Define RBAC and mention incompatibility with intercept/log_subcmds.

Todd C. Miller
2021-09-03 14:19:32 -06:00
parent 157ceadfab
commit aac09cf7be
2 changed files with 14 additions and 12 deletions


@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "September 1, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "September 3, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -1411,6 +1411,7 @@ On systems with SELinux support,
\fIsudoers\fR
file entries may optionally have an SELinux role and/or type associated
with a command.
This can be used to implement a form of role-based access control (RBAC).
If a role or
type is specified with the command it will override any default values
specified in
@@ -2874,13 +2875,12 @@ The
\fIlog_subcmds\fR
flag uses the same underlying mechanism as the
\fIintercept\fR
and
\fInoexec\fR
settings.
setting.
See
\fIPreventing shell escapes\fR
for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher.
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
.TP 18n
log_year
If set, the four-digit year will be logged in the (non-syslog)
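Review bot: the log_subcmds text changes from "intercept and noexec settings" to "intercept setting", which alters what the manual says about the underlying mechanism, but the commit message only covers defining RBAC and the intercept/log_subcmds incompatibility. A line in the commit message (or a separate commit) explaining why noexec is dropped from this sentence would keep the change from reading as an accidental edit.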
@@ -3056,7 +3056,8 @@ This flag is
\fIoff\fR
by default.
.sp
This setting is only supported by version 1.9.8 or higher.
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
.TP 18n
intercept_allow_setid
On most systems, the dynamic loader will ignore
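Review bot: "and is incompatible with SELinux RBAC support" in the intercept entry does not say what happens when both are configured. A reader cannot tell from this sentence whether the command is rejected, the role or type is ignored, or the command runs without interception. Suggest stating the resulting behavior here and in the matching log_subcmds sentence, since a control that is silently not applied is the case an administrator most needs documented.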


@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd September 1, 2021
.Dd September 3, 2021
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -1339,6 +1339,7 @@ On systems with SELinux support,
.Em sudoers
file entries may optionally have an SELinux role and/or type associated
with a command.
This can be used to implement a form of role-based access control (RBAC).
If a role or
type is specified with the command it will override any default values
specified in
@@ -2706,13 +2707,12 @@ The
.Em log_subcmds
flag uses the same underlying mechanism as the
.Em intercept
and
.Em noexec
settings.
setting.
See
.Sx Preventing shell escapes
for more information on what systems support this option and its limitations.
This setting is only supported by version 1.9.8 or higher.
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
.It log_year
If set, the four-digit year will be logged in the (non-syslog)
.Nm sudo
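Review bot: the added "and is incompatible with SELinux RBAC support" line in the log_subcmds entry is plain prose, while the sentence just above it uses ".Sx Preventing shell escapes" to point at the related section. The RBAC abbreviation is only introduced by the sentence added in the -1339 hunk, more than a thousand lines earlier, so a .Sx reference to that section here (and in the intercept entry) would let a reader who lands on this option find the definition.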
@@ -2878,7 +2878,8 @@ This flag is
.Em off
by default.
.Pp
This setting is only supported by version 1.9.8 or higher.
This setting is only supported by version 1.9.8 or higher
and is incompatible with SELinux RBAC support.
.It intercept_allow_setid
On most systems, the dynamic loader will ignore
.Ev LD_PRELOAD