Todd C. Miller
1999-06-22 10:38:39 +00:00
parent b3cd9b1f96
commit a11c148681
4 changed files with 93 additions and 72 deletions


@@ -26,7 +26,7 @@ o Upgrading from a version prior to 1.6:
millert can run /usr/bin/whoami as daemon and /bin/ls and millert can run /usr/bin/whoami as daemon and /bin/ls and
/sbin/dump as root. No password need be given for either /sbin/dump as root. No password need be given for either
command. In other words, the "(root)" sets the dfault runas command. In other words, the "(root)" sets the default runas
user to root for the rest of the list. If we wanted to require user to root for the rest of the list. If we wanted to require
a password for /bin/ls and /sbin/dump the line could be written a password for /bin/ls and /sbin/dump the line could be written
thusly: thusly:


@@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
7/Apr/99 1.6 1 22/Jun/1999 1.6 1
@@ -103,31 +103,31 @@ sudoers(5) FILE FORMATS sudoers(5)
When a _r_u_n_a_s_-_l_i_s_t is specified for an _a_c_c_e_s_s___g_r_o_u_p, it When a _r_u_n_a_s_-_l_i_s_t is specified for an _a_c_c_e_s_s___g_r_o_u_p, it
affects all commands in the _a_c_c_e_s_s___g_r_o_u_p. For example, affects all commands in the _a_c_c_e_s_s___g_r_o_u_p. For example,
given: given:
oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
User oper will be able to run /usr/bin/kill and /bin/rm as User oper will be able to run /usr/bin/kill and /bin/rm as
rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm on the machine, bigserver. The _r_u_n_a_s_-_l_i_s_t rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm on the machine, bigserver. The _r_u_n_a_s_-_l_i_s_t
is "sticky" across entries in the comma-separated is "sticky" across entries in the comma-separated
_a_c_c_e_s_s___g_r_o_u_p. You can override the _r_u_n_a_s_-_l_i_s_t with _a_c_c_e_s_s___g_r_o_u_p. You can override the _r_u_n_a_s_-_l_i_s_t with
another one, at which point the new _r_u_n_a_s_-_l_i_s_t becomes the another one, at which point the new _r_u_n_a_s_-_l_i_s_t becomes the
default for that _a_c_c_e_s_s___g_r_o_u_p. For example, given: default for that _a_c_c_e_s_s___g_r_o_u_p. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, (root)
/bin/rm, \ /bin/rmdir User oper can still run oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
/usr/bin/kill as rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm but can only run /bin/rm /bin/rmdir
and /bin/rmdir as rrrrooooooootttt.
User oper can still run /usr/bin/kill as rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm
but can only run /bin/rm and /bin/rmdir as rrrrooooooootttt.
Similarly, the NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD modifier is also persistent across Similarly, the NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD modifier is also persistent across
an _a_c_c_e_s_s___g_r_o_u_p. For example given: an _a_c_c_e_s_s___g_r_o_u_p. For example given:
oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm,
/bin/rmdir User oper will be able to run /usr/bin/kill, oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
/bin/rm, and /bin/rmdir as rrrrooooooootttt without a password. If we
change that to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD:
/bin/rm, /bin/rmdir User oper can still run /usr/bin/kill
without a password but must give a password to run /bin/rm
7/Apr/99 1.6 2
22/Jun/1999 1.6 2
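Review bot: in the old rendering the continuation example ran straight into the prose (`(root) /bin/rm, \ /bin/rmdir User oper can still run`), and the two NOPASSWD examples did the same; the regenerated page now sets each example on its own indented line, which is the visible effect of the source change in this commit. Since this file is formatter output, it should only ever be regenerated from the source and never edited by hand; the footer moving from `7/Apr/99` to `22/Jun/1999` on every page confirms it was regenerated here.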
@@ -136,7 +136,14 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5)
and /bin/rmdir. User oper will be able to run /usr/bin/kill, /bin/rm, and
/bin/rmdir as rrrrooooooootttt without a password. If we change that
to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
User oper can still run /usr/bin/kill without a password
but must give a password to run /bin/rm and /bin/rmdir.
wwwwiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss)))):::: wwwwiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss))))::::
@@ -183,17 +190,10 @@ sudoers(5) FILE FORMATS sudoers(5)
{Host,User,Cmnd}_Alias. DDDDOOOO NNNNOOOOTTTT define an alias of _A_L_L, it {Host,User,Cmnd}_Alias. DDDDOOOO NNNNOOOOTTTT define an alias of _A_L_L, it
will NNNNOOOOTTTT be used. Note that _A_L_L implies the entire will NNNNOOOOTTTT be used. Note that _A_L_L implies the entire
universe of hosts/users/commands. You can subtract universe of hosts/users/commands. You can subtract
elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt...
Commands may have optional command line arguments. If
they do, then the arguments in the _s_u_d_o_e_r_s file must
exactly match those on the command line. It is also
possible to have a command's arguments span multiple lines
7/Apr/99 1.6 3 22/Jun/1999 1.6 3
@@ -202,6 +202,14 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5)
elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt...
Commands may have optional command line arguments. If
they do, then the arguments in the _s_u_d_o_e_r_s file must
exactly match those on the command line. It is also
possible to have a command's arguments span multiple lines
as long as the line continuance character "\" is used. as long as the line continuance character "\" is used.
The following characters must be escaped with a "\" if The following characters must be escaped with a "\" if
used in command arguments: ",", ":", "=", "\". used in command arguments: ",", ":", "=", "\".
@@ -245,6 +253,21 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
steve CSNETS=(operator) /usr/op_commands/ steve CSNETS=(operator) /usr/op_commands/
22/Jun/1999 1.6 4
sudoers(5) FILE FORMATS sudoers(5)
HHHHoooosssstttt AAAAlllliiiiaaaassss ssssppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnnssss:::: HHHHoooosssstttt AAAAlllliiiiaaaassss ssssppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnnssss::::
The are four _h_o_s_t _a_l_i_a_s_e_s. The first actually contains The are four _h_o_s_t _a_l_i_a_s_e_s. The first actually contains
@@ -256,18 +279,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
128.138.205.192 nets. The CUNETS alias will match any 128.138.205.192 nets. The CUNETS alias will match any
host on the 128.138.0.0 (class B) network. Note that host on the 128.138.0.0 (class B) network. Note that
these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an
7/Apr/99 1.6 4
sudoers(5) FILE FORMATS sudoers(5)
explicit netmask is given, the local _n_e_t_m_a_s_k is used to explicit netmask is given, the local _n_e_t_m_a_s_k is used to
determine whether or not the current host belongs to a determine whether or not the current host belongs to a
network. network.
@@ -310,6 +321,19 @@ sudoers(5) FILE FORMATS sudoers(5)
root on the machines on CUNETS (which is root on the machines on CUNETS (which is
explicitly listed as a class B network). explicitly listed as a class B network).
22/Jun/1999 1.6 5
sudoers(5) FILE FORMATS sudoers(5)
nieusma The user nieusma may run commands in the nieusma The user nieusma may run commands in the
SHUTDOWN alias as well as _/_s_b_i_n_/_r_e_b_o_o_t on SHUTDOWN alias as well as _/_s_b_i_n_/_r_e_b_o_o_t on
the SERVER machines and any command except the SERVER machines and any command except
@@ -322,18 +346,6 @@ sudoers(5) FILE FORMATS sudoers(5)
markm The user markm may run any command on the markm The user markm may run any command on the
HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n, HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n,
7/Apr/99 1.6 5
sudoers(5) FILE FORMATS sudoers(5)
_/_s_b_i_n_/_h_a_l_t, and commands listed in the _/_s_b_i_n_/_h_a_l_t, and commands listed in the
MISC alias. MISC alias.
@@ -379,19 +391,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
22/Jun/1999 1.6 6
7/Apr/99 1.6 6
@@ -457,6 +457,6 @@ sudoers(5) FILE FORMATS sudoers(5)
7/Apr/99 1.6 7 22/Jun/1999 1.6 7


@@ -2,10 +2,8 @@
''' $RCSfile$$Revision$$Date$ ''' $RCSfile$$Revision$$Date$
''' '''
''' $Log$ ''' $Log$
''' Revision 1.9 1999/04/07 23:18:51 millert ''' Revision 1.10 1999/06/22 10:38:38 millert
''' You can now specifiy a host list instead of just a host or alias. ''' typos
''' Ie: user = host1,host2,ALIAS,!host3 my_command
''' now works.
''' '''
''' '''
.de Sh .de Sh
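Review bot: the `$Log$` block replaces the 1.9 entry ("You can now specifiy a host list ...") with the 1.10 "typos" entry instead of adding the new entry above the old one, so this header no longer accumulates history. That is expected if the file is produced by the formatter and the keyword is expanded fresh on each run, but if the file is maintained by hand the earlier entry should be kept.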
@@ -98,7 +96,7 @@
.nr % 0 .nr % 0
.rr F .rr F
.\} .\}
.TH sudoers 5 "1.6" "7/Apr/99" "FILE FORMATS" .TH sudoers 5 "1.6" "22/Jun/1999" "FILE FORMATS"
.UC .UC
.if n .hy 0 .if n .hy 0
.if n .na .if n .na
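Review bot: the `.TH` date changes from the two-digit year `7/Apr/99` to the four-digit `22/Jun/1999`; the formatted page in this commit carries the same string in its footers, so the two stay consistent, but the date is better supplied from one place at build time than hand-set in each file so they cannot drift apart.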
@@ -274,24 +272,36 @@ will be allowed to run the command.
.Sh "persistence of modifiers" .Sh "persistence of modifiers"
When a \fIrunas-list\fR is specified for an \fIaccess_group\fR, it When a \fIrunas-list\fR is specified for an \fIaccess_group\fR, it
affects all commands in the \fIaccess_group\fR. For example, given: affects all commands in the \fIaccess_group\fR. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm .PP
.Vb 1
\& oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
.Ve
User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR and \f(CW/bin/rm\fR User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR and \f(CW/bin/rm\fR
as \fBroot\fR or \fBsysadm\fR on the machine, \f(CWbigserver\fR. The as \fBroot\fR or \fBsysadm\fR on the machine, \f(CWbigserver\fR. The
\fIrunas-list\fR is \*(L"sticky\*(R" across entries in the comma-separated \fIrunas-list\fR is \*(L"sticky\*(R" across entries in the comma-separated
\fIaccess_group\fR. You can override the \fIrunas-list\fR with another \fIaccess_group\fR. You can override the \fIrunas-list\fR with another
one, at which point the new \fIrunas-list\fR becomes the default for one, at which point the new \fIrunas-list\fR becomes the default for
that \fIaccess_group\fR. For example, given: that \fIaccess_group\fR. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \e .PP
/bin/rmdir .Vb 2
\& oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \e
\& /bin/rmdir
.Ve
User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR as \fBroot\fR or \fBsysadm\fR but User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR as \fBroot\fR or \fBsysadm\fR but
can only run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR as \fBroot\fR. can only run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR as \fBroot\fR.
.PP .PP
Similarly, the \fB\s-1NOPASSWD\s0\fR modifier is also persistent across an Similarly, the \fB\s-1NOPASSWD\s0\fR modifier is also persistent across an
\fIaccess_group\fR. For example given: \fIaccess_group\fR. For example given:
oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, /bin/rm, /bin/rmdir .PP
.Vb 1
\& oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
.Ve
User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR, \f(CW/bin/rm\fR, and User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR, \f(CW/bin/rm\fR, and
\f(CW/bin/rmdir\fR as \fBroot\fR without a password. If we change that to: \f(CW/bin/rmdir\fR as \fBroot\fR without a password. If we change that to:
oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, \s-1PASSWD\s0: /bin/rm, /bin/rmdir .PP
.Vb 1
\& oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
.Ve
User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR without a password but User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR without a password but
must give a password to run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR. must give a password to run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR.
.Sh "wildcards (aka meta characters):" .Sh "wildcards (aka meta characters):"
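Review bot: the examples move from free text into `.PP`/`.Vb n`/`.Ve` blocks, and two details are worth checking: the argument to `.Vb` is the line count used to keep the block together on one page, and it matches each block (1, 2, 1, 1); inside the blocks the `\s-1NOPASSWD\s0` and `\s-1PASSWD\s0` size escapes are dropped for plain `NOPASSWD:` and `PASSWD:`, which is correct for verbatim text. The `\e` on the continuation line is still required, because escapes are still interpreted in a no-fill block, so it renders as the literal `\` that sudoers expects; the leading `\&` on each line is also right, since it stops a line that happens to begin with `.` or `'` from being read as a troff request.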
@@ -331,8 +341,10 @@ The reserved alias \fI\s-1ALL\s0\fR can be used for both {Host,User,Cmnd}_Alias.
\fB\s-1DO\s0 \s-1NOT\s0\fR define an alias of \fI\s-1ALL\s0\fR, it will \fB\s-1NOT\s0\fR be used. \fB\s-1DO\s0 \s-1NOT\s0\fR define an alias of \fI\s-1ALL\s0\fR, it will \fB\s-1NOT\s0\fR be used.
Note that \fI\s-1ALL\s0\fR implies the entire universe of hosts/users/commands. Note that \fI\s-1ALL\s0\fR implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax: You can subtract elements from the universe by using the syntax:
user host=\s-1ALL\s0,!\s-1ALIAS1\s0,!/sbin/halt...
.PP .PP
.Vb 1
\& user host=ALL,!ALIAS1,!/sbin/halt...
.Ve
Commands may have optional command line arguments. If they do, Commands may have optional command line arguments. If they do,
then the arguments in the \fIsudoers\fR file must exactly match those then the arguments in the \fIsudoers\fR file must exactly match those
on the command line. It is also possible to have a command's on the command line. It is also possible to have a command's


@@ -77,24 +77,32 @@ will be allowed to run the command.
When a I<runas-list> is specified for an I<access_group>, it When a I<runas-list> is specified for an I<access_group>, it
affects all commands in the I<access_group>. For example, given: affects all commands in the I<access_group>. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
User C<oper> will be able to run C</usr/bin/kill> and C</bin/rm> User C<oper> will be able to run C</usr/bin/kill> and C</bin/rm>
as B<root> or B<sysadm> on the machine, C<bigserver>. The as B<root> or B<sysadm> on the machine, C<bigserver>. The
I<runas-list> is "sticky" across entries in the comma-separated I<runas-list> is "sticky" across entries in the comma-separated
I<access_group>. You can override the I<runas-list> with another I<access_group>. You can override the I<runas-list> with another
one, at which point the new I<runas-list> becomes the default for one, at which point the new I<runas-list> becomes the default for
that I<access_group>. For example, given: that I<access_group>. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \ oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
/bin/rmdir /bin/rmdir
User C<oper> can still run C</usr/bin/kill> as B<root> or B<sysadm> but User C<oper> can still run C</usr/bin/kill> as B<root> or B<sysadm> but
can only run C</bin/rm> and C</bin/rmdir> as B<root>. can only run C</bin/rm> and C</bin/rmdir> as B<root>.
Similarly, the B<NOPASSWD> modifier is also persistent across an Similarly, the B<NOPASSWD> modifier is also persistent across an
I<access_group>. For example given: I<access_group>. For example given:
oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
User C<oper> will be able to run C</usr/bin/kill>, C</bin/rm>, and User C<oper> will be able to run C</usr/bin/kill>, C</bin/rm>, and
C</bin/rmdir> as B<root> without a password. If we change that to: C</bin/rmdir> as B<root> without a password. If we change that to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
User C<oper> can still run C</usr/bin/kill> without a password but User C<oper> can still run C</usr/bin/kill> without a password but
must give a password to run C</bin/rm> and C</bin/rmdir>. must give a password to run C</bin/rm> and C</bin/rmdir>.
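Review bot: both columns of this hunk show identical text, so the change is whitespace only (the examples are indented so that pod2man emits them as verbatim paragraphs); that indentation is not visible in this rendering, so check the source directly that each example line is indented and that a blank line separates it from the prose on both sides, because without the blank line POD does not start a verbatim paragraph and the example runs into the text again exactly as it did in the old formatted page.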
@@ -160,6 +168,7 @@ The reserved alias I<ALL> can be used for both {Host,User,Cmnd}_Alias.
B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used. B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used.
Note that I<ALL> implies the entire universe of hosts/users/commands. Note that I<ALL> implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax: You can subtract elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt... user host=ALL,!ALIAS1,!/sbin/halt...
Commands may have optional command line arguments. If they do, Commands may have optional command line arguments. If they do,
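Review bot: the header `-160,6 +168,7` shows one line added that does not appear in the side-by-side text; presumably it is the blank line that separates the `user host=ALL,!ALIAS1,!/sbin/halt...` example from the `Commands may have optional command line arguments` paragraph, which POD needs to close the verbatim paragraph, so confirm that is what was added and that the example line itself is indented.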