From c341608072a33c74fa3e534e987d6d3513f19b51 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 13 Sep 2022 19:56:45 -0600 Subject: [PATCH] Remove most uses of the deprecated Li macro which has no effect. Also fix some other incorrect markup. --- docs/cvtsudoers.man.in | 67 ++- docs/cvtsudoers.mdoc.in | 71 ++- docs/sudo.conf.man.in | 100 ++-- docs/sudo.conf.mdoc.in | 100 ++-- docs/sudo.man.in | 49 +- docs/sudo.mdoc.in | 51 +- docs/sudo_logsrv.proto.man.in | 4 +- docs/sudo_logsrv.proto.mdoc.in | 18 +- docs/sudo_logsrvd.conf.man.in | 85 +-- docs/sudo_logsrvd.conf.mdoc.in | 85 +-- docs/sudo_logsrvd.man.in | 2 +- docs/sudo_logsrvd.mdoc.in | 2 +- docs/sudo_plugin.man.in | 10 +- docs/sudo_plugin.mdoc.in | 10 +- docs/sudo_sendlog.man.in | 2 +- docs/sudo_sendlog.mdoc.in | 2 +- docs/sudoers.ldap.man.in | 232 +++++---- docs/sudoers.ldap.mdoc.in | 232 +++++---- docs/sudoers.man.in | 761 +++++++++++++-------------- docs/sudoers.mdoc.in | 911 ++++++++++++++++----------------- docs/sudoers_timestamp.man.in | 4 +- docs/sudoers_timestamp.mdoc.in | 30 +- docs/sudoreplay.man.in | 12 +- docs/sudoreplay.mdoc.in | 12 +- docs/visudo.man.in | 6 +- docs/visudo.mdoc.in | 6 +- 26 files changed, 1398 insertions(+), 1466 deletions(-) diff --git a/docs/cvtsudoers.man.in b/docs/cvtsudoers.man.in index 0a409ade4..ded8f86ec 100644 --- a/docs/cvtsudoers.man.in +++ b/docs/cvtsudoers.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "CVTSUDOERS" "1" "September 2, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual" +.TH "CVTSUDOERS" "1" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "General Commands Manual" .nh .if n .ad l .SH "NAME" @@ -67,9 +67,8 @@ The options are as follows: The base DN (distinguished name) that will be used when performing LDAP queries. Typically this is of the form -\fRou=SUDOers,dc=my-domain,dc=com\fR -for the domain -\fRmy-domain.com\fR. +\(lqou=SUDOers,dc=my-domain,dc=com\(rq +for the domain my-domain.com. If this option is not specified, the value of the \fRSUDOERS_BASE\fR environment variable will be used instead. @@ -82,10 +81,10 @@ Defaults to .TP 12n \fB\-d\fR \fIdeftypes\fR, \fB\--defaults\fR=\fIdeftypes\fR Only convert -\fRDefaults\fR +\fIDefaults\fR entries of the specified types. One or more -\fRDefaults\fR +\fIDefaults\fR types may be specified, separated by a comma (\(oq\&,\(cq). The supported types are: @@ -122,7 +121,7 @@ for more information. If the \fB\-d\fR option is not specified, all -\fRDefaults\fR +\fIDefaults\fR entries will be converted. .RE .TP 12n @@ -265,10 +264,10 @@ For example, or \fBhost\fR = \fIwww\fR. An upper-case -\fRCmnd_Alias\fR, -\fRHost_alias\fR, +\fICmnd_Alias\fR, +\fIHost_alias\fR, or -\fRUser_Alias\fR +\fIUser_Alias\fR may be specified as the \(lqcmnd\(rq, \(lqhost\(rq, @@ -441,7 +440,7 @@ Per-user rules are merged and duplicates are removed. If a host name is specified with the input file, \fBcvtsudoers\fR will change rules that specify a host name of -\fRALL\fR +\fBALL\fR to the host name associated with the policy file being merged. The merging of rules is currently fairly simplistic but will be improved in a later release. @@ -676,7 +675,7 @@ and Host_Aliases A JSON object containing one or more \fIsudoers\fR -\fRHost_Alias\fR +\fIHost_Alias\fR entries where each named alias has as its value an array containing one or more objects. Each object contains a @@ -711,7 +710,7 @@ For example: Cmnd_Aliases A JSON object containing one or more \fIsudoers\fR -\fRCmnd_Alias\fR +\fICmnd_Alias\fR entries where each named alias has as its value an array containing one or more objects. Each object contains a @@ -1006,20 +1005,20 @@ defaults_type The type of \fIDefaults\fR setting; one of -\fRdefaults\fR, -\fRdefaults_command\fR, -\fRdefaults_host\fR, -\fRdefaults_runas\fR, +\fIdefaults\fR, +\fIdefaults_command\fR, +\fIdefaults_host\fR, +\fIdefaults_runas\fR, or -\fRdefaults_user\fR. +\fIdefaults_user\fR. .TP 10n binding For -\fRdefaults_command\fR, -\fRdefaults_host\fR, -\fRdefaults_runas\fR, +\fIdefaults_command\fR, +\fIdefaults_host\fR, +\fIdefaults_runas\fR, and -\fRdefaults_user\fR +\fIdefaults_user\fR this is the value that must match for the setting to be applied. .TP 10n name @@ -1051,11 +1050,11 @@ or .TP 6n aliases This section includes any -\fRCmnd_Alias\fR -\fRHost_Alias\fR, -\fRRunas_Alias\fR, +\fICmnd_Alias\fR +\fIHost_Alias\fR, +\fIRunas_Alias\fR, or -\fRUser_Alias\fR, +\fIUser_Alias\fR, entries from \fIsudoers\fR. The @@ -1073,11 +1072,11 @@ The fields are as follows: .TP 10n alias_type The type of alias; one of -\fRCmnd_Alias\fR, -\fRHost_Alias\fR, -\fRRunas_Alias\fR, +\fICmnd_Alias\fR, +\fIHost_Alias\fR, +\fIRunas_Alias\fR, or -\fRUser_Alias\fR. +\fIUser_Alias\fR. .TP 10n alias_name The name of the alias; a string starting with an upper-case letter that @@ -1127,7 +1126,7 @@ or a netgroup (preceded by a \(oq+\(cq character) or a -\fRUser_Alias\fR. +\fIUser_Alias\fR. If set to the special value \fBALL\fR, it will match any user. @@ -1138,14 +1137,14 @@ This may also be a netgroup (preceded by a \(oq+\(cq character) or a -\fRHost_Alias\fR. +\fIHost_Alias\fR. If set to the special value \fBALL\fR, it will match any host. .TP 10n runusers An optional comma-separated list of users (or -\fRRunas_Alias\fRes) +\fIRunas_Alias\fRes) the command may be run as. If it contains more than one member, the value is surrounded by double quotes. @@ -1157,7 +1156,7 @@ If empty, the root user is assumed. rungroups .br An optional comma-separated list of groups (or -\fRRunas_Alias\fRes) +\fIRunas_Alias\fRes) the command may be run as. If it contains more than one member, the value is surrounded by double quotes. diff --git a/docs/cvtsudoers.mdoc.in b/docs/cvtsudoers.mdoc.in index cfcb3f31b..75cb84784 100644 --- a/docs/cvtsudoers.mdoc.in +++ b/docs/cvtsudoers.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd September 2, 2022 +.Dd September 13, 2022 .Dt CVTSUDOERS 1 .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -65,9 +65,8 @@ The options are as follows: The base DN (distinguished name) that will be used when performing LDAP queries. Typically this is of the form -.Li ou=SUDOers,dc=my-domain,dc=com -for the domain -.Li my-domain.com . +.Dq ou=SUDOers,dc=my-domain,dc=com +for the domain my-domain.com. If this option is not specified, the value of the .Ev SUDOERS_BASE environment variable will be used instead. @@ -78,10 +77,10 @@ Defaults to .Pa @sysconfdir@/cvtsudoers.conf . .It Fl d Ar deftypes , Fl -defaults Ns = Ns Ar deftypes Only convert -.Li Defaults +.Em Defaults entries of the specified types. One or more -.Li Defaults +.Em Defaults types may be specified, separated by a comma .Pq Ql \&, . The supported types are: @@ -110,7 +109,7 @@ for more information. If the .Fl d option is not specified, all -.Li Defaults +.Em Defaults entries will be converted. .It Fl e , Fl -expand-aliases Expand aliases in @@ -218,10 +217,10 @@ For example, or .Sy host No = Ar www . An upper-case -.Li Cmnd_Alias , -.Li Host_alias , +.Em Cmnd_Alias , +.Em Host_alias , or -.Li User_Alias +.Em User_Alias may be specified as the .Dq cmnd , .Dq host , @@ -365,9 +364,9 @@ subsequent aliases of the same name are renamed with a numeric suffix separated with a underscore .Pq Ql _ . For example, if there are two different aliases named -.Li SERVERS , +.Dv SERVERS , the first will be left as-is and the second will be renamed -.Li SERVERS_1 . +.Dv SERVERS_1 . References to the renamed alias are also updated in the policy file. Duplicate aliases (those with identical contents) are pruned. .It @@ -384,7 +383,7 @@ Per-user rules are merged and duplicates are removed. If a host name is specified with the input file, .Nm will change rules that specify a host name of -.Li ALL +.Sy ALL to the host name associated with the policy file being merged. The merging of rules is currently fairly simplistic but will be improved in a later release. @@ -589,7 +588,7 @@ and .It Host_Aliases A JSON object containing one or more .Em sudoers -.Li Host_Alias +.Em Host_Alias entries where each named alias has as its value an array containing one or more objects. Each object contains a @@ -620,7 +619,7 @@ For example: .It Cmnd_Aliases A JSON object containing one or more .Em sudoers -.Li Cmnd_Alias +.Em Cmnd_Alias entries where each named alias has as its value an array containing one or more objects. Each object contains a @@ -893,19 +892,19 @@ The fields are as follows: The type of .Em Defaults setting; one of -.Li defaults , -.Li defaults_command , -.Li defaults_host , -.Li defaults_runas , +.Em defaults , +.Em defaults_command , +.Em defaults_host , +.Em defaults_runas , or -.Li defaults_user . +.Em defaults_user . .It binding For -.Li defaults_command , -.Li defaults_host , -.Li defaults_runas , +.Em defaults_command , +.Em defaults_host , +.Em defaults_runas , and -.Li defaults_user +.Em defaults_user this is the value that must match for the setting to be applied. .It name The name of the @@ -930,11 +929,11 @@ or .El .It aliases This section includes any -.Li Cmnd_Alias -.Li Host_Alias , -.Li Runas_Alias , +.Em Cmnd_Alias +.Em Host_Alias , +.Em Runas_Alias , or -.Li User_Alias , +.Em User_Alias , entries from .Em sudoers . The @@ -948,11 +947,11 @@ The fields are as follows: .Bl -tag -width 8n .It alias_type The type of alias; one of -.Li Cmnd_Alias , -.Li Host_Alias , -.Li Runas_Alias , +.Em Cmnd_Alias , +.Em Host_Alias , +.Em Runas_Alias , or -.Li User_Alias . +.Em User_Alias . .It alias_name The name of the alias; a string starting with an upper-case letter that consists of upper-case letters, digits, or underscores. @@ -990,7 +989,7 @@ or a netgroup (preceded by a .Ql + character) or a -.Li User_Alias . +.Em User_Alias . If set to the special value .Sy ALL , it will match any user. @@ -1000,13 +999,13 @@ This may also be a netgroup (preceded by a .Ql + character) or a -.Li Host_Alias . +.Em Host_Alias . If set to the special value .Sy ALL , it will match any host. .It runusers An optional comma-separated list of users (or -.Li Runas_Alias Ns No es ) +.Em Runas_Alias Ns No es ) the command may be run as. If it contains more than one member, the value is surrounded by double quotes. @@ -1016,7 +1015,7 @@ it will match any user. If empty, the root user is assumed. .It rungroups An optional comma-separated list of groups (or -.Li Runas_Alias Ns No es ) +.Em Runas_Alias Ns No es ) the command may be run as. If it contains more than one member, the value is surrounded by double quotes. diff --git a/docs/sudo.conf.man.in b/docs/sudo.conf.man.in index e5433a1b0..485c1fd02 100644 --- a/docs/sudo.conf.man.in +++ b/docs/sudo.conf.man.in @@ -70,17 +70,17 @@ Leading white space is removed from the beginning of lines even when a continuation character is used. .PP Non-comment lines that don't begin with -\fRPlugin\fR, -\fRPath\fR, -\fRDebug\fR, +\fIPlugin\fR, +\fIPath\fR, +\fIDebug\fR, or -\fRSet\fR +\fISet\fR are silently ignored. .PP The \fBsudo.conf\fR file is always parsed in the -\(lq\fRC\fR\(rq +\(oqC\(cq locale. .SS "Plugin configuration" \fBsudo\fR @@ -94,9 +94,9 @@ Plugins are dynamically loaded based on the contents of \fBsudo.conf\fR. .PP A -\fRPlugin\fR +\fIPlugin\fR line consists of the -\fRPlugin\fR +\fIPlugin\fR keyword, followed by the \fIsymbol_name\fR and the @@ -105,14 +105,14 @@ to the dynamic shared object that contains the plugin. The \fIsymbol_name\fR is the name of the -\fRapproval_plugin\fR, -\fRaudit_plugin\fR, -\fRio_plugin\fR, +\fIstruct approval_plugin\fR, +\fIstruct audit_plugin\fR, +\fIstruct io_plugin\fR, or -\fRpolicy_plugin\fR -struct contained in the plugin. +\fIstruct policy_plugin\fR +defined by the plugin. If a plugin implements multiple plugin types, there must be a -\fRPlugin\fR +\fIPlugin\fR line for each unique symbol name. The \fIpath\fR @@ -120,7 +120,7 @@ may be fully qualified or relative. If not fully qualified, it is relative to the directory specified by the \fIplugin_dir\fR -\fRPath\fR +\fIPath\fR setting, which defaults to \fI@plugindir@\fR. In other words: @@ -182,7 +182,7 @@ This limitation does not apply to I/O plugins. If no \fBsudo.conf\fR file is present, or if it contains no -\fRPlugin\fR +\fIPlugin\fR lines, the \fBsudoers\fR plugin will be used as the default security policy, for I/O logging @@ -221,9 +221,9 @@ sudo_plugin(@mansectform@) manual. .SS "Path settings" A -\fRPath\fR +\fIPath\fR line consists of the -\fRPath\fR +\fIPath\fR keyword, followed by the name of the path to set and its value. For example: .nf @@ -238,7 +238,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass If no path name is specified, features relying on the specified setting will be disabled. Disabling -\fRPath\fR +\fIPath\fR settings is only supported in \fBsudo\fR version 1.8.16 and higher. @@ -277,7 +277,7 @@ If terminal devices may be located in a sub-directory of that path must be explicitly listed in \fIdevsearch\fR. The default value is -\fR/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR +\fI/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev\fR .sp This option is ignored on systems that support either the \fBdevname\fR() @@ -290,15 +290,15 @@ macOS and Solaris. intercept .br The fully-qualified path to a shared library containing a wrappers for the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +execv(3), +execvp(3), +execvpe(3), and -\fBsystem\fR() +system(3) library functions that intercepts attempts to run further commands and performs a policy check before allowing them to be executed. This is used to implement the @@ -312,23 +312,23 @@ The default value is noexec The fully-qualified path to a shared library containing wrappers for the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexect\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecveat\fR(), -\fBexecvP\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), -\fBfexecve\fR(), -\fBpopen\fR(), -\fBposix_spawn\fR(), -\fBposix_spawnp\fR(), -\fBsystem\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +exect(3), +execv(3), +execveat(3), +execvP(3), +execvp(3), +execvpe(3), +fexecve(3), +popen(3), +posix_spawn(3), +posix_spawnp(3), +system(3), and -\fBwordexp\fR() +wordexp(3) library functions that prevent the execution of further commands. This is used to implement the \fInoexec\fR @@ -569,9 +569,9 @@ that can log what is doing internally if there is a problem. .PP A -\fRDebug\fR +\fIDebug\fR line consists of the -\fRDebug\fR +\fIDebug\fR keyword, followed by the name of the program, plugin, or shared object to debug, the debug file name, and a comma-separated list of debug flags. The debug flag syntax used by @@ -613,25 +613,25 @@ intercept functionality on some systems. As of \fBsudo\fR 1.8.12, multiple -\fRDebug\fR +\fIDebug\fR entries may be specified per program. Older versions of \fBsudo\fR only support a single -\fRDebug\fR +\fIDebug\fR entry per program. Plugin-specific -\fRDebug\fR +\fIDebug\fR entries are also supported starting with \fBsudo\fR 1.8.12 and are matched by either the base name of the plugin that was loaded (for example -\fRsudoers.so\fR) +\fIsudoers.so\fR) or by the plugin's fully-qualified path name. Previously, the \fBsudoers\fR plugin shared the same -\fRDebug\fR +\fIDebug\fR entry as the \fBsudo\fR front-end and could not be configured separately. diff --git a/docs/sudo.conf.mdoc.in b/docs/sudo.conf.mdoc.in index add83a667..20c898edb 100644 --- a/docs/sudo.conf.mdoc.in +++ b/docs/sudo.conf.mdoc.in @@ -67,17 +67,17 @@ Leading white space is removed from the beginning of lines even when a continuation character is used. .Pp Non-comment lines that don't begin with -.Li Plugin , -.Li Path , -.Li Debug , +.Em Plugin , +.Em Path , +.Em Debug , or -.Li Set +.Em Set are silently ignored. .Pp The .Nm file is always parsed in the -.Dq Li C +.Ql C locale. .Ss Plugin configuration .Nm sudo @@ -91,9 +91,9 @@ Plugins are dynamically loaded based on the contents of .Nm . .Pp A -.Li Plugin +.Em Plugin line consists of the -.Li Plugin +.Em Plugin keyword, followed by the .Em symbol_name and the @@ -102,14 +102,14 @@ to the dynamic shared object that contains the plugin. The .Em symbol_name is the name of the -.Li approval_plugin , -.Li audit_plugin , -.Li io_plugin , +.Vt struct approval_plugin , +.Vt struct audit_plugin , +.Vt struct io_plugin , or -.Li policy_plugin -struct contained in the plugin. +.Vt struct policy_plugin +defined by the plugin. If a plugin implements multiple plugin types, there must be a -.Li Plugin +.Em Plugin line for each unique symbol name. The .Em path @@ -117,7 +117,7 @@ may be fully qualified or relative. If not fully qualified, it is relative to the directory specified by the .Em plugin_dir -.Li Path +.Em Path setting, which defaults to .Pa @plugindir@ . In other words: @@ -167,7 +167,7 @@ This limitation does not apply to I/O plugins. If no .Nm file is present, or if it contains no -.Li Plugin +.Em Plugin lines, the .Nm sudoers plugin will be used as the default security policy, for I/O logging @@ -203,9 +203,9 @@ plugin architecture, see the manual. .Ss Path settings A -.Li Path +.Em Path line consists of the -.Li Path +.Em Path keyword, followed by the name of the path to set and its value. For example: .Bd -literal -offset 4n @@ -217,7 +217,7 @@ Path askpass /usr/X11R6/bin/ssh-askpass If no path name is specified, features relying on the specified setting will be disabled. Disabling -.Li Path +.Em Path settings is only supported in .Nm sudo version 1.8.16 and higher. @@ -254,7 +254,7 @@ If terminal devices may be located in a sub-directory of that path must be explicitly listed in .Em devsearch . The default value is -.Li /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev +.Pa /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev .Pp This option is ignored on systems that support either the .Fn devname @@ -265,15 +265,15 @@ functions, for example macOS and Solaris. .It intercept The fully-qualified path to a shared library containing a wrappers for the -.Fn execl , -.Fn execle , -.Fn execlp , -.Fn execv , -.Fn execve , -.Fn execvp , -.Fn execvpe , +.Xr execve 2 , +.Xr execl 3 , +.Xr execle 3 , +.Xr execlp 3 , +.Xr execv 3 , +.Xr execvp 3 , +.Xr execvpe 3 , and -.Fn system +.Xr system 3 library functions that intercepts attempts to run further commands and performs a policy check before allowing them to be executed. This is used to implement the @@ -286,23 +286,23 @@ The default value is .It noexec The fully-qualified path to a shared library containing wrappers for the -.Fn execl , -.Fn execle , -.Fn execlp , -.Fn exect , -.Fn execv , -.Fn execve , -.Fn execveat , -.Fn execvP , -.Fn execvp , -.Fn execvpe , -.Fn fexecve , -.Fn popen , -.Fn posix_spawn , -.Fn posix_spawnp , -.Fn system , +.Xr execve 2 , +.Xr execl 3 , +.Xr execle 3 , +.Xr execlp 3 , +.Xr exect 3 , +.Xr execv 3 , +.Xr execveat 3 , +.Xr execvP 3 , +.Xr execvp 3 , +.Xr execvpe 3 , +.Xr fexecve 3 , +.Xr popen 3 , +.Xr posix_spawn 3 , +.Xr posix_spawnp 3 , +.Xr system 3 , and -.Fn wordexp +.Xr wordexp 3 library functions that prevent the execution of further commands. This is used to implement the .Em noexec @@ -519,9 +519,9 @@ that can log what is doing internally if there is a problem. .Pp A -.Li Debug +.Em Debug line consists of the -.Li Debug +.Em Debug keyword, followed by the name of the program, plugin, or shared object to debug, the debug file name, and a comma-separated list of debug flags. The debug flag syntax used by @@ -557,25 +557,25 @@ intercept functionality on some systems. As of .Nm sudo 1.8.12, multiple -.Li Debug +.Em Debug entries may be specified per program. Older versions of .Nm sudo only support a single -.Li Debug +.Em Debug entry per program. Plugin-specific -.Li Debug +.Em Debug entries are also supported starting with .Nm sudo 1.8.12 and are matched by either the base name of the plugin that was loaded (for example -.Li sudoers.so ) +.Pa sudoers.so ) or by the plugin's fully-qualified path name. Previously, the .Nm sudoers plugin shared the same -.Li Debug +.Em Debug entry as the .Nm sudo front-end and could not be configured separately. diff --git a/docs/sudo.man.in b/docs/sudo.man.in index 8d4f6e30b..8b95deefe 100644 --- a/docs/sudo.man.in +++ b/docs/sudo.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDO" "@mansectsu@" "August 2, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -135,9 +135,7 @@ time limit. This limit is policy-specific; the default password prompt timeout for the \fIsudoers\fR -security policy is -\fR@password_timeout@\fR -minutes. +security policy is @password_timeout@ minutes. .PP Security policies may support credential caching to allow the user to run @@ -145,9 +143,7 @@ to run again for a period of time without requiring authentication. By default, the \fIsudoers\fR -policy caches credentials on a per-terminal basis for -\fR@timeout@\fR -minutes. +policy caches credentials on a per-terminal basis for @timeout@ minutes. See the \fItimestamp_type\fR and @@ -399,7 +395,7 @@ may be either a group name or a numeric group-ID prefixed with the \(oq#\(cq character (e.g., -\fR#0\fR +\(oq#0\(cq for GID 0). When running a command as a GID, many shells require that the \(oq#\(cq @@ -574,7 +570,7 @@ policy: .RS 12n .PD 0 .TP 4n -\fR%H\fR +%H expanded to the host name including the domain name (only if the machine's host name is fully qualified or the \fIfqdn\fR @@ -582,10 +578,10 @@ option is set in sudoers(@mansectform@)) .PD .TP 4n -\fR%h\fR +%h expanded to the local host name without the domain name .TP 4n -\fR%p\fR +%p expanded to the name of the user whose password is being requested (respects the \fIrootpw\fR, @@ -595,16 +591,16 @@ and flags in sudoers(@mansectform@)) .TP 4n -\fR\&%U\fR +\&%U expanded to the login name of the user the command will be run as (defaults to root unless the \fB\-u\fR option is also specified) .TP 4n -\fR%u\fR +%u expanded to the invoking user's login name .TP 4n -\fR%%\fR +%% two consecutive \(oq%\(cq characters are collapsed into a single @@ -707,7 +703,7 @@ may be either a user name or a numeric user-ID prefixed with the \(oq#\(cq character (e.g., -\fR#0\fR +\(oq#0\(cq for UID 0). When running commands as a UID, many shells require that the \(oq#\(cq @@ -740,9 +736,7 @@ For the \fIsudoers\fR plugin, this extends the \fBsudo\fR -timeout for another -\fR@timeout@\fR -minutes by default, but does not run a command. +timeout for another @timeout@ minutes by default, but does not run a command. Not all security policies support cached credentials. .TP 12n \fB\--\fR @@ -778,7 +772,7 @@ option is set in the command to be run has the \fRSETENV\fR tag set or the command matched is -\fRALL\fR, +\fBALL\fR, the user may set variables that would otherwise be forbidden. See sudoers(@mansectform@) @@ -986,7 +980,7 @@ run in a new pty, may execute the command directly instead of running it as a child process. .SS "Plugins" Plugins may be specified via -\fRPlugin\fR +\fIPlugin\fR directives in the sudo.conf(@mansectform@) file. @@ -997,7 +991,7 @@ binary. If no sudo.conf(@mansectform@) file is present, or if it doesn't contain any -\fRPlugin\fR +\fIPlugin\fR lines, \fBsudo\fR will use @@ -1086,9 +1080,9 @@ By default, \fBsudo\fR will only log the command it explicitly runs. If a user runs a command such as -\fRsudo su\fR +\(oqsudo su\(cq or -\fRsudo sh\fR, +\(oqsudo sh\(cq, subsequent commands run from that shell are not subject to \fBsudo\fR's security policy. @@ -1176,7 +1170,7 @@ or when is enabled in \fIsudoers\fR and -\fIHOME\fR +\fRHOME\fR is not present in the \fIenv_keep\fR list. @@ -1226,8 +1220,7 @@ Default editor to use in Set to the group-ID of the user who invoked sudo. .TP 17n \fRSUDO_PROMPT\fR -Used as the default password prompt unless -the +Used as the default password prompt unless the \fB\-p\fR option was specified. .TP 17n @@ -1315,7 +1308,7 @@ $ sudo shutdown -r +15 "quick reboot" .PP To make a usage listing of the directories in the /home partition. The commands are run in a sub-shell to allow the -\fRcd\fR +\(oqcd\(cq command and file redirection to work. .nf .sp @@ -1500,7 +1493,7 @@ plugin's functionality. .PP It is not meaningful to run the -\fRcd\fR +\(oqcd\(cq command directly via sudo, e.g., .nf .sp diff --git a/docs/sudo.mdoc.in b/docs/sudo.mdoc.in index f5a687e74..82985f2da 100644 --- a/docs/sudo.mdoc.in +++ b/docs/sudo.mdoc.in @@ -24,7 +24,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd August 2, 2022 +.Dd September 13, 2022 .Dt SUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -139,9 +139,7 @@ time limit. This limit is policy-specific; the default password prompt timeout for the .Em sudoers -security policy is -.Li @password_timeout@ -minutes. +security policy is @password_timeout@ minutes. .Pp Security policies may support credential caching to allow the user to run @@ -149,9 +147,7 @@ to run again for a period of time without requiring authentication. By default, the .Em sudoers -policy caches credentials on a per-terminal basis for -.Li @timeout@ -minutes. +policy caches credentials on a per-terminal basis for @timeout@ minutes. See the .Em timestamp_type and @@ -380,7 +376,7 @@ may be either a group name or a numeric group-ID prefixed with the .Ql # character (e.g., -.Li #0 +.Ql #0 for GID 0). When running a command as a GID, many shells require that the .Ql # @@ -537,15 +533,15 @@ escape sequences are supported by the .Em sudoers policy: .Bl -tag -width 2n -.It Li %H +.It %H expanded to the host name including the domain name (only if the machine's host name is fully qualified or the .Em fqdn option is set in .Xr sudoers @mansectform@ ) -.It Li %h +.It %h expanded to the local host name without the domain name -.It Li %p +.It %p expanded to the name of the user whose password is being requested (respects the .Em rootpw , @@ -554,14 +550,14 @@ and .Em runaspw flags in .Xr sudoers @mansectform@ ) -.It Li \&%U +.It \&%U expanded to the login name of the user the command will be run as (defaults to root unless the .Fl u option is also specified) -.It Li %u +.It %u expanded to the invoking user's login name -.It Li %% +.It %% two consecutive .Ql % characters are collapsed into a single @@ -656,7 +652,7 @@ may be either a user name or a numeric user-ID prefixed with the .Ql # character (e.g., -.Li #0 +.Ql #0 for UID 0). When running commands as a UID, many shells require that the .Ql # @@ -687,9 +683,7 @@ For the .Em sudoers plugin, this extends the .Nm -timeout for another -.Li @timeout@ -minutes by default, but does not run a command. +timeout for another @timeout@ minutes by default, but does not run a command. Not all security policies support cached credentials. .It Fl - The @@ -723,9 +717,9 @@ If the option is set in .Em sudoers , the command to be run has the -.Li SETENV +.Dv SETENV tag set or the command matched is -.Li ALL , +.Sy ALL , the user may set variables that would otherwise be forbidden. See .Xr sudoers @mansectform@ @@ -922,7 +916,7 @@ run in a new pty, may execute the command directly instead of running it as a child process. .Ss Plugins Plugins may be specified via -.Li Plugin +.Em Plugin directives in the .Xr sudo.conf @mansectform@ file. @@ -933,7 +927,7 @@ binary. If no .Xr sudo.conf @mansectform@ file is present, or if it doesn't contain any -.Li Plugin +.Em Plugin lines, .Nm will use @@ -1022,9 +1016,9 @@ By default, .Nm will only log the command it explicitly runs. If a user runs a command such as -.Li sudo su +.Ql sudo su or -.Li sudo sh , +.Ql sudo sh , subsequent commands run from that shell are not subject to .Nm sudo Ns 's security policy. @@ -1107,7 +1101,7 @@ or when is enabled in .Em sudoers and -.Em HOME +.Ev HOME is not present in the .Em env_keep list. @@ -1149,8 +1143,7 @@ Default editor to use in .It Ev SUDO_GID Set to the group-ID of the user who invoked sudo. .It Ev SUDO_PROMPT -Used as the default password prompt unless -the +Used as the default password prompt unless the .Fl p option was specified. .It Ev SUDO_PS1 @@ -1217,7 +1210,7 @@ $ sudo shutdown -r +15 "quick reboot" .Pp To make a usage listing of the directories in the /home partition. The commands are run in a sub-shell to allow the -.Li cd +.Ql cd command and file redirection to work. .Bd -literal -offset 4n $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" @@ -1385,7 +1378,7 @@ plugin's functionality. .Pp It is not meaningful to run the -.Li cd +.Ql cd command directly via sudo, e.g., .Bd -literal -offset 4n $ sudo cd /usr/local/protected diff --git a/docs/sudo_logsrv.proto.man.in b/docs/sudo_logsrv.proto.man.in index 5e0e1a91e..fadb8b6ec 100644 --- a/docs/sudo_logsrv.proto.man.in +++ b/docs/sudo_logsrv.proto.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_LOGSRV.PROTO" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -93,7 +93,7 @@ message TimeSpec { A \fITimeSpec\fR is the equivalent of a POSIX -\fRstruct timespec\fR, +\fIstruct timespec\fR, containing seconds and nanoseconds members. The \fItv_sec\fR diff --git a/docs/sudo_logsrv.proto.mdoc.in b/docs/sudo_logsrv.proto.mdoc.in index af9239c29..daa4a551b 100644 --- a/docs/sudo_logsrv.proto.mdoc.in +++ b/docs/sudo_logsrv.proto.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd February 16, 2022 +.Dd September 13, 2022 .Dt SUDO_LOGSRV.PROTO @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -87,7 +87,7 @@ message TimeSpec { A .Em TimeSpec is the equivalent of a POSIX -.Li struct timespec , +.Vt struct timespec , containing seconds and nanoseconds members. The .Em tv_sec @@ -237,10 +237,10 @@ If the command was terminated by a signal, this is set to the name of the signal without the leading .Dq SIG . For example, -.Li INT , -.Li TERM , -.Li KILL , -.Li SEGV . +.Dv INT , +.Dv TERM , +.Dv KILL , +.Dv SEGV . .It error A message from the client indicating that the command was terminated unexpectedly due to an error. @@ -397,9 +397,9 @@ should be calculated using a monotonic clock where possible. The signal name without the leading .Dq SIG . For example, -.Li STOP , -.Li TSTP , -.Li CONT . +.Dv STOP , +.Dv TSTP , +.Dv CONT . .El .Sh Server Messages A diff --git a/docs/sudo_logsrvd.conf.man.in b/docs/sudo_logsrvd.conf.man.in index 84b5b03e8..ccdcca481 100644 --- a/docs/sudo_logsrvd.conf.man.in +++ b/docs/sudo_logsrvd.conf.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -168,14 +168,16 @@ will enable the TCP keepalive socket option on the client connection. This enables the periodic transmission of keepalive messages to the client. If the client does not respond to a message in time, the connection will be closed. -Defaults to true. +Defaults to +\fItrue\fR. .TP 10n timeout = number The amount of time, in seconds, \fBsudo_logsrvd\fR will wait for the client to respond. A value of 0 will disable the timeout. -The default value is 30. +The default value is +\fI30\fR. .TP 10n tls_cacert = path The path to a certificate authority bundle file, in PEM format, @@ -202,7 +204,7 @@ authority, the setting must be set to a CA bundle that contains the CA certificate used to generate the client certificate. The default value is -\fRfalse\fR. +\fIfalse\fR. .TP 10n tls_ciphers_v12 = string A list of ciphers to use for connections secured by TLS version 1.2 only, @@ -214,7 +216,7 @@ section in openssl-ciphers(1) for full details. The default value is -\fRHIGH:!aNULL\fR +\(lqHIGH:!aNULL\(rq which consists of encryption cipher suites with key lengths larger than 128 bits, and some cipher suites with 128-bit keys. Cipher suites that offer no authentication are excluded. @@ -241,7 +243,8 @@ TLS_AES_128_CCM_8_SHA256 .RE .RS 10n .sp -The default cipher suite is TLS_AES_256_GCM_SHA384. +The default cipher suite is +\(lqTLS_AES_256_GCM_SHA384\(rq. .RE .PD .TP 10n @@ -274,7 +277,8 @@ configuration is changed. If false, no verification is performed of the server certificate. When using self-signed certificates without a certificate authority, this setting should be set to false. -The default value is true. +The default value is +\fItrue\fR. .SS "relay" The \fIrelay\fR @@ -301,7 +305,8 @@ setting controls the amount of time \fBsudo_logsrvd\fR will wait for the relay to respond. A value of 0 will disable the timeout. -The default value is 30. +The default value is +\fI30\fR. .TP 10n relay_dir = path The directory in which log messages are temporarily stored before they @@ -339,7 +344,8 @@ lines are specified, the first available relay host will be used. retry_interval = number The number of seconds to wait after a connection error before making a new attempt to forward a message to a relay host. -The default value is 30 seconds. +The default value is +\fI30\fR. .TP 10n store_first = boolean If true, @@ -365,7 +371,8 @@ The amount of time, in seconds, \fBsudo_logsrvd\fR will wait for the relay server to respond after a connection has succeeded. A value of 0 will disable the timeout. -The default value is 30. +The default value is +\fI30\fR. .TP 10n tls_cacert = path The path to a certificate authority bundle file, in PEM format, @@ -455,7 +462,7 @@ If set, I/O logs will be compressed using Enabling compression can make it harder to view the logs in real-time as the program is executing due to buffering. The default value is -\fRfalse\fR. +\fIfalse\fR. .TP 10n iolog_dir = path The top-level directory to use when constructing the path @@ -471,30 +478,30 @@ escape sequences are supported: .RS 10n .PD 0 .TP 6n -\fR%{seq}\fR +%{seq} expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g., \fI01/00/A5\fR .PD .TP 6n -\fR%{user}\fR +%{user} expanded to the invoking user's login name .TP 6n -\fR%{group}\fR +%{group} expanded to the name of the invoking user's real group-ID .TP 6n -\fR%{runas_user}\fR +%{runas_user} expanded to the login name of the user the command will be run as (e.g., root) .TP 6n -\fR%{runas_group}\fR +%{runas_group} expanded to the group name of the user the command will be run as (e.g., wheel) .TP 6n -\fR%{hostname}\fR +%{hostname} expanded to the local host name without the domain name .TP 6n -\fR%{command}\fR +%{command} expanded to the base name of the command being run .PP In addition, any escape sequences supported by the system's @@ -516,7 +523,7 @@ It is possible for \fIiolog_file\fR to contain directory components. The default value is -\fR%{seq}\fR. +\(lq%{seq}\(rq. .sp See the \fIiolog_dir\fR @@ -526,9 +533,9 @@ escape sequences. .sp In addition to the escape sequences, path names that end in six or more -\fRX\fRs +\fIX\fRs will have the -\fRX\fRs +\fIX\fRs replaced with a unique combination of digits and letters, similar to the mktemp(3) function. @@ -542,7 +549,7 @@ overwritten unless \fIiolog_file\fR ends in six or more -\fRX\fRs. +\fIX\fRs. .TP 10n iolog_flush = boolean If set, I/O log data is flushed to disk after each write instead of @@ -553,7 +560,7 @@ of I/O log compression. I/O logs are always flushed before sending a commit point to the client regardless of this setting. The default value is -\fRtrue\fR. +\fItrue\fR. .TP 10n iolog_group = name The group name to look up when setting the group-ID on new I/O log @@ -579,7 +586,7 @@ When creating I/O log directories, search (execute) bits are added to match the read and write bits specified by \fIiolog_mode\fR. The default value is -\fR0600\fR. +\fI0600\fR. .TP 10n iolog_user = name The user name to look up when setting the owner of new @@ -599,7 +606,7 @@ the password will still be present in the I/O log. If \fIlog_passwords\fR is set to -\fRfalse\fR, +\fIfalse\fR, \fBsudo_logsrvd\fR will attempt to prevent passwords from being logged. It does this by using the regular expressions in @@ -617,16 +624,16 @@ when the option is set), only the first character of the password will be replaced in the I/O log. The default value is -\fRtrue\fR. +\fItrue\fR. .TP 10n maxseq = number The maximum sequence number that will be substituted for the -\(lq\fR%{seq}\fR\(rq +\(lq%{seq}\(rq escape in the I/O log file (see the \fIiolog_dir\fR description above for more information). While the value substituted for -\(lq\fR%{seq}\fR\(rq +\(lq%{seq}\(rq is in base 36, \fImaxseq\fR itself should be expressed in decimal. @@ -634,7 +641,8 @@ Values larger than 2176782336 (which corresponds to the base 36 sequence number \(lqZZZZZZ\(rq) will be silently truncated to 2176782336. -The default value is 2176782336. +The default value is +\fI2176782336\fR. .TP 10n passprompt_regex = string One or more POSIX extended regular expressions used to @@ -669,7 +677,8 @@ log_exit = boolean If true, \fBsudo_logsrvd\fR will log an event when a command exits or is terminated by a signal. -Defaults to false. +Defaults to +\fIfalse\fR. .TP 6n log_format = string The event log format. @@ -691,7 +700,7 @@ syslog(3). facility = string Syslog facility if syslog is being used for logging. Defaults to -\fR@logfac@\fR. +\fI@logfac@\fR. .sp The following syslog facilities are supported: \fBauthpriv\fR @@ -714,7 +723,7 @@ accept_priority = string Syslog priority to use when the user is allowed to run a command and authentication is successful. Defaults to -\fR@goodpri@\fR. +\fI@goodpri@\fR. .sp The following syslog priorities are supported: \fBalert\fR, @@ -735,7 +744,7 @@ reject_priority = string Syslog priority to use when the user is not allowed to run a command or when authentication is unsuccessful. Defaults to -\fR@badpri@\fR. +\fI@badpri@\fR. .sp See \fIaccept_priority\fR @@ -744,7 +753,7 @@ for the list of supported syslog priorities. alert_priority = string Syslog priority to use for event log alert messages received from the client. Defaults to -\fR@badpri@\fR. +\fI@badpri@\fR. .sp See \fIaccept_priority\fR @@ -779,7 +788,7 @@ server_facility = string Syslog facility if syslog is being used for server warning messages. See above for a list of supported facilities. Defaults to -\fRdaemon\fR +\fIdaemon\fR .SS "logfile" The \fIlogfile\fR @@ -800,10 +809,12 @@ Formatting is performed via the system's strftime(3) function so any escape sequences supported by that function will be expanded. The default value is -\(lq\fR%h %e %T\fR\(rq +\(lq%h %e %T\(rq which produces dates like \(lqOct 3 07:15:24\(rq -in the C locale. +in the +\(oqC\(cq +locale. .SH "FILES" .TP 26n \fI@sysconfdir@/sudo_logsrvd.conf\fR diff --git a/docs/sudo_logsrvd.conf.mdoc.in b/docs/sudo_logsrvd.conf.mdoc.in index ba017e1a5..d3a388d99 100644 --- a/docs/sudo_logsrvd.conf.mdoc.in +++ b/docs/sudo_logsrvd.conf.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd February 16, 2022 +.Dd September 13, 2022 .Dt SUDO_LOGSRVD.CONF @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -152,13 +152,15 @@ will enable the TCP keepalive socket option on the client connection. This enables the periodic transmission of keepalive messages to the client. If the client does not respond to a message in time, the connection will be closed. -Defaults to true. +Defaults to +.Em true . .It timeout = number The amount of time, in seconds, .Nm sudo_logsrvd will wait for the client to respond. A value of 0 will disable the timeout. -The default value is 30. +The default value is +.Em 30 . .It tls_cacert = path The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database @@ -182,7 +184,7 @@ authority, the setting must be set to a CA bundle that contains the CA certificate used to generate the client certificate. The default value is -.Li false . +.Em false . .It tls_ciphers_v12 = string A list of ciphers to use for connections secured by TLS version 1.2 only, separated by a colon @@ -193,7 +195,7 @@ section in .Xr openssl-ciphers 1 for full details. The default value is -.Li HIGH:!aNULL +.Dq HIGH:!aNULL which consists of encryption cipher suites with key lengths larger than 128 bits, and some cipher suites with 128-bit keys. Cipher suites that offer no authentication are excluded. @@ -212,7 +214,8 @@ but should include the following: .It TLS_AES_128_CCM_8_SHA256 .El .Pp -The default cipher suite is TLS_AES_256_GCM_SHA384. +The default cipher suite is +.Dq TLS_AES_256_GCM_SHA384 . .It tls_dhparams = path The path to a file containing custom Diffie-Hellman parameters in PEM format. This file can be created with the following command: @@ -235,7 +238,8 @@ configuration is changed. If false, no verification is performed of the server certificate. When using self-signed certificates without a certificate authority, this setting should be set to false. -The default value is true. +The default value is +.Em true . .El .Ss relay The @@ -263,7 +267,8 @@ setting controls the amount of time .Nm sudo_logsrvd will wait for the relay to respond. A value of 0 will disable the timeout. -The default value is 30. +The default value is +.Em 30 . .It relay_dir = path The directory in which log messages are temporarily stored before they are sent to the relay host. @@ -298,7 +303,8 @@ lines are specified, the first available relay host will be used. .It retry_interval = number The number of seconds to wait after a connection error before making a new attempt to forward a message to a relay host. -The default value is 30 seconds. +The default value is +.Em 30 . .It store_first = boolean If true, .Nm sudo_logsrvd @@ -321,7 +327,8 @@ The amount of time, in seconds, .Nm sudo_logsrvd will wait for the relay server to respond after a connection has succeeded. A value of 0 will disable the timeout. -The default value is 30. +The default value is +.Em 30 . .It tls_cacert = path The path to a certificate authority bundle file, in PEM format, to use instead of the system's default certificate authority database @@ -404,7 +411,7 @@ If set, I/O logs will be compressed using Enabling compression can make it harder to view the logs in real-time as the program is executing due to buffering. The default value is -.Li false . +.Em false . .It iolog_dir = path The top-level directory to use when constructing the path name for the I/O log directory. @@ -416,23 +423,23 @@ The following percent .Pq Ql % escape sequences are supported: .Bl -tag -width 4n -.It Li %{seq} +.It %{seq} expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g., .Pa 01/00/A5 -.It Li %{user} +.It %{user} expanded to the invoking user's login name -.It Li %{group} +.It %{group} expanded to the name of the invoking user's real group-ID -.It Li %{runas_user} +.It %{runas_user} expanded to the login name of the user the command will be run as (e.g., root) -.It Li %{runas_group} +.It %{runas_group} expanded to the group name of the user the command will be run as (e.g., wheel) -.It Li %{hostname} +.It %{hostname} expanded to the local host name without the domain name -.It Li %{command} +.It %{command} expanded to the base name of the command being run .El .Pp @@ -453,7 +460,7 @@ It is possible for .Em iolog_file to contain directory components. The default value is -.Li %{seq} . +.Dq %{seq} . .Pp See the .Em iolog_dir @@ -463,9 +470,9 @@ escape sequences. .Pp In addition to the escape sequences, path names that end in six or more -.Li X Ns s +.Em X Ns s will have the -.Li X Ns s +.Em X Ns s replaced with a unique combination of digits and letters, similar to the .Xr mktemp 3 function. @@ -479,7 +486,7 @@ overwritten unless .Em iolog_file ends in six or more -.Li X Ns s . +.Em X Ns s . .It iolog_flush = boolean If set, I/O log data is flushed to disk after each write instead of buffering it. @@ -489,7 +496,7 @@ of I/O log compression. I/O logs are always flushed before sending a commit point to the client regardless of this setting. The default value is -.Li true . +.Em true . .It iolog_group = name The group name to look up when setting the group-ID on new I/O log files and directories. @@ -513,7 +520,7 @@ When creating I/O log directories, search (execute) bits are added to match the read and write bits specified by .Em iolog_mode . The default value is -.Li 0600 . +.Em 0600 . .It iolog_user = name The user name to look up when setting the owner of new I/O log files and directories. @@ -531,7 +538,7 @@ the password will still be present in the I/O log. If .Em log_passwords is set to -.Li false , +.Em false , .Nm sudo_logsrvd will attempt to prevent passwords from being logged. It does this by using the regular expressions in @@ -549,15 +556,15 @@ when the option is set), only the first character of the password will be replaced in the I/O log. The default value is -.Li true . +.Em true . .It maxseq = number The maximum sequence number that will be substituted for the -.Dq Li %{seq} +.Dq %{seq} escape in the I/O log file (see the .Em iolog_dir description above for more information). While the value substituted for -.Dq Li %{seq} +.Dq %{seq} is in base 36, .Em maxseq itself should be expressed in decimal. @@ -565,7 +572,8 @@ Values larger than 2176782336 (which corresponds to the base 36 sequence number .Dq ZZZZZZ ) will be silently truncated to 2176782336. -The default value is 2176782336. +The default value is +.Em 2176782336 . .It passprompt_regex = string One or more POSIX extended regular expressions used to match password prompts in the terminal output when @@ -599,7 +607,8 @@ The default value is If true, .Nm sudo_logsrvd will log an event when a command exits or is terminated by a signal. -Defaults to false. +Defaults to +.Em false . .It log_format = string The event log format. Supported log formats are @@ -621,7 +630,7 @@ section configures how events are logged via .It facility = string Syslog facility if syslog is being used for logging. Defaults to -.Li @logfac@ . +.Em @logfac@ . .Pp The following syslog facilities are supported: .Sy authpriv @@ -643,7 +652,7 @@ and Syslog priority to use when the user is allowed to run a command and authentication is successful. Defaults to -.Li @goodpri@ . +.Em @goodpri@ . .Pp The following syslog priorities are supported: .Sy alert , @@ -663,7 +672,7 @@ will disable logging of successful commands. Syslog priority to use when the user is not allowed to run a command or when authentication is unsuccessful. Defaults to -.Li @badpri@ . +.Em @badpri@ . .Pp See .Em accept_priority @@ -671,7 +680,7 @@ for the list of supported syslog priorities. .It alert_priority = string Syslog priority to use for event log alert messages received from the client. Defaults to -.Li @badpri@ . +.Em @badpri@ . .Pp See .Em accept_priority @@ -704,7 +713,7 @@ JSON-format log entries are never split and are not affected by Syslog facility if syslog is being used for server warning messages. See above for a list of supported facilities. Defaults to -.Li daemon +.Em daemon .El .Ss logfile The @@ -725,10 +734,12 @@ Formatting is performed via the system's .Xr strftime 3 function so any escape sequences supported by that function will be expanded. The default value is -.Dq Li "%h %e %T" +.Dq "%h %e %T" which produces dates like .Dq Oct 3 07:15:24 -in the C locale. +in the +.Ql C +locale. .El .Sh FILES .Bl -tag -width 24n diff --git a/docs/sudo_logsrvd.man.in b/docs/sudo_logsrvd.man.in index c0bccf412..bffa4ecb6 100644 --- a/docs/sudo_logsrvd.man.in +++ b/docs/sudo_logsrvd.man.in @@ -117,7 +117,7 @@ section. .SS "Debugging sudo_logsrvd" \fBsudo_logsrvd\fR supports a flexible debugging framework that is configured via -\fRDebug\fR +\fIDebug\fR lines in the sudo.conf(@mansectform@) file. diff --git a/docs/sudo_logsrvd.mdoc.in b/docs/sudo_logsrvd.mdoc.in index 8c6a1e59a..d2d809d7b 100644 --- a/docs/sudo_logsrvd.mdoc.in +++ b/docs/sudo_logsrvd.mdoc.in @@ -112,7 +112,7 @@ section. .Ss Debugging sudo_logsrvd .Nm supports a flexible debugging framework that is configured via -.Li Debug +.Em Debug lines in the .Xr sudo.conf @mansectform@ file. diff --git a/docs/sudo_plugin.man.in b/docs/sudo_plugin.man.in index 108ac2587..615cf447a 100644 --- a/docs/sudo_plugin.man.in +++ b/docs/sudo_plugin.man.in @@ -236,7 +236,7 @@ Only available starting with API version 1.16. debug_flags=string A debug file path name followed by a space and a comma-separated list of debug flags that correspond to the plugin's -\fRDebug\fR +\fIDebug\fR entry in sudo.conf(@mansectform@), if there is one. @@ -265,7 +265,7 @@ will only pass if sudo.conf(@mansectform@) contains a plugin-specific -\fRDebug\fR +\fIDebug\fR entry. .TP 6n ignore_ticket=bool @@ -677,7 +677,7 @@ tty=string The path to the user's terminal device. If the user has no terminal device associated with the session, the value will be empty, as in -\(lq\fRtty=\fR\(rq. +\(oqtty=\(cq. .TP 6n uid=uid_t The real user-ID of the user invoking @@ -921,10 +921,10 @@ into \fIargv_out\fR, separated from the editor and its arguments by a -\(lq\fR--\fR\(rq +\(oq--\(cq element. The -\(lq\fR--\fR\(rq +\(oq--\(cq will be removed by \fBsudo\fR before the editor is executed. diff --git a/docs/sudo_plugin.mdoc.in b/docs/sudo_plugin.mdoc.in index 9d54941a3..7b6c3adda 100644 --- a/docs/sudo_plugin.mdoc.in +++ b/docs/sudo_plugin.mdoc.in @@ -216,7 +216,7 @@ Only available starting with API version 1.16. .It debug_flags=string A debug file path name followed by a space and a comma-separated list of debug flags that correspond to the plugin's -.Li Debug +.Em Debug entry in .Xr sudo.conf @mansectform@ , if there is one. @@ -245,7 +245,7 @@ will only pass if .Xr sudo.conf @mansectform@ contains a plugin-specific -.Li Debug +.Em Debug entry. .It ignore_ticket=bool Set to true if the user specified the @@ -603,7 +603,7 @@ Only available starting with API version 1.2. The path to the user's terminal device. If the user has no terminal device associated with the session, the value will be empty, as in -.Dq Li tty= . +.Ql tty= . .It uid=uid_t The real user-ID of the user invoking .Nm sudo . @@ -819,10 +819,10 @@ into .Fa argv_out , separated from the editor and its arguments by a -.Dq Li -- +.Ql -- element. The -.Dq Li -- +.Ql -- will be removed by .Nm sudo before the editor is executed. diff --git a/docs/sudo_sendlog.man.in b/docs/sudo_sendlog.man.in index 72e118725..eea3cca14 100644 --- a/docs/sudo_sendlog.man.in +++ b/docs/sudo_sendlog.man.in @@ -154,7 +154,7 @@ version and exit. .SS "Debugging sendlog" \fBsudo_sendlog\fR supports a flexible debugging framework that is configured via -\fRDebug\fR +\fIDebug\fR lines in the sudo.conf(@mansectform@) file. diff --git a/docs/sudo_sendlog.mdoc.in b/docs/sudo_sendlog.mdoc.in index 42edb553e..e8c17ae4e 100644 --- a/docs/sudo_sendlog.mdoc.in +++ b/docs/sudo_sendlog.mdoc.in @@ -139,7 +139,7 @@ version and exit. .Ss Debugging sendlog .Nm supports a flexible debugging framework that is configured via -.Li Debug +.Em Debug lines in the .Xr sudo.conf @mansectform@ file. diff --git a/docs/sudoers.ldap.man.in b/docs/sudoers.ldap.man.in index 3e3bcba88..3fd34f3b0 100644 --- a/docs/sudoers.ldap.man.in +++ b/docs/sudoers.ldap.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDOERS.LDAP" "@mansectform@" "July 25, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -69,16 +69,16 @@ is no need for a specialized tool to check syntax. The \fIsudoers\fR configuration is contained in the -\fRou=SUDOers\fR +\(oqou=SUDOers\(cq LDAP container. .PP Sudo first looks for the -\fRcn=defaults\fR +\(oqcn=defaults\(cq entry in the SUDOers container. If found, the multi-valued -\fRsudoOption\fR +\fIsudoOption\fR attribute is parsed in the same manner as a global -\fRDefaults\fR +\fIDefaults\fR line in \fI@sysconfdir@/sudoers\fR. In the following example, the @@ -97,7 +97,7 @@ sudoOption: env_keep+=SSH_AUTH_SOCK .fi .PP The equivalent of a sudoer in LDAP is a -\fRsudoRole\fR. +\fIsudoRole\fR. It consists of the following attributes: .TP 6n \fBsudoUser\fR @@ -120,36 +120,36 @@ Non-Unix group support is only available when an appropriate \fIgroup_plugin\fR is defined in the global \fIdefaults\fR -\fRsudoRole\fR +\fIsudoRole\fR object. If a -\fRsudoUser\fR +\fIsudoUser\fR entry is preceded by an exclamation point, \(oq\&!\(cq, and the entry matches, the -\fRsudoRole\fR +\fIsudoRole\fR in which it resides will be ignored. Negated -\fRsudoUser\fR +\fIsudoUser\fR entries are only supported by version 1.9.9 or higher. .TP 6n \fBsudoHost\fR A host name, IP address, IP network, or host netgroup (prefixed with a \(oq+\(cq). The special value -\fRALL\fR +\fBALL\fR will match any host. Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching. If a -\fRsudoHost\fR +\fIsudoHost\fR entry is preceded by an exclamation point, \(oq\&!\(cq, and the entry matches, the -\fRsudoRole\fR +\fIsudoRole\fR in which it resides will be ignored. Negated -\fRsudoHost\fR +\fIsudoHost\fR entries are only supported by version 1.8.18 or higher. .TP 6n \fBsudoCommand\fR @@ -160,7 +160,7 @@ If a command name is preceded by an exclamation point, the user will be prohibited from running that command. .sp The built-in command -\(lq\fRsudoedit\fR\(rq +\(lqsudoedit\(rq is used to permit a user to run \fBsudo\fR with the @@ -169,13 +169,13 @@ option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. Unlike other commands, -\(lq\fRsudoedit\fR\(rq +\(lqsudoedit\(rq is a built into \fBsudo\fR itself and must be specified in without a leading path. .sp The special value -\fRALL\fR +\fBALL\fR will match any command. .sp If a command name is prefixed with a SHA-2 digest, it will @@ -205,7 +205,7 @@ Command digests are only supported by version 1.8.7 or higher. \fBsudoOption\fR Identical in function to the global options described above, but specific to the -\fRsudoRole\fR +\fIsudoRole\fR in which it resides. .TP 6n \fBsudoRunAsUser\fR @@ -217,30 +217,29 @@ or user netgroup (prefixed with a \(oq+\(cq) that contains a list of users that commands may be run as. The special value -\fRALL\fR +\fBALL\fR will match any user. If a -\fRsudoRunAsUser\fR +\fIsudoRunAsUser\fR entry is preceded by an exclamation point, \(oq\&!\(cq, and the entry matches, the -\fRsudoRole\fR +\fIsudoRole\fR in which it resides will be ignored. If -\fRsudoRunAsUser\fR +\fIsudoRunAsUser\fR is specified but empty, it will match the invoking user. If neither -\fRsudoRunAsUser\fR +\fIsudoRunAsUser\fR nor -\fRsudoRunAsGroup\fR +\fIsudoRunAsGroup\fR are present, the value of the \fIrunas_default\fR -\fRsudoOption\fR -is used (defaults to -\fR@runas_default@\fR). +\fIsudoOption\fR +is used (defaults to @runas_default@). .sp The -\fRsudoRunAsUser\fR +\fIsudoRunAsUser\fR attribute is only available in \fBsudo\fR versions @@ -248,10 +247,10 @@ versions Older versions of \fBsudo\fR use the -\fRsudoRunAs\fR +\fIsudoRunAs\fR attribute instead. Negated -\fRsudoRunAsUser\fR +\fIsudoRunAsUser\fR entries are only supported by version 1.8.26 or higher. .TP 6n \fBsudoRunAsGroup\fR @@ -259,34 +258,34 @@ A Unix group or group-ID (prefixed with \(oq#\(cq) that commands may be run as. The special value -\fRALL\fR +\fBALL\fR will match any group. If a -\fRsudoRunAsGroup\fR +\fIsudoRunAsGroup\fR entry is preceded by an exclamation point, \(oq\&!\(cq, and the entry matches, the -\fRsudoRole\fR +\fIsudoRole\fR in which it resides will be ignored. .sp The -\fRsudoRunAsGroup\fR +\fIsudoRunAsGroup\fR attribute is only available in \fBsudo\fR versions 1.7.0 and higher. Negated -\fRsudoRunAsGroup\fR +\fIsudoRunAsGroup\fR entries are only supported by version 1.8.26 or higher. .TP 6n \fBsudoNotBefore\fR A timestamp in the form -\fRyyyymmddHHMMSSZ\fR +\(oqyyyymmddHHMMSSZ\(cq that can be used to provide a start date/time for when the -\fRsudoRole\fR +\fIsudoRole\fR will be valid. If multiple -\fRsudoNotBefore\fR +\fIsudoNotBefore\fR entries are present, the earliest is used. Timestamps must be in Coordinated Universal Time (UTC), not the local timezone. @@ -294,7 +293,7 @@ The minute and seconds portions are optional, but some LDAP servers require that they be present (contrary to the RFC). .sp The -\fRsudoNotBefore\fR +\fIsudoNotBefore\fR attribute is only available in \fBsudo\fR versions 1.7.5 and higher and must be explicitly enabled via the @@ -304,12 +303,12 @@ option in .TP 6n \fBsudoNotAfter\fR A timestamp in the form -\fRyyyymmddHHMMSSZ\fR +\(oqyyyymmddHHMMSSZ\(cq that indicates an expiration date/time, after which the -\fRsudoRole\fR +\fIsudoRole\fR will no longer be valid. If multiple -\fRsudoNotAfter\fR +\fIsudoNotAfter\fR entries are present, the last one is used. Timestamps must be in Coordinated Universal Time (UTC), not the local timezone. @@ -317,7 +316,7 @@ The minute and seconds portions are optional, but some LDAP servers require that they be present (contrary to the RFC). .sp The -\fRsudoNotAfter\fR +\fIsudoNotAfter\fR attribute is only available in \fBsudo\fR versions @@ -328,26 +327,26 @@ option in .TP 6n \fBsudoOrder\fR The -\fRsudoRole\fR +\fIsudoRole\fR entries retrieved from the LDAP directory have no inherent order. The -\fRsudoOrder\fR +\fIsudoOrder\fR attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behavior of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest -\fRsudoOrder\fR +\fIsudoOrder\fR attribute is chosen. This corresponds to the \(lqlast match\(rq behavior of the sudoers file. If the -\fRsudoOrder\fR +\fIsudoOrder\fR attribute is not present, a value of 0 is assumed. .sp The -\fRsudoOrder\fR +\fIsudoOrder\fR attribute is only available in \fBsudo\fR versions 1.7.5 and higher. @@ -355,12 +354,12 @@ versions 1.7.5 and higher. Each attribute listed above should contain a single value, but there may be multiple instances of each attribute type. A -\fRsudoRole\fR +\fIsudoRole\fR must contain at least one -\fRsudoUser\fR, -\fRsudoHost\fR, +\fIsudoUser\fR, +\fIsudoHost\fR, and -\fRsudoCommand\fR. +\fIsudoCommand\fR. .PP The following example allows users in group wheel to run any command on any host via @@ -384,7 +383,7 @@ The first query is to parse the global options. The second is to match against the user's name and the groups that the user belongs to. (The special -\fRALL\fR +\fBALL\fR tag is matched in this query too.) If no match is returned for the user's name and groups, a third query returns all entries containing user netgroups and other @@ -411,12 +410,12 @@ are as follows: .TP 5n 1.\& Match all -\fRnisNetgroup\fR +\fInisNetgroup\fR records with a -\fRnisNetgroupTriple\fR +\fInisNetgroupTriple\fR containing the user, host, and NIS domain. The query will match -\fRnisNetgroupTriple\fR +\fInisNetgroupTriple\fR entries with either the short or long form of the host name or no host name specified in the tuple. If the NIS domain is set, the query will match only match entries @@ -425,13 +424,13 @@ If the NIS domain is \fInot\fR set, a wildcard is used to match any domain name but be aware that the NIS schema used by some LDAP servers may not support wild cards for -\fRnisNetgroupTriple\fR. +\fInisNetgroupTriple\fR. .TP 5n 2.\& Repeated queries are performed to find any nested -\fRnisNetgroup\fR +\fInisNetgroup\fR records with a -\fRmemberNisNetgroup\fR +\fImemberNisNetgroup\fR entry that refers to an already-matched record. .PP For sites with a large number of netgroups, using @@ -465,7 +464,7 @@ returned in any specific order. .PP The order in which different entries are applied can be controlled using the -\fRsudoOrder\fR +\fIsudoOrder\fR attribute, but there is no way to guarantee the order of attributes within a specific entry. If there are conflicting command rules in an entry, the negative @@ -519,18 +518,18 @@ These cannot be converted automatically. For example, a Cmnd_Alias in a \fIsudoers\fR file may be converted to a -\fRsudoRole\fR +\fIsudoRole\fR that contains multiple commands. Multiple users and/or groups may be assigned to the -\fRsudoRole\fR. +\fIsudoRole\fR. .PP Also, host, user, runas, and command-based -\fRDefaults\fR +\fIDefaults\fR entries are not supported. However, a -\fRsudoRole\fR +\fIsudoRole\fR may contain one or more -\fRsudoOption\fR +\fIsudoOption\fR attributes which can often serve the same purpose. .PP Consider the following @@ -590,7 +589,7 @@ Using a Unix group or netgroup in PAGERS rather than listing each user would make this easier to maintain. .PP Per-user -\fRDefaults\fR +\fIDefaults\fR entries can be emulated by using one or more sudoOption attributes in a sudoRole. Consider the following @@ -637,7 +636,7 @@ LDAP support, the schema must be installed on your LDAP server. In addition, be sure to index the -\fRsudoUser\fR +\fIsudoUser\fR attribute. .PP The @@ -797,31 +796,30 @@ The default value is protocol version 3. \fBNETGROUP_BASE\fR \fIbase\fR The base DN to use when performing LDAP netgroup queries. Typically this is of the form -\fRou=netgroup,dc=my-domain,dc=com\fR -for the domain -\fRmy-domain.com\fR. +\(oqou=netgroup,dc=my-domain,dc=com\(cq +for the domain my-domain.com. Multiple \fBNETGROUP_BASE\fR lines may be specified, in which case they are queried in the order specified. .sp This option can be used to query a user's netgroups directly via LDAP which is usually faster than fetching every -\fRsudoRole\fR +\fIsudoRole\fR object containing a -\fRsudoUser\fR +\fIsudoUser\fR that begins with a \(oq+\(cq prefix. The NIS schema used by some LDAP servers need a modification to support querying the -\fRnisNetgroup\fR +\fInisNetgroup\fR object by its -\fRnisNetgroupTriple\fR +\fInisNetgroupTriple\fR member. OpenLDAP's \fBslapd\fR requires the following change to the -\fRnisNetgroupTriple\fR +\fInisNetgroupTriple\fR attribute: .nf .sp @@ -837,13 +835,12 @@ attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' \fBNETGROUP_SEARCH_FILTER\fR \fIldap_filter\fR An LDAP filter which is used to restrict the set of records returned when performing an LDAP netgroup query. -Typically, this is of the -form -\fRattribute=value\fR +Typically, this is of the form +\(oqattribute=value\(cq or -\fR(&(attribute=value)(attribute2=value2))\fR. +\(oq(&(attribute=value)(attribute2=value2))\(cq. The default search filter is: -\fRobjectClass=nisNetgroup\fR. +\(oqobjectClass=nisNetgroup\(cq. If \fIldap_filter\fR is omitted, no search filter will be used. @@ -928,10 +925,10 @@ This option is only relevant when using SASL authentication. If the \fBSSL\fR parameter is set to -\fRon\fR, -\fRtrue\fR, +\fIon\fR, +\fItrue\fR, or -\fRyes\fR +\fIyes\fR TLS (SSL) encryption is always used when communicating with the LDAP server. Typically, this involves connecting to the server on port 636 (ldaps). .TP 6n @@ -939,7 +936,7 @@ Typically, this involves connecting to the server on port 636 (ldaps). If the \fBSSL\fR parameter is set to -\fRstart_tls\fR, +\fIstart_tls\fR, the LDAP server connection is initiated normally and TLS encryption is begun before the bind credentials are sent. This has the advantage of not requiring a dedicated port for encrypted @@ -953,9 +950,8 @@ The base DN to use when performing \fBsudo\fR LDAP queries. Typically this is of the form -\fRou=SUDOers,dc=my-domain,dc=com\fR -for the domain -\fRmy-domain.com\fR. +\(oqou=SUDOers,dc=my-domain,dc=com\(cq +for the domain my-domain.com. Multiple \fBSUDOERS_BASE\fR lines may be specified, in which case they are queried in the order specified. @@ -997,20 +993,20 @@ when performing a LDAP query. Typically, this is of the form -\fRattribute=value\fR +\(oqattribute=value\(cq or -\fR(&(attribute=value)(attribute2=value2))\fR. +\(oq(&(attribute=value)(attribute2=value2))\(cq. The default search filter is: -\fRobjectClass=sudoRole\fR. +\(oqobjectClass=sudoRole\(cq. If \fIldap_filter\fR is omitted, no search filter will be used. .TP 6n \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR Whether or not to evaluate the -\fRsudoNotBefore\fR +\fIsudoNotBefore\fR and -\fRsudoNotAfter\fR +\fIsudoNotAfter\fR attributes that implement time-dependent sudoers entries. .TP 6n \fBTIMELIMIT\fR \fIseconds\fR @@ -1062,11 +1058,11 @@ The certificate type depends on the LDAP libraries used. .PD 0 .TP 6n OpenLDAP: -\fRtls_cert /etc/ssl/client_cert.pem\fR +\(oqtls_cert /etc/ssl/client_cert.pem\(cq .PD .TP 6n Netscape-derived: -\fRtls_cert /var/ldap/cert7.db\fR +\(oqtls_cert /var/ldap/cert7.db\(cq .TP 6n IBM LDAP: Unused, the key database specified by @@ -1106,14 +1102,14 @@ The key type depends on the LDAP libraries used. .PD 0 .TP 6n OpenLDAP: -\fRtls_key /etc/ssl/client_key.pem\fR +\(oqtls_key /etc/ssl/client_key.pem\(cq .PD .TP 6n Netscape-derived: -\fRtls_key /var/ldap/key3.db\fR +\(oqtls_key /var/ldap/key3.db\(cq .TP 6n IBM LDAP: -\fRtls_key /usr/ldap/ldapkey.kdb\fR +\(oqtls_key /usr/ldap/ldapkey.kdb\(cq .PP When using IBM LDAP libraries, this file may also contain Certificate Authority and client certificates and may be encrypted. @@ -1171,15 +1167,15 @@ The must have the same path as the file specified by \fBTLS_KEY\fR, but use a -\fR.sth\fR +\(oq.sth\(cq file extension instead of -\fR.kdb\fR, -e.g., -\fRldapkey.sth\fR. +\(oq.kdb\(cq, +for example +\(oqldapkey.sth\(cq. The default -\fRldapkey.kdb\fR +\(oqldapkey.kdb\(cq that ships with the IBM Tivoli Directory Server is encrypted with the password -\fRssl_password\fR. +\(oqssl_password\(cq. The \fIgsk8capicmd\fR utility can be used to manage the key database and create a @@ -1251,9 +1247,9 @@ the latter being for servers that support TLS (SSL) encryption. If no \fIport\fR is specified, the default is port 389 for -\fRldap://\fR +\(oqldap://\(cq or port 636 for -\fRldaps://\fR. +\(oqldaps://\(cq. If no \fIhostname\fR is specified, @@ -1266,9 +1262,9 @@ lines are treated identically to a \fBURI\fR line containing multiple entries. Only systems using the OpenSSL libraries support the mixing of -\fRldap://\fR +\(oqldap://\(cq and -\fRldaps://\fR +\(oqldaps://\(cq URIs. Both the Netscape-derived and IBM LDAP libraries used on most commercial versions of Unix are only capable of supporting one or the other. @@ -1297,13 +1293,13 @@ to specify the \fIsudoers\fR search order. Sudo looks for a line beginning with -\fRsudoers\fR: +\fIsudoers\fR: and uses this to determine the search order. By default, \fBsudo\fR does not stop searching after the first match and later matches take precedence over earlier ones (unless -\fR[SUCCESS=return]\fR +\(oq[SUCCESS=return]\(cq is used, see below). The following sources are recognized: .PP @@ -1322,14 +1318,14 @@ read sudoers from LDAP In addition, a subset of \fInsswitch.conf\fR-style action statements is supported, specifically -\fR[SUCCESS=return]\fR +\(oq[SUCCESS=return]\(cq and -\fR[NOTFOUND=return]\fR. +\(oq[NOTFOUND=return]\(cq. These will unconditionally terminate the search if the user was either found -(\fR[SUCCESS=return]\fR) +\(oq[SUCCESS=return]\(cq or not found -(\fR[NOTFOUND=return]\fR) +\(oq[NOTFOUND=return]\(cq in the immediately preceding source. Other action statements tokens are not supported, nor is test negation with @@ -1420,11 +1416,11 @@ sudoers = ldap = auth, files .fi .PP In the above example, the -\fRauth\fR +\fIauth\fR qualifier only affects user lookups; both LDAP and \fIsudoers\fR will be queried for -\fRDefaults\fR +\fIDefaults\fR entries. .PP If the @@ -1449,9 +1445,9 @@ rules. To use SSSD as the \fIsudoers\fR source, you should use -\fRsss\fR +\fIsss\fR instead of -\fRldap\fR +\fIldap\fR for the sudoers entry in \fI@nsswitch_conf@\fR. The @@ -1595,7 +1591,7 @@ Simply copy it to the schema directory (e.g., \fI/etc/openldap/schema\fR), add the proper -\fRinclude\fR +\fIinclude\fR line in \fIslapd.conf\fR and restart diff --git a/docs/sudoers.ldap.mdoc.in b/docs/sudoers.ldap.mdoc.in index ec265f691..39230c243 100644 --- a/docs/sudoers.ldap.mdoc.in +++ b/docs/sudoers.ldap.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd July 25, 2022 +.Dd September 13, 2022 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -67,16 +67,16 @@ is no need for a specialized tool to check syntax. The .Em sudoers configuration is contained in the -.Li ou=SUDOers +.Ql ou=SUDOers LDAP container. .Pp Sudo first looks for the -.Li cn=defaults +.Ql cn=defaults entry in the SUDOers container. If found, the multi-valued -.Li sudoOption +.Em sudoOption attribute is parsed in the same manner as a global -.Li Defaults +.Em Defaults line in .Pa @sysconfdir@/sudoers . In the following example, the @@ -92,7 +92,7 @@ sudoOption: env_keep+=SSH_AUTH_SOCK .Ed .Pp The equivalent of a sudoer in LDAP is a -.Li sudoRole . +.Em sudoRole . It consists of the following attributes: .Bl -tag -width 4n .It Sy sudoUser @@ -115,35 +115,35 @@ Non-Unix group support is only available when an appropriate .Em group_plugin is defined in the global .Em defaults -.Li sudoRole +.Em sudoRole object. If a -.Li sudoUser +.Em sudoUser entry is preceded by an exclamation point, .Ql \&! , and the entry matches, the -.Li sudoRole +.Em sudoRole in which it resides will be ignored. Negated -.Li sudoUser +.Em sudoUser entries are only supported by version 1.9.9 or higher. .It Sy sudoHost A host name, IP address, IP network, or host netgroup (prefixed with a .Ql + ) . The special value -.Li ALL +.Sy ALL will match any host. Host netgroups are matched using the host (both qualified and unqualified) and domain members only; the user member is not used when matching. If a -.Li sudoHost +.Em sudoHost entry is preceded by an exclamation point, .Ql \&! , and the entry matches, the -.Li sudoRole +.Em sudoRole in which it resides will be ignored. Negated -.Li sudoHost +.Em sudoHost entries are only supported by version 1.8.18 or higher. .It Sy sudoCommand A fully-qualified Unix command name with optional command line arguments, @@ -153,7 +153,7 @@ If a command name is preceded by an exclamation point, the user will be prohibited from running that command. .Pp The built-in command -.Dq Li sudoedit +.Dq sudoedit is used to permit a user to run .Nm sudo with the @@ -162,13 +162,13 @@ option (or as .Nm sudoedit ) . It may take command line arguments just as a normal command does. Unlike other commands, -.Dq Li sudoedit +.Dq sudoedit is a built into .Nm sudo itself and must be specified in without a leading path. .Pp The special value -.Li ALL +.Sy ALL will match any command. .Pp If a command name is prefixed with a SHA-2 digest, it will @@ -192,7 +192,7 @@ Command digests are only supported by version 1.8.7 or higher. .It Sy sudoOption Identical in function to the global options described above, but specific to the -.Li sudoRole +.Em sudoRole in which it resides. .It Sy sudoRunAsUser A user name or user-ID (prefixed with @@ -203,30 +203,29 @@ or user netgroup (prefixed with a .Ql + ) that contains a list of users that commands may be run as. The special value -.Li ALL +.Sy ALL will match any user. If a -.Li sudoRunAsUser +.Em sudoRunAsUser entry is preceded by an exclamation point, .Ql \&! , and the entry matches, the -.Li sudoRole +.Em sudoRole in which it resides will be ignored. If -.Li sudoRunAsUser +.Em sudoRunAsUser is specified but empty, it will match the invoking user. If neither -.Li sudoRunAsUser +.Em sudoRunAsUser nor -.Li sudoRunAsGroup +.Em sudoRunAsGroup are present, the value of the .Em runas_default -.Li sudoOption -is used (defaults to -.Li @runas_default@ ) . +.Em sudoOption +is used (defaults to @runas_default@). .Pp The -.Li sudoRunAsUser +.Em sudoRunAsUser attribute is only available in .Nm sudo versions @@ -234,43 +233,43 @@ versions Older versions of .Nm sudo use the -.Li sudoRunAs +.Em sudoRunAs attribute instead. Negated -.Li sudoRunAsUser +.Em sudoRunAsUser entries are only supported by version 1.8.26 or higher. .It Sy sudoRunAsGroup A Unix group or group-ID (prefixed with .Ql # ) that commands may be run as. The special value -.Li ALL +.Sy ALL will match any group. If a -.Li sudoRunAsGroup +.Em sudoRunAsGroup entry is preceded by an exclamation point, .Ql \&! , and the entry matches, the -.Li sudoRole +.Em sudoRole in which it resides will be ignored. .Pp The -.Li sudoRunAsGroup +.Em sudoRunAsGroup attribute is only available in .Nm sudo versions 1.7.0 and higher. Negated -.Li sudoRunAsGroup +.Em sudoRunAsGroup entries are only supported by version 1.8.26 or higher. .It Sy sudoNotBefore A timestamp in the form -.Li yyyymmddHHMMSSZ +.Ql yyyymmddHHMMSSZ that can be used to provide a start date/time for when the -.Li sudoRole +.Em sudoRole will be valid. If multiple -.Li sudoNotBefore +.Em sudoNotBefore entries are present, the earliest is used. Timestamps must be in Coordinated Universal Time (UTC), not the local timezone. @@ -278,7 +277,7 @@ The minute and seconds portions are optional, but some LDAP servers require that they be present (contrary to the RFC). .Pp The -.Li sudoNotBefore +.Em sudoNotBefore attribute is only available in .Nm sudo versions 1.7.5 and higher and must be explicitly enabled via the @@ -287,12 +286,12 @@ option in .Pa @ldap_conf@ . .It Sy sudoNotAfter A timestamp in the form -.Li yyyymmddHHMMSSZ +.Ql yyyymmddHHMMSSZ that indicates an expiration date/time, after which the -.Li sudoRole +.Em sudoRole will no longer be valid. If multiple -.Li sudoNotAfter +.Em sudoNotAfter entries are present, the last one is used. Timestamps must be in Coordinated Universal Time (UTC), not the local timezone. @@ -300,7 +299,7 @@ The minute and seconds portions are optional, but some LDAP servers require that they be present (contrary to the RFC). .Pp The -.Li sudoNotAfter +.Em sudoNotAfter attribute is only available in .Nm sudo versions @@ -310,26 +309,26 @@ option in .Pa @ldap_conf@ . .It Sy sudoOrder The -.Li sudoRole +.Em sudoRole entries retrieved from the LDAP directory have no inherent order. The -.Li sudoOrder +.Em sudoOrder attribute is an integer (or floating point value for LDAP servers that support it) that is used to sort the matching entries. This allows LDAP-based sudoers entries to more closely mimic the behavior of the sudoers file, where the order of the entries influences the result. If multiple entries match, the entry with the highest -.Li sudoOrder +.Em sudoOrder attribute is chosen. This corresponds to the .Dq last match behavior of the sudoers file. If the -.Li sudoOrder +.Em sudoOrder attribute is not present, a value of 0 is assumed. .Pp The -.Li sudoOrder +.Em sudoOrder attribute is only available in .Nm sudo versions 1.7.5 and higher. @@ -338,12 +337,12 @@ versions 1.7.5 and higher. Each attribute listed above should contain a single value, but there may be multiple instances of each attribute type. A -.Li sudoRole +.Em sudoRole must contain at least one -.Li sudoUser , -.Li sudoHost , +.Em sudoUser , +.Em sudoHost , and -.Li sudoCommand . +.Em sudoCommand . .Pp The following example allows users in group wheel to run any command on any host via @@ -364,7 +363,7 @@ The first query is to parse the global options. The second is to match against the user's name and the groups that the user belongs to. (The special -.Li ALL +.Sy ALL tag is matched in this query too.) If no match is returned for the user's name and groups, a third query returns all entries containing user netgroups and other @@ -391,12 +390,12 @@ are as follows: .Bl -enum .It Match all -.Li nisNetgroup +.Em nisNetgroup records with a -.Li nisNetgroupTriple +.Em nisNetgroupTriple containing the user, host, and NIS domain. The query will match -.Li nisNetgroupTriple +.Em nisNetgroupTriple entries with either the short or long form of the host name or no host name specified in the tuple. If the NIS domain is set, the query will match only match entries @@ -405,12 +404,12 @@ If the NIS domain is .Em not set, a wildcard is used to match any domain name but be aware that the NIS schema used by some LDAP servers may not support wild cards for -.Li nisNetgroupTriple . +.Em nisNetgroupTriple . .It Repeated queries are performed to find any nested -.Li nisNetgroup +.Em nisNetgroup records with a -.Li memberNisNetgroup +.Em memberNisNetgroup entry that refers to an already-matched record. .El .Pp @@ -445,7 +444,7 @@ returned in any specific order. .Pp The order in which different entries are applied can be controlled using the -.Li sudoOrder +.Em sudoOrder attribute, but there is no way to guarantee the order of attributes within a specific entry. If there are conflicting command rules in an entry, the negative @@ -496,18 +495,18 @@ These cannot be converted automatically. For example, a Cmnd_Alias in a .Em sudoers file may be converted to a -.Li sudoRole +.Em sudoRole that contains multiple commands. Multiple users and/or groups may be assigned to the -.Li sudoRole . +.Em sudoRole . .Pp Also, host, user, runas, and command-based -.Li Defaults +.Em Defaults entries are not supported. However, a -.Li sudoRole +.Em sudoRole may contain one or more -.Li sudoOption +.Em sudoOption attributes which can often serve the same purpose. .Pp Consider the following @@ -561,7 +560,7 @@ Using a Unix group or netgroup in PAGERS rather than listing each user would make this easier to maintain. .Pp Per-user -.Li Defaults +.Em Defaults entries can be emulated by using one or more sudoOption attributes in a sudoRole. Consider the following @@ -602,7 +601,7 @@ LDAP support, the schema must be installed on your LDAP server. In addition, be sure to index the -.Li sudoUser +.Em sudoUser attribute. .Pp The @@ -748,31 +747,30 @@ The default value is protocol version 3. .It Sy NETGROUP_BASE Ar base The base DN to use when performing LDAP netgroup queries. Typically this is of the form -.Li ou=netgroup,dc=my-domain,dc=com -for the domain -.Li my-domain.com . +.Ql ou=netgroup,dc=my-domain,dc=com +for the domain my-domain.com. Multiple .Sy NETGROUP_BASE lines may be specified, in which case they are queried in the order specified. .Pp This option can be used to query a user's netgroups directly via LDAP which is usually faster than fetching every -.Li sudoRole +.Em sudoRole object containing a -.Li sudoUser +.Em sudoUser that begins with a .Ql + prefix. The NIS schema used by some LDAP servers need a modification to support querying the -.Li nisNetgroup +.Em nisNetgroup object by its -.Li nisNetgroupTriple +.Em nisNetgroupTriple member. OpenLDAP's .Sy slapd requires the following change to the -.Li nisNetgroupTriple +.Em nisNetgroupTriple attribute: .Bd -literal -offset 4n attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' @@ -784,13 +782,12 @@ attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' .It Sy NETGROUP_SEARCH_FILTER Ar ldap_filter An LDAP filter which is used to restrict the set of records returned when performing an LDAP netgroup query. -Typically, this is of the -form -.Li attribute=value +Typically, this is of the form +.Ql attribute=value or -.Li (&(attribute=value)(attribute2=value2)) . +.Ql (&(attribute=value)(attribute2=value2)) . The default search filter is: -.Li objectClass=nisNetgroup . +.Ql objectClass=nisNetgroup . If .Ar ldap_filter is omitted, no search filter will be used. @@ -867,17 +864,17 @@ This option is only relevant when using SASL authentication. If the .Sy SSL parameter is set to -.Li on , -.Li true , +.Em on , +.Em true , or -.Li yes +.Em yes TLS (SSL) encryption is always used when communicating with the LDAP server. Typically, this involves connecting to the server on port 636 (ldaps). .It Sy SSL Ar start_tls If the .Sy SSL parameter is set to -.Li start_tls , +.Em start_tls , the LDAP server connection is initiated normally and TLS encryption is begun before the bind credentials are sent. This has the advantage of not requiring a dedicated port for encrypted @@ -890,9 +887,8 @@ The base DN to use when performing .Nm sudo LDAP queries. Typically this is of the form -.Li ou=SUDOers,dc=my-domain,dc=com -for the domain -.Li my-domain.com . +.Ql ou=SUDOers,dc=my-domain,dc=com +for the domain my-domain.com. Multiple .Sy SUDOERS_BASE lines may be specified, in which case they are queried in the order specified. @@ -932,19 +928,19 @@ when performing a LDAP query. Typically, this is of the form -.Li attribute=value +.Ql attribute=value or -.Li (&(attribute=value)(attribute2=value2)) . +.Ql (&(attribute=value)(attribute2=value2)) . The default search filter is: -.Li objectClass=sudoRole . +.Ql objectClass=sudoRole . If .Ar ldap_filter is omitted, no search filter will be used. .It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no Whether or not to evaluate the -.Li sudoNotBefore +.Em sudoNotBefore and -.Li sudoNotAfter +.Em sudoNotAfter attributes that implement time-dependent sudoers entries. .It Sy TIMELIMIT Ar seconds The @@ -987,9 +983,9 @@ be used to authenticate the client to the LDAP server. The certificate type depends on the LDAP libraries used. .Bl -tag -width 4n .It OpenLDAP: -.Li tls_cert /etc/ssl/client_cert.pem +.Ql tls_cert /etc/ssl/client_cert.pem .It Netscape-derived: -.Li tls_cert /var/ldap/cert7.db +.Ql tls_cert /var/ldap/cert7.db .It IBM LDAP: Unused, the key database specified by .Sy TLS_KEY @@ -1023,11 +1019,11 @@ The private key must not be password-protected. The key type depends on the LDAP libraries used. .Bl -tag -width 4n .It OpenLDAP: -.Li tls_key /etc/ssl/client_key.pem +.Ql tls_key /etc/ssl/client_key.pem .It Netscape-derived: -.Li tls_key /var/ldap/key3.db +.Ql tls_key /var/ldap/key3.db .It IBM LDAP: -.Li tls_key /usr/ldap/ldapkey.kdb +.Ql tls_key /usr/ldap/ldapkey.kdb .El .Pp When using IBM LDAP libraries, this file may also contain @@ -1079,15 +1075,15 @@ The must have the same path as the file specified by .Sy TLS_KEY , but use a -.Li .sth +.Ql .sth file extension instead of -.Li .kdb , -e.g., -.Li ldapkey.sth . +.Ql .kdb , +for example +.Ql ldapkey.sth . The default -.Li ldapkey.kdb +.Ql ldapkey.kdb that ships with the IBM Tivoli Directory Server is encrypted with the password -.Li ssl_password . +.Ql ssl_password . The .Em gsk8capicmd utility can be used to manage the key database and create a @@ -1149,9 +1145,9 @@ the latter being for servers that support TLS (SSL) encryption. If no .Em port is specified, the default is port 389 for -.Li ldap:// +.Ql ldap:// or port 636 for -.Li ldaps:// . +.Ql ldaps:// . If no .Em hostname is specified, @@ -1164,9 +1160,9 @@ lines are treated identically to a .Sy URI line containing multiple entries. Only systems using the OpenSSL libraries support the mixing of -.Li ldap:// +.Ql ldap:// and -.Li ldaps:// +.Ql ldaps:// URIs. Both the Netscape-derived and IBM LDAP libraries used on most commercial versions of Unix are only capable of supporting one or the other. @@ -1194,13 +1190,13 @@ to specify the .Em sudoers search order. Sudo looks for a line beginning with -.Li sudoers : +.Em sudoers : and uses this to determine the search order. By default, .Nm sudo does not stop searching after the first match and later matches take precedence over earlier ones (unless -.Li [SUCCESS=return] +.Ql [SUCCESS=return] is used, see below). The following sources are recognized: .Pp @@ -1215,14 +1211,14 @@ read sudoers from LDAP In addition, a subset of .Pa nsswitch.conf Ns -style action statements is supported, specifically -.Li [SUCCESS=return] +.Ql [SUCCESS=return] and -.Li [NOTFOUND=return] . +.Ql [NOTFOUND=return] . These will unconditionally terminate the search if the user was either found -.Pq Li [SUCCESS=return] +.Ql [SUCCESS=return] or not found -.Pq Li [NOTFOUND=return] +.Ql [NOTFOUND=return] in the immediately preceding source. Other action statements tokens are not supported, nor is test negation with @@ -1292,11 +1288,11 @@ sudoers = ldap = auth, files .Ed .Pp In the above example, the -.Li auth +.Em auth qualifier only affects user lookups; both LDAP and .Em sudoers will be queried for -.Li Defaults +.Em Defaults entries. .Pp If the @@ -1318,9 +1314,9 @@ rules. To use SSSD as the .Em sudoers source, you should use -.Li sss +.Em sss instead of -.Li ldap +.Em ldap for the sudoers entry in .Pa @nsswitch_conf@ . The @@ -1461,7 +1457,7 @@ Simply copy it to the schema directory (e.g., .Pa /etc/openldap/schema ) , add the proper -.Li include +.Em include line in .Pa slapd.conf and restart diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index ab16a3a17..9f68c5c86 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDOERS" "@mansectform@" "August 25, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -60,7 +60,7 @@ file to determine which plugins to load. If no sudo.conf(@mansectform@) file is present, or if it contains no -\fRPlugin\fR +\fIPlugin\fR lines, \fBsudoers\fR will be used for auditing, policy decisions and I/O logging. @@ -206,7 +206,7 @@ used for such mail is configurable via the \fImailto\fR Defaults entry (described later) and defaults to -\fR@mailto@\fR. +\fI@mailto@\fR. .PP No mail will be sent if an unauthorized user tries to run \fBsudo\fR @@ -258,12 +258,10 @@ terminal session ID, the start time of the session leader (using a monotonic clock if one is available). The user may then use \fBsudo\fR -without a password for a short period of time -(\fR@timeout@\fR -minutes unless overridden by the +without a password for a short period of time (@timeout@ minutes +unless overridden by the \fItimestamp_timeout\fR -option) -\&. +option). By default, \fBsudoers\fR uses a separate record for each terminal, which means that @@ -400,7 +398,7 @@ This avoids an inconsistent environment where one of the variables describing the user name is set to the invoking user and one is set to the target user. Environment variables with a value beginning with -\fR()\fR +\(oq()\(cq are removed unless both the name and value parts are matched by \fIenv_keep\fR or @@ -420,7 +418,7 @@ and options are allowed and their values are inherited from the invoking process. Prior to version 1.8.21, environment variables with a value beginning with -\fR()\fR +\(oq()\(cq were always removed. Beginning with version 1.8.21, a pattern in \fIenv_delete\fR @@ -458,7 +456,7 @@ env_keep += "BASH_FUNC_my_func%%=()*" .fi .PP Without the -\(lq\fR=()*\fR\(rq +\(oq=()*\(cq suffix, this would not match, as \fBbash\fR shell functions are not preserved by default. @@ -613,7 +611,7 @@ By default, uses the operating system's native method of setting resource limits for the target user. On Linux systems, resource limits are usually set by the -\fRpam_limits.so\fR +\fIpam_limits.so\fR PAM module. On some BSD systems, the \fI/etc/login.conf\fR @@ -691,9 +689,13 @@ are only supported by version 1.8.7 or higher. EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of \fIproduction rules\fR. -E.g., -.PP -\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR +For example: +.nf +.sp +.RS 4n +symbol ::= definition | alternate1 | alternate2 ... +.RE +.fi .PP Each \fIproduction rule\fR @@ -706,15 +708,15 @@ Do not, however, confuse them with \(lqwildcard\(rq characters, which have different meanings. .TP 6n -\fR\&?\fR +\&? Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. .TP 6n -\fR*\fR +* Means that the preceding symbol (or group of symbols) may appear zero or more times. .TP 6n -\fR+\fR ++ Means that the preceding symbol (or group of symbols) may appear one or more times. .PP @@ -725,17 +727,17 @@ we will use single quotes to designate what is a verbatim character string (as opposed to a symbol name). .SS "Aliases" There are four kinds of aliases: -\fRUser_Alias\fR, -\fRRunas_Alias\fR, -\fRHost_Alias\fR +\fIUser_Alias\fR, +\fIRunas_Alias\fR, +\fIHost_Alias\fR and -\fRCmnd_Alias\fR. +\fICmnd_Alias\fR. Beginning with \fBsudo\fR 1.9.0, -\fRCmd_Alias\fR +\fICmd_Alias\fR may be used in place of -\fRCmnd_Alias\fR +\fICmnd_Alias\fR if desired. .nf .sp @@ -779,11 +781,11 @@ Alias_Type NAME = item1, item2, ... where \fIAlias_Type\fR is one of -\fRUser_Alias\fR, -\fRRunas_Alias\fR, -\fRHost_Alias\fR, +\fIUser_Alias\fR, +\fIRunas_Alias\fR, +\fIHost_Alias\fR, or -\fRCmnd_Alias\fR. +\fICmnd_Alias\fR. A \fRNAME\fR is a string of uppercase letters, numbers, @@ -797,7 +799,7 @@ uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon (\(oq:\&\(cq). -E.g., +For example: .nf .sp .RS 0n @@ -832,7 +834,7 @@ User ::= '!'* user name | .fi .PP A -\fRUser_List\fR +\fIUser_List\fR is made up of one or more user names, user-IDs (prefixed with \(oq#\(cq), @@ -847,7 +849,7 @@ non-Unix group names and IDs (prefixed with and \(oq%:#\(cq respectively), and -\fRUser_Alias\fRes. +\fIUser_Alias\fRes. Each list item may be prefixed with zero or more \(oq\&!\(cq operators. @@ -859,14 +861,14 @@ User netgroups are matched using the user and domain members only; the host member is not used when matching. .PP A -\fRuser name\fR, -\fRuser-ID\fR, -\fRgroup\fR, -\fRgroup-ID\fR, -\fRnetgroup\fR, -\fRnonunix_group\fR +\fIuser name\fR, +\fIuser-ID\fR, +\fIgroup\fR, +\fIgroup-ID\fR, +\fInetgroup\fR, +\fInonunix_group\fR or -\fRnonunix_gid\fR +\fInonunix_gid\fR may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters @@ -876,9 +878,9 @@ using double quotes, any prefix characters must be included inside the quotes. .PP The actual -\fRnonunix_group\fR +\fInonunix_group\fR and -\fRnonunix_gid\fR +\fInonunix_gid\fR syntax depends on the underlying group provider plugin. For instance, the QAS AD plugin supports the following formats: @@ -923,21 +925,21 @@ Runas_Member ::= '!'* user name | .fi .PP A -\fRRunas_List\fR +\fIRunas_List\fR is similar to a -\fRUser_List\fR +\fIUser_List\fR except that instead of -\fRUser_Alias\fRes +\fIUser_Alias\fRes it can contain -\fRRunas_Alias\fRes. +\fIRunas_Alias\fRes. User names and groups are matched as strings. In other words, two users (groups) with the same user (group) ID are considered to be distinct. If you wish to match all user names with the same user-ID (e.g., root and toor), you can use a user-ID instead of a name (#0 in the example given). The user-ID or group-ID specified in a -\fRRunas_Member\fR +\fIRunas_Member\fR need not be listed in the password or group database. .nf .sp @@ -955,7 +957,7 @@ Host ::= '!'* host name | .fi .PP A -\fRHost_List\fR +\fIHost_List\fR is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with \(oq+\(cq), @@ -977,7 +979,7 @@ A host name may include shell-style wildcards (see the \fIWildcards\fR section below), but unless the -\fRhost name\fR +\fIhostname\fR command on your machine returns the fully qualified host name, you'll need to use the \fIfqdn\fR @@ -1027,7 +1029,7 @@ Cmnd ::= Digest_List? '!'* command | .fi .PP A -\fRCmnd_List\fR +\fICmnd_List\fR is a list of one or more commands, directories, or aliases. A command is a fully qualified file name, which may include shell-style wildcards (see the @@ -1044,7 +1046,7 @@ A directory is a fully qualified path name ending in a \(oq/\(cq. When you specify a directory in a -\fRCmnd_List\fR, +\fICmnd_List\fR, the user will be able to run any file within that directory (but not in any sub-directories therein). If no command line arguments are specified, the user may run the @@ -1055,19 +1057,19 @@ expression that starts with and ends with \(oq$\(cq. If the command line arguments consist of -\fR\&""\fR, +\(oq\&""\(cq, the command may only be run with \fIno\fR arguments. .PP If a -\fRCmnd\fR +\fICmnd\fR has associated command line arguments, the arguments in the -\fRCmnd\fR +\fICmnd\fR must match those given by the user on the command line. If the arguments in a -\fRCmnd\fR +\fICmnd\fR begin with the \(oq^\(cq character, they will be interpreted as a regular expression @@ -1082,7 +1084,7 @@ if they are used in command arguments: \(oq=\&\(cq, \(oq\e\(cq. To prevent arguments in a -\fRCmnd\fR +\fICmnd\fR that begin with a \(oq^\(cq character from being interpreted as a regular expression, the @@ -1091,7 +1093,7 @@ must be escaped with a \(oq\e\(cq. .PP The built-in command -\(lq\fRsudoedit\fR\(rq +\(lqsudoedit\(rq is used to permit a user to run \fBsudo\fR with the @@ -1100,7 +1102,7 @@ option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. Unlike other commands, -\(lq\fRsudoedit\fR\(rq +\(lqsudoedit\(rq is built into \fBsudo\fR itself and must be specified in the @@ -1111,27 +1113,27 @@ a leading path. If a leading path is present, for example \fI/usr/bin/sudoedit\fR, the path name will be silently converted to -\(lq\fRsudoedit\fR\(rq. +\(lqsudoedit\(rq. A fully-qualified path for \fBsudoedit\fR is treated as an error by \fBvisudo\fR. .PP A -\fRcommand\fR +\fIcommand\fR may be preceded by a -\fRDigest_List\fR, +\fIDigest_List\fR, a comma-separated list of one or more -\fRDigest_Spec\fR +\fIDigest_Spec\fR entries. If a -\fRDigest_List\fR +\fIDigest_List\fR is present, the command will only match successfully if it can be verified using one of the SHA-2 digests in the list. Starting with version 1.9.0, the \fBALL\fR reserved word can be used in conjunction with a -\fRDigest_List\fR. +\fIDigest_List\fR. The following digest formats are supported: sha224, sha256, sha384, and sha512. The string may be specified in either hex or base64 format (base64 is more compact). @@ -1161,7 +1163,7 @@ Warning, if the user has write access to the command itself (directly or via a command), it may be possible for the user to replace the command after the digest check has been performed but before the command is executed. A similar race condition exists on systems that lack the -\fBfexecve\fR() +fexecve(2) system call when the directory in which the command is located is writable by the user. See the description of the @@ -1174,13 +1176,13 @@ Command digests are only supported by version 1.8.7 or higher. .SS "Defaults" Certain configuration options may be changed from their default values at run-time via one or more -\fRDefault_Entry\fR +\fIDefault_Entry\fR lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Per-command entries may not include command line arguments. If you need to specify arguments, define a -\fRCmnd_Alias\fR +\fICmnd_Alias\fR and reference that instead. .nf @@ -1241,16 +1243,16 @@ regexec(3) function. .PP Lists have two additional assignment operators, -\fR+=\fR +\(oq+=\(cq and -\fR-=\fR. +\(oq-=\(cq. These operators are used to add to and delete from a list respectively. It is not an error to use the -\fR-=\fR +\(oq-=\(cq operator to remove an element that does not exist in a list. .PP -Defaults entries are parsed in the following order: generic, host, +Defaults entries are parsed in the following order: global, host, user, and runas Defaults first, then command defaults. If there are multiple Defaults settings of the same type, the last matching setting is used. @@ -1326,18 +1328,18 @@ The basic structure of a user specification is Let's break that down into its constituent parts: .SS "Runas_Spec" A -\fRRunas_Spec\fR +\fIRunas_Spec\fR determines the user and/or the group that a command may be run as. A fully-specified -\fRRunas_Spec\fR +\fIRunas_Spec\fR consists of two -\fRRunas_List\fRs +\fIRunas_List\fRs (as defined above) separated by a colon (\(oq:\&\(cq) and enclosed in a set of parentheses. The first -\fRRunas_List\fR +\fIRunas_List\fR indicates which users the command may be run as via the \fB\-u\fR option. @@ -1345,24 +1347,24 @@ The second defines a list of groups that may be specified via the \fB\-g\fR option (in addition to any of the target user's groups). If both -\fRRunas_List\fRs +\fIRunas_List\fRs are specified, the command may be run with any combination of users and groups listed in their respective -\fRRunas_List\fRs. +\fIRunas_List\fRs. If only the first is specified, the command may be run as any user in the list and, optionally, with any group the target user belongs to. If the first -\fRRunas_List\fR +\fIRunas_List\fR is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the -\fRRunas_List\fR. +\fIRunas_List\fR. If both -\fRRunas_List\fRs +\fIRunas_List\fRs are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of. If no -\fRRunas_Spec\fR +\fIRunas_Spec\fR is specified, the command may only be run as \fBroot\fR and the group, if specified, must be one that @@ -1370,7 +1372,7 @@ and the group, if specified, must be one that is a member of. .PP A -\fRRunas_Spec\fR +\fIRunas_Spec\fR sets the default for the commands that follow it. What this means is that for the entry: .nf @@ -1391,7 +1393,7 @@ on the host boulder\(embut only as \fBoperator\fR. -E.g., +For example: .nf .sp .RS 0n @@ -1400,7 +1402,7 @@ $ sudo -u operator /bin/ls .fi .PP It is also possible to override a -\fRRunas_Spec\fR +\fIRunas_Spec\fR later on in an entry. If we modify the entry like so: .nf @@ -1426,7 +1428,7 @@ as We can extend this to allow \fBdgb\fR to run -\fR/bin/ls\fR +\fI/bin/ls\fR with either the user or group set to \fBoperator\fR: @@ -1439,7 +1441,7 @@ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e .fi .PP While the group portion of the -\fRRunas_Spec\fR +\fIRunas_Spec\fR permits the user to run as command with that group, it does not force the user to do so. @@ -1470,7 +1472,7 @@ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e .PP In this example only the group will be set, the command still runs as user \fBtcm\fR. -E.g.\& +For example: .nf .sp .RS 0n @@ -1479,7 +1481,7 @@ $ sudo -g dialer /usr/bin/cu .fi .PP Multiple users and groups may be present in a -\fRRunas_Spec\fR, +\fIRunas_Spec\fR, in which case the user may select any combination of users and groups via the \fB\-u\fR and @@ -1499,7 +1501,7 @@ may run any command as either user root or bin, optionally setting the group to operator or system. .SS "Option_Spec" A -\fRCmnd\fR +\fICmnd\fR may have zero or more options associated with it. Options may consist of .if \n(SL \{\ @@ -1511,11 +1513,11 @@ Solaris privileges sets, .\} start and/or end dates and command timeouts. Once an option is set for a -\fRCmnd\fR, +\fICmnd\fR, subsequent -\fRCmnd\fRs +\fICmnd\fRs in the -\fRCmnd_Spec_List\fR, +\fICmnd_Spec_List\fR, inherit that option unless it is overridden by another option. Option names are reserved words in \fIsudoers\fR. @@ -1565,7 +1567,8 @@ the user may run any command as root under confinement by the profile \(oqmy-profile\(cq. You can also stack profiles, or allow a user to run commands unconfined by -any profile. E.g., +any profile. +For example: .nf .sp .RS 0n @@ -1642,10 +1645,10 @@ and \fRNOTAFTER\fR settings. The time stamp must be specified in -\fIGeneralized Time\fR +\(lqGeneralized Time\(rq as defined by RFC 4517. The format is effectively -\fRyyyymmddHHMMSSZ\fR +\(oqyyyymmddHHMMSSZ\(cq where the minutes and seconds are optional. The \(oqZ\(cq @@ -1679,7 +1682,7 @@ minutes, and seconds with a single-letter case-insensitive suffix that indicates the unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes, and 10 seconds would be written as -\fR7d8h30m10s\fR. +\(oq7d8h30m10s\(cq. If a number is specified without a unit, seconds are assumed. Any of the days, minutes, hours, or seconds may be omitted. The order must be from largest to smallest unit and a unit @@ -1688,17 +1691,17 @@ may not be specified more than once. The following are all \fIvalid\fR timeout values: -\fR7d8h30m10s\fR, -\fR14d\fR, -\fR8h30m\fR, -\fR600s\fR, -\fR3600\fR. +\(oq7d8h30m10s\(cq, +\(oq14d\(cq, +\(oq8h30m\(cq, +\(oq600s\(cq, +\(oq3600\(cq. The following are \fIinvalid\fR timeout values: -\fR12m2w1d\fR, -\fR30s10m4h\fR, -\fR1d2d3h\fR. +\(oq12m2w1d\(cq, +\(oq30s10m4h\(cq, +\(oq1d2d3h\(cq. .PP This setting is only supported by version 1.8.20 or higher. .SS "Chdir_Spec" @@ -1726,7 +1729,7 @@ directory, unless the \fB\-i\fR option is given. Path names of the form -\fR~user/path/name\fR +\fI~user/path/name\fR are interpreted as being relative to the named user's home directory. If the user name is omitted, the path will be relative to the runas user's home directory. @@ -1759,7 +1762,7 @@ similar to the chroot(@mansectsu@) utility. Path names of the form -\fR~user/path/name\fR +\fI~user/path/name\fR are interpreted as being relative to the named user's home directory. If the user name is omitted, the path will be relative to the runas user's home directory. @@ -1786,11 +1789,11 @@ The following tag values are supported: and \fRNOSETENV\fR. Once a tag is set on a -\fRCmnd\fR, +\fICmnd\fR, subsequent -\fRCmnd\fRs +\fICmnd\fRs in the -\fRCmnd_Spec_List\fR, +\fICmnd_Spec_List\fR, inherit the tag unless it is overridden by the opposite tag (in other words, \fRPASSWD\fR overrides @@ -1800,7 +1803,7 @@ and overrides \fREXEC\fR). .TP 2n -\fIEXEC\fR and \fINOEXEC\fR +\fREXEC\fR and \fRNOEXEC\fR .sp If \fBsudo\fR @@ -1833,16 +1836,17 @@ section below for more details on how works and whether or not it will work on your system. .RE .TP 2n -\fIFOLLOW\fR and \fINOFOLLOW\fR +\fRFOLLOW\fR and \fRNOFOLLOW\fR +.sp Starting with version 1.8.15, \fBsudoedit\fR will not open a file that is a symbolic link unless the \fIsudoedit_follow\fR flag is enabled. The -\fIFOLLOW\fR +\fRFOLLOW\fR and -\fINOFOLLOW\fR +\fRNOFOLLOW\fR tags override the value of \fIsudoedit_follow\fR and can be used to permit (or deny) the editing of symbolic links @@ -1851,7 +1855,7 @@ These tags are only effective for the \fIsudoedit\fR command and are ignored for all other commands. .TP 2n -\fILOG_INPUT\fR and \fINOLOG_INPUT\fR +\fRLOG_INPUT\fR and \fRNOLOG_INPUT\fR .sp These tags override the value of the \fIlog_input\fR @@ -1862,7 +1866,7 @@ in the \fISUDOERS OPTIONS\fR section below. .TP 2n -\fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR +\fRLOG_OUTPUT\fR and \fRNOLOG_OUTPUT\fR .sp These tags override the value of the \fIlog_output\fR @@ -1873,7 +1877,7 @@ in the \fISUDOERS OPTIONS\fR section below. .TP 2n -\fIMAIL\fR and \fINOMAIL\fR +\fRMAIL\fR and \fRNOMAIL\fR .sp These tags provide fine-grained control over whether mail will be sent when a user runs a command by @@ -1888,7 +1892,7 @@ or \fB\-v\fR options. A -\fINOMAIL\fR +\fRNOMAIL\fR tag will also override the \fImail_always\fR and @@ -1903,7 +1907,7 @@ in the \fISUDOERS OPTIONS\fR section below. .TP 2n -\fIPASSWD\fR and \fINOPASSWD\fR +\fRPASSWD\fR and \fRNOPASSWD\fR .sp By default, \fBsudo\fR @@ -1913,12 +1917,12 @@ This behavior can be modified via the \fRNOPASSWD\fR tag. Like a -\fRRunas_Spec\fR, +\fIRunas_Spec\fR, the \fRNOPASSWD\fR tag sets a default for the commands that follow it in the -\fRCmnd_Spec_List\fR. +\fICmnd_Spec_List\fR. Conversely, the \fRPASSWD\fR tag can be used to reverse things. @@ -1966,10 +1970,10 @@ By default, if the \fRNOPASSWD\fR tag is applied to any of a user's entries for the current host, the user will be able to run -\(lq\fRsudo -l\fR\(rq +\(oqsudo -l\(cq without a password. Additionally, a user may only run -\(lq\fRsudo -v\fR\(rq +\(oqsudo -v\(cq without a password if all of the user's entries for the current host have the \fRNOPASSWD\fR @@ -1981,7 +1985,7 @@ and options. .RE .TP 2n -\fISETENV\fR and \fINOSETENV\fR +\fRSETENV\fR and \fRNOSETENV\fR .sp These tags override the value of the \fIsetenv\fR @@ -2008,7 +2012,7 @@ tag is implied for that command; this default may be overridden by use of the \fRNOSETENV\fR tag. .TP 2n -\fIINTERCEPT\fR and \fINOINTERCEPT\fR +\fRINTERCEPT\fR and \fRNOINTERCEPT\fR .sp If \fBsudo\fR @@ -2063,21 +2067,21 @@ fnmatch(3) functions as specified by IEEE Std 1003.1 (\(lqPOSIX.1\(rq). .TP 10n -\fR*\fR +* Matches any set of zero or more characters (including white space). .TP 10n -\fR\&?\fR +\&? Matches any single character (including white space). .TP 10n -\fR[...]\fR +[...] Matches any character in the specified range. .TP 10n -\fR[!...]\fR +[!...] Matches any character \fInot\fR in the specified range. .TP 10n -\fR\ex\fR +\ex For any character \(oqx\(cq, evaluates to @@ -2149,9 +2153,9 @@ below. .SS "Exceptions to wildcard rules" The following exceptions apply to the above rules: .TP 10n -\fR\&""\fR +\&"" If the empty string -\fR\&""\fR +\(oq\&""\(cq is the only command line argument in the \fIsudoers\fR file entry it means that command is not allowed to be run with @@ -2279,14 +2283,14 @@ It is possible to include other files from within the \fIsudoers\fR file currently being parsed using the -\fR@include\fR +\fI@include\fR and -\fR@includedir\fR +\fI@includedir\fR directives. For compatibility with sudo versions prior to 1.9.1, -\fR#include\fR +\fI#include\fR and -\fR#includedir\fR +\fI#includedir\fR are also accepted. .PP An include file can be used, for example, to keep a site-wide @@ -2347,7 +2351,7 @@ contains the line: .nf .sp .RS 4n -\fR@include sudoers.local\fR +@include sudoers.local .RE .fi .PP @@ -2355,7 +2359,7 @@ the file that will be included is \fI/etc/sudoers.local\fR. .PP The file name may also include the -\fR%h\fR +\(oq%h\(cq escape, signifying the short form of the host name. In other words, if the machine's host name is \(lqxerxes\(rq, @@ -2373,7 +2377,7 @@ to include the file \fI/etc/sudoers.xerxes\fR. .PP The -\fR@includedir\fR +\fI@includedir\fR directive can be used to create a \fIsudoers.d\fR directory that the system package manager can drop @@ -2396,6 +2400,7 @@ or contain a \(oq.\&\(cq character to avoid causing problems with package manager or editor temporary/backup files. +.PP Files are parsed in sorted lexical order. That is, \fI/etc/sudoers.d/01_first\fR @@ -2410,14 +2415,14 @@ Using a consistent number of leading zeroes in the file names can be used to avoid such problems. After parsing the files in the directory, control returns to the file that contained the -\fR@includedir\fR +\fI@includedir\fR directive. .PP Unlike files included via -\fR@include\fR, +\fI@include\fR, \fBvisudo\fR will not edit the files in a -\fR@includedir\fR +\fI@includedir\fR directory unless one of them contains a syntax error. It is still possible to run \fBvisudo\fR @@ -2443,11 +2448,11 @@ is a built-in \fIalias\fR that always causes a match to succeed. It can be used wherever one might otherwise use a -\fRCmnd_Alias\fR, -\fRUser_Alias\fR, -\fRRunas_Alias\fR, +\fICmnd_Alias\fR, +\fIUser_Alias\fR, +\fIRunas_Alias\fR, or -\fRHost_Alias\fR. +\fIHost_Alias\fR. Attempting to define an \fIalias\fR named @@ -2460,7 +2465,7 @@ can be dangerous since in a command context, it allows the user to run command on the system. .PP The following option names permitted in an -\fROption_Spec\fR +\fIOption_Spec\fR are also considered reserved words: \fRCHROOT\fR, .if \n(PS \{\ @@ -2491,7 +2496,7 @@ can be used as a logical operator in a list or \fIalias\fR as well as in front of a -\fRCmnd\fR. +\fICmnd\fR. This allows one to exclude certain values. For the \(oq\&!\(cq @@ -2500,7 +2505,7 @@ For example, to match all users except for root one would use: .nf .sp .RS 4n -ALL,!root +ALL, !root .RE .fi .PP @@ -2555,7 +2560,7 @@ when used as part of a word (e.g., a user name or host name): .SH "SUDOERS OPTIONS" \fBsudo\fR's behavior can be modified by -\fRDefault_Entry\fR +\fIDefault_Entry\fR lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. .PP @@ -2564,9 +2569,12 @@ A list of all supported Defaults parameters, grouped by type, are listed below. always_query_group_plugin If a \fIgroup_plugin\fR -is configured, use it to resolve groups of the form %group as long -as there is not also a system group of the same name. -Normally, only groups of the form %:group are passed to the +is configured, use it to resolve groups of the form +\(oq%group\(cq +as long as there is not also a system group of the same name. +Normally, only groups of the form +\(oq%:group\(cq +are passed to the \fIgroup_plugin\fR. This flag is \fIoff\fR @@ -2683,10 +2691,10 @@ automatic restarting of system calls. Unfortunately, not all operating systems do this by default, and even those that do may have bugs. For example, macOS fails to restart the -\fBtcgetattr\fR() +tcgetattr(3) and -\fBtcsetattr\fR() -system calls (this is a bug in macOS). +tcsetattr(3) +functions (this is a bug in macOS). Furthermore, because this behavior depends on the command stopping with the \fRSIGTTIN\fR or @@ -2770,17 +2778,17 @@ Any variables in the caller's environment or in the file specified by the \fIrestricted_env_file\fR setting that match the -\fRenv_keep\fR +\fIenv_keep\fR and -\fRenv_check\fR +\fIenv_check\fR lists are then added, followed by any variables present in the file specified by the \fIenv_file\fR setting (if any). The contents of the -\fRenv_keep\fR +\fIenv_keep\fR and -\fRenv_check\fR +\fIenv_check\fR lists, as modified by global Defaults parameters in \fIsudoers\fR, are displayed when @@ -2874,16 +2882,16 @@ fqdn Set this flag if you want to put fully qualified host names in the \fIsudoers\fR file when the local host name (as returned by the -\fRhostname\fR +\(oqhostname\(cq command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). This flag is only effective when the \(lqcanonical\(rq host name, as returned by the -\fBgetaddrinfo\fR() +getaddrinfo(3) or -\fBgethostbyname\fR() +gethostbyname(3) function, is a fully-qualified domain name. This is usually the case when the system is configured to use DNS for host name resolution. @@ -2933,11 +2941,8 @@ from the network). Just like with the hosts file, you must use the \(lqcanonical\(rq name as DNS knows it. -That is, you may not use a host alias -(\fRCNAME\fR -entry) -due to performance issues and the fact that there is no way to get all -aliases from DNS. +That is, you may not use a host alias (CNAME entry) due to performance +issues and the fact that there is no way to get all aliases from DNS. .sp This flag is \fI@fqdn@\fR @@ -2963,7 +2968,7 @@ by default. ignore_dot If set, \fBsudo\fR -will ignore "." or "" (both denoting current directory) in the +will ignore "." or "" (both denoting the current directory) in the \fRPATH\fR environment variable; the \fRPATH\fR @@ -3002,7 +3007,7 @@ ignore_local_sudoers If set via LDAP, parsing of \fI@sysconfdir@/sudoers\fR will be skipped. -This is intended for Enterprises that wish to prevent the usage of local +This is intended for sites that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR. @@ -3013,7 +3018,7 @@ Since this flag tells \fBsudo\fR how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the -\fRcn=defaults\fR +\(oqcn=defaults\(cq section. This flag is \fIoff\fR @@ -3150,15 +3155,15 @@ If set, \fBsudoers\fR will log when a command spawns a child process and executes a program using the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +execv(3), +execvp(3), +execvpe(3), or -\fBsystem\fR() +system(3) library functions. For example, if a shell is run by \fBsudo\fR, @@ -3294,7 +3299,7 @@ This works well on systems where the number of groups listed in the \fIsudoers\fR file is larger than the number of groups a typical user belongs to. On systems where group lookups are slow, where users may belong -to a large number of groups, and where the number of groups listed +to a large number of groups, or where the number of groups listed in the \fIsudoers\fR file is relatively small, it may be prohibitively expensive and @@ -3346,7 +3351,7 @@ tag has been set, unless overridden by an \fRNOINTERCEPT\fR tag. See the description of -\fIINTERCEPT and NOINTERCEPT\fR +\fRINTERCEPT and NOINTERCEPT\fR above as well as the \fIPreventing shell escapes\fR section at the end of this manual. @@ -3373,7 +3378,7 @@ is enable. This flag has no effect unless the \fIintercept\fR flag is enabled or the -\fIINTERCEPT\fR +\fRINTERCEPT\fR tag has been set for the command. This flag is \fIon\fR @@ -3396,7 +3401,7 @@ subsequent commands will need to be authenticated. This flag has no effect unless the \fIintercept\fR flag is enabled or the -\fIINTERCEPT\fR +\fRINTERCEPT\fR tag has been set for the command. This flag is \fIoff\fR @@ -3436,7 +3441,7 @@ file system is available. This flag has no effect unless the \fIintercept\fR flag is enabled or the -\fIINTERCEPT\fR +\fRINTERCEPT\fR tag has been set for the command and the \fIintercept_type\fR option is set to @@ -3453,9 +3458,9 @@ tuple: host name, user name, and domain (if one is set). Historically, \fBsudo\fR only matched the user name and domain for netgroups used in a -\fRUser_List\fR +\fIUser_List\fR and only matched the host name and domain for netgroups used in a -\fRHost_List\fR. +\fIHost_List\fR. This flag is \fIoff\fR by default. @@ -3469,7 +3474,7 @@ tag has been set, unless overridden by an \fREXEC\fR tag. See the description of -\fIEXEC and NOEXEC\fR +\fREXEC and NOEXEC\fR above as well as the \fIPreventing shell escapes\fR section at the end of this manual. @@ -3685,7 +3690,7 @@ Disabling this prevents users from \(lqchaining\(rq \fBsudo\fR commands to get a root shell by doing something like -\(lq\fRsudo sudo /bin/sh\fR\(rq. +\(oqsudo sudo /bin/sh\(cq. Note, however, that turning off \fIroot_sudo\fR will also prevent root from running @@ -3710,7 +3715,7 @@ runas_allow_unknown_id If enabled, allow matching of runas user and group IDs that are not present in the password or group databases. In addition to explicitly matching unknown user or group IDs in a -\fRRunas_List\fR, +\fIRunas_List\fR, this option also allows the \fBALL\fR alias to match unknown IDs. @@ -3730,7 +3735,7 @@ If enabled, will only run commands as a user whose shell appears in the \fI/etc/shells\fR file, even if the invoking user's -\fRRunas_List\fR +\fIRunas_List\fR would otherwise permit it. If no \fI/etc/shells\fR @@ -3750,8 +3755,7 @@ If set, \fBsudo\fR will prompt for the password of the user defined by the \fIrunas_default\fR -option (defaults to -\fR@runas_default@\fR) +option (defaults to @runas_default@) instead of the password of the invoking user when running a command or editing a file. This flag is @@ -3926,9 +3930,9 @@ option can be enabled to allow \fBsudoedit\fR to open symbolic links. It may be overridden on a per-command basis by the -\fIFOLLOW\fR +\fRFOLLOW\fR and -\fINOFOLLOW\fR +\fRNOFOLLOW\fR tags. This flag is \fIoff\fR @@ -3952,8 +3956,7 @@ If set, will prompt for the password of the user specified by the \fB\-u\fR -option (defaults to -\fRroot\fR) +option (defaults to root) instead of the password of the invoking user when running a command or editing a file. This flag precludes the use of a user-ID not listed in the passwd @@ -4058,7 +4061,7 @@ If a timeout is specified both in the \fIsudoers\fR file and on the command line, the smaller of the two timeouts will be used. See the -\fRTimeout_Spec\fR +\fITimeout_Spec\fR section for a description of the timeout syntax. This flag is \fIoff\fR @@ -4088,7 +4091,7 @@ flag is set, \fBsudo\fR will prompt for a password even when it would be visible on the screen. This makes it possible to run things like -\(lq\fRssh somehost sudo ls\fR\(rq +\(oqssh somehost sudo ls\(cq since by default, ssh(1) does @@ -4108,14 +4111,13 @@ The \fIclosefrom\fR option can be used to specify a different file descriptor at which to start closing. -The default is -\fR3\fR. +The default is 3. .TP 18n command_timeout The maximum amount of time a command is allowed to run before it is terminated. See the -\fRTimeout_Spec\fR +\fITimeout_Spec\fR section for a description of the timeout syntax. .sp This setting is only supported by version 1.8.20 or higher. @@ -4124,7 +4126,7 @@ log_server_timeout The maximum amount of time to wait when connecting to a log server or waiting for a server response. See the -\fRTimeout_Spec\fR +\fITimeout_Spec\fR section for a description of the timeout syntax. The default value is 30 seconds. .sp @@ -4132,12 +4134,12 @@ This setting is only supported by version 1.9.0 or higher. .TP 18n maxseq The maximum sequence number that will be substituted for the -\(lq\fR%{seq}\fR\(rq +\(oq%{seq}\(cq escape in the I/O log file (see the \fIiolog_dir\fR description below for more information). While the value substituted for -\(lq\fR%{seq}\fR\(rq +\(oq%{seq}\(cq is in base 36, \fImaxseq\fR itself should be expressed in decimal. @@ -4161,8 +4163,7 @@ passwd_tries The number of tries a user gets to enter his/her password before \fBsudo\fR logs the failure and exits. -The default is -\fR@passwd_tries@\fR. +The default is @passwd_tries@. .TP 18n syslog_maxlen On many systems, @@ -4194,22 +4195,15 @@ loglinelen Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. -The default is -\fR@loglen@\fR -(use 0 or negate the option to disable word wrap). +The default is @loglen@ (use 0 or negate the option to disable word wrap). .TP 18n passwd_timeout Number of minutes before the \fBsudo\fR -password prompt times out, or -\fR0\fR -for no timeout. +password prompt times out, or 0 for no timeout. The timeout may include a fractional component -if minute granularity is insufficient, for example -\fR2.5\fR. -The -default is -\fR@password_timeout@\fR. +if minute granularity is insufficient, for example 2.5. +The default is @password_timeout@. .TP 18n timestamp_timeout .br @@ -4217,20 +4211,15 @@ Number of minutes that can elapse before \fBsudo\fR will ask for a password again. The timeout may include a fractional component if -minute granularity is insufficient, for example -\fR2.5\fR. -The default is -\fR@timeout@\fR. -Set this to -\fR0\fR -to always prompt for a password. -If set to a value less than -\fR0\fR -the user's time stamp will not expire until the system is rebooted. +minute granularity is insufficient, for example 2.5. +The default is @timeout@. +Set this to 0 to always prompt for a password. +If set to a value less than 0 the user's time stamp will not expire +until the system is rebooted. This can be used to allow users to create or delete their own time stamps via -\(lq\fRsudo -v\fR\(rq +\(oqsudo -v\(cq and -\(lq\fRsudo -k\fR\(rq +\(oqsudo -k\(cq respectively. .TP 18n umask @@ -4243,10 +4232,8 @@ Unless the flag is set, the actual umask will be the union of the user's umask and the value of the \fIumask\fR -setting, which defaults to -\fR@sudo_umask@\fR. -This guarantees -that +setting, which defaults to @sudo_umask@. +This guarantees that \fBsudo\fR never lowers the umask when running a command. .sp @@ -4274,7 +4261,7 @@ The default can be overridden for individual \fIsudoers\fR entries by specifying the -\fIAPPARMOR_PROFILE\fR +\fRAPPARMOR_PROFILE\fR option. This option is only available when sudo is built with AppArmor support. @@ -4285,12 +4272,12 @@ The message may include the \(oq%d\(cq escape which will expand to the number of failed password attempts. If set, it overrides the default message, -\fR%d incorrect password attempt(s)\fR. +\(lq%d incorrect password attempt(s)\(rq. .TP 18n badpass_message Message that is displayed if a user enters an incorrect password. The default is -\fR@badpass_message@\fR +\(lq@badpass_message@\(rq unless insults are enabled. .TP 18n editor @@ -4348,15 +4335,15 @@ It has the following possible values: .TP 8n dso Preload a dynamic shared object (shared library) that intercepts the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +execv(3), +execvp(3), +execvpe(3), and -\fBsystem\fR() +system(3) library functions. A value of \fIdso\fR @@ -4416,30 +4403,30 @@ escape sequences are supported: .RS 18n .PD 0 .TP 6n -\fR%{seq}\fR +%{seq} expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g., \fI01/00/A5\fR .PD .TP 6n -\fR%{user}\fR +%{user} expanded to the invoking user's login name .TP 6n -\fR%{group}\fR +%{group} expanded to the name of the invoking user's real group-ID .TP 6n -\fR%{runas_user}\fR +%{runas_user} expanded to the login name of the user the command will be run as (e.g., root) .TP 6n -\fR%{runas_group}\fR +%{runas_group} expanded to the group name of the user the command will be run as (e.g., wheel) .TP 6n -\fR%{hostname}\fR +%{hostname} expanded to the local host name without the domain name .TP 6n -\fR%{command}\fR +%{command} expanded to the base name of the command being run .PP In addition, any escape sequences supported by the system's @@ -4468,7 +4455,7 @@ tags are present for a command. \fIiolog_file\fR may contain directory components. The default is -\(lq\fR%{seq}\fR\(rq. +\(oq%{seq}\(cq. .sp See the \fIiolog_dir\fR @@ -4478,9 +4465,9 @@ escape sequences. .sp In addition to the escape sequences, path names that end in six or more -\fRX\fRs +\fIX\fRs will have the -\fRX\fRs +\fIX\fRs replaced with a unique combination of digits and letters, similar to the mktemp(3) function. @@ -4494,7 +4481,7 @@ overwritten unless \fIiolog_file\fR ends in six or more -\fRX\fRs. +\fIX\fRs. .TP 18n iolog_flush If set, @@ -4629,10 +4616,10 @@ Subject of the mail sent to the \fImailto\fR user. The escape -\fR%h\fR +\(oq%h\(cq will expand to the host name of the machine. Default is -\(lq\fR@mailsub@\fR\(rq. +\(lq@mailsub@\(rq. .TP 18n noexec_file As of @@ -4648,9 +4635,9 @@ name used when the \fB\-A\fR option is specified. The default value is either -\(lq\fR@pam_service@\fR\(rq +\(oq@pam_service@\(cq or -\(lq\fR@pam_login_service@\fR\(rq, +\(oq@pam_login_service@\(cq, depending on whether or not the \fB\-i\fR option is also specified. @@ -4667,7 +4654,7 @@ name used when the \fB\-i\fR option is specified. The default value is -\(lq\fR@pam_login_service@\fR\(rq. +\(oq@pam_login_service@\(cq. See the description of \fIpam_service\fR for more information. @@ -4683,7 +4670,7 @@ file or a file in the \fI/etc/pam.d\fR directory. The default value is -\(lq\fRsudo\fR\(rq. +\(oqsudo\(cq. .sp This setting is only supported by version 1.8.8 or higher. .TP 18n @@ -4700,17 +4687,17 @@ escape sequences are supported: .RS 18n .PD 0 .TP 6n -\fR%H\fR +%H expanded to the local host name including the domain name (only if the machine's host name is fully qualified or the \fIfqdn\fR option is set) .PD .TP 6n -\fR%h\fR +%h expanded to the local host name without the domain name .TP 6n -\fR%p\fR +%p expanded to the user whose password is being asked for (respects the \fIrootpw\fR, \fItargetpw\fR @@ -4719,18 +4706,18 @@ and flags in \fIsudoers\fR) .TP 6n -\fR\&%U\fR +\&%U expanded to the login name of the user the command will be run as (defaults to root) .TP 6n -\fR%u\fR +%u expanded to the invoking user's login name .TP 6n -\fR%%\fR +%% two consecutive -\fR%\fR +\(oq%\(cq characters are collapsed into a single -\fR%\fR +\(oq%\(cq character .PP On systems that use PAM for authentication, @@ -4747,7 +4734,7 @@ The flag can be used to change this behavior. .sp The default value is -\(lq\fR@passprompt@\fR\(rq. +\(oq@passprompt@\(cq. .RE .if \n(PS \{\ .TP 18n @@ -4785,15 +4772,14 @@ runas_default The default user to run commands as if the \fB\-u\fR option is not specified on the command line. -This defaults to -\fR@runas_default@\fR. +This defaults to @runas_default@. .TP 18n sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. Changing the locale may affect how sudoers is interpreted. Defaults to -\(lq\fRC\fR\(rq. +\(oqC\(cq. .TP 18n timestamp_type \fBsudoers\fR @@ -4820,10 +4806,7 @@ process ID (usually the shell). Commands run from the same shell (or other common parent process) will not require a password for \fItimestamp_timeout\fR -minutes -(\fR@timeout@\fR -by default) -\&. +minutes (@timeout@ by default). Commands run via \fBsudo\fR with a different parent process ID, for example from a shell script, @@ -4836,10 +4819,7 @@ If no terminal is present, the behavior is the same as \fIppid\fR. Commands run from the same terminal will not require a password for \fItimestamp_timeout\fR -minutes -(\fR@timeout@\fR -by default) -\&. +minutes (@timeout@ by default). .TP 8n kernel The time stamp is stored in the kernel as an attribute of the terminal @@ -4870,8 +4850,7 @@ The default is timestampowner The owner of the lecture status directory, time stamp directory and all files stored therein. -The default is -\fRroot\fR. +The default is root. .if \n(SL \{\ .TP 18n type @@ -4902,7 +4881,7 @@ is configured with the \fR--enable-admin-flag\fR option. The default value is -\fR~/.sudo_as_admin_successful\fR. +\fI~/.sudo_as_admin_successful\fR. .TP 14n env_file The @@ -4910,9 +4889,9 @@ The option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form -\(lq\fRVARIABLE=value\fR\(rq +\(oqVARIABLE=value\(cq or -\(lq\fRexport VARIABLE=value\fR\(rq. +\(oqexport VARIABLE=value\(cq. The value may optionally be enclosed in single or double quotes. Variables in this file are only added if the variable does not already exist in the environment. @@ -4927,7 +4906,7 @@ and exempt_group Users in this group are exempt from password and PATH requirements. The group name specified should not include a -\fR%\fR +\(oq%\(cq prefix. This is not set by default. .TP 14n @@ -4980,7 +4959,7 @@ alias. .sp This setting is only supported by version 1.8.20 or higher. If the operating system does not support the -\fBfexecve\fR() +fexecve(2) system call, this setting has no effect. .RE .TP 14n @@ -5173,7 +5152,7 @@ The address should be enclosed in double quotes to protect against \fBsudo\fR interpreting the -\fR@\fR +\(oq@\(cq sign. Defaults to the name of the user running \fBsudo\fR. @@ -5187,10 +5166,9 @@ The address should be enclosed in double quotes to protect against \fBsudo\fR interpreting the -\fR@\fR +\(oq@\(cq sign. -Defaults to -\fR@mailto@\fR. +Defaults to @mailto@. .TP 14n rlimit_as The maximum size to which the process's address space may grow (in bytes), @@ -5269,9 +5247,9 @@ The option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form -\(lq\fRVARIABLE=value\fR\(rq +\(oqVARIABLE=value\(cq or -\(lq\fRexport VARIABLE=value\fR\(rq. +\(oqexport VARIABLE=value\(cq. The value may optionally be enclosed in single or double quotes. Variables in this file are only added if the variable does not already exist in the environment. @@ -5316,7 +5294,7 @@ It is only possible to use \fIrunchroot\fR as a command-specific Defaults setting if the command exists with the same path both inside and outside the chroot jail. -This restriction does not apply to generic, host, or user-based +This restriction does not apply to global, host, or user-based Defaults settings or to a \fICmnd_Spec\fR that includes a @@ -5361,8 +5339,7 @@ This option is @secure_path@ by default. syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). -Defaults to -\fR@logfac@\fR. +Defaults to @logfac@. .sp The following syslog facilities are supported: \fBauthpriv\fR @@ -5385,8 +5362,7 @@ syslog_badpri .br Syslog priority to use when the user is not allowed to run a command or when authentication is unsuccessful. -Defaults to -\fR@badpri@\fR. +Defaults to @badpri@. .sp The following syslog priorities are supported: \fBalert\fR, @@ -5406,8 +5382,7 @@ will disable logging of unsuccessful commands. syslog_goodpri Syslog priority to use when the user is allowed to run a command and authentication is successful. -Defaults to -\fR@goodpri@\fR. +Defaults to @goodpri@. .sp See \fIsyslog_badpri\fR @@ -5511,16 +5486,16 @@ The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -\fR=\fR, -\fR+=\fR, -\fR-=\fR, +\(oq=\(cq, +\(oq+=\(cq, +\(oq-=\(cq, and -\fR\&!\fR +\(oq\&!\(cq operators respectively. Regardless of whether the -\fRenv_reset\fR +\fIenv_reset\fR option is enabled or disabled, variables specified by -\fRenv_check\fR +\fIenv_check\fR will be preserved in the environment if they pass the aforementioned check. The global list of environment variables to check is displayed when \fBsudo\fR @@ -5537,11 +5512,11 @@ option is not in effect. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -\fR=\fR, -\fR+=\fR, -\fR-=\fR, +\(oq=\(cq, +\(oq+=\(cq, +\(oq-=\(cq, and -\fR\&!\fR +\(oq\&!\(cq operators respectively. The global list of environment variables to remove is displayed when \fBsudo\fR @@ -5562,11 +5537,11 @@ processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -\fR=\fR, -\fR+=\fR, -\fR-=\fR, +\(oq=\(cq, +\(oq+=\(cq, +\(oq-=\(cq, and -\fR\&!\fR +\(oq\&!\(cq operators respectively. The global list of variables to keep is displayed when @@ -5664,7 +5639,7 @@ plugin supports its own plugin interface to allow non-Unix group lookups which can query a group source other than the standard Unix group database. This can be used to implement support for the -\fRnonunix_group\fR +\fInonunix_group\fR syntax described earlier. .PP Group provider plugins are specified via the @@ -5703,9 +5678,9 @@ system_group The \fIsystem_group\fR plugin supports group lookups via the standard C library functions -\fBgetgrnam\fR() +getgrnam(3) and -\fBgetgrid\fR(). +getgrid(3). This plugin can be used in instances where the user belongs to groups not present in the user's supplemental group vector. This plugin takes no options: @@ -5819,7 +5794,7 @@ The actual command that was executed. Messages are logged using the locale specified by \fIsudoers_locale\fR, which defaults to the -\(lq\fRC\fR\(rq +\(oqC\(cq locale. .SS "Denied command log entries" If the user is not allowed to run the command, the reason for the denial @@ -5909,7 +5884,7 @@ is the user-ID that owns the \fIsudoers\fR file) to the end of the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. @@ -5938,7 +5913,7 @@ is the user-ID that owns the \fIsudoers\fR file) to the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. @@ -5955,7 +5930,7 @@ The default mode may be changed via the \(lqsudoers_mode\(rq option to the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. @@ -5974,7 +5949,7 @@ is the group-ID that owns the \fIsudoers\fR file) to the \fBsudoers\fR -\fRPlugin\fR +\fIPlugin\fR line in the sudo.conf(@mansectform@) file. @@ -6021,7 +5996,7 @@ The and \fIprogname\fR fields are added by the system's -\fBsyslog\fR() +syslog(3) function, not \fBsudoers\fR itself. @@ -6088,7 +6063,7 @@ by default) using a unique session ID that is included in the \fBsudo\fR log line, prefixed with -\(lq\fRTSID=\fR\(rq. +\(oqTSID=\(cq. The \fIiolog_file\fR option may be used to control the format of the session ID. @@ -6155,12 +6130,12 @@ if no terminal was present. .TP 10n runargv A JSON array representing the command's argument vector as passed to the -\fBexecve\fR() +execve(2) system call. .TP 10n runenv A JSON array representing the command's environment as passed to the -\fBexecve\fR() +execve(2) system call. .TP 10n rungid @@ -6414,12 +6389,12 @@ or \fRUSER\fR environment variables when running commands as root. Additionally, on the machines in the -\fISERVERS\fR -\fRHost_Alias\fR, +\fRSERVERS\fR +\fIHost_Alias\fR, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the PAGERS -\fRCmnd_Alias\fR +\fICmnd_Alias\fR (\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and @@ -6497,17 +6472,12 @@ jack CSNETS = ALL The user \fBjack\fR may run any command on the machines in the -\fICSNETS\fR -alias (the networks -\fR128.138.243.0\fR, -\fR128.138.204.0\fR, -and -\fR128.138.242.0\fR). -Of those networks, only -\fR128.138.204.0\fR -has an explicit netmask (in CIDR notation) indicating it is a class C network. +\fRCSNETS\fR +alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). +Of those networks, only 128.138.204.0 has an explicit netmask (in +CIDR notation) indicating it is a class C network. For the other networks in -\fICSNETS\fR, +\fRCSNETS\fR, the local machine's netmask will be used during matching. .nf .sp @@ -6519,9 +6489,8 @@ lisa CUNETS = ALL The user \fBlisa\fR may run any command on any host in the -\fICUNETS\fR -alias (the class B network -\fR128.138.0.0\fR). +\fRCUNETS\fR +alias (the class B network 128.138.0.0). .nf .sp .RS 0n @@ -6573,8 +6542,8 @@ group may run commands in \fI/usr/sbin/\fR as themselves with any group in the -\fIADMINGRP\fR -\fRRunas_Alias\fR +\fRADMINGRP\fR +\fIRunas_Alias\fR (the \fBadm\fR and @@ -6585,7 +6554,7 @@ The user \fBpete\fR is allowed to change anyone's password except for root on the -\fIHPPA\fR +\fRHPPA\fR machines. Because command line arguments are matched as a single, concatenated string, the @@ -6620,12 +6589,12 @@ bob SPARC = (OP) ALL : SGI = (OP) ALL The user \fBbob\fR may run anything on the -\fISPARC\fR +\fRSPARC\fR and -\fISGI\fR +\fRSGI\fR machines as any user listed in the -\fIOP\fR -\fRRunas_Alias\fR +\fROP\fR +\fIRunas_Alias\fR (\fBroot\fR and \fBoperator\fR.) @@ -6668,8 +6637,8 @@ fred ALL = (DB) NOPASSWD: ALL The user \fBfred\fR can run commands as any user in the -\fIDB\fR -\fRRunas_Alias\fR +\fRDB\fR +\fIRunas_Alias\fR (\fBoracle\fR or \fBsybase\fR) @@ -6682,7 +6651,7 @@ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* .fi .PP On the -\fIALPHA\fR +\fRALPHA\fR machines, user \fBjohn\fR may su to anyone except root but he is not allowed to specify any options @@ -6699,8 +6668,8 @@ jen ALL, !SERVERS = ALL The user \fBjen\fR may run any command on any machine except for those in the -\fISERVERS\fR -\fRHost_Alias\fR +\fRSERVERS\fR +\fIHost_Alias\fR (primary, mail, www, and ns). .nf .sp @@ -6710,21 +6679,21 @@ jill SERVERS = /usr/bin/, !SU, !SHELLS .fi .PP For any machine in the -\fISERVERS\fR -\fRHost_Alias\fR, +\fRSERVERS\fR +\fIHost_Alias\fR, \fBjill\fR may run any commands in the directory \fI/usr/bin/\fR except for those commands belonging to the -\fISU\fR +\fRSU\fR and -\fISHELLS\fR -\fRCmnd_Aliases\fR. +\fRSHELLS\fR +\fICmnd_Aliases\fR. While not specifically mentioned in the rule, the commands in the -\fIPAGERS\fR -\fRCmnd_Alias\fR +\fRPAGERS\fR +\fICmnd_Alias\fR all reside in \fI/usr/bin\fR and have the @@ -6759,8 +6728,8 @@ WEBADMIN www = (www) ALL, (root) /usr/bin/su www .fi .PP On the host www, any user in the -\fIWEBADMIN\fR -\fRUser_Alias\fR +\fRWEBADMIN\fR +\fIUser_Alias\fR (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply su(1) @@ -6774,7 +6743,7 @@ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e .fi .PP Any user may mount or unmount a CD-ROM on the machines in the CDROM -\fRHost_Alias\fR +\fIHost_Alias\fR (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. @@ -6800,9 +6769,9 @@ bill ALL = ALL, !SU, !SHELLS Doesn't really prevent \fBbill\fR from running the commands listed in -\fISU\fR +\fRSU\fR or -\fISHELLS\fR +\fRSHELLS\fR since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered @@ -6839,13 +6808,13 @@ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e User \fBjohn\fR can still run -\fR/usr/bin/passwd root\fR +\(oq/usr/bin/passwd root\(cq if \fIfast_glob\fR is enabled by changing to \fI/usr/bin\fR and running -\fR./passwd root\fR +\(oq./passwd root\(cq instead. .PP Another potential issue is that when @@ -6982,15 +6951,15 @@ It does this by setting an environment variable (usually \fRLD_PRELOAD\fR) to the path of a dynamic shared object, or shared library, containing custom versions of the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +execv(3), +execvp(3), +execvpe(3), and -\fBsystem\fR() +system(3) library functions that connect back to \fBsudo\fR for a policy decision. @@ -7134,26 +7103,26 @@ The \fInoexec\fR functionality is capable of blocking execution of commands run via the -\fBexecl\fR(), -\fBexecle\fR(), -\fBexeclp\fR(), -\fBexect\fR(), -\fBexecv\fR(), -\fBexecve\fR(), -\fBexecveat\fR(), -\fBexecvP\fR(), -\fBexecvp\fR(), -\fBexecvpe\fR(), -\fBfexecve\fR(), -\fBpopen\fR(), -\fBposix_spawn\fR(), -\fBposix_spawnp\fR(), -\fBsystem\fR(), +execve(2), +execl(3), +execle(3), +execlp(3), +exect(3), +execv(3), +execveat(3), +execvP(3), +execvp(3), +execvpe(3), +fexecve(3), +popen(3), +posix_spawn(3), +posix_spawnp(3), +system(3), and -\fBwordexp\fR() +wordexp(3) functions. On Linux, a -\fBseccomp\fR() +seccomp(2) filter is used to implement \fInoexec\fR. On Solaris 10 and higher, @@ -7396,11 +7365,11 @@ The following subsystems are used by the plugin: .TP 10n \fIalias\fR -\fRUser_Alias\fR, -\fRRunas_Alias\fR, -\fRHost_Alias\fR +\fIUser_Alias\fR, +\fIRunas_Alias\fR, +\fIHost_Alias\fR and -\fRCmnd_Alias\fR +\fICmnd_Alias\fR processing .TP 10n \fIall\fR @@ -7530,7 +7499,7 @@ When using netgroups of machines (as opposed to users), if you store fully qualified host name in the netgroup (as is usually the case), you either need to have the machine's host name be fully qualified as returned by the -\fRhostname\fR +\fIhostname\fR command or use the \fIfqdn\fR option in diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in index 823bd209a..5e93a2c77 100644 --- a/docs/sudoers.mdoc.in +++ b/docs/sudoers.mdoc.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd August 25, 2022 +.Dd September 13, 2022 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -60,7 +60,7 @@ file to determine which plugins to load. If no .Xr sudo.conf @mansectform@ file is present, or if it contains no -.Li Plugin +.Em Plugin lines, .Nm will be used for auditing, policy decisions and I/O logging. @@ -195,7 +195,7 @@ used for such mail is configurable via the .Em mailto Defaults entry (described later) and defaults to -.Li @mailto@ . +.Em @mailto@ . .Pp No mail will be sent if an unauthorized user tries to run .Nm sudo @@ -247,13 +247,10 @@ terminal session ID, the start time of the session leader (using a monotonic clock if one is available). The user may then use .Nm sudo -without a password for a short period of time -.Po -.Li @timeout@ -minutes unless overridden by the +without a password for a short period of time (@timeout@ minutes +unless overridden by the .Em timestamp_timeout -option -.Pc . +option). By default, .Nm uses a separate record for each terminal, which means that @@ -298,9 +295,9 @@ the and .Em log_output options as well as the -.Li LOG_INPUT +.Dv LOG_INPUT and -.Li LOG_OUTPUT +.Dv LOG_OUTPUT command tags. See .Sx "I/O LOG FILES" @@ -390,7 +387,7 @@ This avoids an inconsistent environment where one of the variables describing the user name is set to the invoking user and one is set to the target user. Environment variables with a value beginning with -.Li () +.Ql () are removed unless both the name and value parts are matched by .Em env_keep or @@ -410,7 +407,7 @@ and options are allowed and their values are inherited from the invoking process. Prior to version 1.8.21, environment variables with a value beginning with -.Li () +.Ql () were always removed. Beginning with version 1.8.21, a pattern in .Em env_delete @@ -445,7 +442,7 @@ env_keep += "BASH_FUNC_my_func%%=()*" .Ed .Pp Without the -.Dq Li =()* +.Ql =()* suffix, this would not match, as .Sy bash shell functions are not preserved by default. @@ -600,7 +597,7 @@ By default, uses the operating system's native method of setting resource limits for the target user. On Linux systems, resource limits are usually set by the -.Li pam_limits.so +.Pa pam_limits.so PAM module. On some BSD systems, the .Pa /etc/login.conf @@ -674,9 +671,10 @@ are only supported by version 1.8.7 or higher. EBNF is a concise and exact way of describing the grammar of a language. Each EBNF definition is made up of .Em production rules . -E.g., -.Pp -.Li symbol ::= definition | alternate1 | alternate2 ... +For example: +.Bd -literal -offset 4n +symbol ::= definition | alternate1 | alternate2 ... +.Ed .Pp Each .Em production rule @@ -689,13 +687,13 @@ Do not, however, confuse them with .Dq wildcard characters, which have different meanings. .Bl -tag -width 4n -.It Li \&? +.It \&? Means that the preceding symbol (or group of symbols) is optional. That is, it may appear once or not at all. -.It Li * +.It * Means that the preceding symbol (or group of symbols) may appear zero or more times. -.It Li + +.It + Means that the preceding symbol (or group of symbols) may appear one or more times. .El @@ -707,17 +705,17 @@ we will use single quotes to designate what is a verbatim character string (as opposed to a symbol name). .Ss Aliases There are four kinds of aliases: -.Li User_Alias , -.Li Runas_Alias , -.Li Host_Alias +.Em User_Alias , +.Em Runas_Alias , +.Em Host_Alias and -.Li Cmnd_Alias . +.Em Cmnd_Alias . Beginning with .Nm sudo 1.9.0, -.Li Cmd_Alias +.Em Cmd_Alias may be used in place of -.Li Cmnd_Alias +.Em Cmnd_Alias if desired. .Bd -literal Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* | @@ -755,25 +753,25 @@ Alias_Type NAME = item1, item2, ... where .Em Alias_Type is one of -.Li User_Alias , -.Li Runas_Alias , -.Li Host_Alias , +.Em User_Alias , +.Em Runas_Alias , +.Em Host_Alias , or -.Li Cmnd_Alias . +.Em Cmnd_Alias . A -.Li NAME +.Dv NAME is a string of uppercase letters, numbers, and underscore characters .Pq Ql _ . A -.Li NAME +.Dv NAME .Sy must start with an uppercase letter. It is possible to put several alias definitions of the same type on a single line, joined by a colon .Pq Ql :\& . -E.g., +For example: .Bd -literal Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 .Ed @@ -802,7 +800,7 @@ User ::= '!'* user name | .Ed .Pp A -.Li User_List +.Em User_List is made up of one or more user names, user-IDs (prefixed with .Ql # ) , @@ -817,7 +815,7 @@ non-Unix group names and IDs (prefixed with and .Ql %:# respectively), and -.Li User_Alias Ns es. +.Em User_Alias Ns es. Each list item may be prefixed with zero or more .Ql \&! operators. @@ -829,14 +827,14 @@ User netgroups are matched using the user and domain members only; the host member is not used when matching. .Pp A -.Li user name , -.Li user-ID , -.Li group , -.Li group-ID , -.Li netgroup , -.Li nonunix_group +.Em user name , +.Em user-ID , +.Em group , +.Em group-ID , +.Em netgroup , +.Em nonunix_group or -.Li nonunix_gid +.Em nonunix_gid may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters @@ -846,9 +844,9 @@ using double quotes, any prefix characters must be included inside the quotes. .Pp The actual -.Li nonunix_group +.Em nonunix_group and -.Li nonunix_gid +.Em nonunix_gid syntax depends on the underlying group provider plugin. For instance, the QAS AD plugin supports the following formats: @@ -889,21 +887,21 @@ Runas_Member ::= '!'* user name | .Ed .Pp A -.Li Runas_List +.Em Runas_List is similar to a -.Li User_List +.Em User_List except that instead of -.Li User_Alias Ns es +.Em User_Alias Ns es it can contain -.Li Runas_Alias Ns es . +.Em Runas_Alias Ns es . User names and groups are matched as strings. In other words, two users (groups) with the same user (group) ID are considered to be distinct. If you wish to match all user names with the same user-ID (e.g., root and toor), you can use a user-ID instead of a name (#0 in the example given). The user-ID or group-ID specified in a -.Li Runas_Member +.Em Runas_Member need not be listed in the password or group database. .Bd -literal Host_List ::= Host | @@ -918,7 +916,7 @@ Host ::= '!'* host name | .Ed .Pp A -.Li Host_List +.Em Host_List is made up of one or more host names, IP addresses, network numbers, netgroups (prefixed with .Ql + ) , @@ -940,7 +938,7 @@ A host name may include shell-style wildcards (see the .Sx Wildcards section below), but unless the -.Li host name +.Em hostname command on your machine returns the fully qualified host name, you'll need to use the .Em fqdn @@ -987,7 +985,7 @@ Cmnd ::= Digest_List? '!'* command | .Ed .Pp A -.Li Cmnd_List +.Em Cmnd_List is a list of one or more commands, directories, or aliases. A command is a fully qualified file name, which may include shell-style wildcards (see the @@ -1004,7 +1002,7 @@ A directory is a fully qualified path name ending in a .Ql / . When you specify a directory in a -.Li Cmnd_List , +.Em Cmnd_List , the user will be able to run any file within that directory (but not in any sub-directories therein). If no command line arguments are specified, the user may run the @@ -1015,19 +1013,19 @@ expression that starts with and ends with .Ql $ . If the command line arguments consist of -.Li \&"" , +.Ql \&"" , the command may only be run with .Em no arguments. .Pp If a -.Li Cmnd +.Em Cmnd has associated command line arguments, the arguments in the -.Li Cmnd +.Em Cmnd must match those given by the user on the command line. If the arguments in a -.Li Cmnd +.Em Cmnd begin with the .Ql ^ character, they will be interpreted as a regular expression @@ -1042,7 +1040,7 @@ if they are used in command arguments: .Ql =\& , .Ql \e . To prevent arguments in a -.Li Cmnd +.Em Cmnd that begin with a .Ql ^ character from being interpreted as a regular expression, the @@ -1051,7 +1049,7 @@ must be escaped with a .Ql \e . .Pp The built-in command -.Dq Li sudoedit +.Dq sudoedit is used to permit a user to run .Nm sudo with the @@ -1060,7 +1058,7 @@ option (or as .Nm sudoedit ) . It may take command line arguments just as a normal command does. Unlike other commands, -.Dq Li sudoedit +.Dq sudoedit is built into .Nm sudo itself and must be specified in the @@ -1071,27 +1069,27 @@ a leading path. If a leading path is present, for example .Pa /usr/bin/sudoedit , the path name will be silently converted to -.Dq Li sudoedit . +.Dq sudoedit . A fully-qualified path for .Nm sudoedit is treated as an error by .Nm visudo . .Pp A -.Li command +.Em command may be preceded by a -.Li Digest_List , +.Em Digest_List , a comma-separated list of one or more -.Li Digest_Spec +.Em Digest_Spec entries. If a -.Li Digest_List +.Em Digest_List is present, the command will only match successfully if it can be verified using one of the SHA-2 digests in the list. Starting with version 1.9.0, the .Sy ALL reserved word can be used in conjunction with a -.Li Digest_List . +.Em Digest_List . The following digest formats are supported: sha224, sha256, sha384, and sha512. The string may be specified in either hex or base64 format (base64 is more compact). @@ -1115,7 +1113,7 @@ Warning, if the user has write access to the command itself (directly or via a command), it may be possible for the user to replace the command after the digest check has been performed but before the command is executed. A similar race condition exists on systems that lack the -.Fn fexecve +.Xr fexecve 2 system call when the directory in which the command is located is writable by the user. See the description of the @@ -1128,13 +1126,13 @@ Command digests are only supported by version 1.8.7 or higher. .Ss Defaults Certain configuration options may be changed from their default values at run-time via one or more -.Li Default_Entry +.Em Default_Entry lines. These may affect all users on any host, all users on a specific host, a specific user, a specific command, or commands being run as a specific user. Per-command entries may not include command line arguments. If you need to specify arguments, define a -.Li Cmnd_Alias +.Em Cmnd_Alias and reference that instead. .Bd -literal @@ -1192,16 +1190,16 @@ or function. .Pp Lists have two additional assignment operators, -.Li += +.Ql += and -.Li -= . +.Ql -= . These operators are used to add to and delete from a list respectively. It is not an error to use the -.Li -= +.Ql -= operator to remove an element that does not exist in a list. .Pp -Defaults entries are parsed in the following order: generic, host, +Defaults entries are parsed in the following order: global, host, user, and runas Defaults first, then command defaults. If there are multiple Defaults settings of the same type, the last matching setting is used. @@ -1283,18 +1281,18 @@ The basic structure of a user specification is Let's break that down into its constituent parts: .Ss Runas_Spec A -.Li Runas_Spec +.Em Runas_Spec determines the user and/or the group that a command may be run as. A fully-specified -.Li Runas_Spec +.Em Runas_Spec consists of two -.Li Runas_List Ns s +.Em Runas_List Ns s (as defined above) separated by a colon .Pq Ql :\& and enclosed in a set of parentheses. The first -.Li Runas_List +.Em Runas_List indicates which users the command may be run as via the .Fl u option. @@ -1302,24 +1300,24 @@ The second defines a list of groups that may be specified via the .Fl g option (in addition to any of the target user's groups). If both -.Li Runas_List Ns s +.Em Runas_List Ns s are specified, the command may be run with any combination of users and groups listed in their respective -.Li Runas_List Ns s. +.Em Runas_List Ns s. If only the first is specified, the command may be run as any user in the list and, optionally, with any group the target user belongs to. If the first -.Li Runas_List +.Em Runas_List is empty but the second is specified, the command may be run as the invoking user with the group set to any listed in the -.Li Runas_List . +.Em Runas_List . If both -.Li Runas_List Ns s +.Em Runas_List Ns s are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of. If no -.Li Runas_Spec +.Em Runas_Spec is specified, the command may only be run as .Sy root and the group, if specified, must be one that @@ -1327,7 +1325,7 @@ and the group, if specified, must be one that is a member of. .Pp A -.Li Runas_Spec +.Em Runas_Spec sets the default for the commands that follow it. What this means is that for the entry: .Bd -literal @@ -1345,13 +1343,13 @@ on the host .No boulder Ns \(em Ns but only as .Sy operator . -E.g., +For example: .Bd -literal $ sudo -u operator /bin/ls .Ed .Pp It is also possible to override a -.Li Runas_Spec +.Em Runas_Spec later on in an entry. If we modify the entry like so: .Bd -literal @@ -1374,7 +1372,7 @@ as We can extend this to allow .Sy dgb to run -.Li /bin/ls +.Pa /bin/ls with either the user or group set to .Sy operator : @@ -1384,7 +1382,7 @@ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e .Ed .Pp While the group portion of the -.Li Runas_Spec +.Em Runas_Spec permits the user to run as command with that group, it does not force the user to do so. @@ -1409,13 +1407,13 @@ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e .Pp In this example only the group will be set, the command still runs as user .Sy tcm . -E.g.\& +For example: .Bd -literal $ sudo -g dialer /usr/bin/cu .Ed .Pp Multiple users and groups may be present in a -.Li Runas_Spec , +.Em Runas_Spec , in which case the user may select any combination of users and groups via the .Fl u and @@ -1432,7 +1430,7 @@ may run any command as either user root or bin, optionally setting the group to operator or system. .Ss Option_Spec A -.Li Cmnd +.Em Cmnd may have zero or more options associated with it. Options may consist of .if \n(SL \{\ @@ -1446,11 +1444,11 @@ Solaris privileges sets, .\} start and/or end dates and command timeouts. Once an option is set for a -.Li Cmnd , +.Em Cmnd , subsequent -.Li Cmnd Ns s +.Em Cmnd Ns s in the -.Li Cmnd_Spec_List , +.Em Cmnd_Spec_List , inherit that option unless it is overridden by another option. Option names are reserved words in .Em sudoers . @@ -1498,7 +1496,8 @@ the user may run any command as root under confinement by the profile .Ql my-profile . You can also stack profiles, or allow a user to run commands unconfined by -any profile. E.g., +any profile. +For example: .Bd -literal bob ALL = (root) APPARMOR_PROFILE=foo//&bar /usr/bin/vi cathy ALL = (root) APPARMOR_PROFILE=unconfined /bin/ls @@ -1563,15 +1562,15 @@ character. .Ss Date_Spec .Nm rules can be specified with a start and end date via the -.Li NOTBEFORE +.Dv NOTBEFORE and -.Li NOTAFTER +.Dv NOTAFTER settings. The time stamp must be specified in -.Em Generalized Time +.Dq Generalized Time as defined by RFC 4517. The format is effectively -.Li yyyymmddHHMMSSZ +.Ql yyyymmddHHMMSSZ where the minutes and seconds are optional. The .Ql Z @@ -1602,7 +1601,7 @@ minutes, and seconds with a single-letter case-insensitive suffix that indicates the unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes, and 10 seconds would be written as -.Li 7d8h30m10s . +.Ql 7d8h30m10s . If a number is specified without a unit, seconds are assumed. Any of the days, minutes, hours, or seconds may be omitted. The order must be from largest to smallest unit and a unit @@ -1611,23 +1610,23 @@ may not be specified more than once. The following are all .Em valid timeout values: -.Li 7d8h30m10s , -.Li 14d , -.Li 8h30m , -.Li 600s , -.Li 3600 . +.Ql 7d8h30m10s , +.Ql 14d , +.Ql 8h30m , +.Ql 600s , +.Ql 3600 . The following are .Em invalid timeout values: -.Li 12m2w1d , -.Li 30s10m4h , -.Li 1d2d3h . +.Ql 12m2w1d , +.Ql 30s10m4h , +.Ql 1d2d3h . .Pp This setting is only supported by version 1.8.20 or higher. .Ss Chdir_Spec The working directory that the command will be run in can be specified using the -.Li CWD +.Dv CWD setting. The .Fa directory @@ -1649,7 +1648,7 @@ directory, unless the .Fl i option is given. Path names of the form -.Li ~user/path/name +.Pa ~user/path/name are interpreted as being relative to the named user's home directory. If the user name is omitted, the path will be relative to the runas user's home directory. @@ -1658,7 +1657,7 @@ This setting is only supported by version 1.9.3 or higher. .Ss Chroot_Spec The root directory that the command will be run in can be specified using the -.Li CHROOT +.Dv CHROOT setting. The .Fa directory @@ -1682,7 +1681,7 @@ similar to the .Xr chroot @mansectsu@ utility. Path names of the form -.Li ~user/path/name +.Pa ~user/path/name are interpreted as being relative to the named user's home directory. If the user name is omitted, the path will be relative to the runas user's home directory. @@ -1691,46 +1690,46 @@ This setting is only supported by version 1.9.3 or higher. .Ss Tag_Spec A command may have zero or more tags associated with it. The following tag values are supported: -.Li EXEC , -.Li NOEXEC , -.Li FOLLOW , -.Li NOFOLLOW , -.Li LOG_INPUT , -.Li NOLOG_INPUT , -.Li LOG_OUTPUT , -.Li NOLOG_OUTPUT , -.Li MAIL , -.Li NOMAIL , -.Li INTERCEPT , -.Li NOINTERCEPT , -.Li PASSWD , -.Li NOPASSWD , -.Li SETENV , +.Dv EXEC , +.Dv NOEXEC , +.Dv FOLLOW , +.Dv NOFOLLOW , +.Dv LOG_INPUT , +.Dv NOLOG_INPUT , +.Dv LOG_OUTPUT , +.Dv NOLOG_OUTPUT , +.Dv MAIL , +.Dv NOMAIL , +.Dv INTERCEPT , +.Dv NOINTERCEPT , +.Dv PASSWD , +.Dv NOPASSWD , +.Dv SETENV , and -.Li NOSETENV . +.Dv NOSETENV . Once a tag is set on a -.Li Cmnd , +.Em Cmnd , subsequent -.Li Cmnd Ns s +.Em Cmnd Ns s in the -.Li Cmnd_Spec_List , +.Em Cmnd_Spec_List , inherit the tag unless it is overridden by the opposite tag (in other words, -.Li PASSWD +.Dv PASSWD overrides -.Li NOPASSWD +.Dv NOPASSWD and -.Li NOEXEC +.Dv NOEXEC overrides -.Li EXEC ) . +.Dv EXEC ) . .Bl -hang -width 0n -.It Em EXEC No and Em NOEXEC +.It Dv EXEC No and Dv NOEXEC .sp If .Nm sudo has been compiled with .Em noexec support and the underlying operating system supports it, the -.Li NOEXEC +.Dv NOEXEC tag can be used to prevent a dynamically-linked executable from running further commands itself. .Pp @@ -1748,18 +1747,19 @@ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi See the .Sx Preventing shell escapes section below for more details on how -.Li NOEXEC +.Dv NOEXEC works and whether or not it will work on your system. -.It Em FOLLOW No and Em NOFOLLOW +.It Dv FOLLOW No and Dv NOFOLLOW +.sp Starting with version 1.8.15, .Nm sudoedit will not open a file that is a symbolic link unless the .Em sudoedit_follow flag is enabled. The -.Em FOLLOW +.Dv FOLLOW and -.Em NOFOLLOW +.Dv NOFOLLOW tags override the value of .Em sudoedit_follow and can be used to permit (or deny) the editing of symbolic links @@ -1767,7 +1767,7 @@ on a per-command basis. These tags are only effective for the .Em sudoedit command and are ignored for all other commands. -.It Em LOG_INPUT No and Em NOLOG_INPUT +.It Dv LOG_INPUT No and Dv NOLOG_INPUT .sp These tags override the value of the .Em log_input @@ -1777,7 +1777,7 @@ For more information, see the description of in the .Sx SUDOERS OPTIONS section below. -.It Em LOG_OUTPUT No and Em NOLOG_OUTPUT +.It Dv LOG_OUTPUT No and Dv NOLOG_OUTPUT .sp These tags override the value of the .Em log_output @@ -1787,7 +1787,7 @@ For more information, see the description of in the .Sx SUDOERS OPTIONS section below. -.It Em MAIL No and Em NOMAIL +.It Dv MAIL No and Dv NOMAIL .sp These tags provide fine-grained control over whether mail will be sent when a user runs a command by @@ -1802,7 +1802,7 @@ or .Fl v options. A -.Em NOMAIL +.Dv NOMAIL tag will also override the .Em mail_always and @@ -1816,24 +1816,24 @@ and in the .Sx SUDOERS OPTIONS section below. -.It Em PASSWD No and Em NOPASSWD +.It Dv PASSWD No and Dv NOPASSWD .sp By default, .Nm sudo requires that a user authenticate before running a command. This behavior can be modified via the -.Li NOPASSWD +.Dv NOPASSWD tag. Like a -.Li Runas_Spec , +.Em Runas_Spec , the -.Li NOPASSWD +.Dv NOPASSWD tag sets a default for the commands that follow it in the -.Li Cmnd_Spec_List . +.Em Cmnd_Spec_List . Conversely, the -.Li PASSWD +.Dv PASSWD tag can be used to reverse things. For example: .Bd -literal @@ -1863,35 +1863,35 @@ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm .Ed .Pp Note, however, that the -.Li PASSWD +.Dv PASSWD tag has no effect on users who are in the group specified by the .Em exempt_group setting. .Pp By default, if the -.Li NOPASSWD +.Dv NOPASSWD tag is applied to any of a user's entries for the current host, the user will be able to run -.Dq Li sudo -l +.Ql sudo -l without a password. Additionally, a user may only run -.Dq Li sudo -v +.Ql sudo -v without a password if all of the user's entries for the current host have the -.Li NOPASSWD +.Dv NOPASSWD tag. This behavior may be overridden via the .Em verifypw and .Em listpw options. -.It Em SETENV No and Em NOSETENV +.It Dv SETENV No and Dv NOSETENV .sp These tags override the value of the .Em setenv flag on a per-command basis. If -.Li SETENV +.Dv SETENV has been set for a command, the user may disable the .Em env_reset flag from the command line via the @@ -1907,18 +1907,18 @@ As such, only trusted users should be allowed to set variables in this manner. If the command matched is .Sy ALL , the -.Li SETENV +.Dv SETENV tag is implied for that command; this default may be overridden by use of the -.Li NOSETENV +.Dv NOSETENV tag. -.It Em INTERCEPT No and Em NOINTERCEPT +.It Dv INTERCEPT No and Dv NOINTERCEPT .sp If .Nm sudo has been compiled with .Em intercept support and the underlying operating system supports it, the -.Li INTERCEPT +.Dv INTERCEPT tag can be used to cause programs spawned by a command to be validated against .Em sudoers and logged just like they would be if run through @@ -1944,7 +1944,7 @@ chuck research = INTERCEPT: ALL See the .Sx Preventing shell escapes section below for more details on how -.Li INTERCEPT +.Dv INTERCEPT works and whether or not it will work on your system. .El .Ss Wildcards @@ -1962,17 +1962,17 @@ and functions as specified by .St -p1003.1 . .Bl -tag -width 8n -.It Li * +.It * Matches any set of zero or more characters (including white space). -.It Li \&? +.It \&? Matches any single character (including white space). -.It Li [...] +.It [...] Matches any character in the specified range. -.It Li [!...] +.It [!...] Matches any character .Em not in the specified range. -.It Li \ex +.It \ex For any character .Sq x , evaluates to @@ -2043,9 +2043,9 @@ below. .Ss Exceptions to wildcard rules The following exceptions apply to the above rules: .Bl -tag -width 8n -.It Li \&"" +.It \&"" If the empty string -.Li \&"" +.Ql \&"" is the only command line argument in the .Em sudoers file entry it means that command is not allowed to be run with @@ -2164,14 +2164,14 @@ It is possible to include other files from within the .Em sudoers file currently being parsed using the -.Li @include +.Em @include and -.Li @includedir +.Em @includedir directives. For compatibility with sudo versions prior to 1.9.1, -.Li #include +.Em #include and -.Li #includedir +.Em #includedir are also accepted. .Pp An include file can be used, for example, to keep a site-wide @@ -2227,14 +2227,14 @@ For example, if .Pa /etc/sudoers contains the line: .Bd -literal -offset 4n -.Li @include sudoers.local +@include sudoers.local .Ed .Pp the file that will be included is .Pa /etc/sudoers.local . .Pp The file name may also include the -.Li %h +.Ql %h escape, signifying the short form of the host name. In other words, if the machine's host name is .Dq xerxes , @@ -2249,7 +2249,7 @@ to include the file .Pa /etc/sudoers.xerxes . .Pp The -.Li @includedir +.Em @includedir directive can be used to create a .Pa sudoers.d directory that the system package manager can drop @@ -2269,6 +2269,7 @@ or contain a .Ql .\& character to avoid causing problems with package manager or editor temporary/backup files. +.Pp Files are parsed in sorted lexical order. That is, .Pa /etc/sudoers.d/01_first @@ -2283,14 +2284,14 @@ Using a consistent number of leading zeroes in the file names can be used to avoid such problems. After parsing the files in the directory, control returns to the file that contained the -.Li @includedir +.Em @includedir directive. .Pp Unlike files included via -.Li @include , +.Em @include , .Nm visudo will not edit the files in a -.Li @includedir +.Em @includedir directory unless one of them contains a syntax error. It is still possible to run .Nm visudo @@ -2316,11 +2317,11 @@ is a built-in .Em alias that always causes a match to succeed. It can be used wherever one might otherwise use a -.Li Cmnd_Alias , -.Li User_Alias , -.Li Runas_Alias , +.Em Cmnd_Alias , +.Em User_Alias , +.Em Runas_Alias , or -.Li Host_Alias . +.Em Host_Alias . Attempting to define an .Em alias named @@ -2333,22 +2334,22 @@ can be dangerous since in a command context, it allows the user to run command on the system. .Pp The following option names permitted in an -.Li Option_Spec +.Em Option_Spec are also considered reserved words: -.Li CHROOT , +.Dv CHROOT , .if \n(PS \{\ -.Li PRIVS , -.Li LIMITPRIVS , +.Dv PRIVS , +.Dv LIMITPRIVS , .\} .if \n(SL \{\ -.Li ROLE , -.Li TYPE , +.Dv ROLE , +.Dv TYPE , .\} -.Li TIMEOUT , -.Li CWD , -.Li NOTBEFORE +.Dv TIMEOUT , +.Dv CWD , +.Dv NOTBEFORE and -.Li NOTAFTER . +.Dv NOTAFTER . Attempting to define an .Em alias with the same name as one of the options will result in a syntax error. @@ -2360,14 +2361,14 @@ can be used as a logical operator in a list or .Em alias as well as in front of a -.Li Cmnd . +.Em Cmnd . This allows one to exclude certain values. For the .Ql \&! operator to be effective, there must be something for it to exclude. For example, to match all users except for root one would use: .Bd -literal -offset 4n -ALL,!root +ALL, !root .Ed .Pp If the @@ -2420,7 +2421,7 @@ when used as part of a word (e.g., a user name or host name): .Sh SUDOERS OPTIONS .Nm sudo Ns 's behavior can be modified by -.Li Default_Entry +.Em Default_Entry lines, as explained earlier. A list of all supported Defaults parameters, grouped by type, are listed below. .Pp @@ -2429,9 +2430,12 @@ A list of all supported Defaults parameters, grouped by type, are listed below. .It always_query_group_plugin If a .Em group_plugin -is configured, use it to resolve groups of the form %group as long -as there is not also a system group of the same name. -Normally, only groups of the form %:group are passed to the +is configured, use it to resolve groups of the form +.Ql %group +as long as there is not also a system group of the same name. +Normally, only groups of the form +.Ql %:group +are passed to the .Em group_plugin . This flag is .Em off @@ -2459,9 +2463,9 @@ by default. If set, users must authenticate themselves via a password (or other means of authentication) before they may run commands. This default may be overridden via the -.Li PASSWD +.Dv PASSWD and -.Li NOPASSWD +.Dv NOPASSWD tags. This flag is .Em on @@ -2541,10 +2545,10 @@ automatic restarting of system calls. Unfortunately, not all operating systems do this by default, and even those that do may have bugs. For example, macOS fails to restart the -.Fn tcgetattr +.Xr tcgetattr 3 and -.Fn tcsetattr -system calls (this is a bug in macOS). +.Xr tcsetattr 3 +functions (this is a bug in macOS). Furthermore, because this behavior depends on the command stopping with the .Dv SIGTTIN or @@ -2626,17 +2630,17 @@ Any variables in the caller's environment or in the file specified by the .Em restricted_env_file setting that match the -.Li env_keep +.Em env_keep and -.Li env_check +.Em env_check lists are then added, followed by any variables present in the file specified by the .Em env_file setting (if any). The contents of the -.Li env_keep +.Em env_keep and -.Li env_check +.Em env_check lists, as modified by global Defaults parameters in .Em sudoers , are displayed when @@ -2727,16 +2731,16 @@ This setting is only supported by version 1.9.10 or higher. Set this flag if you want to put fully qualified host names in the .Em sudoers file when the local host name (as returned by the -.Li hostname +.Ql hostname command) does not contain the domain name. In other words, instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). This flag is only effective when the .Dq canonical host name, as returned by the -.Fn getaddrinfo +.Xr getaddrinfo 3 or -.Fn gethostbyname +.Xr gethostbyname 3 function, is a fully-qualified domain name. This is usually the case when the system is configured to use DNS for host name resolution. @@ -2783,13 +2787,8 @@ from the network). Just like with the hosts file, you must use the .Dq canonical name as DNS knows it. -That is, you may not use a host alias -.Po -.Li CNAME -entry -.Pc -due to performance issues and the fact that there is no way to get all -aliases from DNS. +That is, you may not use a host alias (CNAME entry) due to performance +issues and the fact that there is no way to get all aliases from DNS. .Pp This flag is .Em @fqdn@ @@ -2812,7 +2811,7 @@ by default. .It ignore_dot If set, .Nm sudo -will ignore "." or "" (both denoting current directory) in the +will ignore "." or "" (both denoting the current directory) in the .Ev PATH environment variable; the .Ev PATH @@ -2848,7 +2847,7 @@ by default. If set via LDAP, parsing of .Pa @sysconfdir@/sudoers will be skipped. -This is intended for Enterprises that wish to prevent the usage of local +This is intended for sites that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to .Pa @sysconfdir@/sudoers . @@ -2859,7 +2858,7 @@ Since this flag tells .Nm sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the -.Li cn=defaults +.Ql cn=defaults section. This flag is .Em off @@ -2984,15 +2983,15 @@ If set, .Nm will log when a command spawns a child process and executes a program using the -.Fn execl , -.Fn execle , -.Fn execlp , -.Fn execv , -.Fn execve , -.Fn execvp , -.Fn execvpe , +.Xr execve 2 , +.Xr execl 3 , +.Xr execle 3 , +.Xr execlp 3 , +.Xr execv 3 , +.Xr execvp 3 , +.Xr execvpe 3 , or -.Fn system +.Xr system 3 library functions. For example, if a shell is run by .Nm sudo , @@ -3119,7 +3118,7 @@ This works well on systems where the number of groups listed in the .Em sudoers file is larger than the number of groups a typical user belongs to. On systems where group lookups are slow, where users may belong -to a large number of groups, and where the number of groups listed +to a large number of groups, or where the number of groups listed in the .Em sudoers file is relatively small, it may be prohibitively expensive and @@ -3165,12 +3164,12 @@ This setting is only supported by version 1.8.18 or higher. If set, all commands run via .Nm sudo will behave as if the -.Li INTERCEPT +.Dv INTERCEPT tag has been set, unless overridden by an -.Li NOINTERCEPT +.Dv NOINTERCEPT tag. See the description of -.Em INTERCEPT and NOINTERCEPT +.Dv INTERCEPT and NOINTERCEPT above as well as the .Sx Preventing shell escapes section at the end of this manual. @@ -3196,7 +3195,7 @@ is enable. This flag has no effect unless the .Em intercept flag is enabled or the -.Em INTERCEPT +.Dv INTERCEPT tag has been set for the command. This flag is .Em on @@ -3218,7 +3217,7 @@ subsequent commands will need to be authenticated. This flag has no effect unless the .Em intercept flag is enabled or the -.Em INTERCEPT +.Dv INTERCEPT tag has been set for the command. This flag is .Em off @@ -3257,7 +3256,7 @@ file system is available. This flag has no effect unless the .Em intercept flag is enabled or the -.Em INTERCEPT +.Dv INTERCEPT tag has been set for the command and the .Em intercept_type option is set to @@ -3273,9 +3272,9 @@ tuple: host name, user name, and domain (if one is set). Historically, .Nm sudo only matched the user name and domain for netgroups used in a -.Li User_List +.Em User_List and only matched the host name and domain for netgroups used in a -.Li Host_List . +.Em Host_List . This flag is .Em off by default. @@ -3283,12 +3282,12 @@ by default. If set, all commands run via .Nm sudo will behave as if the -.Li NOEXEC +.Dv NOEXEC tag has been set, unless overridden by an -.Li EXEC +.Dv EXEC tag. See the description of -.Em EXEC and NOEXEC +.Dv EXEC and NOEXEC above as well as the .Sx Preventing shell escapes section at the end of this manual. @@ -3492,7 +3491,7 @@ Disabling this prevents users from .Dq chaining .Nm sudo commands to get a root shell by doing something like -.Dq Li sudo sudo /bin/sh . +.Ql sudo sudo /bin/sh . Note, however, that turning off .Em root_sudo will also prevent root from running @@ -3515,7 +3514,7 @@ by default. If enabled, allow matching of runas user and group IDs that are not present in the password or group databases. In addition to explicitly matching unknown user or group IDs in a -.Li Runas_List , +.Em Runas_List , this option also allows the .Sy ALL alias to match unknown IDs. @@ -3533,7 +3532,7 @@ If enabled, will only run commands as a user whose shell appears in the .Pa /etc/shells file, even if the invoking user's -.Li Runas_List +.Em Runas_List would otherwise permit it. If no .Pa /etc/shells @@ -3552,8 +3551,7 @@ If set, .Nm sudo will prompt for the password of the user defined by the .Em runas_default -option (defaults to -.Li @runas_default@ ) +option (defaults to @runas_default@) instead of the password of the invoking user when running a command or editing a file. This flag is @@ -3718,9 +3716,9 @@ option can be enabled to allow .Nm sudoedit to open symbolic links. It may be overridden on a per-command basis by the -.Em FOLLOW +.Dv FOLLOW and -.Em NOFOLLOW +.Dv NOFOLLOW tags. This flag is .Em off @@ -3742,8 +3740,7 @@ If set, will prompt for the password of the user specified by the .Fl u -option (defaults to -.Li root ) +option (defaults to root) instead of the password of the invoking user when running a command or editing a file. This flag precludes the use of a user-ID not listed in the passwd @@ -3842,7 +3839,7 @@ If a timeout is specified both in the .Pa sudoers file and on the command line, the smaller of the two timeouts will be used. See the -.Li Timeout_Spec +.Em Timeout_Spec section for a description of the timeout syntax. This flag is .Em off @@ -3870,7 +3867,7 @@ flag is set, .Nm sudo will prompt for a password even when it would be visible on the screen. This makes it possible to run things like -.Dq Li ssh somehost sudo ls +.Ql ssh somehost sudo ls since by default, .Xr ssh 1 does @@ -3891,13 +3888,12 @@ The .Em closefrom option can be used to specify a different file descriptor at which to start closing. -The default is -.Li 3 . +The default is 3. .It command_timeout The maximum amount of time a command is allowed to run before it is terminated. See the -.Li Timeout_Spec +.Em Timeout_Spec section for a description of the timeout syntax. .Pp This setting is only supported by version 1.8.20 or higher. @@ -3905,19 +3901,19 @@ This setting is only supported by version 1.8.20 or higher. The maximum amount of time to wait when connecting to a log server or waiting for a server response. See the -.Li Timeout_Spec +.Em Timeout_Spec section for a description of the timeout syntax. The default value is 30 seconds. .Pp This setting is only supported by version 1.9.0 or higher. .It maxseq The maximum sequence number that will be substituted for the -.Dq Li %{seq} +.Ql %{seq} escape in the I/O log file (see the .Em iolog_dir description below for more information). While the value substituted for -.Dq Li %{seq} +.Ql %{seq} is in base 36, .Em maxseq itself should be expressed in decimal. @@ -3940,8 +3936,7 @@ This setting is only supported by version 1.8.7 or higher. The number of tries a user gets to enter his/her password before .Nm sudo logs the failure and exits. -The default is -.Li @passwd_tries@ . +The default is @passwd_tries@. .It syslog_maxlen On many systems, .Xr syslog 3 @@ -3973,40 +3968,28 @@ This setting is only supported by version 1.8.19 or higher. Number of characters per line for the file log. This value is used to decide when to wrap lines for nicer log files. This has no effect on the syslog log file, only the file log. -The default is -.Li @loglen@ -(use 0 or negate the option to disable word wrap). +The default is @loglen@ (use 0 or negate the option to disable word wrap). .It passwd_timeout Number of minutes before the .Nm sudo -password prompt times out, or -.Li 0 -for no timeout. +password prompt times out, or 0 for no timeout. The timeout may include a fractional component -if minute granularity is insufficient, for example -.Li 2.5 . -The -default is -.Li @password_timeout@ . +if minute granularity is insufficient, for example 2.5. +The default is @password_timeout@. .It timestamp_timeout Number of minutes that can elapse before .Nm sudo will ask for a password again. The timeout may include a fractional component if -minute granularity is insufficient, for example -.Li 2.5 . -The default is -.Li @timeout@ . -Set this to -.Li 0 -to always prompt for a password. -If set to a value less than -.Li 0 -the user's time stamp will not expire until the system is rebooted. +minute granularity is insufficient, for example 2.5. +The default is @timeout@. +Set this to 0 to always prompt for a password. +If set to a value less than 0 the user's time stamp will not expire +until the system is rebooted. This can be used to allow users to create or delete their own time stamps via -.Dq Li sudo -v +.Ql sudo -v and -.Dq Li sudo -k +.Ql sudo -k respectively. .It umask File mode creation mask to use when running the command. @@ -4018,10 +4001,8 @@ Unless the flag is set, the actual umask will be the union of the user's umask and the value of the .Em umask -setting, which defaults to -.Li @sudo_umask@ . -This guarantees -that +setting, which defaults to @sudo_umask@. +This guarantees that .Nm sudo never lowers the umask when running a command. .Pp @@ -4051,7 +4032,7 @@ The default can be overridden for individual .Em sudoers entries by specifying the -.Em APPARMOR_PROFILE +.Dv APPARMOR_PROFILE option. This option is only available when sudo is built with AppArmor support. @@ -4062,11 +4043,11 @@ The message may include the .Ql %d escape which will expand to the number of failed password attempts. If set, it overrides the default message, -.Li %d incorrect password attempt(s) . +.Dq %d incorrect password attempt(s) . .It badpass_message Message that is displayed if a user enters an incorrect password. The default is -.Li @badpass_message@ +.Dq @badpass_message@ unless insults are enabled. .It editor A colon @@ -4119,15 +4100,15 @@ It has the following possible values: .Bl -tag -width 6n .It dso Preload a dynamic shared object (shared library) that intercepts the -.Fn execl , -.Fn execle , -.Fn execlp , -.Fn execv , -.Fn execve , -.Fn execvp , -.Fn execvpe , +.Xr execve 2 , +.Xr execl 3 , +.Xr execle 3 , +.Xr execlp 3 , +.Xr execv 3 , +.Xr execvp 3 , +.Xr execvpe 3 , and -.Fn system +.Xr system 3 library functions. A value of .Em dso @@ -4169,9 +4150,9 @@ Only used if the or .Em log_output options are enabled or when the -.Li LOG_INPUT +.Dv LOG_INPUT or -.Li LOG_OUTPUT +.Dv LOG_OUTPUT tags are present for a command. The session sequence number, if any, is stored in the directory. The default is @@ -4181,23 +4162,23 @@ The following percent .Pq Ql % escape sequences are supported: .Bl -tag -width 4n -.It Li %{seq} +.It %{seq} expanded to a monotonically increasing base-36 sequence number, such as 0100A5, where every two digits are used to form a new directory, e.g., .Pa 01/00/A5 -.It Li %{user} +.It %{user} expanded to the invoking user's login name -.It Li %{group} +.It %{group} expanded to the name of the invoking user's real group-ID -.It Li %{runas_user} +.It %{runas_user} expanded to the login name of the user the command will be run as (e.g., root) -.It Li %{runas_group} +.It %{runas_group} expanded to the group name of the user the command will be run as (e.g., wheel) -.It Li %{hostname} +.It %{hostname} expanded to the local host name without the domain name -.It Li %{command} +.It %{command} expanded to the base name of the command being run .El .Pp @@ -4218,14 +4199,14 @@ in which to store input/output logs when the or .Em log_output options are enabled or when the -.Li LOG_INPUT +.Dv LOG_INPUT or -.Li LOG_OUTPUT +.Dv LOG_OUTPUT tags are present for a command. .Em iolog_file may contain directory components. The default is -.Dq Li %{seq} . +.Ql %{seq} . .Pp See the .Em iolog_dir @@ -4235,9 +4216,9 @@ escape sequences. .Pp In addition to the escape sequences, path names that end in six or more -.Li X Ns s +.Em X Ns s will have the -.Li X Ns s +.Em X Ns s replaced with a unique combination of digits and letters, similar to the .Xr mktemp 3 function. @@ -4251,7 +4232,7 @@ overwritten unless .Em iolog_file ends in six or more -.Li X Ns s . +.Em X Ns s . .It iolog_flush If set, .Nm sudo @@ -4376,10 +4357,10 @@ Subject of the mail sent to the .Em mailto user. The escape -.Li %h +.Ql %h will expand to the host name of the machine. Default is -.Dq Li @mailsub@ . +.Dq @mailsub@ . .It noexec_file As of .Nm sudo @@ -4393,9 +4374,9 @@ name used when the .Fl A option is specified. The default value is either -.Dq Li @pam_service@ +.Ql @pam_service@ or -.Dq Li @pam_login_service@ , +.Ql @pam_login_service@ , depending on whether or not the .Fl i option is also specified. @@ -4410,7 +4391,7 @@ name used when the .Fl i option is specified. The default value is -.Dq Li @pam_login_service@ . +.Ql @pam_login_service@ . See the description of .Em pam_service for more information. @@ -4425,7 +4406,7 @@ file or a file in the .Pa /etc/pam.d directory. The default value is -.Dq Li sudo . +.Ql sudo . .Pp This setting is only supported by version 1.8.8 or higher. .It passprompt @@ -4438,14 +4419,14 @@ The following percent .Pq Ql % escape sequences are supported: .Bl -tag -width 4n -.It Li %H +.It %H expanded to the local host name including the domain name (only if the machine's host name is fully qualified or the .Em fqdn option is set) -.It Li %h +.It %h expanded to the local host name without the domain name -.It Li %p +.It %p expanded to the user whose password is being asked for (respects the .Em rootpw , .Em targetpw @@ -4453,16 +4434,16 @@ and .Em runaspw flags in .Em sudoers ) -.It Li \&%U +.It \&%U expanded to the login name of the user the command will be run as (defaults to root) -.It Li %u +.It %u expanded to the invoking user's login name -.It Li %% +.It %% two consecutive -.Li % +.Ql % characters are collapsed into a single -.Li % +.Ql % character .El .Pp @@ -4480,7 +4461,7 @@ The flag can be used to change this behavior. .Pp The default value is -.Dq Li "@passprompt@" . +.Ql "@passprompt@" . .if \n(PS \{\ .It privs The default Solaris privileges to use when constructing a new @@ -4514,14 +4495,13 @@ is built with SELinux support. The default user to run commands as if the .Fl u option is not specified on the command line. -This defaults to -.Li @runas_default@ . +This defaults to @runas_default@. .It sudoers_locale Locale to use when parsing the sudoers file, logging commands, and sending email. Changing the locale may affect how sudoers is interpreted. Defaults to -.Dq Li C . +.Ql C . .It timestamp_type .Nm uses per-user time stamp files for credential caching. @@ -4542,11 +4522,7 @@ process ID (usually the shell). Commands run from the same shell (or other common parent process) will not require a password for .Em timestamp_timeout -minutes -.Po -.Li @timeout@ -by default -.Pc . +minutes (@timeout@ by default). Commands run via .Nm sudo with a different parent process ID, for example from a shell script, @@ -4558,11 +4534,7 @@ If no terminal is present, the behavior is the same as .Em ppid . Commands run from the same terminal will not require a password for .Em timestamp_timeout -minutes -.Po -.Li @timeout@ -by default -.Pc . +minutes (@timeout@ by default). .It kernel The time stamp is stored in the kernel as an attribute of the terminal device. @@ -4590,8 +4562,7 @@ The default is .It timestampowner The owner of the lecture status directory, time stamp directory and all files stored therein. -The default is -.Li root . +The default is root. .if \n(SL \{\ .It type The default SELinux type to use when constructing a new security @@ -4623,16 +4594,16 @@ is configured with the .Li --enable-admin-flag option. The default value is -.Li ~/.sudo_as_admin_successful . +.Pa ~/.sudo_as_admin_successful . .It env_file The .Em env_file option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form -.Dq Li VARIABLE=value +.Ql VARIABLE=value or -.Dq Li export VARIABLE=value . +.Ql export VARIABLE=value . The value may optionally be enclosed in single or double quotes. Variables in this file are only added if the variable does not already exist in the environment. @@ -4646,7 +4617,7 @@ and .It exempt_group Users in this group are exempt from password and PATH requirements. The group name specified should not include a -.Li % +.Ql % prefix. This is not set by default. .It fdexec @@ -4693,7 +4664,7 @@ alias. .Pp This setting is only supported by version 1.8.20 or higher. If the operating system does not support the -.Fn fexecve +.Xr fexecve 2 system call, this setting has no effect. .It group_plugin A string containing a @@ -4780,7 +4751,7 @@ All the user's .Em sudoers file entries for the current host must have the -.Li NOPASSWD +.Dv NOPASSWD flag set to avoid entering a password. .It always The user must always enter a password to use the @@ -4791,7 +4762,7 @@ At least one of the user's .Em sudoers file entries for the current host must have the -.Li NOPASSWD +.Dv NOPASSWD flag set to avoid entering a password. .It never The user need never enter a password to use the @@ -4858,7 +4829,7 @@ The address should be enclosed in double quotes to protect against .Nm sudo interpreting the -.Li @ +.Ql @ sign. Defaults to the name of the user running .Nm sudo . @@ -4871,10 +4842,9 @@ The address should be enclosed in double quotes to protect against .Nm sudo interpreting the -.Li @ +.Ql @ sign. -Defaults to -.Li @mailto@ . +Defaults to @mailto@. .It rlimit_as The maximum size to which the process's address space may grow (in bytes), if supported by the operating system. @@ -4940,9 +4910,9 @@ The option specifies the fully qualified path to a file containing variables to be set in the environment of the program being run. Entries in this file should either be of the form -.Dq Li VARIABLE=value +.Ql VARIABLE=value or -.Dq Li export VARIABLE=value . +.Ql export VARIABLE=value . The value may optionally be enclosed in single or double quotes. Variables in this file are only added if the variable does not already exist in the environment. @@ -4986,7 +4956,7 @@ It is only possible to use .Em runchroot as a command-specific Defaults setting if the command exists with the same path both inside and outside the chroot jail. -This restriction does not apply to generic, host, or user-based +This restriction does not apply to global, host, or user-based Defaults settings or to a .Em Cmnd_Spec that includes a @@ -5028,8 +4998,7 @@ This option is @secure_path@ by default. .It syslog Syslog facility if syslog is being used for logging (negate to disable syslog logging). -Defaults to -.Li @logfac@ . +Defaults to @logfac@. .Pp The following syslog facilities are supported: .Sy authpriv @@ -5050,8 +5019,7 @@ and .It syslog_badpri Syslog priority to use when the user is not allowed to run a command or when authentication is unsuccessful. -Defaults to -.Li @badpri@ . +Defaults to @badpri@. .Pp The following syslog priorities are supported: .Sy alert , @@ -5070,8 +5038,7 @@ will disable logging of unsuccessful commands. .It syslog_goodpri Syslog priority to use when the user is allowed to run a command and authentication is successful. -Defaults to -.Li @goodpri@ . +Defaults to @goodpri@. .Pp See .Em syslog_badpri @@ -5091,7 +5058,7 @@ It has the following possible values: All the user's .Em sudoers file entries for the current host must have the -.Li NOPASSWD +.Dv NOPASSWD flag set to avoid entering a password. .It always The user must always enter a password to use the @@ -5101,7 +5068,7 @@ option. At least one of the user's .Em sudoers file entries for the current host must have the -.Li NOPASSWD +.Dv NOPASSWD flag set to avoid entering a password. .It never The user need never enter a password to use the @@ -5126,7 +5093,7 @@ Environment variables to be removed from the user's environment unless they are considered .Dq safe . For all variables except -.Li TZ , +.Ev TZ , .Dq safe means that the variable's value does not contain any .Ql % @@ -5136,7 +5103,7 @@ characters. This can be used to guard against printf-style format vulnerabilities in poorly-written programs. The -.Li TZ +.Ev TZ variable is considered unsafe if any of the following are true: .Bl -bullet -width 1n .It @@ -5154,23 +5121,23 @@ path element. It contains white space or non-printable characters. .It It is longer than the value of -.Li PATH_MAX . +.Dv PATH_MAX . .El .Pp The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -.Li = , -.Li += , -.Li -= , +.Ql = , +.Ql += , +.Ql -= , and -.Li \&! +.Ql \&! operators respectively. Regardless of whether the -.Li env_reset +.Em env_reset option is enabled or disabled, variables specified by -.Li env_check +.Em env_check will be preserved in the environment if they pass the aforementioned check. The global list of environment variables to check is displayed when .Nm sudo @@ -5185,11 +5152,11 @@ option is not in effect. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -.Li = , -.Li += , -.Li -= , +.Ql = , +.Ql += , +.Ql -= , and -.Li \&! +.Ql \&! operators respectively. The global list of environment variables to remove is displayed when .Nm sudo @@ -5209,11 +5176,11 @@ processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the -.Li = , -.Li += , -.Li -= , +.Ql = , +.Ql += , +.Ql -= , and -.Li \&! +.Ql \&! operators respectively. The global list of variables to keep is displayed when @@ -5310,7 +5277,7 @@ plugin supports its own plugin interface to allow non-Unix group lookups which can query a group source other than the standard Unix group database. This can be used to implement support for the -.Li nonunix_group +.Em nonunix_group syntax described earlier. .Pp Group provider plugins are specified via the @@ -5345,9 +5312,9 @@ Defaults group_plugin="group_file.so /etc/sudo-group" The .Em system_group plugin supports group lookups via the standard C library functions -.Fn getgrnam +.Xr getgrnam 3 and -.Fn getgrid . +.Xr getgrid 3 . This plugin can be used in instances where the user belongs to groups not present in the user's supplemental group vector. This plugin takes no options: @@ -5447,7 +5414,7 @@ The actual command that was executed. Messages are logged using the locale specified by .Em sudoers_locale , which defaults to the -.Dq Li C +.Ql C locale. .Ss Denied command log entries If the user is not allowed to run the command, the reason for the denial @@ -5530,7 +5497,7 @@ is the user-ID that owns the .Em sudoers file) to the end of the .Nm -.Li Plugin +.Em Plugin line in the .Xr sudo.conf @mansectform@ file. @@ -5556,7 +5523,7 @@ is the user-ID that owns the .Em sudoers file) to the .Nm -.Li Plugin +.Em Plugin line in the .Xr sudo.conf @mansectform@ file. @@ -5572,7 +5539,7 @@ The default mode may be changed via the .Dq sudoers_mode option to the .Nm -.Li Plugin +.Em Plugin line in the .Xr sudo.conf @mansectform@ file. @@ -5590,7 +5557,7 @@ is the group-ID that owns the .Em sudoers file) to the .Nm -.Li Plugin +.Em Plugin line in the .Xr sudo.conf @mansectform@ file. @@ -5634,7 +5601,7 @@ The and .Em progname fields are added by the system's -.Fn syslog +.Xr syslog 3 function, not .Nm itself. @@ -5702,7 +5669,7 @@ by default using a unique session ID that is included in the .Nm sudo log line, prefixed with -.Dq Li TSID= . +.Ql TSID= . The .Em iolog_file option may be used to control the format of the session ID. @@ -5759,11 +5726,11 @@ The number of lines of the terminal the command ran on, or zero if no terminal was present. .It runargv A JSON array representing the command's argument vector as passed to the -.Fn execve +.Xr execve 2 system call. .It runenv A JSON array representing the command's environment as passed to the -.Fn execve +.Xr execve 2 system call. .It rungid The group ID the command ran as. @@ -5866,7 +5833,7 @@ log file unencrypted. In most cases, logging the command output via .Em log_output or -.Li LOG_OUTPUT +.Dv LOG_OUTPUT is all that is required. .Pp Since each session's I/O logs are stored in a separate directory, @@ -5980,12 +5947,12 @@ or .Ev USER environment variables when running commands as root. Additionally, on the machines in the -.Em SERVERS -.Li Host_Alias , +.Dv SERVERS +.Em Host_Alias , we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years. Lastly, we disable shell escapes for the commands in the PAGERS -.Li Cmnd_Alias +.Em Cmnd_Alias .Po .Pa /usr/bin/more , .Pa /usr/bin/pg @@ -6042,7 +6009,7 @@ and .Sy crawl ) may run any command on any host but they must authenticate themselves first (since the entry lacks the -.Li NOPASSWD +.Dv NOPASSWD tag). .Bd -literal jack CSNETS = ALL @@ -6051,17 +6018,12 @@ jack CSNETS = ALL The user .Sy jack may run any command on the machines in the -.Em CSNETS -alias (the networks -.Li 128.138.243.0 , -.Li 128.138.204.0 , -and -.Li 128.138.242.0 ) . -Of those networks, only -.Li 128.138.204.0 -has an explicit netmask (in CIDR notation) indicating it is a class C network. +.Dv CSNETS +alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). +Of those networks, only 128.138.204.0 has an explicit netmask (in +CIDR notation) indicating it is a class C network. For the other networks in -.Em CSNETS , +.Dv CSNETS , the local machine's netmask will be used during matching. .Bd -literal lisa CUNETS = ALL @@ -6070,9 +6032,8 @@ lisa CUNETS = ALL The user .Sy lisa may run any command on any host in the -.Em CUNETS -alias (the class B network -.Li 128.138.0.0 ) . +.Dv CUNETS +alias (the class B network 128.138.0.0). .Bd -literal operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e sudoedit /etc/printcap, /usr/oper/bin/ @@ -6086,7 +6047,7 @@ printing system, shutting down the system, and any commands in the directory .Pa /usr/oper/bin/ . One command in the -.Li DUMPS +.Dv DUMPS Cmnd_Alias includes a sha224 digest, .Pa /home/operator/bin/start_backups . This is because the directory containing the script is writable by the @@ -6115,8 +6076,8 @@ group may run commands in .Pa /usr/sbin/ as themselves with any group in the -.Em ADMINGRP -.Li Runas_Alias +.Dv ADMINGRP +.Em Runas_Alias (the .Sy adm and @@ -6127,7 +6088,7 @@ The user .Sy pete is allowed to change anyone's password except for root on the -.Em HPPA +.Dv HPPA machines. Because command line arguments are matched as a single, concatenated string, the @@ -6156,12 +6117,12 @@ bob SPARC = (OP) ALL : SGI = (OP) ALL The user .Sy bob may run anything on the -.Em SPARC +.Dv SPARC and -.Em SGI +.Dv SGI machines as any user listed in the -.Em OP -.Li Runas_Alias +.Dv OP +.Em Runas_Alias .Po .Sy root and @@ -6197,8 +6158,8 @@ fred ALL = (DB) NOPASSWD: ALL The user .Sy fred can run commands as any user in the -.Em DB -.Li Runas_Alias +.Dv DB +.Em Runas_Alias .Po .Sy oracle or @@ -6210,7 +6171,7 @@ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* .Ed .Pp On the -.Em ALPHA +.Dv ALPHA machines, user .Sy john may su to anyone except root but he is not allowed to specify any options @@ -6224,29 +6185,29 @@ jen ALL, !SERVERS = ALL The user .Sy jen may run any command on any machine except for those in the -.Em SERVERS -.Li Host_Alias +.Dv SERVERS +.Em Host_Alias (primary, mail, www, and ns). .Bd -literal jill SERVERS = /usr/bin/, !SU, !SHELLS .Ed .Pp For any machine in the -.Em SERVERS -.Li Host_Alias , +.Dv SERVERS +.Em Host_Alias , .Sy jill may run any commands in the directory .Pa /usr/bin/ except for those commands belonging to the -.Em SU +.Dv SU and -.Em SHELLS -.Li Cmnd_Aliases . +.Dv SHELLS +.Em Cmnd_Aliases . While not specifically mentioned in the rule, the commands in the -.Em PAGERS -.Li Cmnd_Alias +.Dv PAGERS +.Em Cmnd_Alias all reside in .Pa /usr/bin and have the @@ -6272,8 +6233,8 @@ WEBADMIN www = (www) ALL, (root) /usr/bin/su www .Ed .Pp On the host www, any user in the -.Em WEBADMIN -.Li User_Alias +.Dv WEBADMIN +.Em User_Alias (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply .Xr su 1 @@ -6284,7 +6245,7 @@ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e .Ed .Pp Any user may mount or unmount a CD-ROM on the machines in the CDROM -.Li Host_Alias +.Em Host_Alias (orion, perseus, hercules) without entering a password. This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. @@ -6307,9 +6268,9 @@ bill ALL = ALL, !SU, !SHELLS Doesn't really prevent .Sy bill from running the commands listed in -.Em SU +.Dv SU or -.Em SHELLS +.Dv SHELLS since he can simply copy those commands to a different name, or use a shell escape from an editor or other program. Therefore, these kind of restrictions should be considered @@ -6343,13 +6304,13 @@ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e User .Sy john can still run -.Li /usr/bin/passwd root +.Ql /usr/bin/passwd root if .Em fast_glob is enabled by changing to .Pa /usr/bin and running -.Li ./passwd root +.Ql ./passwd root instead. .Pp Another potential issue is that when @@ -6472,15 +6433,15 @@ It does this by setting an environment variable (usually .Ev LD_PRELOAD ) to the path of a dynamic shared object, or shared library, containing custom versions of the -.Fn execl , -.Fn execle , -.Fn execlp , -.Fn execv , -.Fn execve , -.Fn execvp , -.Fn execvpe , +.Xr execve 2 , +.Xr execl 3 , +.Xr execle 3 , +.Xr execlp 3 , +.Xr execv 3 , +.Xr execvp 3 , +.Xr execvpe 3 , and -.Fn system +.Xr system 3 library functions that connect back to .Nm sudo for a policy decision. @@ -6538,7 +6499,7 @@ It is not possible to intercept shell built-in commands or restrict the ability to read or write sensitive files from within a shell. .Pp To enable intercept mode on a per-command basis, use the -.Li INTERCEPT +.Dv INTERCEPT tag as documented in the User Specification section above. Here is that example again: .Bd -literal @@ -6617,26 +6578,26 @@ The .Em noexec functionality is capable of blocking execution of commands run via the -.Fn execl , -.Fn execle , -.Fn execlp , -.Fn exect , -.Fn execv , -.Fn execve , -.Fn execveat , -.Fn execvP , -.Fn execvp , -.Fn execvpe , -.Fn fexecve , -.Fn popen , -.Fn posix_spawn , -.Fn posix_spawnp , -.Fn system , +.Xr execve 2 , +.Xr execl 3 , +.Xr execle 3 , +.Xr execlp 3 , +.Xr exect 3 , +.Xr execv 3 , +.Xr execveat 3 , +.Xr execvP 3 , +.Xr execvp 3 , +.Xr execvpe 3 , +.Xr fexecve 3 , +.Xr popen 3 , +.Xr posix_spawn 3 , +.Xr posix_spawnp 3 , +.Xr system 3 , and -.Fn wordexp +.Xr wordexp 3 functions. On Linux, a -.Fn seccomp +.Xr seccomp 2 filter is used to implement .Em noexec . On Solaris 10 and higher, @@ -6648,7 +6609,7 @@ environment variable. To enable .Em noexec for a command, use the -.Li NOEXEC +.Dv NOEXEC tag as documented in the User Specification section above. Here is that example again: .Bd -literal @@ -6752,7 +6713,7 @@ will refuse to open a symbolic link unless either the option is enabled or the .Em sudoedit command is prefixed with the -.Li FOLLOW +.Dv FOLLOW tag in the .Em sudoers file. @@ -6803,7 +6764,7 @@ if the system supports it. .Nm will not honor time stamps set far in the future. Time stamps with a date greater than current_time + 2 * -.Li TIMEOUT +.Dv TIMEOUT will be ignored and .Nm will log and complain. @@ -6871,11 +6832,11 @@ The following subsystems are used by the plugin: .Bl -tag -width 8n .It Em alias -.Li User_Alias , -.Li Runas_Alias , -.Li Host_Alias +.Em User_Alias , +.Em Runas_Alias , +.Em Host_Alias and -.Li Cmnd_Alias +.Em Cmnd_Alias processing .It Em all matches every subsystem @@ -6985,7 +6946,7 @@ When using netgroups of machines (as opposed to users), if you store fully qualified host name in the netgroup (as is usually the case), you either need to have the machine's host name be fully qualified as returned by the -.Li hostname +.Em hostname command or use the .Em fqdn option in diff --git a/docs/sudoers_timestamp.man.in b/docs/sudoers_timestamp.man.in index ca5c30916..e824029a2 100644 --- a/docs/sudoers_timestamp.man.in +++ b/docs/sudoers_timestamp.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDOERS_TIMESTAMP" "@mansectform@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS_TIMESTAMP" "@mansectform@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -29,7 +29,7 @@ plugin uses per-user time stamp files for credential caching. Once a user has been authenticated, they may use \fBsudo\fR without a password for a short period of time -(\fR@timeout@\fR +(\fI@timeout@\fR minutes unless overridden by the \fItimestamp_timeout\fR option) diff --git a/docs/sudoers_timestamp.mdoc.in b/docs/sudoers_timestamp.mdoc.in index 1dbfeac62..633cc7555 100644 --- a/docs/sudoers_timestamp.mdoc.in +++ b/docs/sudoers_timestamp.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd February 16, 2022 +.Dd September 13, 2022 .Dt SUDOERS_TIMESTAMP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -29,7 +29,7 @@ Once a user has been authenticated, they may use .Nm sudo without a password for a short period of time .Po -.Li @timeout@ +.Em @timeout@ minutes unless overridden by the .Em timestamp_timeout option @@ -94,19 +94,19 @@ same file but are not inter-operable. The size of the record in bytes. .It type The record type, currently -.Li TS_GLOBAL , -.Li TS_TTY , +.Dv TS_GLOBAL , +.Dv TS_TTY , or -.Li TS_PPID . +.Dv TS_PPID . .It flags Zero or more record flags which can be bit-wise ORed together. Supported flags are -.Li TS_DISABLED , +.Dv TS_DISABLED , for records disabled via .Nm sudo .Fl k and -.Li TS_ANYUID , +.Dv TS_ANYUID , which is used only when matching records. .It auth_uid The user-ID that was used for authentication. @@ -120,12 +120,12 @@ the default runas user or the target user. .It sid The ID of the user's terminal session, if present. The session ID is only used when matching records of type -.Li TS_TTY . +.Dv TS_TTY . .It start_time The start time of the session leader for records of type -.Li TS_TTY +.Dv TS_TTY or of the parent process for records of type -.Li TS_PPID . +.Dv TS_PPID . The .Em start_time is used to help prevent re-use of a time stamp record after a @@ -157,10 +157,10 @@ option, no password is required. .It u.ttydev The device number of the terminal associated with the session for records of type -.Li TS_TTY . +.Dv TS_TTY . .It u.ppid The ID of the parent process for records of type -.Li TS_PPID . +.Dv TS_PPID . .El .Sh LOCKING In @@ -174,7 +174,7 @@ of the entire file and the lock is held for a longer period of time. This scheme is described below. .Pp The first record in the time stamp file is of type -.Li TS_LOCKEXCL +.Dv TS_LOCKEXCL and is used as a .Em lock record to prevent more than one @@ -182,7 +182,7 @@ record to prevent more than one process from adding a new record at the same time. Once the desired time stamp record has been located or created (and locked), the -.Li TS_LOCKEXCL +.Dv TS_LOCKEXCL record is unlocked. The lock on the individual time stamp record, however, is held until authentication is complete. @@ -192,7 +192,7 @@ to avoid prompting for a password multiple times when it is used more than once in a pipeline. .Pp Records of type -.Li TS_GLOBAL +.Dv TS_GLOBAL cannot be locked for a long period of time since doing so would interfere with other .Nm sudo diff --git a/docs/sudoreplay.man.in b/docs/sudoreplay.man.in index 9b1b4c5a0..34d4f3013 100644 --- a/docs/sudoreplay.man.in +++ b/docs/sudoreplay.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDOREPLAY" "@mansectsu@" "February 16, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "SUDOREPLAY" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -50,7 +50,7 @@ The \fIID\fR should either be a six character sequence of digits and upper case letters, e.g., -\fR0100A5\fR +\(lq0100A5\(rq or a path name. The \fIID\fR @@ -76,8 +76,10 @@ with enabled in the \fIsudoers\fR file, a -\fRTSID=ID\fR -string is logged via syslog or to the +\(lqTSID=ID\(rq +string is logged via +syslog(3) +or to the \fBsudo\fR log file. The @@ -400,7 +402,7 @@ This will be addressed in a future version of \fBsudoreplay\fR versions 1.8.4 and higher support a flexible debugging framework that is configured via -\fRDebug\fR +\fIDebug\fR lines in the sudo.conf(@mansectform@) file. diff --git a/docs/sudoreplay.mdoc.in b/docs/sudoreplay.mdoc.in index b9e8086fe..518e34551 100644 --- a/docs/sudoreplay.mdoc.in +++ b/docs/sudoreplay.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd February 16, 2022 +.Dd September 13, 2022 .Dt SUDOREPLAY @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -48,7 +48,7 @@ The .Em ID should either be a six character sequence of digits and upper case letters, e.g., -.Li 0100A5 +.Dq 0100A5 or a path name. The .Em ID @@ -74,8 +74,10 @@ with enabled in the .Em sudoers file, a -.Li TSID=ID -string is logged via syslog or to the +.Dq TSID=ID +string is logged via +.Xr syslog 3 +or to the .Nm sudo log file. The @@ -363,7 +365,7 @@ This will be addressed in a future version of .Nm versions 1.8.4 and higher support a flexible debugging framework that is configured via -.Li Debug +.Em Debug lines in the .Xr sudo.conf @mansectform@ file. diff --git a/docs/visudo.man.in b/docs/visudo.man.in index b64ec2532..6610ada53 100644 --- a/docs/visudo.man.in +++ b/docs/visudo.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "VISUDO" "@mansectsu@" "April 23, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" +.TH "VISUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual" .nh .if n .ad l .SH "NAME" @@ -289,7 +289,7 @@ include file for syntax errors. \fBvisudo\fR versions 1.8.4 and higher support a flexible debugging framework that is configured via -\fRDebug\fR +\fIDebug\fR lines in the sudo.conf(@mansectform@) file. @@ -450,7 +450,7 @@ file. The \fIsudoers\fR file contains a -\fRDefaults\fR +\fIDefaults\fR setting not recognized by \fBvisudo\fR. .SH "SEE ALSO" diff --git a/docs/visudo.mdoc.in b/docs/visudo.mdoc.in index 725e71cfc..fec556c6d 100644 --- a/docs/visudo.mdoc.in +++ b/docs/visudo.mdoc.in @@ -20,7 +20,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd April 23, 2022 +.Dd September 13, 2022 .Dt VISUDO @mansectsu@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -281,7 +281,7 @@ include file for syntax errors. .Nm versions 1.8.4 and higher support a flexible debugging framework that is configured via -.Li Debug +.Em Debug lines in the .Xr sudo.conf @mansectform@ file. @@ -430,7 +430,7 @@ file. The .Em sudoers file contains a -.Li Defaults +.Em Defaults setting not recognized by .Nm . .El