Use a 4n indent for code blocks instead of the default 6n.

Todd C. Miller
2022-02-10 13:05:34 -07:00
parent 4e3a48f2d1
commit 7b5f0dfaf7
16 changed files with 154 additions and 154 deletions


@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "CVTSUDOERS" "1" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.TH "CVTSUDOERS" "1" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -537,7 +537,7 @@ of my-domain,dc=com, storing the result in
\fIsudoers.ldif\fR:
.nf
.sp
.RS 6n
.RS 4n
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \e
/etc/sudoers
.RE
@@ -549,7 +549,7 @@ to JSON format, storing the result in
\fIsudoers.json\fR:
.nf
.sp
.RS 6n
.RS 4n
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
.RE
.fi
@@ -562,7 +562,7 @@ on host
\fIhastur\fR:
.nf
.sp
.RS 6n
.RS 4n
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.RE
.fi
@@ -571,7 +571,7 @@ Same as above, but expand aliases and prune out any non-matching
users and hosts from the expanded entries.
.nf
.sp
.RS 6n
.RS 4n
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.RE
.fi
@@ -583,7 +583,7 @@ from LDIF to traditional
format:
.nf
.sp
.RS 6n
.RS 4n
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.RE
.fi
@@ -596,7 +596,7 @@ and
\(lqplugh\(rq:
.nf
.sp
.RS 6n
.RS 4n
$ cvtsudoers -f sudoers -o sudoers.merged sudoers \e
xyzzy:sudoers.xyzzy plugh:sudoers.plugh
.RE


@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 19, 2022
.Dd February 10, 2022
.Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -468,7 +468,7 @@ file uses a
.Em sudoers_base
of my-domain,dc=com, storing the result in
.Pa sudoers.ldif :
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \e
/etc/sudoers
.Ed
@@ -477,7 +477,7 @@ Convert
.Pa /etc/sudoers
to JSON format, storing the result in
.Pa sudoers.json :
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ cvtsudoers -f json -o sudoers.json /etc/sudoers
.Ed
.Pp
@@ -487,13 +487,13 @@ and display only rules that match user
.Em ambrose
on host
.Em hastur :
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.Ed
.Pp
Same as above, but expand aliases and prune out any non-matching
users and hosts from the expanded entries.
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
.Ed
.Pp
@@ -502,7 +502,7 @@ Convert
from LDIF to traditional
.Em sudoers
format:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
.Ed
.Pp
@@ -512,7 +512,7 @@ file with two host-specific policy files from the hosts
.Dq xyzzy
and
.Dq plugh :
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ cvtsudoers -f sudoers -o sudoers.merged sudoers \e
xyzzy:sudoers.xyzzy plugh:sudoers.plugh
.Ed


@@ -17,7 +17,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.TH "SUDO.CONF" "@mansectform@" "January 20, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO.CONF" "@mansectform@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -126,7 +126,7 @@ setting, which defaults to
In other words:
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_policy sudoers.so
.RE
.fi
@@ -134,7 +134,7 @@ Plugin sudoers_policy sudoers.so
is equivalent to:
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_policy @plugindir@/sudoers.so
.RE
.fi
@@ -148,7 +148,7 @@ as it does not actually exist in the file system.
For example:
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_policy sudoers.so
.RE
.fi
@@ -163,7 +163,7 @@ function.
For example, to override the compile-time default sudoers file mode:
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0440
.RE
.fi
@@ -190,7 +190,7 @@ plugin will be used as the default security policy, for I/O logging
This is equivalent to the following:
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so
@@ -228,7 +228,7 @@ keyword, followed by the name of the path to set and its value.
For example:
.nf
.sp
.RS 6n
.RS 4n
Path intercept @intercept_file@
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
@@ -373,7 +373,7 @@ to false in
as follows:
.nf
.sp
.RS 16n
.RS 14n
Set disable_coredump false
.RE
.fi
@@ -416,7 +416,7 @@ option to true in
as follows:
.nf
.sp
.RS 16n
.RS 14n
Set developer_mode true
.RE
.fi
@@ -510,7 +510,7 @@ For example, to cause
to only use the kernel's static list of groups for the user:
.nf
.sp
.RS 16n
.RS 14n
Set group_source static
.RE
.fi
@@ -551,7 +551,7 @@ If IP-based matching is not required, network interface probing
can be disabled as follows:
.nf
.sp
.RS 16n
.RS 14n
Set probe_interfaces false
.RE
.fi
@@ -587,7 +587,7 @@ as it does not include a comma
Examples:
.nf
.sp
.RS 6n
.RS 4n
Debug sudo /var/log/sudo_debug all@warn,plugin@info
.RE
.fi
@@ -599,7 +599,7 @@ level and higher in addition to those at the
level for the plugin subsystem.
.nf
.sp
.RS 6n
.RS 4n
Debug sudo_intercept.so /var/log/intercept_debug all@debug
.RE
.fi
@@ -659,7 +659,7 @@ For example, the following trace is for the
function located in src/sudo.c:
.nf
.sp
.RS 6n
.RS 4n
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
.RE


@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.nr SL @SEMAN@
.Dd January 20, 2022
.Dd February 10, 2022
.Dt SUDO.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -121,12 +121,12 @@ specified by the
setting, which defaults to
.Pa @plugindir@ .
In other words:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so
.Ed
.Pp
is equivalent to:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_policy @plugindir@/sudoers.so
.Ed
.Pp
@@ -137,7 +137,7 @@ binary instead of being installed as a dynamic shared object, the
should be specified without a leading directory,
as it does not actually exist in the file system.
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so
.Ed
.Pp
@@ -149,7 +149,7 @@ are passed as arguments to the plugin's
.Em open
function.
For example, to override the compile-time default sudoers file mode:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0440
.Ed
.Pp
@@ -173,7 +173,7 @@ lines, the
plugin will be used as the default security policy, for I/O logging
(if enabled by the policy), and for auditing.
This is equivalent to the following:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so
@@ -208,7 +208,7 @@ line consists of the
.Li Path
keyword, followed by the name of the path to set and its value.
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Path intercept @intercept_file@
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
@@ -344,7 +344,7 @@ crashes, you may wish to re-enable core dumps by setting
to false in
.Nm
as follows:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Set disable_coredump false
.Ed
.Pp
@@ -384,7 +384,7 @@ To make development of a plugin easier, you can disable that by setting
option to true in
.Nm sudo.conf
as follows:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Set developer_mode true
.Ed
.Pp
@@ -468,7 +468,7 @@ This is the default behavior on systems other than macOS in
For example, to cause
.Nm sudo
to only use the kernel's static list of groups for the user:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Set group_source static
.Ed
.Pp
@@ -503,7 +503,7 @@ On Linux systems with a large number of virtual interfaces, this may
take a non-negligible amount of time.
If IP-based matching is not required, network interface probing
can be disabled as follows:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Set probe_interfaces false
.Ed
.Pp
@@ -535,7 +535,7 @@ as it does not include a comma
.Pq Ql \&, .
.Pp
Examples:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Debug sudo /var/log/sudo_debug all@warn,plugin@info
.Ed
.Pp
@@ -544,7 +544,7 @@ would log all debugging statements at the
level and higher in addition to those at the
.Em info
level for the plugin subsystem.
.Bd -literal -offset indent
.Bd -literal -offset 4n
Debug sudo_intercept.so /var/log/intercept_debug all@debug
.Ed
.Pp
@@ -601,7 +601,7 @@ entered and when it returns.
For example, the following trace is for the
.Fn get_user_groups
function located in src/sudo.c:
.Bd -literal -offset indent
.Bd -literal -offset 4n
sudo[123] -> get_user_groups @ src/sudo.c:385
sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
.Ed


@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDO" "@mansectsu@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO" "@mansectsu@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -1103,7 +1103,7 @@ sudo.conf(@mansectform@)
file as follows:
.nf
.sp
.RS 6n
.RS 4n
Set disable_coredump false
.RE
.fi
@@ -1248,7 +1248,7 @@ policy.
To get a file listing of an unreadable directory:
.nf
.sp
.RS 6n
.RS 4n
$ sudo ls /usr/local/protected
.RE
.fi
@@ -1257,7 +1257,7 @@ To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
.nf
.sp
.RS 6n
.RS 4n
$ sudo -u yaz ls ~yaz
.RE
.fi
@@ -1267,7 +1267,7 @@ To edit the
file as user www:
.nf
.sp
.RS 6n
.RS 4n
$ sudoedit -u www ~www/htdocs/index.html
.RE
.fi
@@ -1276,7 +1276,7 @@ To view system logs only accessible to root and users in the adm
group:
.nf
.sp
.RS 6n
.RS 4n
$ sudo -g adm more /var/log/syslog
.RE
.fi
@@ -1284,7 +1284,7 @@ $ sudo -g adm more /var/log/syslog
To run an editor as jim with a different primary group:
.nf
.sp
.RS 6n
.RS 4n
$ sudoedit -u jim -g audio ~jim/sound.txt
.RE
.fi
@@ -1292,7 +1292,7 @@ $ sudoedit -u jim -g audio ~jim/sound.txt
To shut down a machine:
.nf
.sp
.RS 6n
.RS 4n
$ sudo shutdown -r +15 "quick reboot"
.RE
.fi
@@ -1303,7 +1303,7 @@ Note that this runs the commands in a sub-shell to make the
and file redirection work.
.nf
.sp
.RS 6n
.RS 4n
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.RE
.fi
@@ -1488,7 +1488,7 @@ It is not meaningful to run the
command directly via sudo, e.g.,
.nf
.sp
.RS 6n
.RS 4n
$ sudo cd /usr/local/protected
.RE
.fi


@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd January 19, 2022
.Dd February 10, 2022
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -1042,7 +1042,7 @@ crashes, you may wish to re-enable core dumps by setting
to false in the
.Xr sudo.conf @mansectform@
file as follows:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Set disable_coredump false
.Ed
.Pp
@@ -1171,36 +1171,36 @@ Note: the following examples assume a properly configured security
policy.
.Pp
To get a file listing of an unreadable directory:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudo ls /usr/local/protected
.Ed
.Pp
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudo -u yaz ls ~yaz
.Ed
.Pp
To edit the
.Pa index.html
file as user www:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudoedit -u www ~www/htdocs/index.html
.Ed
.Pp
To view system logs only accessible to root and users in the adm
group:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudo -g adm more /var/log/syslog
.Ed
.Pp
To run an editor as jim with a different primary group:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudoedit -u jim -g audio ~jim/sound.txt
.Ed
.Pp
To shut down a machine:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudo shutdown -r +15 "quick reboot"
.Ed
.Pp
@@ -1208,7 +1208,7 @@ To make a usage listing of the directories in the /home partition.
Note that this runs the commands in a sub-shell to make the
.Li cd
and file redirection work.
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Ed
.Sh DIAGNOSTICS
@@ -1376,7 +1376,7 @@ functionality.
It is not meaningful to run the
.Li cd
command directly via sudo, e.g.,
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudo cd /usr/local/protected
.Ed
.Pp


@@ -2,7 +2,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD" "@mansectsu@" "September 17, 2021" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO_LOGSRVD" "@mansectsu@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -171,7 +171,7 @@ We'll create a new directory hierarchy in
for this purpose.
.nf
.sp
.RS 6n
.RS 4n
# mkdir /etc/ssl/sudo
# cd /etc/ssl/sudo
# mkdir certs csr newcerts private
@@ -192,7 +192,7 @@ You will need to adjust the example below if it has a different location on
your system.
.nf
.sp
.RS 6n
.RS 4n
# cp /etc/ssl/openssl.cnf .
.RE
.fi
@@ -207,7 +207,7 @@ sections.
Those sections should include the following settings:
.nf
.sp
.RS 6n
.RS 4n
[ ca ]
default_ca = CA_default
@@ -233,7 +233,7 @@ a private key and a certificate for the root of the CA.
First, create the private key and protect it with a pass phrase:
.nf
.sp
.RS 6n
.RS 4n
# openssl genrsa -aes256 -out private/cakey.pem 4096
# chmod 400 private/cakey.pem
.RE
@@ -243,7 +243,7 @@ Next, generate the root certificate, using appropriate values for
the site-specific fields:
.nf
.sp
.RS 6n
.RS 4n
# openssl req -config openssl.cnf -key private/cakey.pem \e
-new -x509 -days 7300 -sha256 -extensions v3_ca \e
-out cacert.pem
@@ -272,7 +272,7 @@ Email Address []:
Finally, verify the root certificate:
.nf
.sp
.RS 6n
.RS 4n
# openssl x509 -noout -text -in cacert.pem
.RE
.fi
@@ -290,7 +290,7 @@ CSRs with the root CA.
First, generate the private key without a pass phrase.
.nf
.sp
.RS 6n
.RS 4n
# openssl genrsa -out private/logsrvd_key.pem 2048
# chmod 400 private/logsrvd_key.pem
.RE
@@ -302,7 +302,7 @@ The common name should be either the server's IP address or a fully
qualified domain name.
.nf
.sp
.RS 6n
.RS 4n
# openssl req -config openssl.cnf -key private/logsrvd_key.pem -new \e
-sha256 -out csr/logsrvd_csr.pem
@@ -333,7 +333,7 @@ An optional company name []:
Now sign the CSR that was just created:
.nf
.sp
.RS 6n
.RS 4n
# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \e
-in csr/logsrvd_csr.pem -out certs/logsrvd_cert.pem
@@ -374,7 +374,7 @@ Data Base Updated
Finally, verify the new certificate:
.nf
.sp
.RS 6n
.RS 4n
# openssl verify -CAfile cacert.pem certs/logsrvd_cert.pem
certs/logsrvd_cert.pem: OK
.RE
@@ -399,7 +399,7 @@ for TLS requires the following settings, assuming the same path
names used earlier:
.nf
.sp
.RS 6n
.RS 4n
# Listen on port 30344 for TLS connections to any address.
listen_address = *:30344(tls)


@@ -1,7 +1,7 @@
.\"
.\" SPDX-License-Identifier: ISC
.\"
.\" Copyright (c) 2019-2021 Todd C. Miller <Todd.Miller@sudo.ws>
.\" Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 17, 2021
.Dd February 10, 2022
.Dt SUDO_LOGSRVD @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -159,7 +159,7 @@ files for the CA.
We'll create a new directory hierarchy in
.Pa /etc/ssl/sudo
for this purpose.
.Bd -literal -offset indent
.Bd -literal -offset 4n
# mkdir /etc/ssl/sudo
# cd /etc/ssl/sudo
# mkdir certs csr newcerts private
@@ -177,7 +177,7 @@ The path to openssl.cnf is system-dependent but
is the most common location.
You will need to adjust the example below if it has a different location on
your system.
.Bd -literal -offset indent
.Bd -literal -offset 4n
# cp /etc/ssl/openssl.cnf .
.Ed
.Pp
@@ -189,7 +189,7 @@ and
.Dq CA_default
sections.
Those sections should include the following settings:
.Bd -literal -offset indent
.Bd -literal -offset 4n
[ ca ]
default_ca = CA_default
@@ -212,14 +212,14 @@ setting.
In order to create and sign our own certificates, we need to create
a private key and a certificate for the root of the CA.
First, create the private key and protect it with a pass phrase:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# openssl genrsa -aes256 -out private/cakey.pem 4096
# chmod 400 private/cakey.pem
.Ed
.Pp
Next, generate the root certificate, using appropriate values for
the site-specific fields:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# openssl req -config openssl.cnf -key private/cakey.pem \e
-new -x509 -days 7300 -sha256 -extensions v3_ca \e
-out cacert.pem
@@ -245,7 +245,7 @@ Email Address []:
.Ed
.Pp
Finally, verify the root certificate:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# openssl x509 -noout -text -in cacert.pem
.Ed
.Ss Creating and signing certificates
@@ -260,7 +260,7 @@ In this example we'll skip this part for simplicity's sake and sign the
CSRs with the root CA.
.Pp
First, generate the private key without a pass phrase.
.Bd -literal -offset indent
.Bd -literal -offset 4n
# openssl genrsa -out private/logsrvd_key.pem 2048
# chmod 400 private/logsrvd_key.pem
.Ed
@@ -269,7 +269,7 @@ Next, create a certificate signing request (CSR) for the server's certificate.
The organization name must match the name given in the root certificate.
The common name should be either the server's IP address or a fully
qualified domain name.
.Bd -literal -offset indent
.Bd -literal -offset 4n
# openssl req -config openssl.cnf -key private/logsrvd_key.pem -new \e
-sha256 -out csr/logsrvd_csr.pem
@@ -297,7 +297,7 @@ An optional company name []:
.Ed
.Pp
Now sign the CSR that was just created:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# openssl ca -config openssl.cnf -days 375 -notext -md sha256 \e
-in csr/logsrvd_csr.pem -out certs/logsrvd_cert.pem
@@ -335,7 +335,7 @@ Data Base Updated
.Ed
.Pp
Finally, verify the new certificate:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# openssl verify -CAfile cacert.pem certs/logsrvd_cert.pem
certs/logsrvd_cert.pem: OK
.Ed
@@ -357,7 +357,7 @@ Configuring
.Nm
for TLS requires the following settings, assuming the same path
names used earlier:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# Listen on port 30344 for TLS connections to any address.
listen_address = *:30344(tls)


@@ -17,7 +17,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_PLUGIN_PYTHON" "5" "January 20, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO_PLUGIN_PYTHON" "5" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -74,7 +74,7 @@ constructor yourself.
For example:
.nf
.sp
.RS 6n
.RS 4n
import sudo
class MySudoPlugin(sudo.Plugin):
@@ -137,7 +137,7 @@ result code the plugin can also provide a message describing the problem.
This can be done by raising one of the special exceptions:
.nf
.sp
.RS 6n
.RS 4n
raise sudo.PluginError("Message")
raise sudo.PluginReject("Message")
.RE
@@ -161,7 +161,7 @@ Example usage in
sudo.conf(@mansectform@):
.nf
.sp
.RS 6n
.RS 4n
Plugin python_policy python_plugin.so ModulePath=<path> ClassName=<class>
Plugin python_io python_plugin.so ModulePath=<path> ClassName=<class>
Plugin python_audit python_plugin.so ModulePath=<path> ClassName=<class>
@@ -174,7 +174,7 @@ Example group provider plugin usage in the
file:
.nf
.sp
.RS 6n
.RS 4n
Defaults group_plugin="python_plugin.so ModulePath=<path> ClassName=<class>"
.RE
.fi
@@ -198,7 +198,7 @@ sudo.conf(@mansectform@).
For example:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_policy python_plugin.so ModulePath=<path> ClassName=<class>
.RE
.fi
@@ -300,7 +300,7 @@ convenience function can be used to convert them to a dictionary.
This function should return a result code or a tuple in the following format:
.nf
.sp
.RS 12n
.RS 10n
return (rc, command_info_out, argv_out, user_env_out)
.RE
.fi
@@ -567,7 +567,7 @@ sudo.conf(@mansectform@).
For example:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_io python_plugin.so ModulePath=<path> ClassName=<class>
.RE
.fi
@@ -843,7 +843,7 @@ To try it, register it by adding the following lines to
\fI@sysconfdir@/sudo.conf\fR:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_io python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_io_plugin.py \e
ClassName=SudoIOPlugin
@@ -855,7 +855,7 @@ sudo.conf(@mansectform@).
For example:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_audit python_plugin.so ModulePath=<path> ClassName=<class>
.RE
.fi
@@ -1159,7 +1159,7 @@ To try it, register it by adding the following lines to
\fI@sysconfdir@/sudo.conf\fR:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_audit python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_audit_plugin.py \e
ClassName=SudoAuditPlugin
@@ -1173,7 +1173,7 @@ sudo.conf(@mansectform@).
For example:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_approval python_plugin.so ModulePath=<path> ClassName=<class>
.RE
.fi
@@ -1269,7 +1269,7 @@ It can reject execution of the command by returning sudo.RC.REJECT or
raising the special exception:
.nf
.sp
.RS 12n
.RS 10n
raise sudo.PluginReject("some message")
.RE
.fi
@@ -1300,7 +1300,7 @@ To try it, register it by adding the following lines to
\fI@sysconfdir@/sudo.conf\fR:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_approval python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_approval_plugin.py \e
ClassName=BusinessHoursApprovalPlugin
@@ -1316,7 +1316,7 @@ file.
For example:
.nf
.sp
.RS 6n
.RS 4n
Defaults group_plugin="python_plugin.so ModulePath=<path> ClassName=<class>"
.RE
.fi
@@ -1397,7 +1397,7 @@ To try it, register it in the
file by adding the following lines:
.nf
.sp
.RS 6n
.RS 4n
Defaults group_plugin="python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_group_plugin.py \e
ClassName=SudoGroupPlugin"
@@ -1416,7 +1416,7 @@ user.
For example:
.nf
.sp
.RS 6n
.RS 4n
%:mygroup ALL=(ALL) NOPASSWD: ALL
.RE
.fi
@@ -1556,7 +1556,7 @@ To try it, register it by adding the following lines to
\fI@sysconfdir@/sudo.conf\fR:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_io python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_conversation.py \e
ClassName=ReasonLoggerIOPlugin
@@ -1617,7 +1617,7 @@ For example, to store debug output in
use a line like the following:
.nf
.sp
.RS 6n
.RS 4n
Debug python_plugin.so /var/log/sudo_python_debug \e
plugin@trace,c_calls@trace
.RE
@@ -1632,7 +1632,7 @@ For example to just see the debug output of
calls, use:
.nf
.sp
.RS 6n
.RS 4n
Debug python_plugin.so /var/log/sudo_python_debug plugin@trace
.RE
.fi
@@ -1735,7 +1735,7 @@ To try it, register it by adding the following lines to
\fI@sysconfdir@/sudo.conf\fR:
.nf
.sp
.RS 6n
.RS 4n
Plugin python_io python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_debugging.py \e
ClassName=DebugDemoPlugin


@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 20, 2022
.Dd February 10, 2022
.Dt SUDO_PLUGIN_PYTHON @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -64,7 +64,7 @@ This is intended as a convenience to allow you to avoid writing the
constructor yourself.
.Pp
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
import sudo
class MySudoPlugin(sudo.Plugin):
@@ -115,7 +115,7 @@ or
.Dv sudo.RC.REJECT
result code the plugin can also provide a message describing the problem.
This can be done by raising one of the special exceptions:
.Bd -literal -offset indent
.Bd -literal -offset 4n
raise sudo.PluginError("Message")
raise sudo.PluginReject("Message")
.Ed
@@ -136,7 +136,7 @@ plugin it is loading as arguments.
.Pp
Example usage in
.Xr sudo.conf @mansectform@ :
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_policy python_plugin.so ModulePath=<path> ClassName=<class>
Plugin python_io python_plugin.so ModulePath=<path> ClassName=<class>
Plugin python_audit python_plugin.so ModulePath=<path> ClassName=<class>
@@ -146,7 +146,7 @@ Plugin python_approval python_plugin.so ModulePath=<path> ClassName=<class>
Example group provider plugin usage in the
.Em sudoers
file:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Defaults group_plugin="python_plugin.so ModulePath=<path> ClassName=<class>"
.Ed
.Pp
@@ -167,7 +167,7 @@ will result in an error.
Policy plugins must be registered in
.Xr sudo.conf @mansectform@ .
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_policy python_plugin.so ModulePath=<path> ClassName=<class>
.Ed
.Pp
@@ -255,7 +255,7 @@ convenience function can be used to convert them to a dictionary.
.El
.Pp
This function should return a result code or a tuple in the following format:
.Bd -literal -offset indent
.Bd -literal -offset 4n
return (rc, command_info_out, argv_out, user_env_out)
.Ed
.Pp
@@ -460,7 +460,7 @@ in addition to another policy plugin, such as
I/O plugins must be registered in
.Xr sudo.conf @mansectform@ .
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_io python_plugin.so ModulePath=<path> ClassName=<class>
.Ed
.Pp
@@ -681,7 +681,7 @@ system call, otherwise 0.
Sudo ships a Python I/O plugin example.
To try it, register it by adding the following lines to
.Pa @sysconfdir@/sudo.conf :
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_io python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_io_plugin.py \e
ClassName=SudoIOPlugin
@@ -690,7 +690,7 @@ Plugin python_io python_plugin.so \e
Audit plugins must be registered in
.Xr sudo.conf @mansectform@ .
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_audit python_plugin.so ModulePath=<path> ClassName=<class>
.Ed
.Pp
@@ -928,7 +928,7 @@ manual for possible values.
Sudo ships a Python Audit plugin example.
To try it, register it by adding the following lines to
.Pa @sysconfdir@/sudo.conf :
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_audit python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_audit_plugin.py \e
ClassName=SudoAuditPlugin
@@ -939,7 +939,7 @@ It will log the plugin accept / reject / error results to the output.
Approval plugins must be registered in
.Xr sudo.conf @mansectform@ .
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_approval python_plugin.so ModulePath=<path> ClassName=<class>
.Ed
.Pp
@@ -1010,7 +1010,7 @@ check(self, command_info: Tuple[str, ...], run_argv: Tuple[str, ...],
This function is called after policy plugin's check_policy has succeeded.
It can reject execution of the command by returning sudo.RC.REJECT or
raising the special exception:
.Bd -literal -offset indent
.Bd -literal -offset 4n
raise sudo.PluginReject("some message")
.Ed
.Pp
@@ -1034,7 +1034,7 @@ The environment the command will be run with.
Sudo ships a Python Approval plugin example.
To try it, register it by adding the following lines to
.Pa @sysconfdir@/sudo.conf :
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_approval python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_approval_plugin.py \e
ClassName=BusinessHoursApprovalPlugin
@@ -1047,7 +1047,7 @@ A group provider plugin is registered in the
.Xr sudoers @mansectform@
file.
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Defaults group_plugin="python_plugin.so ModulePath=<path> ClassName=<class>"
.Ed
.Pp
@@ -1111,7 +1111,7 @@ Sudo ships a Python group plugin example.
To try it, register it in the
.Em sudoers
file by adding the following lines:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Defaults group_plugin="python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_group_plugin.py \e
ClassName=SudoGroupPlugin"
@@ -1127,7 +1127,7 @@ If you add a rule that uses this group, it will affect the
.Em test
user.
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
%:mygroup ALL=(ALL) NOPASSWD: ALL
.Ed
.Pp
@@ -1247,7 +1247,7 @@ or the user interrupted the conversation by pressing control-C.
Sudo ships with an example plugin demonstrating the Python conversation API.
To try it, register it by adding the following lines to
.Pa @sysconfdir@/sudo.conf :
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_io python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_conversation.py \e
ClassName=ReasonLoggerIOPlugin
@@ -1302,7 +1302,7 @@ with the program set to
For example, to store debug output in
.Pa /var/log/sudo_python_debug ,
use a line like the following:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Debug python_plugin.so /var/log/sudo_python_debug \e
plugin@trace,c_calls@trace
.Ed
@@ -1314,7 +1314,7 @@ strings, separated by commas
For example to just see the debug output of
.Fn sudo.debug
calls, use:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Debug python_plugin.so /var/log/sudo_python_debug plugin@trace
.Ed
.Pp
@@ -1396,7 +1396,7 @@ for the sudo debug system.
Sudo ships an example debug plugin by default.
To try it, register it by adding the following lines to
.Pa @sysconfdir@/sudo.conf :
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin python_io python_plugin.so \e
ModulePath=@prefix@/share/doc/sudo/examples/example_debugging.py \e
ClassName=DebugDemoPlugin


@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "February 8, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -71,7 +71,7 @@ to use the
plugin, the following configuration can be used.
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_audit sudoers.so
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
@@ -104,7 +104,7 @@ Multiple arguments may be specified, separated by white space.
For example:
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
.RE
.fi
@@ -6772,7 +6772,7 @@ For example, to allow user operator to edit the
file on any machine:
.nf
.sp
.RS 6n
.RS 4n
operator ALL = sudoedit /etc/motd
.RE
.fi
@@ -6782,7 +6782,7 @@ The operator user then runs
as follows:
.nf
.sp
.RS 6n
.RS 4n
$ sudoedit /etc/motd
.RE
.fi


@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd February 8, 2022
.Dd February 10, 2022
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -68,7 +68,7 @@ To explicitly configure
to use the
.Nm
plugin, the following configuration can be used.
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_audit sudoers.so
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
@@ -98,7 +98,7 @@ For older versions, it is the
plugin.
Multiple arguments may be specified, separated by white space.
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
.Ed
.Pp
@@ -6260,14 +6260,14 @@ option in
For example, to allow user operator to edit the
.Dq message of the day
file on any machine:
.Bd -literal -offset indent
.Bd -literal -offset 4n
operator ALL = sudoedit /etc/motd
.Ed
.Pp
The operator user then runs
.Nm sudoedit
as follows:
.Bd -literal -offset indent
.Bd -literal -offset 4n
$ sudoedit /etc/motd
.Ed
.Pp


@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOREPLAY" "@mansectsu@" "January 19, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDOREPLAY" "@mansectsu@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -453,7 +453,7 @@ List sessions run by user
\fImillert\fR:
.nf
.sp
.RS 6n
.RS 4n
# sudoreplay -l user millert
.RE
.fi
@@ -463,7 +463,7 @@ List sessions run by user
with a command containing the string vi:
.nf
.sp
.RS 6n
.RS 4n
# sudoreplay -l user bob command vi
.RE
.fi
@@ -473,7 +473,7 @@ List sessions run by user
that match a regular expression:
.nf
.sp
.RS 6n
.RS 4n
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.RE
.fi
@@ -481,7 +481,7 @@ that match a regular expression:
List sessions run by jeff or bob on the console:
.nf
.sp
.RS 6n
.RS 4n
# sudoreplay -l ( user jeff or user bob ) tty console
.RE
.fi


@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd January 19, 2022
.Dd February 10, 2022
.Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -406,26 +406,26 @@ was used as part of a pipeline for a particular command.
.Sh EXAMPLES
List sessions run by user
.Em millert :
.Bd -literal -offset indent
.Bd -literal -offset 4n
# sudoreplay -l user millert
.Ed
.Pp
List sessions run by user
.Em bob
with a command containing the string vi:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# sudoreplay -l user bob command vi
.Ed
.Pp
List sessions run by user
.Em jeff
that match a regular expression:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# sudoreplay -l user jeff command '/bin/[a-z]*sh'
.Ed
.Pp
List sessions run by jeff or bob on the console:
.Bd -literal -offset indent
.Bd -literal -offset 4n
# sudoreplay -l ( user jeff or user bob ) tty console
.Ed
.Sh SEE ALSO


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "VISUDO" "@mansectsu@" "January 20, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "VISUDO" "@mansectsu@" "February 10, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -312,7 +312,7 @@ Multiple arguments may be specified, separated by white space.
For example:
.nf
.sp
.RS 6n
.RS 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.RE
.fi


@@ -20,7 +20,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd January 20, 2022
.Dd February 10, 2022
.Dt VISUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -302,7 +302,7 @@ These arguments, if present, should be listed after the path to the plugin
.Pa sudoers.so ) .
Multiple arguments may be specified, separated by white space.
For example:
.Bd -literal -offset indent
.Bd -literal -offset 4n
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.Ed
.Pp