From 8528827500226da5d326cf03839a0a5fce28df3e Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 8 Nov 2010 11:27:20 -0500 Subject: [PATCH] Bump version to 1.8.0b2 --- configure | 18 +-- configure.in | 2 +- doc/sudo.cat | 20 +-- doc/sudo.man.in | 4 +- doc/sudo_plugin.cat | 336 ++++++++++++++++++++-------------------- doc/sudo_plugin.man.in | 11 +- doc/sudoers.ldap.cat | 72 ++++----- doc/sudoers.ldap.man.in | 24 +-- doc/visudo.cat | 26 ++-- doc/visudo.man.in | 6 +- 10 files changed, 265 insertions(+), 254 deletions(-) diff --git a/configure b/configure index 6460859ff..11a4047d2 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.65 for sudo 1.8.0b1. +# Generated by GNU Autoconf 2.65 for sudo 1.8.0b2. # # Report bugs to . # @@ -701,8 +701,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.0b1' -PACKAGE_STRING='sudo 1.8.0b1' +PACKAGE_VERSION='1.8.0b2' +PACKAGE_STRING='sudo 1.8.0b2' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1564,7 +1564,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.0b1 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.0b2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1629,7 +1629,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.0b1:";; + short | recursive ) echo "Configuration of sudo 1.8.0b2:";; esac cat <<\_ACEOF @@ -1840,7 +1840,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.0b1 +sudo configure 1.8.0b2 generated by GNU Autoconf 2.65 Copyright (C) 2009 Free Software Foundation, Inc. @@ -2539,7 +2539,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.0b1, which was +It was created by sudo $as_me 1.8.0b2, which was generated by GNU Autoconf 2.65. Invocation command line was $ $0 $@ @@ -19054,7 +19054,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.0b1, which was +This file was extended by sudo $as_me 1.8.0b2, which was generated by GNU Autoconf 2.65. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19120,7 +19120,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.0b1 +sudo config.status 1.8.0b2 configured by $0, generated by GNU Autoconf 2.65, with options \\"\$ac_cs_config\\" diff --git a/configure.in b/configure.in index 7255d6707..8508dcf57 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script. dnl dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller dnl -AC_INIT([sudo], [1.8.0b1], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.8.0b2], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h) dnl dnl This won't work before AC_INIT diff --git a/doc/sudo.cat b/doc/sudo.cat index 021941a9d..dd3b961ae 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0b1 July 19, 2010 1 +1.8.0b2 November 5, 2010 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.8.0b1 July 19, 2010 2 +1.8.0b2 November 5, 2010 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.8.0b1 July 19, 2010 3 +1.8.0b2 November 5, 2010 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.8.0b1 July 19, 2010 4 +1.8.0b2 November 5, 2010 4 @@ -325,7 +325,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.8.0b1 July 19, 2010 5 +1.8.0b2 November 5, 2010 5 @@ -391,7 +391,7 @@ PPLLUUGGIINNSS -1.8.0b1 July 19, 2010 6 +1.8.0b2 November 5, 2010 6 @@ -457,7 +457,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.8.0b1 July 19, 2010 7 +1.8.0b2 November 5, 2010 7 @@ -523,7 +523,7 @@ FFIILLEESS -1.8.0b1 July 19, 2010 8 +1.8.0b2 November 5, 2010 8 @@ -589,7 +589,7 @@ CCAAVVEEAATTSS -1.8.0b1 July 19, 2010 9 +1.8.0b2 November 5, 2010 9 @@ -655,6 +655,6 @@ DDIISSCCLLAAIIMMEERR -1.8.0b1 July 19, 2010 10 +1.8.0b2 November 5, 2010 10 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index fc9aeb373..5130ed878 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -23,7 +23,7 @@ .nr LC @LCMAN@ .nr PT @password_timeout@ .\" -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) +.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "July 19, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "November 5, 2010" "1.8.0b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index eaf55716b..bce114a94 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0b1 August 12, 2010 1 +1.8.0b2 November 5, 2010 1 @@ -127,7 +127,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0b1 August 12, 2010 2 +1.8.0b2 November 5, 2010 2 @@ -193,7 +193,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0b1 August 12, 2010 3 +1.8.0b2 November 5, 2010 3 @@ -241,6 +241,14 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) Authentication type, if specified by the -a flag, to use on systems where BSD authentication is supported. + network_addrs=list + A space-separated list of IP network addresses and netmasks + in the form "addr/netmask", e.g. + "192.168.1.2/255.255.255.0". The address and netmask pairs + may be either IPv4 or IPv6, depending on what the operating + system supports. If the address contains a colon (':'), it + is an IPv6 address, else it is IPv4. + progname=string The command name that sudo was run as, typically "sudo" or "sudoedit". @@ -248,18 +256,10 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) sudoedit=bool Set to true when the -e flag is is specified or if invoked as ssuuddooeeddiitt. The plugin shall substitute an editor into - _a_r_g_v in the _c_h_e_c_k___p_o_l_i_c_y function or return -2 with a usage - error if the plugin does not support _s_u_d_o_e_d_i_t. For more - information, see the _c_h_e_c_k___p_o_l_i_c_y section. - - closefrom=number - If specified, the user has requested via the -C flag that - ssuuddoo close all files descriptors with a value of _n_u_m_b_e_r or - higher. The plugin may optionally pass this, or another -1.8.0b1 August 12, 2010 4 +1.8.0b2 November 5, 2010 4 @@ -268,6 +268,14 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + _a_r_g_v in the _c_h_e_c_k___p_o_l_i_c_y function or return -2 with a usage + error if the plugin does not support _s_u_d_o_e_d_i_t. For more + information, see the _c_h_e_c_k___p_o_l_i_c_y section. + + closefrom=number + If specified, the user has requested via the -C flag that + ssuuddoo close all files descriptors with a value of _n_u_m_b_e_r or + higher. The plugin may optionally pass this, or another value, back in the _c_o_m_m_a_n_d___i_n_f_o list. Additional settings may be added in the future so the plugin @@ -314,26 +322,26 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) cols=int The number of columns the user's terminal supports. If - there is no terminal device available, a default value of - 80 is used. - user_env - The user's environment in the form of a NULL-terminated vector - of "name=value" strings. - When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt +1.8.0b2 November 5, 2010 5 -1.8.0b1 August 12, 2010 5 +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + there is no terminal device available, a default value of + 80 is used. + user_env + The user's environment in the form of a NULL-terminated vector + of "name=value" strings. + When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt equal sign ('=') since the _n_a_m_e field will never include one itself but the _v_a_l_u_e might. @@ -380,18 +388,10 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) with the user's credentials instead of with elevated privileges. ssuuddoo achieves this by creating user-writable temporary copies of the files to be edited and then overwriting the originals with the - temporary copies after editing is complete. If the plugin supports - ssuuddooeeddiitt, it should choose the editor to be used, potentially from - a variable in the user's environment, such as EDITOR, and include - it in _a_r_g_v___o_u_t (note that environment variables may include command - line flags). The files to be edited should be copied from _a_r_g_v - into _a_r_g_v___o_u_t, separated from the editor and its arguments by a - "--" element. The "--" will be removed by ssuuddoo before the editor - is executed. The plugin should also set _s_u_d_o_e_d_i_t_=_t_r_u_e in the -1.8.0b1 August 12, 2010 6 +1.8.0b2 November 5, 2010 6 @@ -400,6 +400,14 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + temporary copies after editing is complete. If the plugin supports + ssuuddooeeddiitt, it should choose the editor to be used, potentially from + a variable in the user's environment, such as EDITOR, and include + it in _a_r_g_v___o_u_t (note that environment variables may include command + line flags). The files to be edited should be copied from _a_r_g_v + into _a_r_g_v___o_u_t, separated from the editor and its arguments by a + "--" element. The "--" will be removed by ssuuddoo before the editor + is executed. The plugin should also set _s_u_d_o_e_d_i_t_=_t_r_u_e in the _c_o_m_m_a_n_d___i_n_f_o list. The _c_h_e_c_k___p_o_l_i_c_y function returns 1 if the command is allowed, 0 if @@ -446,25 +454,24 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) runas_uid=uid User ID to run the command as. - runas_euid=uid - Effective user ID to run the command as. If not specified, - the value of _r_u_n_a_s___u_i_d is used. - runas_gid=gid - Group ID to run the command as. +1.8.0b2 November 5, 2010 7 -1.8.0b1 August 12, 2010 7 - +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + runas_euid=uid + Effective user ID to run the command as. If not specified, + the value of _r_u_n_a_s___u_i_d is used. + runas_gid=gid + Group ID to run the command as. runas_egid=gid Effective group ID to run the command as. If not @@ -512,18 +519,11 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) Command timeout. If non-zero then when the timeout expires the command will be killed. - sudoedit=bool - Set to true when in _s_u_d_o_e_d_i_t mode. The plugin may enable - _s_u_d_o_e_d_i_t mode even if ssuuddoo was not invoked as ssuuddooeeddiitt. - This allows the plugin to perform command substitution and - transparently enable _s_u_d_o_e_d_i_t when the user attempts to run - an editor. - -1.8.0b1 August 12, 2010 8 +1.8.0b2 November 5, 2010 8 @@ -532,6 +532,13 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + sudoedit=bool + Set to true when in _s_u_d_o_e_d_i_t mode. The plugin may enable + _s_u_d_o_e_d_i_t mode even if ssuuddoo was not invoked as ssuuddooeeddiitt. + This allows the plugin to perform command substitution and + transparently enable _s_u_d_o_e_d_i_t when the user attempts to run + an editor. + closefrom=number If specified, ssuuddoo will close all files descriptors with a value of _n_u_m_b_e_r or higher. @@ -579,25 +586,25 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) would be passed to the _e_x_e_c_v_e_(_) system call. If the command is permitted by the policy, the fully-qualified path to the command should be displayed along with any command line - arguments. - validate - int (*validate)(void); - The validate function is called when ssuuddoo is run with the -v flag. - For policy plugins such as _s_u_d_o_e_r_s that cache authentication +1.8.0b2 November 5, 2010 9 -1.8.0b1 August 12, 2010 9 +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + arguments. + validate + int (*validate)(void); + The validate function is called when ssuuddoo is run with the -v flag. + For policy plugins such as _s_u_d_o_e_r_s that cache authentication credentials, this function will validate and cache the credentials. The validate function should be NULL if the plugin does not support @@ -640,22 +647,15 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) _V_e_r_s_i_o_n _m_a_c_r_o_s - #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) - #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) - #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \ - *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ - } while(0) - #define SUDO_VERSION_SET_MINOR(vp, n) do { \ - *(vp) = (*(vp) & 0xffff0000) | (n); \ - } while(0) - #define SUDO_API_VERSION_MAJOR 1 - #define SUDO_API_VERSION_MINOR 0 - #define SUDO_API_VERSION ((SUDO_API_VERSION_MAJOR << 16) | \ -1.8.0b1 August 12, 2010 10 + + + + +1.8.0b2 November 5, 2010 10 @@ -664,6 +664,18 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16) + #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff) + #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \ + *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \ + } while(0) + #define SUDO_VERSION_SET_MINOR(vp, n) do { \ + *(vp) = (*(vp) & 0xffff0000) | (n); \ + } while(0) + + #define SUDO_API_VERSION_MAJOR 1 + #define SUDO_API_VERSION_MINOR 0 + #define SUDO_API_VERSION ((SUDO_API_VERSION_MAJOR << 16) | \ SUDO_API_VERSION_MINOR) II//OO PPlluuggiinn AAPPII @@ -707,28 +719,28 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) type The type field should always be set to SUDO_IO_PLUGIN - version - The version field should be set to SUDO_API_VERSION. - This allows ssuuddoo to determine the API version the plugin was built - against. - open - int (*open)(unsigned int version, sudo_conv_t conversation - sudo_printf_t plugin_printf, char * const settings[], - char * const user_info[], int argc, char * const argv[], - char * const user_env[]); +1.8.0b2 November 5, 2010 11 -1.8.0b1 August 12, 2010 11 +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + version + The version field should be set to SUDO_API_VERSION. -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + This allows ssuuddoo to determine the API version the plugin was built + against. + open + int (*open)(unsigned int version, sudo_conv_t conversation + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], int argc, char * const argv[], + char * const user_env[]); The _o_p_e_n function is run before the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t or _s_h_o_w___v_e_r_s_i_o_n functions are called. It is only called if the @@ -773,28 +785,28 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) equal sign ('=') since the _n_a_m_e field will never include one itself but the _v_a_l_u_e might. - See the "Policy Plugin API" section for a list of all possible - settings. - user_info - A vector of information about the user running the command in - the form of "name=value" strings. The vector is terminated by - a NULL pointer. - When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt - equal sign ('=') since the _n_a_m_e field will never include one - itself but the _v_a_l_u_e might. +1.8.0b2 November 5, 2010 12 -1.8.0b1 August 12, 2010 12 +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + See the "Policy Plugin API" section for a list of all possible + settings. -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + user_info + A vector of information about the user running the command in + the form of "name=value" strings. The vector is terminated by + a NULL pointer. + When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt + equal sign ('=') since the _n_a_m_e field will never include one + itself but the _v_a_l_u_e might. See the "Policy Plugin API" section for a list of all possible strings. @@ -838,30 +850,30 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) int (*show_version)(int verbose); The show_version function is called by ssuuddoo when the user specifies - the -V option. The plugin may display its version information to - the user via the conversation or plugin_printf function using - SUDO_CONV_INFO_MSG. If the user requests detailed version - information, the verbose flag will be set. - log_ttyin - int (*log_ttyin)(const char *buf, unsigned int len); - The _l_o_g___t_t_y_i_n function is called whenever data can be read from the - user but before it is passed to the running command. This allows - the plugin to reject data if it chooses to (for instance if the - input contains banned content). Returns 1 if the data should be +1.8.0b2 November 5, 2010 13 -1.8.0b1 August 12, 2010 13 +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + the -V option. The plugin may display its version information to + the user via the conversation or plugin_printf function using + SUDO_CONV_INFO_MSG. If the user requests detailed version + information, the verbose flag will be set. + log_ttyin + int (*log_ttyin)(const char *buf, unsigned int len); + The _l_o_g___t_t_y_i_n function is called whenever data can be read from the + user but before it is passed to the running command. This allows + the plugin to reject data if it chooses to (for instance if the + input contains banned content). Returns 1 if the data should be passed to the command, 0 if the data is rejected (which will terminate the command) or -1 if an error occurred. @@ -904,6 +916,18 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) len The length of _b_u_f in bytes. + + + +1.8.0b2 November 5, 2010 14 + + + + + +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + + log_stdout int (*log_stdout)(const char *buf, unsigned int len); @@ -917,17 +941,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) The function arguments are as follows: - - -1.8.0b1 August 12, 2010 14 - - - - - -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) - - buf The buffer containing command output. len The length of _b_u_f in bytes. @@ -964,6 +977,23 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) informational or error messages to the user, which is usually more convenient for simple messages where no use input is required. + + + + + + + + +1.8.0b2 November 5, 2010 15 + + + + + +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + + struct sudo_conv_message { #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */ #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */ @@ -982,18 +1012,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) typedef int (*sudo_conv_t)(int num_msgs, const struct sudo_conv_message msgs[], - - - -1.8.0b1 August 12, 2010 15 - - - - - -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) - - struct sudo_conv_reply replies[]); typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...); @@ -1027,6 +1045,21 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) in the global scope. This structure contains pointers to the functions that implement plugin initialization, cleanup and group lookup. + + + + + + +1.8.0b2 November 5, 2010 16 + + + + + +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + + struct sudoers_group_plugin { unsigned int version; int (*init)(int version, sudo_printf_t sudo_printf, @@ -1048,18 +1081,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) int (*init)(int version, sudo_printf_t plugin_printf, char *const argv[]); - - - -1.8.0b1 August 12, 2010 16 - - - - - -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) - - The _i_n_i_t function is called after _s_u_d_o_e_r_s has been parsed but before any policy checks. It returns 1 on success, 0 on failure (or if the plugin is not configured), and -1 if a error occurred. @@ -1092,6 +1113,19 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) close open file handles. query + + + + +1.8.0b2 November 5, 2010 17 + + + + + +SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) + + int (*query)(const char *user, const char *group, const struct passwd *pwd); @@ -1112,20 +1146,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) _V_e_r_s_i_o_n _M_a_c_r_o_s - - - - - -1.8.0b1 August 12, 2010 17 - - - - - -SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) - - /* Sudoers group plugin version major/minor */ #define GROUP_API_VERSION_MAJOR 1 #define GROUP_API_VERSION_MINOR 0 @@ -1163,26 +1183,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - - -1.8.0b1 August 12, 2010 18 +1.8.0b2 November 5, 2010 18 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 27d7af763..51afe7581 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -13,7 +13,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) +.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== @@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDO_PLUGIN @mansectsu@" -.TH SUDO_PLUGIN @mansectsu@ "August 12, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" +.TH SUDO_PLUGIN @mansectsu@ "November 5, 2010" "1.8.0b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -350,6 +350,13 @@ the \f(CW\*(C`\-t\*(C'\fR flag. .IX Item "bsdauth_type=string" Authentication type, if specified by the \f(CW\*(C`\-a\*(C'\fR flag, to use on systems where \s-1BSD\s0 authentication is supported. +.IP "network_addrs=list" 4 +.IX Item "network_addrs=list" +A space-separated list of \s-1IP\s0 network addresses and netmasks in the +form \*(L"addr/netmask\*(R", e.g. \*(L"192.168.1.2/255.255.255.0\*(R". The address +and netmask pairs may be either IPv4 or IPv6, depending on what the +operating system supports. If the address contains a colon (':'), +it is an IPv6 address, else it is IPv4. .IP "progname=string" 4 .IX Item "progname=string" The command name that sudo was run as, typically \*(L"sudo\*(R" or \*(L"sudoedit\*(R". diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index f27f7d239..18a6c535e 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0b1 July 8, 2010 1 +1.8.0b2 November 5, 2010 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0b1 July 8, 2010 2 +1.8.0b2 November 5, 2010 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0b1 July 8, 2010 3 +1.8.0b2 November 5, 2010 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0b1 July 8, 2010 4 +1.8.0b2 November 5, 2010 4 @@ -268,10 +268,12 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - ssuuddoo will connect to llooccaallhhoosstt. Only systems using the OpenSSL - libraries support the mixing of ldap:// and ldaps:// URIs. The - Netscape-derived libraries used on most commercial versions of Unix - are only capable of supporting one or the other. + ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated + identically to a UURRII line containing multiple entries. Only + systems using the OpenSSL libraries support the mixing of ldap:// + and ldaps:// URIs. The Netscape-derived libraries used on most + commercial versions of Unix are only capable of supporting one or + the other. HHOOSSTT name[:port] ... If no UURRII is specified, the HHOOSSTT parameter specifies a whitespace- @@ -319,13 +321,11 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) identity. By default, most LDAP servers will allow anonymous access. - BBIINNDDPPWW secret - The BBIINNDDPPWW parameter specifies the password to use when performing - LDAP operations. This is typically used in conjunction with the -1.8.0b1 July 8, 2010 5 + +1.8.0b2 November 5, 2010 5 @@ -334,6 +334,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + BBIINNDDPPWW secret + The BBIINNDDPPWW parameter specifies the password to use when performing + LDAP operations. This is typically used in conjunction with the BBIINNDDDDNN parameter. RROOOOTTBBIINNDDDDNN DN @@ -385,13 +388,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) TTLLSS__CCAACCEERRTTDDIIRR directory Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory - containing individual Certificate Authority certificates, e.g. - _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is - checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the -1.8.0b1 July 8, 2010 6 +1.8.0b2 November 5, 2010 6 @@ -400,6 +400,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + containing individual Certificate Authority certificates, e.g. + _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is + checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the OpenLDAP libraries. TTLLSS__CCEERRTT file name @@ -451,13 +454,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting to an LDAP server from a privileged process, such as ssuuddoo. - RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity - The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. - -1.8.0b1 July 8, 2010 7 +1.8.0b2 November 5, 2010 7 @@ -466,6 +466,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity + The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. + SSAASSLL__SSEECCPPRROOPPSS none/properties SASL security properties or _n_o_n_e for no properties. See the SASL programmer's manual for details. @@ -518,12 +521,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) To consult LDAP first followed by the local sudoers file (if it exists), use: - sudoers = ldap, files - - -1.8.0b1 July 8, 2010 8 +1.8.0b2 November 5, 2010 8 @@ -532,6 +532,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + sudoers = ldap, files + The local _s_u_d_o_e_r_s file can be ignored completely by using: sudoers = ldap @@ -584,12 +586,10 @@ EEXXAAMMPPLLEESS # # verbose sudoers matching from ldap #sudoers_debug 2 - # - # optional proxy credentials -1.8.0b1 July 8, 2010 9 +1.8.0b2 November 5, 2010 9 @@ -598,6 +598,8 @@ EEXXAAMMPPLLEESS SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # + # optional proxy credentials #binddn #bindpw #rootbinddn @@ -650,12 +652,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # For OpenLDAP: #tls_cert /etc/certs/client_cert.pem #tls_key /etc/certs/client_key.pem - # - # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either -1.8.0b1 July 8, 2010 10 +1.8.0b2 November 5, 2010 10 @@ -664,6 +664,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + # + # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either # a directory, in which case the files in the directory must have the # default names (e.g. cert8.db and key4.db), or the path to the cert # and key files themselves. However, a bug in version 5.0 of the LDAP @@ -717,11 +719,9 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - attributetype ( 1.3.6.1.4.1.15953.9.1.5 - -1.8.0b1 July 8, 2010 11 +1.8.0b2 November 5, 2010 11 @@ -730,6 +730,8 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match @@ -785,8 +787,6 @@ DDIISSCCLLAAIIMMEERR - - -1.8.0b1 July 8, 2010 12 +1.8.0b2 November 5, 2010 12 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index e44a7b379..151821678 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003-2009 +.\" Copyright (c) 2003-2010 .\" Todd C. Miller .\" .\" Permission to use, copy, modify, and distribute this software for any @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) +.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "July 8, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "November 5, 2010" "1.8.0b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -364,14 +364,16 @@ below in upper case but are parsed in a case-independent manner. .IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4 .IX Item "URI ldap[s]://[hostname[:port]] ..." Specifies a whitespace-delimited list of one or more URIs describing -the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either \fBldap\fR -or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 (\s-1SSL\s0) -encryption. If no \fIport\fR is specified, the default is port 389 for -\&\f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR is specified, -\&\fBsudo\fR will connect to \fBlocalhost\fR. Only systems using the OpenSSL -libraries support the mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. -The Netscape-derived libraries used on most commercial versions of -Unix are only capable of supporting one or the other. +the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either +\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0 +(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port +389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR +is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR +lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple +entries. Only systems using the OpenSSL libraries support the +mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived +libraries used on most commercial versions of Unix are only capable +of supporting one or the other. .IP "\fB\s-1HOST\s0\fR name[:port] ..." 4 .IX Item "HOST name[:port] ..." If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a diff --git a/doc/visudo.cat b/doc/visudo.cat index 35e9fe527..fc57988f6 100644 --- a/doc/visudo.cat +++ b/doc/visudo.cat @@ -54,14 +54,14 @@ OOPPTTIIOONNSS option vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file used is the specified _s_u_d_o_e_r_s file with ".tmp" - appended to it. + appended to it. In cchheecckk--oonnllyy mode only, the argument to + --ff may be "-", indicating that _s_u_d_o_e_r_s will be read from + the standard input. - -q Enable qquuiieett mode. In this mode details about syntax - errors are not printed. This option is only useful when -1.8.0b1 July 14, 2010 1 +1.8.0b2 November 5, 2010 1 @@ -70,6 +70,8 @@ OOPPTTIIOONNSS VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) + -q Enable qquuiieett mode. In this mode details about syntax + errors are not printed. This option is only useful when combined with the --cc option. -s Enable ssttrriicctt checking of the _s_u_d_o_e_r_s file. If an alias is @@ -121,13 +123,11 @@ DDIIAAGGNNOOSSTTIICCSS SSEEEE AALLSSOO _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(1m) -AAUUTTHHOORR - Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo - was written by: -1.8.0b1 July 14, 2010 2 + +1.8.0b2 November 5, 2010 2 @@ -136,6 +136,10 @@ AAUUTTHHOORR VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m) +AAUUTTHHOORR + Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo + was written by: + Todd Miller See the HISTORY file in the sudo distribution or visit @@ -189,10 +193,6 @@ DDIISSCCLLAAIIMMEERR - - - - -1.8.0b1 July 14, 2010 3 +1.8.0b2 November 5, 2010 3 diff --git a/doc/visudo.man.in b/doc/visudo.man.in index fc0124ca7..e0b4b1c6a 100644 --- a/doc/visudo.man.in +++ b/doc/visudo.man.in @@ -18,7 +18,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) +.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "July 14, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "November 5, 2010" "1.8.0b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -203,6 +203,8 @@ Specify and alternate \fIsudoers\fR file location. With this option \&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice, instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it. +In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R", +indicating that \fIsudoers\fR will be read from the standard input. .IP "\-q" 12 .IX Item "-q" Enable \fBquiet\fR mode. In this mode details about syntax errors -- 2.40.0