From 8b3845c1ca2a9189d2e6fbf559f1eb91ed8eb64f Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 14 Mar 2017 09:13:25 -0600 Subject: [PATCH] Regenerate the cat pages with newer mandoc which formats double quotes as "foo" instead of ``foo''. --- doc/sudo.cat | 32 ++++---- doc/sudo.conf.cat | 30 +++---- doc/sudo_plugin.cat | 36 ++++----- doc/sudoers.cat | 189 +++++++++++++++++++++---------------------- doc/sudoers.ldap.cat | 19 +++-- doc/sudoreplay.cat | 24 +++--- doc/visudo.cat | 8 +- 7 files changed, 167 insertions(+), 171 deletions(-) diff --git a/doc/sudo.cat b/doc/sudo.cat index 76607c17e..33f8a3b35 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -68,7 +68,7 @@ DDEESSCCRRIIPPTTIIOONN Use the specified BSD authentication _t_y_p_e when validating the user, if allowed by _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The system administrator may specify a list of sudo-specific - authentication methods by adding an ``auth-sudo'' entry in + authentication methods by adding an "auth-sudo" entry in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. This option is only available on systems that support BSD authentication. 
@@ -377,18 +377,18 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN completed, then passes the command's exit status to the security policy's close function and exits. If an I/O logging plugin is configured or if the security policy explicitly requests it, a new pseudo-terminal - (``pty'') is created and a second ssuuddoo process is used to relay job - control signals between the user's existing pty and the new pty the - command is being run in. This extra process makes it possible to, for - example, suspend and resume the command. Without it, the command would - be in what POSIX terms an ``orphaned process group'' and it would not - receive any job control signals. As a special case, if the policy plugin - does not define a close function and no pty is required, ssuuddoo will - execute the command directly instead of calling fork(2) first. The - _s_u_d_o_e_r_s policy plugin will only define a close function when I/O logging - is enabled, a pty is required, or the _p_a_m___s_e_s_s_i_o_n or _p_a_m___s_e_t_c_r_e_d options - are enabled. Note that _p_a_m___s_e_s_s_i_o_n and _p_a_m___s_e_t_c_r_e_d are enabled by - default on systems using PAM. + ("pty") is created and a second ssuuddoo process is used to relay job control + signals between the user's existing pty and the new pty the command is + being run in. This extra process makes it possible to, for example, + suspend and resume the command. Without it, the command would be in what + POSIX terms an "orphaned process group" and it would not receive any job + control signals. As a special case, if the policy plugin does not define + a close function and no pty is required, ssuuddoo will execute the command + directly instead of calling fork(2) first. The _s_u_d_o_e_r_s policy plugin + will only define a close function when I/O logging is enabled, a pty is + required, or the _p_a_m___s_e_s_s_i_o_n or _p_a_m___s_e_t_c_r_e_d options are enabled. 
Note + that _p_a_m___s_e_s_s_i_o_n and _p_a_m___s_e_t_c_r_e_d are enabled by default on systems using + PAM. SSiiggnnaall hhaannddlliinngg When the command is run as a child of the ssuuddoo process, ssuuddoo will relay @@ -442,7 +442,7 @@ EEXXIITT VVAALLUUEE error is printed to the standard error. (If the directory does not exist or if it is not really a directory, the entry is ignored and no error is printed.) This should not happen under normal circumstances. The most - common reason for stat(2) to return ``permission denied'' is if you are + common reason for stat(2) to return "permission denied" is if you are running an automounter and one of the directories in your PATH is on a machine that is currently unreachable. @@ -477,7 +477,7 @@ SSEECCUURRIITTYY NNOOTTEESS for the command that is run). This historical practice dates from a time when most operating systems allowed setuid processes to dump core by default. To aid in debugging ssuuddoo crashes, you may wish to re-enable - core dumps by setting ``disable_coredump'' to false in the sudo.conf(4) + core dumps by setting "disable_coredump" to false in the sudo.conf(4) file as follows: Set disable_coredump false @@ -622,7 +622,7 @@ SSUUPPPPOORRTT the archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, + ssuuddoo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or https://www.sudo.ws/license.html for diff --git a/doc/sudo.conf.cat b/doc/sudo.conf.cat index 42812ed2a..05197d12b 100644 --- a/doc/sudo.conf.cat +++ b/doc/sudo.conf.cat 
@@ -30,7 +30,7 @@ DDEESSCCRRIIPPTTIIOONN Non-comment lines that don't begin with Plugin, Path, Debug, or Set are silently ignored. - The ssuuddoo..ccoonnff file is always parsed in the ``C'' locale. + The ssuuddoo..ccoonnff file is always parsed in the "C" locale. PPlluuggiinn ccoonnffiigguurraattiioonn ssuuddoo supports a plugin architecture for security policies and @@ -131,7 +131,7 @@ DDEESSCCRRIIPPTTIIOONN Core dumps of ssuuddoo itself are disabled by default to prevent the disclosure of potentially sensitive information. To aid in debugging ssuuddoo crashes, you may wish to re-enable core dumps by - setting ``disable_coredump'' to false in ssuuddoo..ccoonnff as follows: + setting "disable_coredump" to false in ssuuddoo..ccoonnff as follows: Set disable_coredump false 
@@ -171,20 +171,20 @@ DDEESSCCRRIIPPTTIIOONN static Use the static group list that the kernel returns. Retrieving the group list this way is very fast but it is subject to an upper limit as described above. - It is ``static'' in that it does not reflect changes - to the group database made after the user logs in. - This was the default behavior prior to ssuuddoo 1.8.7. + It is "static" in that it does not reflect changes to + the group database made after the user logs in. This + was the default behavior prior to ssuuddoo 1.8.7. dynamic Always query the group database directly. It is - ``dynamic'' in that changes made to the group - database after the user logs in will be reflected in - the group list. On some systems, querying the group - database for all of a user's groups can be time - consuming when querying a network-based group - database. Most operating systems provide an - efficient method of performing such queries. - Currently, ssuuddoo supports efficient group queries on - AIX, BSD, HP-UX, Linux and Solaris. + "dynamic" in that changes made to the group database + after the user logs in will be reflected in the group + list. On some systems, querying the group database + for all of a user's groups can be time consuming when + querying a network-based group database. Most + operating systems provide an efficient method of + performing such queries. Currently, ssuuddoo supports + efficient group queries on AIX, BSD, HP-UX, Linux and + Solaris. adaptive Only query the group database if the static group list returned by the kernel has the maximum number of 
@@ -412,7 +412,7 @@ SSUUPPPPOORRTT the archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, + ssuuddoo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or https://www.sudo.ws/license.html for diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index ee99754c9..48f7bd3ca 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -94,7 +94,7 @@ DDEESSCCRRIIPPTTIIOONN settings A vector of user-supplied ssuuddoo settings in the form of - ``name=value'' strings. The vector is terminated by a NULL + "name=value" strings. The vector is terminated by a NULL pointer. These settings correspond to flags the user specified when running ssuuddoo. As such, they will only be present when the corresponding flag has been specified on the @@ -164,8 +164,8 @@ DDEESSCCRRIIPPTTIIOONN network_addrs=list A space-separated list of IP network addresses and - netmasks in the form ``addr/netmask'', e.g. - ``192.168.1.2/255.255.255.0''. The address and netmask + netmasks in the form "addr/netmask", e.g. + "192.168.1.2/255.255.255.0". The address and netmask pairs may be either IPv4 or IPv6, depending on what the operating system supports. If the address contains a colon (`:'), it is an IPv6 address, else it is IPv4. @@ -199,8 +199,8 @@ DDEESSCCRRIIPPTTIIOONN vector instead of setting it based on the runas user. progname=string - The command name that sudo was run as, typically - ``sudo'' or ``sudoedit''. + The command name that sudo was run as, typically "sudo" + or "sudoedit". prompt=string The prompt to use when requesting a password, if 
@@ -259,7 +259,7 @@ DDEESSCCRRIIPPTTIIOONN user_info A vector of information about the user running the command in - the form of ``name=value'' strings. The vector is terminated + the form of "name=value" strings. The vector is terminated by a NULL pointer. When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt @@ -337,7 +337,7 @@ DDEESSCCRRIIPPTTIIOONN tty=string The path to the user's terminal device. If the user has no terminal device associated with the session, the - value will be empty, as in ``tty=''. + value will be empty, as in "tty=". uid=uid_t The real user ID of the user invoking ssuuddoo. @@ -351,7 +351,7 @@ DDEESSCCRRIIPPTTIIOONN user_env The user's environment in the form of a NULL-terminated - vector of ``name=value'' strings. + vector of "name=value" strings. When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt equal sign (`=') since the _n_a_m_e field will never include one @@ -411,7 +411,7 @@ DDEESSCCRRIIPPTTIIOONN EDITOR, and include it in _a_r_g_v___o_u_t (note that environment variables may include command line flags). The files to be edited should be copied from _a_r_g_v into _a_r_g_v___o_u_t, separated from the editor and its - arguments by a ``--'' element. The ``--'' will be removed by ssuuddoo + arguments by a "--" element. The "--" will be removed by ssuuddoo before the editor is executed. The plugin should also set _s_u_d_o_e_d_i_t_=_t_r_u_e in the _c_o_m_m_a_n_d___i_n_f_o list. @@ -436,7 +436,7 @@ DDEESSCCRRIIPPTTIIOONN env_add Additional environment variables specified by the user on the command line in the form of a NULL-terminated vector of - ``name=value'' strings. The plugin may reject the command if + "name=value" strings. The plugin may reject the command if one or more variables are not allowed to be set, or it may silently ignore such variables. 
@@ -446,7 +446,7 @@ DDEESSCCRRIIPPTTIIOONN command_info Information about the command being run in the form of - ``name=value'' strings. These values are used by ssuuddoo to set + "name=value" strings. These values are used by ssuuddoo to set the execution environment when running a command. The plugin is responsible for creating and populating the vector, which must be terminated with a NULL pointer. The following values @@ -764,7 +764,7 @@ DDEESSCCRRIIPPTTIIOONN password database, otherwise it will be NULL. The _u_s_e_r___e_n_v argument points to the environment the command will - run in, in the form of a NULL-terminated vector of ``name=value'' + run in, in the form of a NULL-terminated vector of "name=value" strings. This is the same string passed back to the front end via the Policy Plugin's _u_s_e_r___e_n_v___o_u_t parameter. If the iinniitt__sseessssiioonn() function needs to modify the user environment, it should update the @@ -951,7 +951,7 @@ DDEESSCCRRIIPPTTIIOONN settings A vector of user-supplied ssuuddoo settings in the form of - ``name=value'' strings. The vector is terminated by a NULL + "name=value" strings. The vector is terminated by a NULL pointer. These settings correspond to flags the user specified when running ssuuddoo. As such, they will only be present when the corresponding flag has been specified on the @@ -966,7 +966,7 @@ DDEESSCCRRIIPPTTIIOONN user_info A vector of information about the user running the command in - the form of ``name=value'' strings. The vector is terminated + the form of "name=value" strings. The vector is terminated by a NULL pointer. When parsing _u_s_e_r___i_n_f_o, the plugin should split on the ffiirrsstt 
@@ -985,7 +985,7 @@ DDEESSCCRRIIPPTTIIOONN user_env The user's environment in the form of a NULL-terminated - vector of ``name=value'' strings. + vector of "name=value" strings. When parsing _u_s_e_r___e_n_v, the plugin should split on the ffiirrsstt equal sign (`=') since the _n_a_m_e field will never include one @@ -1286,9 +1286,9 @@ DDEESSCCRRIIPPTTIIOONN The ssuuddoo front end does not have native support for running remote commands. However, starting with ssuuddoo 1.8.8, the --hh option may be used to specify a remote host that is passed to the policy plugin. A plugin - may also accept a _r_u_n_a_s___u_s_e_r in the form of ``user@hostname'' which will + may also accept a _r_u_n_a_s___u_s_e_r in the form of "user@hostname" which will work with older versions of ssuuddoo. It is anticipated that remote commands - will be supported by executing a ``helper'' program. The policy plugin + will be supported by executing a "helper" program. The policy plugin should setup the execution environment such that the ssuuddoo front end will run the helper which, in turn, will connect to the remote host and run the command. @@ -1586,7 +1586,7 @@ SSUUPPPPOORRTT the archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, + ssuuddoo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or https://www.sudo.ws/license.html for diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 84ed7f8a8..86874b654 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -150,12 +150,12 @@ DDEESSCCRRIIPPTTIIOONN env_keep += "my_func=()*" - Without the ``=()*'' suffix, this would not match, as old-style bbaasshh - shell functions are not preserved by default. + Without the "=()*" suffix, this would not match, as old-style bbaasshh shell + functions are not preserved by default. The complete list of environment variables that ssuuddoo allows or denies is - contained in the output of ``sudo -V'' when run as root. Please note - that this list varies based on the operating system ssuuddoo is running on. + contained in the output of "sudo -V" when run as root. Please note that + this list varies based on the operating system ssuuddoo is running on. On systems that support PAM where the ppaamm__eennvv module is enabled for ssuuddoo, variables in the PAM environment may be merged in to the environment. If @@ -209,7 +209,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for the language. EBNF also contains the following operators, which many readers will recognize from regular expressions. Do not, however, - confuse them with ``wildcard'' characters, which have different meanings. + confuse them with "wildcard" characters, which have different meanings. ? Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. 
@@ -348,9 +348,9 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT command on your machine returns the fully qualified host name, you'll need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo only inspects actual network interfaces; this means that IP address - 127.0.0.1 (localhost) will never match. Also, the host name - ``localhost'' will only match if that is the actual host name, which is - usually only the case for non-networked systems. + 127.0.0.1 (localhost) will never match. Also, the host name "localhost" + will only match if that is the actual host name, which is usually only + the case for non-networked systems. digest ::= [A-Fa-f0-9]+ | [[A-Za-z0-9+/=]+ @@ -387,10 +387,10 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT the Cmnd must match exactly those given by the user on the command line (or match the wildcards if there are any). Note that the following characters must be escaped with a `\' if they are used in command - arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used + arguments: `,', `:', `=', `\'. The built-in command "sudoedit" is used to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. Note that - ``sudoedit'' is a command built into ssuuddoo itself and must be specified in + "sudoedit" is a command built into ssuuddoo itself and must be specified in the _s_u_d_o_e_r_s file without a leading path. If a command name is prefixed with a Digest_Spec, the command will only 
@@ -497,8 +497,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT what user) on specified hosts. By default, commands are run as rroooott, but this can be changed on a per-command basis. - The basic structure of a user specification is ``who where = (as_whom) - what''. Let's break that down into its constituent parts: + The basic structure of a user specification is "who where = (as_whom) + what". Let's break that down into its constituent parts: RRuunnaass__SSppeecc A Runas_Spec determines the user and/or the group that a command may be @@ -596,7 +596,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT $ ppriv -l - In addition, there are several ``special'' privilege strings: + In addition, there are several "special" privilege strings: none the empty set @@ -718,8 +718,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. By default, if the NOPASSWD tag is applied to any of the entries for a - user on the current host, he or she will be able to run ``sudo -l'' - without a password. Additionally, a user may only run ``sudo -v'' + user on the current host, he or she will be able to run "sudo -l" + without a password. Additionally, a user may only run "sudo -v" without a password if the NOPASSWD tag is present for all a user's entries that pertain to the current host. This behavior may be overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. @@ -740,7 +740,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be used in host names, path names and command line arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done via the glob(3) and fnmatch(3) functions - as specified by IEEE Std 1003.1 (``POSIX.1''). + as specified by IEEE Std 1003.1 ("POSIX.1"). * Matches any set of zero or more characters (including white space). 
@@ -836,7 +836,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT The file name may also include the %h escape, signifying the short form of the host name. In other words, if the machine's host name is - ``xerxes'', then + "xerxes", then #include /etc/sudoers.%h @@ -891,10 +891,10 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT !root it would explicitly deny root but not match any other users. This is - different from a true ``negation'' operator. + different from a true "negation" operator. Note, however, that using a `!' in conjunction with the built-in AALLLL - alias to allow a user to run ``all but a few'' commands rarely works as + alias to allow a user to run "all but a few" commands rarely works as intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). Long lines can be continued with a backslash (`\') as the last character 
@@ -1039,25 +1039,24 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). This - option is only effective when the ``canonical'' host + option is only effective when the "canonical" host name, as returned by the ggeettaaddddrriinnffoo() or ggeetthhoossttbbyynnaammee() function, is a fully-qualified domain name. This is usually the case when the system is configured to use DNS for host name resolution. If the system is configured to use the _/_e_t_c_/_h_o_s_t_s file - in preference to DNS, the ``canonical'' host name may - not be fully-qualified. The order that sources are - queried for host name resolution is usually specified - in the _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, - _/_e_t_c_/_h_o_s_t_._c_o_n_f, or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f - file. In the _/_e_t_c_/_h_o_s_t_s file, the first host name of - the entry is considered to be the ``canonical'' name; - subsequent names are aliases that are not used by - ssuuddooeerrss. For example, the following hosts file line - for the machine ``xyzzy'' has the fully-qualified - domain name as the ``canonical'' host name, and the - short version as an alias. + in preference to DNS, the "canonical" host name may not + be fully-qualified. The order that sources are queried + for host name resolution is usually specified in the + _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f, _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f, _/_e_t_c_/_h_o_s_t_._c_o_n_f, + or, in some cases, _/_e_t_c_/_r_e_s_o_l_v_._c_o_n_f file. In the + _/_e_t_c_/_h_o_s_t_s file, the first host name of the entry is + considered to be the "canonical" name; subsequent names + are aliases that are not used by ssuuddooeerrss. For example, + the following hosts file line for the machine "xyzzy" + has the fully-qualified domain name as the "canonical" + host name, and the short version as an alias. 
192.168.1.1 xyzzy.sudo.ws xyzzy @@ -1070,7 +1069,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS which renders ssuuddoo unusable if DNS stops working (for example if the machine is disconnected from the network). Also note that just like with the hosts - file, you must use the ``canonical'' name as DNS knows + file, you must use the "canonical" name as DNS knows it. That is, you may not use a host alias (CNAME entry) due to performance issues and the fact that there is no way to get all aliases from DNS. @@ -1255,10 +1254,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS passprompt_override The password prompt specified by _p_a_s_s_p_r_o_m_p_t will normally only be used if the password prompt provided - by systems such as PAM matches the string - ``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, - _p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by - default. + by systems such as PAM matches the string "Password:". + If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always + be used. This flag is _o_f_f by default. path_info Normally, ssuuddoo will tell the user when a command could not be found in their PATH environment variable. Some @@ -1294,9 +1292,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS default. root_sudo If set, root is allowed to run ssuuddoo too. Disabling - this prevents users from ``chaining'' ssuuddoo commands to - get a root shell by doing something like ``sudo sudo - /bin/sh''. Note, however, that turning off _r_o_o_t___s_u_d_o + this prevents users from "chaining" ssuuddoo commands to + get a root shell by doing something like "sudo sudo + /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o will also prevent root from running ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no real additional security; it exists purely for historical reasons. 
@@ -1461,7 +1459,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo will prompt for a password even when it would be visible on the screen. This makes it possible to run - things like ``ssh somehost sudo ls'' since by default, + things like "ssh somehost sudo ls" since by default, ssh(1) does not allocate a tty when running a command. This flag is _o_f_f by default. @@ -1482,17 +1480,16 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS higher. maxseq The maximum sequence number that will be substituted - for the ``%{seq}'' escape in the I/O log file (see the + for the "%{seq}" escape in the I/O log file (see the _i_o_l_o_g___d_i_r description above for more information). - While the value substituted for ``%{seq}'' is in base - 36, _m_a_x_s_e_q itself should be expressed in decimal. - Values larger than 2176782336 (which corresponds to the - base 36 sequence number ``ZZZZZZ'') will be silently - truncated to 2176782336. The default value is - 2176782336. + While the value substituted for "%{seq}" is in base 36, + _m_a_x_s_e_q itself should be expressed in decimal. Values + larger than 2176782336 (which corresponds to the base + 36 sequence number "ZZZZZZ") will be silently truncated + to 2176782336. The default value is 2176782336. Once the local sequence number reaches the value of - _m_a_x_s_e_q, it will ``roll over'' to zero, after which + _m_a_x_s_e_q, it will "roll over" to zero, after which ssuuddooeerrss will truncate and re-use any existing I/O log path names. @@ -1525,7 +1522,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS value less than 0 the user's time stamp will not expire until the system is rebooted. This can be used to allow users to create or delete their own time stamps - via ``sudo -v'' and ``sudo -k'' respectively. + via "sudo -v" and "sudo -k" respectively. umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. 
@@ -1603,7 +1600,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS options are enabled or when the LOG_INPUT or LOG_OUTPUT tags are present for a command. Note that _i_o_l_o_g___f_i_l_e may contain directory components. The default is - ``%{seq}''. + "%{seq}". See the _i_o_l_o_g___d_i_r option above for a list of supported percent (`%') escape sequences. @@ -1660,7 +1657,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape %h will expand to the host name of the machine. - Default is ``*** SECURITY information for %h ***''. + Default is "*** SECURITY information for %h ***". noexec_file As of ssuuddoo version 1.8.1 this option is no longer supported. The path to the noexec file should now be @@ -1669,7 +1666,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS pam_login_service On systems that use PAM for authentication, this is the service name used when the --ii option is specified. The - default value is ``sudo''. See the description of + default value is "sudo". See the description of _p_a_m___s_e_r_v_i_c_e for more information. This setting is only supported by version 1.8.8 or @@ -1679,7 +1676,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS name specifies the PAM policy to apply. This usually corresponds to an entry in the _p_a_m_._c_o_n_f file or a file in the _/_e_t_c_/_p_a_m_._d directory. The default value is - ``sudo''. + "sudo". This setting is only supported by version 1.8.8 or higher. @@ -1708,7 +1705,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS %% two consecutive % characters are collapsed into a single % character - The default value is ``Password:''. + The default value is "Password:". privs The default Solaris privileges to use when constructing a new privilege set for a command. This is passed to 
@@ -1761,7 +1758,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS being truncated, ssuuddooeerrss will split up log messages that are larger than _s_y_s_l_o_g___m_a_x_l_e_n bytes. When a message is split, additional parts will include the - string ``(command continued)'' after the user name and + string "(command continued)" after the user name and before the continued command line arguments. This setting is only supported by version 1.8.19 or @@ -1770,7 +1767,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. Note that changing the locale may affect how sudoers is interpreted. Defaults - to ``C''. + to "C". timestampdir The directory in which ssuuddoo stores its time stamp files. This directory should be cleared when the 
@@ -1791,13 +1788,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either - be of the form ``VARIABLE=value'' or ``export - VARIABLE=value''. The value may optionally be surrounded - by single or double quotes. Variables in this file are - only added if the variable does not already exist in the - environment. This file is considered to be part of the - security policy, its contents are not subject to other ssuuddoo - environment restrictions such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + be of the form "VARIABLE=value" or "export VARIABLE=value". + The value may optionally be surrounded by single or double + quotes. Variables in this file are only added if the + variable does not already exist in the environment. This + file is considered to be part of the security policy, its + contents are not subject to other ssuuddoo environment + restrictions such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. exempt_group Users in this group are exempt from password and PATH requirements. The group name specified should not include 
@@ -1891,10 +1888,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. - mailfrom Address to use for the ``from'' address when sending - warning and error mail. The address should be enclosed in - double quotes ("") to protect against ssuuddoo interpreting the - @ sign. Defaults to the name of the user running ssuuddoo. + mailfrom Address to use for the "from" address when sending warning + and error mail. The address should be enclosed in double + quotes ("") to protect against ssuuddoo interpreting the @ + sign. Defaults to the name of the user running ssuuddoo. mailto Address to send warning and error mail to. The address should be enclosed in double quotes ("") to protect against @@ -1903,8 +1900,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS secure_path Path used for every command run from ssuuddoo. If you don't trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use - is if you want to have the ``root path'' be separate from - the ``user path''. Users in the group specified by the + is if you want to have the "root path" be separate from the + "user path". Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This option is not set by default. 
@@ -1940,13 +1937,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: env_check Environment variables to be removed from the user's - environment unless they are considered ``safe''. For - all variables except TZ, ``safe'' means that the - variable's value does not contain any `%' or `/' - characters. This can be used to guard against printf- - style format vulnerabilities in poorly-written - programs. The TZ variable is considered unsafe if any - of the following are true: + environment unless they are considered "safe". For all + variables except TZ, "safe" means that the variable's + value does not contain any `%' or `/' characters. This + can be used to guard against printf-style format + vulnerabilities in poorly-written programs. The TZ + variable is considered unsafe if any of the following + are true: ++oo It consists of a fully-qualified path name, optionally prefixed with a colon (`:'), that does @@ -2043,10 +2040,10 @@ LLOOGG FFOORRMMAATT Where the fields are as follows: date The date the command was run. Typically, this is in the - format ``MMM, DD, HH:MM:SS''. If logging via syslog(3), - the actual date format is controlled by the syslog daemon. - If logging to a file and the _l_o_g___y_e_a_r option is enabled, - the date will also include the year. + format "MMM, DD, HH:MM:SS". If logging via syslog(3), the + actual date format is controlled by the syslog daemon. If + logging to a file and the _l_o_g___y_e_a_r option is enabled, the + date will also include the year. hostname The name of the host ssuuddoo was run on. This field is only present when logging via syslog(3). 
@@ -2056,9 +2053,9 @@ LLOOGG FFOORRMMAATT username The login name of the user who ran ssuuddoo. - ttyname The short name of the terminal (e.g. ``console'', - ``tty01'', or ``pts/0'') ssuuddoo was run on, or ``unknown'' if - there was no terminal present. + ttyname The short name of the terminal (e.g. "console", "tty01", or + "pts/0") ssuuddoo was run on, or "unknown" if there was no + terminal present. cwd The current working directory that ssuuddoo was run in. @@ -2077,7 +2074,7 @@ LLOOGG FFOORRMMAATT command The actual command that was executed. Messages are logged using the locale specified by _s_u_d_o_e_r_s___l_o_c_a_l_e, which - defaults to the ``C'' locale. + defaults to the "C" locale. DDeenniieedd ccoommmmaanndd lloogg eennttrriieess If the user is not allowed to run the command, the reason for the denial @@ -2130,7 +2127,7 @@ LLOOGG FFOORRMMAATT user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the _s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument - like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s + like "sudoers_uid=N" (where `N' is the user ID that owns the _s_u_d_o_e_r_s file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. unable to stat /etc/sudoers 
@@ -2142,20 +2139,20 @@ LLOOGG FFOORRMMAATT /etc/sudoers is owned by uid N, should be 0 The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the - _s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the - user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the + _s_u_d_o_e_r_s file owner, please add "sudoers_uid=N" (where `N' is the user + ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the sudo.conf(4) file. /etc/sudoers is world writable The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default - mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss + mode may be changed via the "sudoers_mode" option to the ssuuddooeerrss Plugin line in the sudo.conf(4) file. /etc/sudoers is owned by gid N, should be 1 The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change - the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where + the _s_u_d_o_e_r_s file group ownership, please add "sudoers_gid=N" (where `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the sudo.conf(4) file. @@ -2212,8 +2209,8 @@ II//OO LLOOGG FFIILLEESS and log all user input and/or output. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is included in the ssuuddoo log line, prefixed with - ``TSID=''. The _i_o_l_o_g___f_i_l_e option may be used to control the format of - the session ID. + "TSID=". The _i_o_l_o_g___f_i_l_e option may be used to control the format of the + session ID. Each I/O log is stored in a separate directory that contains the following files: 
@@ -2421,7 +2418,7 @@ EEXXAAMMPPLLEESS jim +biglab = ALL The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. - ssuuddoo knows that ``biglab'' is a netgroup due to the `+' prefix. + ssuuddoo knows that "biglab" is a netgroup due to the `+' prefix. +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser @@ -2478,7 +2475,7 @@ EEXXAAMMPPLLEESS SSEECCUURRIITTYY NNOOTTEESS LLiimmiittaattiioonnss ooff tthhee ``!!'' ooppeerraattoorr - It is generally not effective to ``subtract'' commands from AALLLL using the + It is generally not effective to "subtract" commands from AALLLL using the `!' operator. A user can trivially circumvent this by copying the desired command to a different name and then executing that. For example: @@ -2582,7 +2579,7 @@ SSEECCUURRIITTYY NNOOTTEESS invoking user and with the environment unmodified. More information may be found in the description of the --ee option in sudo(1m). - For example, to allow user operator to edit the ``message of the day'' + For example, to allow user operator to edit the "message of the day" file: operator sudoedit /etc/motd @@ -2741,7 +2738,7 @@ SSUUPPPPOORRTT the archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, + ssuuddoo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or https://www.sudo.ws/license.html for diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index a243e9cc4..8dfb9ba68 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat 
@@ -91,10 +91,10 @@ DDEESSCCRRIIPPTTIIOONN cards). If a command name is preceded by an exclamation point, `!', the user will be prohibited from running that command. - The built-in command ``sudoedit'' is used to permit a user to run + The built-in command "sudoedit" is used to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line - arguments just as a normal command does. Note that ``sudoedit'' is - a command built into ssuuddoo itself and must be specified in without a + arguments just as a normal command does. Note that "sudoedit" is a + command built into ssuuddoo itself and must be specified in without a leading path. The special value ALL will match any command. @@ -169,9 +169,8 @@ DDEESSCCRRIIPPTTIIOONN more closely mimic the behavior of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest sudoOrder attribute is chosen. - This corresponds to the ``last match'' behavior of the sudoers - file. If the sudoOrder attribute is not present, a value of 0 is - assumed. + This corresponds to the "last match" behavior of the sudoers file. + If the sudoOrder attribute is not present, a value of 0 is assumed. The sudoOrder attribute is only available in ssuuddoo versions 1.7.5 and higher. @@ -338,7 +337,7 @@ DDEESSCCRRIIPPTTIIOONN The BBIINNDDPPWW parameter specifies the password to use when performing LDAP operations. This is typically used in conjunction with the BBIINNDDDDNN parameter. The _s_e_c_r_e_t may be a plain text password or a - base64-encoded string with a ``base64:'' prefix. For example: + base64-encoded string with a "base64:" prefix. For example: BINDPW base64:dGVzdA== 
@@ -465,7 +464,7 @@ DDEESSCCRRIIPPTTIIOONN The SSUUDDOOEERRSS__DDEEBBUUGG parameter is deprecated and will be removed in a future release. The same information is now logged via the ssuuddoo - debugging framework using the ``ldap'' subsystem at priorities _d_i_a_g + debugging framework using the "ldap" subsystem at priorities _d_i_a_g and _i_n_f_o for _d_e_b_u_g___l_e_v_e_l values 1 and 2 respectively. See the sudo.conf(4) manual for details on how to configure ssuuddoo debugging. @@ -565,7 +564,7 @@ DDEESSCCRRIIPPTTIIOONN The TTLLSS__KKEEYYPPWW contains the password used to decrypt the key database on clients using the Tivoli Directory Server LDAP library. The _s_e_c_r_e_t may be a plain text password or a base64-encoded string - with a ``base64:'' prefix. For example: + with a "base64:" prefix. For example: TLS_KEYPW base64:dGVzdA== @@ -905,7 +904,7 @@ SSUUPPPPOORRTT the archives. DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied warranties, + ssuuddoo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or https://www.sudo.ws/license.html for diff --git a/doc/sudoreplay.cat b/doc/sudoreplay.cat index 17f888a94..4a8d9fb20 100644 --- a/doc/sudoreplay.cat +++ b/doc/sudoreplay.cat @@ -50,7 +50,7 @@ DDEESSCCRRIIPPTTIIOONN --hh, ----hheellpp Display a short help message to the standard output and exit. --ll, ----lliisstt [_s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n] - Enable ``list mode''. In this mode, ssuuddoorreeppllaayy will list + Enable "list mode". In this mode, ssuuddoorreeppllaayy will list available sessions in a format similar to the ssuuddoo log file format, sorted by file name (or sequence number). If a _s_e_a_r_c_h _e_x_p_r_e_s_s_i_o_n is specified, it will be used to restrict 
@@ -162,12 +162,12 @@ DDEESSCCRRIIPPTTIIOONN next Friday The first second of the Friday in the next (upcoming) week. Not - to be confused with ``this friday'' which would match the friday - of the current week. + to be confused with "this friday" which would match the friday of + the current week. last week - The current time but 7 days ago. This is equivalent to ``a week - ago''. + The current time but 7 days ago. This is equivalent to "a week + ago". a fortnight ago The current time but 14 days ago. @@ -187,12 +187,12 @@ DDEESSCCRRIIPPTTIIOONN 10:01 am, September 17, 2009. Note that relative time specifications do not always work as expected. - For example, the ``next'' qualifier is intended to be used in conjunction - with a day such as ``next Monday''. When used with units of weeks, - months, years, etc the result will be one more than expected. For - example, ``next week'' will result in a time exactly two weeks from now, - which is probably not what was intended. This will be addressed in a - future version of ssuuddoorreeppllaayy. + For example, the "next" qualifier is intended to be used in conjunction + with a day such as "next Monday". When used with units of weeks, months, + years, etc the result will be one more than expected. For example, "next + week" will result in a time exactly two weeks from now, which is probably + not what was intended. This will be addressed in a future version of + ssuuddoorreeppllaayy. DDeebbuuggggiinngg ssuuddoorreeppllaayy ssuuddoorreeppllaayy versions 1.8.4 and higher support a flexible debugging 
@@ -270,7 +270,7 @@ SSUUPPPPOORRTT the archives. DDIISSCCLLAAIIMMEERR - ssuuddoorreeppllaayy is provided ``AS IS'' and any express or implied warranties, + ssuuddoorreeppllaayy is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or https://www.sudo.ws/license.html for diff --git a/doc/visudo.cat b/doc/visudo.cat index 597f8efa2..c684c266f 100644 --- a/doc/visudo.cat +++ b/doc/visudo.cat @@ -26,8 +26,8 @@ DDEESSCCRRIIPPTTIIOONN vviissuuddoo parses the _s_u_d_o_e_r_s file after the edit and will not save the changes if there is a syntax error. Upon finding an error, vviissuuddoo will print a message stating the line number(s) where the error occurred and - the user will receive the ``What now?'' prompt. At this point the user - may enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the + the user will receive the "What now?" prompt. At this point the user may + enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the changes, or `Q' to quit and save changes. The `Q' option should be used with extreme care because if vviissuuddoo believes there to be a parse error, so will ssuuddoo and no one will be able to run ssuuddoo again until the error is @@ -50,7 +50,7 @@ DDEESSCCRRIIPPTTIIOONN Specify an alternate _s_u_d_o_e_r_s file location. With this option, vviissuuddoo will edit (or check) the _s_u_d_o_e_r_s file of your choice, instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. The lock file - used is the specified _s_u_d_o_e_r_s file with ``.tmp'' appended to + used is the specified _s_u_d_o_e_r_s file with ".tmp" appended to it. In _c_h_e_c_k_-_o_n_l_y mode only, the argument to --ff may be `-', indicating that _s_u_d_o_e_r_s will be read from the standard input. 
@@ -206,7 +206,7 @@ SSUUPPPPOORRTT the archives. DDIISSCCLLAAIIMMEERR - vviissuuddoo is provided ``AS IS'' and any express or implied warranties, + vviissuuddoo is provided "AS IS" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. See the LICENSE file distributed with ssuuddoo or https://www.sudo.ws/license.html for -- 2.40.0
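Review bot: In the doc/sudoers.ldap.cat hunk at -91,10 the regenerated sentence still reads "must be specified in without a leading path", so the stray "in" comes from the manual source rather than from the formatter. Since this change rewraps that paragraph anyway, fix the wording in the source page and regenerate, otherwise the error is carried into every later regeneration.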
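Review bot: Missing documentation in the doc/sudoers.ldap.cat hunks at -337,7 (BINDPW) and -565,7 (TLS_KEYPW): the text offers "a plain text password or a base64-encoded string" as alternatives, and nothing in the visible context says that the "base64:" form is only an encoding and gives no confidentiality. Suggest adding one sentence to the manual source for both parameters stating that the encoded value is trivially reversible and that the file holding it must be readable only by the account that needs it, then regenerating.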
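Review bot: Style point in the doc/sudoers.cat hunk at -2142,20 (the same pattern appears at -2130,7): after regeneration a single sentence mixes two quoting styles, straight double quotes around "sudoers_uid=N" and "sudoers_gid=N" next to the backtick-apostrophe form `N'. The commit message only mentions the double-quote change, so please confirm the single-quote rendering is what the newer mandoc is expected to produce and say so in the message, so the mixed style is not later read as an incomplete regeneration.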
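Review bot: Style point in the doc/sudoreplay.cat hunk at -187,12: the rewrapped line "years, etc the result will be one more than expected" is missing the period after "etc" and the comma that should follow it. The generated file should not be edited by hand, so correct this in the manual source ("years, etc., the result ...") and regenerate.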