This commit is contained in:
Todd C. Miller
1999-06-22 10:38:39 +00:00
parent b3cd9b1f96
commit a11c148681
4 changed files with 93 additions and 72 deletions

View File

@@ -26,7 +26,7 @@ o Upgrading from a version prior to 1.6:
millert can run /usr/bin/whoami as daemon and /bin/ls and
/sbin/dump as root. No password need be given for either
command. In other words, the "(root)" sets the dfault runas
command. In other words, the "(root)" sets the default runas
user to root for the rest of the list. If we wanted to require
a password for /bin/ls and /sbin/dump the line could be written
thusly:

View File

@@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
7/Apr/99 1.6 1
22/Jun/1999 1.6 1
@@ -103,31 +103,31 @@ sudoers(5) FILE FORMATS sudoers(5)
When a _r_u_n_a_s_-_l_i_s_t is specified for an _a_c_c_e_s_s___g_r_o_u_p, it
affects all commands in the _a_c_c_e_s_s___g_r_o_u_p. For example,
given:
oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
User oper will be able to run /usr/bin/kill and /bin/rm as
rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm on the machine, bigserver. The _r_u_n_a_s_-_l_i_s_t
is "sticky" across entries in the comma-separated
_a_c_c_e_s_s___g_r_o_u_p. You can override the _r_u_n_a_s_-_l_i_s_t with
another one, at which point the new _r_u_n_a_s_-_l_i_s_t becomes the
default for that _a_c_c_e_s_s___g_r_o_u_p. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, (root)
/bin/rm, \ /bin/rmdir User oper can still run
/usr/bin/kill as rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm but can only run /bin/rm
and /bin/rmdir as rrrrooooooootttt.
oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
/bin/rmdir
User oper can still run /usr/bin/kill as rrrrooooooootttt or ssssyyyyssssaaaaddddmmmm
but can only run /bin/rm and /bin/rmdir as rrrrooooooootttt.
Similarly, the NNNNOOOOPPPPAAAASSSSSSSSWWWWDDDD modifier is also persistent across
an _a_c_c_e_s_s___g_r_o_u_p. For example given:
oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm,
/bin/rmdir User oper will be able to run /usr/bin/kill,
/bin/rm, and /bin/rmdir as rrrrooooooootttt without a password. If we
change that to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD:
/bin/rm, /bin/rmdir User oper can still run /usr/bin/kill
without a password but must give a password to run /bin/rm
oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
7/Apr/99 1.6 2
22/Jun/1999 1.6 2
@@ -136,7 +136,14 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
and /bin/rmdir.
User oper will be able to run /usr/bin/kill, /bin/rm, and
/bin/rmdir as rrrrooooooootttt without a password. If we change that
to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
User oper can still run /usr/bin/kill without a password
but must give a password to run /bin/rm and /bin/rmdir.
wwwwiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss))))::::
@@ -183,17 +190,10 @@ sudoers(5) FILE FORMATS sudoers(5)
{Host,User,Cmnd}_Alias. DDDDOOOO NNNNOOOOTTTT define an alias of _A_L_L, it
will NNNNOOOOTTTT be used. Note that _A_L_L implies the entire
universe of hosts/users/commands. You can subtract
elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt...
Commands may have optional command line arguments. If
they do, then the arguments in the _s_u_d_o_e_r_s file must
exactly match those on the command line. It is also
possible to have a command's arguments span multiple lines
7/Apr/99 1.6 3
22/Jun/1999 1.6 3
@@ -202,6 +202,14 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt...
Commands may have optional command line arguments. If
they do, then the arguments in the _s_u_d_o_e_r_s file must
exactly match those on the command line. It is also
possible to have a command's arguments span multiple lines
as long as the line continuance character "\" is used.
The following characters must be escaped with a "\" if
used in command arguments: ",", ":", "=", "\".
@@ -245,6 +253,21 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
steve CSNETS=(operator) /usr/op_commands/
22/Jun/1999 1.6 4
sudoers(5) FILE FORMATS sudoers(5)
HHHHoooosssstttt AAAAlllliiiiaaaassss ssssppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnnssss::::
The are four _h_o_s_t _a_l_i_a_s_e_s. The first actually contains
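Review bot: "The are four host aliases" in the trailing context of this hunk still reads "The are" rather than "There are"; since this commit is a typo pass, fix it in the pod source so the regenerated cat and man pages pick it up rather than editing the generated file.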
@@ -256,18 +279,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
128.138.205.192 nets. The CUNETS alias will match any
host on the 128.138.0.0 (class B) network. Note that
these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an
7/Apr/99 1.6 4
sudoers(5) FILE FORMATS sudoers(5)
explicit netmask is given, the local _n_e_t_m_a_s_k is used to
determine whether or not the current host belongs to a
network.
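Review bot: in the unchanged context here, "not ip addresses" should read "not IP addresses"; a small capitalisation point that fits this typo pass, again to be made in the pod source rather than in the generated cat page.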
@@ -310,6 +321,19 @@ sudoers(5) FILE FORMATS sudoers(5)
root on the machines on CUNETS (which is
explicitly listed as a class B network).
22/Jun/1999 1.6 5
sudoers(5) FILE FORMATS sudoers(5)
nieusma The user nieusma may run commands in the
SHUTDOWN alias as well as _/_s_b_i_n_/_r_e_b_o_o_t on
the SERVER machines and any command except
@@ -322,18 +346,6 @@ sudoers(5) FILE FORMATS sudoers(5)
markm The user markm may run any command on the
HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n,
7/Apr/99 1.6 5
sudoers(5) FILE FORMATS sudoers(5)
_/_s_b_i_n_/_h_a_l_t, and commands listed in the
MISC alias.
@@ -379,19 +391,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
7/Apr/99 1.6 6
22/Jun/1999 1.6 6
@@ -457,6 +457,6 @@ sudoers(5) FILE FORMATS sudoers(5)
7/Apr/99 1.6 7
22/Jun/1999 1.6 7

View File

@@ -2,10 +2,8 @@
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
''' Revision 1.9 1999/04/07 23:18:51 millert
''' You can now specifiy a host list instead of just a host or alias.
''' Ie: user = host1,host2,ALIAS,!host3 my_command
''' now works.
''' Revision 1.10 1999/06/22 10:38:38 millert
''' typos
'''
'''
.de Sh
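Review bot: the $Log$ keyword in this generated header expands a fresh "Revision ..." comment block on every commit (here the 1.9 block is swapped for a 1.10 "typos" block), so the generated man page churns even when its content does not change; consider keeping only the $RCSfile$$Revision$$Date$ line and dropping $Log$ from the template.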
@@ -98,7 +96,7 @@
.nr % 0
.rr F
.\}
.TH sudoers 5 "1.6" "7/Apr/99" "FILE FORMATS"
.TH sudoers 5 "1.6" "22/Jun/1999" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
@@ -274,24 +272,36 @@ will be allowed to run the command.
.Sh "persistence of modifiers"
When a \fIrunas-list\fR is specified for an \fIaccess_group\fR, it
affects all commands in the \fIaccess_group\fR. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
.PP
.Vb 1
\& oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
.Ve
User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR and \f(CW/bin/rm\fR
as \fBroot\fR or \fBsysadm\fR on the machine, \f(CWbigserver\fR. The
\fIrunas-list\fR is \*(L"sticky\*(R" across entries in the comma-separated
\fIaccess_group\fR. You can override the \fIrunas-list\fR with another
one, at which point the new \fIrunas-list\fR becomes the default for
that \fIaccess_group\fR. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \e
/bin/rmdir
.PP
.Vb 2
\& oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \e
\& /bin/rmdir
.Ve
User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR as \fBroot\fR or \fBsysadm\fR but
can only run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR as \fBroot\fR.
.PP
Similarly, the \fB\s-1NOPASSWD\s0\fR modifier is also persistent across an
\fIaccess_group\fR. For example given:
oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, /bin/rm, /bin/rmdir
.PP
.Vb 1
\& oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
.Ve
User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR, \f(CW/bin/rm\fR, and
\f(CW/bin/rmdir\fR as \fBroot\fR without a password. If we change that to:
oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, \s-1PASSWD\s0: /bin/rm, /bin/rmdir
.PP
.Vb 1
\& oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
.Ve
User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR without a password but
must give a password to run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR.
.Sh "wildcards (aka meta characters):"
@@ -331,8 +341,10 @@ The reserved alias \fI\s-1ALL\s0\fR can be used for both {Host,User,Cmnd}_Alias.
\fB\s-1DO\s0 \s-1NOT\s0\fR define an alias of \fI\s-1ALL\s0\fR, it will \fB\s-1NOT\s0\fR be used.
Note that \fI\s-1ALL\s0\fR implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
user host=\s-1ALL\s0,!\s-1ALIAS1\s0,!/sbin/halt...
.PP
.Vb 1
\& user host=ALL,!ALIAS1,!/sbin/halt...
.Ve
Commands may have optional command line arguments. If they do,
then the arguments in the \fIsudoers\fR file must exactly match those
on the command line. It is also possible to have a command's

View File

@@ -77,24 +77,32 @@ will be allowed to run the command.
When a I<runas-list> is specified for an I<access_group>, it
affects all commands in the I<access_group>. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
User C<oper> will be able to run C</usr/bin/kill> and C</bin/rm>
as B<root> or B<sysadm> on the machine, C<bigserver>. The
I<runas-list> is "sticky" across entries in the comma-separated
I<access_group>. You can override the I<runas-list> with another
one, at which point the new I<runas-list> becomes the default for
that I<access_group>. For example, given:
oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
/bin/rmdir
User C<oper> can still run C</usr/bin/kill> as B<root> or B<sysadm> but
can only run C</bin/rm> and C</bin/rmdir> as B<root>.
Similarly, the B<NOPASSWD> modifier is also persistent across an
I<access_group>. For example given:
oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
User C<oper> will be able to run C</usr/bin/kill>, C</bin/rm>, and
C</bin/rmdir> as B<root> without a password. If we change that to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
User C<oper> can still run C</usr/bin/kill> without a password but
must give a password to run C</bin/rm> and C</bin/rmdir>.
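Review bot: the context line "I<access_group>. For example given:" in the NOPASSWD paragraph is missing the comma that the earlier "For example, given:" lines in this same hunk have; as this pod file is the source the cat and man pages are generated from, change it to "For example, given:" here so all three files come out consistent.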
@@ -160,6 +168,7 @@ The reserved alias I<ALL> can be used for both {Host,User,Cmnd}_Alias.
B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used.
Note that I<ALL> implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt...
Commands may have optional command line arguments. If they do,