isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Cosmetic changes.

Browse Source
This commit is contained in:
Todd C. Miller
2012-08-17 15:58:06 -04:00
parent 3bef51c62d
commit 7afcef8ee8
7 changed files with 132 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
doc/fixman.sh
View File

@@ -103,7 +103,6 @@ case "$OUTFILE" in
fi fi
# SELinux # SELinux
SE_SED=
if [ X"$SEMAN" != X"1" ]; then if [ X"$SEMAN" != X"1" ]; then
cat >>"$OUTFILE" <<-EOF cat >>"$OUTFILE" <<-EOF
s/SELinux_Spec? // s/SELinux_Spec? //

12
doc/sudo.cat
View File

@@ -25,7 +25,7 @@ DDEESSCCRRIIPPTTIIOONN
ssuuddoo supports a plugin architecture for security policies and ssuuddoo supports a plugin architecture for security policies and
input/output logging. Third parties can develop and distribute their own input/output logging. Third parties can develop and distribute their own
policy and I/O logging modules to work seamlessly with the ssuuddoo front policy and I/O logging plugins to work seamlessly with the ssuuddoo front
end. The default security policy is _s_u_d_o_e_r_s, which is configured via the end. The default security policy is _s_u_d_o_e_r_s, which is configured via the
file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more
information. information.
@@ -60,8 +60,8 @@ DDEESSCCRRIIPPTTIIOONN
if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass
program, that value will be used. For example: program, that value will be used. For example:
# Path to askpass helper program # Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass Path askpass /usr/X11R6/bin/ssh-askpass
If no askpass program is available, ssuuddoo will exit with an If no askpass program is available, ssuuddoo will exit with an
error. error.
@@ -232,8 +232,8 @@ DDEESSCCRRIIPPTTIIOONN
%u expanded to the invoking user's login name %u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a single %% two consecutive `%' characters are collapsed into a
% character single `%' character
The prompt specified by the --pp option will override the The prompt specified by the --pp option will override the
system password prompt on systems that support PAM unless the system password prompt on systems that support PAM unless the
@@ -574,7 +574,7 @@ CCAAVVEEAATTSS
user is allowed to run arbitrary commands via ssuuddoo. Also, many programs user is allowed to run arbitrary commands via ssuuddoo. Also, many programs
(such as editors) allow the user to run commands via shell escapes, thus (such as editors) allow the user to run commands via shell escapes, thus
avoiding ssuuddoo's checks. However, on most systems it is possible to avoiding ssuuddoo's checks. However, on most systems it is possible to
prevent shell escapes with the sudoers(4) module's _n_o_e_x_e_c functionality. prevent shell escapes with the sudoers(4) plugin's _n_o_e_x_e_c functionality.
It is not meaningful to run the cd command directly via sudo, e.g., It is not meaningful to run the cd command directly via sudo, e.g.,

17
doc/sudo.man.in
View File

@@ -95,7 +95,7 @@ option was specified).
supports a plugin architecture for security policies and input/output supports a plugin architecture for security policies and input/output
logging. logging.
Third parties can develop and distribute their own policy and I/O Third parties can develop and distribute their own policy and I/O
logging modules to work seamlessly with the logging plugins to work seamlessly with the
\fBsudo\fR \fBsudo\fR
front end. front end.
The default security policy is The default security policy is
@@ -174,9 +174,9 @@ For example:
.RS .RS
.nf .nf
.sp .sp
.RS 1n .RS 4n
# Path to askpass helper program # Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass Path askpass /usr/X11R6/bin/ssh-askpass
.RE .RE
.fi .fi
.sp .sp
@@ -539,9 +539,9 @@ expanded to the invoking user's login name
.TP 4n .TP 4n
\fR%%\fR \fR%%\fR
two consecutive two consecutive
\fR%\fR `%'
characters are collapsed into a single characters are collapsed into a single
\fR%\fR `%'
character character
.PP .PP
The prompt specified by the The prompt specified by the
@@ -971,7 +971,8 @@ To prevent command spoofing,
\fBsudo\fR \fBsudo\fR
checks "." and "" (both denoting current directory) last when checks "." and "" (both denoting current directory) last when
searching for a command in the user's searching for a command in the user's
\fRPATH (if one or both are in the\fR \fRPATH\fR
(if one or both are in the
\fRPATH\fR). \fRPATH\fR).
Note, however, that the actual Note, however, that the actual
\fRPATH\fR \fRPATH\fR
@@ -1232,7 +1233,7 @@ via shell escapes, thus avoiding
checks. checks.
However, on most systems it is possible to prevent shell escapes with the However, on most systems it is possible to prevent shell escapes with the
sudoers(@mansectform@) sudoers(@mansectform@)
module's plugin's
\fInoexec\fR \fInoexec\fR
functionality. functionality.
.PP .PP

17
doc/sudo.mdoc.in
View File

@@ -135,7 +135,7 @@ option was specified).
supports a plugin architecture for security policies and input/output supports a plugin architecture for security policies and input/output
logging. logging.
Third parties can develop and distribute their own policy and I/O Third parties can develop and distribute their own policy and I/O
logging modules to work seamlessly with the logging plugins to work seamlessly with the
.Nm sudo .Nm sudo
front end. front end.
The default security policy is The default security policy is
@@ -211,9 +211,9 @@ Otherwise, if
contains a line specifying the askpass program, that value will be contains a line specifying the askpass program, that value will be
used. used.
For example: For example:
.Bd -literal -offset 4 .Bd -literal -offset 4n
# Path to askpass helper program # Path to askpass helper program
Path askpass /usr/X11R6/bin/ssh-askpass Path askpass /usr/X11R6/bin/ssh-askpass
.Ed .Ed
.Pp .Pp
If no askpass program is available, If no askpass program is available,
@@ -543,9 +543,9 @@ option is also specified)
expanded to the invoking user's login name expanded to the invoking user's login name
.It Li %% .It Li %%
two consecutive two consecutive
.Li % .Ql %
characters are collapsed into a single characters are collapsed into a single
.Li % .Ql %
character character
.El .El
.Pp .Pp
@@ -944,7 +944,8 @@ To prevent command spoofing,
.Nm sudo .Nm sudo
checks "." and "" (both denoting current directory) last when checks "." and "" (both denoting current directory) last when
searching for a command in the user's searching for a command in the user's
.Ev PATH (if one or both are in the .Ev PATH
(if one or both are in the
.Ev PATH ) . .Ev PATH ) .
Note, however, that the actual Note, however, that the actual
.Ev PATH .Ev PATH
@@ -1168,7 +1169,7 @@ via shell escapes, thus avoiding
checks. checks.
However, on most systems it is possible to prevent shell escapes with the However, on most systems it is possible to prevent shell escapes with the
.Xr sudoers @mansectform@ .Xr sudoers @mansectform@
module's plugin's
.Em noexec .Em noexec
functionality. functionality.
.Pp .Pp

35
doc/sudoers.cat
View File

@@ -1534,22 +1534,21 @@ LLOOGG FFOORRMMAATT
listed, depending on the type of error. listed, depending on the type of error.
problem with defaults entries problem with defaults entries
The sudoers file contains one or more unknown Defaults settings. This The _s_u_d_o_e_r_s file contains one or more unknown Defaults settings. This
does not prevent ssuuddoo from running, but the sudoers file should be does not prevent ssuuddoo from running, but the _s_u_d_o_e_r_s file should be
checked using vviissuuddoo. checked using vviissuuddoo.
timestamp owner (@timestampowner@): No such user timestamp owner (username): No such user
The time stamp directory owner, which defaults to @timestampowner@ but The time stamp directory owner, as specified by the _t_i_m_e_s_t_a_m_p_o_w_n_e_r
which may be specified via the _t_i_m_e_s_t_a_m_p_o_w_n_e_r setting, could not be setting, could not be found in the password database.
found in the password database.
unable to open/read /etc/sudoers unable to open/read /etc/sudoers
The sudoers file could not be opened for reading. This can happen The _s_u_d_o_e_r_s file could not be opened for reading. This can happen
when the sudoers file is located on a remote file system that maps when the _s_u_d_o_e_r_s file is located on a remote file system that maps
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open user ID 0 to a different value. Normally, ssuuddooeerrss tries to open
sudoers using group permissions to avoid this problem. Consider _s_u_d_o_e_r_s using group permissions to avoid this problem. Consider
changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like
``sudoers_uid=N'' (where `N' is the user ID that owns the sudoers ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
unable to stat /etc/sudoers unable to stat /etc/sudoers
@@ -1560,22 +1559,22 @@ LLOOGG FFOORRMMAATT
link. link.
/etc/sudoers is owned by uid N, should be 0 /etc/sudoers is owned by uid N, should be 0
The sudoers file has the wrong owner. If you wish to change the The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the
sudoers file owner, please add ``sudoers_uid=N'' (where `N' is the _s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the
user ID that owns the sudoers file) to the ssuuddooeerrss plugin line in the user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
/etc/sudoers is world writable /etc/sudoers is world writable
The permissions on the sudoers file allow all users to write to it. The permissions on the _s_u_d_o_e_r_s file allow all users to write to it.
The sudoers file must not be world-writable, the default file mode is The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is
0440 (readable by owner and group, writable by none). The default 0440 (readable by owner and group, writable by none). The default
mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss
plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
/etc/sudoers is owned by gid N, should be 1 /etc/sudoers is owned by gid N, should be 1
The sudoers file has the wrong group ownership. If you wish to change The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change
the sudoers file group ownership, please add ``sudoers_gid=N'' (where the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where
`N' is the group ID that owns the sudoers file) to the ssuuddooeerrss plugin `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin
line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
unable to open /var/adm/sudo/username/ttyname unable to open /var/adm/sudo/username/ttyname

64
doc/sudoers.man.in
View File

@@ -3193,33 +3193,43 @@ In some cases, the actual error may be one line above or below the
line number listed, depending on the type of error. line number listed, depending on the type of error.
.TP 3n .TP 3n
problem with defaults entries problem with defaults entries
The sudoers file contains one or more unknown Defaults settings. The
\fIsudoers\fR
file contains one or more unknown Defaults settings.
This does not prevent This does not prevent
\fBsudo\fR \fBsudo\fR
from running, but the sudoers file should be checked using from running, but the
\fIsudoers\fR
file should be checked using
\fBvisudo\fR. \fBvisudo\fR.
.TP 3n .TP 3n
timestamp owner (@timestampowner@): \&No such user timestamp owner (username): \&No such user
The time stamp directory owner, which defaults to The time stamp directory owner, as specified by the
@timestampowner@ but which may be specified via the
\fItimestampowner\fR \fItimestampowner\fR
setting, could not be found in the password database. setting, could not be found in the password database.
.TP 3n .TP 3n
unable to open/read @sysconfdir@/sudoers unable to open/read @sysconfdir@/sudoers
The sudoers file could not be opened for reading. The
This can happen when the sudoers file is located on a remote \fIsudoers\fR
file system that maps user ID 0 to a different value. file could not be opened for reading.
This can happen when the
\fIsudoers\fR
file is located on a remote file system that maps user ID 0 to
a different value.
Normally, Normally,
\fBsudoers\fR \fBsudoers\fR
tries to open sudoers using group permissions to avoid this problem. tries to open
\fIsudoers\fR
using group permissions to avoid this problem.
Consider changing the ownership of Consider changing the ownership of
\fI@sysconfdir@/sudoers\fR \fI@sysconfdir@/sudoers\fR
by adding an option like by adding an option like
``sudoers_uid=N'' ``sudoers_uid=N''
(where (where
`N' `N'
is the user ID that owns the sudoers file) is the user ID that owns the
to the \fIsudoers\fR
file) to the
\fBsudoers\fR \fBsudoers\fR
plugin line in the plugin line in the
\fI@sysconfdir@/sudo.conf\fR \fI@sysconfdir@/sudo.conf\fR
@@ -3236,20 +3246,30 @@ The
file exists but is not a regular file or symbolic link. file exists but is not a regular file or symbolic link.
.TP 3n .TP 3n
@sysconfdir@/sudoers is owned by uid N, should be 0 @sysconfdir@/sudoers is owned by uid N, should be 0
The sudoers file has the wrong owner. The
If you wish to change the sudoers file owner, please add \fIsudoers\fR
file has the wrong owner.
If you wish to change the
\fIsudoers\fR
file owner, please add
``sudoers_uid=N'' ``sudoers_uid=N''
(where (where
`N' `N'
is the user ID that owns the sudoers file) to the is the user ID that owns the
\fIsudoers\fR
file) to the
\fBsudoers\fR \fBsudoers\fR
plugin line in the plugin line in the
\fI@sysconfdir@/sudo.conf\fR \fI@sysconfdir@/sudo.conf\fR
file. file.
.TP 3n .TP 3n
@sysconfdir@/sudoers is world writable @sysconfdir@/sudoers is world writable
The permissions on the sudoers file allow all users to write to it. The permissions on the
The sudoers file must not be world-writable, the default file mode \fIsudoers\fR
file allow all users to write to it.
The
\fIsudoers\fR
file must not be world-writable, the default file mode
is 0440 (readable by owner and group, writable by none). is 0440 (readable by owner and group, writable by none).
The default mode may be changed via the The default mode may be changed via the
``sudoers_mode'' ``sudoers_mode''
@@ -3260,12 +3280,18 @@ plugin line in the
file. file.
.TP 3n .TP 3n
@sysconfdir@/sudoers is owned by gid N, should be 1 @sysconfdir@/sudoers is owned by gid N, should be 1
The sudoers file has the wrong group ownership. The
If you wish to change the sudoers file group ownership, please add \fIsudoers\fR
file has the wrong group ownership.
If you wish to change the
\fIsudoers\fR
file group ownership, please add
``sudoers_gid=N'' ``sudoers_gid=N''
(where (where
`N' `N'
is the group ID that owns the sudoers file) to the is the group ID that owns the
\fIsudoers\fR
file) to the
\fBsudoers\fR \fBsudoers\fR
plugin line in the plugin line in the
\fI@sysconfdir@/sudo.conf\fR \fI@sysconfdir@/sudo.conf\fR

66
doc/sudoers.mdoc.in
View File

@@ -1633,7 +1633,7 @@ is usually specified in the
.Pa @nsswitch_conf@ , .Pa @nsswitch_conf@ ,
.Pa @netsvc_conf@ , .Pa @netsvc_conf@ ,
.Pa /etc/host.conf , .Pa /etc/host.conf ,
or, in some cases, or, in some cases,
.Pa /etc/resolv.conf .Pa /etc/resolv.conf
file. file.
In the In the
@@ -2969,31 +2969,41 @@ encountered an error when parsing the specified file.
In some cases, the actual error may be one line above or below the In some cases, the actual error may be one line above or below the
line number listed, depending on the type of error. line number listed, depending on the type of error.
.It problem with defaults entries .It problem with defaults entries
The sudoers file contains one or more unknown Defaults settings. The
.Em sudoers
file contains one or more unknown Defaults settings.
This does not prevent This does not prevent
.Nm sudo .Nm sudo
from running, but the sudoers file should be checked using from running, but the
.Em sudoers
file should be checked using
.Nm visudo . .Nm visudo .
.It timestamp owner (@timestampowner@): \&No such user .It timestamp owner (username): \&No such user
The time stamp directory owner, which defaults to The time stamp directory owner, as specified by the
@timestampowner@ but which may be specified via the
.Em timestampowner .Em timestampowner
setting, could not be found in the password database. setting, could not be found in the password database.
.It unable to open/read @sysconfdir@/sudoers .It unable to open/read @sysconfdir@/sudoers
The sudoers file could not be opened for reading. The
This can happen when the sudoers file is located on a remote .Em sudoers
file system that maps user ID 0 to a different value. file could not be opened for reading.
This can happen when the
.Em sudoers
file is located on a remote file system that maps user ID 0 to
a different value.
Normally, Normally,
.Nm sudoers .Nm sudoers
tries to open sudoers using group permissions to avoid this problem. tries to open
.Em sudoers
using group permissions to avoid this problem.
Consider changing the ownership of Consider changing the ownership of
.Pa @sysconfdir@/sudoers .Pa @sysconfdir@/sudoers
by adding an option like by adding an option like
.Dq sudoers_uid=N .Dq sudoers_uid=N
(where (where
.Sq N .Sq N
is the user ID that owns the sudoers file) is the user ID that owns the
to the .Em sudoers
file) to the
.Nm sudoers .Nm sudoers
plugin line in the plugin line in the
.Pa @sysconfdir@/sudo.conf .Pa @sysconfdir@/sudo.conf
@@ -3007,19 +3017,29 @@ The
.Pa @sysconfdir@/sudoers .Pa @sysconfdir@/sudoers
file exists but is not a regular file or symbolic link. file exists but is not a regular file or symbolic link.
.It @sysconfdir@/sudoers is owned by uid N, should be 0 .It @sysconfdir@/sudoers is owned by uid N, should be 0
The sudoers file has the wrong owner. The
If you wish to change the sudoers file owner, please add .Em sudoers
file has the wrong owner.
If you wish to change the
.Em sudoers
file owner, please add
.Dq sudoers_uid=N .Dq sudoers_uid=N
(where (where
.Sq N .Sq N
is the user ID that owns the sudoers file) to the is the user ID that owns the
.Em sudoers
file) to the
.Nm sudoers .Nm sudoers
plugin line in the plugin line in the
.Pa @sysconfdir@/sudo.conf .Pa @sysconfdir@/sudo.conf
file. file.
.It @sysconfdir@/sudoers is world writable .It @sysconfdir@/sudoers is world writable
The permissions on the sudoers file allow all users to write to it. The permissions on the
The sudoers file must not be world-writable, the default file mode .Em sudoers
file allow all users to write to it.
The
.Em sudoers
file must not be world-writable, the default file mode
is 0440 (readable by owner and group, writable by none). is 0440 (readable by owner and group, writable by none).
The default mode may be changed via the The default mode may be changed via the
.Dq sudoers_mode .Dq sudoers_mode
@@ -3029,12 +3049,18 @@ plugin line in the
.Pa @sysconfdir@/sudo.conf .Pa @sysconfdir@/sudo.conf
file. file.
.It @sysconfdir@/sudoers is owned by gid N, should be 1 .It @sysconfdir@/sudoers is owned by gid N, should be 1
The sudoers file has the wrong group ownership. The
If you wish to change the sudoers file group ownership, please add .Em sudoers
file has the wrong group ownership.
If you wish to change the
.Em sudoers
file group ownership, please add
.Dq sudoers_gid=N .Dq sudoers_gid=N
(where (where
.Sq N .Sq N
is the group ID that owns the sudoers file) to the is the group ID that owns the
.Em sudoers
file) to the
.Nm sudoers .Nm sudoers
plugin line in the plugin line in the
.Pa @sysconfdir@/sudo.conf .Pa @sysconfdir@/sudo.conf