Document SUCCESS=return support in sudoers nsswitch.conf entries.
Based on a patch from Dennis Filder. Bug #971.
@@ -2,7 +2,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" SPDX-License-Identifier: ISC
|
.\" SPDX-License-Identifier: ISC
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (c) 2003-2020 Todd C. Miller <Todd.Miller@sudo.ws>
|
.\" Copyright (c) 2003-2021 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||||
.\"
|
.\"
|
||||||
.\" Permission to use, copy, modify, and distribute this software for any
|
.\" Permission to use, copy, modify, and distribute this software for any
|
||||||
.\" purpose with or without fee is hereby granted, provided that the above
|
.\" purpose with or without fee is hereby granted, provided that the above
|
||||||
@@ -16,7 +16,7 @@
|
|||||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
.\"
|
.\"
|
||||||
.TH "SUDOERS.LDAP" "@mansectform@" "October 29, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
.TH "SUDOERS.LDAP" "@mansectform@" "April 5, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||||
.nh
|
.nh
|
||||||
.if n .ad l
|
.if n .ad l
|
||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
@@ -1318,11 +1318,12 @@ search order.
|
|||||||
Sudo looks for a line beginning with
|
Sudo looks for a line beginning with
|
||||||
\fRsudoers\fR:
|
\fRsudoers\fR:
|
||||||
and uses this to determine the search order.
|
and uses this to determine the search order.
|
||||||
Note that
|
Note that by default,
|
||||||
\fBsudo\fR
|
\fBsudo\fR
|
||||||
does
|
does not stop searching after the first match and later matches take
|
||||||
not stop searching after the first match and later matches take
|
precedence over earlier ones (unless
|
||||||
precedence over earlier ones.
|
\fR[SUCCESS=return]\fR
|
||||||
|
is used, see below).
|
||||||
The following sources are recognized:
|
The following sources are recognized:
|
||||||
.PP
|
.PP
|
||||||
.RS 4n
|
.RS 4n
|
||||||
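Review bot: the added parenthetical "(unless [SUCCESS=return] is used, see below)" hangs off a sentence that makes two claims, that sudo does not stop searching after the first match and that later matches take precedence, so it is unclear which of the two the exception modifies. Suggest stating the default in one sentence and the exception in a second one that ties [SUCCESS=return] explicitly to ending the search at the preceding source.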
@@ -1337,10 +1338,21 @@ read sudoers from LDAP
|
|||||||
.RE
|
.RE
|
||||||
.PD
|
.PD
|
||||||
.PP
|
.PP
|
||||||
In addition, the entry
|
In addition, a subset of
|
||||||
\fR[NOTFOUND=return]\fR
|
\fInsswitch.conf\fR-style
|
||||||
will short-circuit the search if the user was not found in the
|
action statements is supported, specifically
|
||||||
preceding source.
|
\fR[SUCCESS=return]\fR
|
||||||
|
and
|
||||||
|
\fR[NOTFOUND=return]\fR.
|
||||||
|
These will unconditionally terminate the search if the user was either
|
||||||
|
found
|
||||||
|
(\fR[SUCCESS=return]\fR)
|
||||||
|
or not found
|
||||||
|
(\fR[NOTFOUND=return]\fR)
|
||||||
|
in the immediately preceding source.
|
||||||
|
Other action statements tokens are not supported, nor is test
|
||||||
|
negation with
|
||||||
|
\(oq\&!\(cq.
|
||||||
.PP
|
.PP
|
||||||
To consult LDAP first followed by the local sudoers file (if it
|
To consult LDAP first followed by the local sudoers file (if it
|
||||||
exists), use:
|
exists), use:
|
||||||
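Review bot: "These will unconditionally terminate the search if the user was either found ... or not found" pairs "unconditionally" with a condition, which reads as a contradiction; dropping "unconditionally" or writing "terminate the search immediately" would say what is meant. In the last added sentence, "Other action statements tokens" should read "Other action statement tokens".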
@@ -1351,6 +1363,15 @@ sudoers: ldap files
|
|||||||
.RE
|
.RE
|
||||||
.fi
|
.fi
|
||||||
.PP
|
.PP
|
||||||
|
To consult LDAP only when no match is found in the local sudoers
|
||||||
|
file (if it exists), use:
|
||||||
|
.nf
|
||||||
|
.sp
|
||||||
|
.RS 4n
|
||||||
|
sudoers: files [SUCCESS=return] ldap
|
||||||
|
.RE
|
||||||
|
.fi
|
||||||
|
.PP
|
||||||
The local
|
The local
|
||||||
\fIsudoers\fR
|
\fIsudoers\fR
|
||||||
file can be ignored completely by using:
|
file can be ignored completely by using:
|
||||||
|
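Review bot: the new example "sudoers: files [SUCCESS=return] ldap" is documented without its consequence for centrally managed policy. The earlier hunk states that by default later matches take precedence, so with "files ldap" an LDAP entry can override a local one, whereas with this line LDAP is not consulted at all once the local file succeeds. Suggest a sentence after the example saying that LDAP entries, including ones meant to restrict the user, are not applied in that case.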
@@ -1,7 +1,7 @@
|
|||||||
.\"
|
.\"
|
||||||
.\" SPDX-License-Identifier: ISC
|
.\" SPDX-License-Identifier: ISC
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright (c) 2003-2020 Todd C. Miller <Todd.Miller@sudo.ws>
|
.\" Copyright (c) 2003-2021 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||||
.\"
|
.\"
|
||||||
.\" Permission to use, copy, modify, and distribute this software for any
|
.\" Permission to use, copy, modify, and distribute this software for any
|
||||||
.\" purpose with or without fee is hereby granted, provided that the above
|
.\" purpose with or without fee is hereby granted, provided that the above
|
||||||
@@ -15,7 +15,7 @@
|
|||||||
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
.\"
|
.\"
|
||||||
.Dd October 29, 2020
|
.Dd April 5, 2021
|
||||||
.Dt SUDOERS.LDAP @mansectform@
|
.Dt SUDOERS.LDAP @mansectform@
|
||||||
.Os Sudo @PACKAGE_VERSION@
|
.Os Sudo @PACKAGE_VERSION@
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@@ -1211,11 +1211,12 @@ search order.
|
|||||||
Sudo looks for a line beginning with
|
Sudo looks for a line beginning with
|
||||||
.Li sudoers :
|
.Li sudoers :
|
||||||
and uses this to determine the search order.
|
and uses this to determine the search order.
|
||||||
Note that
|
Note that by default,
|
||||||
.Nm sudo
|
.Nm sudo
|
||||||
does
|
does not stop searching after the first match and later matches take
|
||||||
not stop searching after the first match and later matches take
|
precedence over earlier ones (unless
|
||||||
precedence over earlier ones.
|
.Li [SUCCESS=return]
|
||||||
|
is used, see below).
|
||||||
The following sources are recognized:
|
The following sources are recognized:
|
||||||
.Pp
|
.Pp
|
||||||
.Bl -tag -width 8n -offset 4n -compact
|
.Bl -tag -width 8n -offset 4n -compact
|
||||||
@@ -1226,10 +1227,21 @@ read sudoers from
|
|||||||
read sudoers from LDAP
|
read sudoers from LDAP
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
In addition, the entry
|
In addition, a subset of
|
||||||
.Li [NOTFOUND=return]
|
.Pa nsswitch.conf Ns -style
|
||||||
will short-circuit the search if the user was not found in the
|
action statements is supported, specifically
|
||||||
preceding source.
|
.Li [SUCCESS=return]
|
||||||
|
and
|
||||||
|
.Li [NOTFOUND=return] .
|
||||||
|
These will unconditionally terminate the search if the user was either
|
||||||
|
found
|
||||||
|
.No ( Li [SUCCESS=return] )
|
||||||
|
or not found
|
||||||
|
.No ( Li [NOTFOUND=return] )
|
||||||
|
in the immediately preceding source.
|
||||||
|
Other action statements tokens are not supported, nor is test
|
||||||
|
negation with
|
||||||
|
.Ql \&! .
|
||||||
.Pp
|
.Pp
|
||||||
To consult LDAP first followed by the local sudoers file (if it
|
To consult LDAP first followed by the local sudoers file (if it
|
||||||
exists), use:
|
exists), use:
|
||||||
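Review bot: the added sentence "Other action statements tokens are not supported, nor is test negation" does not say what sudo does when it meets one of them on the sudoers line. An administrator who copies an entry from another nsswitch.conf database needs to know whether the unsupported token is ignored or treated as an error; suggest adding a sentence that states the behavior.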
@@ -1237,6 +1249,12 @@ exists), use:
|
|||||||
sudoers: ldap files
|
sudoers: ldap files
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
|
To consult LDAP only when no match is found in the local sudoers
|
||||||
|
file (if it exists), use:
|
||||||
|
.Bd -literal -offset 4n
|
||||||
|
sudoers: files [SUCCESS=return] ldap
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
The local
|
The local
|
||||||
.Em sudoers
|
.Em sudoers
|
||||||
file can be ignored completely by using:
|
file can be ignored completely by using:
|
||||||
|
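Review bot: the lead-in to the new example says LDAP is consulted "only when no match is found in the local sudoers file", while the preceding hunk defines [SUCCESS=return] in terms of "the user was ... found" in the preceding source. "Match" and "user found" are not obviously the same condition, so suggest using one term in both places so that readers can tell exactly when the search stops.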