From d4f2ddb44824392ff3db0d6758572022b09e5f5d Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 28 Jan 2011 16:14:29 -0500
Subject: [PATCH] Document that sudoers_locale also affects logging and email.
--HG--
branch : 1.7
---
 sudoers.cat | 100 ++++++++++++++++++++++++-------------------------
 sudoers.man.in | 8 ++--
 sudoers.pod | 6 +--
 3 files changed, 57 insertions(+), 57 deletions(-)
diff --git a/sudoers.cat b/sudoers.cat
index 1a7cb63a5..d3fa3c35b 100644
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.5b2 January 13, 2011 1 +1.7.5b2 January 28, 2011 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 2 +1.7.5b2 January 28, 2011 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 3 +1.7.5b2 January 28, 2011 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 4 +1.7.5b2 January 28, 2011 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 5 +1.7.5b2 January 28, 2011 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 6 +1.7.5b2 January 28, 2011 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 7 +1.7.5b2 January 28, 2011 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 8 +1.7.5b2 January 28, 2011 8 @@ -589,7 +589,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 9 +1.7.5b2 January 28, 2011 9 @@ -655,7 +655,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.7.5b2 January 13, 2011 10 +1.7.5b2 January 28, 2011 10 @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 11 +1.7.5b2 January 28, 2011 11 @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 12 +1.7.5b2 January 28, 2011 12
@@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 13 +1.7.5b2 January 28, 2011 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 14 +1.7.5b2 January 28, 2011 14 @@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 15 +1.7.5b2 January 28, 2011 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 16 +1.7.5b2 January 28, 2011 16 @@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.7.5b2 January 13, 2011 17 +1.7.5b2 January 28, 2011 17 @@ -1131,9 +1131,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) syslog_goodpri Syslog priority to use when user authenticates successfully. Defaults to notice. - sudoers_locale Locale to use when parsing the sudoers file. Note that - changing the locale may affect how sudoers is - interpreted. Defaults to "C". + sudoers_locale Locale to use when parsing the sudoers file, logging + commands, and sending email. Note that changing the + locale may affect how sudoers is interpreted. Defaults + to "C". timestampdir The directory in which ssuuddoo stores its timestamp files. The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. @@ -1179,11 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) never Never lecture the user. - once Only lecture the user the first time they run ssuuddoo. -1.7.5b2 January 13, 2011 18 +1.7.5b2 January 28, 2011 18 @@ -1192,6 +1192,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + once Only lecture the user the first time they run ssuuddoo. + If no value is specified, a value of _o_n_c_e is implied. Negating the option results in a value of _n_e_v_e_r being used. The default value is _o_n_c_e. 
@@ -1244,12 +1246,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) secure_path Path used for every command run from ssuuddoo. If you don't trust the people running ssuuddoo to have a sane PATH environment variable you may want to use this. Another use - is if you want to have the "root path" be separate from the - "user path." Users in the group specified by the -1.7.5b2 January 13, 2011 19 +1.7.5b2 January 28, 2011 19 @@ -1258,6 +1258,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + is if you want to have the "root path" be separate from the + "user path." Users in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This option is not set by default. @@ -1310,12 +1312,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) can be replaced, added to, deleted from, or disabled by using the =, +=, -=, and ! operators respectively. The default list of environment variables to remove is - displayed when ssuuddoo is run by root with the _-_V option. - Note that many operating systems will remove -1.7.5b2 January 13, 2011 20 +1.7.5b2 January 28, 2011 20 @@ -1324,6 +1324,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + displayed when ssuuddoo is run by root with the _-_V option. + Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as ssuuddoo). @@ -1376,12 +1378,10 @@ EEXXAAMMPPLLEESS # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ - SGI = grolsch, dandelion, black :\ - ALPHA = widget, thalamus, foobar :\ -1.7.5b2 January 13, 2011 21 +1.7.5b2 January 28, 2011 21 
@@ -1390,6 +1390,8 @@ EEXXAAMMPPLLEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ HPPA = boa, nag, python Host_Alias CUNETS = 128.138.0.0/255.255.0.0 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 @@ -1443,11 +1445,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on any host without authenticating themselves. - PARTTIMERS ALL = ALL - -1.7.5b2 January 13, 2011 22 +1.7.5b2 January 28, 2011 22 @@ -1456,6 +1456,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + PARTTIMERS ALL = ALL + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on any host but they must authenticate themselves first (since the entry lacks the NOPASSWD tag). @@ -1508,12 +1510,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the printers as - well as add and remove users, so they are allowed to run those commands -1.7.5b2 January 13, 2011 23 +1.7.5b2 January 28, 2011 23 @@ -1522,6 +1522,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands on all machines. fred ALL = (DB) NOPASSWD: ALL @@ -1575,11 +1577,9 @@ SSEECCUURRIITTYY NNOOTTEESS desired command to a different name and then executing that. For example: - bill ALL = ALL, !SU, !SHELLS - -1.7.5b2 January 13, 2011 24 +1.7.5b2 January 28, 2011 24 
@@ -1588,6 +1588,8 @@ SSEECCUURRIITTYY NNOOTTEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + bill ALL = ALL, !SU, !SHELLS + Doesn't really prevent bbiillll from running the commands listed in _S_U or _S_H_E_L_L_S since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these @@ -1641,11 +1643,9 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS sudo -V | grep "dummy exec" - If the resulting output contains a line that begins with: - -1.7.5b2 January 13, 2011 25 +1.7.5b2 January 28, 2011 25 @@ -1654,6 +1654,8 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If the resulting output contains a line that begins with: + File containing dummy exec functions: then ssuuddoo may be able to replace the exec family of functions @@ -1706,12 +1708,10 @@ BBUUGGSS SSUUPPPPOORRTT Limited free support is available via the sudo-users mailing list, see - http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search - the archives. -1.7.5b2 January 13, 2011 26 +1.7.5b2 January 28, 2011 26 @@ -1720,6 +1720,9 @@ SSUUPPPPOORRTT SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + DDIISSCCLLAAIIMMEERR ssuuddoo is provided ``AS IS'' and any express or implied warranties, including, but not limited to, the implied warranties of @@ -1774,9 +1777,6 @@ DDIISSCCLLAAIIMMEERR - - - -1.7.5b2 January 13, 2011 27 +1.7.5b2 January 28, 2011 27 diff --git a/sudoers.man.in b/sudoers.man.in index d1a4fa3ad..95b3320d5 100644 --- a/sudoers.man.in +++ b/sudoers.man.in 
@@ -148,7 +148,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "January 13, 2011" "1.7.5b2" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "January 28, 2011" "1.7.5b2" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification. Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -1184,9 +1184,9 @@ Syslog priority to use when user authenticates successfully.
 Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
 .IP "sudoers_locale" 16
 .IX Item "sudoers_locale"
-Locale to use when parsing the sudoers file. Note that changing
-the locale may affect how sudoers is interpreted.
-Defaults to \f(CW"C"\fR.
+Locale to use when parsing the sudoers file, logging commands, and
+sending email. Note that changing the locale may affect how sudoers
+is interpreted. Defaults to \f(CW"C"\fR.
 .IP "timestampdir" 16
 .IX Item "timestampdir"
 The directory in which \fBsudo\fR stores its timestamp files.
diff --git a/sudoers.pod b/sudoers.pod
index 1768c3cf2..4697be69b 100644
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -1107,9 +1107,9 @@ Defaults to C<@goodpri@>.
 =item sudoers_locale
-Locale to use when parsing the sudoers file. Note that changing
-the locale may affect how sudoers is interpreted.
-Defaults to C<"C">.
+Locale to use when parsing the sudoers file, logging commands, and
+sending email. Note that changing the locale may affect how sudoers
+is interpreted. Defaults to C<"C">.
 =item timestampdir
--
2.40.0