Use numeric registers to handle conditionals instead of trying

to do it all with text processing.
This commit is contained in:
Todd C. Miller
2010-05-25 16:13:04 -04:00
parent 5dd8e98ec7
commit 807d1313a5
13 changed files with 217 additions and 158 deletions

configure vendored

@@ -2811,9 +2811,9 @@ PROGS="sudo"
: ${SUDOERS_GID='0'}
DEV="#"
LDAP="#"
BAMAN='.\" '
LCMAN='.\" '
SEMAN='.\" '
BAMAN=0
LCMAN=0
SEMAN=0
ZLIB=
AUTH_OBJS=
AUTH_REG=
@@ -5421,7 +5421,7 @@ if test "${with_selinux+set}" = set; then :
SUDO_LIBS="${SUDO_LIBS} -lselinux"
SUDO_OBJS="${SUDO_OBJS} selinux.o"
PROGS="${PROGS} sesh"
SEMAN=""
SEMAN=1
;;
no) ;;
*) as_fn_error "\"--with-selinux does not take an argument.\"" "$LINENO" 5
@@ -13969,7 +13969,7 @@ if test "x$ac_cv_header_login_cap_h" = x""yes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_LOGIN_CAP_H 1
_ACEOF
LOGINCAP_USAGE='[-c class|-] '; LCMAN=""
LOGINCAP_USAGE='[-c class|-] '; LCMAN=1
case "$OS" in
freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
@@ -16143,7 +16143,7 @@ if test "x$ac_cv_header_bsd_auth_h" = x""yes; then :
AUTH_OBJS="$AUTH_OBJS bsdauth.lo"
BSDAUTH_USAGE='[-a auth_type] '
AUTH_EXCL=BSD_AUTH; BAMAN=""
AUTH_EXCL=BSD_AUTH; BAMAN=1
else
as_fn_error "BSD authentication was specified but bsd_auth.h could not be found" "$LINENO" 5
fi


@@ -135,9 +135,9 @@ PROGS="sudo"
: ${SUDOERS_GID='0'}
DEV="#"
LDAP="#"
BAMAN='.\" '
LCMAN='.\" '
SEMAN='.\" '
BAMAN=0
LCMAN=0
SEMAN=0
ZLIB=
AUTH_OBJS=
AUTH_REG=
@@ -1272,7 +1272,7 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
SUDO_LIBS="${SUDO_LIBS} -lselinux"
SUDO_OBJS="${SUDO_OBJS} selinux.o"
PROGS="${PROGS} sesh"
SEMAN=""
SEMAN=1
;;
no) ;;
*) AC_MSG_ERROR(["--with-selinux does not take an argument."])
@@ -1851,7 +1851,7 @@ else
AC_CHECK_HEADERS(termio.h, [], [AC_MSG_ERROR([Must have either termios.h or termio.h to build sudo])])
fi
if test ${with_logincap-'no'} != "no"; then
AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=""
AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=1
case "$OS" in
freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil"
;;
@@ -2140,7 +2140,7 @@ if test ${with_bsdauth-'no'} != "no"; then
AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H)
[AUTH_OBJS="$AUTH_OBJS bsdauth.lo"]
[BSDAUTH_USAGE='[[-a auth_type]] ']
[AUTH_EXCL=BSD_AUTH; BAMAN=""],
[AUTH_EXCL=BSD_AUTH; BAMAN=1],
[AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])])
fi


@@ -18,6 +18,10 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.nr SL @SEMAN@
.nr BA @BAMAN@
.nr LC @LCMAN@
.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
@@ -144,7 +148,7 @@
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "May 11, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.TH SUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -156,31 +160,31 @@ sudo, sudoedit \- execute a command as another user
\&\fBsudo\fR [\fB\-D\fR\ \fIlevel\fR] \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
[\fB\-D\fR\ \fIlevel\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
.PP
\&\fBsudoedit\fR [\fB\-AnS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-D\fR\ \fIlevel\fR]
[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
@@ -242,14 +246,16 @@ user's password and output the password to the standard output. If
the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
path to the helper program. Otherwise, the value specified by the
\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used.
@BAMAN@.IP "\-a \fItype\fR" 12
@BAMAN@.IX Item "-a type"
@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
@BAMAN@specified authentication type when validating the user, as allowed
@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
@BAMAN@that support \s-1BSD\s0 authentication.
.if \n(BA \{\
.IP "\-a \fItype\fR" 12
.IX Item "-a type"
The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
specified authentication type when validating the user, as allowed
by \fI/etc/login.conf\fR. The system administrator may specify a list
of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
entry in \fI/etc/login.conf\fR. This option is only available on systems
that support \s-1BSD\s0 authentication.
\}
.IP "\-b" 12
.IX Item "-b"
The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
@@ -264,17 +270,19 @@ above the standard error (file descriptor three). Values less than
three are not permitted. This option is only available if the
administrator has enabled the \fIclosefrom_override\fR option in
\&\fIsudoers\fR\|(@mansectform@).
@LCMAN@.IP "\-c \fIclass\fR" 12
@LCMAN@.IX Item "-c class"
@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
@LCMAN@with resources limited by the specified login class. The \fIclass\fR
@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR,
@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
@LCMAN@that the command should be run restricted by the default login
@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR
@LCMAN@argument specifies an existing user class, the command must be run
@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already
@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes.
.if \n(LC \{\
.IP "\-c \fIclass\fR" 12
.IX Item "-c class"
The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
with resources limited by the specified login class. The \fIclass\fR
argument can be either a class name as defined in \fI/etc/login.conf\fR,
or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
that the command should be run restricted by the default login
capabilities for the user the command is run as. If the \fIclass\fR
argument specifies an existing user class, the command must be run
as root, or the \fBsudo\fR command must be run from a shell that is already
root. This option is only available on systems with \s-1BSD\s0 login classes.
\}
.IP "\-D \fIlevel\fR" 12
.IX Item "-D level"
Enable debugging of \fBsudo\fR plugins and \fBsudo\fR itself. The \fIlevel\fR
@@ -435,10 +443,12 @@ The prompt specified by the \fB\-p\fR option will override the system
password prompt on systems that support \s-1PAM\s0 unless the
\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
.RE
@SEMAN@.IP "\-r \fIrole\fR" 12
@SEMAN@.IX Item "-r role"
@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
@SEMAN@have the role specified by \fIrole\fR.
.if \n(SL \{\
.IP "\-r \fIrole\fR" 12
.IX Item "-r role"
The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
have the role specified by \fIrole\fR.
\}
.IP "\-S" 12
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
@@ -450,11 +460,13 @@ The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\
environment variable if it is set or the shell as specified in
\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
for execution. Otherwise, an interactive shell is executed.
@SEMAN@.IP "\-t \fItype\fR" 12
@SEMAN@.IX Item "-t type"
@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default
@SEMAN@type is derived from the specified role.
.if \n(SL \{\
.IP "\-t \fItype\fR" 12
.IX Item "-t type"
The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
have the type specified by \fItype\fR. If no type is specified, the default
type is derived from the specified role.
\}
.IP "\-U \fIuser\fR" 12
.IX Item "-U user"
The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
@@ -727,7 +739,7 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
@LCMAN@\&\fIlogin_cap\fR\|(3),
.if \n(LC \&\fIlogin_cap\fR\|(3),
\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@)
.SH "AUTHORS"
.IX Header "AUTHORS"


@@ -1,23 +1,32 @@
#!/usr/bin/perl -p
BEGIN {
%tags = ( 'a', '@BAMAN@', 'c', '@LCMAN@', 'r', '@SEMAN@', 't', '@SEMAN@');
$t = undef;
%tags = ( 'a', 'BA', 'c', 'LC', 'r', 'SL', 't', 'SL');
$cond = -1;
}
if (/^\.IP(.*-([acrt]))?/) {
$t = $1 ? $tags{$2} : undef;
} elsif (/-a.*auth_type/) {
$_ = $tags{'a'} . $_;
# Initialize the numeric register we use for conditionals
if ($cond == -1) {
$_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_";
$cond = 0;
}
# Add conditionals
if (/^\.IP.*-([acrt])/) {
$_ = ".if \\n($tags{$1} \\{\\\n$_";
$cond = 1;
} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
$_ = "\\}\n$_";
$cond = 0;
}
if (/-a.*auth_type/) {
$_ = ".if \\n($tags{'a'} $_";
} elsif (/(-c.*class.*\||login_cap)/) {
$_ = $tags{'c'} . $_;
$_ = ".if \\n($tags{'c'} $_";
} elsif (/-r.*role.*-t.*type/) {
$_ = $tags{'r'} . $_;
$_ = ".if \\n($tags{'r'} $_";
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
# comment out Compile-time-specific lines in DESCRIPTION
if ($t) {
$_ = $t . $_;
}
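Review bot: The `# Add conditionals` block never emits the closing `\}` when a conditional `.IP` item (one matching `-[acrt]`) is directly followed by another conditional item, because the opening branch is tested first and the `elsif` that closes the previous block is skipped; today every `-a`/`-c`/`-r`/`-t` item happens to be followed by an unconditional `.IP`, `.PP`, `.SS` or `.Sh`, so the output balances, but a reordering of the pod source would silently produce unbalanced `\{`/`\}` in the generated man page. Testing the close condition before the open one makes each item self-contained, as in the rewrite below. The same ordering appears in sudoers.mansed.in (the `.SS "SELinux_Spec"` / `.IP "(role|type)"` / `.IP "use_loginclass"` chain) and would take the same fix. Nothing closes a block that is still open at end of input either; an `END { print "\\}\n" if $cond > 0 }` would cover that, though no current page appears to end on a conditional item. If the trailing `if ($t) { $_ = $t . $_; }` block is still present on the new side, `$t` is no longer assigned anywhere and it is dead code.
```perl
# Add conditionals.  Close any open block first so that two adjacent
# conditional items each get their own \{ ... \} pair.
if ($cond > 0 && /^\.(Sh|SS|IP|PP)/) {
    $_ = "\\}\n$_";
    $cond = 0;
}
if (/^\.IP.*-([acrt])/) {
    $_ = ".if \\n($tags{$1} \\{\\\n$_";
    $cond = 1;
}
# … unchanged: one-line synopsis conditionals, pod2man F<@foo@/bar> fix-up …
```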


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.8.0a1 April 7, 2010 1
1.8.0a1 May 25, 2010 1
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 2
1.8.0a1 May 25, 2010 2
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 3
1.8.0a1 May 25, 2010 3
@@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 4
1.8.0a1 May 25, 2010 4
@@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 5
1.8.0a1 May 25, 2010 5
@@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 6
1.8.0a1 May 25, 2010 6
@@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 7
1.8.0a1 May 25, 2010 7
@@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 8
1.8.0a1 May 25, 2010 8
@@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
1.8.0a1 April 7, 2010 9
1.8.0a1 May 25, 2010 9
@@ -615,7 +615,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
alternative is to place a colon-separated list of
editors in the editor variable. vviissuuddoo will then only
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _o_n by default.
specified in editor. This flag is _o_f_f by default.
env_reset If set, ssuuddoo will reset the environment to only contain
the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
@@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 10
1.8.0a1 May 25, 2010 10
@@ -675,7 +675,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
modified. This flag is _o_n by default.
modified. This flag is _o_f_f by default.
ignore_local_sudoers
If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be
@@ -691,7 +691,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_o_f_f by default.
insults If set, ssuuddoo will insult users when they enter an
incorrect password. This flag is _o_n by default.
incorrect password. This flag is _o_f_f by default.
log_host If set, the host name will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
@@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 11
1.8.0a1 May 25, 2010 11
@@ -758,10 +758,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
passprompt_override
The password prompt specified by _p_a_s_s_p_r_o_m_p_t will
normally only be used if the password prompt provided by
systems such as PAM matches the string "Password:". If
_p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always be
used. This flag is _o_f_f by default.
normally only be used if the password prompt provided
by systems such as PAM matches the string "Password:".
If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always
be used. This flag is _o_f_f by default.
preserve_groups By default, ssuuddoo will initialize the group vector to
the list of groups the target user is in. When
@@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 12
1.8.0a1 May 25, 2010 12
@@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 13
1.8.0a1 May 25, 2010 13
@@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 14
1.8.0a1 May 25, 2010 14
@@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 15
1.8.0a1 May 25, 2010 15
@@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 16
1.8.0a1 May 25, 2010 16
@@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 17
1.8.0a1 May 25, 2010 17
@@ -1183,7 +1183,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 18
1.8.0a1 May 25, 2010 18
@@ -1196,7 +1196,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to authpriv.
to disable syslog logging). Defaults to local2.
verifypw This option controls when a password will be required when
a user runs ssuuddoo with the --vv option. It has the following
@@ -1249,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 19
1.8.0a1 May 25, 2010 19
@@ -1315,7 +1315,7 @@ EEXXAAMMPPLLEESS
1.8.0a1 April 7, 2010 20
1.8.0a1 May 25, 2010 20
@@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 21
1.8.0a1 May 25, 2010 21
@@ -1447,7 +1447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 22
1.8.0a1 May 25, 2010 22
@@ -1513,7 +1513,7 @@ SSEECCUURRIITTYY NNOOTTEESS
1.8.0a1 April 7, 2010 23
1.8.0a1 May 25, 2010 23
@@ -1579,7 +1579,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
1.8.0a1 April 7, 2010 24
1.8.0a1 May 25, 2010 24
@@ -1616,7 +1616,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
approach is to give the user permission to run ssuuddooeeddiitt.
SSEEEE AALLSSOO
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(8)
_r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(1m)
CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
@@ -1645,7 +1645,7 @@ DDIISSCCLLAAIIMMEERR
1.8.0a1 April 7, 2010 25
1.8.0a1 May 25, 2010 25
@@ -1711,6 +1711,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
1.8.0a1 April 7, 2010 26
1.8.0a1 May 25, 2010 26


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.7.3b2 December 19, 2009 1
1.8.0a1 May 25, 2010 1
@@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 2
1.8.0a1 May 25, 2010 2
@@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 3
1.8.0a1 May 25, 2010 3
@@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 4
1.8.0a1 May 25, 2010 4
@@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 5
1.8.0a1 May 25, 2010 5
@@ -391,7 +391,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 6
1.8.0a1 May 25, 2010 6
@@ -457,7 +457,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 7
1.8.0a1 May 25, 2010 7
@@ -523,7 +523,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 8
1.8.0a1 May 25, 2010 8
@@ -589,7 +589,7 @@ EEXXAAMMPPLLEESS
1.7.3b2 December 19, 2009 9
1.8.0a1 May 25, 2010 9
@@ -655,7 +655,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 10
1.8.0a1 May 25, 2010 10
@@ -721,7 +721,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
1.7.3b2 December 19, 2009 11
1.8.0a1 May 25, 2010 11
@@ -745,7 +745,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
)
SSEEEE AALLSSOO
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5)
_l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4)
CCAAVVEEAATTSS
The way that _s_u_d_o_e_r_s is parsed differs between Note that there are
@@ -787,6 +787,6 @@ DDIISSCCLLAAIIMMEERR
1.7.3b2 December 19, 2009 12
1.8.0a1 May 25, 2010 12


@@ -140,7 +140,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
.TH SUDOERS.LDAP @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.TH SUDOERS.LDAP @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -790,7 +790,7 @@ schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5)
\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
.SH "CAVEATS"
.IX Header "CAVEATS"
The way that \fIsudoers\fR is parsed differs between Note that there


@@ -18,6 +18,10 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.nr SL @SEMAN@
.nr BA @BAMAN@
.nr LC @LCMAN@
.\"
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
@@ -144,7 +148,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "April 7, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -403,10 +407,15 @@ See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults par
\& Cmnd_Spec_List ::= Cmnd_Spec |
\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
\&
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
\&
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\&
.if \n(SL \{\
\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
\&
\}
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqTRANSCRIPT:\*(Aq | \*(AqNOTRANSCRIPT:\*(Aq)
.Ve
@@ -475,6 +484,15 @@ only the group will be set, the command still runs as user \fBtcm\fR.
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
.if \n(SL \{\
.SS "SELinux_Spec"
.IX Subsection "SELinux_Spec"
On systems with SELinux support, \fIsudoers\fR entries may optionally have
an SELinux role and/or type associated with a command. If a role or
type is specified with the command it will override any default values
specified in \fIsudoers\fR. A role or type specified on the command line,
however, will supercede the values in \fIsudoers\fR.
\}
.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
@@ -979,11 +997,13 @@ umask in \fIsudoers\fR than the user's own umask and matches historical
behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
umask to be the union of the user's umask and what is specified in
\&\fIsudoers\fR. This flag is \fIoff\fR by default.
@LCMAN@.IP "use_loginclass" 16
@LCMAN@.IX Item "use_loginclass"
@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with
@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default.
.if \n(LC \{\
.IP "use_loginclass" 16
.IX Item "use_loginclass"
If set, \fBsudo\fR will apply the defaults specified for the target user's
login class if one exists. Only available if \fBsudo\fR is configured with
the \-\-with\-logincap option. This flag is \fIoff\fR by default.
\}
.IP "visiblepw" 16
.IX Item "visiblepw"
By default, \fBsudo\fR will refuse to run if the user must enter a
@@ -1100,12 +1120,14 @@ two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW
.Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
.RE
@SEMAN@.IP "role" 16
@SEMAN@.IX Item "role"
@SEMAN@The default SELinux role to use when constructing a new security
@SEMAN@context to run the command. The default role may be overridden on
@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.if \n(SL \{\
.IP "role" 16
.IX Item "role"
The default SELinux role to use when constructing a new security
context to run the command. The default role may be overridden on
a per-command basis in \fIsudoers\fR or via command line options.
This option is only available whe \fBsudo\fR is built with SELinux support.
\}
.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR option is not specified
@@ -1133,12 +1155,14 @@ The default is \fI@timedir@\fR.
.IX Item "timestampowner"
The owner of the timestamp directory and the timestamps stored therein.
The default is \f(CW\*(C`root\*(C'\fR.
@SEMAN@.IP "type" 16
@SEMAN@.IX Item "type"
@SEMAN@The default SELinux type to use when constructing a new security
@SEMAN@context to run the command. The default type may be overridden on
@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.if \n(SL \{\
.IP "type" 16
.IX Item "type"
The default SELinux type to use when constructing a new security
context to run the command. The default type may be overridden on
a per-command basis in \fIsudoers\fR or via command line options.
This option is only available whe \fBsudo\fR is built with SELinux support.
\}
.PP
\&\fBStrings that can be used in a boolean context\fR:
.IP "askpass" 12
@@ -1665,7 +1689,7 @@ editor, a safer approach is to give the user permission to run
\&\fBsudoedit\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR


@@ -1,25 +1,39 @@
#!/usr/bin/perl -p
BEGIN {
$t = undef;
$cond = -1;
}
if (/^\./) {
if (/^\.I[PX].*use_loginclass/) {
$t = '@LCMAN@';
} elsif (/^\.I[PX].*(role|type)/) {
$t = '@SEMAN@';
} else {
$t = undef;
}
# Initialize the numeric register we use for conditionals
if ($cond == -1) {
$_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_";
$cond = 0;
}
# Make SELinux_Spec conditional
if (/(.*)SELinux_Spec\? (.*)$/) {
$_ = ".ie \\n(SL $_.el $1$2\n";
} elsif (/^(.*SELinux_Spec ::=)/) {
$_ = ".if \\n(SL \\{\\\n$_";
} elsif (/^(.*Tag_Spec ::=)/) {
$_ = "\\}\n$_";
}
if (/^\.S[Sh] "SELinux_Spec"/) {
$_ = ".if \\n(SL \\{\\\n$_";
$cond = 1;
} elsif (/^\.IP "(role|type)"/) {
$_ = ".if \\n(SL \\{\\\n$_";
$cond = 1;
} elsif (/^\.IP "use_loginclass"/) {
$_ = ".if \\n(LC \\{\\\n$_";
$cond = 1;
} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
$_ = "\\}\n$_";
$cond = 0;
}
# Fix up broken pod2man formatting of F<@foo@/bar>
s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
s/\\f\(\CW\@([^\@]*)\\fR\@/\@$1\@/g;
#\f(CW@secure_path\fR@
# Comment out Compile-time-specific lines in DESCRIPTION
if ($t) {
$_ = $t . $_;
}
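Review bot: The `# Make SELinux_Spec conditional` branch for `Tag_Spec ::=` emits a closing `\}` unconditionally, relying on the `SELinux_Spec ::=` production always appearing earlier in the grammar listing; if the pod is ever regenerated without that production the stray `\}` lands in the man page with no matching `\{`. A flag set when the block is opened makes the pairing explicit: `$in_spec = 1;` after the `.if \\n(SL \\{\\` line, and `} elsif ($in_spec && /Tag_Spec ::=/) { $_ = "\\}\n$_"; $in_spec = 0; }` for the close. As a point of style, the capture groups in `/^(.*SELinux_Spec ::=)/` and `/^(.*Tag_Spec ::=)/` are never read, so a plain `/SELinux_Spec ::=/` reads more clearly. The `if ($t)` block at the end appears to have no remaining assignment to `$t` on the new side; if so it can go along with the `$t = undef;` in `BEGIN`.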


@@ -61,7 +61,7 @@ OOPPTTIIOONNSS
1.7.3b2 December 19, 2009 1
1.8.0a1 May 25, 2010 1
@@ -127,7 +127,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
1.7.3b2 December 19, 2009 2
1.8.0a1 May 25, 2010 2
@@ -193,7 +193,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
1.7.3b2 December 19, 2009 3
1.8.0a1 May 25, 2010 3
@@ -259,7 +259,7 @@ SSUUPPPPOORRTT
1.7.3b2 December 19, 2009 4
1.8.0a1 May 25, 2010 4
@@ -325,6 +325,6 @@ DDIISSCCLLAAIIMMEERR
1.7.3b2 December 19, 2009 5
1.8.0a1 May 25, 2010 5


@@ -139,7 +139,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
.TH SUDOREPLAY @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.TH SUDOREPLAY @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l


@@ -61,7 +61,7 @@ OOPPTTIIOONNSS
1.7.3b2 December 19, 2009 1
1.8.0a1 May 25, 2010 1
@@ -120,14 +120,14 @@ DDIIAAGGNNOOSSTTIICCSS
--ss (strict) mode this is an error, not a warning.
SSEEEE AALLSSOO
_v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8)
_v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(1m)
AAUUTTHHOORR
Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo
1.7.3b2 December 19, 2009 2
1.8.0a1 May 25, 2010 2
@@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR
1.7.3b2 December 19, 2009 3
1.8.0a1 May 25, 2010 3


@@ -144,7 +144,7 @@
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
.TH VISUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.TH VISUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -268,7 +268,7 @@ used. You may wish to comment out or remove the unused alias. In
\&\fB\-s\fR (strict) mode this is an error, not a warning.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8)
\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@)
.SH "AUTHOR"
.IX Header "AUTHOR"
Many people have worked on \fIsudo\fR over the years; this version of