isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Remove pod versions of the manual; we now use mdoc.

Browse Source
This commit is contained in:
Todd C. Miller
2012-07-26 13:51:43 -04:00
parent 336233c2e5
commit 12bad90ba3
8 changed files with 0 additions and 6152 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
doc/sudo.man.pl
View File

@@ -1,35 +0,0 @@
#!/usr/bin/perl -p
BEGIN {
%tags = ( 'a', 'BA', 'c', 'LC', 'r', 'SL', 't', 'SL');
$cond = -1;
}
# Initialize the numeric register we use for conditionals
if ($cond == -1) {
$_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.nr PT \@password_timeout\@\n.\\\"\n$_";
$cond = 0;
}
# Add conditionals
if (/^\.IP.*-([acrt])/) {
$_ = ".if \\n($tags{$1} \\{\\\n$_";
$cond = 1;
} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
$_ = "\\}\n$_";
$cond = 0;
}
if (/-a.*auth_type/) {
$_ = ".if \\n($tags{'a'} $_";
} elsif (/(-c.*class.*\||login_cap)/) {
$_ = ".if \\n($tags{'c'} $_";
} elsif (/-r.*role.*-t.*type/) {
$_ = ".if \\n($tags{'r'} $_";
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
# Try to deal sensibly with password_timeout being set to 0 by default
s/([^ ]*\@password_timeout\@[^ ]* minutes.$)/\n.ie \\n(PT $1\n.el unlimited./;

807
doc/sudo.pod
View File

@@ -1,807 +0,0 @@
Copyright (c) 1994-1996, 1998-2005, 2007-2012
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
=pod
=head1 NAME
sudo, sudoedit - execute a command as another user
=head1 SYNOPSIS
B<sudo> B<-h> | B<-K> | B<-k> | B<-V>
B<sudo> B<-v> [B<-AknS>]
S<[B<-a> I<auth_type>]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<user name>|I<#uid>]>
B<sudo> B<-l[l]> [B<-AknS>]
S<[B<-a> I<auth_type>]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
B<sudo> [B<-AbEHnPS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-r> I<role>]> S<[B<-t> I<type>]>
S<[B<-u> I<user name>|I<#uid>]>
S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
B<sudoedit> [B<-AnS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<user name>|I<#uid>]> file ...
=head1 DESCRIPTION
B<sudo> allows a permitted user to execute a I<command> as the
superuser or another user, as specified by the security policy.
The real and effective uid and gid are set to match those of the
target user, as specified in the password database, and the group
vector is initialized based on the group database (unless the B<-P>
option was specified).
B<sudo> supports a plugin architecture for security policies and
input/output logging. Third parties can develop and distribute
their own policy and I/O logging modules to work seamlessly with
the B<sudo> front end. The default security policy is I<sudoers>,
which is configured via the file F<@sysconfdir@/sudoers>, or via
LDAP. See the L<PLUGINS> section for more information.
The security policy determines what privileges, if any, a user has
to run B<sudo>. The policy may require that users authenticate
themselves with a password or another authentication mechanism. If
authentication is required, B<sudo> will exit if the user's password
is not entered within a configurable time limit. This limit is
policy-specific; the default password prompt timeout for the
I<sudoers> security policy is C<@password_timeout@> minutes.
Security policies may support credential caching to allow the user
to run B<sudo> again for a period of time without requiring
authentication. The I<sudoers> policy caches credentials for
C<@timeout@> minutes, unless overridden in L<sudoers(5)>. By
running B<sudo> with the B<-v> option, a user can update the cached
credentials without running a I<command>.
When invoked as B<sudoedit>, the B<-e> option (described below),
is implied.
Security policies may log successful and failed attempts to use
B<sudo>. If an I/O plugin is configured, the running command's
input and output may be logged as well.
=head1 OPTIONS
B<sudo> accepts the following command line options:
=over 12
=item -A
Normally, if B<sudo> requires a password, it will read it from the
user's terminal. If the B<-A> (I<askpass>) option is specified,
a (possibly graphical) helper program is executed to read the user's
password and output the password to the standard output. If the
C<SUDO_ASKPASS> environment variable is set, it specifies the path
to the helper program. Otherwise, if F<@sysconfdir@/sudo.conf>
contains a line specifying the askpass program, that value will be
used. For example:
# Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, sudo will exit with an error.
=item -a I<type>
The B<-a> (I<authentication type>) option causes B<sudo> to use the
specified authentication type when validating the user, as allowed
by F</etc/login.conf>. The system administrator may specify a list
of sudo-specific authentication methods by adding an "auth-sudo"
entry in F</etc/login.conf>. This option is only available on systems
that support BSD authentication.
=item -b
The B<-b> (I<background>) option tells B<sudo> to run the given
command in the background. Note that if you use the B<-b>
option you cannot use shell job control to manipulate the process.
Most interactive commands will fail to work properly in background
mode.
=item -C I<fd>
Normally, B<sudo> will close all open file descriptors other than
standard input, standard output and standard error. The B<-C>
(I<close from>) option allows the user to specify a starting point
above the standard error (file descriptor three). Values less than
three are not permitted. The security policy may restrict the
user's ability to use the B<-C> option. The I<sudoers> policy only
permits use of the B<-C> option when the administrator has enabled
the I<closefrom_override> option.
=item -c I<class>
The B<-c> (I<class>) option causes B<sudo> to run the specified command
with resources limited by the specified login class. The I<class>
argument can be either a class name as defined in F</etc/login.conf>,
or a single '-' character. Specifying a I<class> of C<-> indicates
that the command should be run restricted by the default login
capabilities for the user the command is run as. If the I<class>
argument specifies an existing user class, the command must be run
as root, or the B<sudo> command must be run from a shell that is already
root. This option is only available on systems with BSD login classes.
=item -E
The B<-E> (I<preserve> I<environment>) option indicates to the
security policy that the user wishes to preserve their existing
environment variables. The security policy may return an error if
the B<-E> option is specified and the user does not have permission
to preserve the environment.
=item -e
The B<-e> (I<edit>) option indicates that, instead of running a
command, the user wishes to edit one or more files. In lieu of a
command, the string "sudoedit" is used when consulting the security
policy. If the user is authorized by the policy, the following
steps are taken:
=over 4
=item 1.
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
=item 2.
The editor specified by the policy is run to edit the temporary files.
The I<sudoers> policy uses the C<SUDO_EDITOR>, C<VISUAL> and C<EDITOR>
environment variables (in that order). If none of C<SUDO_EDITOR>,
C<VISUAL> or C<EDITOR> are set, the first program listed in the
I<editor> L<sudoers(5)> option is used.
=item 3.
If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
=back
If the specified file does not exist, it will be created. Note
that unlike most commands run by B<sudo>, the editor is run with
the invoking user's environment unmodified. If, for some reason,
B<sudo> is unable to update a file with its edited version, the
user will receive a warning and the edited copy will remain in a
temporary file.
=item -g I<group>
Normally, B<sudo> runs a command with the primary group set to the
one specified by the password database for the user the command is
being run as (by default, root). The B<-g> (I<group>) option causes
B<sudo> to run the command with the primary group set to I<group>
instead. To specify a I<gid> instead of a I<group name>, use
I<#gid>. When running commands as a I<gid>, many shells require
that the '#' be escaped with a backslash ('\'). If no B<-u> option
is specified, the command will be run as the invoking user (not
root). In either case, the primary group will be set to I<group>.
=item -H
The B<-H> (I<HOME>) option requests that the security policy set
the C<HOME> environment variable to the home directory of the target
user (root by default) as specified by the password database.
Depending on the policy, this may be the default behavior.
=item -h
The B<-h> (I<help>) option causes B<sudo> to print a short help message
to the standard output and exit.
=item -i [command]
The B<-i> (I<simulate initial login>) option runs the shell specified
by the password database entry of the target user as a login shell.
This means that login-specific resource files such as C<.profile>
or C<.login> will be read by the shell. If a command is specified,
it is passed to the shell for execution via the shell's B<-c> option.
If no command is specified, an interactive shell is executed.
B<sudo> attempts to change to that user's home directory before
running the shell. The security policy shall initialize the
environment to a minimal set of variables, similar to what is present
when a user logs in. The I<Command Environment> section in the
L<sudoers(5)> manual documents how the B<-i> option affects the
environment in which a command is run when the I<sudoers> policy
is in use.
=item -K
The B<-K> (sure I<kill>) option is like B<-k> except that it removes
the user's cached credentials entirely and may not be used in
conjunction with a command or other option. This option does not
require a password. Not all security policies support credential
caching.
=item -k [command]
When used alone, the B<-k> (I<kill>) option to B<sudo> invalidates
the user's cached credentials. The next time B<sudo> is run a
password will be required. This option does not require a password
and was added to allow a user to revoke B<sudo> permissions from a
.logout file. Not all security policies support credential
caching.
When used in conjunction with a command or an option that may require
a password, the B<-k> option will cause B<sudo> to ignore the user's
cached credentials. As a result, B<sudo> will prompt for a password
(if one is required by the security policy) and will not update the
user's cached credentials.
=item -l[l] [I<command>]
If no I<command> is specified, the B<-l> (I<list>) option will list
the allowed (and forbidden) commands for the invoking user (or the
user specified by the B<-U> option) on the current host. If a
I<command> is specified and is permitted by the security policy,
the fully-qualified path to the command is displayed along with any
command line arguments. If I<command> is specified but not allowed,
B<sudo> will exit with a status value of 1. If the B<-l> option
is specified with an B<l> argument (i.e. B<-ll>), or if B<-l> is
specified multiple times, a longer list format is used.
=item -n
The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
the user for a password. If a password is required for the command
to run, B<sudo> will display an error message and exit.
=item -P
The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
preserve the invoking user's group vector unaltered. By default,
the I<sudoers> policy will initialize the group vector to the list
of groups the target user is in. The real and effective group IDs,
however, are still set to match the target user.
=item -p I<prompt>
The B<-p> (I<prompt>) option allows you to override the default
password prompt and use a custom one. The following percent (`C<%>')
escapes are supported by the I<sudoers> policy:
=over 4
=item C<%H>
expanded to the host name including the domain name (on if
the machine's host name is fully qualified or the I<fqdn> option
is set in L<sudoers(5)>)
=item C<%h>
expanded to the local host name without the domain name
=item C<%p>
expanded to the name of the user whose password is being requested
(respects the I<rootpw>, I<targetpw> and I<runaspw> flags in
L<sudoers(5)>)
=item C<%U>
expanded to the login name of the user the command will be run as
(defaults to root unless the B<-u> option is also specified)
=item C<%u>
expanded to the invoking user's login name
=item C<%%>
two consecutive C<%> characters are collapsed into a single C<%> character
=back
The prompt specified by the B<-p> option will override the system
password prompt on systems that support PAM unless the
I<passprompt_override> flag is disabled in I<sudoers>.
=item -r I<role>
The B<-r> (I<role>) option causes the new (SELinux) security context to
have the role specified by I<role>.
=item -S
The B<-S> (I<stdin>) option causes B<sudo> to read the password from
the standard input instead of the terminal device. The password must
be followed by a newline character.
=item -s [command]
The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
environment variable if it is set or the shell as specified in the
password database. If a command is specified, it is passed to the
shell for execution via the shell's B<-c> option. If no command
is specified, an interactive shell is executed.
=item -t I<type>
The B<-t> (I<type>) option causes the new (SELinux) security context to
have the type specified by I<type>. If no type is specified, the default
type is derived from the specified role.
=item -U I<user>
The B<-U> (I<other user>) option is used in conjunction with the
B<-l> option to specify the user whose privileges should be listed.
The security policy may restrict listing other users' privileges.
The I<sudoers> policy only allows root or a user with the C<ALL>
privilege on the current host to use this option.
=item -u I<user>
The B<-u> (I<user>) option causes B<sudo> to run the specified
command as a user other than I<root>. To specify a I<uid> instead
of a I<user name>, use I<#uid>. When running commands as a I<uid>,
many shells require that the '#' be escaped with a backslash ('\').
Security policies may restrict I<uid>s to those listed in the
password database. The I<sudoers> policy allows I<uid>s that are
not in the password database as long as the I<targetpw> option is
not set. Other security policies may not support this.
=item -V
The B<-V> (I<version>) option causes B<sudo> to print its version
string and the version string of the security policy plugin and any
I/O plugins. If the invoking user is already root the B<-V> option
will display the arguments passed to configure when B<sudo> was
built and plugins may display more verbose information such as
default options.
=item -v
When given the B<-v> (I<validate>) option, B<sudo> will update the
user's cached credentials, authenticating the user's password if
necessary. For the I<sudoers> plugin, this extends the B<sudo>
timeout for another C<@timeout@> minutes (or whatever the timeout
is set to by the security policy) but does not run a command. Not all
security policies support cached credentials.
=item --
The B<--> option indicates that B<sudo> should stop processing command
line arguments.
=back
Environment variables to be set for the command may also be passed
on the command line in the form of B<VAR>=I<value>, e.g.
B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>. Variables passed on the
command line are subject to the same restrictions as normal environment
variables with one important exception. If the I<setenv> option
is set in I<sudoers>, the command to be run has the C<SETENV> tag
set or the command matched is C<ALL>, the user may set variables
that would otherwise be forbidden. See L<sudoers(5)> for more information.
=head1 PLUGINS
Plugins are dynamically loaded based on the contents of the
F<@sysconfdir@/sudo.conf> file. If no F<@sysconfdir@/sudo.conf>
file is present, or it contains no C<Plugin> lines, B<sudo>
will use the traditional I<sudoers> security policy and I/O logging,
which corresponds to the following F<@sysconfdir@/sudo.conf> file.
#
# Default @sysconfdir@/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @prefix@/libexec unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
A C<Plugin> line consists of the C<Plugin> keyword, followed by the
I<symbol_name> and the I<path> to the shared object containing the
plugin. The I<symbol_name> is the name of the C<struct policy_plugin>
or C<struct io_plugin> in the plugin shared object. The I<path>
may be fully qualified or relative. If not fully qualified it is
relative to the F<@prefix@/libexec> directory. Any additional
parameters after the I<path> are passed as arguments to the plugin's
I<open> function. Lines that don't begin with C<Plugin>, C<Path>,
C<Debug> or C<Set> are silently ignored.
For more information, see the L<sudo_plugin(8)> manual.
=head1 PATHS
A C<Path> line consists of the C<Path> keyword, followed by the
name of the path to set and its value. E.g.
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
The following plugin-agnostic paths may be set in the
F<@sysconfdir@/sudo.conf> file.
=over 16
=item askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available. This may be the case when
B<sudo> is executed from a graphical (as opposed to text-based)
application. The program specified by I<askpass> should display
the argument passed to it as the prompt and write the user's password
to the standard output. The value of I<askpass> may be overridden
by the C<SUDO_ASKPASS> environment variable.
=item noexec
The fully-qualified path to a shared library containing dummy
versions of the execv(), execve() and fexecve() library functions
that just return an error. This is used to implement the I<noexec>
functionality on systems that support C<LD_PRELOAD> or its equivalent.
Defaults to F<@noexec_file@>.
=back
=head1 DEBUG FLAGS
B<sudo> versions 1.8.4 and higher support a flexible debugging
framework that can help track down what B<sudo> is doing internally
if there is a problem.
A C<Debug> line consists of the C<Debug> keyword, followed by the
name of the program to debug (B<sudo>, B<visudo>, B<sudoreplay>),
the debug file name and a comma-separated list of debug flags.
The debug flag syntax used by B<sudo> and the I<sudoers> plugin is
I<subsystem>@I<priority> but the plugin is free to use a different
format so long as it does not include a comma (`C<,>').
For instance:
Debug sudo /var/log/sudo_debug all@warn,plugin@info
would log all debugging statements at the I<warn> level and higher
in addition to those at the I<info> level for the plugin subsystem.
Currently, only one C<Debug> entry per program is supported. The
C<sudo> C<Debug> entry is shared by the B<sudo> front end, B<sudoedit>
and the plugins. A future release may add support for per-plugin
C<Debug> lines and/or support for multiple debugging files for a
single program.
The priorities used by the B<sudo> front end, in order of decreasing
severity, are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>,
I<trace> and I<debug>. Each priority, when specified, also includes
all priorities higher than it. For example, a priority of I<notice>
would include debug messages logged at I<notice> and higher.
The following subsystems are used by B<sudo>:
=over 10
=item I<all>
matches every subsystem
=item I<args>
command line argument processing
=item I<conv>
user conversation
=item I<edit>
sudoedit
=item I<exec>
command execution
=item I<main>
B<sudo> main function
=item I<netif>
network interface handling
=item I<pcomm>
communication with the plugin
=item I<plugin>
plugin configuration
=item I<pty>
pseudo-tty related code
=item I<selinux>
SELinux-specific handling
=item I<util>
utility functions
=item I<utmp>
utmp handling
=back
=head1 EXIT VALUE
Upon successful execution of a program, the exit status from B<sudo>
will simply be the exit status of the program that was executed.
Otherwise, B<sudo> exits with a value of 1 if there is a
configuration/permission problem or if B<sudo> cannot execute the
given command. In the latter case the error string is printed to
the standard error. If B<sudo> cannot L<stat(2)> one or more entries
in the user's C<PATH>, an error is printed on stderr. (If the
directory does not exist or if it is not really a directory, the
entry is ignored and no error is printed.) This should not happen
under normal circumstances. The most common reason for L<stat(2)>
to return "permission denied" is if you are running an automounter
and one of the directories in your C<PATH> is on a machine that is
currently unreachable.
=head1 SECURITY NOTES
B<sudo> tries to be safe when executing external commands.
To prevent command spoofing, B<sudo> checks "." and "" (both denoting
current directory) last when searching for a command in the user's
PATH (if one or both are in the PATH). Note, however, that the
actual C<PATH> environment variable is I<not> modified and is passed
unchanged to the program that B<sudo> executes.
Please note that B<sudo> will normally only log the command it
explicitly runs. If a user runs a command such as C<sudo su> or
C<sudo sh>, subsequent commands run from that shell are not subject
to B<sudo>'s security policy. The same is true for commands that
offer shell escapes (including most editors). If I/O logging is
enabled, subsequent commands will have their input and/or output
logged, but there will not be traditional logs for those commands.
Because of this, care must be taken when giving users access to
commands via B<sudo> to verify that the command does not inadvertently
give the user an effective root shell. For more information, please
see the C<PREVENTING SHELL ESCAPES> section in L<sudoers(5)>.
To prevent the disclosure of potentially sensitive information,
B<sudo> disables core dumps by default while it is executing (they
are re-enabled for the command that is run). To aid in debugging
B<sudo> crashes, you may wish to re-enable core dumps by setting
"disable_coredump" to false in the F<@sysconfdir@/sudo.conf> file.
Set disable_coredump false
Note that by default, most operating systems disable core dumps
from setuid programs, which includes B<sudo>. To actually get a
B<sudo> core file you may need to enable core dumps for setuid
processes. On BSD and Linux systems this is accomplished via the
sysctl command, on Solaris the coreadm command can be used.
=head1 ENVIRONMENT
B<sudo> utilizes the following environment variables. The security
policy has control over the content of the command's environment.
=over 16
=item C<EDITOR>
Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
nor C<VISUAL> is set.
=item C<MAIL>
In B<-i> mode or when I<env_reset> is enabled in I<sudoers>, set
to the mail spool of the target user.
=item C<HOME>
Set to the home directory of the target user if B<-i> or B<-H> are
specified, I<env_reset> or I<always_set_home> are set in I<sudoers>,
or when the B<-s> option is specified and I<set_home> is set in
I<sudoers>.
=item C<PATH>
May be overridden by the security policy.
=item C<SHELL>
Used to determine shell to run with B<-s> option.
=item C<SUDO_ASKPASS>
Specifies the path to a helper program used to read the password
if no terminal is available or if the B<-A> option is specified.
=item C<SUDO_COMMAND>
Set to the command run by sudo.
=item C<SUDO_EDITOR>
Default editor to use in B<-e> (sudoedit) mode.
=item C<SUDO_GID>
Set to the group ID of the user who invoked sudo.
=item C<SUDO_PROMPT>
Used as the default password prompt.
=item C<SUDO_PS1>
If set, C<PS1> will be set to its value for the program being run.
=item C<SUDO_UID>
Set to the user ID of the user who invoked sudo.
=item C<SUDO_USER>
Set to the login name of the user who invoked sudo.
=item C<USER>
Set to the target user (root unless the B<-u> option is specified).
=item C<VISUAL>
Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
is not set.
=back
=head1 FILES
=over 24
=item F<@sysconfdir@/sudo.conf>
B<sudo> front end configuration
=back
=head1 EXAMPLES
Note: the following examples assume a properly configured security policy.
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
To list the home directory of user yaz on a machine where the
file system holding ~yaz is not exported as root:
$ sudo -u yaz ls ~yaz
To edit the F<index.html> file as user www:
$ sudo -u www vi ~www/htdocs/index.html
To view system logs only accessible to root and users in the adm group:
$ sudo -g adm view /var/log/syslog
To run an editor as jim with a different primary group:
$ sudo -u jim -g audio vi ~jim/sound.txt
To shutdown a machine:
$ sudo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home
partition. Note that this runs the commands in a sub-shell
to make the C<cd> and file redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
=head1 SEE ALSO
L<grep(1)>, L<su(1)>, L<stat(2)>,
L<login_cap(3)>,
L<passwd(5)>, L<sudoers(5)>, L<sudo_plugin(8)>, L<sudoreplay(8)>, L<visudo(8)>
=head1 HISTORY
See the HISTORY file in the B<sudo> distribution
(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
=head1 AUTHORS
Many people have worked on B<sudo> over the years; this
version consists of code written primarily by:
Todd C. Miller
See the CONTRIBUTORS file in the B<sudo> distribution
(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people
who have contributed to B<sudo>.
=head1 CAVEATS
There is no easy way to prevent a user from gaining a root shell
if that user is allowed to run arbitrary commands via B<sudo>.
Also, many programs (such as editors) allow the user to run commands
via shell escapes, thus avoiding B<sudo>'s checks. However, on
most systems it is possible to prevent shell escapes with the
L<sudoers(5)> module's I<noexec> functionality.
It is not meaningful to run the C<cd> command directly via sudo, e.g.,
$ sudo cd /usr/local/protected
since when the command exits the parent process (your shell) will
still be the same. Please see the EXAMPLES section for more information.
Running shell scripts via B<sudo> can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
=head1 BUGS
If you feel you have found a bug in B<sudo>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<sudo> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.

1617
doc/sudo_plugin.pod
View File

File diff suppressed because it is too large Load Diff

872
doc/sudoers.ldap.pod
View File

@@ -1,872 +0,0 @@
Copyright (c) 2003-2012
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
=pod
=head1 NAME
sudoers.ldap - sudo LDAP configuration
=head1 DESCRIPTION
In addition to the standard I<sudoers> file, B<sudo> may be configured
via LDAP. This can be especially useful for synchronizing I<sudoers>
in a large, distributed environment.
Using LDAP for I<sudoers> has several benefits:
=over 4
=item *
B<sudo> no longer needs to read I<sudoers> in its entirety. When
LDAP is used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
environments.
=item *
B<sudo> no longer exits if there is a typo in I<sudoers>.
It is not possible to load LDAP data into the server that does
not conform to the sudoers schema, so proper syntax is guaranteed.
It is still possible to have typos in a user or host name, but
this will not prevent B<sudo> from running.
=item *
It is possible to specify per-entry options that override the global
default options. F<@sysconfdir@/sudoers> only supports default options and
limited options associated with user/host/commands/aliases. The
syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
=item *
The B<visudo> program is no longer needed. B<visudo> provides
locking and syntax checking of the F<@sysconfdir@/sudoers> file.
Since LDAP updates are atomic, locking is no longer necessary.
Because syntax is checked when the data is inserted into LDAP, there
is no need for a specialized tool to check syntax.
=back
Another major difference between LDAP and file-based I<sudoers>
is that in LDAP, B<sudo>-specific Aliases are not supported.
For the most part, there is really no need for B<sudo>-specific
Aliases. Unix groups or user netgroups can be used in place of
User_Aliases and Runas_Aliases. Host netgroups can be used in place
of Host_Aliases. Since Unix groups and netgroups can also be stored
in LDAP there is no real need for B<sudo>-specific aliases.
Cmnd_Aliases are not really required either since it is possible
to have multiple users listed in a C<sudoRole>. Instead of defining
a Cmnd_Alias that is referenced by multiple users, one can create
a C<sudoRole> that contains the commands and assign multiple users
to it.
=head2 SUDOers LDAP container
The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
container.
Sudo first looks for the C<cn=default> entry in the SUDOers container.
If found, the multi-valued C<sudoOption> attribute is parsed in the
same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>. In
the following example, the C<SSH_AUTH_SOCK> variable will be preserved
in the environment for all users.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
the following attributes:
=over 4
=item B<sudoUser>
A user name, user ID (prefixed with C<'#'>), Unix group (prefixed with
C<'%'>), Unix group ID (prefixed with C<'%#'>), or user netgroup
(prefixed with C<'+'>).
=item B<sudoHost>
A host name, IP address, IP network, or host netgroup (prefixed
with a C<'+'>).
The special value C<ALL> will match any host.
=item B<sudoCommand>
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards).
The special value C<ALL> will match any command.
If a command is prefixed with an exclamation point C<'!'>, the
user will be prohibited from running that command.
=item B<sudoOption>
Identical in function to the global options described above, but
specific to the C<sudoRole> in which it resides.
=item B<sudoRunAsUser>
A user name or uid (prefixed with C<'#'>) that commands may be run
as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
with a C<'+'>) that contains a list of users that commands may be
run as.
The special value C<ALL> will match any user.
The C<sudoRunAsUser> attribute is only available in B<sudo> versions
1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
attribute instead.
=item B<sudoRunAsGroup>
A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
The special value C<ALL> will match any group.
The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
1.7.0 and higher.
=item B<sudoNotBefore>
A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
a start date/time for when the C<sudoRole> will be valid. If
multiple C<sudoNotBefore> entries are present, the earliest is used.
Note that timestamps must be in Coordinated Universal Time (UTC),
not the local timezone. The minute and seconds portions are optional,
but some LDAP servers require that they be present (contrary to the RFC).
The C<sudoNotBefore> attribute is only available in B<sudo> versions
1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
option in F<@ldap_conf@>.
=item B<sudoNotAfter>
A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
date/time, after which the C<sudoRole> will no longer be valid. If
multiple C<sudoNotBefore> entries are present, the last one is used.
Note that timestamps must be in Coordinated Universal Time (UTC),
not the local timezone. The minute and seconds portions are optional,
but some LDAP servers require that they be present (contrary to the RFC).
The C<sudoNotAfter> attribute is only available in B<sudo> versions
1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
option in F<@ldap_conf@>.
=item B<sudoOrder>
The C<sudoRole> entries retrieved from the LDAP directory have no
inherent order. The C<sudoOrder> attribute is an integer (or
floating point value for LDAP servers that support it) that is used
to sort the matching entries. This allows LDAP-based sudoers entries
to more closely mimic the behaviour of the sudoers file, where the
of the entries influences the result. If multiple entries match,
the entry with the highest C<sudoOrder> attribute is chosen. This
corresponds to the "last match" behavior of the sudoers file. If
the C<sudoOrder> attribute is not present, a value of 0 is assumed.
The C<sudoOrder> attribute is only available in B<sudo> versions
1.7.5 and higher.
=back
Each attribute listed above should contain a single value, but there
may be multiple instances of each attribute type. A C<sudoRole> must
contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
The following example allows users in group wheel to run any command
on any host via B<sudo>:
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
=head2 Anatomy of LDAP sudoers lookup
When looking up a sudoer using LDAP there are only two or three
LDAP queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the
groups that the user belongs to. (The special ALL tag is matched
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
If timed entries are enabled with the B<SUDOERS_TIMED> configuration
directive, the LDAP queries include a subfilter that limits retrieval
to entries that satisfy the time constraints, if any.
=head2 Differences between LDAP and non-LDAP sudoers
There are some subtle differences in the way sudoers is handled
once in LDAP. Probably the biggest is that according to the RFC,
LDAP ordering is arbitrary and you cannot expect that Attributes
and Entries are returned in any specific order.
The order in which different entries are applied can be controlled
using the C<sudoOrder> attribute, but there is no way to guarantee
the order of attributes within a specific entry. If there are
conflicting command rules in an entry, the negative takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
Here is an example:
# /etc/sudoers:
# Allow all commands except shell
johnny ALL=(root) ALL,!/bin/sh
# Always allows all commands because ALL is matched last
puddles ALL=(root) !/bin/sh,ALL
# LDAP equivalent of johnny
# Allows all commands except shell
dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role1
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh
# LDAP equivalent of puddles
# Notice that even though ALL comes last, it still behaves like
# role1 since the LDAP code assumes the more paranoid configuration
dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
objectClass: sudoRole
objectClass: top
cn: role2
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
currently ignored. For example, the following attributes do not
behave the way one might expect.
# does not match all but joe
# rather, does not match anyone
sudoUser: !joe
# does not match all but joe
# rather, matches everyone including Joe
sudoUser: ALL
sudoUser: !joe
# does not match all but web01
# rather, matches all hosts including web01
sudoHost: ALL
sudoHost: !web01
=head2 Sudoers Schema
In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
installed on your LDAP server. In addition, be sure to index the
'sudoUser' attribute.
Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
one for Netscape-derived servers (F<schema.iPlanet>), and one for
Microsoft Active Directory (F<schema.ActiveDirectory>) may
be found in the B<sudo> distribution.
The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
section.
=head2 Configuring ldap.conf
Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not B<sudo>-specific. Note that
B<sudo> parses F<@ldap_conf@> itself and may support options that
differ from those described in the system's L<ldap.conf(5)> manual.
Also note that on systems using the OpenLDAP libraries, default
values specified in F</etc/openldap/ldap.conf> or the user's
F<.ldaprc> files are not used.
Only those options explicitly listed in F<@ldap_conf@> as being
supported by B<sudo> are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
=over 4
=item B<URI> ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs describing
the LDAP server(s) to connect to. The I<protocol> may be either
B<ldap> or B<ldaps>, the latter being for servers that support TLS
(SSL) encryption. If no I<port> is specified, the default is port
389 for C<ldap://> or port 636 for C<ldaps://>. If no I<hostname>
is specified, B<sudo> will connect to B<localhost>. Multiple B<URI>
lines are treated identically to a B<URI> line containing multiple
entries. Only systems using the OpenSSL libraries support the
mixing of C<ldap://> and C<ldaps://> URIs. Both the Netscape-derived
and Tivoli LDAP libraries used on most commercial versions of Unix
are only capable of supporting one or the other.
=item B<HOST> name[:port] ...
If no B<URI> is specified, the B<HOST> parameter specifies a
whitespace-delimited list of LDAP servers to connect to. Each host
may include an optional I<port> separated by a colon (':'). The
B<HOST> parameter is deprecated in favor of the B<URI> specification
and is included for backwards compatibility.
=item B<PORT> port_number
If no B<URI> is specified, the B<PORT> parameter specifies the
default port to connect to on the LDAP server if a B<HOST> parameter
does not specify the port itself. If no B<PORT> parameter is used,
the default is port 389 for LDAP and port 636 for LDAP over TLS
(SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
specification and is included for backwards compatibility.
=item B<BIND_TIMELIMIT> seconds
The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
to wait while trying to connect to an LDAP server. If multiple B<URI>s or
B<HOST>s are specified, this is the amount of time to wait before trying
the next one in the list.
=item B<NETWORK_TIMEOUT> seconds
An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
=item B<TIMELIMIT> seconds
The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
=item B<TIMEOUT> seconds
The B<TIMEOUT> parameter specifies the amount of time, in seconds,
to wait for a response from the various LDAP APIs.
=item B<SUDOERS_BASE> base
The base DN to use when performing B<sudo> LDAP queries. Typically
this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
C<example.com>. Multiple B<SUDOERS_BASE> lines may be specified,
in which case they are queried in the order specified.
=item B<SUDOERS_SEARCH_FILTER> ldap_filter
An LDAP filter which is used to restrict the set of records returned
when performing a B<sudo> LDAP query. Typically, this is of the
form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
=item B<SUDOERS_TIMED> on/true/yes/off/false/no
Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
attributes that implement time-dependent sudoers entries.
=item B<SUDOERS_DEBUG> debug_level
This sets the debug level for B<sudo> LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
likely to confuse users.
=item B<BINDDN> DN
The B<BINDDN> parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous access.
=item B<BINDPW> secret
The B<BINDPW> parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
B<BINDDN> parameter.
=item B<ROOTBINDDN> DN
The B<ROOTBINDDN> parameter specifies the identity, in the form of
a Distinguished Name (DN), to use when performing privileged LDAP
operations, such as I<sudoers> queries. The password corresponding
to the identity should be stored in F<@ldap_secret@>.
If not specified, the B<BINDDN> identity is used (if any).
=item B<LDAP_VERSION> number
The version of the LDAP protocol to use when connecting to the server.
The default value is protocol version 3.
=item B<SSL> on/true/yes/off/false/no
If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
(SSL) encryption is always used when communicating with the LDAP
server. Typically, this involves connecting to the server on port
636 (ldaps).
=item B<SSL> start_tls
If the B<SSL> parameter is set to C<start_tls>, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the C<start_tls>
extension, such as the OpenLDAP server.
=item B<TLS_CHECKPEER> on/true/yes/off/false/no
If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate cannot
be verified (usually because it is signed by an unknown certificate
authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
is disabled, no check is made. Note that disabling the check creates
an opportunity for man-in-the-middle attacks since the server's
identity will not be authenticated. If possible, the CA's certificate
should be installed locally so it can be verified. This option is
not supported by the Tivoli Directory Server LDAP libraries.
=item B<TLS_CACERT> file name
An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
=item B<TLS_CACERTFILE> file name
The path to a certificate authority bundle which contains the certificates
for all the Certificate Authorities the client knows to be valid,
e.g. F</etc/ssl/ca-bundle.pem>.
This option is only supported by the OpenLDAP libraries.
Netscape-derived LDAP libraries use the same certificate
database for CA and client certificates (see B<TLS_CERT>).
=item B<TLS_CACERTDIR> directory
Similar to B<TLS_CACERTFILE> but instead of a file, it is a
directory containing individual Certificate Authority certificates,
e.g. F</etc/ssl/certs>.
The directory specified by B<TLS_CACERTDIR> is checked after
B<TLS_CACERTFILE>.
This option is only supported by the OpenLDAP libraries.
=item B<TLS_CERT> file name
The path to a file containing the client certificate which can
be used to authenticate the client to the LDAP server.
The certificate type depends on the LDAP libraries used.
OpenLDAP:
C<tls_cert /etc/ssl/client_cert.pem>
Netscape-derived:
C<tls_cert /var/ldap/cert7.db>
Tivoli Directory Server:
Unused, the key database specified by B<TLS_KEY> contains both
keys and certificates.
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
=item B<TLS_KEY> file name
The path to a file containing the private key which matches the
certificate specified by B<TLS_CERT>. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
OpenLDAP:
C<tls_key /etc/ssl/client_key.pem>
Netscape-derived:
C<tls_key /var/ldap/key3.db>
Tivoli Directory Server:
C<tls_cert /usr/ldap/ldapkey.kdb>
When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
=item B<TLS_KEYPW> secret
The B<TLS_KEYPW> contains the password used to decrypt the key
database on clients using the Tivoli Directory Server LDAP library.
If no B<TLS_KEYPW> is specified, a I<stash file> will be used if
it exists. The I<stash file> must have the same path as the file
specified by B<TLS_KEY>, but use a C<.sth> file extension instead
of C<.kdb>, e.g. C<ldapkey.sth>. The default C<ldapkey.kdb> that
ships with Tivoli Directory Server is encrypted with the password
C<ssl_password>. This option is only supported by the Tivoli LDAP
libraries.
=item B<TLS_RANDFILE> file name
The B<TLS_RANDFILE> parameter specifies the path to an entropy
source for systems that lack a random device. It is generally used
in conjunction with I<prngd> or I<egd>.
This option is only supported by the OpenLDAP libraries.
=item B<TLS_CIPHERS> cipher list
The B<TLS_CIPHERS> parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
the OpenLDAP or Tivoli Directory Server manual for a list of valid
ciphers. This option is not supported by Netscape-derived libraries.
=item B<USE_SASL> on/true/yes/off/false/no
Enable B<USE_SASL> for LDAP servers that support SASL authentication.
=item B<SASL_AUTH_ID> identity
The SASL user name to use when connecting to the LDAP server.
By default, B<sudo> will use an anonymous connection.
=item B<ROOTUSE_SASL> on/true/yes/off/false/no
Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as B<sudo>.
=item B<ROOTSASL_AUTH_ID> identity
The SASL user name to use when B<ROOTUSE_SASL> is enabled.
=item B<SASL_SECPROPS> none/properties
SASL security properties or I<none> for no properties. See the
SASL programmer's manual for details.
=item B<KRB5_CCNAME> file name
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
=item B<DEREF> never/searching/finding/always
How alias dereferencing is to be performed when searching. See the
L<ldap.conf(5)> manual for a full description of this option.
=back
See the C<ldap.conf> entry in the L<EXAMPLES> section.
=head2 Configuring nsswitch.conf
Unless it is disabled at build time, B<sudo> consults the Name
Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
search order. Sudo looks for a line beginning with C<sudoers>: and
uses this to determine the search order. Note that B<sudo> does
not stop searching after the first match and later matches take
precedence over earlier ones.
The following sources are recognized:
files read sudoers from F<@sysconfdir@/sudoers>
ldap read sudoers from LDAP
In addition, the entry C<[NOTFOUND=return]> will short-circuit the
search if the user was not found in the preceding source.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
sudoers: ldap files
The local I<sudoers> file can be ignored completely by using:
sudoers: ldap
If the F<@nsswitch_conf@> file is not present or there is no
sudoers line, the following default is assumed:
sudoers: files
Note that F<@nsswitch_conf@> is supported even when the underlying
operating system does not use an nsswitch.conf file, except on AIX (see below).
=head2 Configuring netsvc.conf
On AIX systems, the F<@netsvc_conf@> file is consulted instead of
F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
variant of I<nsswitch.conf>; information in the previous section
unrelated to the file format itself still applies.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
sudoers = ldap, files
The local I<sudoers> file can be ignored completely by using:
sudoers = ldap
To treat LDAP as authoratative and only use the local sudoers file
if the user is not present in LDAP, use:
sudoers = ldap = auth, files
Note that in the above example, the C<auth> qualfier only affects
user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
entries.
If the F<@netsvc_conf@> file is not present or there is no
sudoers line, the following default is assumed:
sudoers = files
=head1 FILES
=over 24
=item F<@ldap_conf@>
LDAP configuration file
=item F<@nsswitch_conf@>
determines sudoers source order
=item F<@netsvc_conf@>
determines sudoers source order on AIX
=back
=head1 EXAMPLES
=head2 Example ldap.conf
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#host ldapserver
#host ldapserver1 ldapserver2:390
#
# Default port if host is specified without one, defaults to 389.
#port 389
#
# URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#
# The amount of time, in seconds, to wait while performing an LDAP query.
timelimit 30
#
# Must be set or sudo will ignore LDAP; may be specified multiple times.
sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
#
# Enable support for time-based entries in sudoers.
#sudoers_timed yes
#
# optional proxy credentials
#binddn <who to search as>
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
#
# LDAP protocol version, defaults to 3
#ldap_version 3
#
# Define if you want to use an encrypted LDAP connection.
# Typically, you must also set the port to 636 (ldaps).
#ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# Only supported by LDAP servers that support the start_tls
# extension such as OpenLDAP.
#ssl start_tls
#
# Additional TLS options follow that allow tweaking of the
# SSL/TLS connection.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
#
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
# Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# Sudo can provide a client certificate when communicating to
# the LDAP server.
# Tips:
# * Enable both lines at the same time.
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
# For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
# a directory, in which case the files in the directory must have the
# default names (e.g. cert8.db and key4.db), or the path to the cert
# and key files themselves. However, a bug in version 5.0 of the LDAP
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
#
# The certificate database specified by tls_cert may contain CA certs
# and/or the client's cert. If the client's cert is included, tls_key
# should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
# sasl_auth_id <SASL user name>
# rootuse_sasl yes
# rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
=head2 Sudo schema for OpenLDAP
The following schema, in OpenLDAP format, is included with B<sudo>
source and binary distributions as F<schema.OpenLDAP>. Simply copy
it to the schema directory (e.g. F</etc/openldap/schema>), add the
proper C<include> line in C<slapd.conf> and restart B<slapd>.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
DESC 'User(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.3
NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
NAME 'sudoRunAs'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.5
NAME 'sudoOption'
DESC 'Options(s) followed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.6
NAME 'sudoRunAsUser'
DESC 'User(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
DESC 'Group(s) impersonated by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.8
NAME 'sudoNotBefore'
DESC 'Start of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.15953.9.1.9
NAME 'sudoNotAfter'
DESC 'End of time interval for which the entry is valid'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
NAME 'sudoOrder'
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
DESC 'Sudoer Entries'
MUST ( cn )
MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
sudoOrder $ description )
)
=head1 SEE ALSO
L<ldap.conf(5)>, L<sudoers(5)>
=head1 CAVEATS
Note that there are differences in the way that LDAP-based I<sudoers>
is parsed compared to file-based I<sudoers>. See the L<Differences
between LDAP and non-LDAP sudoers> section for more information.
=head1 BUGS
If you feel you have found a bug in B<sudo>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<sudo> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.

60
doc/sudoers.man.pl
View File

@@ -1,60 +0,0 @@
#!/usr/bin/perl -p
BEGIN {
$cond = -1;
}
# Initialize the numeric registers we use for conditionals
if ($cond == -1) {
$prefix = "";
$prefix = "$prefix.nr BA \@BAMAN\@\n";
$prefix = "$prefix.nr LC \@LCMAN\@\n";
$prefix = "$prefix.nr PS \@PSMAN\@\n";
$prefix = "$prefix.nr SL \@SEMAN\@\n";
$_ = "$prefix.\\\"\n$_";
$cond = 0;
}
# Make SELinux_Spec and Solaris_Priv_Spec conditional
if (/(.*) SELinux_Spec\? Solaris_Priv_Spec(.*)$/) {
$_ = "$1\\*(S+$2\n";
$prefix = "";
$prefix = "$prefix.ds S+\n";
$prefix = "$prefix.if \\n(SL .as S+ \" SELinux_Spec?\n";
$prefix = "$prefix.if \\n(PS .as S+ \" Solaris_Priv_Spec?\n";
$_ = "$prefix$_";
} elsif (/^(.*SELinux_Spec ::=)/) {
$_ = ".if \\n(SL \\{\\\n$_";
} elsif (/^(.*Solaris_Priv_Spec ::=)/) {
$_ = "\\}\n.if \\n(PS \\{\\\n$_";
} elsif (/^(.*Tag_Spec ::=)/) {
$_ = "\\}\n$_";
}
if (/^\.(Sh|SS|IP|PP)/) {
$prefix = $cond ? "\\}\n" : "";
$cond = 0;
}
if (/^\.S[Sh] "SELinux_Spec"/) {
$_ = "$prefix.if \\n(SL \\{\\\n$_";
$cond = 1;
} elsif (/^\.IP "(role|type)"/) {
$_ = "$prefix.if \\n(SL \\{\\\n$_";
$cond = 1;
} elsif (/^\.S[Sh] "Solaris_Priv_Spec"/) {
$_ = "$prefix.if \\n(PS \\{\\\n$_";
$cond = 1;
} elsif (/^\.IP "(privs|limitprivs)"/) {
$_ = "$prefix.if \\n(PS \\{\\\n$_";
$cond = 1;
} elsif (/^\.IP "use_loginclass"/) {
$_ = "$prefix.if \\n(LC \\{\\\n$_";
$cond = 1;
} elsif (/^\.(Sh|SS|IP|PP)/) {
$_ = "$prefix$_";
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
s/\\f\(\CW\@([^\@]*)\\fR\@/\@$1\@/g;
#\f(CW@secure_path\fR@

2190
doc/sudoers.pod
View File

File diff suppressed because it is too large Load Diff

350
doc/sudoreplay.pod
View File

@@ -1,350 +0,0 @@
Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
=pod
=head1 NAME
sudoreplay - replay sudo session logs
=head1 SYNOPSIS
B<sudoreplay> [B<-h>] S<[B<-d> I<directory>]> S<[B<-f> I<filter>]> S<[B<-m> I<max_wait>]> S<[B<-s> I<speed_factor>]> ID
B<sudoreplay> [B<-h>] S<[B<-d> I<directory>]> -l S<[search expression]>
=head1 DESCRIPTION
B<sudoreplay> plays back or lists the output logs created by B<sudo>.
When replaying, B<sudoreplay> can play the session back in real-time,
or the playback speed may be adjusted (faster or slower) based on
the command line options.
The I<ID> should either be a six character sequence of digits and
upper case letters, e.g. C<0100A5>, or a pattern matching the
I<iolog_file> option in the I<sudoers> file. When a command is run
via B<sudo> with I<log_output> enabled in the I<sudoers> file, a
C<TSID=ID> string is logged via syslog or to the B<sudo> log file.
The I<ID> may also be determined using B<sudoreplay>'s list mode.
In list mode, B<sudoreplay> can be used to find the ID of a session
based on a number of criteria such as the user, tty or command run.
In replay mode, if the standard output has not been redirected,
B<sudoreplay> will act on the following keys:
=over 8
=item ' ' (space)
Pause output; press any key to resume.
=item '<'
Reduce the playback speed by one half.
=item '>'
Double the playback speed.
=back
=head1 OPTIONS
B<sudoreplay> accepts the following command line options:
=over 12
=item -d I<directory>
Use I<directory> to for the session logs instead of the default,
F<@iolog_dir@>.
=item -f I<filter>
By default, B<sudoreplay> will play back the command's standard
output, standard error and tty output. The I<-f> option can be
used to select which of these to output. The I<filter> argument
is a comma-separated list, consisting of one or more of following:
I<stdout>, I<stderr>, and I<ttyout>.
=item -h
The B<-h> (I<help>) option causes B<sudoreplay> to print a short
help message to the standard output and exit.
=item -l [I<search expression>]
Enable "list mode". In this mode, B<sudoreplay> will list available
sessions in a format similar to the B<sudo> log file format, sorted
by file name (or sequence number). If a I<search expression> is
specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
=over 8
=item command I<pattern>
Evaluates to true if the command run matches I<pattern>.
On systems with POSIX regular expression support, the pattern may
be an extended regular expression. On systems without POSIX regular
expression support, a simple substring match is performed instead.
=item cwd I<directory>
Evaluates to true if the command was run with the specified current
working directory.
=item fromdate I<date>
Evaluates to true if the command was run on or after I<date>.
See L<"Date and time format"> for a description of supported
date and time formats.
=item group I<runas_group>
Evaluates to true if the command was run with the specified
I<runas_group>. Note that unless a I<runas_group> was explicitly
specified when B<sudo> was run this field will be empty in the log.
=item runas I<runas_user>
Evaluates to true if the command was run as the specified I<runas_user>.
Note that B<sudo> runs commands as user I<root> by default.
=item todate I<date>
Evaluates to true if the command was run on or prior to I<date>.
See L<"Date and time format"> for a description of supported
date and time formats.
=item tty I<tty name>
Evaluates to true if the command was run on the specified terminal
device. The I<tty name> should be specified without the F</dev/> prefix,
e.g. F<tty01> instead of F</dev/tty01>.
=item user I<user name>
Evaluates to true if the ID matches a command run by I<user name>.
=back
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
Predicates may be combined using I<and>, I<or> and I<!> operators
as well as C<'('> and C<')'> for grouping (note that parentheses
must generally be escaped from the shell). The I<and> operator is
optional, adjacent predicates have an implied I<and> unless separated
by an I<or>.
=item -m I<max_wait>
Specify an upper bound on how long to wait between key presses or
output data. By default, B<sudoreplay> will accurately reproduce
the delays between key presses or program output. However, this
can be tedious when the session includes long pauses. When the
I<-m> option is specified, B<sudoreplay> will limit these pauses
to at most I<max_wait> seconds. The value may be specified as a
floating point number, e.g. I<2.5>.
=item -s I<speed_factor>
This option causes B<sudoreplay> to adjust the number of seconds
it will wait between key presses or program output. This can be
used to slow down or speed up the display. For example, a
I<speed_factor> of I<2> would make the output twice as fast whereas
a I<speed_factor> of I<.5> would make the output twice as slow.
=item -V
The B<-V> (version) option causes B<sudoreplay> to print its version number
and exit.
=back
=head2 Date and time format
The time and date may be specified multiple ways, common formats include:
=over 8
=item HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
=item HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
may be abbreviated. Note that month and day of the week names must
be specified in English.
=item CCYY-MM-DD HH:MM:SS
ISO time format
=item DD Month CCYY HH:MM:SS
The month name may be abbreviated.
=back
Either time or date may be omitted, the am/pm and timezone are
optional. If no date is specified, the current day is assumed; if
no time is specified, the first second of the specified date is
used. The less significant parts of both time and date may also
be omitted, in which case zero is assumed.
The following are all valid time and date specifications:
=over 8
=item now
The current time and date.
=item tomorrow
Exactly one day from now.
=item yesterday
24 hours ago.
=item 2 hours ago
2 hours ago.
=item next Friday
The first second of the next Friday.
=item this week
The current time but the first day of the coming week.
=item a fortnight ago
The current time but 14 days ago.
=item 10:01 am 9/17/2009
10:01 am, September 17, 2009.
=item 10:01 am
10:01 am on the current day.
=item 10
10:00 am on the current day.
=item 9/17/2009
00:00 am, September 17, 2009.
=item 10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
=back
=head1 FILES
=over 24
=item F<@iolog_dir@>
The default I/O log directory.
=item F<@iolog_dir@/00/00/01/log>
Example session log info.
=item F<@iolog_dir@/00/00/01/stdin>
Example session standard input log.
=item F<@iolog_dir@/00/00/01/stdout>
Example session standard output log.
=item F<@iolog_dir@/00/00/01/stderr>
Example session standard error log.
=item F<@iolog_dir@/00/00/01/ttyin>
Example session tty input file.
=item F<@iolog_dir@/00/00/01/ttyout>
Example session tty output file.
=item F<@iolog_dir@/00/00/01/timing>
Example session timing file.
=back
Note that the I<stdin>, I<stdout> and I<stderr> files will be empty
unless B<sudo> was used as part of a pipeline for a particular
command.
=head1 EXAMPLES
List sessions run by user I<millert>:
# sudoreplay -l user millert
List sessions run by user I<bob> with a command containing the string vi:
# sudoreplay -l user bob command vi
List sessions run by user I<jeff> that match a regular expression:
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
List sessions run by jeff or bob on the console:
# sudoreplay -l ( user jeff or user bob ) tty console
=head1 SEE ALSO
L<sudo(8)>, L<script(1)>
=head1 AUTHORS
Todd C. Miller
=head1 BUGS
If you feel you have found a bug in B<sudoreplay>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<sudoreplay> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.

221
doc/visudo.pod
View File

@@ -1,221 +0,0 @@
Copyright (c) 1996,1998-2005, 2007-2012
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Sponsored in part by the Defense Advanced Research Projects
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
=pod
=head1 NAME
visudo - edit the sudoers file
=head1 SYNOPSIS
B<visudo> [B<-chqsV>] [B<-f> I<sudoers>]
=head1 DESCRIPTION
B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
L<vipw(8)>. B<visudo> locks the I<sudoers> file against multiple
simultaneous edits, provides basic sanity checks, and checks
for parse errors. If the I<sudoers> file is currently being
edited you will receive a message to try again later.
There is a hard-coded list of one or more editors that B<visudo> will
use set at compile-time that may be overridden via the I<editor> I<sudoers>
C<Default> variable. This list defaults to C<"@editor@">. Normally,
B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
variables unless they contain an editor in the aforementioned editors
list. However, if B<visudo> is configured with the I<--with-env-editor>
option or the I<env_editor> C<Default> variable is set in I<sudoers>,
B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>.
Note that this can be a security hole since it allows the user to
execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
B<visudo> parses the I<sudoers> file after the edit and will
not save the changes if there is a syntax error. Upon finding
an error, B<visudo> will print a message stating the line number(s)
where the error occurred and the user will receive the
"What now?" prompt. At this point the user may enter "e"
to re-edit the I<sudoers> file, "x" to exit without
saving the changes, or "Q" to quit and save changes. The
"Q" option should be used with extreme care because if B<visudo>
believes there to be a parse error, so will B<sudo> and no one
will be able to B<sudo> again until the error is fixed.
If "e" is typed to edit the I<sudoers> file after a parse error
has been detected, the cursor will be placed on the line where the
error occurred (if the editor supports this feature).
=head1 OPTIONS
B<visudo> accepts the following command line options:
=over 12
=item -c
Enable B<check-only> mode. The existing I<sudoers> file will be
checked for syntax errors, owner and mode. A message will be printed
to the standard output describing the status of I<sudoers> unless
the B<-q> option was specified. If the check completes successfully,
B<visudo> will exit with a value of 0. If an error is encountered,
B<visudo> will exit with a value of 1.
=item -f I<sudoers>
Specify and alternate I<sudoers> file location. With this option
B<visudo> will edit (or check) the I<sudoers> file of your choice,
instead of the default, F<@sysconfdir@/sudoers>. The lock file used
is the specified I<sudoers> file with ".tmp" appended to it.
In B<check-only> mode only, the argument to B<-f> may be "-",
indicating that I<sudoers> will be read from the standard input.
=item -h
The B<-h> (I<help>) option causes B<visudo> to print a short help message
to the standard output and exit.
=item -q
Enable B<quiet> mode. In this mode details about syntax errors
are not printed. This option is only useful when combined with
the B<-c> option.
=item -s
Enable B<strict> checking of the I<sudoers> file. If an alias is
used before it is defined, B<visudo> will consider this a parse
error. Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
=item -V
The B<-V> (version) option causes B<visudo> to print its version number
and exit.
=back
=head1 ENVIRONMENT
The following environment variables may be consulted depending on
the value of the I<editor> and I<env_editor> I<sudoers> variables:
=over 16
=item C<VISUAL>
Invoked by visudo as the editor to use
=item C<EDITOR>
Used by visudo if VISUAL is not set
=back
=head1 FILES
=over 24
=item F<@sysconfdir@/sudoers>
List of who can run what
=item F<@sysconfdir@/sudoers.tmp>
Lock file for visudo
=back
=head1 DIAGNOSTICS
=over 4
=item sudoers file busy, try again later.
Someone else is currently editing the I<sudoers> file.
=item @sysconfdir@/sudoers.tmp: Permission denied
You didn't run B<visudo> as root.
=item Can't find you in the passwd database
Your user ID does not appear in the system passwd file.
=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (B<sudo> will not
complain). In B<-s> (strict) mode these are errors, not warnings.
=item Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
B<-s> (strict) mode this is an error, not a warning.
=item Warning: cycle in {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes. This is
only a warning by default as B<sudo> will ignore cycles when parsing
the I<sudoers> file.
=back
=head1 SEE ALSO
L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
=head1 AUTHORS
Many people have worked on B<sudo> over the years; this version of
B<visudo> was written by:
Todd C. Miller
See the CONTRIBUTORS file in the B<sudo> distribution
(http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of people
who have contributed to B<sudo>.
=head1 CAVEATS
There is no easy way to prevent a user from gaining a root shell if
the editor used by B<visudo> allows shell escapes.
=head1 BUGS
If you feel you have found a bug in B<visudo>, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
=head1 SUPPORT
Limited free support is available via the sudo-users mailing list,
see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
=head1 DISCLAIMER
B<visudo> is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
for complete details.