Remove most uses of the deprecated Li macro which has no effect.

Also fix some other incorrect markup.
Todd C. Miller
2022-09-13 19:56:45 -06:00
parent a326411903
commit c341608072
26 changed files with 1398 additions and 1466 deletions

View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "CVTSUDOERS" "1" "September 2, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.TH "CVTSUDOERS" "1" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -67,9 +67,8 @@ The options are as follows:
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
\fRou=SUDOers,dc=my-domain,dc=com\fR
for the domain
\fRmy-domain.com\fR.
\(lqou=SUDOers,dc=my-domain,dc=com\(rq
for the domain my-domain.com.
If this option is not specified, the value of the
\fRSUDOERS_BASE\fR
environment variable will be used instead.
@@ -82,10 +81,10 @@ Defaults to
.TP 12n
\fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR
Only convert
\fRDefaults\fR
\fIDefaults\fR
entries of the specified types.
One or more
\fRDefaults\fR
\fIDefaults\fR
types may be specified, separated by a comma
(\(oq\&,\(cq).
The supported types are:
@@ -122,7 +121,7 @@ for more information.
If the
\fB\-d\fR
option is not specified, all
\fRDefaults\fR
\fIDefaults\fR
entries will be converted.
.RE
.TP 12n
@@ -265,10 +264,10 @@ For example,
or
\fBhost\fR = \fIwww\fR.
An upper-case
\fRCmnd_Alias\fR,
\fRHost_alias\fR,
\fICmnd_Alias\fR,
\fIHost_alias\fR,
or
\fRUser_Alias\fR
\fIUser_Alias\fR
may be specified as the
\(lqcmnd\(rq,
\(lqhost\(rq,
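Review bot: the new line "\fIHost_alias\fR," carries over the lower-case "alias" from the line it replaces; everywhere else on this page the alias type is spelled Host_Alias (for example "\fIHost_Alias\fR" in the Host_Aliases hunk below), so while this line is being touched it should read "\fIHost_Alias\fR,".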
@@ -441,7 +440,7 @@ Per-user rules are merged and duplicates are removed.
If a host name is specified with the input file,
\fBcvtsudoers\fR
will change rules that specify a host name of
\fRALL\fR
\fBALL\fR
to the host name associated with the policy file being merged.
The merging of rules is currently fairly simplistic but will be
improved in a later release.
@@ -676,7 +675,7 @@ and
Host_Aliases
A JSON object containing one or more
\fIsudoers\fR
\fRHost_Alias\fR
\fIHost_Alias\fR
entries where each named alias has as its value an array
containing one or more objects.
Each object contains a
@@ -711,7 +710,7 @@ For example:
Cmnd_Aliases
A JSON object containing one or more
\fIsudoers\fR
\fRCmnd_Alias\fR
\fICmnd_Alias\fR
entries where each named alias has as its value an array
containing one or more objects.
Each object contains a
@@ -1006,20 +1005,20 @@ defaults_type
The type of
\fIDefaults\fR
setting; one of
\fRdefaults\fR,
\fRdefaults_command\fR,
\fRdefaults_host\fR,
\fRdefaults_runas\fR,
\fIdefaults\fR,
\fIdefaults_command\fR,
\fIdefaults_host\fR,
\fIdefaults_runas\fR,
or
\fRdefaults_user\fR.
\fIdefaults_user\fR.
.TP 10n
binding
For
\fRdefaults_command\fR,
\fRdefaults_host\fR,
\fRdefaults_runas\fR,
\fIdefaults_command\fR,
\fIdefaults_host\fR,
\fIdefaults_runas\fR,
and
\fRdefaults_user\fR
\fIdefaults_user\fR
this is the value that must match for the setting to be applied.
.TP 10n
name
@@ -1051,11 +1050,11 @@ or
.TP 6n
aliases
This section includes any
\fRCmnd_Alias\fR
\fRHost_Alias\fR,
\fRRunas_Alias\fR,
\fICmnd_Alias\fR
\fIHost_Alias\fR,
\fIRunas_Alias\fR,
or
\fRUser_Alias\fR,
\fIUser_Alias\fR,
entries from
\fIsudoers\fR.
The
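Review bot: the alias list in this hunk is missing the separating comma after "\fICmnd_Alias\fR" (the alias_type list in the next hunk has "\fICmnd_Alias\fR,"), and the trailing comma in "\fIUser_Alias\fR," lands mid-sentence, so the text reads "or User_Alias, entries from sudoers". Suggest "\fICmnd_Alias\fR," and "\fIUser_Alias\fR" with the comma removed.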
@@ -1073,11 +1072,11 @@ The fields are as follows:
.TP 10n
alias_type
The type of alias; one of
\fRCmnd_Alias\fR,
\fRHost_Alias\fR,
\fRRunas_Alias\fR,
\fICmnd_Alias\fR,
\fIHost_Alias\fR,
\fIRunas_Alias\fR,
or
\fRUser_Alias\fR.
\fIUser_Alias\fR.
.TP 10n
alias_name
The name of the alias; a string starting with an upper-case letter that
@@ -1127,7 +1126,7 @@ or a netgroup (preceded by a
\(oq+\(cq
character)
or a
\fRUser_Alias\fR.
\fIUser_Alias\fR.
If set to the special value
\fBALL\fR,
it will match any user.
@@ -1138,14 +1137,14 @@ This may also be a netgroup (preceded by a
\(oq+\(cq
character)
or a
\fRHost_Alias\fR.
\fIHost_Alias\fR.
If set to the special value
\fBALL\fR,
it will match any host.
.TP 10n
runusers
An optional comma-separated list of users (or
\fRRunas_Alias\fRes)
\fIRunas_Alias\fRes)
the command may be run as.
If it contains more than one member, the value is surrounded by
double quotes.
@@ -1157,7 +1156,7 @@ If empty, the root user is assumed.
rungroups
.br
An optional comma-separated list of groups (or
\fRRunas_Alias\fRes)
\fIRunas_Alias\fRes)
the command may be run as.
If it contains more than one member, the value is surrounded by
double quotes.

View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd September 2, 2022
.Dd September 13, 2022
.Dt CVTSUDOERS 1
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -65,9 +65,8 @@ The options are as follows:
The base DN (distinguished name) that will be used when performing
LDAP queries.
Typically this is of the form
.Li ou=SUDOers,dc=my-domain,dc=com
for the domain
.Li my-domain.com .
.Dq ou=SUDOers,dc=my-domain,dc=com
for the domain my-domain.com.
If this option is not specified, the value of the
.Ev SUDOERS_BASE
environment variable will be used instead.
@@ -78,10 +77,10 @@ Defaults to
.Pa @sysconfdir@/cvtsudoers.conf .
.It Fl d Ar deftypes , Fl -defaults Ns = Ns Ar deftypes
Only convert
.Li Defaults
.Em Defaults
entries of the specified types.
One or more
.Li Defaults
.Em Defaults
types may be specified, separated by a comma
.Pq Ql \&, .
The supported types are:
@@ -110,7 +109,7 @@ for more information.
If the
.Fl d
option is not specified, all
.Li Defaults
.Em Defaults
entries will be converted.
.It Fl e , Fl -expand-aliases
Expand aliases in
@@ -218,10 +217,10 @@ For example,
or
.Sy host No = Ar www .
An upper-case
.Li Cmnd_Alias ,
.Li Host_alias ,
.Em Cmnd_Alias ,
.Em Host_alias ,
or
.Li User_Alias
.Em User_Alias
may be specified as the
.Dq cmnd ,
.Dq host ,
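Review bot: ".Em Host_alias ," keeps the lower-case "alias" while changing the macro; the type is written Host_Alias in the rest of this page (".Em Host_Alias" in the Host_Aliases hunk below), so this should be ".Em Host_Alias ,".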
@@ -365,9 +364,9 @@ subsequent aliases of the same name are renamed with a numeric suffix
separated with a underscore
.Pq Ql _ .
For example, if there are two different aliases named
.Li SERVERS ,
.Dv SERVERS ,
the first will be left as-is and the second will be renamed
.Li SERVERS_1 .
.Dv SERVERS_1 .
References to the renamed alias are also updated in the policy file.
Duplicate aliases (those with identical contents) are pruned.
.It
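Review bot: the unchanged context line "separated with a underscore" should read "separated with an underscore"; since this hunk already rewrites the two lines after it, the fix is cheap to fold in.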
@@ -384,7 +383,7 @@ Per-user rules are merged and duplicates are removed.
If a host name is specified with the input file,
.Nm
will change rules that specify a host name of
.Li ALL
.Sy ALL
to the host name associated with the policy file being merged.
The merging of rules is currently fairly simplistic but will be
improved in a later release.
@@ -589,7 +588,7 @@ and
.It Host_Aliases
A JSON object containing one or more
.Em sudoers
.Li Host_Alias
.Em Host_Alias
entries where each named alias has as its value an array
containing one or more objects.
Each object contains a
@@ -620,7 +619,7 @@ For example:
.It Cmnd_Aliases
A JSON object containing one or more
.Em sudoers
.Li Cmnd_Alias
.Em Cmnd_Alias
entries where each named alias has as its value an array
containing one or more objects.
Each object contains a
@@ -893,19 +892,19 @@ The fields are as follows:
The type of
.Em Defaults
setting; one of
.Li defaults ,
.Li defaults_command ,
.Li defaults_host ,
.Li defaults_runas ,
.Em defaults ,
.Em defaults_command ,
.Em defaults_host ,
.Em defaults_runas ,
or
.Li defaults_user .
.Em defaults_user .
.It binding
For
.Li defaults_command ,
.Li defaults_host ,
.Li defaults_runas ,
.Em defaults_command ,
.Em defaults_host ,
.Em defaults_runas ,
and
.Li defaults_user
.Em defaults_user
this is the value that must match for the setting to be applied.
.It name
The name of the
@@ -930,11 +929,11 @@ or
.El
.It aliases
This section includes any
.Li Cmnd_Alias
.Li Host_Alias ,
.Li Runas_Alias ,
.Em Cmnd_Alias
.Em Host_Alias ,
.Em Runas_Alias ,
or
.Li User_Alias ,
.Em User_Alias ,
entries from
.Em sudoers .
The
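Review bot: ".Em Cmnd_Alias" in this list has no trailing comma argument while the following items do (".Em Host_Alias ,"), and ".Em User_Alias ," puts a comma between "or User_Alias" and "entries from sudoers". Suggest ".Em Cmnd_Alias ," and ".Em User_Alias" with no comma, matching the alias_type list in the next hunk.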
@@ -948,11 +947,11 @@ The fields are as follows:
.Bl -tag -width 8n
.It alias_type
The type of alias; one of
.Li Cmnd_Alias ,
.Li Host_Alias ,
.Li Runas_Alias ,
.Em Cmnd_Alias ,
.Em Host_Alias ,
.Em Runas_Alias ,
or
.Li User_Alias .
.Em User_Alias .
.It alias_name
The name of the alias; a string starting with an upper-case letter that
consists of upper-case letters, digits, or underscores.
@@ -990,7 +989,7 @@ or a netgroup (preceded by a
.Ql +
character)
or a
.Li User_Alias .
.Em User_Alias .
If set to the special value
.Sy ALL ,
it will match any user.
@@ -1000,13 +999,13 @@ This may also be a netgroup (preceded by a
.Ql +
character)
or a
.Li Host_Alias .
.Em Host_Alias .
If set to the special value
.Sy ALL ,
it will match any host.
.It runusers
An optional comma-separated list of users (or
.Li Runas_Alias Ns No es )
.Em Runas_Alias Ns No es )
the command may be run as.
If it contains more than one member, the value is surrounded by
double quotes.
@@ -1016,7 +1015,7 @@ it will match any user.
If empty, the root user is assumed.
.It rungroups
An optional comma-separated list of groups (or
.Li Runas_Alias Ns No es )
.Em Runas_Alias Ns No es )
the command may be run as.
If it contains more than one member, the value is surrounded by
double quotes.

View File

@@ -70,17 +70,17 @@ Leading white space is removed from the beginning of lines
even when a continuation character is used.
.PP
Non-comment lines that don't begin with
\fRPlugin\fR,
\fRPath\fR,
\fRDebug\fR,
\fIPlugin\fR,
\fIPath\fR,
\fIDebug\fR,
or
\fRSet\fR
\fISet\fR
are silently ignored.
.PP
The
\fBsudo.conf\fR
file is always parsed in the
\(lq\fRC\fR\(rq
\(oqC\(cq
locale.
.SS "Plugin configuration"
\fBsudo\fR
@@ -94,9 +94,9 @@ Plugins are dynamically loaded based on the contents of
\fBsudo.conf\fR.
.PP
A
\fRPlugin\fR
\fIPlugin\fR
line consists of the
\fRPlugin\fR
\fIPlugin\fR
keyword, followed by the
\fIsymbol_name\fR
and the
@@ -105,14 +105,14 @@ to the dynamic shared object that contains the plugin.
The
\fIsymbol_name\fR
is the name of the
\fRapproval_plugin\fR,
\fRaudit_plugin\fR,
\fRio_plugin\fR,
\fIstruct approval_plugin\fR,
\fIstruct audit_plugin\fR,
\fIstruct io_plugin\fR,
or
\fRpolicy_plugin\fR
struct contained in the plugin.
\fIstruct policy_plugin\fR
defined by the plugin.
If a plugin implements multiple plugin types, there must be a
\fRPlugin\fR
\fIPlugin\fR
line for each unique symbol name.
The
\fIpath\fR
@@ -120,7 +120,7 @@ may be fully qualified or relative.
If not fully qualified, it is relative to the directory
specified by the
\fIplugin_dir\fR
\fRPath\fR
\fIPath\fR
setting, which defaults to
\fI@plugindir@\fR.
In other words:
@@ -182,7 +182,7 @@ This limitation does not apply to I/O plugins.
If no
\fBsudo.conf\fR
file is present, or if it contains no
\fRPlugin\fR
\fIPlugin\fR
lines, the
\fBsudoers\fR
plugin will be used as the default security policy, for I/O logging
@@ -221,9 +221,9 @@ sudo_plugin(@mansectform@)
manual.
.SS "Path settings"
A
\fRPath\fR
\fIPath\fR
line consists of the
\fRPath\fR
\fIPath\fR
keyword, followed by the name of the path to set and its value.
For example:
.nf
@@ -238,7 +238,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass
If no path name is specified, features relying on the specified
setting will be disabled.
Disabling
\fRPath\fR
\fIPath\fR
settings is only supported in
\fBsudo\fR
version 1.8.16 and higher.
@@ -277,7 +277,7 @@ If terminal devices may be located in a sub-directory of
that path must be explicitly listed in
\fIdevsearch\fR.
The default value is
\fR/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR
\fI/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR
.sp
This option is ignored on systems that support either the
\fBdevname\fR()
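Review bot: the sentence "The default value is \fI/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR" still has no terminating period before ".sp", unlike the other "The default value is" sentences in these pages (for example "\fIfalse\fR."); suggest adding the period while the line is being changed.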
@@ -290,15 +290,15 @@ macOS and Solaris.
intercept
.br
The fully-qualified path to a shared library containing a wrappers for the
\fBexecl\fR(),
\fBexecle\fR(),
\fBexeclp\fR(),
\fBexecv\fR(),
\fBexecve\fR(),
\fBexecvp\fR(),
\fBexecvpe\fR(),
execve(2),
execl(3),
execle(3),
execlp(3),
execv(3),
execvp(3),
execvpe(3),
and
\fBsystem\fR()
system(3)
library functions that intercepts attempts to run further commands and
performs a policy check before allowing them to be executed.
This is used to implement the
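Review bot: two grammar problems sit in the unchanged context around this list: "containing a wrappers for the" should be "containing wrappers for the" (the noexec entry below already says "containing wrappers"), and "library functions that intercepts attempts" should be "library functions that intercept attempts", since the subject is the plural "functions".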
@@ -312,23 +312,23 @@ The default value is
noexec
The fully-qualified path to a shared library containing wrappers
for the
\fBexecl\fR(),
\fBexecle\fR(),
\fBexeclp\fR(),
\fBexect\fR(),
\fBexecv\fR(),
\fBexecve\fR(),
\fBexecveat\fR(),
\fBexecvP\fR(),
\fBexecvp\fR(),
\fBexecvpe\fR(),
\fBfexecve\fR(),
\fBpopen\fR(),
\fBposix_spawn\fR(),
\fBposix_spawnp\fR(),
\fBsystem\fR(),
execve(2),
execl(3),
execle(3),
execlp(3),
exect(3),
execv(3),
execveat(3),
execvP(3),
execvp(3),
execvpe(3),
fexecve(3),
popen(3),
posix_spawn(3),
posix_spawnp(3),
system(3),
and
\fBwordexp\fR()
wordexp(3)
library functions that prevent the execution of further commands.
This is used to implement the
\fInoexec\fR
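Review bot: "execveat(3)" is out of step with the rest of this hunk, which moves execve to section 2 because it is a system call; on Linux execveat is likewise a system call documented as execveat(2), so this should most likely be "execveat(2)". The other section-3 references (exect, execvP, fexecve, popen, posix_spawn, posix_spawnp, system, wordexp) are library functions and look correct.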
@@ -569,9 +569,9 @@ that can log what
is doing internally if there is a problem.
.PP
A
\fRDebug\fR
\fIDebug\fR
line consists of the
\fRDebug\fR
\fIDebug\fR
keyword, followed by the name of the program, plugin, or shared object
to debug, the debug file name, and a comma-separated list of debug flags.
The debug flag syntax used by
@@ -613,25 +613,25 @@ intercept functionality on some systems.
As of
\fBsudo\fR
1.8.12, multiple
\fRDebug\fR
\fIDebug\fR
entries may be specified per program.
Older versions of
\fBsudo\fR
only support a single
\fRDebug\fR
\fIDebug\fR
entry per program.
Plugin-specific
\fRDebug\fR
\fIDebug\fR
entries are also supported starting with
\fBsudo\fR
1.8.12 and are matched by either the base name of the plugin that was loaded
(for example
\fRsudoers.so\fR)
\fIsudoers.so\fR)
or by the plugin's fully-qualified path name.
Previously, the
\fBsudoers\fR
plugin shared the same
\fRDebug\fR
\fIDebug\fR
entry as the
\fBsudo\fR
front-end and could not be configured separately.

View File

@@ -67,17 +67,17 @@ Leading white space is removed from the beginning of lines
even when a continuation character is used.
.Pp
Non-comment lines that don't begin with
.Li Plugin ,
.Li Path ,
.Li Debug ,
.Em Plugin ,
.Em Path ,
.Em Debug ,
or
.Li Set
.Em Set
are silently ignored.
.Pp
The
.Nm
file is always parsed in the
.Dq Li C
.Ql C
locale.
.Ss Plugin configuration
.Nm sudo
@@ -91,9 +91,9 @@ Plugins are dynamically loaded based on the contents of
.Nm .
.Pp
A
.Li Plugin
.Em Plugin
line consists of the
.Li Plugin
.Em Plugin
keyword, followed by the
.Em symbol_name
and the
@@ -102,14 +102,14 @@ to the dynamic shared object that contains the plugin.
The
.Em symbol_name
is the name of the
.Li approval_plugin ,
.Li audit_plugin ,
.Li io_plugin ,
.Vt struct approval_plugin ,
.Vt struct audit_plugin ,
.Vt struct io_plugin ,
or
.Li policy_plugin
struct contained in the plugin.
.Vt struct policy_plugin
defined by the plugin.
If a plugin implements multiple plugin types, there must be a
.Li Plugin
.Em Plugin
line for each unique symbol name.
The
.Em path
@@ -117,7 +117,7 @@ may be fully qualified or relative.
If not fully qualified, it is relative to the directory
specified by the
.Em plugin_dir
.Li Path
.Em Path
setting, which defaults to
.Pa @plugindir@ .
In other words:
@@ -167,7 +167,7 @@ This limitation does not apply to I/O plugins.
If no
.Nm
file is present, or if it contains no
.Li Plugin
.Em Plugin
lines, the
.Nm sudoers
plugin will be used as the default security policy, for I/O logging
@@ -203,9 +203,9 @@ plugin architecture, see the
manual.
.Ss Path settings
A
.Li Path
.Em Path
line consists of the
.Li Path
.Em Path
keyword, followed by the name of the path to set and its value.
For example:
.Bd -literal -offset 4n
@@ -217,7 +217,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass
If no path name is specified, features relying on the specified
setting will be disabled.
Disabling
.Li Path
.Em Path
settings is only supported in
.Nm sudo
version 1.8.16 and higher.
@@ -254,7 +254,7 @@ If terminal devices may be located in a sub-directory of
that path must be explicitly listed in
.Em devsearch .
The default value is
.Li /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
.Pa /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
.Pp
This option is ignored on systems that support either the
.Fn devname
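Review bot: ".Pa /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev" is the end of the sentence "The default value is ..." but carries no trailing punctuation, unlike the other default-value sentences in these pages; suggest ".Pa /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev ." so the sentence ends with a period.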
@@ -265,15 +265,15 @@ functions, for example
macOS and Solaris.
.It intercept
The fully-qualified path to a shared library containing a wrappers for the
.Fn execl ,
.Fn execle ,
.Fn execlp ,
.Fn execv ,
.Fn execve ,
.Fn execvp ,
.Fn execvpe ,
.Xr execve 2 ,
.Xr execl 3 ,
.Xr execle 3 ,
.Xr execlp 3 ,
.Xr execv 3 ,
.Xr execvp 3 ,
.Xr execvpe 3 ,
and
.Fn system
.Xr system 3
library functions that intercepts attempts to run further commands and
performs a policy check before allowing them to be executed.
This is used to implement the
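Review bot: the context line "containing a wrappers for the" should read "containing wrappers for the" (the noexec entry in the next hunk already uses that wording), and "library functions that intercepts attempts" should be "library functions that intercept attempts" to agree with the plural subject.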
@@ -286,23 +286,23 @@ The default value is
.It noexec
The fully-qualified path to a shared library containing wrappers
for the
.Fn execl ,
.Fn execle ,
.Fn execlp ,
.Fn exect ,
.Fn execv ,
.Fn execve ,
.Fn execveat ,
.Fn execvP ,
.Fn execvp ,
.Fn execvpe ,
.Fn fexecve ,
.Fn popen ,
.Fn posix_spawn ,
.Fn posix_spawnp ,
.Fn system ,
.Xr execve 2 ,
.Xr execl 3 ,
.Xr execle 3 ,
.Xr execlp 3 ,
.Xr exect 3 ,
.Xr execv 3 ,
.Xr execveat 3 ,
.Xr execvP 3 ,
.Xr execvp 3 ,
.Xr execvpe 3 ,
.Xr fexecve 3 ,
.Xr popen 3 ,
.Xr posix_spawn 3 ,
.Xr posix_spawnp 3 ,
.Xr system 3 ,
and
.Fn wordexp
.Xr wordexp 3
library functions that prevent the execution of further commands.
This is used to implement the
.Em noexec
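Review bot: ".Xr execveat 3" is inconsistent with ".Xr execve 2" in the same list; execveat is a system call on Linux and is documented as execveat(2), so this should probably be ".Xr execveat 2". The remaining ".Xr ... 3" entries are library functions and are correctly placed in section 3.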
@@ -519,9 +519,9 @@ that can log what
is doing internally if there is a problem.
.Pp
A
.Li Debug
.Em Debug
line consists of the
.Li Debug
.Em Debug
keyword, followed by the name of the program, plugin, or shared object
to debug, the debug file name, and a comma-separated list of debug flags.
The debug flag syntax used by
@@ -557,25 +557,25 @@ intercept functionality on some systems.
As of
.Nm sudo
1.8.12, multiple
.Li Debug
.Em Debug
entries may be specified per program.
Older versions of
.Nm sudo
only support a single
.Li Debug
.Em Debug
entry per program.
Plugin-specific
.Li Debug
.Em Debug
entries are also supported starting with
.Nm sudo
1.8.12 and are matched by either the base name of the plugin that was loaded
(for example
.Li sudoers.so )
.Pa sudoers.so )
or by the plugin's fully-qualified path name.
Previously, the
.Nm sudoers
plugin shared the same
.Li Debug
.Em Debug
entry as the
.Nm sudo
front-end and could not be configured separately.

View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDO" "@mansectsu@" "August 2, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -135,9 +135,7 @@ time limit.
This limit is policy-specific; the default password prompt timeout
for the
\fIsudoers\fR
security policy is
\fR@password_timeout@\fR
minutes.
security policy is @password_timeout@ minutes.
.PP
Security policies may support credential caching to allow the user
to run
@@ -145,9 +143,7 @@ to run
again for a period of time without requiring authentication.
By default, the
\fIsudoers\fR
policy caches credentials on a per-terminal basis for
\fR@timeout@\fR
minutes.
policy caches credentials on a per-terminal basis for @timeout@ minutes.
See the
\fItimestamp_type\fR
and
@@ -399,7 +395,7 @@ may be either a group name or a numeric group-ID
prefixed with the
\(oq#\(cq
character (e.g.,
\fR#0\fR
\(oq#0\(cq
for GID 0).
When running a command as a GID, many shells require that the
\(oq#\(cq
@@ -574,7 +570,7 @@ policy:
.RS 12n
.PD 0
.TP 4n
\fR%H\fR
%H
expanded to the host name including the domain name (only if the
machine's host name is fully qualified or the
\fIfqdn\fR
@@ -582,10 +578,10 @@ option is set in
sudoers(@mansectform@))
.PD
.TP 4n
\fR%h\fR
%h
expanded to the local host name without the domain name
.TP 4n
\fR%p\fR
%p
expanded to the name of the user whose password is being requested
(respects the
\fIrootpw\fR,
@@ -595,16 +591,16 @@ and
flags in
sudoers(@mansectform@))
.TP 4n
\fR\&%U\fR
\&%U
expanded to the login name of the user the command will be run as
(defaults to root unless the
\fB\-u\fR
option is also specified)
.TP 4n
\fR%u\fR
%u
expanded to the invoking user's login name
.TP 4n
\fR%%\fR
%%
two consecutive
\(oq%\(cq
characters are collapsed into a single
@@ -707,7 +703,7 @@ may be either a user name or a numeric user-ID
prefixed with the
\(oq#\(cq
character (e.g.,
\fR#0\fR
\(oq#0\(cq
for UID 0).
When running commands as a UID, many shells require that the
\(oq#\(cq
@@ -740,9 +736,7 @@ For the
\fIsudoers\fR
plugin, this extends the
\fBsudo\fR
timeout for another
\fR@timeout@\fR
minutes by default, but does not run a command.
timeout for another @timeout@ minutes by default, but does not run a command.
Not all security policies support cached credentials.
.TP 12n
\fB\--\fR
@@ -778,7 +772,7 @@ option is set in
the command to be run has the
\fRSETENV\fR
tag set or the command matched is
\fRALL\fR,
\fBALL\fR,
the user may set variables that would otherwise be forbidden.
See
sudoers(@mansectform@)
@@ -986,7 +980,7 @@ run in a new pty,
may execute the command directly instead of running it as a child process.
.SS "Plugins"
Plugins may be specified via
\fRPlugin\fR
\fIPlugin\fR
directives in the
sudo.conf(@mansectform@)
file.
@@ -997,7 +991,7 @@ binary.
If no
sudo.conf(@mansectform@)
file is present, or if it doesn't contain any
\fRPlugin\fR
\fIPlugin\fR
lines,
\fBsudo\fR
will use
@@ -1086,9 +1080,9 @@ By default,
\fBsudo\fR
will only log the command it explicitly runs.
If a user runs a command such as
\fRsudo su\fR
\(oqsudo su\(cq
or
\fRsudo sh\fR,
\(oqsudo sh\(cq,
subsequent commands run from that shell are not subject to
\fBsudo\fR's
security policy.
@@ -1176,7 +1170,7 @@ or when
is enabled in
\fIsudoers\fR
and
\fIHOME\fR
\fRHOME\fR
is not present in the
\fIenv_keep\fR
list.
@@ -1226,8 +1220,7 @@ Default editor to use in
Set to the group-ID of the user who invoked sudo.
.TP 17n
\fRSUDO_PROMPT\fR
Used as the default password prompt unless
the
Used as the default password prompt unless the
\fB\-p\fR
option was specified.
.TP 17n
@@ -1315,7 +1308,7 @@ $ sudo shutdown -r +15 "quick reboot"
.PP
To make a usage listing of the directories in the /home partition.
The commands are run in a sub-shell to allow the
\fRcd\fR
\(oqcd\(cq
command and file redirection to work.
.nf
.sp
@@ -1500,7 +1493,7 @@ plugin's
functionality.
.PP
It is not meaningful to run the
\fRcd\fR
\(oqcd\(cq
command directly via sudo, e.g.,
.nf
.sp

View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd August 2, 2022
.Dd September 13, 2022
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -139,9 +139,7 @@ time limit.
This limit is policy-specific; the default password prompt timeout
for the
.Em sudoers
security policy is
.Li @password_timeout@
minutes.
security policy is @password_timeout@ minutes.
.Pp
Security policies may support credential caching to allow the user
to run
@@ -149,9 +147,7 @@ to run
again for a period of time without requiring authentication.
By default, the
.Em sudoers
policy caches credentials on a per-terminal basis for
.Li @timeout@
minutes.
policy caches credentials on a per-terminal basis for @timeout@ minutes.
See the
.Em timestamp_type
and
@@ -380,7 +376,7 @@ may be either a group name or a numeric group-ID
prefixed with the
.Ql #
character (e.g.,
.Li #0
.Ql #0
for GID 0).
When running a command as a GID, many shells require that the
.Ql #
@@ -537,15 +533,15 @@ escape sequences are supported by the
.Em sudoers
policy:
.Bl -tag -width 2n
.It Li %H
.It %H
expanded to the host name including the domain name (only if the
machine's host name is fully qualified or the
.Em fqdn
option is set in
.Xr sudoers @mansectform@ )
.It Li %h
.It %h
expanded to the local host name without the domain name
.It Li %p
.It %p
expanded to the name of the user whose password is being requested
(respects the
.Em rootpw ,
@@ -554,14 +550,14 @@ and
.Em runaspw
flags in
.Xr sudoers @mansectform@ )
.It Li \&%U
.It \&%U
expanded to the login name of the user the command will be run as
(defaults to root unless the
.Fl u
option is also specified)
.It Li %u
.It %u
expanded to the invoking user's login name
.It Li %%
.It %%
two consecutive
.Ql %
characters are collapsed into a single
@@ -656,7 +652,7 @@ may be either a user name or a numeric user-ID
prefixed with the
.Ql #
character (e.g.,
.Li #0
.Ql #0
for UID 0).
When running commands as a UID, many shells require that the
.Ql #
@@ -687,9 +683,7 @@ For the
.Em sudoers
plugin, this extends the
.Nm
timeout for another
.Li @timeout@
minutes by default, but does not run a command.
timeout for another @timeout@ minutes by default, but does not run a command.
Not all security policies support cached credentials.
.It Fl -
The
@@ -723,9 +717,9 @@ If the
option is set in
.Em sudoers ,
the command to be run has the
.Li SETENV
.Dv SETENV
tag set or the command matched is
.Li ALL ,
.Sy ALL ,
the user may set variables that would otherwise be forbidden.
See
.Xr sudoers @mansectform@
@@ -922,7 +916,7 @@ run in a new pty,
may execute the command directly instead of running it as a child process.
.Ss Plugins
Plugins may be specified via
.Li Plugin
.Em Plugin
directives in the
.Xr sudo.conf @mansectform@
file.
@@ -933,7 +927,7 @@ binary.
If no
.Xr sudo.conf @mansectform@
file is present, or if it doesn't contain any
.Li Plugin
.Em Plugin
lines,
.Nm
will use
@@ -1022,9 +1016,9 @@ By default,
.Nm
will only log the command it explicitly runs.
If a user runs a command such as
.Li sudo su
.Ql sudo su
or
.Li sudo sh ,
.Ql sudo sh ,
subsequent commands run from that shell are not subject to
.Nm sudo Ns 's
security policy.
@@ -1107,7 +1101,7 @@ or when
is enabled in
.Em sudoers
and
.Em HOME
.Ev HOME
is not present in the
.Em env_keep
list.
@@ -1149,8 +1143,7 @@ Default editor to use in
.It Ev SUDO_GID
Set to the group-ID of the user who invoked sudo.
.It Ev SUDO_PROMPT
Used as the default password prompt unless
the
Used as the default password prompt unless the
.Fl p
option was specified.
.It Ev SUDO_PS1
@@ -1217,7 +1210,7 @@ $ sudo shutdown -r +15 "quick reboot"
.Pp
To make a usage listing of the directories in the /home partition.
The commands are run in a sub-shell to allow the
.Li cd
.Ql cd
command and file redirection to work.
.Bd -literal -offset 4n
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
@@ -1385,7 +1378,7 @@ plugin's
functionality.
.Pp
It is not meaningful to run the
.Li cd
.Ql cd
command directly via sudo, e.g.,
.Bd -literal -offset 4n
$ sudo cd /usr/local/protected

View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -93,7 +93,7 @@ message TimeSpec {
A
\fITimeSpec\fR
is the equivalent of a POSIX
\fRstruct timespec\fR,
\fIstruct timespec\fR,
containing seconds and nanoseconds members.
The
\fItv_sec\fR

View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd February 16, 2022
.Dd September 13, 2022
.Dt SUDO_LOGSRV.PROTO @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -87,7 +87,7 @@ message TimeSpec {
A
.Em TimeSpec
is the equivalent of a POSIX
.Li struct timespec ,
.Vt struct timespec ,
containing seconds and nanoseconds members.
The
.Em tv_sec
@@ -237,10 +237,10 @@ If the command was terminated by a signal, this is set to the
name of the signal without the leading
.Dq SIG .
For example,
.Li INT ,
.Li TERM ,
.Li KILL ,
.Li SEGV .
.Dv INT ,
.Dv TERM ,
.Dv KILL ,
.Dv SEGV .
.It error
A message from the client indicating that the command was terminated
unexpectedly due to an error.
@@ -397,9 +397,9 @@ should be calculated using a monotonic clock where possible.
The signal name without the leading
.Dq SIG .
For example,
.Li STOP ,
.Li TSTP ,
.Li CONT .
.Dv STOP ,
.Dv TSTP ,
.Dv CONT .
.El
.Sh Server Messages
A

View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -168,14 +168,16 @@ will enable the TCP keepalive socket option on the client connection.
This enables the periodic transmission of keepalive messages to the client.
If the client does not respond to a message in time, the connection will
be closed.
Defaults to true.
Defaults to
\fItrue\fR.
.TP 10n
timeout = number
The amount of time, in seconds,
\fBsudo_logsrvd\fR
will wait for the client to respond.
A value of 0 will disable the timeout.
The default value is 30.
The default value is
\fI30\fR.
.TP 10n
tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
@@ -202,7 +204,7 @@ authority, the
setting must be set to a CA bundle that contains the CA certificate
used to generate the client certificate.
The default value is
\fRfalse\fR.
\fIfalse\fR.
.TP 10n
tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
@@ -214,7 +216,7 @@ section in
openssl-ciphers(1)
for full details.
The default value is
\fRHIGH:!aNULL\fR
\(lqHIGH:!aNULL\(rq
which consists of encryption cipher suites with key lengths larger than
128 bits, and some cipher suites with 128-bit keys.
Cipher suites that offer no authentication are excluded.
@@ -241,7 +243,8 @@ TLS_AES_128_CCM_8_SHA256
.RE
.RS 10n
.sp
The default cipher suite is TLS_AES_256_GCM_SHA384.
The default cipher suite is
\(lqTLS_AES_256_GCM_SHA384\(rq.
.RE
.PD
.TP 10n
@@ -274,7 +277,8 @@ configuration is changed.
If false, no verification is performed of the server certificate.
When using self-signed certificates without a certificate authority,
this setting should be set to false.
The default value is true.
The default value is
\fItrue\fR.
.SS "relay"
The
\fIrelay\fR
@@ -301,7 +305,8 @@ setting controls the amount of time
\fBsudo_logsrvd\fR
will wait for the relay to respond.
A value of 0 will disable the timeout.
The default value is 30.
The default value is
\fI30\fR.
.TP 10n
relay_dir = path
The directory in which log messages are temporarily stored before they
@@ -339,7 +344,8 @@ lines are specified, the first available relay host will be used.
retry_interval = number
The number of seconds to wait after a connection error before making
a new attempt to forward a message to a relay host.
The default value is 30 seconds.
The default value is
\fI30\fR.
.TP 10n
store_first = boolean
If true,
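Review bot: rewriting "The default value is 30 seconds." as "The default value is \fI30\fR." drops the unit from the sentence. The preceding line does say "The number of seconds to wait", so the meaning is recoverable, but nothing is gained by removing it; suggest keeping "30 seconds" (with or without the \fI emphasis used for the other defaults in this file).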
@@ -365,7 +371,8 @@ The amount of time, in seconds,
\fBsudo_logsrvd\fR
will wait for the relay server to respond after a connection has succeeded.
A value of 0 will disable the timeout.
The default value is 30.
The default value is
\fI30\fR.
.TP 10n
tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
@@ -455,7 +462,7 @@ If set, I/O logs will be compressed using
Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering.
The default value is
\fRfalse\fR.
\fIfalse\fR.
.TP 10n
iolog_dir = path
The top-level directory to use when constructing the path
@@ -471,30 +478,30 @@ escape sequences are supported:
.RS 10n
.PD 0
.TP 6n
\fR%{seq}\fR
%{seq}
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.,
\fI01/00/A5\fR
.PD
.TP 6n
\fR%{user}\fR
%{user}
expanded to the invoking user's login name
.TP 6n
\fR%{group}\fR
%{group}
expanded to the name of the invoking user's real group-ID
.TP 6n
\fR%{runas_user}\fR
%{runas_user}
expanded to the login name of the user the command will
be run as (e.g., root)
.TP 6n
\fR%{runas_group}\fR
%{runas_group}
expanded to the group name of the user the command will
be run as (e.g., wheel)
.TP 6n
\fR%{hostname}\fR
%{hostname}
expanded to the local host name without the domain name
.TP 6n
\fR%{command}\fR
%{command}
expanded to the base name of the command being run
.PP
In addition, any escape sequences supported by the system's
@@ -516,7 +523,7 @@ It is possible for
\fIiolog_file\fR
to contain directory components.
The default value is
\fR%{seq}\fR.
\(lq%{seq}\(rq.
.sp
See the
\fIiolog_dir\fR
@@ -526,9 +533,9 @@ escape sequences.
.sp
In addition to the escape sequences, path names that end in six or
more
\fRX\fRs
\fIX\fRs
will have the
\fRX\fRs
\fIX\fRs
replaced with a unique combination of digits and letters, similar to the
mktemp(3)
function.
@@ -542,7 +549,7 @@ overwritten unless
\fIiolog_file\fR
ends in six or
more
\fRX\fRs.
\fIX\fRs.
.TP 10n
iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of
@@ -553,7 +560,7 @@ of I/O log compression.
I/O logs are always flushed before sending a commit point to the client
regardless of this setting.
The default value is
\fRtrue\fR.
\fItrue\fR.
.TP 10n
iolog_group = name
The group name to look up when setting the group-ID on new I/O log
@@ -579,7 +586,7 @@ When creating I/O log directories, search (execute) bits are added
to match the read and write bits specified by
\fIiolog_mode\fR.
The default value is
\fR0600\fR.
\fI0600\fR.
.TP 10n
iolog_user = name
The user name to look up when setting the owner of new
@@ -599,7 +606,7 @@ the password will still be present in the I/O log.
If
\fIlog_passwords\fR
is set to
\fRfalse\fR,
\fIfalse\fR,
\fBsudo_logsrvd\fR
will attempt to prevent passwords from being logged.
It does this by using the regular expressions in
@@ -617,16 +624,16 @@ when the
option is set), only the
first character of the password will be replaced in the I/O log.
The default value is
\fRtrue\fR.
\fItrue\fR.
.TP 10n
maxseq = number
The maximum sequence number that will be substituted for the
\(lq\fR%{seq}\fR\(rq
\(lq%{seq}\(rq
escape in the I/O log file (see the
\fIiolog_dir\fR
description above for more information).
While the value substituted for
\(lq\fR%{seq}\fR\(rq
\(lq%{seq}\(rq
is in base 36,
\fImaxseq\fR
itself should be expressed in decimal.
@@ -634,7 +641,8 @@ Values larger than 2176782336 (which corresponds to the
base 36 sequence number
\(lqZZZZZZ\(rq)
will be silently truncated to 2176782336.
The default value is 2176782336.
The default value is
\fI2176782336\fR.
.TP 10n
passprompt_regex = string
One or more POSIX extended regular expressions used to
@@ -669,7 +677,8 @@ log_exit = boolean
If true,
\fBsudo_logsrvd\fR
will log an event when a command exits or is terminated by a signal.
Defaults to false.
Defaults to
\fIfalse\fR.
.TP 6n
log_format = string
The event log format.
@@ -691,7 +700,7 @@ syslog(3).
facility = string
Syslog facility if syslog is being used for logging.
Defaults to
\fR@logfac@\fR.
\fI@logfac@\fR.
.sp
The following syslog facilities are supported:
\fBauthpriv\fR
@@ -714,7 +723,7 @@ accept_priority = string
Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to
\fR@goodpri@\fR.
\fI@goodpri@\fR.
.sp
The following syslog priorities are supported:
\fBalert\fR,
@@ -735,7 +744,7 @@ reject_priority = string
Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to
\fR@badpri@\fR.
\fI@badpri@\fR.
.sp
See
\fIaccept_priority\fR
@@ -744,7 +753,7 @@ for the list of supported syslog priorities.
alert_priority = string
Syslog priority to use for event log alert messages received from the client.
Defaults to
\fR@badpri@\fR.
\fI@badpri@\fR.
.sp
See
\fIaccept_priority\fR
@@ -779,7 +788,7 @@ server_facility = string
Syslog facility if syslog is being used for server warning messages.
See above for a list of supported facilities.
Defaults to
\fRdaemon\fR
\fIdaemon\fR
.SS "logfile"
The
\fIlogfile\fR
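Review bot: "Defaults to" / "\fIdaemon\fR" is still missing the sentence-ending period that every sibling entry in this section has (compare "\fI@badpri@\fR." a few hunks up); since the line is being touched anyway, make it "\fIdaemon\fR." so the sentence does not run straight into the "logfile" subsection heading.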
@@ -800,10 +809,12 @@ Formatting is performed via the system's
strftime(3)
function so any escape sequences supported by that function will be expanded.
The default value is
\(lq\fR%h %e %T\fR\(rq
\(lq%h %e %T\(rq
which produces dates like
\(lqOct 3 07:15:24\(rq
in the C locale.
in the
\(oqC\(cq
locale.
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo_logsrvd.conf\fR

View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd February 16, 2022
.Dd September 13, 2022
.Dt SUDO_LOGSRVD.CONF @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -152,13 +152,15 @@ will enable the TCP keepalive socket option on the client connection.
This enables the periodic transmission of keepalive messages to the client.
If the client does not respond to a message in time, the connection will
be closed.
Defaults to true.
Defaults to
.Em true .
.It timeout = number
The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the client to respond.
A value of 0 will disable the timeout.
The default value is 30.
The default value is
.Em 30 .
.It tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
@@ -182,7 +184,7 @@ authority, the
setting must be set to a CA bundle that contains the CA certificate
used to generate the client certificate.
The default value is
.Li false .
.Em false .
.It tls_ciphers_v12 = string
A list of ciphers to use for connections secured by TLS version 1.2 only,
separated by a colon
@@ -193,7 +195,7 @@ section in
.Xr openssl-ciphers 1
for full details.
The default value is
.Li HIGH:!aNULL
.Dq HIGH:!aNULL
which consists of encryption cipher suites with key lengths larger than
128 bits, and some cipher suites with 128-bit keys.
Cipher suites that offer no authentication are excluded.
@@ -212,7 +214,8 @@ but should include the following:
.It TLS_AES_128_CCM_8_SHA256
.El
.Pp
The default cipher suite is TLS_AES_256_GCM_SHA384.
The default cipher suite is
.Dq TLS_AES_256_GCM_SHA384 .
.It tls_dhparams = path
The path to a file containing custom Diffie-Hellman parameters in PEM format.
This file can be created with the following command:
@@ -235,7 +238,8 @@ configuration is changed.
If false, no verification is performed of the server certificate.
When using self-signed certificates without a certificate authority,
this setting should be set to false.
The default value is true.
The default value is
.Em true .
.El
.Ss relay
The
@@ -263,7 +267,8 @@ setting controls the amount of time
.Nm sudo_logsrvd
will wait for the relay to respond.
A value of 0 will disable the timeout.
The default value is 30.
The default value is
.Em 30 .
.It relay_dir = path
The directory in which log messages are temporarily stored before they
are sent to the relay host.
@@ -298,7 +303,8 @@ lines are specified, the first available relay host will be used.
.It retry_interval = number
The number of seconds to wait after a connection error before making
a new attempt to forward a message to a relay host.
The default value is 30 seconds.
The default value is
.Em 30 .
.It store_first = boolean
If true,
.Nm sudo_logsrvd
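Review bot: same unit drop as in the man(7) version of this entry: "The default value is 30 seconds." becomes "The default value is" / ".Em 30 ." with no unit. Consistent with the other timeout entries, but a content change nonetheless; ".Em 30 No seconds ." would keep the explicit unit if that was not intentional.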
@@ -321,7 +327,8 @@ The amount of time, in seconds,
.Nm sudo_logsrvd
will wait for the relay server to respond after a connection has succeeded.
A value of 0 will disable the timeout.
The default value is 30.
The default value is
.Em 30 .
.It tls_cacert = path
The path to a certificate authority bundle file, in PEM format,
to use instead of the system's default certificate authority database
@@ -404,7 +411,7 @@ If set, I/O logs will be compressed using
Enabling compression can make it harder to view the logs in real-time as
the program is executing due to buffering.
The default value is
.Li false .
.Em false .
.It iolog_dir = path
The top-level directory to use when constructing the path
name for the I/O log directory.
@@ -416,23 +423,23 @@ The following percent
.Pq Ql %
escape sequences are supported:
.Bl -tag -width 4n
.It Li %{seq}
.It %{seq}
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.,
.Pa 01/00/A5
.It Li %{user}
.It %{user}
expanded to the invoking user's login name
.It Li %{group}
.It %{group}
expanded to the name of the invoking user's real group-ID
.It Li %{runas_user}
.It %{runas_user}
expanded to the login name of the user the command will
be run as (e.g., root)
.It Li %{runas_group}
.It %{runas_group}
expanded to the group name of the user the command will
be run as (e.g., wheel)
.It Li %{hostname}
.It %{hostname}
expanded to the local host name without the domain name
.It Li %{command}
.It %{command}
expanded to the base name of the command being run
.El
.Pp
@@ -453,7 +460,7 @@ It is possible for
.Em iolog_file
to contain directory components.
The default value is
.Li %{seq} .
.Dq %{seq} .
.Pp
See the
.Em iolog_dir
@@ -463,9 +470,9 @@ escape sequences.
.Pp
In addition to the escape sequences, path names that end in six or
more
.Li X Ns s
.Em X Ns s
will have the
.Li X Ns s
.Em X Ns s
replaced with a unique combination of digits and letters, similar to the
.Xr mktemp 3
function.
@@ -479,7 +486,7 @@ overwritten unless
.Em iolog_file
ends in six or
more
.Li X Ns s .
.Em X Ns s .
.It iolog_flush = boolean
If set, I/O log data is flushed to disk after each write instead of
buffering it.
@@ -489,7 +496,7 @@ of I/O log compression.
I/O logs are always flushed before sending a commit point to the client
regardless of this setting.
The default value is
.Li true .
.Em true .
.It iolog_group = name
The group name to look up when setting the group-ID on new I/O log
files and directories.
@@ -513,7 +520,7 @@ When creating I/O log directories, search (execute) bits are added
to match the read and write bits specified by
.Em iolog_mode .
The default value is
.Li 0600 .
.Em 0600 .
.It iolog_user = name
The user name to look up when setting the owner of new
I/O log files and directories.
@@ -531,7 +538,7 @@ the password will still be present in the I/O log.
If
.Em log_passwords
is set to
.Li false ,
.Em false ,
.Nm sudo_logsrvd
will attempt to prevent passwords from being logged.
It does this by using the regular expressions in
@@ -549,15 +556,15 @@ when the
option is set), only the
first character of the password will be replaced in the I/O log.
The default value is
.Li true .
.Em true .
.It maxseq = number
The maximum sequence number that will be substituted for the
.Dq Li %{seq}
.Dq %{seq}
escape in the I/O log file (see the
.Em iolog_dir
description above for more information).
While the value substituted for
.Dq Li %{seq}
.Dq %{seq}
is in base 36,
.Em maxseq
itself should be expressed in decimal.
@@ -565,7 +572,8 @@ Values larger than 2176782336 (which corresponds to the
base 36 sequence number
.Dq ZZZZZZ )
will be silently truncated to 2176782336.
The default value is 2176782336.
The default value is
.Em 2176782336 .
.It passprompt_regex = string
One or more POSIX extended regular expressions used to
match password prompts in the terminal output when
@@ -599,7 +607,8 @@ The default value is
If true,
.Nm sudo_logsrvd
will log an event when a command exits or is terminated by a signal.
Defaults to false.
Defaults to
.Em false .
.It log_format = string
The event log format.
Supported log formats are
@@ -621,7 +630,7 @@ section configures how events are logged via
.It facility = string
Syslog facility if syslog is being used for logging.
Defaults to
.Li @logfac@ .
.Em @logfac@ .
.Pp
The following syslog facilities are supported:
.Sy authpriv
@@ -643,7 +652,7 @@ and
Syslog priority to use when the user is allowed to run a command and
authentication is successful.
Defaults to
.Li @goodpri@ .
.Em @goodpri@ .
.Pp
The following syslog priorities are supported:
.Sy alert ,
@@ -663,7 +672,7 @@ will disable logging of successful commands.
Syslog priority to use when the user is not allowed to run a command or
when authentication is unsuccessful.
Defaults to
.Li @badpri@ .
.Em @badpri@ .
.Pp
See
.Em accept_priority
@@ -671,7 +680,7 @@ for the list of supported syslog priorities.
.It alert_priority = string
Syslog priority to use for event log alert messages received from the client.
Defaults to
.Li @badpri@ .
.Em @badpri@ .
.Pp
See
.Em accept_priority
@@ -704,7 +713,7 @@ JSON-format log entries are never split and are not affected by
Syslog facility if syslog is being used for server warning messages.
See above for a list of supported facilities.
Defaults to
.Li daemon
.Em daemon
.El
.Ss logfile
The
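Review bot: ".Em daemon" lacks the trailing period that the neighbouring entries carry (".Em @badpri@ ."); suggest ".Em daemon ." so the "Defaults to daemon" sentence is terminated before ".El" closes the list. The generated man(7) output shows the same missing period.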
@@ -725,10 +734,12 @@ Formatting is performed via the system's
.Xr strftime 3
function so any escape sequences supported by that function will be expanded.
The default value is
.Dq Li "%h %e %T"
.Dq "%h %e %T"
which produces dates like
.Dq Oct 3 07:15:24
in the C locale.
in the
.Ql C
locale.
.El
.Sh FILES
.Bl -tag -width 24n

View File

@@ -117,7 +117,7 @@ section.
.SS "Debugging sudo_logsrvd"
\fBsudo_logsrvd\fR
supports a flexible debugging framework that is configured via
\fRDebug\fR
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.

View File

@@ -112,7 +112,7 @@ section.
.Ss Debugging sudo_logsrvd
.Nm
supports a flexible debugging framework that is configured via
.Li Debug
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.

View File

@@ -236,7 +236,7 @@ Only available starting with API version 1.16.
debug_flags=string
A debug file path name followed by a space and a comma-separated
list of debug flags that correspond to the plugin's
\fRDebug\fR
\fIDebug\fR
entry in
sudo.conf(@mansectform@),
if there is one.
@@ -265,7 +265,7 @@ will only pass
if
sudo.conf(@mansectform@)
contains a plugin-specific
\fRDebug\fR
\fIDebug\fR
entry.
.TP 6n
ignore_ticket=bool
@@ -677,7 +677,7 @@ tty=string
The path to the user's terminal device.
If the user has no terminal device associated with the session,
the value will be empty, as in
\(lq\fRtty=\fR\(rq.
\(oqtty=\(cq.
.TP 6n
uid=uid_t
The real user-ID of the user invoking
@@ -921,10 +921,10 @@ into
\fIargv_out\fR,
separated from the
editor and its arguments by a
\(lq\fR--\fR\(rq
\(oq--\(cq
element.
The
\(lq\fR--\fR\(rq
\(oq--\(cq
will be removed by
\fBsudo\fR
before the editor is executed.

View File

@@ -216,7 +216,7 @@ Only available starting with API version 1.16.
.It debug_flags=string
A debug file path name followed by a space and a comma-separated
list of debug flags that correspond to the plugin's
.Li Debug
.Em Debug
entry in
.Xr sudo.conf @mansectform@ ,
if there is one.
@@ -245,7 +245,7 @@ will only pass
if
.Xr sudo.conf @mansectform@
contains a plugin-specific
.Li Debug
.Em Debug
entry.
.It ignore_ticket=bool
Set to true if the user specified the
@@ -603,7 +603,7 @@ Only available starting with API version 1.2.
The path to the user's terminal device.
If the user has no terminal device associated with the session,
the value will be empty, as in
.Dq Li tty= .
.Ql tty= .
.It uid=uid_t
The real user-ID of the user invoking
.Nm sudo .
@@ -819,10 +819,10 @@ into
.Fa argv_out ,
separated from the
editor and its arguments by a
.Dq Li --
.Ql --
element.
The
.Dq Li --
.Ql --
will be removed by
.Nm sudo
before the editor is executed.

View File

@@ -154,7 +154,7 @@ version and exit.
.SS "Debugging sendlog"
\fBsudo_sendlog\fR
supports a flexible debugging framework that is configured via
\fRDebug\fR
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.

View File

@@ -139,7 +139,7 @@ version and exit.
.Ss Debugging sendlog
.Nm
supports a flexible debugging framework that is configured via
.Li Debug
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.

View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS.LDAP" "@mansectform@" "July 25, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS.LDAP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -69,16 +69,16 @@ is no need for a specialized tool to check syntax.
The
\fIsudoers\fR
configuration is contained in the
\fRou=SUDOers\fR
\(oqou=SUDOers\(cq
LDAP container.
.PP
Sudo first looks for the
\fRcn=defaults\fR
\(oqcn=defaults\(cq
entry in the SUDOers container.
If found, the multi-valued
\fRsudoOption\fR
\fIsudoOption\fR
attribute is parsed in the same manner as a global
\fRDefaults\fR
\fIDefaults\fR
line in
\fI@sysconfdir@/sudoers\fR.
In the following example, the
@@ -97,7 +97,7 @@ sudoOption: env_keep+=SSH_AUTH_SOCK
.fi
.PP
The equivalent of a sudoer in LDAP is a
\fRsudoRole\fR.
\fIsudoRole\fR.
It consists of the following attributes:
.TP 6n
\fBsudoUser\fR
@@ -120,36 +120,36 @@ Non-Unix group support is only available when an appropriate
\fIgroup_plugin\fR
is defined in the global
\fIdefaults\fR
\fRsudoRole\fR
\fIsudoRole\fR
object.
If a
\fRsudoUser\fR
\fIsudoUser\fR
entry is preceded by an exclamation point,
\(oq\&!\(cq,
and the entry matches, the
\fRsudoRole\fR
\fIsudoRole\fR
in which it resides will be ignored.
Negated
\fRsudoUser\fR
\fIsudoUser\fR
entries are only supported by version 1.9.9 or higher.
.TP 6n
\fBsudoHost\fR
A host name, IP address, IP network, or host netgroup (prefixed with a
\(oq+\(cq).
The special value
\fRALL\fR
\fBALL\fR
will match any host.
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If a
\fRsudoHost\fR
\fIsudoHost\fR
entry is preceded by an exclamation point,
\(oq\&!\(cq,
and the entry matches, the
\fRsudoRole\fR
\fIsudoRole\fR
in which it resides will be ignored.
Negated
\fRsudoHost\fR
\fIsudoHost\fR
entries are only supported by version 1.8.18 or higher.
.TP 6n
\fBsudoCommand\fR
@@ -160,7 +160,7 @@ If a command name is preceded by an exclamation point,
the user will be prohibited from running that command.
.sp
The built-in command
\(lq\fRsudoedit\fR\(rq
\(lqsudoedit\(rq
is used to permit a user to run
\fBsudo\fR
with the
@@ -169,13 +169,13 @@ option (or as
\fBsudoedit\fR).
It may take command line arguments just as a normal command does.
Unlike other commands,
\(lq\fRsudoedit\fR\(rq
\(lqsudoedit\(rq
is a built into
\fBsudo\fR
itself and must be specified in without a leading path.
.sp
The special value
\fRALL\fR
\fBALL\fR
will match any command.
.sp
If a command name is prefixed with a SHA-2 digest, it will
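Review bot: the unchanged context directly under the new "\(lqsudoedit\(rq" line has two pre-existing grammar slips worth fixing while this paragraph is being edited: "is a built into" should read "is built into", and "must be specified in without a leading path" should read "must be specified without a leading path".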
@@ -205,7 +205,7 @@ Command digests are only supported by version 1.8.7 or higher.
\fBsudoOption\fR
Identical in function to the global options described above, but
specific to the
\fRsudoRole\fR
\fIsudoRole\fR
in which it resides.
.TP 6n
\fBsudoRunAsUser\fR
@@ -217,30 +217,29 @@ or user netgroup (prefixed with a
\(oq+\(cq)
that contains a list of users that commands may be run as.
The special value
\fRALL\fR
\fBALL\fR
will match any user.
If a
\fRsudoRunAsUser\fR
\fIsudoRunAsUser\fR
entry is preceded by an exclamation point,
\(oq\&!\(cq,
and the entry matches, the
\fRsudoRole\fR
\fIsudoRole\fR
in which it resides will be ignored.
If
\fRsudoRunAsUser\fR
\fIsudoRunAsUser\fR
is specified but empty, it will match the invoking user.
If neither
\fRsudoRunAsUser\fR
\fIsudoRunAsUser\fR
nor
\fRsudoRunAsGroup\fR
\fIsudoRunAsGroup\fR
are present, the value of the
\fIrunas_default\fR
\fRsudoOption\fR
is used (defaults to
\fR@runas_default@\fR).
\fIsudoOption\fR
is used (defaults to @runas_default@).
.sp
The
\fRsudoRunAsUser\fR
\fIsudoRunAsUser\fR
attribute is only available in
\fBsudo\fR
versions
@@ -248,10 +247,10 @@ versions
Older versions of
\fBsudo\fR
use the
\fRsudoRunAs\fR
\fIsudoRunAs\fR
attribute instead.
Negated
\fRsudoRunAsUser\fR
\fIsudoRunAsUser\fR
entries are only supported by version 1.8.26 or higher.
.TP 6n
\fBsudoRunAsGroup\fR
@@ -259,34 +258,34 @@ A Unix group or group-ID (prefixed with
\(oq#\(cq)
that commands may be run as.
The special value
\fRALL\fR
\fBALL\fR
will match any group.
If a
\fRsudoRunAsGroup\fR
\fIsudoRunAsGroup\fR
entry is preceded by an exclamation point,
\(oq\&!\(cq,
and the entry matches, the
\fRsudoRole\fR
\fIsudoRole\fR
in which it resides will be ignored.
.sp
The
\fRsudoRunAsGroup\fR
\fIsudoRunAsGroup\fR
attribute is only available in
\fBsudo\fR
versions
1.7.0 and higher.
Negated
\fRsudoRunAsGroup\fR
\fIsudoRunAsGroup\fR
entries are only supported by version 1.8.26 or higher.
.TP 6n
\fBsudoNotBefore\fR
A timestamp in the form
\fRyyyymmddHHMMSSZ\fR
\(oqyyyymmddHHMMSSZ\(cq
that can be used to provide a start date/time for when the
\fRsudoRole\fR
\fIsudoRole\fR
will be valid.
If multiple
\fRsudoNotBefore\fR
\fIsudoNotBefore\fR
entries are present, the earliest is used.
Timestamps must be in Coordinated Universal Time (UTC),
not the local timezone.
@@ -294,7 +293,7 @@ The minute and seconds portions are optional, but some LDAP servers
require that they be present (contrary to the RFC).
.sp
The
\fRsudoNotBefore\fR
\fIsudoNotBefore\fR
attribute is only available in
\fBsudo\fR
versions 1.7.5 and higher and must be explicitly enabled via the
@@ -304,12 +303,12 @@ option in
.TP 6n
\fBsudoNotAfter\fR
A timestamp in the form
\fRyyyymmddHHMMSSZ\fR
\(oqyyyymmddHHMMSSZ\(cq
that indicates an expiration date/time, after which the
\fRsudoRole\fR
\fIsudoRole\fR
will no longer be valid.
If multiple
\fRsudoNotAfter\fR
\fIsudoNotAfter\fR
entries are present, the last one is used.
Timestamps must be in Coordinated Universal Time (UTC),
not the local timezone.
@@ -317,7 +316,7 @@ The minute and seconds portions are optional, but some LDAP servers
require that they be present (contrary to the RFC).
.sp
The
\fRsudoNotAfter\fR
\fIsudoNotAfter\fR
attribute is only available in
\fBsudo\fR
versions
@@ -328,26 +327,26 @@ option in
.TP 6n
\fBsudoOrder\fR
The
\fRsudoRole\fR
\fIsudoRole\fR
entries retrieved from the LDAP directory have no inherent order.
The
\fRsudoOrder\fR
\fIsudoOrder\fR
attribute is an integer (or floating point value for LDAP servers
that support it) that is used to sort the matching entries.
This allows LDAP-based sudoers entries to more closely mimic the behavior
of the sudoers file, where the order of the entries influences the result.
If multiple entries match, the entry with the highest
\fRsudoOrder\fR
\fIsudoOrder\fR
attribute is chosen.
This corresponds to the
\(lqlast match\(rq
behavior of the sudoers file.
If the
\fRsudoOrder\fR
\fIsudoOrder\fR
attribute is not present, a value of 0 is assumed.
.sp
The
\fRsudoOrder\fR
\fIsudoOrder\fR
attribute is only available in
\fBsudo\fR
versions 1.7.5 and higher.
@@ -355,12 +354,12 @@ versions 1.7.5 and higher.
Each attribute listed above should contain a single value, but there
may be multiple instances of each attribute type.
A
\fRsudoRole\fR
\fIsudoRole\fR
must contain at least one
\fRsudoUser\fR,
\fRsudoHost\fR,
\fIsudoUser\fR,
\fIsudoHost\fR,
and
\fRsudoCommand\fR.
\fIsudoCommand\fR.
.PP
The following example allows users in group wheel to run any command
on any host via
@@ -384,7 +383,7 @@ The first query is to parse the global options.
The second is to match against the user's name and the groups that
the user belongs to.
(The special
\fRALL\fR
\fBALL\fR
tag is matched in this query too.)
If no match is returned for the user's name and groups, a third
query returns all entries containing user netgroups and other
@@ -411,12 +410,12 @@ are as follows:
.TP 5n
1.\&
Match all
\fRnisNetgroup\fR
\fInisNetgroup\fR
records with a
\fRnisNetgroupTriple\fR
\fInisNetgroupTriple\fR
containing the user, host, and NIS domain.
The query will match
\fRnisNetgroupTriple\fR
\fInisNetgroupTriple\fR
entries with either the short or long form of the host name or
no host name specified in the tuple.
If the NIS domain is set, the query will match only match entries
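Review bot: the context line "If the NIS domain is set, the query will match only match entries" has a duplicated verb; since the surrounding lines are being reflowed for markup, suggest "the query will only match entries".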
@@ -425,13 +424,13 @@ If the NIS domain is
\fInot\fR
set, a wildcard is used to match any domain name but be aware that the
NIS schema used by some LDAP servers may not support wild cards for
\fRnisNetgroupTriple\fR.
\fInisNetgroupTriple\fR.
.TP 5n
2.\&
Repeated queries are performed to find any nested
\fRnisNetgroup\fR
\fInisNetgroup\fR
records with a
\fRmemberNisNetgroup\fR
\fImemberNisNetgroup\fR
entry that refers to an already-matched record.
.PP
For sites with a large number of netgroups, using
@@ -465,7 +464,7 @@ returned in any specific order.
.PP
The order in which different entries are applied can be controlled
using the
\fRsudoOrder\fR
\fIsudoOrder\fR
attribute, but there is no way to guarantee the order of attributes
within a specific entry.
If there are conflicting command rules in an entry, the negative
@@ -519,18 +518,18 @@ These cannot be converted automatically.
For example, a Cmnd_Alias in a
\fIsudoers\fR
file may be converted to a
\fRsudoRole\fR
\fIsudoRole\fR
that contains multiple commands.
Multiple users and/or groups may be assigned to the
\fRsudoRole\fR.
\fIsudoRole\fR.
.PP
Also, host, user, runas, and command-based
\fRDefaults\fR
\fIDefaults\fR
entries are not supported.
However, a
\fRsudoRole\fR
\fIsudoRole\fR
may contain one or more
\fRsudoOption\fR
\fIsudoOption\fR
attributes which can often serve the same purpose.
.PP
Consider the following
@@ -590,7 +589,7 @@ Using a Unix group or netgroup in PAGERS rather than listing each
user would make this easier to maintain.
.PP
Per-user
\fRDefaults\fR
\fIDefaults\fR
entries can be emulated by using one or more sudoOption attributes
in a sudoRole.
Consider the following
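Review bot: the hunk italicises "\fIDefaults\fR" but leaves the bare "sudoOption" and "sudoRole" on the very next line ("one or more sudoOption attributes" / "in a sudoRole") unmarked, which is inconsistent with the "\fIsudoOption\fR" and "\fIsudoRole\fR" treatment applied to the same attribute names everywhere else in this file; mark them the same way.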
@@ -637,7 +636,7 @@ LDAP support, the
schema must be
installed on your LDAP server.
In addition, be sure to index the
\fRsudoUser\fR
\fIsudoUser\fR
attribute.
.PP
The
@@ -797,31 +796,30 @@ The default value is protocol version 3.
\fBNETGROUP_BASE\fR \fIbase\fR
The base DN to use when performing LDAP netgroup queries.
Typically this is of the form
\fRou=netgroup,dc=my-domain,dc=com\fR
for the domain
\fRmy-domain.com\fR.
\(oqou=netgroup,dc=my-domain,dc=com\(cq
for the domain my-domain.com.
Multiple
\fBNETGROUP_BASE\fR
lines may be specified, in which case they are queried in the order specified.
.sp
This option can be used to query a user's netgroups directly via LDAP
which is usually faster than fetching every
\fRsudoRole\fR
\fIsudoRole\fR
object containing a
\fRsudoUser\fR
\fIsudoUser\fR
that begins with a
\(oq+\(cq
prefix.
The NIS schema used by some LDAP servers need a modification to
support querying the
\fRnisNetgroup\fR
\fInisNetgroup\fR
object by its
\fRnisNetgroupTriple\fR
\fInisNetgroupTriple\fR
member.
OpenLDAP's
\fBslapd\fR
requires the following change to the
\fRnisNetgroupTriple\fR
\fInisNetgroupTriple\fR
attribute:
.nf
.sp
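Review bot: in the context lines of this hunk, "The NIS schema used by some LDAP servers need a modification" has a subject/verb disagreement ("schema ... needs"); worth fixing since the adjacent attribute names are already being re-marked in this hunk.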
@@ -837,13 +835,12 @@ attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
\fBNETGROUP_SEARCH_FILTER\fR \fIldap_filter\fR
An LDAP filter which is used to restrict the set of records returned
when performing an LDAP netgroup query.
Typically, this is of the
form
\fRattribute=value\fR
Typically, this is of the form
\(oqattribute=value\(cq
or
\fR(&(attribute=value)(attribute2=value2))\fR.
\(oq(&(attribute=value)(attribute2=value2))\(cq.
The default search filter is:
\fRobjectClass=nisNetgroup\fR.
\(oqobjectClass=nisNetgroup\(cq.
If
\fIldap_filter\fR
is omitted, no search filter will be used.
@@ -928,10 +925,10 @@ This option is only relevant when using SASL authentication.
If the
\fBSSL\fR
parameter is set to
\fRon\fR,
\fRtrue\fR,
\fIon\fR,
\fItrue\fR,
or
\fRyes\fR
\fIyes\fR
TLS (SSL) encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636 (ldaps).
.TP 6n
@@ -939,7 +936,7 @@ Typically, this involves connecting to the server on port 636 (ldaps).
If the
\fBSSL\fR
parameter is set to
\fRstart_tls\fR,
\fIstart_tls\fR,
the LDAP server connection is initiated normally and TLS encryption is
begun before the bind credentials are sent.
This has the advantage of not requiring a dedicated port for encrypted
@@ -953,9 +950,8 @@ The base DN to use when performing
\fBsudo\fR
LDAP queries.
Typically this is of the form
\fRou=SUDOers,dc=my-domain,dc=com\fR
for the domain
\fRmy-domain.com\fR.
\(oqou=SUDOers,dc=my-domain,dc=com\(cq
for the domain my-domain.com.
Multiple
\fBSUDOERS_BASE\fR
lines may be specified, in which case they are queried in the order specified.
@@ -997,20 +993,20 @@ when performing a
LDAP query.
Typically, this is of the
form
\fRattribute=value\fR
\(oqattribute=value\(cq
or
\fR(&(attribute=value)(attribute2=value2))\fR.
\(oq(&(attribute=value)(attribute2=value2))\(cq.
The default search filter is:
\fRobjectClass=sudoRole\fR.
\(oqobjectClass=sudoRole\(cq.
If
\fIldap_filter\fR
is omitted, no search filter will be used.
.TP 6n
\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
Whether or not to evaluate the
\fRsudoNotBefore\fR
\fIsudoNotBefore\fR
and
\fRsudoNotAfter\fR
\fIsudoNotAfter\fR
attributes that implement time-dependent sudoers entries.
.TP 6n
\fBTIMELIMIT\fR \fIseconds\fR
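Review bot: the NETGROUP_SEARCH_FILTER hunk above joins "Typically, this is of the" / "form" onto one line, but here the equivalent SUDOERS_SEARCH_FILTER text still keeps the two-line split ("Typically, this is of the" / "form"); join it the same way so the two parallel paragraphs are formatted identically.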
@@ -1062,11 +1058,11 @@ The certificate type depends on the LDAP libraries used.
.PD 0
.TP 6n
OpenLDAP:
\fRtls_cert /etc/ssl/client_cert.pem\fR
\(oqtls_cert /etc/ssl/client_cert.pem\(cq
.PD
.TP 6n
Netscape-derived:
\fRtls_cert /var/ldap/cert7.db\fR
\(oqtls_cert /var/ldap/cert7.db\(cq
.TP 6n
IBM LDAP:
Unused, the key database specified by
@@ -1106,14 +1102,14 @@ The key type depends on the LDAP libraries used.
.PD 0
.TP 6n
OpenLDAP:
\fRtls_key /etc/ssl/client_key.pem\fR
\(oqtls_key /etc/ssl/client_key.pem\(cq
.PD
.TP 6n
Netscape-derived:
\fRtls_key /var/ldap/key3.db\fR
\(oqtls_key /var/ldap/key3.db\(cq
.TP 6n
IBM LDAP:
\fRtls_key /usr/ldap/ldapkey.kdb\fR
\(oqtls_key /usr/ldap/ldapkey.kdb\(cq
.PP
When using IBM LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
@@ -1171,15 +1167,15 @@ The
must have the same path as the file specified by
\fBTLS_KEY\fR,
but use a
\fR.sth\fR
\(oq.sth\(cq
file extension instead of
\fR.kdb\fR,
e.g.,
\fRldapkey.sth\fR.
\(oq.kdb\(cq,
for example
\(oqldapkey.sth\(cq.
The default
\fRldapkey.kdb\fR
\(oqldapkey.kdb\(cq
that ships with the IBM Tivoli Directory Server is encrypted with the password
\fRssl_password\fR.
\(oqssl_password\(cq.
The
\fIgsk8capicmd\fR
utility can be used to manage the key database and create a
@@ -1251,9 +1247,9 @@ the latter being for servers that support TLS (SSL) encryption.
If no
\fIport\fR
is specified, the default is port 389 for
\fRldap://\fR
\(oqldap://\(cq
or port 636 for
\fRldaps://\fR.
\(oqldaps://\(cq.
If no
\fIhostname\fR
is specified,
@@ -1266,9 +1262,9 @@ lines are treated identically to a
\fBURI\fR
line containing multiple entries.
Only systems using the OpenSSL libraries support the mixing of
\fRldap://\fR
\(oqldap://\(cq
and
\fRldaps://\fR
\(oqldaps://\(cq
URIs.
Both the Netscape-derived and IBM LDAP libraries used on most commercial
versions of Unix are only capable of supporting one or the other.
@@ -1297,13 +1293,13 @@ to specify the
\fIsudoers\fR
search order.
Sudo looks for a line beginning with
\fRsudoers\fR:
\fIsudoers\fR:
and uses this to determine the search order.
By default,
\fBsudo\fR
does not stop searching after the first match and later matches take
precedence over earlier ones (unless
\fR[SUCCESS=return]\fR
\(oq[SUCCESS=return]\(cq
is used, see below).
The following sources are recognized:
.PP
@@ -1322,14 +1318,14 @@ read sudoers from LDAP
In addition, a subset of
\fInsswitch.conf\fR-style
action statements is supported, specifically
\fR[SUCCESS=return]\fR
\(oq[SUCCESS=return]\(cq
and
\fR[NOTFOUND=return]\fR.
\(oq[NOTFOUND=return]\(cq.
These will unconditionally terminate the search if the user was either
found
(\fR[SUCCESS=return]\fR)
\(oq[SUCCESS=return]\(cq
or not found
(\fR[NOTFOUND=return]\fR)
\(oq[NOTFOUND=return]\(cq
in the immediately preceding source.
Other action statements tokens are not supported, nor is test
negation with
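Review bot: the lines turning `(\fR[SUCCESS=return]\fR)` and `(\fR[NOTFOUND=return]\fR)` into `\(oq[SUCCESS=return]\(cq` and `\(oq[NOTFOUND=return]\(cq` drop the parentheses together with the no-op font change, so the sentence now reads "if the user was either found ‘[SUCCESS=return]’ or not found ‘[NOTFOUND=return]’ in the immediately preceding source", with the two tokens no longer set off as asides. Keep the parentheses around the quoted tokens, e.g. `(\(oq[SUCCESS=return]\(cq)`, so they read as parentheticals the way the unchanged text intends. While here, the context line `Other action statements tokens are not supported` should read `Other action statement tokens are not supported`.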
@@ -1420,11 +1416,11 @@ sudoers = ldap = auth, files
.fi
.PP
In the above example, the
\fRauth\fR
\fIauth\fR
qualifier only affects user lookups; both LDAP and
\fIsudoers\fR
will be queried for
\fRDefaults\fR
\fIDefaults\fR
entries.
.PP
If the
@@ -1449,9 +1445,9 @@ rules.
To use SSSD as the
\fIsudoers\fR
source, you should use
\fRsss\fR
\fIsss\fR
instead of
\fRldap\fR
\fIldap\fR
for the sudoers entry in
\fI@nsswitch_conf@\fR.
The
@@ -1595,7 +1591,7 @@ Simply copy
it to the schema directory (e.g.,
\fI/etc/openldap/schema\fR),
add the proper
\fRinclude\fR
\fIinclude\fR
line in
\fIslapd.conf\fR
and restart

View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd July 25, 2022
.Dd September 13, 2022
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -67,16 +67,16 @@ is no need for a specialized tool to check syntax.
The
.Em sudoers
configuration is contained in the
.Li ou=SUDOers
.Ql ou=SUDOers
LDAP container.
.Pp
Sudo first looks for the
.Li cn=defaults
.Ql cn=defaults
entry in the SUDOers container.
If found, the multi-valued
.Li sudoOption
.Em sudoOption
attribute is parsed in the same manner as a global
.Li Defaults
.Em Defaults
line in
.Pa @sysconfdir@/sudoers .
In the following example, the
@@ -92,7 +92,7 @@ sudoOption: env_keep+=SSH_AUTH_SOCK
.Ed
.Pp
The equivalent of a sudoer in LDAP is a
.Li sudoRole .
.Em sudoRole .
It consists of the following attributes:
.Bl -tag -width 4n
.It Sy sudoUser
@@ -115,35 +115,35 @@ Non-Unix group support is only available when an appropriate
.Em group_plugin
is defined in the global
.Em defaults
.Li sudoRole
.Em sudoRole
object.
If a
.Li sudoUser
.Em sudoUser
entry is preceded by an exclamation point,
.Ql \&! ,
and the entry matches, the
.Li sudoRole
.Em sudoRole
in which it resides will be ignored.
Negated
.Li sudoUser
.Em sudoUser
entries are only supported by version 1.9.9 or higher.
.It Sy sudoHost
A host name, IP address, IP network, or host netgroup (prefixed with a
.Ql + ) .
The special value
.Li ALL
.Sy ALL
will match any host.
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If a
.Li sudoHost
.Em sudoHost
entry is preceded by an exclamation point,
.Ql \&! ,
and the entry matches, the
.Li sudoRole
.Em sudoRole
in which it resides will be ignored.
Negated
.Li sudoHost
.Em sudoHost
entries are only supported by version 1.8.18 or higher.
.It Sy sudoCommand
A fully-qualified Unix command name with optional command line arguments,
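Review bot: this hunk sets the attribute names `sudoUser`, `sudoHost` and `sudoRole` as `.Em` (italic) in running text, but the list heads that introduce the same attributes remain `.It Sy sudoHost` and `.It Sy sudoCommand` (bold), so one identifier is typeset two different ways on the same page. Pick one convention: either `.Sy sudoHost` in the body to match the tags, or change the `.It Sy` heads to `.It Em`. The move of `ALL` to `.Sy` is fine, since it is a keyword rather than an attribute and is already rendered bold in the sudoers grammar.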
@@ -153,7 +153,7 @@ If a command name is preceded by an exclamation point,
the user will be prohibited from running that command.
.Pp
The built-in command
.Dq Li sudoedit
.Dq sudoedit
is used to permit a user to run
.Nm sudo
with the
@@ -162,13 +162,13 @@ option (or as
.Nm sudoedit ) .
It may take command line arguments just as a normal command does.
Unlike other commands,
.Dq Li sudoedit
.Dq sudoedit
is a built into
.Nm sudo
itself and must be specified in without a leading path.
.Pp
The special value
.Li ALL
.Sy ALL
will match any command.
.Pp
If a command name is prefixed with a SHA-2 digest, it will
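Review bot: the unchanged context around the `.Dq sudoedit` change carries two pre-existing slips that this pass could fix while the paragraph is being touched: `is a built into` should be `is built into`, and `must be specified in without a leading path` should be `must be specified without a leading path`.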
@@ -192,7 +192,7 @@ Command digests are only supported by version 1.8.7 or higher.
.It Sy sudoOption
Identical in function to the global options described above, but
specific to the
.Li sudoRole
.Em sudoRole
in which it resides.
.It Sy sudoRunAsUser
A user name or user-ID (prefixed with
@@ -203,30 +203,29 @@ or user netgroup (prefixed with a
.Ql + )
that contains a list of users that commands may be run as.
The special value
.Li ALL
.Sy ALL
will match any user.
If a
.Li sudoRunAsUser
.Em sudoRunAsUser
entry is preceded by an exclamation point,
.Ql \&! ,
and the entry matches, the
.Li sudoRole
.Em sudoRole
in which it resides will be ignored.
If
.Li sudoRunAsUser
.Em sudoRunAsUser
is specified but empty, it will match the invoking user.
If neither
.Li sudoRunAsUser
.Em sudoRunAsUser
nor
.Li sudoRunAsGroup
.Em sudoRunAsGroup
are present, the value of the
.Em runas_default
.Li sudoOption
is used (defaults to
.Li @runas_default@ ) .
.Em sudoOption
is used (defaults to @runas_default@).
.Pp
The
.Li sudoRunAsUser
.Em sudoRunAsUser
attribute is only available in
.Nm sudo
versions
@@ -234,43 +233,43 @@ versions
Older versions of
.Nm sudo
use the
.Li sudoRunAs
.Em sudoRunAs
attribute instead.
Negated
.Li sudoRunAsUser
.Em sudoRunAsUser
entries are only supported by version 1.8.26 or higher.
.It Sy sudoRunAsGroup
A Unix group or group-ID (prefixed with
.Ql # )
that commands may be run as.
The special value
.Li ALL
.Sy ALL
will match any group.
If a
.Li sudoRunAsGroup
.Em sudoRunAsGroup
entry is preceded by an exclamation point,
.Ql \&! ,
and the entry matches, the
.Li sudoRole
.Em sudoRole
in which it resides will be ignored.
.Pp
The
.Li sudoRunAsGroup
.Em sudoRunAsGroup
attribute is only available in
.Nm sudo
versions
1.7.0 and higher.
Negated
.Li sudoRunAsGroup
.Em sudoRunAsGroup
entries are only supported by version 1.8.26 or higher.
.It Sy sudoNotBefore
A timestamp in the form
.Li yyyymmddHHMMSSZ
.Ql yyyymmddHHMMSSZ
that can be used to provide a start date/time for when the
.Li sudoRole
.Em sudoRole
will be valid.
If multiple
.Li sudoNotBefore
.Em sudoNotBefore
entries are present, the earliest is used.
Timestamps must be in Coordinated Universal Time (UTC),
not the local timezone.
@@ -278,7 +277,7 @@ The minute and seconds portions are optional, but some LDAP servers
require that they be present (contrary to the RFC).
.Pp
The
.Li sudoNotBefore
.Em sudoNotBefore
attribute is only available in
.Nm sudo
versions 1.7.5 and higher and must be explicitly enabled via the
@@ -287,12 +286,12 @@ option in
.Pa @ldap_conf@ .
.It Sy sudoNotAfter
A timestamp in the form
.Li yyyymmddHHMMSSZ
.Ql yyyymmddHHMMSSZ
that indicates an expiration date/time, after which the
.Li sudoRole
.Em sudoRole
will no longer be valid.
If multiple
.Li sudoNotAfter
.Em sudoNotAfter
entries are present, the last one is used.
Timestamps must be in Coordinated Universal Time (UTC),
not the local timezone.
@@ -300,7 +299,7 @@ The minute and seconds portions are optional, but some LDAP servers
require that they be present (contrary to the RFC).
.Pp
The
.Li sudoNotAfter
.Em sudoNotAfter
attribute is only available in
.Nm sudo
versions
@@ -310,26 +309,26 @@ option in
.Pa @ldap_conf@ .
.It Sy sudoOrder
The
.Li sudoRole
.Em sudoRole
entries retrieved from the LDAP directory have no inherent order.
The
.Li sudoOrder
.Em sudoOrder
attribute is an integer (or floating point value for LDAP servers
that support it) that is used to sort the matching entries.
This allows LDAP-based sudoers entries to more closely mimic the behavior
of the sudoers file, where the order of the entries influences the result.
If multiple entries match, the entry with the highest
.Li sudoOrder
.Em sudoOrder
attribute is chosen.
This corresponds to the
.Dq last match
behavior of the sudoers file.
If the
.Li sudoOrder
.Em sudoOrder
attribute is not present, a value of 0 is assumed.
.Pp
The
.Li sudoOrder
.Em sudoOrder
attribute is only available in
.Nm sudo
versions 1.7.5 and higher.
@@ -338,12 +337,12 @@ versions 1.7.5 and higher.
Each attribute listed above should contain a single value, but there
may be multiple instances of each attribute type.
A
.Li sudoRole
.Em sudoRole
must contain at least one
.Li sudoUser ,
.Li sudoHost ,
.Em sudoUser ,
.Em sudoHost ,
and
.Li sudoCommand .
.Em sudoCommand .
.Pp
The following example allows users in group wheel to run any command
on any host via
@@ -364,7 +363,7 @@ The first query is to parse the global options.
The second is to match against the user's name and the groups that
the user belongs to.
(The special
.Li ALL
.Sy ALL
tag is matched in this query too.)
If no match is returned for the user's name and groups, a third
query returns all entries containing user netgroups and other
@@ -391,12 +390,12 @@ are as follows:
.Bl -enum
.It
Match all
.Li nisNetgroup
.Em nisNetgroup
records with a
.Li nisNetgroupTriple
.Em nisNetgroupTriple
containing the user, host, and NIS domain.
The query will match
.Li nisNetgroupTriple
.Em nisNetgroupTriple
entries with either the short or long form of the host name or
no host name specified in the tuple.
If the NIS domain is set, the query will match only match entries
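Review bot: the context line `If the NIS domain is set, the query will match only match entries` has a doubled verb; `will only match entries` is what is meant. Since the surrounding `nisNetgroupTriple` lines are being re-marked-up in this hunk, this is the natural place to fix it.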
@@ -405,12 +404,12 @@ If the NIS domain is
.Em not
set, a wildcard is used to match any domain name but be aware that the
NIS schema used by some LDAP servers may not support wild cards for
.Li nisNetgroupTriple .
.Em nisNetgroupTriple .
.It
Repeated queries are performed to find any nested
.Li nisNetgroup
.Em nisNetgroup
records with a
.Li memberNisNetgroup
.Em memberNisNetgroup
entry that refers to an already-matched record.
.El
.Pp
@@ -445,7 +444,7 @@ returned in any specific order.
.Pp
The order in which different entries are applied can be controlled
using the
.Li sudoOrder
.Em sudoOrder
attribute, but there is no way to guarantee the order of attributes
within a specific entry.
If there are conflicting command rules in an entry, the negative
@@ -496,18 +495,18 @@ These cannot be converted automatically.
For example, a Cmnd_Alias in a
.Em sudoers
file may be converted to a
.Li sudoRole
.Em sudoRole
that contains multiple commands.
Multiple users and/or groups may be assigned to the
.Li sudoRole .
.Em sudoRole .
.Pp
Also, host, user, runas, and command-based
.Li Defaults
.Em Defaults
entries are not supported.
However, a
.Li sudoRole
.Em sudoRole
may contain one or more
.Li sudoOption
.Em sudoOption
attributes which can often serve the same purpose.
.Pp
Consider the following
@@ -561,7 +560,7 @@ Using a Unix group or netgroup in PAGERS rather than listing each
user would make this easier to maintain.
.Pp
Per-user
.Li Defaults
.Em Defaults
entries can be emulated by using one or more sudoOption attributes
in a sudoRole.
Consider the following
@@ -602,7 +601,7 @@ LDAP support, the
schema must be
installed on your LDAP server.
In addition, be sure to index the
.Li sudoUser
.Em sudoUser
attribute.
.Pp
The
@@ -748,31 +747,30 @@ The default value is protocol version 3.
.It Sy NETGROUP_BASE Ar base
The base DN to use when performing LDAP netgroup queries.
Typically this is of the form
.Li ou=netgroup,dc=my-domain,dc=com
for the domain
.Li my-domain.com .
.Ql ou=netgroup,dc=my-domain,dc=com
for the domain my-domain.com.
Multiple
.Sy NETGROUP_BASE
lines may be specified, in which case they are queried in the order specified.
.Pp
This option can be used to query a user's netgroups directly via LDAP
which is usually faster than fetching every
.Li sudoRole
.Em sudoRole
object containing a
.Li sudoUser
.Em sudoUser
that begins with a
.Ql +
prefix.
The NIS schema used by some LDAP servers need a modification to
support querying the
.Li nisNetgroup
.Em nisNetgroup
object by its
.Li nisNetgroupTriple
.Em nisNetgroupTriple
member.
OpenLDAP's
.Sy slapd
requires the following change to the
.Li nisNetgroupTriple
.Em nisNetgroupTriple
attribute:
.Bd -literal -offset 4n
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
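Review bot: the context line `The NIS schema used by some LDAP servers need a modification` has a number disagreement (`schema ... needs`) that could be corrected alongside the `.Em nisNetgroup` and `.Em nisNetgroupTriple` changes in this hunk. The markup itself is consistent with how `sudoRole` and `sudoUser` are set earlier in the page, since all of these are LDAP schema identifiers rather than literal values.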
@@ -784,13 +782,12 @@ attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
.It Sy NETGROUP_SEARCH_FILTER Ar ldap_filter
An LDAP filter which is used to restrict the set of records returned
when performing an LDAP netgroup query.
Typically, this is of the
form
.Li attribute=value
Typically, this is of the form
.Ql attribute=value
or
.Li (&(attribute=value)(attribute2=value2)) .
.Ql (&(attribute=value)(attribute2=value2)) .
The default search filter is:
.Li objectClass=nisNetgroup .
.Ql objectClass=nisNetgroup .
If
.Ar ldap_filter
is omitted, no search filter will be used.
@@ -867,17 +864,17 @@ This option is only relevant when using SASL authentication.
If the
.Sy SSL
parameter is set to
.Li on ,
.Li true ,
.Em on ,
.Em true ,
or
.Li yes
.Em yes
TLS (SSL) encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636 (ldaps).
.It Sy SSL Ar start_tls
If the
.Sy SSL
parameter is set to
.Li start_tls ,
.Em start_tls ,
the LDAP server connection is initiated normally and TLS encryption is
begun before the bind credentials are sent.
This has the advantage of not requiring a dedicated port for encrypted
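Review bot: `on`, `true`, `yes` and `start_tls` are literal values written into ldap.conf, not terms being emphasized, so `.Em` is the wrong replacement for `.Li` here. Elsewhere in this commit literal tokens such as `ldap://` and `[SUCCESS=return]` became `.Ql`, and the list head for this very item already marks the value as an argument (`.It Sy SSL Ar start_tls`). Use `.Ql on ,` `.Ql true ,` `.Ql yes` and `.Ql start_tls ,` (or `.Ar`) so the SSL values read like the other configuration literals.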
@@ -890,9 +887,8 @@ The base DN to use when performing
.Nm sudo
LDAP queries.
Typically this is of the form
.Li ou=SUDOers,dc=my-domain,dc=com
for the domain
.Li my-domain.com .
.Ql ou=SUDOers,dc=my-domain,dc=com
for the domain my-domain.com.
Multiple
.Sy SUDOERS_BASE
lines may be specified, in which case they are queried in the order specified.
@@ -932,19 +928,19 @@ when performing a
LDAP query.
Typically, this is of the
form
.Li attribute=value
.Ql attribute=value
or
.Li (&(attribute=value)(attribute2=value2)) .
.Ql (&(attribute=value)(attribute2=value2)) .
The default search filter is:
.Li objectClass=sudoRole .
.Ql objectClass=sudoRole .
If
.Ar ldap_filter
is omitted, no search filter will be used.
.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
Whether or not to evaluate the
.Li sudoNotBefore
.Em sudoNotBefore
and
.Li sudoNotAfter
.Em sudoNotAfter
attributes that implement time-dependent sudoers entries.
.It Sy TIMELIMIT Ar seconds
The
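Review bot: the NETGROUP_SEARCH_FILTER hunk above joins `Typically, this is of the` and `form` into a single line, but the same two-line split is left as is here, immediately before the `.Ql attribute=value` change. Apply the same reflow so the two search-filter descriptions stay parallel.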
@@ -987,9 +983,9 @@ be used to authenticate the client to the LDAP server.
The certificate type depends on the LDAP libraries used.
.Bl -tag -width 4n
.It OpenLDAP:
.Li tls_cert /etc/ssl/client_cert.pem
.Ql tls_cert /etc/ssl/client_cert.pem
.It Netscape-derived:
.Li tls_cert /var/ldap/cert7.db
.Ql tls_cert /var/ldap/cert7.db
.It IBM LDAP:
Unused, the key database specified by
.Sy TLS_KEY
@@ -1023,11 +1019,11 @@ The private key must not be password-protected.
The key type depends on the LDAP libraries used.
.Bl -tag -width 4n
.It OpenLDAP:
.Li tls_key /etc/ssl/client_key.pem
.Ql tls_key /etc/ssl/client_key.pem
.It Netscape-derived:
.Li tls_key /var/ldap/key3.db
.Ql tls_key /var/ldap/key3.db
.It IBM LDAP:
.Li tls_key /usr/ldap/ldapkey.kdb
.Ql tls_key /usr/ldap/ldapkey.kdb
.El
.Pp
When using IBM LDAP libraries, this file may also contain
@@ -1079,15 +1075,15 @@ The
must have the same path as the file specified by
.Sy TLS_KEY ,
but use a
.Li .sth
.Ql .sth
file extension instead of
.Li .kdb ,
e.g.,
.Li ldapkey.sth .
.Ql .kdb ,
for example
.Ql ldapkey.sth .
The default
.Li ldapkey.kdb
.Ql ldapkey.kdb
that ships with the IBM Tivoli Directory Server is encrypted with the password
.Li ssl_password .
.Ql ssl_password .
The
.Em gsk8capicmd
utility can be used to manage the key database and create a
@@ -1149,9 +1145,9 @@ the latter being for servers that support TLS (SSL) encryption.
If no
.Em port
is specified, the default is port 389 for
.Li ldap://
.Ql ldap://
or port 636 for
.Li ldaps:// .
.Ql ldaps:// .
If no
.Em hostname
is specified,
@@ -1164,9 +1160,9 @@ lines are treated identically to a
.Sy URI
line containing multiple entries.
Only systems using the OpenSSL libraries support the mixing of
.Li ldap://
.Ql ldap://
and
.Li ldaps://
.Ql ldaps://
URIs.
Both the Netscape-derived and IBM LDAP libraries used on most commercial
versions of Unix are only capable of supporting one or the other.
@@ -1194,13 +1190,13 @@ to specify the
.Em sudoers
search order.
Sudo looks for a line beginning with
.Li sudoers :
.Em sudoers :
and uses this to determine the search order.
By default,
.Nm sudo
does not stop searching after the first match and later matches take
precedence over earlier ones (unless
.Li [SUCCESS=return]
.Ql [SUCCESS=return]
is used, see below).
The following sources are recognized:
.Pp
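Review bot: `.Em sudoers :` marks a literal nsswitch.conf keyword as emphasis, while `[SUCCESS=return]`, a token from the same file, becomes `.Ql` a few lines later in this hunk. Both are strings the administrator types verbatim, so `.Ql sudoers:` would be the consistent choice; the same reasoning applies to the `auth`, `sss` and `ldap` qualifiers that are changed to `.Em` in the later hunks of this file.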
@@ -1215,14 +1211,14 @@ read sudoers from LDAP
In addition, a subset of
.Pa nsswitch.conf Ns -style
action statements is supported, specifically
.Li [SUCCESS=return]
.Ql [SUCCESS=return]
and
.Li [NOTFOUND=return] .
.Ql [NOTFOUND=return] .
These will unconditionally terminate the search if the user was either
found
.Pq Li [SUCCESS=return]
.Ql [SUCCESS=return]
or not found
.Pq Li [NOTFOUND=return]
.Ql [NOTFOUND=return]
in the immediately preceding source.
Other action statements tokens are not supported, nor is test
negation with
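Review bot: replacing `.Pq Li [SUCCESS=return]` with `.Ql [SUCCESS=return]` (and likewise for `[NOTFOUND=return]`) removes the parentheses along with the `.Li`, so the two tokens that were parenthetical asides after `found` and `not found` now run into the sentence as bare quoted literals. `.Pq Ql [SUCCESS=return]` keeps the parentheses and still drops `.Li`. The troff version of this paragraph earlier in the commit loses the parentheses the same way and should be adjusted to match.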
@@ -1292,11 +1288,11 @@ sudoers = ldap = auth, files
.Ed
.Pp
In the above example, the
.Li auth
.Em auth
qualifier only affects user lookups; both LDAP and
.Em sudoers
will be queried for
.Li Defaults
.Em Defaults
entries.
.Pp
If the
@@ -1318,9 +1314,9 @@ rules.
To use SSSD as the
.Em sudoers
source, you should use
.Li sss
.Em sss
instead of
.Li ldap
.Em ldap
for the sudoers entry in
.Pa @nsswitch_conf@ .
The
@@ -1461,7 +1457,7 @@ Simply copy
it to the schema directory (e.g.,
.Pa /etc/openldap/schema ) ,
add the proper
.Li include
.Em include
line in
.Pa slapd.conf
and restart

File diff suppressed because it is too large

File diff suppressed because it is too large

View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOERS_TIMESTAMP" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS_TIMESTAMP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -29,7 +29,7 @@ plugin uses per-user time stamp files for credential caching.
Once a user has been authenticated, they may use
\fBsudo\fR
without a password for a short period of time
(\fR@timeout@\fR
(\fI@timeout@\fR
minutes unless overridden by the
\fItimestamp_timeout\fR
option)

View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd February 16, 2022
.Dd September 13, 2022
.Dt SUDOERS_TIMESTAMP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -29,7 +29,7 @@ Once a user has been authenticated, they may use
.Nm sudo
without a password for a short period of time
.Po
.Li @timeout@
.Em @timeout@
minutes unless overridden by the
.Em timestamp_timeout
option
@@ -94,19 +94,19 @@ same file but are not inter-operable.
The size of the record in bytes.
.It type
The record type, currently
.Li TS_GLOBAL ,
.Li TS_TTY ,
.Dv TS_GLOBAL ,
.Dv TS_TTY ,
or
.Li TS_PPID .
.Dv TS_PPID .
.It flags
Zero or more record flags which can be bit-wise ORed together.
Supported flags are
.Li TS_DISABLED ,
.Dv TS_DISABLED ,
for records disabled via
.Nm sudo
.Fl k
and
.Li TS_ANYUID ,
.Dv TS_ANYUID ,
which is used only when matching records.
.It auth_uid
The user-ID that was used for authentication.
@@ -120,12 +120,12 @@ the default runas user or the target user.
.It sid
The ID of the user's terminal session, if present.
The session ID is only used when matching records of type
.Li TS_TTY .
.Dv TS_TTY .
.It start_time
The start time of the session leader for records of type
.Li TS_TTY
.Dv TS_TTY
or of the parent process for records of type
.Li TS_PPID .
.Dv TS_PPID .
The
.Em start_time
is used to help prevent re-use of a time stamp record after a
@@ -157,10 +157,10 @@ option, no password is required.
.It u.ttydev
The device number of the terminal associated with the session for
records of type
.Li TS_TTY .
.Dv TS_TTY .
.It u.ppid
The ID of the parent process for records of type
.Li TS_PPID .
.Dv TS_PPID .
.El
.Sh LOCKING
In
@@ -174,7 +174,7 @@ of the entire file and the lock is held for a longer period of time.
This scheme is described below.
.Pp
The first record in the time stamp file is of type
.Li TS_LOCKEXCL
.Dv TS_LOCKEXCL
and is used as a
.Em lock
record to prevent more than one
@@ -182,7 +182,7 @@ record to prevent more than one
process from adding a new record at the same time.
Once the desired time stamp record has been located or created (and
locked), the
.Li TS_LOCKEXCL
.Dv TS_LOCKEXCL
record is unlocked.
The lock on the individual time stamp record, however, is held until
authentication is complete.
@@ -192,7 +192,7 @@ to avoid prompting for a password multiple times when it
is used more than once in a pipeline.
.Pp
Records of type
.Li TS_GLOBAL
.Dv TS_GLOBAL
cannot be locked for a long period of time since doing so would
interfere with other
.Nm sudo

View File

@@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.TH "SUDOREPLAY" "@mansectsu@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDOREPLAY" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -50,7 +50,7 @@ The
\fIID\fR
should either be a six character sequence of digits and
upper case letters, e.g.,
\fR0100A5\fR
\(lq0100A5\(rq
or a path name.
The
\fIID\fR
@@ -76,8 +76,10 @@ with
enabled in the
\fIsudoers\fR
file, a
\fRTSID=ID\fR
string is logged via syslog or to the
\(lqTSID=ID\(rq
string is logged via
syslog(3)
or to the
\fBsudo\fR
log file.
The
@@ -400,7 +402,7 @@ This will be addressed in a future version of
\fBsudoreplay\fR
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
\fRDebug\fR
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.

View File

@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd February 16, 2022
.Dd September 13, 2022
.Dt SUDOREPLAY @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -48,7 +48,7 @@ The
.Em ID
should either be a six character sequence of digits and
upper case letters, e.g.,
.Li 0100A5
.Dq 0100A5
or a path name.
The
.Em ID
@@ -74,8 +74,10 @@ with
enabled in the
.Em sudoers
file, a
.Li TSID=ID
string is logged via syslog or to the
.Dq TSID=ID
string is logged via
.Xr syslog 3
or to the
.Nm sudo
log file.
The
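Review bot: in `.Dq TSID=ID` the `ID` is the I/O log identifier that the rest of this page writes as `.Em ID`, but inside the quotes it is set as literal text, so the reader cannot tell that only `TSID=` is fixed. `.Dq TSID= Ns Em ID` keeps the quotes while marking the variable part. The new `.Xr syslog 3` cross-reference is an improvement over the bare `syslog`.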
@@ -363,7 +365,7 @@ This will be addressed in a future version of
.Nm
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
.Li Debug
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.

View File

@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "VISUDO" "@mansectsu@" "April 23, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "VISUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -289,7 +289,7 @@ include file for syntax errors.
\fBvisudo\fR
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
\fRDebug\fR
\fIDebug\fR
lines in the
sudo.conf(@mansectform@)
file.
@@ -450,7 +450,7 @@ file.
The
\fIsudoers\fR
file contains a
\fRDefaults\fR
\fIDefaults\fR
setting not recognized by
\fBvisudo\fR.
.SH "SEE ALSO"

View File

@@ -20,7 +20,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd April 23, 2022
.Dd September 13, 2022
.Dt VISUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -281,7 +281,7 @@ include file for syntax errors.
.Nm
versions 1.8.4 and higher support a flexible debugging framework
that is configured via
.Li Debug
.Em Debug
lines in the
.Xr sudo.conf @mansectform@
file.
@@ -430,7 +430,7 @@ file.
The
.Em sudoers
file contains a
.Li Defaults
.Em Defaults
setting not recognized by
.Nm .
.El