5\fR. +floating point number, e.g. \fI2.5\fR. .IP "\-s \fIspeed_factor\fR" 12 .IX Item "-s speed_factor" This option causes \fBsudoreplay\fR to adjust the number of seconds it will wait between key presses or program output. This can be used to slow down or speed up the display. For example, a \&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas -a \fIspeed_factor\fR of <.5> would make the output twice as slow. +a \fIspeed_factor\fR of \fI.5\fR would make the output twice as slow. .IP "\-V" 12 .IX Item "-V" The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number 
@@ -290,8 +290,7 @@ Either time or date may be omitted, the am/pm and timezone are optional. If no date is specified, the current day is assumed; if no time is specified, the first second of the specified date is used. The less significant parts of both time and date may also -be omitted, in which case zero is assumed. For example, the following -are all valid: +be omitted, in which case zero is assumed. .PP The following are all valid time and date specifications: .IP "now" 8 
@@ -332,29 +331,37 @@ The current time but 14 days ago. 10:01 am, September 17, 2009. .SH "FILES" .IX Header "FILES" -.IP "\fI/var/log/sudo\-io\fR" 24 -.IX Item "/var/log/sudo-io" +.ie n .IP "\fI@iolog_dir@\fR" 24 +.el .IP "\fI@iolog_dir@\fR" 24 +.IX Item "@iolog_dir@" The default I/O log directory. -.IP "\fI/var/log/sudo\-io/00/00/01/log\fR" 24 -.IX Item "/var/log/sudo-io/00/00/01/log" +.ie n .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 +.el .IP "\fI@iolog_dir@/00/00/01/log\fR" 24 +.IX Item "@iolog_dir@/00/00/01/log" Example session log info. -.IP "\fI/var/log/sudo\-io/00/00/01/stdin\fR" 24 -.IX Item "/var/log/sudo-io/00/00/01/stdin" +.ie n .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 +.el .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24 +.IX Item "@iolog_dir@/00/00/01/stdin" Example session standard input log. -.IP "\fI/var/log/sudo\-io/00/00/01/stdout\fR" 24 -.IX Item "/var/log/sudo-io/00/00/01/stdout" +.ie n .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 +.el .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24 +.IX Item "@iolog_dir@/00/00/01/stdout" Example session standard output log. -.IP "\fI/var/log/sudo\-io/00/00/01/stderr\fR" 24 -.IX Item "/var/log/sudo-io/00/00/01/stderr" +.ie n .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 +.el .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24 +.IX Item "@iolog_dir@/00/00/01/stderr" Example session standard error log. -.IP "\fI/var/log/sudo\-io/00/00/01/ttyin\fR" 24 -.IX Item "/var/log/sudo-io/00/00/01/ttyin" +.ie n .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 +.el .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24 +.IX Item "@iolog_dir@/00/00/01/ttyin" Example session tty input file. -.IP "\fI/var/log/sudo\-io/00/00/01/ttyout\fR" 24 -.IX Item "/var/log/sudo-io/00/00/01/ttyout" +.ie n .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 +.el .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24 +.IX Item "@iolog_dir@/00/00/01/ttyout" Example session tty output file. 
-.IP "\fI/var/log/sudo\-io/00/00/01/timing\fR" 24 -.IX Item "/var/log/sudo-io/00/00/01/timing" +.ie n .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 +.el .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24 +.IX Item "@iolog_dir@/00/00/01/timing" Example session timing file. .PP Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty @@ -365,31 +372,31 @@ command. List sessions run by user \fImillert\fR: .PP .Vb 1 -\& sudoreplay \-l user millert +\& # sudoreplay \-l user millert .Ve .PP List sessions run by user \fIbob\fR with a command containing the string vi: .PP .Vb 1 -\& sudoreplay \-l user bob command vi +\& # sudoreplay \-l user bob command vi .Ve .PP List sessions run by user \fIjeff\fR that match a regular expression: .PP .Vb 1 -\& sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq +\& # sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq .Ve .PP List sessions run by jeff or bob on the console: .PP .Vb 1 -\& sudoreplay \-l ( user jeff or user bob ) tty console +\& # sudoreplay \-l ( user jeff or user bob ) tty console .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1) -.SH "AUTHOR" -.IX Header "AUTHOR" +.SH "AUTHORS" +.IX Header "AUTHORS" Todd C. Miller .SH "BUGS" .IX Header "BUGS" diff --git a/sudoreplay.pod b/sudoreplay.pod index f3eba6f7d..6418e35f4 100644 --- a/sudoreplay.pod +++ b/sudoreplay.pod @@ -21,9 +21,9 @@ sudoreplay - replay sudo session logs =head1 SYNOPSIS -B [B<-h>] [B<-d> I] [B<-f> I] [B<-m> I] [B<-s> I] ID +B [B<-h>] S<[B<-d> I]> S<[B<-f> I]> S<[B<-m> I]> S<[B<-s> I]> ID -B [B<-h>] [B<-d> I] -l [search expression] +B [B<-h>] S<[B<-d> I]> -l S<[search expression]> =head1 DESCRIPTION @@ -66,7 +66,7 @@ B accepts the following command line options: =item -d I Use I to for the session logs instead of the default, -F. +F<@iolog_dir@>. =item -f I 
@@ -91,9 +91,9 @@ An expression is composed of the following predicates: =over 8 -=item command I +=item command I -Evaluates to true if the command run matches I. +Evaluates to true if the command run matches I. On systems with POSIX regular expression support, the pattern may be an extended regular expression. On systems without POSIX regular expression support, a simple substring match is performed instead. @@ -126,10 +126,10 @@ Evaluates to true if the command was run on or prior to I. See L<"Date and time format"> for a description of supported date and time formats. -=item tty I +=item tty I Evaluates to true if the command was run on the specified terminal -device. The I should be specified without the F prefix, +device. The I should be specified without the F prefix, e.g. F instead of F. =item user I @@ -150,12 +150,12 @@ by an I. =item -m I Specify an upper bound on how long to wait between key presses or -output data. By default, B will accurately reproduce +output data. By default, B will accurately reproduce the delays between key presses or program output. However, this can be tedious when the session includes long pauses. When the I<-m> option is specified, B will limit these pauses to at most I seconds. The value may be specified as a -floating point number, .e.g. I<2.5>. +floating point number, e.g. I<2.5>. =item -s I @@ -163,7 +163,7 @@ This option causes B to adjust the number of seconds it will wait between key presses or program output. This can be used to slow down or speed up the display. For example, a I of I<2> would make the output twice as fast whereas -a I of <.5> would make the output twice as slow. +a I of I<.5> would make the output twice as slow. =item -V 
@@ -202,8 +202,7 @@ Either time or date may be omitted, the am/pm and timezone are optional. If no date is specified, the current day is assumed; if no time is specified, the first second of the specified date is used. The less significant parts of both time and date may also -be omitted, in which case zero is assumed. For example, the following -are all valid: +be omitted, in which case zero is assumed. The following are all valid time and date specifications: @@ -263,35 +262,35 @@ The current time but 14 days ago. =over 24 -=item F +=item F<@iolog_dir@> The default I/O log directory. -=item F +=item F<@iolog_dir@/00/00/01/log> Example session log info. -=item F +=item F<@iolog_dir@/00/00/01/stdin> Example session standard input log. -=item F +=item F<@iolog_dir@/00/00/01/stdout> Example session standard output log. -=item F +=item F<@iolog_dir@/00/00/01/stderr> Example session standard error log. -=item F +=item F<@iolog_dir@/00/00/01/ttyin> Example session tty input file. -=item F +=item F<@iolog_dir@/00/00/01/ttyout> Example session tty output file. -=item F +=item F<@iolog_dir@/00/00/01/timing> Example session timing file. @@ -305,25 +304,25 @@ command. List sessions run by user I: - sudoreplay -l user millert + # sudoreplay -l user millert List sessions run by user I with a command containing the string vi: - sudoreplay -l user bob command vi + # sudoreplay -l user bob command vi List sessions run by user I that match a regular expression: - sudoreplay -l user jeff command '/bin/[a-z]*sh' + # sudoreplay -l user jeff command '/bin/[a-z]*sh' List sessions run by jeff or bob on the console: - sudoreplay -l ( user jeff or user bob ) tty console + # sudoreplay -l ( user jeff or user bob ) tty console =head1 SEE ALSO L, L -=head1 AUTHOR +=head1 AUTHORS Todd C. Miller diff --git a/visudo.cat b/visudo.cat index 804a26d18..8b9a356c6 100644 --- a/visudo.cat +++ b/visudo.cat 
@@ -94,10 +94,10 @@ DDIIAAGGNNOOSSTTIICCSS You didn't run vviissuuddoo as root. Can't find you in the passwd database - Your userid does not appear in the system passwd file. + Your user ID does not appear in the system passwd file. Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined - Either you are trying to use an undeclare + Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the @@ -112,11 +112,11 @@ DDIIAAGGNNOOSSTTIICCSS SSEEEE AALLSSOO _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) -AAUUTTHHOORR +AAUUTTHHOORRSS Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo was written by: - Todd Miller + Todd C. Miller See the HISTORY file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details. @@ -143,4 +143,4 @@ DDIISSCCLLAAIIMMEERR -1.7.10 May 23, 2012 VISUDO(1m) +1.7.10 July 18, 2012 VISUDO(1m) diff --git a/visudo.man.in b/visudo.man.in index 08493748d..a27dc08e0 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "May 23, 2012" "1.7.10" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -258,10 +258,10 @@ Someone else is currently editing the \fIsudoers\fR file. You didn't run \fBvisudo\fR as root. .IP "Can't find you in the passwd database" 4 .IX Item "Can't find you in the passwd database" -Your userid does not appear in the system passwd file. +Your user \s-1ID\s0 does not appear in the system passwd file. .IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4 .IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" -Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias +Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the warnings (\fBsudo\fR will not @@ -274,13 +274,13 @@ used. You may wish to comment out or remove the unused alias. In .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8) -.SH "AUTHOR" -.IX Header "AUTHOR" +.SH "AUTHORS" +.IX Header "AUTHORS" Many people have worked on \fIsudo\fR over the years; this version of \&\fBvisudo\fR was written by: .PP .Vb 1 -\& Todd Miller +\& Todd C. Miller .Ve .PP See the \s-1HISTORY\s0 file in the sudo distribution or visit diff --git a/visudo.pod b/visudo.pod index 708d9549a..23224ee0e 100644 --- a/visudo.pod +++ b/visudo.pod 
@@ -156,11 +156,11 @@ You didn't run B as root. =item Can't find you in the passwd database -Your userid does not appear in the system passwd file. +Your user ID does not appear in the system passwd file. =item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined -Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias +Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed that consists solely of uppercase letters, digits, and the underscore ('_') character. In the latter case, you can ignore the warnings (B will not @@ -178,12 +178,12 @@ B<-s> (strict) mode this is an error, not a warning. L, L, L, L -=head1 AUTHOR +=head1 AUTHORS Many people have worked on I over the years; this version of B was written by: - Todd Miller + Todd C. Miller See the HISTORY file in the sudo distribution or visit http://www.sudo.ws/sudo/history.html for more details. -- 2.40.0
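Review bot: in the visiblepw hunk (sudoers.pod @@ -998) the rewritten example is right that `ssh somehost sudo ls` gets no tty, but the paragraph should also name the usual remedy, `ssh -t somehost sudo ls`, which makes ssh allocate a pty so sudo can keep echo disabled. Enabling visiblepw instead exposes the typed password on screen and in any terminal or session capture, so the flag should read as the last resort. Suggested wording for the changed line: `since by default, L<ssh(1)> does not allocate a tty when running a command; use B<ssh -t> to request one rather than enabling this flag.`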
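Review bot: in the mailfrom/mailto hunk (sudoers.pod @@ -1301) the change from `C<">` to `C<"">` puts two quote characters inside the code span, so the rendered sentence becomes `enclosed in double quotes ("")`, which a reader will take as an empty string rather than the single `"` character being described. If the doubling is a workaround for how pod2man renders a lone `"` inside C<>, it would be better to keep the single character and fix the rendering, or drop the parenthetical entirely, since "double quotes" is already unambiguous.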
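Review bot: the unchanged context line `Use \fIdirectory\fR to for the session logs instead of the default,` in the sudoreplay.man.in @@ -179 hunk (and the same sentence in the sudoreplay.pod @@ -66 hunk) still carries the "to for" typo. Since this commit is already touching that paragraph to substitute `@iolog_dir@`, drop the stray "to" so it reads `Use directory for the session logs instead of the default, @iolog_dir@.`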
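Review bot: the last example in the EXAMPLES hunks (`# sudoreplay -l ( user jeff or user bob ) tty console` in sudoreplay.pod @@ -305 and the matching sudoreplay.cat and sudoreplay.man.in hunks) is not valid as typed into sh or bash: an unquoted `(` in the middle of a command line is a shell syntax error. Now that the `#` prompt presents these lines as shell commands, escape or quote the grouping, e.g. `# sudoreplay -l \( user jeff or user bob \) tty console`, the same convention find(1) documents for its `(` and `)` operators, and say in the `-l` description that the parentheses must be protected from the shell.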
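Review bot: the `\` added at the end of the `john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\` line in the sudoers.pod @@ -1638 hunk is a correctness fix, not a cosmetic one: without the continuation the following line (`/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root`) is not part of john's entry, so the `!/usr/bin/* root` exclusion that the surrounding text explains was never attached to the passwd and chsh commands. Worth calling out explicitly in the commit message, and worth running the other multi-line examples in the file through `visudo -c -f` to catch the same omission elsewhere.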
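Review bot: in the sudoreplay.man.in FILES hunk (@@ -332) every `.ie n .IP "\fI@iolog_dir@...\fR" 24` / `.el .IP ...` pair has identical bodies, so the nroff/troff conditional selects the same text either way. If sudoreplay.man.in is regenerated from sudoreplay.pod by pod2man this is just generator output and can stay, but if it was edited by hand a single `.IP "\fI@iolog_dir@/00/00/01/log\fR" 24` per entry is simpler and keeps the file diffable against the next regeneration.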