From ad8c96403d8c39d47138862bc94e996d2f19e30a Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sat, 16 Jan 2016 16:46:17 -0700 Subject: [PATCH] Use "Nm sudoers" when talking about the plugin and "Em sudoers" when talking about the sudoers file. --- doc/sudoers.cat | 202 ++++++++++++++++++++++---------------------- doc/sudoers.man.in | 149 ++++++++++++++++---------------- doc/sudoers.mdoc.in | 149 ++++++++++++++++---------------- 3 files changed, 250 insertions(+), 250 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index ea1eb968c..8ad5beaa0 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -7,7 +7,7 @@ DDEESSCCRRIIPPTTIIOONN The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s file or, optionally in LDAP. The policy format is described in detail in - the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s + the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing ssuuddooeerrss policy information in LDAP, please see sudoers.ldap(4). CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss 
@@ -61,11 +61,11 @@ DDEESSCCRRIIPPTTIIOONN manual. AAuutthheennttiiccaattiioonn aanndd llooggggiinngg - The _s_u_d_o_e_r_s security policy requires that most users authenticate + The ssuuddooeerrss security policy requires that most users authenticate themselves before they can use ssuuddoo. A password is not required if the invoking user is root, if the target user is the same as the invoking user, or if the policy has disabled authentication for the user or - command. Unlike su(1), when _s_u_d_o_e_r_s requires authentication, it + command. Unlike su(1), when ssuuddooeerrss requires authentication, it validates the invoking user's credentials, not the target user's (or root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags, described later. 
@@ -83,25 +83,24 @@ DDEESSCCRRIIPPTTIIOONN regardless of whether or not mail is sent. If ssuuddoo is run by root and the SUDO_USER environment variable is set, the - _s_u_d_o_e_r_s policy will use this value to determine who the actual user is. + ssuuddooeerrss policy will use this value to determine who the actual user is. This can be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the --ee option to remain useful even when invoked via a sudo-run script or program. Note, however, that - the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by + the _s_u_d_o_e_r_s file lookup is still done for root, not the user specified by SUDO_USER. - _s_u_d_o_e_r_s uses per-user time stamp files for credential caching. Once a + ssuuddooeerrss uses per-user time stamp files for credential caching. Once a user has been authenticated, a record is written containing the uid that was used to authenticate, the terminal session ID, and a time stamp (using a monotonic clock if one is available). The user may then use ssuuddoo without a password for a short period of time (5 minutes unless - overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a separate + overridden by the _t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate record for each tty, which means that a user's login sessions are authenticated separately. The _t_t_y___t_i_c_k_e_t_s option can be disabled to force the use of a single time stamp for all of a user's sessions. - - _s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as - errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log + ssuuddooeerrss can log both successful and unsuccessful attempts (as well as + errors) to syslog(3), a log file, or both. By default, ssuuddooeerrss will log via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults settings. 
@@ -111,10 +110,10 @@ DDEESSCCRRIIPPTTIIOONN tags. CCoommmmaanndd eennvviirroonnmmeenntt - Since environment variables can influence program behavior, _s_u_d_o_e_r_s + Since environment variables can influence program behavior, ssuuddooeerrss provides a means to restrict which variables from the user's environment are inherited by the command to be run. There are two distinct ways - _s_u_d_o_e_r_s can deal with environment variables. + ssuuddooeerrss can deal with environment variables. By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be executed with a new, minimal environment. On AIX (and Linux systems @@ -173,7 +172,7 @@ DDEESSCCRRIIPPTTIIOONN them. As a special case, if ssuuddoo's --ii option (initial login) is specified, - _s_u_d_o_e_r_s will initialize the environment regardless of the value of + ssuuddooeerrss will initialize the environment regardless of the value of _e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX (and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are @@ -193,8 +192,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT there are multiple matches, the last match is used (which is not necessarily the most specific match). - The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form - (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly + The _s_u_d_o_e_r_s file grammar will be described below in Extended Backus-Naur + Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly simple, and the definitions below are annotated. QQuuiicckk gguuiiddee ttoo EEBBNNFF 
@@ -388,7 +387,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. Note that ``sudoedit'' is a command built into ssuuddoo itself and must be specified in - _s_u_d_o_e_r_s without a leading path. + the _s_u_d_o_e_r_s file without a leading path. If a command name is prefixed with a Digest_Spec, the command will only match successfully if it can be verified using the specified SHA-2 @@ -556,14 +555,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT setting the group to operator or system. SSEELLiinnuuxx__SSppeecc - On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an - SELinux role and/or type associated with a command. If a role or type is - specified with the command it will override any default values specified - in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will - supersede the values in _s_u_d_o_e_r_s. + On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have + an SELinux role and/or type associated with a command. If a role or type + is specified with the command it will override any default values + specified in _s_u_d_o_e_r_s. A role or type specified on the command line, + however, will supersede the values in _s_u_d_o_e_r_s. SSoollaarriiss__PPrriivv__SSppeecc - On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris + On Solaris systems, _s_u_d_o_e_r_s file entries may optionally specify Solaris privilege set and/or limit privilege set associated with a command. If privileges or limit privileges are specified with the command it will override any default values specified in _s_u_d_o_e_r_s. 
@@ -736,14 +735,15 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT $ sudo cat /var/log/messages /etc/shadow which is probably not what was intended. In most cases it is better to - do command line processing outside of _s_u_d_o_e_r_s in a scripting language. + do command line processing outside of the _s_u_d_o_e_r_s file in a scripting + language. EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: "" If the empty string "" is the only command line argument in the - _s_u_d_o_e_r_s entry it means that command is not allowed to be run - with _a_n_y arguments. + _s_u_d_o_e_r_s file entry it means that command is not allowed to be + run with _a_n_y arguments. sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should always be path names, so a forward slash (`/') will not be @@ -756,8 +756,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in addition to a local, per-machine file. For the sake of this example the - site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be - _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within + site-wide _s_u_d_o_e_r_s file will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will + be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: #include /etc/sudoers.local 
@@ -785,8 +785,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory - that the system package manager can drop _s_u_d_o_e_r_s rules into as part of - package installation. For example, given: + that the system package manager can drop _s_u_d_o_e_r_s file rules into as part + of package installation. For example, given: #includedir /etc/sudoers.d @@ -967,9 +967,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS names that include globbing characters are used with the negation operator, `!', as such rules can be trivially bypassed. As such, this option should not be - used when _s_u_d_o_e_r_s contains rules that contain negated - path names which include globbing characters. This - flag is _o_f_f by default. + used when the _s_u_d_o_e_r_s file contains rules that contain + negated path names which include globbing characters. + This flag is _o_f_f by default. fqdn Set this flag if you want to put fully qualified host names in the _s_u_d_o_e_r_s file when the local host name (as @@ -1039,7 +1039,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS log_host If set, the host name will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. - log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and + log_input If set, ssuuddoo will run the command in a pseudo-tty and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input 
@@ -1064,7 +1064,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS unencrypted. In most cases, logging the command output via _l_o_g___o_u_t_p_u_t is all that is required. - log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and + log_output If set, ssuuddoo will run the command in a pseudo-tty and log all output that is sent to the screen, similar to the script(1) command. If the standard output or standard error is not connected to the user's tty, due @@ -1112,7 +1112,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo does not enter the correct password. If the command the user is attempting to run is not permitted by - _s_u_d_o_e_r_s and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, + ssuuddooeerrss and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s, _m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are set, this flag will have no effect. This flag is _o_f_f by default. 
@@ -1323,13 +1323,14 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS single record is used for all login sessions. This flag is _o_n by default. - umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s - without modification. This makes it possible to - specify a more permissive umask in _s_u_d_o_e_r_s than the - user's own umask and matches historical behavior. If - _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to - be the union of the user's umask and what is specified - in _s_u_d_o_e_r_s. This flag is _o_f_f by default. + umask_override If set, ssuuddoo will set the umask as specified in the + _s_u_d_o_e_r_s file without modification. This makes it + possible to specify a umask in the _s_u_d_o_e_r_s file that is + more permissive than the user's own umask and matches + historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, + ssuuddoo will set the umask to be the union of the user's + umask and what is specified in _s_u_d_o_e_r_s. This flag is + _o_f_f by default. use_loginclass If set, ssuuddoo will apply the defaults specified for the target user's login class if one exists. Only @@ -1588,8 +1589,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS role The default SELinux role to use when constructing a new security context to run the command. The default role - may be overridden on a per-command basis in _s_u_d_o_e_r_s or - via command line options. This option is only + may be overridden on a per-command basis in the _s_u_d_o_e_r_s + file or via command line options. This option is only available when ssuuddoo is built with SELinux support. runas_default The default user to run commands as if the --uu option is 
@@ -1623,8 +1624,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS type The default SELinux type to use when constructing a new security context to run the command. The default type - may be overridden on a per-command basis in _s_u_d_o_e_r_s or - via command line options. This option is only + may be overridden on a per-command basis in the _s_u_d_o_e_r_s + file or via command line options. This option is only available when ssuuddoo is built with SELinux support. SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: @@ -1642,7 +1643,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS requirements. The group name specified should not include a % prefix. This is not set by default. - group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional + group_plugin A string containing a ssuuddooeerrss group plugin with optional arguments. The string should consist of the plugin path, either fully-qualified or relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any @@ -1675,16 +1676,16 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS a user runs ssuuddoo with the --ll option. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the current - host must have the NOPASSWD flag set to avoid - entering a password. + all All the user's _s_u_d_o_e_r_s file entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. always The user must always enter a password to use the --ll option. - any At least one of the user's _s_u_d_o_e_r_s entries for - the current host must have the NOPASSWD flag set - to avoid entering a password. + any At least one of the user's _s_u_d_o_e_r_s file entries + for the current host must have the NOPASSWD flag + set to avoid entering a password. never The user need never enter a password to use the --ll option. 
@@ -1730,15 +1731,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS a user runs ssuuddoo with the --vv option. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the current host - must have the NOPASSWD flag set to avoid entering a - password. + all All the user's _s_u_d_o_e_r_s file entries for the current + host must have the NOPASSWD flag set to avoid + entering a password. always The user must always enter a password to use the --vv option. - any At least one of the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD flag set to + any At least one of the user's _s_u_d_o_e_r_s file entries for + the current host must have the NOPASSWD flag set to avoid entering a password. never The user need never enter a password to use the --vv @@ -1938,8 +1939,8 @@ LLOOGG FFOORRMMAATT unable to open/read /etc/sudoers The _s_u_d_o_e_r_s file could not be opened for reading. This can happen when the _s_u_d_o_e_r_s file is located on a remote file system that maps - user ID 0 to a different value. Normally, ssuuddooeerrss tries to open - _s_u_d_o_e_r_s using group permissions to avoid this problem. Consider + user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the + _s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. 
@@ -1971,29 +1972,29 @@ LLOOGG FFOORRMMAATT line in the sudo.conf(4) file. unable to open /var/run/sudo/ts/username - _s_u_d_o_e_r_s was unable to read or create the user's time stamp file. This + ssuuddooeerrss was unable to read or create the user's time stamp file. This can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711. unable to write to /var/run/sudo/ts/username - _s_u_d_o_e_r_s was unable to write to the user's time stamp file. + ssuuddooeerrss was unable to write to the user's time stamp file. /var/run/sudo/ts is owned by uid X, should be Y The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r. This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed. - _s_u_d_o_e_r_s will ignore the time stamp directory until the owner is + ssuuddooeerrss will ignore the time stamp directory until the owner is corrected. /var/run/sudo/ts is group writable The time stamp directory is group-writable; it should be writable only by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is - 0700. _s_u_d_o_e_r_s will ignore the time stamp directory until the mode is + 0700. ssuuddooeerrss will ignore the time stamp directory until the mode is corrected. NNootteess oonn llooggggiinngg vviiaa ssyysslloogg - By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and - _p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As + By default, ssuuddooeerrss logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and + _p_r_o_g_n_a_m_e fields are added by the syslog daemon, not ssuuddooeerrss itself. As such, they may vary in format on different systems. On most systems, syslog(3) has a relatively small log buffer. To prevent 
@@ -2004,8 +2005,8 @@ LLOOGG FFOORRMMAATT and before the continued command line arguments. NNootteess oonn llooggggiinngg ttoo aa ffiillee - If the _l_o_g_f_i_l_e option is set, _s_u_d_o_e_r_s will log to a local file, such as - _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, _s_u_d_o_e_r_s uses a format similar to + If the _l_o_g_f_i_l_e option is set, ssuuddooeerrss will log to a local file, such as + _/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, ssuuddooeerrss uses a format similar to syslog(3), with a few important differences: 1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present. @@ -2032,18 +2033,18 @@ FFIILLEESS _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files _/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the - _s_u_d_o_e_r_s security policy + ssuuddooeerrss security policy _/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for - the _s_u_d_o_e_r_s security policy + the ssuuddooeerrss security policy _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and Linux systems EEXXAAMMPPLLEESS - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit - contrived. First, we allow a few environment variables to pass and then - define our _a_l_i_a_s_e_s: + Below are example _s_u_d_o_e_r_s file entries. Admittedly, some of these are a + bit contrived. First, we allow a few environment variables to pass and + then define our _a_l_i_a_s_e_s: # Run X applications through sudo; HOME is used to find the # .Xauthority file. Note that other programs use HOME to find @@ -2265,7 +2266,7 @@ SSEECCUURRIITTYY NNOOTTEESS that grant privileges, it can result in a security issue for rules that subtract or revoke privileges. - For example, given the following _s_u_d_o_e_r_s entry: + For example, given the following _s_u_d_o_e_r_s file entry: john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root 
@@ -2331,13 +2332,13 @@ SSEECCUURRIITTYY NNOOTTEESS give the user permission to run ssuuddooeeddiitt (see below). SSeeccuurree eeddiittiinngg - The _s_u_d_o_e_r_s plugin includes ssuuddooeeddiitt support which allows users to + The ssuuddooeerrss plugin includes ssuuddooeeddiitt support which allows users to securely edit files with the editor of their choice. As ssuuddooeeddiitt is a - built-in command, it must be specified in _s_u_d_o_e_r_s without a leading path. - However, it may take command line arguments just as a normal command - does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments are expected to - be path names, so a forward slash (`/') will not be matched by a - wildcard. + built-in command, it must be specified in the _s_u_d_o_e_r_s file without a + leading path. However, it may take command line arguments just as a + normal command does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments + are expected to be path names, so a forward slash (`/') will not be + matched by a wildcard. Unlike other ssuuddoo commands, the editor is run with the permissions of the invoking user and with the environment unmodified. More information may @@ -2368,7 +2369,7 @@ SSEECCUURRIITTYY NNOOTTEESS same file system. TTiimmee ssttaammpp ffiillee cchheecckkss - _s_u_d_o_e_r_s will check the ownership of its time stamp directory + ssuuddooeerrss will check the ownership of its time stamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it is not owned by root or if it is writable by a user other than root. Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer 
@@ -2378,33 +2379,33 @@ SSEECCUURRIITTYY NNOOTTEESS While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all systems contain a _/_v_a_r_/_r_u_n directory. To avoid potential problems, - _s_u_d_o_e_r_s will ignore time stamp files that date from before the machine + ssuuddooeerrss will ignore time stamp files that date from before the machine booted on systems where the boot time is available. Some systems with graphical desktop environments allow unprivileged users - to change the system clock. Since _s_u_d_o_e_r_s relies on the system clock for + to change the system clock. Since ssuuddooeerrss relies on the system clock for time stamp validation, it may be possible on such systems for a user to run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To - combat this, _s_u_d_o_e_r_s uses a monotonic clock (which never moves backwards) + combat this, ssuuddooeerrss uses a monotonic clock (which never moves backwards) for its time stamps if the system supports it. - _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps + ssuuddooeerrss will not honor time stamps set far in the future. Time stamps with a date greater than current_time + 2 * TIMEOUT will be ignored and - _s_u_d_o_e_r_s will log and complain. + ssuuddooeerrss will log and complain. Since time stamp files live in the file system, they can outlive a user's login session. As a result, a user may be able to login, run a command with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without authenticating so long as the record's time stamp is within 5 minutes (or - whatever value the timeout is set to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s - option is enabled, the time stamp record includes the device number of - the terminal the user authenticated with. This provides per-tty - granularity but time stamp records still may outlive the user's session. 
- The time stamp record also includes the session ID of the process that - last authenticated. This prevents processes in different terminal - sessions from using the same time stamp record. It also helps reduce the - chance that a user will be able to run ssuuddoo without entering a password - when logging out and back in again on the same terminal. + whatever value the timeout is set to in the _s_u_d_o_e_r_s file). When the + _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp record includes the device + number of the terminal the user authenticated with. This provides per- + tty granularity but time stamp records still may outlive the user's + session. The time stamp record also includes the session ID of the + process that last authenticated. This prevents processes in different + terminal sessions from using the same time stamp record. It also helps + reduce the chance that a user will be able to run ssuuddoo without entering a + password when logging out and back in again on the same terminal. DDEEBBUUGGGGIINNGG Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible @@ -2431,7 +2432,7 @@ DDEEBBUUGGGGIINNGG _a_u_t_h user authentication - _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings + _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s file _D_e_f_a_u_l_t_s settings _e_n_v environment handling @@ -2439,11 +2440,12 @@ DDEEBBUUGGGGIINNGG _l_o_g_g_i_n_g logging support - _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s + _m_a_t_c_h matching of users, groups, hosts and netgroups in the _s_u_d_o_e_r_s + file _n_e_t_i_f network interface handling - _n_s_s network service switch handling in _s_u_d_o_e_r_s + _n_s_s network service switch handling in ssuuddooeerrss _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing 
@@ -2480,8 +2482,8 @@ AAUUTTHHOORRSS CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which - locks the file and does grammatical checking. It is imperative that - _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a + locks the file and does grammatical checking. It is imperative that the + _s_u_d_o_e_r_s file be free of syntax errors since ssuuddoo will not run with a syntactically incorrect _s_u_d_o_e_r_s file. When using netgroups of machines (as opposed to users), if you store diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 00af9a3e2..145a7430a 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -44,7 +44,7 @@ The policy format is described in detail in the \fISUDOERS FILE FORMAT\fR section. For information on storing -\fIsudoers\fR +\fBsudoers\fR policy information in LDAP, please see sudoers.ldap(@mansectform@). @@ -138,7 +138,7 @@ sudo.conf(@mansectform@), please refer to its manual. .SS "Authentication and logging" The -\fIsudoers\fR +\fBsudoers\fR security policy requires that most users authenticate themselves before they can use \fBsudo\fR. @@ -149,7 +149,7 @@ user or command. Unlike su(1), when -\fIsudoers\fR +\fBsudoers\fR requires authentication, it validates the invoking user's credentials, not the target user's (or root's) credentials. @@ -198,7 +198,7 @@ is run by root and the \fRSUDO_USER\fR environment variable is set, the -\fIsudoers\fR +\fBsudoers\fR policy will use this value to determine who the actual user is. This can be used by a user to log commands 
@@ -210,10 +210,10 @@ option to remain useful even when invoked via a sudo-run script or program. Note, however, that the \fIsudoers\fR -lookup is still done for root, not the user specified by +file lookup is still done for root, not the user specified by \fRSUDO_USER\fR. .PP -\fIsudoers\fR +\fBsudoers\fR uses per-user time stamp files for credential caching. Once a user has been authenticated, a record is written containing the uid that was used to authenticate, the @@ -228,21 +228,20 @@ minutes unless overridden by the option) \&. By default, -\fIsudoers\fR +\fBsudoers\fR uses a separate record for each tty, which means that a user's login sessions are authenticated separately. The \fItty_tickets\fR option can be disabled to force the use of a single time stamp for all of a user's sessions. -.PP -\fIsudoers\fR +\fBsudoers\fR can log both successful and unsuccessful attempts (as well as errors) to syslog(3), a log file, or both. By default, -\fIsudoers\fR +\fBsudoers\fR will log via syslog(3) but this is changeable via the @@ -266,12 +265,12 @@ and command tags. .SS "Command environment" Since environment variables can influence program behavior, -\fIsudoers\fR +\fBsudoers\fR provides a means to restrict which variables from the user's environment are inherited by the command to be run. There are two distinct ways -\fIsudoers\fR +\fBsudoers\fR can deal with environment variables. .PP By default, the @@ -424,7 +423,7 @@ As a special case, if \fB\-i\fR option (initial login) is specified, -\fIsudoers\fR +\fBsudoers\fR will initialize the environment regardless of the value of \fIenv_reset\fR. @@ -476,7 +475,7 @@ not necessarily the most specific match). .PP The \fIsudoers\fR -grammar will be described below in Extended Backus-Naur +file grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly simple, and the definitions below are annotated. 
@@ -840,9 +839,9 @@ Note that \(Lq\fRsudoedit\fR\(Rq is a command built into \fBsudo\fR -itself and must be specified in +itself and must be specified in the \fIsudoers\fR -without a leading path. +file without a leading path. .PP If a \fRcommand name\fR @@ -1168,7 +1167,7 @@ optionally setting the group to operator or system. .SS "SELinux_Spec" On systems with SELinux support, \fIsudoers\fR -entries may optionally have an SELinux role and/or type associated +file entries may optionally have an SELinux role and/or type associated with a command. If a role or type is specified with the command it will override any default values @@ -1180,7 +1179,7 @@ however, will supersede the values in .SS "Solaris_Priv_Spec" On Solaris systems, \fIsudoers\fR -entries may optionally specify Solaris privilege set and/or limit +file entries may optionally specify Solaris privilege set and/or limit privilege set associated with a command. If privileges or limit privileges are specified with the command it will override any default values specified in @@ -1582,9 +1581,9 @@ $ sudo cat /var/log/messages /etc/shadow .PP which is probably not what was intended. In most cases it is better to do command line processing -outside of +outside of the \fIsudoers\fR -in a scripting language. +file in a scripting language. .SS "Exceptions to wildcard rules" The following exceptions apply to the above rules: .TP 10n @@ -1593,7 +1592,7 @@ If the empty string \fR\&""\fR is the only command line argument in the \fIsudoers\fR -entry it means that command is not allowed to be run with +file entry it means that command is not allowed to be run with \fIany\fR arguments. .TP 10n @@ -1619,7 +1618,7 @@ This can be used, for example, to keep a site-wide file in addition to a local, per-machine file. For the sake of this example the site-wide \fIsudoers\fR -will be +file will be \fI/etc/sudoers\fR and the per-machine one will be \fI/etc/sudoers.local\fR. 
@@ -1694,8 +1693,7 @@ directive can be used to create a \fIsudoers.d\fR directory that the system package manager can drop \fIsudoers\fR -rules -into as part of package installation. +file rules into as part of package installation. For example, given: .nf .sp @@ -2084,9 +2082,9 @@ This has security implications when path names that include globbing characters are used with the negation operator, \(oq!\&\(cq, as such rules can be trivially bypassed. -As such, this option should not be used when +As such, this option should not be used when the \fIsudoers\fR -contains rules that contain negated path names which include globbing +file contains rules that contain negated path names which include globbing characters. This flag is \fIoff\fR @@ -2218,9 +2216,7 @@ by default. log_input If set, \fBsudo\fR -will run the command in a -\fIpseudo-tty\fR -and log all user input. +will run the command in a pseudo-tty and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. @@ -2263,9 +2259,8 @@ is all that is required. log_output If set, \fBsudo\fR -will run the command in a -\fIpseudo-tty\fR -and log all output that is sent to the screen, similar to the +will run the command in a pseudo-tty and log all output that is sent +to the screen, similar to the script(1) command. If the standard output or standard error is not connected to the @@ -2363,7 +2358,7 @@ user if the user running \fBsudo\fR does not enter the correct password. If the command the user is attempting to run is not permitted by -\fIsudoers\fR +\fBsudoers\fR and one of the \fImail_all_cmnds\fR, \fImail_always\fR, 
@@ -2809,12 +2804,13 @@ by default. umask_override If set, \fBsudo\fR -will set the umask as specified by +will set the umask as specified in the \fIsudoers\fR -without modification. -This makes it possible to specify a more permissive umask in +file without modification. +This makes it possible to specify a umask in the \fIsudoers\fR -than the user's own umask and matches historical behavior. +file that is more permissive than the user's own umask and matches +historical behavior. If \fIumask_override\fR is not set, @@ -3272,9 +3268,9 @@ is built on Solaris 10 or higher. role The default SELinux role to use when constructing a new security context to run the command. -The default role may be overridden on a per-command basis in +The default role may be overridden on a per-command basis in the \fIsudoers\fR -or via command line options. +file or via command line options. This option is only available when \fBsudo\fR is built with SELinux support. @@ -3335,9 +3331,9 @@ The default is type The default SELinux type to use when constructing a new security context to run the command. -The default type may be overridden on a per-command basis in +The default type may be overridden on a per-command basis in the \fIsudoers\fR -or via command line options. +file or via command line options. This option is only available when \fBsudo\fR is built with SELinux support. @@ -3370,7 +3366,7 @@ This is not set by default. .TP 14n group_plugin A string containing a -\fIsudoers\fR +\fBsudoers\fR group plugin with optional arguments. The string should consist of the plugin path, either fully-qualified or relative to the @@ -3435,7 +3431,7 @@ It has the following possible values: all All the user's \fIsudoers\fR -entries for the current host must have +file entries for the current host must have the \fRNOPASSWD\fR flag set to avoid entering a password. 
@@ -3449,7 +3445,7 @@ option. any At least one of the user's \fIsudoers\fR -entries for the current host +file entries for the current host must have the \fRNOPASSWD\fR flag set to avoid entering a password. @@ -3569,7 +3565,7 @@ It has the following possible values: all All the user's \fIsudoers\fR -entries for the current host must have the +file entries for the current host must have the \fRNOPASSWD\fR flag set to avoid entering a password. .PD @@ -3582,7 +3578,7 @@ option. any At least one of the user's \fIsudoers\fR -entries for the current host must have the +file entries for the current host must have the \fRNOPASSWD\fR flag set to avoid entering a password. .TP 8n @@ -3941,9 +3937,9 @@ file is located on a remote file system that maps user ID 0 to a different value. Normally, \fBsudoers\fR -tries to open +tries to open the \fIsudoers\fR -using group permissions to avoid this problem. +file using group permissions to avoid this problem. Consider either changing the ownership of \fI@sysconfdir@/sudoers\fR or adding an argument like @@ -4025,7 +4021,7 @@ sudo.conf(@mansectform@) file. .TP 3n unable to open @rundir@/ts/username -\fIsudoers\fR +\fBsudoers\fR was unable to read or create the user's time stamp file. This can happen when \fItimestampowner\fR @@ -4037,7 +4033,7 @@ The default mode for is 0711. .TP 3n unable to write to @rundir@/ts/username -\fIsudoers\fR +\fBsudoers\fR was unable to write to the user's time stamp file. .TP 3n @rundir@/ts is owned by uid X, should be Y 
@@ -4046,18 +4042,18 @@ The time stamp directory is owned by a user other than This can occur when the value of \fItimestampowner\fR has been changed. -\fIsudoers\fR +\fBsudoers\fR will ignore the time stamp directory until the owner is corrected. .TP 3n @rundir@/ts is group writable The time stamp directory is group-writable; it should be writable only by \fItimestampowner\fR. The default mode for the time stamp directory is 0700. -\fIsudoers\fR +\fBsudoers\fR will ignore the time stamp directory until the mode is corrected. .SS "Notes on logging via syslog" By default, -\fIsudoers\fR +\fBsudoers\fR logs messages via syslog(3). The @@ -4066,7 +4062,7 @@ The and \fIprogname\fR fields are added by the syslog daemon, not -\fIsudoers\fR +\fBsudoers\fR itself. As such, they may vary in format on different systems. .PP @@ -4085,11 +4081,11 @@ after the user name and before the continued command line arguments. If the \fIlogfile\fR option is set, -\fIsudoers\fR +\fBsudoers\fR will log to a local file, such as \fI/var/log/sudo\fR. When logging to a file, -\fIsudoers\fR +\fBsudoers\fR uses a format similar to syslog(3), with a few important differences: @@ -4140,12 +4136,12 @@ I/O log files .TP 26n \fI@rundir@/ts\fR Directory containing time stamps for the -\fIsudoers\fR +\fBsudoers\fR security policy .TP 26n \fI@vardir@/lectured\fR Directory containing lecture status files for the -\fIsudoers\fR +\fBsudoers\fR security policy .TP 26n \fI/etc/environment\fR @@ -4155,7 +4151,7 @@ mode on AIX and Linux systems .SH "EXAMPLES" Below are example \fIsudoers\fR -entries. +file entries. Admittedly, some of these are a bit contrived. First, we allow a few environment variables to pass and then define our \fIaliases\fR: @@ -4635,7 +4631,7 @@ it can result in a security issue for rules that subtract or revoke privileges. .PP For example, given the following \fIsudoers\fR -entry: +file entry: .nf .sp .RS 0n 
@@ -4760,16 +4756,16 @@ user permission to run (see below). .SS "Secure editing" The -\fIsudoers\fR +\fBsudoers\fR plugin includes \fBsudoedit\fR support which allows users to securely edit files with the editor of their choice. As \fBsudoedit\fR -is a built-in command, it must be specified in +is a built-in command, it must be specified in the \fIsudoers\fR -without a leading path. +file without a leading path. However, it may take command line arguments just as a normal command does. Wildcards used in \fIsudoedit\fR @@ -4833,7 +4829,7 @@ tag. However, it is still possible to create a hard link if the directory is writable and the link target resides on the same file system. .SS "Time stamp file checks" -\fIsudoers\fR +\fBsudoers\fR will check the ownership of its time stamp directory (\fI@rundir@/ts\fR by default) @@ -4853,14 +4849,14 @@ be cleared at reboot time, not all systems contain a \fI/var/run\fR directory. To avoid potential problems, -\fIsudoers\fR +\fBsudoers\fR will ignore time stamp files that date from before the machine booted on systems where the boot time is available. .PP Some systems with graphical desktop environments allow unprivileged users to change the system clock. Since -\fIsudoers\fR +\fBsudoers\fR relies on the system clock for time stamp validation, it may be possible on such systems for a user to run \fBsudo\fR @@ -4868,16 +4864,16 @@ for longer than \fItimestamp_timeout\fR by setting the clock back. To combat this, -\fIsudoers\fR +\fBsudoers\fR uses a monotonic clock (which never moves backwards) for its time stamps if the system supports it. .PP -\fIsudoers\fR +\fBsudoers\fR will not honor time stamps set far in the future. Time stamps with a date greater than current_time + 2 * \fRTIMEOUT\fR will be ignored and -\fIsudoers\fR +\fBsudoers\fR will log and complain. .PP Since time stamp files live in the file system, they can outlive a 
@@ -4888,8 +4884,9 @@ after authenticating, logout, login again, and run \fBsudo\fR without authenticating so long as the record's time stamp is within \fR@timeout@\fR -minutes (or whatever value the timeout is set to in -\fIsudoers\fR). +minutes (or whatever value the timeout is set to in the +\fIsudoers\fR +file). When the \fItty_tickets\fR option is enabled, the time stamp record includes the device @@ -4958,6 +4955,7 @@ user authentication .TP 10n \fIdefaults\fR \fIsudoers\fR +file \fIDefaults\fR settings .TP 10n @@ -4971,15 +4969,16 @@ LDAP-based sudoers logging support .TP 10n \fImatch\fR -matching of users, groups, hosts and netgroups in +matching of users, groups, hosts and netgroups in the \fIsudoers\fR +file .TP 10n \fInetif\fR network interface handling .TP 10n \fInss\fR network service switch handling in -\fIsudoers\fR +\fBsudoers\fR .TP 10n \fIparser\fR \fIsudoers\fR @@ -5053,9 +5052,9 @@ be edited by the \fBvisudo\fR command which locks the file and does grammatical checking. It is -imperative that +imperative that the \fIsudoers\fR -be free of syntax errors since +file be free of syntax errors since \fBsudo\fR will not run with a syntactically incorrect \fIsudoers\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 0d5c9fa36..98c076556 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -42,7 +42,7 @@ The policy format is described in detail in the .Sx SUDOERS FILE FORMAT section. For information on storing -.Em sudoers +.Nm sudoers policy information in LDAP, please see .Xr sudoers.ldap @mansectform@ . @@ -126,7 +126,7 @@ For more information on configuring please refer to its manual. .Ss Authentication and logging The -.Em sudoers +.Nm sudoers security policy requires that most users authenticate themselves before they can use .Nm sudo . 
@@ -137,7 +137,7 @@ user or command. Unlike .Xr su 1 , when -.Em sudoers +.Nm sudoers requires authentication, it validates the invoking user's credentials, not the target user's (or root's) credentials. @@ -186,7 +186,7 @@ is run by root and the .Ev SUDO_USER environment variable is set, the -.Em sudoers +.Nm sudoers policy will use this value to determine who the actual user is. This can be used by a user to log commands @@ -198,10 +198,10 @@ option to remain useful even when invoked via a sudo-run script or program. Note, however, that the .Em sudoers -lookup is still done for root, not the user specified by +file lookup is still done for root, not the user specified by .Ev SUDO_USER . .Pp -.Em sudoers +.Nm sudoers uses per-user time stamp files for credential caching. Once a user has been authenticated, a record is written containing the uid that was used to authenticate, the @@ -217,21 +217,20 @@ minutes unless overridden by the option .Pc . By default, -.Em sudoers +.Nm sudoers uses a separate record for each tty, which means that a user's login sessions are authenticated separately. The .Em tty_tickets option can be disabled to force the use of a single time stamp for all of a user's sessions. -.Pp -.Em sudoers +.Nm sudoers can log both successful and unsuccessful attempts (as well as errors) to .Xr syslog 3 , a log file, or both. By default, -.Em sudoers +.Nm sudoers will log via .Xr syslog 3 but this is changeable via the @@ -255,12 +254,12 @@ and command tags. .Ss Command environment Since environment variables can influence program behavior, -.Em sudoers +.Nm sudoers provides a means to restrict which variables from the user's environment are inherited by the command to be run. There are two distinct ways -.Em sudoers +.Nm sudoers can deal with environment variables. .Pp By default, the 
@@ -410,7 +409,7 @@ As a special case, if .Fl i option (initial login) is specified, -.Em sudoers +.Nm sudoers will initialize the environment regardless of the value of .Em env_reset . @@ -462,7 +461,7 @@ not necessarily the most specific match). .Pp The .Em sudoers -grammar will be described below in Extended Backus-Naur +file grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly simple, and the definitions below are annotated. @@ -803,9 +802,9 @@ Note that .Dq Li sudoedit is a command built into .Nm sudo -itself and must be specified in +itself and must be specified in the .Em sudoers -without a leading path. +file without a leading path. .Pp If a .Li command name @@ -1096,7 +1095,7 @@ optionally setting the group to operator or system. .Ss SELinux_Spec On systems with SELinux support, .Em sudoers -entries may optionally have an SELinux role and/or type associated +file entries may optionally have an SELinux role and/or type associated with a command. If a role or type is specified with the command it will override any default values @@ -1108,7 +1107,7 @@ however, will supersede the values in .Ss Solaris_Priv_Spec On Solaris systems, .Em sudoers -entries may optionally specify Solaris privilege set and/or limit +file entries may optionally specify Solaris privilege set and/or limit privilege set associated with a command. If privileges or limit privileges are specified with the command it will override any default values specified in @@ -1473,9 +1472,9 @@ $ sudo cat /var/log/messages /etc/shadow .Pp which is probably not what was intended. In most cases it is better to do command line processing -outside of +outside of the .Em sudoers -in a scripting language. +file in a scripting language. .Ss Exceptions to wildcard rules The following exceptions apply to the above rules: .Bl -tag -width 8n 
@@ -1484,7 +1483,7 @@ If the empty string .Li \&"" is the only command line argument in the .Em sudoers -entry it means that command is not allowed to be run with +file entry it means that command is not allowed to be run with .Em any arguments. .It sudoedit @@ -1510,7 +1509,7 @@ This can be used, for example, to keep a site-wide file in addition to a local, per-machine file. For the sake of this example the site-wide .Em sudoers -will be +file will be .Pa /etc/sudoers and the per-machine one will be .Pa /etc/sudoers.local . @@ -1576,8 +1575,7 @@ directive can be used to create a .Pa sudoers.d directory that the system package manager can drop .Em sudoers -rules -into as part of package installation. +file rules into as part of package installation. For example, given: .Bd -literal -offset 4n #includedir /etc/sudoers.d @@ -1951,9 +1949,9 @@ This has security implications when path names that include globbing characters are used with the negation operator, .Ql !\& , as such rules can be trivially bypassed. -As such, this option should not be used when +As such, this option should not be used when the .Em sudoers -contains rules that contain negated path names which include globbing +file contains rules that contain negated path names which include globbing characters. This flag is .Em off @@ -2077,9 +2075,7 @@ by default. .It log_input If set, .Nm sudo -will run the command in a -.Em pseudo-tty -and log all user input. +will run the command in a pseudo-tty and log all user input. If the standard input is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that input is also captured and stored in a separate log file. 
@@ -2123,9 +2119,8 @@ is all that is required. .It log_output If set, .Nm sudo -will run the command in a -.Em pseudo-tty -and log all output that is sent to the screen, similar to the +will run the command in a pseudo-tty and log all output that is sent +to the screen, similar to the .Xr script 1 command. If the standard output or standard error is not connected to the @@ -2220,7 +2215,7 @@ user if the user running .Nm sudo does not enter the correct password. If the command the user is attempting to run is not permitted by -.Em sudoers +.Nm sudoers and one of the .Em mail_all_cmnds , .Em mail_always , @@ -2639,12 +2634,13 @@ by default. .It umask_override If set, .Nm sudo -will set the umask as specified by +will set the umask as specified in the .Em sudoers -without modification. -This makes it possible to specify a more permissive umask in +file without modification. +This makes it possible to specify a umask in the .Em sudoers -than the user's own umask and matches historical behavior. +file that is more permissive than the user's own umask and matches +historical behavior. If .Em umask_override is not set, @@ -3062,9 +3058,9 @@ is built on Solaris 10 or higher. .It role The default SELinux role to use when constructing a new security context to run the command. -The default role may be overridden on a per-command basis in +The default role may be overridden on a per-command basis in the .Em sudoers -or via command line options. +file or via command line options. This option is only available when .Nm sudo is built with SELinux support. @@ -3118,9 +3114,9 @@ The default is .It type The default SELinux type to use when constructing a new security context to run the command. -The default type may be overridden on a per-command basis in +The default type may be overridden on a per-command basis in the .Em sudoers -or via command line options. +file or via command line options. This option is only available when .Nm sudo is built with SELinux support. 
@@ -3152,7 +3148,7 @@ prefix. This is not set by default. .It group_plugin A string containing a -.Em sudoers +.Nm sudoers group plugin with optional arguments. The string should consist of the plugin path, either fully-qualified or relative to the @@ -3205,7 +3201,7 @@ It has the following possible values: .It all All the user's .Em sudoers -entries for the current host must have +file entries for the current host must have the .Li NOPASSWD flag set to avoid entering a password. @@ -3216,7 +3212,7 @@ option. .It any At least one of the user's .Em sudoers -entries for the current host +file entries for the current host must have the .Li NOPASSWD flag set to avoid entering a password. @@ -3324,7 +3320,7 @@ It has the following possible values: .It all All the user's .Em sudoers -entries for the current host must have the +file entries for the current host must have the .Li NOPASSWD flag set to avoid entering a password. .It always @@ -3334,7 +3330,7 @@ option. .It any At least one of the user's .Em sudoers -entries for the current host must have the +file entries for the current host must have the .Li NOPASSWD flag set to avoid entering a password. .It never @@ -3660,9 +3656,9 @@ file is located on a remote file system that maps user ID 0 to a different value. Normally, .Nm -tries to open +tries to open the .Em sudoers -using group permissions to avoid this problem. +file using group permissions to avoid this problem. Consider either changing the ownership of .Pa @sysconfdir@/sudoers or adding an argument like @@ -3738,7 +3734,7 @@ line in the .Xr sudo.conf @mansectform@ file. .It unable to open @rundir@/ts/username -.Em sudoers +.Nm sudoers was unable to read or create the user's time stamp file. This can happen when .Em timestampowner 
@@ -3749,7 +3745,7 @@ The default mode for .Pa @rundir@ is 0711. .It unable to write to @rundir@/ts/username -.Em sudoers +.Nm sudoers was unable to write to the user's time stamp file. .It @rundir@/ts is owned by uid X, should be Y The time stamp directory is owned by a user other than @@ -3757,18 +3753,18 @@ The time stamp directory is owned by a user other than This can occur when the value of .Em timestampowner has been changed. -.Em sudoers +.Nm sudoers will ignore the time stamp directory until the owner is corrected. .It @rundir@/ts is group writable The time stamp directory is group-writable; it should be writable only by .Em timestampowner . The default mode for the time stamp directory is 0700. -.Em sudoers +.Nm sudoers will ignore the time stamp directory until the mode is corrected. .El .Ss Notes on logging via syslog By default, -.Em sudoers +.Nm sudoers logs messages via .Xr syslog 3 . The @@ -3777,7 +3773,7 @@ The and .Em progname fields are added by the syslog daemon, not -.Em sudoers +.Nm sudoers itself. As such, they may vary in format on different systems. .Pp @@ -3796,11 +3792,11 @@ after the user name and before the continued command line arguments. If the .Em logfile option is set, -.Em sudoers +.Nm sudoers will log to a local file, such as .Pa /var/log/sudo . When logging to a file, -.Em sudoers +.Nm sudoers uses a format similar to .Xr syslog 3 , with a few important differences: @@ -3845,11 +3841,11 @@ List of network groups I/O log files .It Pa @rundir@/ts Directory containing time stamps for the -.Em sudoers +.Nm sudoers security policy .It Pa @vardir@/lectured Directory containing lecture status files for the -.Em sudoers +.Nm sudoers security policy .It Pa /etc/environment Initial environment for 
@@ -3859,7 +3855,7 @@ mode on AIX and Linux systems .Sh EXAMPLES Below are example .Em sudoers -entries. +file entries. Admittedly, some of these are a bit contrived. First, we allow a few environment variables to pass and then define our .Em aliases : @@ -4277,7 +4273,7 @@ it can result in a security issue for rules that subtract or revoke privileges. .Pp For example, given the following .Em sudoers -entry: +file entry: .Bd -literal john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root @@ -4394,16 +4390,16 @@ user permission to run (see below). .Ss Secure editing The -.Em sudoers +.Nm sudoers plugin includes .Nm sudoedit support which allows users to securely edit files with the editor of their choice. As .Nm sudoedit -is a built-in command, it must be specified in +is a built-in command, it must be specified in the .Em sudoers -without a leading path. +file without a leading path. However, it may take command line arguments just as a normal command does. Wildcards used in .Em sudoedit @@ -4461,7 +4457,7 @@ tag. However, it is still possible to create a hard link if the directory is writable and the link target resides on the same file system. .Ss Time stamp file checks -.Em sudoers +.Nm sudoers will check the ownership of its time stamp directory .Po .Pa @rundir@/ts @@ -4483,14 +4479,14 @@ be cleared at reboot time, not all systems contain a .Pa /var/run directory. To avoid potential problems, -.Em sudoers +.Nm sudoers will ignore time stamp files that date from before the machine booted on systems where the boot time is available. .Pp Some systems with graphical desktop environments allow unprivileged users to change the system clock. Since -.Em sudoers +.Nm sudoers relies on the system clock for time stamp validation, it may be possible on such systems for a user to run .Nm sudo 
@@ -4498,16 +4494,16 @@ for longer than .Em timestamp_timeout by setting the clock back. To combat this, -.Em sudoers +.Nm sudoers uses a monotonic clock (which never moves backwards) for its time stamps if the system supports it. .Pp -.Em sudoers +.Nm sudoers will not honor time stamps set far in the future. Time stamps with a date greater than current_time + 2 * .Li TIMEOUT will be ignored and -.Em sudoers +.Nm sudoers will log and complain. .Pp Since time stamp files live in the file system, they can outlive a @@ -4518,8 +4514,9 @@ after authenticating, logout, login again, and run .Nm sudo without authenticating so long as the record's time stamp is within .Li @timeout@ -minutes (or whatever value the timeout is set to in -.Em sudoers ) . +minutes (or whatever value the timeout is set to in the +.Em sudoers +file). When the .Em tty_tickets option is enabled, the time stamp record includes the device @@ -4584,6 +4581,7 @@ BSM and Linux audit code user authentication .It Em defaults .Em sudoers +file .Em Defaults settings .It Em env @@ -4593,13 +4591,14 @@ LDAP-based sudoers .It Em logging logging support .It Em match -matching of users, groups, hosts and netgroups in +matching of users, groups, hosts and netgroups in the .Em sudoers +file .It Em netif network interface handling .It Em nss network service switch handling in -.Em sudoers +.Nm sudoers .It Em parser .Em sudoers file parsing @@ -4660,9 +4659,9 @@ be edited by the .Nm visudo command which locks the file and does grammatical checking. It is -imperative that +imperative that the .Em sudoers -be free of syntax errors since +file be free of syntax errors since .Nm sudo will not run with a syntactically incorrect .Em sudoers -- 2.40.0
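Review bot: The `-.Pp` removed in the sudoers.mdoc.in hunk `@@ -217,21 +217,20 @@` has no replacement, so the paragraph ending "...a single time stamp for all of a user's sessions." now runs directly into ".Nm sudoers can log both successful and unsuccessful attempts...". That merge is not covered by the commit message (markup of the word "sudoers" only) and looks accidental; restore the `.Pp` before `.Nm sudoers` unless the two paragraphs are meant to be joined, and make sure the generated sudoers.man.in and sudoers.cat end up with the same paragraph structure.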
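Review bot: The log_input hunk (`@@ -2077,9 +2075,7 @@` in sudoers.mdoc.in, mirrored in sudoers.man.in at `@@ -2218,9 +2216,7 @@`) drops the `.Em pseudo-tty` emphasis and reflows "will run the command in a pseudo-tty and log all user input.", and the log_output hunk that follows does the same for "pseudo-tty" on the output side. That is a separate stylistic change from the "Nm sudoers"/"Em sudoers" distinction the commit message describes; either mention it in the commit message or split it into its own commit so the Nm/Em change stays a mechanical, easy-to-verify edit.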
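Review bot: In the umask_override hunk (`@@ -2639,12 +2634,13 @@` in sudoers.mdoc.in and `@@ -2809,12 +2804,13 @@` in sudoers.man.in) the rewritten sentence "This makes it possible to specify a umask in the sudoers file that is more permissive than the user's own umask and matches historical behavior." now reads as though the umask itself "matches historical behavior", whereas the old wording attached that clause to the override behaviour. Since umask_override governs whether the policy can loosen the user's umask, the security meaning should stay unambiguous; suggest "...more permissive than the user's own umask; this matches historical behavior." or splitting it into two sentences.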
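Review bot: Style point for the sudoers.mdoc.in hunks that introduce `.Nm sudoers` (for example `@@ -126,7 +126,7 @@` and `@@ -3738,7 +3734,7 @@`): the unchanged context line "Normally, .Nm tries to open the" in hunk `@@ -3660,9 +3656,9 @@` already relies on bare `.Nm` expanding to the page name, so the file now mixes `.Nm` and `.Nm sudoers` for the same plugin reference. Pick one form within this page (bare `.Nm` is the shorter and already-used one) so a later grep for the plugin name versus the file name stays reliable.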