Add explicit mention of sudo's netgroup semantics since they differ from most other netgroup consumers.
This commit is contained in:
Todd C. Miller
2015-09-21 16:04:59 -06:00
parent 80673750cf
commit 824021b51b
6 changed files with 65 additions and 35 deletions


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "5" "August 7, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "5" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
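Review bot: the .TH date bump to "September 21, 2015" is the right thing to pair with a content change, but this is a generated template (the @PACKAGE_VERSION@ placeholder shows it is not the hand-edited source); the commit touches 6 files, so please confirm the mdoc source this page is produced from received the same date update, otherwise the next regeneration will silently revert it.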
@@ -632,6 +632,8 @@ An odd number of
\(oq\&!\(cq
operators negate the value of
the item; an even number just cancel each other out.
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
.PP
A
\fRuser name\fR,
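Review bot: the added sentence "User netgroups are matched using the user and domain members only; the host member is not used when matching." is the key security-relevant clarification of this commit, since an administrator coming from other netgroup consumers may assume a triple's host field restricts where the user entry applies. It would be worth one more sentence stating how the domain member is compared, in particular whether a triple with an empty domain field matches regardless of the local domain, because that is the case where a user netgroup can be broader than its author intended.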
@@ -734,13 +736,14 @@ and other aliases.
Again, the value of an item may be negated with the
\(oq\&!\(cq
operator.
If you do not specify a netmask along with the network number,
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If you specify a network number without a netmask,
\fBsudo\fR
will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used.
The netmask
may be specified either in standard IP address notation
interfaces, will use the netmask of that interface.
The netmask may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
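Review bot: the new sentence "Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching." is inserted between the negation note and the network-number text, so the netmask discussion ("If you specify a network number without a netmask, ...") now reads as a continuation of the netgroup sentence; moving the netgroup sentence to its own .PP paragraph, or placing it after the CIDR sentence, keeps the two topics separate. The rewording of the netmask text is clearer than before, but the unchanged context line "if the network number corresponds to one of the hosts's network" carries a pre-existing typo ("hosts's" should be "host's") that this hunk is the natural place to fix.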
@@ -1911,7 +1914,11 @@ If set, netgroups (prefixed with
\(oq+\(cq),
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server.
substring match on the server unless the
\fBNETGROUP_BASE\fR
directive is present in the
\fI@ldap_conf@\fR
file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is
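Review bot: the added clause "unless the \fBNETGROUP_BASE\fR directive is present in the \fI@ldap_conf@\fR file." tells the reader when the expensive substring match is avoided but not what replaces it, so the trade-off is hard to evaluate from this page alone; a short cross-reference to the LDAP sudoers manual section that documents NETGROUP_BASE, or a half-sentence saying the netgroup membership is then resolved from the directory instead of by substring search, would close that gap. The following sentence ("If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server.") still reads as if the load concern always applies; consider qualifying it now that NETGROUP_BASE is mentioned.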