document that ALL implies SETENV

2007-11-21 19:26:06 +00:00
parent e6c0ba72f3
commit c9f393e4de
2 changed files with 6 additions and 4 deletions
--- a/sudo.pod
+++ b/sudo.pod
@@ -321,9 +321,9 @@ on the command line in the form of B<VAR>=I<value>, e.g.
 B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>.  Variables passed on the
 command line are subject to the same restrictions as normal environment
 variables with one important exception.  If the I<setenv> option
-is set in I<sudoers> or the command to be run has the C<SETENV> tag
-set the user may set variables that would overwise be forbidden.
-See L<sudoers(5)> for more information.
+is set in I<sudoers>, the command to be run has the C<SETENV> tag
+set or the command matched is C<ALL>, the user may set variables
+that would overwise be forbidden.  See L<sudoers(5)> for more information.

 =head1 RETURN VALUES

--- a/sudoers.pod
+++ b/sudoers.pod
@@ -340,7 +340,9 @@ basis.  Note that if C<SETENV> has been set for a command, any
 environment variables set on the command line way are not subject
 to the restrictions imposed by I<env_check>, I<env_delete>, or
 I<env_keep>.  As such, only trusted users should be allowed to set
-variables in this manner.
+variables in this manner.  If the command matched is B<ALL>, the
+C<SETENV> tag is implied for that command; this default may
+be overridden by use of the C<UNSETENV> tag.

 =head2 Wildcards