Document SUCCESS=return support in sudoers nsswitch.conf entries.
Based on a patch from Dennis Filder. Bug #971.
@@ -2,7 +2,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2003-2020 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2003-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS.LDAP" "@mansectform@" "October 29, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS.LDAP" "@mansectform@" "April 5, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -1318,11 +1318,12 @@ search order.
Sudo looks for a line beginning with
\fRsudoers\fR:
and uses this to determine the search order.
Note that
Note that by default,
\fBsudo\fR
does
not stop searching after the first match and later matches take
precedence over earlier ones.
does not stop searching after the first match and later matches take
precedence over earlier ones (unless
\fR[SUCCESS=return]\fR
is used, see below).
The following sources are recognized:
.PP
.RS 4n
@@ -1337,10 +1338,21 @@ read sudoers from LDAP
.RE
.PD
.PP
In addition, the entry
\fR[NOTFOUND=return]\fR
will short-circuit the search if the user was not found in the
preceding source.
In addition, a subset of
\fInsswitch.conf\fR-style
action statements is supported, specifically
\fR[SUCCESS=return]\fR
and
\fR[NOTFOUND=return]\fR.
These will unconditionally terminate the search if the user was either
found
(\fR[SUCCESS=return]\fR)
or not found
(\fR[NOTFOUND=return]\fR)
in the immediately preceding source.
Other action statements tokens are not supported, nor is test
negation with
\(oq\&!\(cq.
.PP
To consult LDAP first followed by the local sudoers file (if it
exists), use:
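Review bot: "Other action statements tokens are not supported" in the new paragraph should read "Other action statement tokens are not supported", and the sentence before it, "These will unconditionally terminate the search if the user was either found ... or not found ...", pairs "unconditionally" with a condition; "These terminate the search when the user was found ([SUCCESS=return]) or not found ([NOTFOUND=return]) in the immediately preceding source" says the same thing without the contradiction. It is also worth spelling out the consequence an administrator needs: once [SUCCESS=return] stops the search, any entries for that user in later sources are never read, so the "later matches take precedence over earlier ones" rule from the paragraph above no longer applies across that boundary.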
@@ -1351,6 +1363,15 @@ sudoers: ldap files
.RE
.fi
.PP
To consult LDAP only when no match is found in the local sudoers
file (if it exists), use:
.nf
.sp
.RS 4n
sudoers: files [SUCCESS=return] ldap
.RE
.fi
.PP
The local
\fIsudoers\fR
file can be ignored completely by using:
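Review bot: the lead-in "To consult LDAP only when no match is found in the local sudoers file" says "match", while the paragraph above defines [SUCCESS=return] in terms of the user being found or not found in the preceding source; suggest "To consult LDAP only when the user is not found in the local sudoers file (if it exists), use:" so readers do not expect LDAP to be tried for a user who has a local entry whose rules do not cover the requested command. The mdoc version of this page carries the same wording and should be changed to match.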
@@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2003-2020 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2003-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd October 29, 2020
.Dd April 5, 2021
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -1211,11 +1211,12 @@ search order.
Sudo looks for a line beginning with
.Li sudoers :
and uses this to determine the search order.
Note that
Note that by default,
.Nm sudo
does
not stop searching after the first match and later matches take
precedence over earlier ones.
does not stop searching after the first match and later matches take
precedence over earlier ones (unless
.Li [SUCCESS=return]
is used, see below).
The following sources are recognized:
.Pp
.Bl -tag -width 8n -offset 4n -compact
@@ -1226,10 +1227,21 @@ read sudoers from
read sudoers from LDAP
.El
.Pp
In addition, the entry
.Li [NOTFOUND=return]
will short-circuit the search if the user was not found in the
preceding source.
In addition, a subset of
.Pa nsswitch.conf Ns -style
action statements is supported, specifically
.Li [SUCCESS=return]
and
.Li [NOTFOUND=return] .
These will unconditionally terminate the search if the user was either
found
.No ( Li [SUCCESS=return] )
or not found
.No ( Li [NOTFOUND=return] )
in the immediately preceding source.
Other action statements tokens are not supported, nor is test
negation with
.Ql \&! .
.Pp
To consult LDAP first followed by the local sudoers file (if it
exists), use:
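Review bot: the same two wording points as in the man-page version of this paragraph apply here: "Other action statements tokens" should be "Other action statement tokens", and "These will unconditionally terminate the search if" reads better as "These terminate the search when". The man and mdoc sources are kept in step, so whichever phrasing is chosen needs to land in both files in the same commit.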
@@ -1237,6 +1249,12 @@ exists), use:
sudoers: ldap files
.Ed
.Pp
To consult LDAP only when no match is found in the local sudoers
file (if it exists), use:
.Bd -literal -offset 4n
sudoers: files [SUCCESS=return] ldap
.Ed
.Pp
The local
.Em sudoers
file can be ignored completely by using: