diff --git a/configure b/configure index 6323289cc..24ce6200a 100755 --- a/configure +++ b/configure @@ -2811,9 +2811,9 @@ PROGS="sudo" : ${SUDOERS_GID='0'} DEV="#" LDAP="#" -BAMAN='.\" ' -LCMAN='.\" ' -SEMAN='.\" ' +BAMAN=0 +LCMAN=0 +SEMAN=0 ZLIB= AUTH_OBJS= AUTH_REG= @@ -5421,7 +5421,7 @@ if test "${with_selinux+set}" = set; then : SUDO_LIBS="${SUDO_LIBS} -lselinux" SUDO_OBJS="${SUDO_OBJS} selinux.o" PROGS="${PROGS} sesh" - SEMAN="" + SEMAN=1 ;; no) ;; *) as_fn_error "\"--with-selinux does not take an argument.\"" "$LINENO" 5 @@ -13969,7 +13969,7 @@ if test "x$ac_cv_header_login_cap_h" = x""yes; then : cat >>confdefs.h <<_ACEOF #define HAVE_LOGIN_CAP_H 1 _ACEOF - LOGINCAP_USAGE='[-c class|-] '; LCMAN="" + LOGINCAP_USAGE='[-c class|-] '; LCMAN=1 case "$OS" in freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil" ;; @@ -16143,7 +16143,7 @@ if test "x$ac_cv_header_bsd_auth_h" = x""yes; then : AUTH_OBJS="$AUTH_OBJS bsdauth.lo" BSDAUTH_USAGE='[-a auth_type] ' - AUTH_EXCL=BSD_AUTH; BAMAN="" + AUTH_EXCL=BSD_AUTH; BAMAN=1 else as_fn_error "BSD authentication was specified but bsd_auth.h could not be found" "$LINENO" 5 fi diff --git a/configure.in b/configure.in index 609083026..69ccc363c 100644 --- a/configure.in +++ b/configure.in @@ -135,9 +135,9 @@ PROGS="sudo" : ${SUDOERS_GID='0'} DEV="#" LDAP="#" -BAMAN='.\" ' -LCMAN='.\" ' -SEMAN='.\" ' +BAMAN=0 +LCMAN=0 +SEMAN=0 ZLIB= AUTH_OBJS= AUTH_REG= @@ -1272,7 +1272,7 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support]) SUDO_LIBS="${SUDO_LIBS} -lselinux" SUDO_OBJS="${SUDO_OBJS} selinux.o" PROGS="${PROGS} sesh" - SEMAN="" + SEMAN=1 ;; no) ;; *) AC_MSG_ERROR(["--with-selinux does not take an argument."]) 
@@ -1851,7 +1851,7 @@ else AC_CHECK_HEADERS(termio.h, [], [AC_MSG_ERROR([Must have either termios.h or termio.h to build sudo])]) fi if test ${with_logincap-'no'} != "no"; then - AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN="" + AC_CHECK_HEADERS(login_cap.h, [LOGINCAP_USAGE='[[-c class|-]] '; LCMAN=1 case "$OS" in freebsd|netbsd) SUDO_LIBS="${SUDO_LIBS} -lutil" ;; @@ -2140,7 +2140,7 @@ if test ${with_bsdauth-'no'} != "no"; then AC_CHECK_HEADER(bsd_auth.h, AC_DEFINE(HAVE_BSD_AUTH_H) [AUTH_OBJS="$AUTH_OBJS bsdauth.lo"] [BSDAUTH_USAGE='[[-a auth_type]] '] - [AUTH_EXCL=BSD_AUTH; BAMAN=""], + [AUTH_EXCL=BSD_AUTH; BAMAN=1], [AC_MSG_ERROR([BSD authentication was specified but bsd_auth.h could not be found])]) fi diff --git a/doc/sudo.man.in b/doc/sudo.man.in index cdcdf27de..8d7c350ba 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -18,6 +18,10 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.\" .\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: @@ -144,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "May 11, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -156,31 +160,31 @@ sudo, sudoedit \- execute a command as another user \&\fBsudo\fR [\fB\-D\fR\ \fIlevel\fR] \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR .PP \&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-D\fR\ \fIlevel\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] .PP \&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-D\fR\ \fIlevel\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR] .PP \&\fBsudo\fR [\fB\-AbEHnPS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] [\fB\-D\fR\ \fIlevel\fR] -@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] -@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] +.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR] .PP \&\fBsudoedit\fR [\fB\-AnS\fR] -@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] +.if \n(BA [\fB\-a\fR\ \fIauth_type\fR] [\fB\-C\fR\ \fIfd\fR] -@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] +.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-D\fR\ \fIlevel\fR] [\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ... 
@@ -242,14 +246,16 @@ user's password and output the password to the standard output. If the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path to the helper program. Otherwise, the value specified by the \&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used. -@BAMAN@.IP "\-a \fItype\fR" 12 -@BAMAN@.IX Item "-a type" -@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the -@BAMAN@specified authentication type when validating the user, as allowed -@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list -@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" -@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems -@BAMAN@that support \s-1BSD\s0 authentication. +.if \n(BA \{\ +.IP "\-a \fItype\fR" 12 +.IX Item "-a type" +The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the +specified authentication type when validating the user, as allowed +by \fI/etc/login.conf\fR. The system administrator may specify a list +of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R" +entry in \fI/etc/login.conf\fR. This option is only available on systems +that support \s-1BSD\s0 authentication. +\} .IP "\-b" 12 .IX Item "-b" The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given 
@@ -264,17 +270,19 @@ above the standard error (file descriptor three). Values less than three are not permitted. This option is only available if the administrator has enabled the \fIclosefrom_override\fR option in \&\fIsudoers\fR\|(@mansectform@). -@LCMAN@.IP "\-c \fIclass\fR" 12 -@LCMAN@.IX Item "-c class" -@LCMAN@The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command -@LCMAN@with resources limited by the specified login class. The \fIclass\fR -@LCMAN@argument can be either a class name as defined in \fI/etc/login.conf\fR, -@LCMAN@or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates -@LCMAN@that the command should be run restricted by the default login -@LCMAN@capabilities for the user the command is run as. If the \fIclass\fR -@LCMAN@argument specifies an existing user class, the command must be run -@LCMAN@as root, or the \fBsudo\fR command must be run from a shell that is already -@LCMAN@root. This option is only available on systems with \s-1BSD\s0 login classes. +.if \n(LC \{\ +.IP "\-c \fIclass\fR" 12 +.IX Item "-c class" +The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command +with resources limited by the specified login class. The \fIclass\fR +argument can be either a class name as defined in \fI/etc/login.conf\fR, +or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates +that the command should be run restricted by the default login +capabilities for the user the command is run as. If the \fIclass\fR +argument specifies an existing user class, the command must be run +as root, or the \fBsudo\fR command must be run from a shell that is already +root. This option is only available on systems with \s-1BSD\s0 login classes. +\} .IP "\-D \fIlevel\fR" 12 .IX Item "-D level" Enable debugging of \fBsudo\fR plugins and \fBsudo\fR itself. The \fIlevel\fR 
@@ -435,10 +443,12 @@ The prompt specified by the \fB\-p\fR option will override the system password prompt on systems that support \s-1PAM\s0 unless the \&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR. .RE -@SEMAN@.IP "\-r \fIrole\fR" 12 -@SEMAN@.IX Item "-r role" -@SEMAN@The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to -@SEMAN@have the role specified by \fIrole\fR. +.if \n(SL \{\ +.IP "\-r \fIrole\fR" 12 +.IX Item "-r role" +The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to +have the role specified by \fIrole\fR. +\} .IP "\-S" 12 .IX Item "-S" The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from @@ -450,11 +460,13 @@ The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\ environment variable if it is set or the shell as specified in \&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell for execution. Otherwise, an interactive shell is executed. -@SEMAN@.IP "\-t \fItype\fR" 12 -@SEMAN@.IX Item "-t type" -@SEMAN@The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to -@SEMAN@have the type specified by \fItype\fR. If no type is specified, the default -@SEMAN@type is derived from the specified role. +.if \n(SL \{\ +.IP "\-t \fItype\fR" 12 +.IX Item "-t type" +The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to +have the type specified by \fItype\fR. If no type is specified, the default +type is derived from the specified role. +\} .IP "\-U \fIuser\fR" 12 .IX Item "-U user" The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR 
@@ -727,7 +739,7 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), -@LCMAN@\&\fIlogin_cap\fR\|(3), +.if \n(LC \&\fIlogin_cap\fR\|(3), \&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@) .SH "AUTHORS" .IX Header "AUTHORS" diff --git a/doc/sudo.man.pl b/doc/sudo.man.pl index 4d23fbde2..2306c7c0f 100644 --- a/doc/sudo.man.pl +++ b/doc/sudo.man.pl @@ -1,23 +1,32 @@ #!/usr/bin/perl -p BEGIN { - %tags = ( 'a', '@BAMAN@', 'c', '@LCMAN@', 'r', '@SEMAN@', 't', '@SEMAN@'); - $t = undef; + %tags = ( 'a', 'BA', 'c', 'LC', 'r', 'SL', 't', 'SL'); + $cond = -1; } -if (/^\.IP(.*-([acrt]))?/) { - $t = $1 ? $tags{$2} : undef; -} elsif (/-a.*auth_type/) { - $_ = $tags{'a'} . $_; + +# Initialize the numeric register we use for conditionals +if ($cond == -1) { + $_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_"; + $cond = 0; +} + +# Add conditionals +if (/^\.IP.*-([acrt])/) { + $_ = ".if \\n($tags{$1} \\{\\\n$_"; + $cond = 1; +} elsif ($cond && /^\.(Sh|SS|IP|PP)/) { + $_ = "\\}\n$_"; + $cond = 0; +} + +if (/-a.*auth_type/) { + $_ = ".if \\n($tags{'a'} $_"; } elsif (/(-c.*class.*\||login_cap)/) { - $_ = $tags{'c'} . $_; + $_ = ".if \\n($tags{'c'} $_"; } elsif (/-r.*role.*-t.*type/) { - $_ = $tags{'r'} . $_; + $_ = ".if \\n($tags{'r'} $_"; } # Fix up broken pod2man formatting of F<@foo@/bar> s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g; - -# comment out Compile-time-specific lines in DESCRIPTION -if ($t) { - $_ = $t . $_; -} diff --git a/doc/sudoers.cat b/doc/sudoers.cat index eec64df04..560704194 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0a1 April 7, 2010 1 +1.8.0a1 May 25, 2010 1 @@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 2 +1.8.0a1 May 25, 2010 2 
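Review bot: The block-closing test `} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {` in the new sudo.man.pl never fires on a section header, because Pod::Man emits `.SH` (see `.SH "SEE ALSO"` in the sudo.man.in hunk on this same line) and the alternation only lists `Sh`; a conditional `.IP` item that ends up last before a `.SH` would leave its `\{` group open and pull the rest of the page inside the conditional. In the current sudo page every `-a`/`-c`/`-r`/`-t` item is followed by another `.IP`, so this is latent today, but the fix is `} elsif ($cond && /^\.(SH|SS|IP|PP)/) {`. For the same reason the opening branch should close a still-pending group when two conditional items are adjacent, e.g. `$_ = "\\}\n$_" if $cond;` placed right after the `.if \\n(...) \{\` prepend, and an `END { print "\\}\n" if $cond; }` block would cover an item that is the last line of the input. The same `Sh`/`SH` mismatch is in the sudoers.man.pl hunk further down.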
@@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 3 +1.8.0a1 May 25, 2010 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 4 +1.8.0a1 May 25, 2010 4 @@ -325,7 +325,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 5 +1.8.0a1 May 25, 2010 5 @@ -391,7 +391,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 6 +1.8.0a1 May 25, 2010 6 @@ -457,7 +457,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 7 +1.8.0a1 May 25, 2010 7 @@ -523,7 +523,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 8 +1.8.0a1 May 25, 2010 8 @@ -589,7 +589,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS -1.8.0a1 April 7, 2010 9 +1.8.0a1 May 25, 2010 9 @@ -615,7 +615,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) alternative is to place a colon-separated list of editors in the editor variable. vviissuuddoo will then only use the EDITOR or VISUAL if they match a value - specified in editor. This flag is _o_n by default. + specified in editor. This flag is _o_f_f by default. env_reset If set, ssuuddoo will reset the environment to only contain the LOGNAME, SHELL, USER, USERNAME and the SUDO_* @@ -655,7 +655,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 10 +1.8.0a1 May 25, 2010 10 @@ -675,7 +675,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the PATH environment variable; the PATH itself is not - modified. This flag is _o_n by default. + modified. This flag is _o_f_f by default. ignore_local_sudoers If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be 
@@ -691,7 +691,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _o_f_f by default. insults If set, ssuuddoo will insult users when they enter an - incorrect password. This flag is _o_n by default. + incorrect password. This flag is _o_f_f by default. log_host If set, the host name will be logged in the (non- syslog) ssuuddoo log file. This flag is _o_f_f by default. @@ -721,7 +721,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 11 +1.8.0a1 May 25, 2010 11 @@ -758,10 +758,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) passprompt_override The password prompt specified by _p_a_s_s_p_r_o_m_p_t will - normally only be used if the password prompt provided by - systems such as PAM matches the string "Password:". If - _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always be - used. This flag is _o_f_f by default. + normally only be used if the password prompt provided + by systems such as PAM matches the string "Password:". + If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always + be used. This flag is _o_f_f by default. preserve_groups By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. When @@ -787,7 +787,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 12 +1.8.0a1 May 25, 2010 12 @@ -853,7 +853,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 13 +1.8.0a1 May 25, 2010 13 @@ -919,7 +919,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 14 +1.8.0a1 May 25, 2010 14 @@ -985,7 +985,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 15 +1.8.0a1 May 25, 2010 15 @@ -1051,7 +1051,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 16 +1.8.0a1 May 25, 2010 16 @@ -1117,7 +1117,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 17 +1.8.0a1 May 25, 2010 17 
@@ -1183,7 +1183,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 18 +1.8.0a1 May 25, 2010 18 @@ -1196,7 +1196,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) option is not set by default. syslog Syslog facility if syslog is being used for logging (negate - to disable syslog logging). Defaults to authpriv. + to disable syslog logging). Defaults to local2. verifypw This option controls when a password will be required when a user runs ssuuddoo with the --vv option. It has the following @@ -1249,7 +1249,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 19 +1.8.0a1 May 25, 2010 19 @@ -1315,7 +1315,7 @@ EEXXAAMMPPLLEESS -1.8.0a1 April 7, 2010 20 +1.8.0a1 May 25, 2010 20 @@ -1381,7 +1381,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 21 +1.8.0a1 May 25, 2010 21 @@ -1447,7 +1447,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 22 +1.8.0a1 May 25, 2010 22 @@ -1513,7 +1513,7 @@ SSEECCUURRIITTYY NNOOTTEESS -1.8.0a1 April 7, 2010 23 +1.8.0a1 May 25, 2010 23 @@ -1579,7 +1579,7 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS -1.8.0a1 April 7, 2010 24 +1.8.0a1 May 25, 2010 24 @@ -1616,7 +1616,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) approach is to give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(1m) CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which @@ -1645,7 +1645,7 @@ DDIISSCCLLAAIIMMEERR -1.8.0a1 April 7, 2010 25 +1.8.0a1 May 25, 2010 25 @@ -1711,6 +1711,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a1 April 7, 2010 26 +1.8.0a1 May 25, 2010 26 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 1b5b1e271..52950f9d3 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat 
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.7.3b2 December 19, 2009 1 +1.8.0a1 May 25, 2010 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 2 +1.8.0a1 May 25, 2010 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 3 +1.8.0a1 May 25, 2010 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 4 +1.8.0a1 May 25, 2010 4 @@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 5 +1.8.0a1 May 25, 2010 5 @@ -391,7 +391,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 6 +1.8.0a1 May 25, 2010 6 @@ -457,7 +457,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 7 +1.8.0a1 May 25, 2010 7 @@ -523,7 +523,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 8 +1.8.0a1 May 25, 2010 8 @@ -589,7 +589,7 @@ EEXXAAMMPPLLEESS -1.7.3b2 December 19, 2009 9 +1.8.0a1 May 25, 2010 9 @@ -655,7 +655,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 10 +1.8.0a1 May 25, 2010 10 @@ -721,7 +721,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.7.3b2 December 19, 2009 11 +1.8.0a1 May 25, 2010 11 @@ -745,7 +745,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) ) SSEEEE AALLSSOO - _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5) + _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(4) CCAAVVEEAATTSS The way that _s_u_d_o_e_r_s is parsed differs between Note that there are @@ -787,6 +787,6 @@ DDIISSCCLLAAIIMMEERR -1.7.3b2 December 19, 2009 12 +1.8.0a1 May 25, 2010 12 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 9096900c3..8daaf03b0 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in 
@@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -790,7 +790,7 @@ schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5) +\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@) .SH "CAVEATS" .IX Header "CAVEATS" The way that \fIsudoers\fR is parsed differs between Note that there diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 166d81932..579960917 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -18,6 +18,10 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" +.nr SL @SEMAN@ +.nr BA @BAMAN@ +.nr LC @LCMAN@ +.\" .\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07) .\" .\" Standard preamble: @@ -144,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "April 7, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -403,10 +407,15 @@ See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults par \& Cmnd_Spec_List ::= Cmnd_Spec | \& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List \& -\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd +.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd +.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd \& \& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq \& +.if \n(SL \{\ +\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq) +\& +\} \& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq | \& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqTRANSCRIPT:\*(Aq | \*(AqNOTRANSCRIPT:\*(Aq) .Ve @@ -475,6 +484,15 @@ only the group will be set, the command still runs as user \fBtcm\fR. \& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e \& /usr/local/bin/minicom .Ve +.if \n(SL \{\ +.SS "SELinux_Spec" +.IX Subsection "SELinux_Spec" +On systems with SELinux support, \fIsudoers\fR entries may optionally have +an SELinux role and/or type associated with a command. If a role or +type is specified with the command it will override any default values +specified in \fIsudoers\fR. A role or type specified on the command line, +however, will supercede the values in \fIsudoers\fR. +\} .SS "Tag_Spec" .IX Subsection "Tag_Spec" A command may have zero or more tags associated with it. There are 
@@ -979,11 +997,13 @@ umask in \fIsudoers\fR than the user's own umask and matches historical behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the umask to be the union of the user's umask and what is specified in \&\fIsudoers\fR. This flag is \fIoff\fR by default. -@LCMAN@.IP "use_loginclass" 16 -@LCMAN@.IX Item "use_loginclass" -@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's -@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with -@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default. +.if \n(LC \{\ +.IP "use_loginclass" 16 +.IX Item "use_loginclass" +If set, \fBsudo\fR will apply the defaults specified for the target user's +login class if one exists. Only available if \fBsudo\fR is configured with +the \-\-with\-logincap option. This flag is \fIoff\fR by default. +\} .IP "visiblepw" 16 .IX Item "visiblepw" By default, \fBsudo\fR will refuse to run if the user must enter a @@ -1100,12 +1120,14 @@ two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW .Sp The default value is \f(CW\*(C`@passprompt@\*(C'\fR. .RE -@SEMAN@.IP "role" 16 -@SEMAN@.IX Item "role" -@SEMAN@The default SELinux role to use when constructing a new security -@SEMAN@context to run the command. The default role may be overridden on -@SEMAN@a per-command basis in \fIsudoers\fR or via command line options. -@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support. +.if \n(SL \{\ +.IP "role" 16 +.IX Item "role" +The default SELinux role to use when constructing a new security +context to run the command. The default role may be overridden on +a per-command basis in \fIsudoers\fR or via command line options. +This option is only available whe \fBsudo\fR is built with SELinux support. +\} .IP "runas_default" 16 .IX Item "runas_default" The default user to run commands as if the \fB\-u\fR option is not specified 
@@ -1133,12 +1155,14 @@ The default is \fI@timedir@\fR. .IX Item "timestampowner" The owner of the timestamp directory and the timestamps stored therein. The default is \f(CW\*(C`root\*(C'\fR. -@SEMAN@.IP "type" 16 -@SEMAN@.IX Item "type" -@SEMAN@The default SELinux type to use when constructing a new security -@SEMAN@context to run the command. The default type may be overridden on -@SEMAN@a per-command basis in \fIsudoers\fR or via command line options. -@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support. +.if \n(SL \{\ +.IP "type" 16 +.IX Item "type" +The default SELinux type to use when constructing a new security +context to run the command. The default type may be overridden on +a per-command basis in \fIsudoers\fR or via command line options. +This option is only available whe \fBsudo\fR is built with SELinux support. +\} .PP \&\fBStrings that can be used in a boolean context\fR: .IP "askpass" 12 @@ -1665,7 +1689,7 @@ editor, a safer approach is to give the user permission to run \&\fBsudoedit\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8) +\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@) .SH "CAVEATS" .IX Header "CAVEATS" The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR diff --git a/doc/sudoers.man.pl b/doc/sudoers.man.pl index 9ee210a44..6e5da2c28 100644 --- a/doc/sudoers.man.pl +++ b/doc/sudoers.man.pl 
@@ -1,25 +1,39 @@ #!/usr/bin/perl -p BEGIN { - $t = undef; + $cond = -1; } -if (/^\./) { - if (/^\.I[PX].*use_loginclass/) { - $t = '@LCMAN@'; - } elsif (/^\.I[PX].*(role|type)/) { - $t = '@SEMAN@'; - } else { - $t = undef; - } +# Initialize the numeric register we use for conditionals +if ($cond == -1) { + $_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_"; + $cond = 0; +} + +# Make SELinux_Spec conditional +if (/(.*)SELinux_Spec\? (.*)$/) { + $_ = ".ie \\n(SL $_.el $1$2\n"; +} elsif (/^(.*SELinux_Spec ::=)/) { + $_ = ".if \\n(SL \\{\\\n$_"; +} elsif (/^(.*Tag_Spec ::=)/) { + $_ = "\\}\n$_"; +} + +if (/^\.S[Sh] "SELinux_Spec"/) { + $_ = ".if \\n(SL \\{\\\n$_"; + $cond = 1; +} elsif (/^\.IP "(role|type)"/) { + $_ = ".if \\n(SL \\{\\\n$_"; + $cond = 1; +} elsif (/^\.IP "use_loginclass"/) { + $_ = ".if \\n(LC \\{\\\n$_"; + $cond = 1; +} elsif ($cond && /^\.(Sh|SS|IP|PP)/) { + $_ = "\\}\n$_"; + $cond = 0; } # Fix up broken pod2man formatting of F<@foo@/bar> s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g; s/\\f\(\CW\@([^\@]*)\\fR\@/\@$1\@/g; #\f(CW@secure_path\fR@ - -# Comment out Compile-time-specific lines in DESCRIPTION -if ($t) { - $_ = $t . $_; -} diff --git a/doc/sudoreplay.cat b/doc/sudoreplay.cat index f32100b06..055e39b6e 100644 --- a/doc/sudoreplay.cat +++ b/doc/sudoreplay.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.3b2 December 19, 2009 1 +1.8.0a1 May 25, 2010 1 @@ -127,7 +127,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.3b2 December 19, 2009 2 +1.8.0a1 May 25, 2010 2 @@ -193,7 +193,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.7.3b2 December 19, 2009 3 +1.8.0a1 May 25, 2010 3 @@ -259,7 +259,7 @@ SSUUPPPPOORRTT -1.7.3b2 December 19, 2009 4 +1.8.0a1 May 25, 2010 4 @@ -325,6 +325,6 @@ DDIISSCCLLAAIIMMEERR -1.7.3b2 December 19, 2009 5 +1.8.0a1 May 25, 2010 5 diff --git a/doc/sudoreplay.man.in b/doc/sudoreplay.man.in index 93a1a82cf..2c60af2a3 100644 --- a/doc/sudoreplay.man.in +++ b/doc/sudoreplay.man.in 
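Review bot: The `} elsif (/^(.*Tag_Spec ::=)/) {` branch in sudoers.man.pl emits `\}` unconditionally, so it balances the `\{` opened on `SELinux_Spec ::=` only because of the production order currently in the pod; if the grammar is reordered or the SELinux production is removed, troff gets an unmatched `\}` with no diagnostic from this script. Keying the close on state rather than on line text keeps it safe: set `$spec = 1;` next to the `\{` prepend, and close with `} elsif ($spec && /^(.*Tag_Spec ::=)/) { $_ = "\\}\n$_"; $spec = 0; }`. The fallback closer `/^\.(Sh|SS|IP|PP)/` here has the same `Sh`/`SH` mismatch raised on the sudo.man.pl hunk above, and the `.SS "SELinux_Spec"` group likewise relies on `.SS "Tag_Spec"` following it rather than on a real end-of-section marker.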
@@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" +.TH SUDOREPLAY @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/visudo.cat b/doc/visudo.cat index 74deba8c6..576fa64d9 100644 --- a/doc/visudo.cat +++ b/doc/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.7.3b2 December 19, 2009 1 +1.8.0a1 May 25, 2010 1 @@ -120,14 +120,14 @@ DDIIAAGGNNOOSSTTIICCSS --ss (strict) mode this is an error, not a warning. SSEEEE AALLSSOO - _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(8) + _v_i(1), _s_u_d_o_e_r_s(4), _s_u_d_o(1m), _v_i_p_w(1m) AAUUTTHHOORR Many people have worked on _s_u_d_o over the years; this version of vviissuuddoo -1.7.3b2 December 19, 2009 2 +1.8.0a1 May 25, 2010 2 @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.7.3b2 December 19, 2009 3 +1.8.0a1 May 25, 2010 3 diff --git a/doc/visudo.man.in b/doc/visudo.man.in index c5e92779b..ad7e52a74 100644 --- a/doc/visudo.man.in +++ b/doc/visudo.man.in @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -268,7 +268,7 @@ used. You may wish to comment out or remove the unused alias. In \&\fB\-s\fR (strict) mode this is an error, not a warning. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8) +\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@) .SH "AUTHOR" .IX Header "AUTHOR" Many people have worked on \fIsudo\fR over the years; this version of