Add explicit mention of sudo's netgroup semantics since they differ
from most other netgroup consumers.
This commit is contained in:
Todd C. Miller
2015-09-21 16:04:59 -06:00
parent 80673750cf
commit 824021b51b
6 changed files with 65 additions and 35 deletions

@@ -276,7 +276,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
list item may be prefixed with zero or more `!' operators. An odd number
of `!' operators negate the value of the item; an even number just cancel
each other out.
each other out. User netgroups are matched using the user and domain
members only; the host member is not used when matching.
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
be enclosed in double quotes to avoid the need for escaping special
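Review bot: the added sentence "User netgroups are matched using the user and domain members only" says the domain member participates in the match but not what sudo compares it against, which is exactly the detail a reader checking a netgroup entry needs; a short clause naming the domain value used for the comparison (and the behaviour when the entry's domain member is empty) would make the new text unambiguous. The same wording is repeated in the sudoers.ldap and man source hunks of this commit, so whatever clarification is chosen should be applied in all of them.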
@@ -331,17 +332,19 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with `+') and other aliases. Again, the
value of an item may be negated with the `!' operator. If you do not
specify a netmask along with the network number, ssuuddoo will query each of
the local host's network interfaces and, if the network number
corresponds to one of the hosts's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard IP
address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
notation (number of bits, e.g. 24 or 64). A host name may include shell-
style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host
name command on your machine returns the fully qualified host name,
you'll need to use the _f_q_d_n option for wildcards to be useful. Note that
ssuuddoo only inspects actual network interfaces; this means that IP address
value of an item may be negated with the `!' operator. Host netgroups
are matched using the host (both qualified and unqualified) and domain
members only; the user member is not used when matching. If you specify
a network number without a netmask, ssuuddoo will query each of the local
host's network interfaces and, if the network number corresponds to one
of the hosts's network interfaces, will use the netmask of that
interface. The netmask may be specified either in standard IP address
notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
(number of bits, e.g. 24 or 64). A host name may include shell-style
wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name
command on your machine returns the fully qualified host name, you'll
need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match. Also, the host name
``localhost'' will only match if that is the actual host name, which is
usually only the case for non-networked systems.
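Review bot: the reflowed line "of the hosts's network interfaces, will use the netmask of that" carries the pre-existing typo "hosts's" forward; since this sentence is being rewritten anyway, change it to "host's". This file is generated from the man page sources, where the same "hosts's" sits in unchanged context, so the fix belongs in the sources so that the text pages are regenerated correctly.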
@@ -878,9 +881,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
use_netgroups If set, netgroups (prefixed with `+'), may be used in
place of a user or host. For LDAP-based sudoers,
netgroup support requires an expensive substring match
on the server. If netgroups are not needed, this
option can be disabled to reduce the load on the LDAP
server. This flag is _o_n by default.
on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is
present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are
not needed, this option can be disabled to reduce the
load on the LDAP server. This flag is _o_n by default.
exec_background By default, ssuuddoo runs a command as the foreground
process as long as ssuuddoo itself is running in the
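Review bot: NETGROUP_BASE is introduced here with no pointer to where the directive is described, so a reader of this manual cannot tell how to set it; add a cross reference to the manual page that documents the LDAP configuration directives. While this paragraph is being touched, the stray comma in the unchanged first line ("netgroups (prefixed with `+'), may be used") could also be dropped.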
@@ -2459,4 +2463,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/license.html for
complete details.
Sudo 1.8.15 August 7, 2015 Sudo 1.8.15
Sudo 1.8.15 September 21, 2015 Sudo 1.8.15

@@ -70,13 +70,17 @@ DDEESSCCRRIIPPTTIIOONN
A user name, user ID (prefixed with `#'), Unix group name or ID
(prefixed with `%' or `%#' respectively), user netgroup (prefixed
with `+'), or non-Unix group name or ID (prefixed with `%:' or
`%:#' respectively). Non-Unix group support is only available when
an appropriate _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s
sudoRole object.
`%:#' respectively). User netgroups are matched using the user and
domain members only; the host member is not used when matching.
Non-Unix group support is only available when an appropriate
_g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s sudoRole object.
ssuuddooHHoosstt
A host name, IP address, IP network, or host netgroup (prefixed
with a `+'). The special value ALL will match any host.
with a `+'). The special value ALL will match any host. Host
netgroups are matched using the host (both qualified and
unqualified) and domain members only; the user member is not used
when matching.
ssuuddooCCoommmmaanndd
A fully-qualified Unix command name with optional command line
@@ -902,4 +906,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/license.html for
complete details.
Sudo 1.8.15 January 30, 2015 Sudo 1.8.15
Sudo 1.8.15 September 21, 2015 Sudo 1.8.15

@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "SUDOERS.LDAP" "8" "January 30, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDOERS.LDAP" "8" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -150,6 +150,8 @@ or non-Unix group name or ID (prefixed with
or
\(oq%:#\(cq
respectively).
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
Non-Unix group support is only available when an appropriate
\fIgroup_plugin\fR
is defined in the global
@@ -163,6 +165,8 @@ A host name, IP address, IP network, or host netgroup (prefixed with a
The special value
\fRALL\fR
will match any host.
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
.TP 6n
\fBsudoCommand\fR
A fully-qualified Unix command name with optional command line arguments,

@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd January 30, 2015
.Dd September 21, 2015
.Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -143,6 +143,8 @@ or non-Unix group name or ID (prefixed with
or
.Ql %:#
respectively).
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
Non-Unix group support is only available when an appropriate
.Em group_plugin
is defined in the global
@@ -155,6 +157,8 @@ A host name, IP address, IP network, or host netgroup (prefixed with a
The special value
.Li ALL
will match any host.
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
.It Sy sudoCommand
A fully-qualified Unix command name with optional command line arguments,
potentially including globbing characters (aka wild cards).

@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "5" "August 7, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "5" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -632,6 +632,8 @@ An odd number of
\(oq\&!\(cq
operators negate the value of
the item; an even number just cancel each other out.
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
.PP
A
\fRuser name\fR,
@@ -734,13 +736,14 @@ and other aliases.
Again, the value of an item may be negated with the
\(oq\&!\(cq
operator.
If you do not specify a netmask along with the network number,
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If you specify a network number without a netmask,
\fBsudo\fR
will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used.
The netmask
may be specified either in standard IP address notation
interfaces, will use the netmask of that interface.
The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
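Review bot: the unchanged context line "if the network number corresponds to one of the hosts's network" has the typo "hosts's" (should be "host's"); the line directly after it is being rewritten, so include this one in the edit, and make the same correction in the mdoc source, so the generated sudoers text page stops carrying the typo.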
@@ -1911,7 +1914,11 @@ If set, netgroups (prefixed with
\(oq+\(cq),
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server.
substring match on the server unless the
\fBNETGROUP_BASE\fR
directive is present in the
\fI@ldap_conf@\fR
file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is

@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd August 7, 2015
.Dd September 21, 2015
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -605,6 +605,8 @@ An odd number of
.Ql \&!
operators negate the value of
the item; an even number just cancel each other out.
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
.Pp
A
.Li user name ,
@@ -700,13 +702,14 @@ and other aliases.
Again, the value of an item may be negated with the
.Ql \&!
operator.
If you do not specify a netmask along with the network number,
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If you specify a network number without a netmask,
.Nm sudo
will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used.
The netmask
may be specified either in standard IP address notation
interfaces, will use the netmask of that interface.
The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
@@ -1782,7 +1785,11 @@ If set, netgroups (prefixed with
.Ql + ) ,
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server.
substring match on the server unless the
.Sy NETGROUP_BASE
directive is present in the
.Pa @ldap_conf@
file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is