Add explicit mention of sudo's netgroup semantics since they differ
from most other netgroup consumers.
This commit is contained in:
Todd C. Miller
2015-09-21 16:04:59 -06:00
parent 80673750cf
commit 824021b51b
6 changed files with 65 additions and 35 deletions


@@ -276,7 +276,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
list item may be prefixed with zero or more `!' operators. An odd number
of `!' operators negate the value of the item; an even number just cancel
each other out.
each other out. User netgroups are matched using the user and domain
members only; the host member is not used when matching.
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
be enclosed in double quotes to avoid the need for escaping special
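Review bot: The new sentence "User netgroups are matched using the user and domain members only; the host member is not used when matching" states which triple members are consulted but not what the domain member is compared against, so a reader still cannot predict whether a triple with a non-empty domain will match; consider adding the comparison rule here or a cross-reference to wherever it is documented, since the commit message says the point of this change is that sudo's semantics differ from other netgroup consumers.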
@@ -331,17 +332,19 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with `+') and other aliases. Again, the
value of an item may be negated with the `!' operator. If you do not
specify a netmask along with the network number, ssuuddoo will query each of
the local host's network interfaces and, if the network number
corresponds to one of the hosts's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard IP
address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
notation (number of bits, e.g. 24 or 64). A host name may include shell-
style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host
name command on your machine returns the fully qualified host name,
you'll need to use the _f_q_d_n option for wildcards to be useful. Note that
ssuuddoo only inspects actual network interfaces; this means that IP address
value of an item may be negated with the `!' operator. Host netgroups
are matched using the host (both qualified and unqualified) and domain
members only; the user member is not used when matching. If you specify
a network number without a netmask, ssuuddoo will query each of the local
host's network interfaces and, if the network number corresponds to one
of the hosts's network interfaces, will use the netmask of that
interface. The netmask may be specified either in standard IP address
notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
(number of bits, e.g. 24 or 64). A host name may include shell-style
wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name
command on your machine returns the fully qualified host name, you'll
need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match. Also, the host name
``localhost'' will only match if that is the actual host name, which is
usually only the case for non-networked systems.
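Review bot: The rewritten sentence keeps the typo "hosts's" from the old text ("one of the hosts's network interfaces"); since the line is being rewritten anyway, change it to "host's". Otherwise the restructuring reads well: moving the host netgroup sentence ("Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching") directly after the negation rule keeps it next to the netgroup mention in the first sentence, and "will use the netmask of that interface" is clearer than the old passive wording.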
@@ -878,9 +881,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
use_netgroups If set, netgroups (prefixed with `+'), may be used in
place of a user or host. For LDAP-based sudoers,
netgroup support requires an expensive substring match
on the server. If netgroups are not needed, this
option can be disabled to reduce the load on the LDAP
server. This flag is _o_n by default.
on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is
present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are
not needed, this option can be disabled to reduce the
load on the LDAP server. This flag is _o_n by default.
exec_background By default, ssuuddoo runs a command as the foreground
process as long as ssuuddoo itself is running in the
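Review bot: The added qualifier "unless the NETGROUP_BASE directive is present in the /etc/ldap.conf file" tells the reader when the expensive substring match is avoided but not what sudo does instead, so the advice in the next sentence ("If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server") now reads as if it only applies when NETGROUP_BASE is absent; consider a short clause describing the NETGROUP_BASE lookup path, or a pointer to the ldap.conf documentation, so the two cases are distinguishable.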
@@ -2459,4 +2463,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/license.html for
complete details.
Sudo 1.8.15 August 7, 2015 Sudo 1.8.15
Sudo 1.8.15 September 21, 2015 Sudo 1.8.15