Add explicit mention of sudo's netgroup semantics since they differ
from most other netgroup consumers.
Todd C. Miller
2015-09-21 16:04:59 -06:00
parent 80673750cf
commit 824021b51b
6 changed files with 65 additions and 35 deletions

@@ -276,7 +276,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
list item may be prefixed with zero or more `!' operators. An odd number list item may be prefixed with zero or more `!' operators. An odd number
of `!' operators negate the value of the item; an even number just cancel of `!' operators negate the value of the item; an even number just cancel
each other out. each other out. User netgroups are matched using the user and domain
members only; the host member is not used when matching.
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
be enclosed in double quotes to avoid the need for escaping special be enclosed in double quotes to avoid the need for escaping special
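Review bot: the sentence added to the User_List paragraph ("User netgroups are matched using the user and domain members only; the host member is not used when matching") says which netgroup members are consulted but not what the domain member is compared against, nor what happens when a netgroup entry leaves the domain field empty. The commit message motivates this change as sudo differing from most other netgroup consumers, so stating the comparison explicitly would make that difference concrete; the same sentence appears in the .man and .mdoc hunks below, so the wording should be fixed in the source and carried through all three.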
@@ -331,17 +332,19 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
A Host_List is made up of one or more host names, IP addresses, network A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with `+') and other aliases. Again, the numbers, netgroups (prefixed with `+') and other aliases. Again, the
value of an item may be negated with the `!' operator. If you do not value of an item may be negated with the `!' operator. Host netgroups
specify a netmask along with the network number, ssuuddoo will query each of are matched using the host (both qualified and unqualified) and domain
the local host's network interfaces and, if the network number members only; the user member is not used when matching. If you specify
corresponds to one of the hosts's network interfaces, the corresponding a network number without a netmask, ssuuddoo will query each of the local
netmask will be used. The netmask may be specified either in standard IP host's network interfaces and, if the network number corresponds to one
address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR of the hosts's network interfaces, will use the netmask of that
notation (number of bits, e.g. 24 or 64). A host name may include shell- interface. The netmask may be specified either in standard IP address
style wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
name command on your machine returns the fully qualified host name, (number of bits, e.g. 24 or 64). A host name may include shell-style
you'll need to use the _f_q_d_n option for wildcards to be useful. Note that wildcards (see the _W_i_l_d_c_a_r_d_s section below), but unless the host name
ssuuddoo only inspects actual network interfaces; this means that IP address command on your machine returns the fully qualified host name, you'll
need to use the _f_q_d_n option for wildcards to be useful. Note that ssuuddoo
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match. Also, the host name 127.0.0.1 (localhost) will never match. Also, the host name
``localhost'' will only match if that is the actual host name, which is ``localhost'' will only match if that is the actual host name, which is
usually only the case for non-networked systems. usually only the case for non-networked systems.
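Review bot: the pre-existing typo "hosts's" in "one of the hosts's network interfaces" survives the rewording of this sentence; since the sentence is being rewritten anyway ("will use the netmask of that interface"), change it to "host's". The same typo is present in the corresponding .man and .mdoc hunks for the Host_List paragraph below, which is where the fix needs to go so the generated text picks it up.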
@@ -878,9 +881,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
use_netgroups If set, netgroups (prefixed with `+'), may be used in use_netgroups If set, netgroups (prefixed with `+'), may be used in
place of a user or host. For LDAP-based sudoers, place of a user or host. For LDAP-based sudoers,
netgroup support requires an expensive substring match netgroup support requires an expensive substring match
on the server. If netgroups are not needed, this on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is
option can be disabled to reduce the load on the LDAP present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are
server. This flag is _o_n by default. not needed, this option can be disabled to reduce the
load on the LDAP server. This flag is _o_n by default.
exec_background By default, ssuuddoo runs a command as the foreground exec_background By default, ssuuddoo runs a command as the foreground
process as long as ssuuddoo itself is running in the process as long as ssuuddoo itself is running in the
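Review bot: the new use_netgroups text says the expensive substring match is avoided when the NETGROUP_BASE directive is present in /etc/ldap.conf, but it does not say what that directive does or where it is documented, so a reader of this option has no way to know what NETGROUP_BASE should be set to. Suggest adding a pointer to the sudoers.ldap manual page (also touched in this commit) where the ldap.conf directives are described.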
@@ -2459,4 +2463,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/license.html for file distributed with ssuuddoo or http://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.15 August 7, 2015 Sudo 1.8.15 Sudo 1.8.15 September 21, 2015 Sudo 1.8.15

@@ -70,13 +70,17 @@ DDEESSCCRRIIPPTTIIOONN
A user name, user ID (prefixed with `#'), Unix group name or ID A user name, user ID (prefixed with `#'), Unix group name or ID
(prefixed with `%' or `%#' respectively), user netgroup (prefixed (prefixed with `%' or `%#' respectively), user netgroup (prefixed
with `+'), or non-Unix group name or ID (prefixed with `%:' or with `+'), or non-Unix group name or ID (prefixed with `%:' or
`%:#' respectively). Non-Unix group support is only available when `%:#' respectively). User netgroups are matched using the user and
an appropriate _g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s domain members only; the host member is not used when matching.
sudoRole object. Non-Unix group support is only available when an appropriate
_g_r_o_u_p___p_l_u_g_i_n is defined in the global _d_e_f_a_u_l_t_s sudoRole object.
ssuuddooHHoosstt ssuuddooHHoosstt
A host name, IP address, IP network, or host netgroup (prefixed A host name, IP address, IP network, or host netgroup (prefixed
with a `+'). The special value ALL will match any host. with a `+'). The special value ALL will match any host. Host
netgroups are matched using the host (both qualified and
unqualified) and domain members only; the user member is not used
when matching.
ssuuddooCCoommmmaanndd ssuuddooCCoommmmaanndd
A fully-qualified Unix command name with optional command line A fully-qualified Unix command name with optional command line
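Review bot: the sudoHost sentence says the host member is matched "both qualified and unqualified" but does not say whether this depends on the fqdn option; the sudoers(5) Host_List text in this same commit tells users the fqdn option is needed for wildcards to be useful, so readers will reasonably wonder whether it also affects netgroup host matching. A short clarification either way would settle the question.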
@@ -902,4 +906,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/license.html for file distributed with ssuuddoo or http://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.15 January 30, 2015 Sudo 1.8.15 Sudo 1.8.15 September 21, 2015 Sudo 1.8.15

@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDOERS.LDAP" "8" "January 30, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .TH "SUDOERS.LDAP" "8" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -150,6 +150,8 @@ or non-Unix group name or ID (prefixed with
or or
\(oq%:#\(cq \(oq%:#\(cq
respectively). respectively).
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
Non-Unix group support is only available when an appropriate Non-Unix group support is only available when an appropriate
\fIgroup_plugin\fR \fIgroup_plugin\fR
is defined in the global is defined in the global
@@ -163,6 +165,8 @@ A host name, IP address, IP network, or host netgroup (prefixed with a
The special value The special value
\fRALL\fR \fRALL\fR
will match any host. will match any host.
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
.TP 6n .TP 6n
\fBsudoCommand\fR \fBsudoCommand\fR
A fully-qualified Unix command name with optional command line arguments, A fully-qualified Unix command name with optional command line arguments,

@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd January 30, 2015 .Dd September 21, 2015
.Dt SUDOERS.LDAP @mansectsu@ .Dt SUDOERS.LDAP @mansectsu@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -143,6 +143,8 @@ or non-Unix group name or ID (prefixed with
or or
.Ql %:# .Ql %:#
respectively). respectively).
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
Non-Unix group support is only available when an appropriate Non-Unix group support is only available when an appropriate
.Em group_plugin .Em group_plugin
is defined in the global is defined in the global
@@ -155,6 +157,8 @@ A host name, IP address, IP network, or host netgroup (prefixed with a
The special value The special value
.Li ALL .Li ALL
will match any host. will match any host.
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
.It Sy sudoCommand .It Sy sudoCommand
A fully-qualified Unix command name with optional command line arguments, A fully-qualified Unix command name with optional command line arguments,
potentially including globbing characters (aka wild cards). potentially including globbing characters (aka wild cards).

@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "August 7, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "September 21, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -632,6 +632,8 @@ An odd number of
\(oq\&!\(cq \(oq\&!\(cq
operators negate the value of operators negate the value of
the item; an even number just cancel each other out. the item; an even number just cancel each other out.
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
.PP .PP
A A
\fRuser name\fR, \fRuser name\fR,
@@ -734,13 +736,14 @@ and other aliases.
Again, the value of an item may be negated with the Again, the value of an item may be negated with the
\(oq\&!\(cq \(oq\&!\(cq
operator. operator.
If you do not specify a netmask along with the network number, Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If you specify a network number without a netmask,
\fBsudo\fR \fBsudo\fR
will query each of the local host's network interfaces and, will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used. interfaces, will use the netmask of that interface.
The netmask The netmask may be specified either in standard IP address notation
may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64). or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the A host name may include shell-style wildcards (see the
@@ -1911,7 +1914,11 @@ If set, netgroups (prefixed with
\(oq+\(cq), \(oq+\(cq),
may be used in place of a user or host. may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server. substring match on the server unless the
\fBNETGROUP_BASE\fR
directive is present in the
\fI@ldap_conf@\fR
file.
If netgroups are not needed, this option can be disabled to reduce the If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server. load on the LDAP server.
This flag is This flag is

@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd August 7, 2015 .Dd September 21, 2015
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -605,6 +605,8 @@ An odd number of
.Ql \&! .Ql \&!
operators negate the value of operators negate the value of
the item; an even number just cancel each other out. the item; an even number just cancel each other out.
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
.Pp .Pp
A A
.Li user name , .Li user name ,
@@ -700,13 +702,14 @@ and other aliases.
Again, the value of an item may be negated with the Again, the value of an item may be negated with the
.Ql \&! .Ql \&!
operator. operator.
If you do not specify a netmask along with the network number, Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If you specify a network number without a netmask,
.Nm sudo .Nm sudo
will query each of the local host's network interfaces and, will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used. interfaces, will use the netmask of that interface.
The netmask The netmask may be specified either in standard IP address notation
may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::), (e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64). or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the A host name may include shell-style wildcards (see the
@@ -1782,7 +1785,11 @@ If set, netgroups (prefixed with
.Ql + ) , .Ql + ) ,
may be used in place of a user or host. may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server. substring match on the server unless the
.Sy NETGROUP_BASE
directive is present in the
.Pa @ldap_conf@
file.
If netgroups are not needed, this option can be disabled to reduce the If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server. load on the LDAP server.
This flag is This flag is
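Review bot: the ".Sy NETGROUP_BASE" / ".Pa @ldap_conf@" lines name the directive and file without linking to where the directive is documented; mdoc has the .Xr macro for exactly this, so adding ".Xr sudoers.ldap @mansectsu@" after the "file." line (the sudoers.ldap page in this commit already uses the @mansectsu@ substitution in its .Dt line) would give readers a place to look up NETGROUP_BASE. Since this .mdoc file is the source for the .man and .cat variants, the cross-reference only needs to be added here.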