isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use "Nm sudoers" when talking about the plugin and "Em sudoers" when

Browse Source 
talking about the sudoers file.
This commit is contained in:
Todd C. Miller
2016-01-16 16:46:17 -07:00
parent 12a8becd70
commit ad8c96403d
3 changed files with 250 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
doc/sudoers.cat
View File

@@ -7,7 +7,7 @@ DDEESSCCRRIIPPTTIIOONN
The ssuuddooeerrss policy plugin determines a user's ssuuddoo privileges. It is the
default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s
file or, optionally in LDAP. The policy format is described in detail in
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing ssuuddooeerrss
policy information in LDAP, please see sudoers.ldap(4).
CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss
@@ -61,11 +61,11 @@ DDEESSCCRRIIPPTTIIOONN
manual.
AAuutthheennttiiccaattiioonn aanndd llooggggiinngg
The _s_u_d_o_e_r_s security policy requires that most users authenticate
The ssuuddooeerrss security policy requires that most users authenticate
themselves before they can use ssuuddoo. A password is not required if the
invoking user is root, if the target user is the same as the invoking
user, or if the policy has disabled authentication for the user or
command. Unlike su(1), when _s_u_d_o_e_r_s requires authentication, it
command. Unlike su(1), when ssuuddooeerrss requires authentication, it
validates the invoking user's credentials, not the target user's (or
root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and
_r_u_n_a_s_p_w flags, described later.
@@ -83,25 +83,24 @@ DDEESSCCRRIIPPTTIIOONN
regardless of whether or not mail is sent.
If ssuuddoo is run by root and the SUDO_USER environment variable is set, the
_s_u_d_o_e_r_s policy will use this value to determine who the actual user is.
ssuuddooeerrss policy will use this value to determine who the actual user is.
This can be used by a user to log commands through sudo even when a root
shell has been invoked. It also allows the --ee option to remain useful
even when invoked via a sudo-run script or program. Note, however, that
the _s_u_d_o_e_r_s lookup is still done for root, not the user specified by
the _s_u_d_o_e_r_s file lookup is still done for root, not the user specified by
SUDO_USER.
_s_u_d_o_e_r_s uses per-user time stamp files for credential caching. Once a
ssuuddooeerrss uses per-user time stamp files for credential caching. Once a
user has been authenticated, a record is written containing the uid that
was used to authenticate, the terminal session ID, and a time stamp
(using a monotonic clock if one is available). The user may then use
ssuuddoo without a password for a short period of time (5 minutes unless
overridden by the _t_i_m_e_o_u_t option). By default, _s_u_d_o_e_r_s uses a separate
overridden by the _t_i_m_e_o_u_t option). By default, ssuuddooeerrss uses a separate
record for each tty, which means that a user's login sessions are
authenticated separately. The _t_t_y___t_i_c_k_e_t_s option can be disabled to
force the use of a single time stamp for all of a user's sessions.
_s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as
errors) to syslog(3), a log file, or both. By default, _s_u_d_o_e_r_s will log
ssuuddooeerrss can log both successful and unsuccessful attempts (as well as
errors) to syslog(3), a log file, or both. By default, ssuuddooeerrss will log
via syslog(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e Defaults
settings.
@@ -111,10 +110,10 @@ DDEESSCCRRIIPPTTIIOONN
tags.
CCoommmmaanndd eennvviirroonnmmeenntt
Since environment variables can influence program behavior, _s_u_d_o_e_r_s
Since environment variables can influence program behavior, ssuuddooeerrss
provides a means to restrict which variables from the user's environment
are inherited by the command to be run. There are two distinct ways
_s_u_d_o_e_r_s can deal with environment variables.
ssuuddooeerrss can deal with environment variables.
By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to be
executed with a new, minimal environment. On AIX (and Linux systems
@@ -173,7 +172,7 @@ DDEESSCCRRIIPPTTIIOONN
them.
As a special case, if ssuuddoo's --ii option (initial login) is specified,
_s_u_d_o_e_r_s will initialize the environment regardless of the value of
ssuuddooeerrss will initialize the environment regardless of the value of
_e_n_v___r_e_s_e_t. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
(and Linux systems without PAM), the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are
@@ -193,8 +192,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
there are multiple matches, the last match is used (which is not
necessarily the most specific match).
The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur Form
(EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
The _s_u_d_o_e_r_s file grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
simple, and the definitions below are annotated.
QQuuiicckk gguuiiddee ttoo EEBBNNFF
@@ -388,7 +387,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may
take command line arguments just as a normal command does. Note that
``sudoedit'' is a command built into ssuuddoo itself and must be specified in
_s_u_d_o_e_r_s without a leading path.
the _s_u_d_o_e_r_s file without a leading path.
If a command name is prefixed with a Digest_Spec, the command will only
match successfully if it can be verified using the specified SHA-2
@@ -556,14 +555,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
setting the group to operator or system.
SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
SELinux role and/or type associated with a command. If a role or type is
specified with the command it will override any default values specified
in _s_u_d_o_e_r_s. A role or type specified on the command line, however, will
supersede the values in _s_u_d_o_e_r_s.
On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have
an SELinux role and/or type associated with a command. If a role or type
is specified with the command it will override any default values
specified in _s_u_d_o_e_r_s. A role or type specified on the command line,
however, will supersede the values in _s_u_d_o_e_r_s.
SSoollaarriiss__PPrriivv__SSppeecc
On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris
On Solaris systems, _s_u_d_o_e_r_s file entries may optionally specify Solaris
privilege set and/or limit privilege set associated with a command. If
privileges or limit privileges are specified with the command it will
override any default values specified in _s_u_d_o_e_r_s.
@@ -736,14 +735,15 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to
do command line processing outside of _s_u_d_o_e_r_s in a scripting language.
do command line processing outside of the _s_u_d_o_e_r_s file in a scripting
language.
EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
_s_u_d_o_e_r_s entry it means that command is not allowed to be run
with _a_n_y arguments.
_s_u_d_o_e_r_s file entry it means that command is not allowed to be
run with _a_n_y arguments.
sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should
always be path names, so a forward slash (`/') will not be
@@ -756,8 +756,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in
addition to a local, per-machine file. For the sake of this example the
site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will be
_/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
site-wide _s_u_d_o_e_r_s file will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will
be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within
_/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s:
#include /etc/sudoers.local
@@ -785,8 +785,8 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s.
The #includedir directive can be used to create a _s_u_d_o_e_r_s_._d directory
that the system package manager can drop _s_u_d_o_e_r_s rules into as part of
package installation. For example, given:
that the system package manager can drop _s_u_d_o_e_r_s file rules into as part
of package installation. For example, given:
#includedir /etc/sudoers.d
@@ -967,9 +967,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
names that include globbing characters are used with
the negation operator, `!', as such rules can be
trivially bypassed. As such, this option should not be
used when _s_u_d_o_e_r_s contains rules that contain negated
path names which include globbing characters. This
flag is _o_f_f by default.
used when the _s_u_d_o_e_r_s file contains rules that contain
negated path names which include globbing characters.
This flag is _o_f_f by default.
fqdn Set this flag if you want to put fully qualified host
names in the _s_u_d_o_e_r_s file when the local host name (as
@@ -1039,7 +1039,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
log_host If set, the host name will be logged in the (non-
syslog) ssuuddoo log file. This flag is _o_f_f by default.
log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and
log_input If set, ssuuddoo will run the command in a pseudo-tty and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
@@ -1064,7 +1064,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
unencrypted. In most cases, logging the command output
via _l_o_g___o_u_t_p_u_t is all that is required.
log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o_-_t_t_y and
log_output If set, ssuuddoo will run the command in a pseudo-tty and
log all output that is sent to the screen, similar to
the script(1) command. If the standard output or
standard error is not connected to the user's tty, due
@@ -1112,7 +1112,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo
does not enter the correct password. If the command
the user is attempting to run is not permitted by
_s_u_d_o_e_r_s and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s,
ssuuddooeerrss and one of the _m_a_i_l___a_l_l___c_m_n_d_s, _m_a_i_l___a_l_w_a_y_s,
_m_a_i_l___n_o___h_o_s_t, _m_a_i_l___n_o___p_e_r_m_s or _m_a_i_l___n_o___u_s_e_r flags are
set, this flag will have no effect. This flag is _o_f_f
by default.
@@ -1323,13 +1323,14 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
single record is used for all login sessions. This
flag is _o_n by default.
umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s
without modification. This makes it possible to
specify a more permissive umask in _s_u_d_o_e_r_s than the
user's own umask and matches historical behavior. If
_u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to
be the union of the user's umask and what is specified
in _s_u_d_o_e_r_s. This flag is _o_f_f by default.
umask_override If set, ssuuddoo will set the umask as specified in the
_s_u_d_o_e_r_s file without modification. This makes it
possible to specify a umask in the _s_u_d_o_e_r_s file that is
more permissive than the user's own umask and matches
historical behavior. If _u_m_a_s_k___o_v_e_r_r_i_d_e is not set,
ssuuddoo will set the umask to be the union of the user's
umask and what is specified in _s_u_d_o_e_r_s. This flag is
_o_f_f by default.
use_loginclass If set, ssuuddoo will apply the defaults specified for the
target user's login class if one exists. Only
@@ -1588,8 +1589,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
role The default SELinux role to use when constructing a new
security context to run the command. The default role
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
via command line options. This option is only
may be overridden on a per-command basis in the _s_u_d_o_e_r_s
file or via command line options. This option is only
available when ssuuddoo is built with SELinux support.
runas_default The default user to run commands as if the --uu option is
@@ -1623,8 +1624,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in _s_u_d_o_e_r_s or
via command line options. This option is only
may be overridden on a per-command basis in the _s_u_d_o_e_r_s
file or via command line options. This option is only
available when ssuuddoo is built with SELinux support.
SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
@@ -1642,7 +1643,7 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
requirements. The group name specified should not include
a % prefix. This is not set by default.
group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional
group_plugin A string containing a ssuuddooeerrss group plugin with optional
arguments. The string should consist of the plugin path,
either fully-qualified or relative to the
_/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any
@@ -1675,16 +1676,16 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
a user runs ssuuddoo with the --ll option. It has the following
possible values:
all All the user's _s_u_d_o_e_r_s entries for the current
host must have the NOPASSWD flag set to avoid
entering a password.
all All the user's _s_u_d_o_e_r_s file entries for the
current host must have the NOPASSWD flag set to
avoid entering a password.
always The user must always enter a password to use the
--ll option.
any At least one of the user's _s_u_d_o_e_r_s entries for
the current host must have the NOPASSWD flag set
to avoid entering a password.
any At least one of the user's _s_u_d_o_e_r_s file entries
for the current host must have the NOPASSWD flag
set to avoid entering a password.
never The user need never enter a password to use the
--ll option.
@@ -1730,15 +1731,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
a user runs ssuuddoo with the --vv option. It has the following
possible values:
all All the user's _s_u_d_o_e_r_s entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
all All the user's _s_u_d_o_e_r_s file entries for the current
host must have the NOPASSWD flag set to avoid
entering a password.
always The user must always enter a password to use the --vv
option.
any At least one of the user's _s_u_d_o_e_r_s entries for the
current host must have the NOPASSWD flag set to
any At least one of the user's _s_u_d_o_e_r_s file entries for
the current host must have the NOPASSWD flag set to
avoid entering a password.
never The user need never enter a password to use the --vv
@@ -1938,8 +1939,8 @@ LLOOGG FFOORRMMAATT
unable to open/read /etc/sudoers
The _s_u_d_o_e_r_s file could not be opened for reading. This can happen
when the _s_u_d_o_e_r_s file is located on a remote file system that maps
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open
_s_u_d_o_e_r_s using group permissions to avoid this problem. Consider
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open the
_s_u_d_o_e_r_s file using group permissions to avoid this problem. Consider
either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument
like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file.
@@ -1971,29 +1972,29 @@ LLOOGG FFOORRMMAATT
line in the sudo.conf(4) file.
unable to open /var/run/sudo/ts/username
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file. This
ssuuddooeerrss was unable to read or create the user's time stamp file. This
can happen when _t_i_m_e_s_t_a_m_p_o_w_n_e_r is set to a user other than root and
the mode on _/_v_a_r_/_r_u_n_/_s_u_d_o is not searchable by group or other. The
default mode for _/_v_a_r_/_r_u_n_/_s_u_d_o is 0711.
unable to write to /var/run/sudo/ts/username
_s_u_d_o_e_r_s was unable to write to the user's time stamp file.
ssuuddooeerrss was unable to write to the user's time stamp file.
/var/run/sudo/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than _t_i_m_e_s_t_a_m_p_o_w_n_e_r.
This can occur when the value of _t_i_m_e_s_t_a_m_p_o_w_n_e_r has been changed.
_s_u_d_o_e_r_s will ignore the time stamp directory until the owner is
ssuuddooeerrss will ignore the time stamp directory until the owner is
corrected.
/var/run/sudo/ts is group writable
The time stamp directory is group-writable; it should be writable only
by _t_i_m_e_s_t_a_m_p_o_w_n_e_r. The default mode for the time stamp directory is
0700. _s_u_d_o_e_r_s will ignore the time stamp directory until the mode is
0700. ssuuddooeerrss will ignore the time stamp directory until the mode is
corrected.
NNootteess oonn llooggggiinngg vviiaa ssyysslloogg
By default, _s_u_d_o_e_r_s logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not _s_u_d_o_e_r_s itself. As
By default, ssuuddooeerrss logs messages via syslog(3). The _d_a_t_e, _h_o_s_t_n_a_m_e, and
_p_r_o_g_n_a_m_e fields are added by the syslog daemon, not ssuuddooeerrss itself. As
such, they may vary in format on different systems.
On most systems, syslog(3) has a relatively small log buffer. To prevent
@@ -2004,8 +2005,8 @@ LLOOGG FFOORRMMAATT
and before the continued command line arguments.
NNootteess oonn llooggggiinngg ttoo aa ffiillee
If the _l_o_g_f_i_l_e option is set, _s_u_d_o_e_r_s will log to a local file, such as
_/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, _s_u_d_o_e_r_s uses a format similar to
If the _l_o_g_f_i_l_e option is set, ssuuddooeerrss will log to a local file, such as
_/_v_a_r_/_l_o_g_/_s_u_d_o. When logging to a file, ssuuddooeerrss uses a format similar to
syslog(3), with a few important differences:
1. The _p_r_o_g_n_a_m_e and _h_o_s_t_n_a_m_e fields are not present.
@@ -2032,18 +2033,18 @@ FFIILLEESS
_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files
_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s Directory containing time stamps for the
_s_u_d_o_e_r_s security policy
ssuuddooeerrss security policy
_/_v_a_r_/_a_d_m_/_s_u_d_o_/_l_e_c_t_u_r_e_d Directory containing lecture status files for
the _s_u_d_o_e_r_s security policy
the ssuuddooeerrss security policy
_/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and
Linux systems
EEXXAAMMPPLLEESS
Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit
contrived. First, we allow a few environment variables to pass and then
define our _a_l_i_a_s_e_s:
Below are example _s_u_d_o_e_r_s file entries. Admittedly, some of these are a
bit contrived. First, we allow a few environment variables to pass and
then define our _a_l_i_a_s_e_s:
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
@@ -2265,7 +2266,7 @@ SSEECCUURRIITTYY NNOOTTEESS
that grant privileges, it can result in a security issue for rules that
subtract or revoke privileges.
For example, given the following _s_u_d_o_e_r_s entry:
For example, given the following _s_u_d_o_e_r_s file entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
@@ -2331,13 +2332,13 @@ SSEECCUURRIITTYY NNOOTTEESS
give the user permission to run ssuuddooeeddiitt (see below).
SSeeccuurree eeddiittiinngg
The _s_u_d_o_e_r_s plugin includes ssuuddooeeddiitt support which allows users to
The ssuuddooeerrss plugin includes ssuuddooeeddiitt support which allows users to
securely edit files with the editor of their choice. As ssuuddooeeddiitt is a
built-in command, it must be specified in _s_u_d_o_e_r_s without a leading path.
However, it may take command line arguments just as a normal command
does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments are expected to
be path names, so a forward slash (`/') will not be matched by a
wildcard.
built-in command, it must be specified in the _s_u_d_o_e_r_s file without a
leading path. However, it may take command line arguments just as a
normal command does. Wildcards used in _s_u_d_o_e_d_i_t command line arguments
are expected to be path names, so a forward slash (`/') will not be
matched by a wildcard.
Unlike other ssuuddoo commands, the editor is run with the permissions of the
invoking user and with the environment unmodified. More information may
@@ -2368,7 +2369,7 @@ SSEECCUURRIITTYY NNOOTTEESS
same file system.
TTiimmee ssttaammpp ffiillee cchheecckkss
_s_u_d_o_e_r_s will check the ownership of its time stamp directory
ssuuddooeerrss will check the ownership of its time stamp directory
(_/_v_a_r_/_r_u_n_/_s_u_d_o_/_t_s by default) and ignore the directory's contents if it
is not owned by root or if it is writable by a user other than root.
Older versions of ssuuddoo stored time stamp files in _/_t_m_p; this is no longer
@@ -2378,33 +2379,33 @@ SSEECCUURRIITTYY NNOOTTEESS
While the time stamp directory _s_h_o_u_l_d be cleared at reboot time, not all
systems contain a _/_v_a_r_/_r_u_n directory. To avoid potential problems,
_s_u_d_o_e_r_s will ignore time stamp files that date from before the machine
ssuuddooeerrss will ignore time stamp files that date from before the machine
booted on systems where the boot time is available.
Some systems with graphical desktop environments allow unprivileged users
to change the system clock. Since _s_u_d_o_e_r_s relies on the system clock for
to change the system clock. Since ssuuddooeerrss relies on the system clock for
time stamp validation, it may be possible on such systems for a user to
run ssuuddoo for longer than _t_i_m_e_s_t_a_m_p___t_i_m_e_o_u_t by setting the clock back. To
combat this, _s_u_d_o_e_r_s uses a monotonic clock (which never moves backwards)
combat this, ssuuddooeerrss uses a monotonic clock (which never moves backwards)
for its time stamps if the system supports it.
_s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps
ssuuddooeerrss will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and
_s_u_d_o_e_r_s will log and complain.
ssuuddooeerrss will log and complain.
Since time stamp files live in the file system, they can outlive a user's
login session. As a result, a user may be able to login, run a command
with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without
authenticating so long as the record's time stamp is within 5 minutes (or
whatever value the timeout is set to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s
option is enabled, the time stamp record includes the device number of
the terminal the user authenticated with. This provides per-tty
granularity but time stamp records still may outlive the user's session.
The time stamp record also includes the session ID of the process that
last authenticated. This prevents processes in different terminal
sessions from using the same time stamp record. It also helps reduce the
chance that a user will be able to run ssuuddoo without entering a password
when logging out and back in again on the same terminal.
whatever value the timeout is set to in the _s_u_d_o_e_r_s file). When the
_t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp record includes the device
number of the terminal the user authenticated with. This provides per-
tty granularity but time stamp records still may outlive the user's
session. The time stamp record also includes the session ID of the
process that last authenticated. This prevents processes in different
terminal sessions from using the same time stamp record. It also helps
reduce the chance that a user will be able to run ssuuddoo without entering a
password when logging out and back in again on the same terminal.
DDEEBBUUGGGGIINNGG
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible
@@ -2431,7 +2432,7 @@ DDEEBBUUGGGGIINNGG
_a_u_t_h user authentication
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s file _D_e_f_a_u_l_t_s settings
_e_n_v environment handling
@@ -2439,11 +2440,12 @@ DDEEBBUUGGGGIINNGG
_l_o_g_g_i_n_g logging support
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
_m_a_t_c_h matching of users, groups, hosts and netgroups in the _s_u_d_o_e_r_s
file
_n_e_t_i_f network interface handling
_n_s_s network service switch handling in _s_u_d_o_e_r_s
_n_s_s network service switch handling in ssuuddooeerrss
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
@@ -2480,8 +2482,8 @@ AAUUTTHHOORRSS
CCAAVVEEAATTSS
The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which
locks the file and does grammatical checking. It is imperative that
_s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a
locks the file and does grammatical checking. It is imperative that the
_s_u_d_o_e_r_s file be free of syntax errors since ssuuddoo will not run with a
syntactically incorrect _s_u_d_o_e_r_s file.
When using netgroups of machines (as opposed to users), if you store