From 824021b51b6400762492c9e21086e4f76a27e53a Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 21 Sep 2015 16:04:59 -0600 Subject: [PATCH] Add explicit mention of sudo's netgroup semantics since they differ from most other netgroup consumers. --- doc/sudoers.cat | 36 ++++++++++++++++++++---------------- doc/sudoers.ldap.cat | 14 +++++++++----- doc/sudoers.ldap.man.in | 6 +++++- doc/sudoers.ldap.mdoc.in | 6 +++++- doc/sudoers.man.in | 19 +++++++++++++------ doc/sudoers.mdoc.in | 19 +++++++++++++------ 6 files changed, 65 insertions(+), 35 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index a3864c131..889f1b02d 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -276,7 +276,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each list item may be prefixed with zero or more `!' operators. An odd number of `!' operators negate the value of the item; an even number just cancel - each other out. + each other out. User netgroups are matched using the user and domain + members only; the host member is not used when matching. A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may be enclosed in double quotes to avoid the need for escaping special 
@@ -331,17 +332,19 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT A Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with `+') and other aliases. Again, the - value of an item may be negated with the `!' operator. If you do not - specify a netmask along with the network number, ssuuddoo will query each of - the local host's network interfaces and, if the network number - corresponds to one of the hosts's network interfaces, the corresponding - netmask will be used. The netmask may be specified either in standard IP - address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR - notation (number of bits, e.g. 24 or 64). A host name may include shell- - style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host - name command on your machine returns the fully qualified host name, - you'll need to use the _f_q_d_n option for wildcards to be useful. Note that - ssuuddoo only inspects actual network interfaces; this means that IP address + value of an item may be negated with the `!' operator. Host netgroups + are matched using the host (both qualified and unqualified) and domain + members only; the user member is not used when matching. If you specify + a network number without a netmask, ssuuddoo will query each of the local + host's network interfaces and, if the network number corresponds to one + of the hosts's network interfaces, will use the netmask of that + interface. The netmask may be specified either in standard IP address + notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation + (number of bits, e.g. 24 or 64). A host name may include shell-style + wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name + command on your machine returns the fully qualified host name, you'll + need to use the _f_q_d_n option for wildcards to be useful. 
Note that ssuuddoo + only inspects actual network interfaces; this means that IP address 127.0.0.1 (localhost) will never match. Also, the host name ``localhost'' will only match if that is the actual host name, which is usually only the case for non-networked systems. @@ -878,9 +881,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS use_netgroups If set, netgroups (prefixed with `+'), may be used in place of a user or host. For LDAP-based sudoers, netgroup support requires an expensive substring match - on the server. If netgroups are not needed, this - option can be disabled to reduce the load on the LDAP - server. This flag is _o_n by default. + on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is + present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are + not needed, this option can be disabled to reduce the + load on the LDAP server. This flag is _o_n by default. exec_background By default, ssuuddoo runs a command as the foreground process as long as ssuuddoo itself is running in the @@ -2459,4 +2463,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/license.html for complete details. -Sudo 1.8.15 August 7, 2015 Sudo 1.8.15 +Sudo 1.8.15 September 21, 2015 Sudo 1.8.15 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 0203c364b..0afda9249 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat 
@@ -70,13 +70,17 @@ DDEESSCCRRIIPPTTIIOONN A user name, user ID (prefixed with `#'), Unix group name or ID (prefixed with `%' or `%#' respectively), user netgroup (prefixed with `+'), or non-Unix group name or ID (prefixed with `%:' or - `%:#' respectively). Non-Unix group support is only available when - an appropriate _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s - sudoRole object. + `%:#' respectively). User netgroups are matched using the user and + domain members only; the host member is not used when matching. + Non-Unix group support is only available when an appropriate + _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s sudoRole object. ssuuddooHHoosstt A host name, IP address, IP network, or host netgroup (prefixed - with a `+'). The special value ALL will match any host. + with a `+'). The special value ALL will match any host. Host + netgroups are matched using the host (both qualified and + unqualified) and domain members only; the user member is not used + when matching. ssuuddooCCoommmmaanndd A fully-qualified Unix command name with optional command line @@ -902,4 +906,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/license.html for complete details. -Sudo 1.8.15 January 30, 2015 Sudo 1.8.15 +Sudo 1.8.15 September 21, 2015 Sudo 1.8.15 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 0e13aae22..f6f95d043 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "8" "January 30, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDOERS.LDAP" "8" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" 
@@ -150,6 +150,8 @@ or non-Unix group name or ID (prefixed with or \(oq%:#\(cq respectively). +User netgroups are matched using the user and domain members only; +the host member is not used when matching. Non-Unix group support is only available when an appropriate \fIgroup_plugin\fR is defined in the global @@ -163,6 +165,8 @@ A host name, IP address, IP network, or host netgroup (prefixed with a The special value \fRALL\fR will match any host. +Host netgroups are matched using the host (both qualified and unqualified) +and domain members only; the user member is not used when matching. .TP 6n \fBsudoCommand\fR A fully-qualified Unix command name with optional command line arguments, diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index ec0cb7a67..e7aa7718e 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 30, 2015 +.Dd September 21, 2015 .Dt SUDOERS.LDAP @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -143,6 +143,8 @@ or non-Unix group name or ID (prefixed with or .Ql %:# respectively). +User netgroups are matched using the user and domain members only; +the host member is not used when matching. Non-Unix group support is only available when an appropriate .Em group_plugin is defined in the global @@ -155,6 +157,8 @@ A host name, IP address, IP network, or host netgroup (prefixed with a The special value .Li ALL will match any host. +Host netgroups are matched using the host (both qualified and unqualified) +and domain members only; the user member is not used when matching. .It Sy sudoCommand A fully-qualified Unix command name with optional command line arguments, potentially including globbing characters (aka wild cards). diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index c0c137f1d..dec035938 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "August 7, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -632,6 +632,8 @@ An odd number of \(oq\&!\(cq operators negate the value of the item; an even number just cancel each other out. +User netgroups are matched using the user and domain members only; +the host member is not used when matching. .PP A \fRuser name\fR, @@ -734,13 +736,14 @@ and other aliases. Again, the value of an item may be negated with the \(oq\&!\(cq operator. -If you do not specify a netmask along with the network number, +Host netgroups are matched using the host (both qualified and unqualified) +and domain members only; the user member is not used when matching. +If you specify a network number without a netmask, \fBsudo\fR will query each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network -interfaces, the corresponding netmask will be used. -The netmask -may be specified either in standard IP address notation +interfaces, will use the netmask of that interface. +The netmask may be specified either in standard IP address notation (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits, e.g.\& 24 or 64). A host name may include shell-style wildcards (see the @@ -1911,7 +1914,11 @@ If set, netgroups (prefixed with \(oq+\(cq), may be used in place of a user or host. For LDAP-based sudoers, netgroup support requires an expensive -substring match on the server. +substring match on the server unless the +\fBNETGROUP_BASE\fR +directive is present in the +\fI@ldap_conf@\fR +file. If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server. This flag is 
diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index f315290f6..2dd8b2368 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd August 7, 2015 +.Dd September 21, 2015 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -605,6 +605,8 @@ An odd number of .Ql \&! operators negate the value of the item; an even number just cancel each other out. +User netgroups are matched using the user and domain members only; +the host member is not used when matching. .Pp A .Li user name , @@ -700,13 +702,14 @@ and other aliases. Again, the value of an item may be negated with the .Ql \&! operator. -If you do not specify a netmask along with the network number, +Host netgroups are matched using the host (both qualified and unqualified) +and domain members only; the user member is not used when matching. +If you specify a network number without a netmask, .Nm sudo will query each of the local host's network interfaces and, if the network number corresponds to one of the hosts's network -interfaces, the corresponding netmask will be used. -The netmask -may be specified either in standard IP address notation +interfaces, will use the netmask of that interface. +The netmask may be specified either in standard IP address notation (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation (number of bits, e.g.\& 24 or 64). A host name may include shell-style wildcards (see the @@ -1782,7 +1785,11 @@ If set, netgroups (prefixed with .Ql + ) , may be used in place of a user or host. For LDAP-based sudoers, netgroup support requires an expensive -substring match on the server. +substring match on the server unless the +.Sy NETGROUP_BASE +directive is present in the +.Pa @ldap_conf@ +file. If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server. This flag is
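Review bot: the new User_List and Host_List sentences in sudoers.cat, sudoers.man.in and sudoers.mdoc.in state the matching rule but not its consequence, which is the part an administrator migrating from another netgroup consumer will get wrong. Because "the host member is not used when matching" a user netgroup, a triple such as (alice,host1,) placed in a User_List via +netgroup matches alice on every host, not only on host1; because "the user member is not used when matching" a host netgroup, the same triple in a Host_List matches every user on host1. Since the commit message itself says these semantics differ from most other consumers, consider adding one sentence of that form as a caution next to the new text, or under the use_netgroups description, so a netgroup written to restrict a user to particular hosts is not assumed to do so under sudo.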
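Review bot: the rewritten netmask sentence in sudoers.cat, sudoers.man.in and sudoers.mdoc.in keeps the typo "one of the hosts's network interfaces" from the old text. The patch already rewrites the tail of that sentence ("will use the netmask of that interface"), so correct "hosts's" to "host's" in the same hunk in both source files; the .cat output will follow when regenerated.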
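Review bot: the use_netgroups hunks in sudoers.cat, sudoers.man.in and sudoers.mdoc.in introduce the NETGROUP_BASE directive by name ("unless the NETGROUP_BASE directive is present in the @ldap_conf@ file") but give no pointer to where it is described, and the sudoers.ldap hunks in this patch only touch sudoUser, sudoHost and the date, so a reader of the sudoers(5) page has nothing to follow. Suggest appending a cross-reference, e.g. "see sudoers.ldap(5)", after the file name in both source files so the performance claim can be acted on.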
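Review bot: in the sudoUser and sudoHost hunks of sudoers.ldap.cat, sudoers.ldap.man.in and sudoers.ldap.mdoc.in, "matched using the user and domain members" and "matched using the host (both qualified and unqualified) and domain members" say that the domain member participates without saying what it is compared against or how an empty domain member is treated. Since that decides whether a triple with no domain field matches at all, consider one clause in each sentence stating the comparison value and the empty-domain behaviour; the same clarification applies to the parallel sentences added to sudoers(5).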