Define RBAC and mention incompatibility with intercept/log_subcmds.
@@ -25,7 +25,7 @@
|
|||||||
.nr BA @BAMAN@
|
.nr BA @BAMAN@
|
||||||
.nr LC @LCMAN@
|
.nr LC @LCMAN@
|
||||||
.nr PS @PSMAN@
|
.nr PS @PSMAN@
|
||||||
.TH "SUDOERS" "@mansectform@" "September 1, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
.TH "SUDOERS" "@mansectform@" "September 3, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||||
.nh
|
.nh
|
||||||
.if n .ad l
|
.if n .ad l
|
||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
@@ -1411,6 +1411,7 @@ On systems with SELinux support,
|
|||||||
\fIsudoers\fR
|
\fIsudoers\fR
|
||||||
file entries may optionally have an SELinux role and/or type associated
|
file entries may optionally have an SELinux role and/or type associated
|
||||||
with a command.
|
with a command.
|
||||||
|
This can be used to implement a form of role-based access control (RBAC).
|
||||||
If a role or
|
If a role or
|
||||||
type is specified with the command it will override any default values
|
type is specified with the command it will override any default values
|
||||||
specified in
|
specified in
|
||||||
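Review bot: The added sentence in the SELinux paragraph defines RBAC but leaves out the incompatibility this commit documents, and this is the one section an administrator assigning a role or type will actually read. Suggest following "This can be used to implement a form of role-based access control (RBAC)." with a sentence saying that intercept and log_subcmds cannot be combined with it, so the limitation is discoverable from both directions.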
@@ -2874,13 +2875,12 @@ The
|
|||||||
\fIlog_subcmds\fR
|
\fIlog_subcmds\fR
|
||||||
flag uses the same underlying mechanism as the
|
flag uses the same underlying mechanism as the
|
||||||
\fIintercept\fR
|
\fIintercept\fR
|
||||||
and
|
setting.
|
||||||
\fInoexec\fR
|
|
||||||
settings.
|
|
||||||
See
|
See
|
||||||
\fIPreventing shell escapes\fR
|
\fIPreventing shell escapes\fR
|
||||||
for more information on what systems support this option and its limitations.
|
for more information on what systems support this option and its limitations.
|
||||||
This setting is only supported by version 1.9.8 or higher.
|
This setting is only supported by version 1.9.8 or higher
|
||||||
|
and is incompatible with SELinux RBAC support.
|
||||||
.TP 18n
|
.TP 18n
|
||||||
log_year
|
log_year
|
||||||
If set, the four-digit year will be logged in the (non-syslog)
|
If set, the four-digit year will be logged in the (non-syslog)
|
||||||
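Review bot: The added clause "and is incompatible with SELinux RBAC support" does not say what sudo does when log_subcmds is enabled and the command also has an SELinux role or type. Because log_subcmds is an audit control, the reader needs to know whether the command is refused, the flag is ignored, or the role and type are ignored. Please state the outcome, and whether it is reported to the user or recorded in the log.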
@@ -3056,7 +3056,8 @@ This flag is
|
|||||||
\fIoff\fR
|
\fIoff\fR
|
||||||
by default.
|
by default.
|
||||||
.sp
|
.sp
|
||||||
This setting is only supported by version 1.9.8 or higher.
|
This setting is only supported by version 1.9.8 or higher
|
||||||
|
and is incompatible with SELinux RBAC support.
|
||||||
.TP 18n
|
.TP 18n
|
||||||
intercept_allow_setid
|
intercept_allow_setid
|
||||||
On most systems, the dynamic loader will ignore
|
On most systems, the dynamic loader will ignore
|
||||||
|
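Review bot: "SELinux RBAC support" in the new second line is ambiguous about scope. It can be read as any sudo with SELinux support available, or only as commands that have a role or type set in sudoers. Suggest wording it in terms of the actual condition, and making it a sentence of its own, since "only supported by version 1.9.8 or higher and is incompatible with SELinux RBAC support" joins a version requirement and a functional limitation that readers look for separately.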
@@ -24,7 +24,7 @@
|
|||||||
.nr BA @BAMAN@
|
.nr BA @BAMAN@
|
||||||
.nr LC @LCMAN@
|
.nr LC @LCMAN@
|
||||||
.nr PS @PSMAN@
|
.nr PS @PSMAN@
|
||||||
.Dd September 1, 2021
|
.Dd September 3, 2021
|
||||||
.Dt SUDOERS @mansectform@
|
.Dt SUDOERS @mansectform@
|
||||||
.Os Sudo @PACKAGE_VERSION@
|
.Os Sudo @PACKAGE_VERSION@
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@@ -1339,6 +1339,7 @@ On systems with SELinux support,
|
|||||||
.Em sudoers
|
.Em sudoers
|
||||||
file entries may optionally have an SELinux role and/or type associated
|
file entries may optionally have an SELinux role and/or type associated
|
||||||
with a command.
|
with a command.
|
||||||
|
This can be used to implement a form of role-based access control (RBAC).
|
||||||
If a role or
|
If a role or
|
||||||
type is specified with the command it will override any default values
|
type is specified with the command it will override any default values
|
||||||
specified in
|
specified in
|
||||||
@@ -2706,13 +2707,12 @@ The
|
|||||||
.Em log_subcmds
|
.Em log_subcmds
|
||||||
flag uses the same underlying mechanism as the
|
flag uses the same underlying mechanism as the
|
||||||
.Em intercept
|
.Em intercept
|
||||||
and
|
setting.
|
||||||
.Em noexec
|
|
||||||
settings.
|
|
||||||
See
|
See
|
||||||
.Sx Preventing shell escapes
|
.Sx Preventing shell escapes
|
||||||
for more information on what systems support this option and its limitations.
|
for more information on what systems support this option and its limitations.
|
||||||
This setting is only supported by version 1.9.8 or higher.
|
This setting is only supported by version 1.9.8 or higher
|
||||||
|
and is incompatible with SELinux RBAC support.
|
||||||
.It log_year
|
.It log_year
|
||||||
If set, the four-digit year will be logged in the (non-syslog)
|
If set, the four-digit year will be logged in the (non-syslog)
|
||||||
.Nm sudo
|
.Nm sudo
|
||||||
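Review bot: The commit message does not mention the change from "the intercept and noexec settings" to "the intercept setting" at the top of this hunk (the man-format copy carries the same edit). If this is a deliberate correction of how log_subcmds is described, note it in the commit message or split it into its own commit, so the wording change is not read as a side effect of the RBAC note.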
@@ -2878,7 +2878,8 @@ This flag is
|
|||||||
.Em off
|
.Em off
|
||||||
by default.
|
by default.
|
||||||
.Pp
|
.Pp
|
||||||
This setting is only supported by version 1.9.8 or higher.
|
This setting is only supported by version 1.9.8 or higher
|
||||||
|
and is incompatible with SELinux RBAC support.
|
||||||
.It intercept_allow_setid
|
.It intercept_allow_setid
|
||||||
On most systems, the dynamic loader will ignore
|
On most systems, the dynamic loader will ignore
|
||||||
.Ev LD_PRELOAD
|
.Ev LD_PRELOAD
|
||||||
|