Todd C. Miller
2007-09-05 22:50:55 +00:00
parent 6e05465b97
commit a06ae77c5a
2 changed files with 275 additions and 209 deletions


@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.7 August 15, 2007 1
1.7 September 5, 2007 1
@@ -105,29 +105,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
User ',' User_List
User ::= '!'* username |
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
'!'* User_Alias
A User_List is made up of one or more usernames, system
groups (prefixed with '%'), netgroups (prefixed with '+')
and other aliases. Each list item may be prefixed with
one or more '!' operators. An odd number of '!' operators
negate the value of the item; an even number just cancel
each other out.
A User_List is made up of one or more usernames, uids
(prefixed with '#'), system groups (prefixed with '%'),
netgroups (prefixed with '+') and User_Aliases. Each list
item may be prefixed with zero or more '!' operators. An
odd number of '!' operators negate the value of the item;
an even number just cancel each other out.
Runas_List ::= Runas_User |
Runas_User ',' Runas_List
Runas_User ::= '!'* username |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
'!'* Runas_Alias
1.7 August 15, 2007 2
1.7 September 5, 2007 2
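Review bot: with `'!'* '#'uid |` now a legal User alternative, the caveat that currently lives only in the Runas_List paragraph (usernames and groups are matched as strings, so two accounts sharing uid 0 such as root and toor are distinct unless the entry is written as `#0`) applies to User_List just as much, and the rewritten paragraph here ("usernames, uids (prefixed with '#'), system groups ...") should state it or point at it. A policy author reading only this section would not learn that `root` and `#0` match different sets of invoking users. The change from "one or more" to "zero or more '!' operators" is the right fix for the `'!'*` production.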
@@ -136,9 +136,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
A Runas_List is similar to a User_List except that it can
also contain uids (prefixed with '#') and instead of
User_Aliases it can contain Runas_Aliases. Note that
Runas_User ::= '!'* username |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
'!'* Runas_Alias
A Runas_List is similar to a User_List except that instead
of User_Aliases it can contain Runas_Aliases. Note that
usernames and groups are matched as strings. In other
words, two users (groups) with the same uid (gid) are con-
sidered to be distinct. If you wish to match all user-
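Review bot: `'!'* +netgroup |` in the Runas_User production still leaves the `+` prefix unquoted, whereas the User production this paragraph was just aligned with writes `'!'* '+'netgroup |`. Since the text now says a Runas_List is "similar to a User_List except that instead of User_Aliases it can contain Runas_Aliases", the two BNF blocks should differ only in that alias name; quote the `+` here the same way so readers do not wonder whether the unquoted form is a distinct token.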
@@ -185,15 +190,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
A Cmnd_List is a list of one or more commandnames, direc-
tories, and other aliases. A commandname is a fully qual-
ified filename which may include shell-style wildcards
(see the Wildcards section below). A simple filename
allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
1.7 August 15, 2007 3
1.7 September 5, 2007 3
@@ -202,6 +202,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
(see the Wildcards section below). A simple filename
allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
wwiitthhoouutt command line arguments. A directory is a fully
qualified pathname ending in a '/'. When you specify a
directory in a Cmnd_List, the user will be able to run any
@@ -230,10 +235,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
reference that instead.
Default_Type ::= 'Defaults' |
'Defaults' '@' Host |
'Defaults' ':' User |
'Defaults' '!' Cmnd |
'Defaults' '>' RunasUser
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
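Review bot: changing Default_Type from a single Host, User, Cmnd and RunasUser to `Host_List`, `User_List`, `Cmnd_List` and `Runas_List` widens what a Defaults line can bind to, but the grammar alone does not say how a multi-element or negated list is evaluated: is `Defaults>Runas_List` applied when the requested target user matches any one element, and what does a `!`-prefixed member (which the list productions above permit) mean inside a Defaults scope? The Default_Entry text following this block should spell that out, because an administrator who scopes a security-relevant setting with a negated Cmnd_List needs to know whether the setting applies when the command does not match rather than when it does.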
@@ -251,15 +256,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
parameters may also be used in a boolean context to dis-
able them. Values may be enclosed in double quotes (")
when they contain multiple words. Special characters may
be escaped with a backslash (\).
Lists have two additional assignment operators, += and -=.
These operators are used to add to and delete from a list
respectively. It is not an error to use the -= operator
1.7 August 15, 2007 4
1.7 September 5, 2007 4
@@ -268,6 +268,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
be escaped with a backslash (\).
Lists have two additional assignment operators, += and -=.
These operators are used to add to and delete from a list
respectively. It is not an error to use the -= operator
to remove an element that does not exist in a list.
See "SUDOERS OPTIONS" for a list of supported Defaults
@@ -317,15 +322,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr,
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
1.7 August 15, 2007 5
1.7 September 5, 2007 5
@@ -334,6 +334,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott.
TTaagg__SSppeecc
A command may have zero or more tags associated with it.
@@ -386,12 +388,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
work on your system.
1.7 August 15, 2007 6
1.7 September 5, 2007 6
@@ -400,6 +400,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
details on how NOEXEC works and whether or not it will
work on your system.
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
These tags override the value of the _s_e_t_e_n_v option on a
@@ -451,13 +454,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
It is possible to include other _s_u_d_o_e_r_s files from within
the _s_u_d_o_e_r_s file currently being parsed using the #include
directive, similar to the one used by the C preprocessor.
This is useful, for example, for keeping a site-wide _s_u_d_o_-
_e_r_s file in addition to a per-machine local one. For the
sake of this example the site-wide _s_u_d_o_e_r_s will be
1.7 August 15, 2007 7
1.7 September 5, 2007 7
@@ -466,6 +466,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
This is useful, for example, for keeping a site-wide _s_u_d_o_-
_e_r_s file in addition to a per-machine local one. For the
sake of this example the site-wide _s_u_d_o_e_r_s will be
_/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be _/_e_t_c_/_s_u_d_o_-
_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from _/_e_t_c_/_s_u_d_o_-
_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
@@ -516,14 +519,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
('\') when used as part of a word (e.g. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
SSUUDDOOEERRSS OOPPTTIIOONNSS
ssuuddoo's behavior can be modified by Default_Entry lines, as
explained earlier. A list of all supported Defaults
parameters, grouped by type, are listed below.
1.7 August 15, 2007 8
1.7 September 5, 2007 8
@@ -532,6 +532,11 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSUUDDOOEERRSS OOPPTTIIOONNSS
ssuuddoo's behavior can be modified by Default_Entry lines, as
explained earlier. A list of all supported Defaults
parameters, grouped by type, are listed below.
FFllaaggss:
always_set_home If set, ssuuddoo will set the HOME environment
@@ -581,15 +586,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
default.
fqdn Set this flag if you want to put fully
qualified hostnames in the _s_u_d_o_e_r_s file.
I.e., instead of myhost you would use
myhost.mydomain.edu. You may still use
the short form if you wish (and even mix
the two). Beware that turning on _f_q_d_n
1.7 August 15, 2007 9
1.7 September 5, 2007 9
@@ -598,6 +598,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
qualified hostnames in the _s_u_d_o_e_r_s file.
I.e., instead of myhost you would use
myhost.mydomain.edu. You may still use
the short form if you wish (and even mix
the two). Beware that turning on _f_q_d_n
requires ssuuddoo to make DNS lookups which
may make ssuuddoo unusable if DNS stops work-
ing (for example if the machine is not
@@ -647,15 +652,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
flag is _o_f_f by default.
long_otp_prompt When validating with a One Time Password
(OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-
line prompt is used to make it easier to
cut and paste the challenge to a local
window. It's not as pretty as the default
but some people find it more convenient.
1.7 August 15, 2007 10
1.7 September 5, 2007 10
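Review bot: the context line "(OPT) scheme such as S/Key or OPIE" abbreviates One Time Password as OPT; it should read OTP. The typo predates this commit and is carried through both copies of the reflowed long_otp_prompt paragraph (it reappears in the next hunk), so fix it in the source this rendered page is generated from rather than in the catman output alone.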
@@ -664,6 +664,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
(OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-
line prompt is used to make it easier to
cut and paste the challenge to a local
window. It's not as pretty as the default
but some people find it more convenient.
This flag is _o_f_f by default.
mail_always Send mail to the _m_a_i_l_t_o user every time a
@@ -713,15 +718,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
preserve_groups By default ssuuddoo will initialize the group
vector to the list of groups the target
user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set,
the user's existing group vector is left
unaltered. The real and effective group
IDs, however, are still set to match the
target user. This flag is _o_f_f by default.
1.7 August 15, 2007 11
1.7 September 5, 2007 11
@@ -730,6 +730,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set,
the user's existing group vector is left
unaltered. The real and effective group
IDs, however, are still set to match the
target user. This flag is _o_f_f by default.
requiretty If set, ssuuddoo will only run when the user
is logged in to a real tty. This will
disallow things like "rsh somehost sudo
@@ -777,17 +783,11 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
since some programs (including the RCS
revision control system) use LOGNAME to
determine the real identity of the user,
it may be desirable to change this behav-
ior. This can be done by negating the
set_logname option. Note that if the
_e_n_v___r_e_s_e_t option has not been disabled,
entries in the _e_n_v___k_e_e_p list will override
the value of _s_e_t___l_o_g_n_a_m_e. This flag is
_o_f_f by default.
it may be desirable to change this
1.7 August 15, 2007 12
1.7 September 5, 2007 12
@@ -796,6 +796,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
behavior. This can be done by negating
the set_logname option. Note that if the
_e_n_v___r_e_s_e_t option has not been disabled,
entries in the _e_n_v___k_e_e_p list will override
the value of _s_e_t___l_o_g_n_a_m_e. This flag is
_o_f_f by default.
setenv Allow the user to disable the _e_n_v___r_e_s_e_t
option from the command line. Addition-
ally, environment variables set via the
@@ -843,17 +850,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
as the user running it. With this flag
enabled, ssuuddoo will use a file named for
the tty the user is logged in on in that
directory. This flag is _o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults spec-
ified for the target user's login class if
one exists. Only available if ssuuddoo is
configured with the --with-logincap
option. This flag is _o_f_f by default.
1.7 August 15, 2007 13
1.7 September 5, 2007 13
@@ -862,6 +862,14 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
directory. This flag is _o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults spec-
ified for the target user's login class if
one exists. Only available if ssuuddoo is
configured with the --with-logincap
option. This flag is _o_f_f by default.
IInntteeggeerrss:
closefrom Before it executes a command, ssuuddoo will
@@ -908,18 +916,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SSttrriinnggss:
badpass_message Message that is displayed if a user enters
an incorrect password. The default is
Sorry, try again. unless insults are
enabled.
editor A colon (':') separated list of editors
allowed to be used with vviissuuddoo. vviissuuddoo
will choose the editor that matches the
user's EDITOR environment variable if
1.7 August 15, 2007 14
1.7 September 5, 2007 14
@@ -928,7 +928,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
possible, or the first editor in the list
an incorrect password. The default is
Sorry, try again. unless insults are
enabled.
editor A colon (':') separated list of editors
allowed to be used with vviissuuddoo. vviissuuddoo
will choose the editor that matches the
user's EDITOR environment variable if pos-
sible, or the first editor in the list
that exists and is executable. The
default is the path to vi on your system.
@@ -974,18 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
runas_default The default user to run commands as if the
--uu flag is not specified on the command
line. This defaults to root. Note that
if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenti-
cates unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user
1.7 August 15, 2007 15
1.7 September 5, 2007 15
@@ -994,8 +994,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
authenticates successfully. Defaults to
notice.
line. This defaults to root. Note that
if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenti-
cates unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user authenti-
cates successfully. Defaults to notice.
timestampdir The directory in which ssuuddoo stores its
timestamp files. The default is
@@ -1042,16 +1049,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD
flag set to avoid entering a password.
always The user must always enter a password
to use the --ll flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid
1.7 August 15, 2007 16
1.7 September 5, 2007 16
@@ -1060,7 +1060,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
entering a password.
always The user must always enter a password
to use the --ll flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid enter-
ing a password.
never The user need never enter a password
to use the --ll flag.
@@ -1108,16 +1114,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
current host must have the NOPASSWD
flag set to avoid entering a password.
always The user must always enter a password
to use the --vv flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid
1.7 August 15, 2007 17
1.7 September 5, 2007 17
@@ -1126,7 +1126,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
entering a password.
always The user must always enter a password
to use the --vv flag.
any At least one of the user's _s_u_d_o_e_r_s
entries for the current host must have
the NOPASSWD flag set to avoid enter-
ing a password.
never The user need never enter a password
to use the --vv flag.
@@ -1174,16 +1180,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
env_keep Environment variables to be preserved in
the user's environment when the _e_n_v___r_e_s_e_t
option is in effect. This allows fine-
grained control over the environment
ssuuddoo-spawned processes will receive. The
argument may be a double-quoted, space-
separated list or a single value without
double-quotes. The list can be replaced,
added to, deleted from, or disabled by
1.7 August 15, 2007 18
1.7 September 5, 2007 18
@@ -1192,6 +1192,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
grained control over the environment
ssuuddoo-spawned processes will receive. The
argument may be a double-quoted, space-
separated list or a single value without
double-quotes. The list can be replaced,
added to, deleted from, or disabled by
using the =, +=, -=, and ! operators
respectively. The default list of vari-
ables to keep is displayed when ssuuddoo is
@@ -1233,6 +1239,25 @@ EEXXAAMMPPLLEESS
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
1.7 September 5, 2007 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
@@ -1247,17 +1272,6 @@ EEXXAAMMPPLLEESS
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1.7 August 15, 2007 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Here we override some of the compiled in default values.
We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility
in all cases. We don't want to subject the full time
@@ -1299,6 +1313,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
any command on any host but they must authenticate them-
selves first (since the entry lacks the NOPASSWD tag).
1.7 September 5, 2007 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jack CSNETS = ALL
The user jjaacckk may run any command on the machines in the
@@ -1313,17 +1338,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user lliissaa may run any command on any host in the
_C_U_N_E_T_S alias (the class B network 128.138.0.0).
1.7 August 15, 2007 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
@@ -1364,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
fred ALL = (DB) NOPASSWD: ALL
The user ffrreedd can run commands as any user in the _D_B
1.7 September 5, 2007 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
@@ -1379,17 +1405,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
jill SERVERS = /usr/bin/, !SU, !SHELLS
1.7 August 15, 2007 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run
any commands in the directory _/_u_s_r_/_b_i_n_/ except for those
commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases.
@@ -1428,9 +1443,21 @@ SSEECCUURRIITTYY NNOOTTEESS
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent bbiillll from running the commands
listed in _S_U or _S_H_E_L_L_S since he can simply copy those com-
mands to a different name, or use a shell escape from an
editor or other program. Therefore, these kind of
listed in _S_U or _S_H_E_L_L_S since he can simply copy those
1.7 September 5, 2007 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
commands to a different name, or use a shell escape from
an editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
@@ -1445,17 +1472,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
There are two basic approaches to this problem:
1.7 August 15, 2007 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
restrict Avoid giving users access to commands that allow
the user to run arbitrary commands. Many edi-
tors have a restricted mode where shell escapes
@@ -1494,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
_n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known nnoott
1.7 September 5, 2007 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
to work on AIX and UnixWare. _n_o_e_x_e_c is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
@@ -1509,20 +1537,8 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will
1.7 August 15, 2007 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
prevent those two commands from executing other
_/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre-
vent those two commands from executing other
commands (such as a shell). If you are unsure
whether or not your system is capable of sup-
porting _n_o_e_x_e_c you can always just try it out
@@ -1561,6 +1577,17 @@ SSUUPPPPOORRTT
man/listinfo/sudo-users to subscribe or search the
archives.
1.7 September 5, 2007 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
DDIISSCCLLAAIIMMEERR
ssuuddoo is provided ``AS IS'' and any express or implied war-
ranties, including, but not limited to, the implied war-
@@ -1579,6 +1606,45 @@ DDIISSCCLLAAIIMMEERR
1.7 August 15, 2007 24
1.7 September 5, 2007 25


@@ -150,7 +150,7 @@
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
.TH SUDOERS @mansectform@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS"
.TH SUDOERS @mansectform@ "September 5, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
@@ -254,18 +254,19 @@ The definitions of what constitutes a valid \fIalias\fR member follow.
\& User ',' User_List
.Ve
.PP
.Vb 4
.Vb 5
\& User ::= '!'* username |
\& '!'* '#'uid |
\& '!'* '%'group |
\& '!'* '+'netgroup |
\& '!'* User_Alias
.Ve
.PP
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups
(prefixed with '%'), netgroups (prefixed with '+') and other aliases.
Each list item may be prefixed with one or more '!' operators.
An odd number of '!' operators negate the value of the item; an even
number just cancel each other out.
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
with '#'), system groups (prefixed with '%'), netgroups (prefixed
with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
.PP
.Vb 2
\& Runas_List ::= Runas_User |
@@ -280,13 +281,12 @@ number just cancel each other out.
\& '!'* Runas_Alias
.Ve
.PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can
also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes
it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups
are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to
match all usernames with the same uid (e.g.\ root and toor), you
can use a uid instead (#0 in the example given).
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
usernames and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all usernames with the same uid (e.g.\ root
and toor), you can use a uid instead (#0 in the example given).
.PP
.Vb 2
\& Host_List ::= Host |
@@ -365,10 +365,10 @@ that instead.
.PP
.Vb 5
\& Default_Type ::= 'Defaults' |
\& 'Defaults' '@' Host |
\& 'Defaults' ':' User |
\& 'Defaults' '!' Cmnd |
\& 'Defaults' '>' RunasUser
\& 'Defaults' '@' Host_List |
\& 'Defaults' ':' User_List |
\& 'Defaults' '!' Cmnd_List |
\& 'Defaults' '>' Runas_List
.Ve
.PP
.Vb 1