From a7ab0002fddbdde199b72e4799af7584d1784dcb Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 13 Nov 2010 13:56:49 -0500 Subject: [PATCH] Bump version and regen man pages --HG-- branch : 1.7 --- configure | 18 +-- configure.in | 2 +- sudo.cat | 20 +-- sudo.man.in | 2 +- sudoers.cat | 54 ++++---- sudoers.ldap.cat | 302 +++++++++++++++++++++++++++----------------- sudoers.ldap.man.in | 55 +++++++- sudoers.man.in | 2 +- sudoreplay.cat | 10 +- sudoreplay.man.in | 4 +- visudo.cat | 6 +- visudo.man.in | 2 +- 12 files changed, 297 insertions(+), 180 deletions(-) diff --git a/configure b/configure index 2f72ba581..0f5c6d6c0 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.65 for sudo 1.7.5. +# Generated by GNU Autoconf 2.65 for sudo 1.7.5b2. # # Report bugs to . # @@ -701,8 +701,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.7.5' -PACKAGE_STRING='sudo 1.7.5' +PACKAGE_VERSION='1.7.5b2' +PACKAGE_STRING='sudo 1.7.5b2' PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/' PACKAGE_URL='' @@ -1556,7 +1556,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.7.5 to adapt to many kinds of systems. +\`configure' configures sudo 1.7.5b2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1621,7 +1621,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.7.5:";; + short | recursive ) echo "Configuration of sudo 1.7.5b2:";; esac cat <<\_ACEOF @@ -1835,7 +1835,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.7.5 +sudo configure 1.7.5b2 generated by GNU Autoconf 2.65 Copyright (C) 2009 Free Software Foundation, Inc. @@ -2534,7 +2534,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.7.5, which was +It was created by sudo $as_me 1.7.5b2, which was generated by GNU Autoconf 2.65. Invocation command line was $ $0 $@ @@ -19219,7 +19219,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.7.5, which was +This file was extended by sudo $as_me 1.7.5b2, which was generated by GNU Autoconf 2.65. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19285,7 +19285,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.7.5 +sudo config.status 1.7.5b2 configured by $0, generated by GNU Autoconf 2.65, with options \\"\$ac_cs_config\\" diff --git a/configure.in b/configure.in index f6a7c4dd0..9ed1cfc1f 100644 --- a/configure.in +++ b/configure.in @@ -3,7 +3,7 @@ dnl Process this file with GNU autoconf to produce a configure script. dnl dnl Copyright (c) 1994-1996,1998-2010 Todd C. Miller dnl -AC_INIT([sudo], [1.7.5], [http://www.sudo.ws/bugs/], [sudo]) +AC_INIT([sudo], [1.7.5b2], [http://www.sudo.ws/bugs/], [sudo]) AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h) dnl dnl This won't work before AC_INIT diff --git a/sudo.cat b/sudo.cat index ea05e0a04..1d069d04f 100644 --- a/sudo.cat +++ b/sudo.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5 November 3, 2010 1 +1.7.5b2 November 13, 2010 1 @@ -127,7 +127,7 @@ OOPPTTIIOONNSS -1.7.5 November 3, 2010 2 +1.7.5b2 November 13, 2010 2 @@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.5 November 3, 2010 3 +1.7.5b2 November 13, 2010 3 @@ -259,7 +259,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.5 November 3, 2010 4 +1.7.5b2 November 13, 2010 4 @@ -325,7 +325,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.5 November 3, 2010 5 +1.7.5b2 November 13, 2010 5 @@ -391,7 +391,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.7.5 November 3, 2010 6 +1.7.5b2 November 13, 2010 6 @@ -457,7 +457,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -1.7.5 November 3, 2010 7 +1.7.5b2 November 13, 2010 7 @@ -523,7 +523,7 @@ EENNVVIIRROONNMMEENNTT -1.7.5 November 3, 2010 8 +1.7.5b2 November 13, 2010 8 @@ -589,7 +589,7 @@ EEXXAAMMPPLLEESS -1.7.5 November 3, 2010 9 +1.7.5b2 November 13, 2010 9 @@ -655,6 +655,6 @@ DDIISSCCLLAAIIMMEERR -1.7.5 November 3, 2010 10 +1.7.5b2 November 13, 2010 10 diff --git a/sudo.man.in b/sudo.man.in index 3d7b1a829..c8a321822 100644 --- a/sudo.man.in +++ b/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/sudoers.cat b/sudoers.cat index 629173bb2..d19cdff22 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5 November 3, 2010 1 +1.7.5b2 November 13, 2010 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 2 +1.7.5b2 November 13, 2010 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 3 +1.7.5b2 November 13, 2010 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 4 +1.7.5b2 November 13, 2010 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 5 +1.7.5b2 November 13, 2010 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 6 +1.7.5b2 November 13, 2010 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 7 +1.7.5b2 November 13, 2010 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 8 +1.7.5b2 November 13, 2010 8 @@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 9 +1.7.5b2 November 13, 2010 9 @@ -655,7 +655,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.7.5 November 3, 2010 10 +1.7.5b2 November 13, 2010 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 11 +1.7.5b2 November 13, 2010 11 @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 12 +1.7.5b2 November 13, 2010 12 @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 13 +1.7.5b2 November 13, 2010 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 14 +1.7.5b2 November 13, 2010 14 @@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 15 +1.7.5b2 November 13, 2010 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 16 +1.7.5b2 November 13, 2010 16 @@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 17 +1.7.5b2 November 13, 2010 17 @@ -1183,7 +1183,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 18 +1.7.5b2 November 13, 2010 18 @@ -1249,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 19 +1.7.5b2 November 13, 2010 19 @@ -1315,7 +1315,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 20 +1.7.5b2 November 13, 2010 20 @@ -1381,7 +1381,7 @@ EEXXAAMMPPLLEESS -1.7.5 November 3, 2010 21 +1.7.5b2 November 13, 2010 21 @@ -1447,7 +1447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 22 +1.7.5b2 November 13, 2010 22 @@ -1513,7 +1513,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5 November 3, 2010 23 +1.7.5b2 November 13, 2010 23 @@ -1579,7 +1579,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.7.5 November 3, 2010 24 +1.7.5b2 November 13, 2010 24 @@ -1645,7 +1645,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS -1.7.5 November 3, 2010 25 +1.7.5b2 November 13, 2010 25 @@ -1711,7 +1711,7 @@ SSUUPPPPOORRTT -1.7.5 November 3, 2010 26 +1.7.5b2 November 13, 2010 26 @@ -1777,6 +1777,6 @@ DDIISSCCLLAAIIMMEERR -1.7.5 November 3, 2010 27 +1.7.5b2 November 13, 2010 27 diff --git a/sudoers.ldap.cat b/sudoers.ldap.cat index 22ee70f76..dba3cbbee 100644 --- a/sudoers.ldap.cat +++ b/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5 November 3, 2010 1 +1.7.5b2 November 13, 2010 1 @@ -113,28 +113,43 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) A Unix group or gid (prefixed with '#') that commands may be run as. The special value ALL will match any group. - Each component listed above should contain a single value, but there - may be multiple instances of each component type. A sudoRole must - contain at least one sudoUser, sudoHost and sudoCommand. + ssuuddooNNoottBBeeffoorree + A timestamp in the form yyyymmddHHMMZ that indicates start of + validity of this sudoRole. If multiple ssuuddooNNoottBBeeffoorree entries are + present, the earliest is used. - The following example allows users in group wheel to run any command on - any host via ssuuddoo: + ssuuddooNNoottAAfftteerr + A timestamp in the form yyyymmddHHMMZ that indicates end of + validity of this sudoRole. If multiple ssuuddooNNoottAAfftteerr entries are + present, the last one is used. +1.7.5b2 November 13, 2010 2 -1.7.5 November 3, 2010 2 +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + ssuuddooOOrrddeerr + The sudoRole entries retrieved from the LDAP directory have no + inherent order. The ssuuddooOOrrddeerr attribute is an integer that will be + used to sort the matching entries. This allows to more closely + mimic the behaviour of the sudoers file, where the of the entries + does have an influence on the result. If the ssuuddooOOrrddeerr attribute + is not present, a value of 0 is assumed. -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + Each component listed above should contain a single value, but there + may be multiple instances of each component type. A sudoRole must + contain at least one sudoUser, sudoHost and sudoCommand. + The following example allows users in group wheel to run any command on + any host via ssuuddoo: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com objectClass: top @@ -153,6 +168,10 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) third query returns all entries containing user netgroups and checks to see if the user belongs to any of them. + If timed entries are enabled with the SSUUDDOOEERRSS__TTIIMMEEDD configuration + directive, the LDAP queries include a subfilter that limits retrieval + to entries that satisfy the time constraints, if any are present. + DDiiffffeerreenncceess bbeettwweeeenn LLDDAAPP aanndd nnoonn--LLDDAAPP ssuuddooeerrss There are some subtle differences in the way sudoers is handled once in LDAP. Probably the biggest is that according to the RFC, LDAP ordering @@ -171,6 +190,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # LDAP equivalent of johnny # Allows all commands except shell + + + +1.7.5b2 November 13, 2010 3 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com objectClass: sudoRole objectClass: top @@ -190,18 +221,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) sudoUser: puddles sudoHost: ALL sudoCommand: !/bin/sh - - - -1.7.5 November 3, 2010 3 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - sudoCommand: ALL Another difference is that negations on the Host, User or Runas are @@ -237,6 +256,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) CCoonnffiigguurriinngg llddaapp..ccoonnff Sudo reads the _/_e_t_c_/_l_d_a_p_._c_o_n_f file for LDAP-specific configuration. + + + +1.7.5b2 November 13, 2010 4 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + Typically, this file is shared amongst different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from @@ -256,18 +287,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) either llddaapp or llddaappss, the latter being for servers that support TLS (SSL) encryption. If no _p_o_r_t is specified, the default is port 389 for ldap:// or port 636 for ldaps://. If no _h_o_s_t_n_a_m_e is specified, - - - -1.7.5 November 3, 2010 4 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - ssuuddoo will connect to llooccaallhhoosstt. Multiple UURRII lines are treated identically to a UURRII line containing multiple entries. Only systems using the OpenSSL libraries support the mixing of ldap:// @@ -303,9 +322,25 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) SSUUDDOOEERRSS__BBAASSEE base The base DN to use when performing ssuuddoo LDAP queries. Typically this is of the form ou=SUDOers,dc=example,dc=com for the domain + + + +1.7.5b2 November 13, 2010 5 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + example.com. Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in which case they are queried in the order specified. + SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no + Whether or not to evaluate the ssuuddooNNoottBBeeffoorree and ssuuddooNNoottAAfftteerr + attributes that implement time-dependent sudoers entries. + SSUUDDOOEERRSS__DDEEBBUUGG debug_level This sets the debug level for ssuuddoo LDAP queries. Debugging information is printed to the standard error. A value of 1 results @@ -321,19 +356,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) identity. By default, most LDAP servers will allow anonymous access. - - - - -1.7.5 November 3, 2010 5 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - BBIINNDDPPWW secret The BBIINNDDPPWW parameter specifies the password to use when performing LDAP operations. This is typically used in conjunction with the @@ -366,6 +388,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) TTLLSS__CCHHEECCKKPPEEEERR on/true/yes/off/false/no If enabled, TTLLSS__CCHHEECCKKPPEEEERR will cause the LDAP server's TLS + + + +1.7.5b2 November 13, 2010 6 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + certificated to be verified. If the server's TLS certificate cannot be verified (usually because it is signed by an unknown certificate authority), ssuuddoo will be unable to connect to it. If @@ -388,18 +422,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) TTLLSS__CCAACCEERRTTDDIIRR directory Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory - - - -1.7.5 November 3, 2010 6 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - containing individual Certificate Authority certificates, e.g. _/_e_t_c_/_s_s_l_/_c_e_r_t_s. The directory specified by TTLLSS__CCAACCEERRTTDDIIRR is checked after TTLLSS__CCAACCEERRTTFFIILLEE. This option is only supported by the @@ -431,6 +453,19 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Netscape-derived: tls_key /var/ldap/key3.db + + + + +1.7.5b2 November 13, 2010 7 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + TTLLSS__RRAANNDDFFIILLEE file name The TTLLSS__RRAANNDDFFIILLEE parameter specifies the path to an entropy source for systems that lack a random device. It is generally used in @@ -454,18 +489,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting to an LDAP server from a privileged process, such as ssuuddoo. - - - -1.7.5 November 3, 2010 7 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity The SASL user name to use when RROOOOTTUUSSEE__SSAASSLL is enabled. @@ -498,6 +521,17 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) To consult LDAP first followed by the local sudoers file (if it exists), use: + + +1.7.5b2 November 13, 2010 8 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + sudoers: ldap files The local _s_u_d_o_e_r_s file can be ignored completely by using: @@ -521,17 +555,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) To consult LDAP first followed by the local sudoers file (if it exists), use: - - -1.7.5 November 3, 2010 8 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - sudoers = ldap, files The local _s_u_d_o_e_r_s file can be ignored completely by using: @@ -560,6 +583,21 @@ FFIILLEESS EEXXAAMMPPLLEESS EExxaammppllee llddaapp..ccoonnff + + + + + + +1.7.5b2 November 13, 2010 9 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # Either specify one or more URIs or one or more host:port pairs. # If neither is specified sudo will default to localhost, port 389. # @@ -586,18 +624,9 @@ EEXXAAMMPPLLEESS # # verbose sudoers matching from ldap #sudoers_debug 2 - - - -1.7.5 November 3, 2010 9 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - + # + # Enable support for time-based entries in sudoers. + #sudoers_timed yes # # optional proxy credentials #binddn @@ -623,6 +652,18 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) #tls_checkpeer yes # verify server SSL certificate #tls_checkpeer no # ignore server SSL certificate # + + + +1.7.5b2 November 13, 2010 10 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + # If you enable tls_checkpeer, specify either tls_cacertfile # or tls_cacertdir. Only supported when using OpenLDAP. # @@ -652,18 +693,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # For OpenLDAP: #tls_cert /etc/certs/client_cert.pem #tls_key /etc/certs/client_key.pem - - - -1.7.5 November 3, 2010 10 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - # # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either # a directory, in which case the files in the directory must have the @@ -688,6 +717,19 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) # sasl_secprops none # krb5_ccname /etc/.ldapcache + + + + +1.7.5b2 November 13, 2010 11 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + SSuuddoo sscchheemmaa ffoorr OOppeennLLDDAAPP The following schema is in OpenLDAP format. Simply copy it to the schema directory (e.g. _/_e_t_c_/_o_p_e_n_l_d_a_p_/_s_c_h_e_m_a), add the proper include @@ -719,18 +761,6 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - - -1.7.5 November 3, 2010 11 - - - - - -SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) - - - attributetype ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' @@ -749,11 +779,45 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + attributetype ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' + DESC 'Start of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + + + +1.7.5b2 November 13, 2010 12 + + + + + +SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) + + + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + + attributetype ( 1.3.6.1.4.1.15953.9.1.9 + NAME 'sudoNotAfter' + DESC 'End of time interval for which the entry is valid' + EQUALITY generalizedTimeMatch + ORDERING generalizedTimeOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) + + attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 + NAME 'sudoOrder' + DESC 'an integer to order the sudoRole entries' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ - sudoRunAsGroup $ sudoOption $ description ) + sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ + sudoOrder $ description ) ) SSEEEE AALLSSOO @@ -787,6 +851,8 @@ DDIISSCCLLAAIIMMEERR -1.7.5 November 3, 2010 12 + + +1.7.5b2 November 13, 2010 13 diff --git a/sudoers.ldap.man.in b/sudoers.ldap.man.in index 2366be95e..ee1b9a4e2 100644 --- a/sudoers.ldap.man.in +++ b/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -245,6 +245,24 @@ The special value \f(CW\*(C`ALL\*(C'\fR will match any user. .IX Item "sudoRunAsGroup" A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as. The special value \f(CW\*(C`ALL\*(C'\fR will match any group. +.IP "\fBsudoNotBefore\fR" 4 +.IX Item "sudoNotBefore" +A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates start of validity +of this \f(CW\*(C`sudoRole\*(C'\fR. +If multiple \fBsudoNotBefore\fR entries are present, the earliest is used. +.IP "\fBsudoNotAfter\fR" 4 +.IX Item "sudoNotAfter" +A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates end of validity +of this \f(CW\*(C`sudoRole\*(C'\fR. +If multiple \fBsudoNotAfter\fR entries are present, the last one is used. +.IP "\fBsudoOrder\fR" 4 +.IX Item "sudoOrder" +The sudoRole entries retrieved from the \s-1LDAP\s0 directory have no +inherent order. The \fBsudoOrder\fR attribute is an integer that will +be used to sort the matching entries. This allows to more closely +mimic the behaviour of the sudoers file, where the of the entries +does have an influence on the result. If the \fBsudoOrder\fR attribute +is not present, a value of 0 is assumed. .PP Each component listed above should contain a single value, but there may be multiple instances of each component type. A sudoRole must @@ -271,6 +289,10 @@ groups that the user belongs to. (The special \s-1ALL\s0 tag is matched in this query too.) If no match is returned for the user's name and groups, a third query returns all entries containing user netgroups and checks to see if the user belongs to any of them. +.PP +If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration +directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval +to entries that satisfy the time constraints, if any are present. .SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers" .IX Subsection "Differences between LDAP and non-LDAP sudoers" There are some subtle differences in the way sudoers is handled @@ -405,6 +427,10 @@ The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typic this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain \&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified, in which case they are queried in the order specified. +.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4 +.IX Item "SUDOERS_TIMED on/true/yes/off/false/no" +Whether or not to evaluate the \fBsudoNotBefore\fR and \fBsudoNotAfter\fR +attributes that implement time-dependent sudoers entries. .IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4 .IX Item "SUDOERS_DEBUG debug_level" This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging @@ -664,6 +690,9 @@ determines sudoers source order on \s-1AIX\s0 \& # verbose sudoers matching from ldap \& #sudoers_debug 2 \& # +\& # Enable support for time\-based entries in sudoers. +\& #sudoers_timed yes +\& # \& # optional proxy credentials \& #binddn \& #bindpw @@ -792,11 +821,33 @@ schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper \& EQUALITY caseExactIA5Match \& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) \& +\& attributetype ( 1.3.6.1.4.1.15953.9.1.8 +\& NAME \*(AqsudoNotBefore\*(Aq +\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq +\& EQUALITY generalizedTimeMatch +\& ORDERING generalizedTimeOrderingMatch +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +\& +\& attributetype ( 1.3.6.1.4.1.15953.9.1.9 +\& NAME \*(AqsudoNotAfter\*(Aq +\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq +\& EQUALITY generalizedTimeMatch +\& ORDERING generalizedTimeOrderingMatch +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 ) +\& +\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10 +\& NAME \*(AqsudoOrder\*(Aq +\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq +\& EQUALITY integerMatch +\& ORDERING integerOrderingMatch +\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) +\& \& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL \& DESC \*(AqSudoer Entries\*(Aq \& MUST ( cn ) \& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ -\& sudoRunAsGroup $ sudoOption $ description ) +\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $ +\& sudoOrder $ description ) \& ) .Ve .SH "SEE ALSO" diff --git a/sudoers.man.in b/sudoers.man.in index 87ec829f1..2dfd25fba 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/sudoreplay.cat b/sudoreplay.cat index 9c03469df..7c253c290 100644 --- a/sudoreplay.cat +++ b/sudoreplay.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.4 July 12, 2010 1 +1.7.5b2 November 13, 2010 1 @@ -127,7 +127,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.4 July 12, 2010 2 +1.7.5b2 November 13, 2010 2 @@ -193,7 +193,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.4 July 12, 2010 3 +1.7.5b2 November 13, 2010 3 @@ -259,7 +259,7 @@ EEXXAAMMPPLLEESS -1.7.4 July 12, 2010 4 +1.7.5b2 November 13, 2010 4 @@ -325,6 +325,6 @@ DDIISSCCLLAAIIMMEERR -1.7.4 July 12, 2010 5 +1.7.5b2 November 13, 2010 5 diff --git a/sudoreplay.man.in b/sudoreplay.man.in index 1ed044d17..56bf2209c 100644 --- a/sudoreplay.man.in +++ b/sudoreplay.man.in @@ -13,7 +13,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) +.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14) .\" .\" Standard preamble: .\" ======================================================================== @@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "July 12, 2010" "1.7.4" "MAINTENANCE COMMANDS" +.TH SUDOREPLAY @mansectsu@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/visudo.cat b/visudo.cat index 92b13664a..88d2e0c2e 100644 --- a/visudo.cat +++ b/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.5 November 3, 2010 1 +1.7.5b2 November 13, 2010 1 @@ -127,7 +127,7 @@ SSEEEE AALLSSOO -1.7.5 November 3, 2010 2 +1.7.5b2 November 13, 2010 2 @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.7.5 November 3, 2010 3 +1.7.5b2 November 13, 2010 3 diff --git a/visudo.man.in b/visudo.man.in index 6f677cf82..ba89bb1e9 100644 --- a/visudo.man.in +++ b/visudo.man.in @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "November 3, 2010" "1.7.5" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "November 13, 2010" "1.7.5b2" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l -- 2.40.0