From a06ae77c5a09b6ff38afe35e8d046957bf4d2c12 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 5 Sep 2007 22:50:55 +0000 Subject: [PATCH] regen --- sudoers.cat | 446 ++++++++++++++++++++++++++++--------------------- sudoers.man.in | 36 ++-- 2 files changed, 274 insertions(+), 208 deletions(-) diff --git a/sudoers.cat b/sudoers.cat index f721da508..14b997af7 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7 August 15, 2007 1 +1.7 September 5, 2007 1 @@ -105,29 +105,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) User ',' User_List User ::= '!'* username | + '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | '!'* User_Alias - A User_List is made up of one or more usernames, system - groups (prefixed with '%'), netgroups (prefixed with '+') - and other aliases. Each list item may be prefixed with - one or more '!' operators. An odd number of '!' operators - negate the value of the item; an even number just cancel - each other out. + A User_List is made up of one or more usernames, uids + (prefixed with '#'), system groups (prefixed with '%'), + netgroups (prefixed with '+') and User_Aliases. Each list + item may be prefixed with zero or more '!' operators. An + odd number of '!' operators negate the value of the item; + an even number just cancel each other out. Runas_List ::= Runas_User | Runas_User ',' Runas_List - Runas_User ::= '!'* username | - '!'* '#'uid | - '!'* '%'group | - '!'* +netgroup | - '!'* Runas_Alias -1.7 August 15, 2007 2 + + + + +1.7 September 5, 2007 2 
@@ -136,9 +136,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - A Runas_List is similar to a User_List except that it can - also contain uids (prefixed with '#') and instead of - User_Aliases it can contain Runas_Aliases. Note that + Runas_User ::= '!'* username | + '!'* '#'uid | + '!'* '%'group | + '!'* +netgroup | + '!'* Runas_Alias + + A Runas_List is similar to a User_List except that instead + of User_Aliases it can contain Runas_Aliases. Note that usernames and groups are matched as strings. In other words, two users (groups) with the same uid (gid) are con- sidered to be distinct. If you wish to match all user- @@ -185,15 +190,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) A Cmnd_List is a list of one or more commandnames, direc- tories, and other aliases. A commandname is a fully qual- ified filename which may include shell-style wildcards - (see the Wildcards section below). A simple filename - allows the user to run the command with any arguments - he/she wishes. However, you may also specify command line - arguments (including wildcards). Alternately, you can - specify "" to indicate that the command may only be run -1.7 August 15, 2007 3 +1.7 September 5, 2007 3 @@ -202,6 +202,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + (see the Wildcards section below). A simple filename + allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line + arguments (including wildcards). Alternately, you can + specify "" to indicate that the command may only be run wwiitthhoouutt command line arguments. A directory is a fully qualified pathname ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any 
@@ -230,10 +235,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) reference that instead. Default_Type ::= 'Defaults' | - 'Defaults' '@' Host | - 'Defaults' ':' User | - 'Defaults' '!' Cmnd | - 'Defaults' '>' RunasUser + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List Default_Entry ::= Default_Type Parameter_List @@ -251,15 +256,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) parameters may also be used in a boolean context to dis- able them. Values may be enclosed in double quotes (") when they contain multiple words. Special characters may - be escaped with a backslash (\). - - Lists have two additional assignment operators, += and -=. - These operators are used to add to and delete from a list - respectively. It is not an error to use the -= operator -1.7 August 15, 2007 4 +1.7 September 5, 2007 4 @@ -268,6 +268,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + be escaped with a backslash (\). + + Lists have two additional assignment operators, += and -=. + These operators are used to add to and delete from a list + respectively. It is not an error to use the -= operator to remove an element that does not exist in a list. See "SUDOERS OPTIONS" for a list of supported Defaults @@ -317,15 +322,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, - but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. - - - - -1.7 August 15, 2007 5 +1.7 September 5, 2007 5 @@ -334,6 +334,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + TTaagg__SSppeecc A command may have zero or more tags associated with it. 
@@ -386,12 +388,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the "PREVENTING SHELL ESCAPES" section below for more - details on how NOEXEC works and whether or not it will - work on your system. -1.7 August 15, 2007 6 +1.7 September 5, 2007 6 @@ -400,6 +400,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + details on how NOEXEC works and whether or not it will + work on your system. + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V These tags override the value of the _s_e_t_e_n_v option on a @@ -451,13 +454,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s file currently being parsed using the #include directive, similar to the one used by the C preprocessor. - This is useful, for example, for keeping a site-wide _s_u_d_o_- - _e_r_s file in addition to a per-machine local one. For the - sake of this example the site-wide _s_u_d_o_e_r_s will be -1.7 August 15, 2007 7 +1.7 September 5, 2007 7 @@ -466,6 +466,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + This is useful, for example, for keeping a site-wide _s_u_d_o_- + _e_r_s file in addition to a per-machine local one. For the + sake of this example the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_- _e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_- _e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: 
@@ -516,14 +519,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ('\') when used as part of a word (e.g. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'. -SSUUDDOOEERRSS OOPPTTIIOONNSS - ssuuddoo's behavior can be modified by Default_Entry lines, as - explained earlier. A list of all supported Defaults - parameters, grouped by type, are listed below. -1.7 August 15, 2007 8 + +1.7 September 5, 2007 8 @@ -532,6 +532,11 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +SSUUDDOOEERRSS OOPPTTIIOONNSS + ssuuddoo's behavior can be modified by Default_Entry lines, as + explained earlier. A list of all supported Defaults + parameters, grouped by type, are listed below. + FFllaaggss: always_set_home If set, ssuuddoo will set the HOME environment @@ -581,15 +586,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) default. fqdn Set this flag if you want to put fully - qualified hostnames in the _s_u_d_o_e_r_s file. - I.e., instead of myhost you would use - myhost.mydomain.edu. You may still use - the short form if you wish (and even mix - the two). Beware that turning on _f_q_d_n -1.7 August 15, 2007 9 +1.7 September 5, 2007 9 @@ -598,6 +598,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + qualified hostnames in the _s_u_d_o_e_r_s file. + I.e., instead of myhost you would use + myhost.mydomain.edu. You may still use + the short form if you wish (and even mix + the two). Beware that turning on _f_q_d_n requires ssuuddoo to make DNS lookups which may make ssuuddoo unusable if DNS stops work- ing (for example if the machine is not 
@@ -647,15 +652,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) flag is _o_f_f by default. long_otp_prompt When validating with a One Time Password - (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two- - line prompt is used to make it easier to - cut and paste the challenge to a local - window. It's not as pretty as the default - but some people find it more convenient. -1.7 August 15, 2007 10 +1.7 September 5, 2007 10 @@ -664,6 +664,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two- + line prompt is used to make it easier to + cut and paste the challenge to a local + window. It's not as pretty as the default + but some people find it more convenient. This flag is _o_f_f by default. mail_always Send mail to the _m_a_i_l_t_o user every time a @@ -713,15 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) preserve_groups By default ssuuddoo will initialize the group vector to the list of groups the target - user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, - the user's existing group vector is left - unaltered. The real and effective group - IDs, however, are still set to match the - target user. This flag is _o_f_f by default. -1.7 August 15, 2007 11 +1.7 September 5, 2007 11 @@ -730,6 +730,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, + the user's existing group vector is left + unaltered. The real and effective group + IDs, however, are still set to match the + target user. This flag is _o_f_f by default. + requiretty If set, ssuuddoo will only run when the user is logged in to a real tty. This will disallow things like "rsh somehost sudo 
@@ -777,17 +783,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) since some programs (including the RCS revision control system) use LOGNAME to determine the real identity of the user, - it may be desirable to change this behav- - ior. This can be done by negating the - set_logname option. Note that if the - _e_n_v___r_e_s_e_t option has not been disabled, - entries in the _e_n_v___k_e_e_p list will override - the value of _s_e_t___l_o_g_n_a_m_e. This flag is - _o_f_f by default. + it may be desirable to change this -1.7 August 15, 2007 12 +1.7 September 5, 2007 12 @@ -796,6 +796,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + behavior. This can be done by negating + the set_logname option. Note that if the + _e_n_v___r_e_s_e_t option has not been disabled, + entries in the _e_n_v___k_e_e_p list will override + the value of _s_e_t___l_o_g_n_a_m_e. This flag is + _o_f_f by default. + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the command line. Addition- ally, environment variables set via the @@ -843,17 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) as the user running it. With this flag enabled, ssuuddoo will use a file named for the tty the user is logged in on in that - directory. This flag is _o_f_f by default. - - use_loginclass If set, ssuuddoo will apply the defaults spec- - ified for the target user's login class if - one exists. Only available if ssuuddoo is - configured with the --with-logincap - option. This flag is _o_f_f by default. -1.7 August 15, 2007 13 +1.7 September 5, 2007 13 
@@ -862,6 +862,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + directory. This flag is _o_f_f by default. + + use_loginclass If set, ssuuddoo will apply the defaults spec- + ified for the target user's login class if + one exists. Only available if ssuuddoo is + configured with the --with-logincap + option. This flag is _o_f_f by default. + IInntteeggeerrss: closefrom Before it executes a command, ssuuddoo will @@ -908,18 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SSttrriinnggss: badpass_message Message that is displayed if a user enters - an incorrect password. The default is - Sorry, try again. unless insults are - enabled. - - editor A colon (':') separated list of editors - allowed to be used with vviissuuddoo. vviissuuddoo - will choose the editor that matches the - user's EDITOR environment variable if -1.7 August 15, 2007 14 +1.7 September 5, 2007 14 @@ -928,7 +928,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - possible, or the first editor in the list + an incorrect password. The default is + Sorry, try again. unless insults are + enabled. + + editor A colon (':') separated list of editors + allowed to be used with vviissuuddoo. vviissuuddoo + will choose the editor that matches the + user's EDITOR environment variable if pos- + sible, or the first editor in the list that exists and is executable. The default is the path to vi on your system. 
@@ -974,28 +982,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) runas_default The default user to run commands as if the --uu flag is not specified on the command - line. This defaults to root. Note that - if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur - before any Runas_Alias specifications. - syslog_badpri Syslog priority to use when user authenti- - cates unsuccessfully. Defaults to alert. - syslog_goodpri Syslog priority to use when user +1.7 September 5, 2007 15 -1.7 August 15, 2007 15 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + line. This defaults to root. Note that + if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur + before any Runas_Alias specifications. + syslog_badpri Syslog priority to use when user authenti- + cates unsuccessfully. Defaults to alert. - authenticates successfully. Defaults to - notice. + syslog_goodpri Syslog priority to use when user authenti- + cates successfully. Defaults to notice. timestampdir The directory in which ssuuddoo stores its timestamp files. The default is @@ -1042,16 +1049,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) current host must have the NOPASSWD flag set to avoid entering a password. - always The user must always enter a password - to use the --ll flag. - - any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid - -1.7 August 15, 2007 16 +1.7 September 5, 2007 16 @@ -1060,7 +1060,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - entering a password. + always The user must always enter a password + to use the --ll flag. + + any At least one of the user's _s_u_d_o_e_r_s + entries for the current host must have + the NOPASSWD flag set to avoid enter- + ing a password. never The user need never enter a password to use the --ll flag. 
@@ -1108,16 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) current host must have the NOPASSWD flag set to avoid entering a password. - always The user must always enter a password - to use the --vv flag. - any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid - -1.7 August 15, 2007 17 +1.7 September 5, 2007 17 @@ -1126,7 +1126,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - entering a password. + always The user must always enter a password + to use the --vv flag. + + any At least one of the user's _s_u_d_o_e_r_s + entries for the current host must have + the NOPASSWD flag set to avoid enter- + ing a password. never The user need never enter a password to use the --vv flag. @@ -1174,16 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) env_keep Environment variables to be preserved in the user's environment when the _e_n_v___r_e_s_e_t option is in effect. This allows fine- - grained control over the environment - ssuuddoo-spawned processes will receive. The - argument may be a double-quoted, space- - separated list or a single value without - double-quotes. The list can be replaced, - added to, deleted from, or disabled by -1.7 August 15, 2007 18 +1.7 September 5, 2007 18 @@ -1192,6 +1192,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + grained control over the environment + ssuuddoo-spawned processes will receive. The + argument may be a double-quoted, space- + separated list or a single value without + double-quotes. The list can be replaced, + added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of vari- ables to keep is displayed when ssuuddoo is 
@@ -1233,6 +1239,25 @@ EEXXAAMMPPLLEESS Host_Alias SERVERS = master, mail, www, ns Host_Alias CDROM = orion, perseus, hercules + + + + + + + + + + +1.7 September 5, 2007 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ /usr/sbin/restore, /usr/sbin/rrestore @@ -1247,17 +1272,6 @@ EEXXAAMMPPLLEESS Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - - -1.7 August 15, 2007 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - Here we override some of the compiled in default values. We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't want to subject the full time @@ -1299,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) any command on any host but they must authenticate them- selves first (since the entry lacks the NOPASSWD tag). + + +1.7 September 5, 2007 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + jack CSNETS = ALL The user jjaacckk may run any command on the machines in the @@ -1313,17 +1338,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the class B network 128.138.0.0). - - -1.7 August 15, 2007 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ sudoedit /etc/printcap, /usr/oper/bin/ 
@@ -1364,31 +1378,32 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) fred ALL = (DB) NOPASSWD: ALL The user ffrreedd can run commands as any user in the _D_B - Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. - john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except - root but he is not allowed to give _s_u(1) any flags. - jen ALL, !SERVERS = ALL +1.7 September 5, 2007 21 - The user jjeenn may run any command on any machine except for - those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and - ns). - jill SERVERS = /usr/bin/, !SU, !SHELLS -1.7 August 15, 2007 21 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except + root but he is not allowed to give _s_u(1) any flags. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + jen ALL, !SERVERS = ALL + The user jjeenn may run any command on any machine except for + those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and + ns). + + jill SERVERS = /usr/bin/, !SU, !SHELLS For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in the directory _/_u_s_r_/_b_i_n_/ except for those @@ -1428,9 +1443,21 @@ SSEECCUURRIITTYY NNOOTTEESS bill ALL = ALL, !SU, !SHELLS Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those com- - mands to a different name, or use a shell escape from an - editor or other program. Therefore, these kind of + listed in _S_U or _S_H_E_L_L_S since he can simply copy those + + + +1.7 September 5, 2007 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + commands to a different name, or use a shell escape from + an editor or other program. Therefore, these kind of restrictions should be considered advisory at best (and reinforced by policy). 
@@ -1445,17 +1472,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS There are two basic approaches to this problem: - - -1.7 August 15, 2007 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - restrict Avoid giving users access to commands that allow the user to run arbitrary commands. Many edi- tors have a restricted mode where shell escapes @@ -1494,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known nnoott + + + +1.7 September 5, 2007 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + to work on AIX and UnixWare. _n_o_e_x_e_c is expected to work on most operating systems that support the LD_PRELOAD environment variable. Check your @@ -1509,20 +1537,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will - - - -1.7 August 15, 2007 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - - prevent those two commands from executing other + _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre- + vent those two commands from executing other commands (such as a shell). If you are unsure whether or not your system is capable of sup- porting _n_o_e_x_e_c you can always just try it out @@ -1561,6 +1577,17 @@ SSUUPPPPOORRTT man/listinfo/sudo-users to subscribe or search the archives. + + +1.7 September 5, 2007 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + DDIISSCCLLAAIIMMEERR ssuuddoo is provided ``AS IS'' and any express or implied war- ranties, including, but not limited to, the implied war- @@ -1579,6 +1606,45 @@ DDIISSCCLLAAIIMMEERR -1.7 August 15, 2007 24 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +1.7 September 5, 2007 25 
diff --git a/sudoers.man.in b/sudoers.man.in index bffe07e31..09d7e01ad 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -150,7 +150,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "September 5, 2007" "1.7" "MAINTENANCE COMMANDS" .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" @@ -254,18 +254,19 @@ The definitions of what constitutes a valid \fIalias\fR member follow. \& User ',' User_List .Ve .PP -.Vb 4 +.Vb 5 \& User ::= '!'* username | +\& '!'* '#'uid | \& '!'* '%'group | \& '!'* '+'netgroup | \& '!'* User_Alias .Ve .PP -A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups -(prefixed with '%'), netgroups (prefixed with '+') and other aliases. -Each list item may be prefixed with one or more '!' operators. -An odd number of '!' operators negate the value of the item; an even -number just cancel each other out. +A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed +with '#'), system groups (prefixed with '%'), netgroups (prefixed +with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with +zero or more '!' operators. An odd number of '!' operators negate +the value of the item; an even number just cancel each other out. .PP .Vb 2 \& Runas_List ::= Runas_User | 
@@ -280,13 +281,12 @@ number just cancel each other out. \& '!'* Runas_Alias .Ve .PP -A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can -also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes -it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups -are matched as strings. In other words, two users (groups) with -the same uid (gid) are considered to be distinct. If you wish to -match all usernames with the same uid (e.g.\ root and toor), you -can use a uid instead (#0 in the example given). +A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead +of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that +usernames and groups are matched as strings. In other words, two +users (groups) with the same uid (gid) are considered to be distinct. +If you wish to match all usernames with the same uid (e.g.\ root +and toor), you can use a uid instead (#0 in the example given). .PP .Vb 2 \& Host_List ::= Host | @@ -365,10 +365,10 @@ that instead. .PP .Vb 5 \& Default_Type ::= 'Defaults' | -\& 'Defaults' '@' Host | -\& 'Defaults' ':' User | -\& 'Defaults' '!' Cmnd | -\& 'Defaults' '>' RunasUser +\& 'Defaults' '@' Host_List | +\& 'Defaults' ':' User_List | +\& 'Defaults' '!' Cmnd_List | +\& 'Defaults' '>' Runas_List .Ve .PP .Vb 1 -- 2.40.0
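Review bot: in the sudoers.man.in hunk @@ -254,18 the `.Vb 4` to `.Vb 5` bump is correct for the added `\& '!'* '#'uid |` line, but this hunk (and its sudoers.cat counterpart at @@ -105) changes documented policy semantics rather than only the date, and the subject line "regen" gives no pointer to the source change that introduced uid members in `User_List`; reference that change in the commit message so the edit is not mistaken for pure regeneration. The rewritten paragraph also drops the old statement that uids belonged only in a `Runas_List`, so the `User_List` paragraph should now carry what the `Runas_List` paragraph still says: names are matched as strings, while a uid entry such as `#0` matches every account sharing that uid (e.g. root and toor), which is a broader grant than a username.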
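Review bot: the `Runas_User` production re-added in sudoers.cat @@ -136 still reads `'!'* +netgroup |` with an unquoted `+`, while the `User` production at @@ -105 quotes it as `'!'* '+'netgroup |`; since both files are regenerated output, fix the quoting in the source so the two productions use the same notation, otherwise the grammar suggests that netgroup syntax differs between a `User_List` and a `Runas_List`.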
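Review bot: in the `Default_Type` hunks (sudoers.cat @@ -230, sudoers.man.in @@ -365) replacing `Host`, `User`, `Cmnd` and `RunasUser` with `Host_List`, `User_List`, `Cmnd_List` and `Runas_List` documents that a `Defaults@`, `Defaults:`, `Defaults!` or `Defaults>` entry applies to a whole list, including `!`-negated members and, for `User_List`, `#uid` members; leaving `.Vb 5` unchanged is right since the line count is the same, but the explanatory text for `Default_Entry` is not in the diff, so confirm it was regenerated to describe list scoping as well, because an administrator reading only the grammar would otherwise not learn that one `Defaults` line can now widen or narrow settings for several principals at once.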
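Review bot: apart from @@ -105, @@ -136 and @@ -230, every sudoers.cat hunk (@@ -61 and @@ -185 through @@ -1579) only moves text across page boundaries or replaces the `August 15, 2007` footer with `September 5, 2007`, a side effect of the one added grammar line and the new date; either separate the footer/date regeneration from the content regeneration or say so in the commit message, so that reviewers can focus on the three hunks that change what the manual states.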