From 7afcef8ee89f12e3525d35fa0a8acdccd7fd36be Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 17 Aug 2012 15:58:06 -0400 Subject: [PATCH] Cosmetic changes. --- doc/fixman.sh | 1 - doc/sudo.cat | 12 ++++----- doc/sudo.man.in | 17 ++++++------ doc/sudo.mdoc.in | 17 ++++++------ doc/sudoers.cat | 35 ++++++++++++------------ doc/sudoers.man.in | 64 ++++++++++++++++++++++++++++++------------- doc/sudoers.mdoc.in | 66 +++++++++++++++++++++++++++++++-------------- 7 files changed, 132 insertions(+), 80 deletions(-) diff --git a/doc/fixman.sh b/doc/fixman.sh index 90828a314..05c54db3a 100755 --- a/doc/fixman.sh +++ b/doc/fixman.sh @@ -103,7 +103,6 @@ case "$OUTFILE" in fi # SELinux - SE_SED= if [ X"$SEMAN" != X"1" ]; then cat >>"$OUTFILE" <<-EOF s/SELinux_Spec? // diff --git a/doc/sudo.cat b/doc/sudo.cat index d91d154f3..60d41961d 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -25,7 +25,7 @@ DDEESSCCRRIIPPTTIIOONN ssuuddoo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own - policy and I/O logging modules to work seamlessly with the ssuuddoo front + policy and I/O logging plugins to work seamlessly with the ssuuddoo front end. The default security policy is _s_u_d_o_e_r_s, which is configured via the file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more information. @@ -60,8 +60,8 @@ DDEESSCCRRIIPPTTIIOONN if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass program, that value will be used. For example: - # Path to askpass helper program - Path askpass /usr/X11R6/bin/ssh-askpass + # Path to askpass helper program + Path askpass /usr/X11R6/bin/ssh-askpass If no askpass program is available, ssuuddoo will exit with an error. 
@@ -232,8 +232,8 @@ DDEESSCCRRIIPPTTIIOONN %u expanded to the invoking user's login name - %% two consecutive % characters are collapsed into a single - % character + %% two consecutive `%' characters are collapsed into a + single `%' character The prompt specified by the --pp option will override the system password prompt on systems that support PAM unless the @@ -574,7 +574,7 @@ CCAAVVEEAATTSS user is allowed to run arbitrary commands via ssuuddoo. Also, many programs (such as editors) allow the user to run commands via shell escapes, thus avoiding ssuuddoo's checks. However, on most systems it is possible to - prevent shell escapes with the sudoers(4) module's _n_o_e_x_e_c functionality. + prevent shell escapes with the sudoers(4) plugin's _n_o_e_x_e_c functionality. It is not meaningful to run the cd command directly via sudo, e.g., diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 337462623..b1f11ccae 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -95,7 +95,7 @@ option was specified). supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O -logging modules to work seamlessly with the +logging plugins to work seamlessly with the \fBsudo\fR front end. The default security policy is @@ -174,9 +174,9 @@ For example: .RS .nf .sp -.RS 1n - # Path to askpass helper program - Path askpass /usr/X11R6/bin/ssh-askpass +.RS 4n +# Path to askpass helper program +Path askpass /usr/X11R6/bin/ssh-askpass .RE .fi .sp @@ -539,9 +539,9 @@ expanded to the invoking user's login name .TP 4n \fR%%\fR two consecutive -\fR%\fR +`%' characters are collapsed into a single -\fR%\fR +`%' character .PP The prompt specified by the 
@@ -971,7 +971,8 @@ To prevent command spoofing, \fBsudo\fR checks "." and "" (both denoting current directory) last when searching for a command in the user's -\fRPATH (if one or both are in the\fR +\fRPATH\fR +(if one or both are in the \fRPATH\fR). Note, however, that the actual \fRPATH\fR @@ -1232,7 +1233,7 @@ via shell escapes, thus avoiding checks. However, on most systems it is possible to prevent shell escapes with the sudoers(@mansectform@) -module's +plugin's \fInoexec\fR functionality. .PP diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 23e98121d..ae1e21b99 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in @@ -135,7 +135,7 @@ option was specified). supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O -logging modules to work seamlessly with the +logging plugins to work seamlessly with the .Nm sudo front end. The default security policy is @@ -211,9 +211,9 @@ Otherwise, if contains a line specifying the askpass program, that value will be used. For example: -.Bd -literal -offset 4 - # Path to askpass helper program - Path askpass /usr/X11R6/bin/ssh-askpass +.Bd -literal -offset 4n +# Path to askpass helper program +Path askpass /usr/X11R6/bin/ssh-askpass .Ed .Pp If no askpass program is available, @@ -543,9 +543,9 @@ option is also specified) expanded to the invoking user's login name .It Li %% two consecutive -.Li % +.Ql % characters are collapsed into a single -.Li % +.Ql % character .El .Pp @@ -944,7 +944,8 @@ To prevent command spoofing, .Nm sudo checks "." and "" (both denoting current directory) last when searching for a command in the user's -.Ev PATH (if one or both are in the +.Ev PATH +(if one or both are in the .Ev PATH ) . Note, however, that the actual .Ev PATH 
@@ -1168,7 +1169,7 @@ via shell escapes, thus avoiding checks. However, on most systems it is possible to prevent shell escapes with the .Xr sudoers @mansectform@ -module's +plugin's .Em noexec functionality. .Pp diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 5103e99e5..c959b75f0 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -1534,22 +1534,21 @@ LLOOGG FFOORRMMAATT listed, depending on the type of error. problem with defaults entries - The sudoers file contains one or more unknown Defaults settings. This - does not prevent ssuuddoo from running, but the sudoers file should be + The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This + does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be checked using vviissuuddoo. - timestamp owner (@timestampowner@): No such user - The time stamp directory owner, which defaults to @timestampowner@ but - which may be specified via the _t_i_m_e_s_t_a_m_p_o_w_n_e_r setting, could not be - found in the password database. + timestamp owner (username): No such user + The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r + setting, could not be found in the password database. unable to open/read /etc/sudoers - The sudoers file could not be opened for reading. This can happen - when the sudoers file is located on a remote file system that maps + The _s_u_d_o_e_r_s file could not be opened for reading. This can happen + when the _s_u_d_o_e_r_s file is located on a remote file system that maps user ID 0 to a different value. Normally, ssuuddooeerrss tries to open - sudoers using group permissions to avoid this problem. Consider + _s_u_d_o_e_r_s using group permissions to avoid this problem. Consider changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like - ``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers + ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. unable to stat /etc/sudoers 
@@ -1560,22 +1559,22 @@ LLOOGG FFOORRMMAATT link. /etc/sudoers is owned by uid N, should be 0 - The sudoers file has the wrong owner. If you wish to change the - sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the - user ID that owns the sudoers file) to the ssuuddooeerrss plugin line in the + The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the + _s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the + user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. /etc/sudoers is world writable - The permissions on the sudoers file allow all users to write to it. - The sudoers file must not be world-writable, the default file mode is + The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. + The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. /etc/sudoers is owned by gid N, should be 1 - The sudoers file has the wrong group ownership. If you wish to change - the sudoers file group ownership, please add ``sudoers_gid=N'' (where - `N' is the group ID that owns the sudoers file) to the ssuuddooeerrss plugin + The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change + the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where + `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. unable to open /var/adm/sudo/username/ttyname diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 2ad491093..9a5622ee2 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -3193,33 +3193,43 @@ In some cases, the actual error may be one line above or below the line number listed, depending on the type of error. .TP 3n problem with defaults entries -The sudoers file contains one or more unknown Defaults settings. +The +\fIsudoers\fR +file contains one or more unknown Defaults settings. This does not prevent \fBsudo\fR -from running, but the sudoers file should be checked using +from running, but the +\fIsudoers\fR +file should be checked using \fBvisudo\fR. .TP 3n -timestamp owner (@timestampowner@): \&No such user -The time stamp directory owner, which defaults to -@timestampowner@ but which may be specified via the +timestamp owner (username): \&No such user +The time stamp directory owner, as specified by the \fItimestampowner\fR setting, could not be found in the password database. .TP 3n unable to open/read @sysconfdir@/sudoers -The sudoers file could not be opened for reading. -This can happen when the sudoers file is located on a remote -file system that maps user ID 0 to a different value. +The +\fIsudoers\fR +file could not be opened for reading. +This can happen when the +\fIsudoers\fR +file is located on a remote file system that maps user ID 0 to +a different value. Normally, \fBsudoers\fR -tries to open sudoers using group permissions to avoid this problem. +tries to open +\fIsudoers\fR +using group permissions to avoid this problem. Consider changing the ownership of \fI@sysconfdir@/sudoers\fR by adding an option like ``sudoers_uid=N'' (where `N' -is the user ID that owns the sudoers file) -to the +is the user ID that owns the +\fIsudoers\fR +file) to the \fBsudoers\fR plugin line in the \fI@sysconfdir@/sudo.conf\fR 
@@ -3236,20 +3246,30 @@ The file exists but is not a regular file or symbolic link. .TP 3n @sysconfdir@/sudoers is owned by uid N, should be 0 -The sudoers file has the wrong owner. -If you wish to change the sudoers file owner, please add +The +\fIsudoers\fR +file has the wrong owner. +If you wish to change the +\fIsudoers\fR +file owner, please add ``sudoers_uid=N'' (where `N' -is the user ID that owns the sudoers file) to the +is the user ID that owns the +\fIsudoers\fR +file) to the \fBsudoers\fR plugin line in the \fI@sysconfdir@/sudo.conf\fR file. .TP 3n @sysconfdir@/sudoers is world writable -The permissions on the sudoers file allow all users to write to it. -The sudoers file must not be world-writable, the default file mode +The permissions on the +\fIsudoers\fR +file allow all users to write to it. +The +\fIsudoers\fR +file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the ``sudoers_mode'' @@ -3260,12 +3280,18 @@ plugin line in the file. .TP 3n @sysconfdir@/sudoers is owned by gid N, should be 1 -The sudoers file has the wrong group ownership. -If you wish to change the sudoers file group ownership, please add +The +\fIsudoers\fR +file has the wrong group ownership. +If you wish to change the +\fIsudoers\fR +file group ownership, please add ``sudoers_gid=N'' (where `N' -is the group ID that owns the sudoers file) to the +is the group ID that owns the +\fIsudoers\fR +file) to the \fBsudoers\fR plugin line in the \fI@sysconfdir@/sudo.conf\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index b516d881b..509e56be5 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -1633,7 +1633,7 @@ is usually specified in the .Pa @nsswitch_conf@ , .Pa @netsvc_conf@ , .Pa /etc/host.conf , -or, in some cases, +or, in some cases, .Pa /etc/resolv.conf file. In the 
@@ -2969,31 +2969,41 @@ encountered an error when parsing the specified file. In some cases, the actual error may be one line above or below the line number listed, depending on the type of error. .It problem with defaults entries -The sudoers file contains one or more unknown Defaults settings. +The +.Em sudoers +file contains one or more unknown Defaults settings. This does not prevent .Nm sudo -from running, but the sudoers file should be checked using +from running, but the +.Em sudoers +file should be checked using .Nm visudo . -.It timestamp owner (@timestampowner@): \&No such user -The time stamp directory owner, which defaults to -@timestampowner@ but which may be specified via the +.It timestamp owner (username): \&No such user +The time stamp directory owner, as specified by the .Em timestampowner setting, could not be found in the password database. .It unable to open/read @sysconfdir@/sudoers -The sudoers file could not be opened for reading. -This can happen when the sudoers file is located on a remote -file system that maps user ID 0 to a different value. +The +.Em sudoers +file could not be opened for reading. +This can happen when the +.Em sudoers +file is located on a remote file system that maps user ID 0 to +a different value. Normally, .Nm sudoers -tries to open sudoers using group permissions to avoid this problem. +tries to open +.Em sudoers +using group permissions to avoid this problem. Consider changing the ownership of .Pa @sysconfdir@/sudoers by adding an option like .Dq sudoers_uid=N (where .Sq N -is the user ID that owns the sudoers file) -to the +is the user ID that owns the +.Em sudoers +file) to the .Nm sudoers plugin line in the .Pa @sysconfdir@/sudo.conf 
@@ -3007,19 +3017,29 @@ The .Pa @sysconfdir@/sudoers file exists but is not a regular file or symbolic link. .It @sysconfdir@/sudoers is owned by uid N, should be 0 -The sudoers file has the wrong owner. -If you wish to change the sudoers file owner, please add +The +.Em sudoers +file has the wrong owner. +If you wish to change the +.Em sudoers +file owner, please add .Dq sudoers_uid=N (where .Sq N -is the user ID that owns the sudoers file) to the +is the user ID that owns the +.Em sudoers +file) to the .Nm sudoers plugin line in the .Pa @sysconfdir@/sudo.conf file. .It @sysconfdir@/sudoers is world writable -The permissions on the sudoers file allow all users to write to it. -The sudoers file must not be world-writable, the default file mode +The permissions on the +.Em sudoers +file allow all users to write to it. +The +.Em sudoers +file must not be world-writable, the default file mode is 0440 (readable by owner and group, writable by none). The default mode may be changed via the .Dq sudoers_mode @@ -3029,12 +3049,18 @@ plugin line in the .Pa @sysconfdir@/sudo.conf file. .It @sysconfdir@/sudoers is owned by gid N, should be 1 -The sudoers file has the wrong group ownership. -If you wish to change the sudoers file group ownership, please add +The +.Em sudoers +file has the wrong group ownership. +If you wish to change the +.Em sudoers +file group ownership, please add .Dq sudoers_gid=N (where .Sq N -is the group ID that owns the sudoers file) to the +is the group ID that owns the +.Em sudoers +file) to the .Nm sudoers plugin line in the .Pa @sysconfdir@/sudo.conf
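Review bot: in the doc/fixman.sh hunk the removed `SE_SED=` line is the only initialisation of that variable visible here; please confirm nothing later in the script still expands `$SE_SED`, because without the empty assignment a variable of that name inherited from the caller's environment would be spliced into the generated sed script. If the variable is genuinely dead, the removal is correct and deserves a mention in the commit message rather than being folded under "Cosmetic changes".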
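Review bot: the doc/sudo.man.in hunk at @@ -971 (and its mdoc counterpart at @@ -944) is a real markup fix, not a cosmetic one: the old `\fRPATH (if one or both are in the\fR` left the parenthetical inside the font escape, and the replacement `\fRPATH\fR` followed by `(if one or both are in the` on its own line is what makes the text render in the intended font. A separate line in the commit message would make this fix findable in the history.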
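Review bot: the `timestamp owner (username): No such user` hunks in doc/sudoers.cat, doc/sudoers.man.in and doc/sudoers.mdoc.in drop the sentence "which defaults to @timestampowner@", so this section no longer states the default owner at all. If the default is documented under the `timestampowner` setting, a cross reference there would keep the information reachable; otherwise the default should stay. Also, `username` in the new message text is a placeholder like `N` in the neighbouring entries and should be marked as one (`\fIusername\fR` in the man source, `.Ar username` in the mdoc source) instead of reading as a literal word.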
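Review bot: in the `is world writable` hunks of doc/sudoers.man.in and doc/sudoers.mdoc.in, the new `+` lines rewrite the sentence ending in `file must not be world-writable, the default file mode` but keep its comma splice; since the sentence is being touched anyway, ending it after "world-writable" and starting a new one with "The default file mode is 0440 ..." would read better. The same splice survives in the regenerated doc/sudoers.cat (`The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is 0440`), so fixing the two sources and regenerating the .cat covers all three.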