Add non-unix group bits, adapted from Quest

This commit is contained in:
Todd C. Miller
2009-06-15 21:19:47 +00:00
parent 3086f937f0
commit d2efb0a55a
2 changed files with 46 additions and 3 deletions


@@ -583,15 +583,23 @@ To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected $ sudo ls /usr/local/protected
To list the home directory of user yazza on a machine where the To list the home directory of user yaz on a machine where the
file system holding ~yazza is not exported as root: file system holding ~yaz is not exported as root:
$ sudo -u yazza ls ~yazza $ sudo -u yaz ls ~yaz
To edit the F<index.html> file as user www: To edit the F<index.html> file as user www:
$ sudo -u www vi ~www/htdocs/index.html $ sudo -u www vi ~www/htdocs/index.html
To view system logs only accessible to root and users in the adm group:
$ sudo -g adm view /var/log/syslog
To run an editor as jim with a different primary group:
$ sudo -u jim -g audio vi ~jim/sound.txt
To shutdown a machine: To shutdown a machine:
$ sudo shutdown -r +15 "quick reboot" $ sudo shutdown -r +15 "quick reboot"
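Review bot: the two new examples and the yazza/yaz rename in this hunk do not exercise the feature named in the commit message; both `-g adm` and `-g audio` are ordinary Unix groups, so a reader of sudo.pod still sees no example of the new `%:` non-Unix group syntax. Either add an example that uses it or note in the commit message that this file only gains generic `-g` examples and an unrelated rename.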


@@ -116,6 +116,7 @@ The definitions of what constitutes a valid I<alias> member follow.
'!'* '#'uid | '!'* '#'uid |
'!'* '%'group | '!'* '%'group |
'!'* '+'netgroup | '!'* '+'netgroup |
'!'* '%:'nonunix_group |
'!'* User_Alias '!'* User_Alias
A C<User_List> is made up of one or more usernames, uids (prefixed A C<User_List> is made up of one or more usernames, uids (prefixed
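Review bot: the grammar now lists `'%:'nonunix_group` as a `User_List` member, but the prose immediately below it ("A C<User_List> is made up of one or more usernames, uids (prefixed ... with '+') and C<User_Alias>es") is left unchanged and still enumerates only usernames, uids, groups, netgroups and aliases. Add non-Unix groups (prefixed with '%:') to that sentence so the description matches the grammar.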
@@ -124,6 +125,33 @@ with '+') and C<User_Alias>es. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out. the value of the item; an even number just cancel each other out.
A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may
be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in
escaped hex mode, e.g. \x20 for space.
The C<nonunix_group> syntax depends on the underlying implementation.
For instance, the QAS AD backend supports the following formats:
=over 4
=item *
Group in the same domain: "Group Name"
=item *
Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
=item *
Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
=back
Note that quotes around group names are optional. Unquoted strings must
use a backslash (\) to escape spaces and the '@' symbol.
Runas_List ::= Runas_Member | Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List Runas_Member ',' Runas_List
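Review bot: "A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may" mixes singular and plural and does not match the grammar token, which is `nonunix_group`; use the singular here. The "=over 4" list also describes only "the QAS AD backend" while the preceding sentence says the syntax "depends on the underlying implementation", so it would help to state that other backends may accept different formats and that the SID form is accepted verbatim rather than resolved by sudo. Finally, "Unquoted strings must use a backslash (\) to escape spaces and the '@' symbol" sits outside the list it qualifies; moving it directly under the "Group in any domain" item, where '@' first appears, makes the rule easier to find.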
@@ -1259,6 +1287,7 @@ these are a bit contrived. First, we define our I<aliases>:
# Runas alias specification # Runas alias specification
Runas_Alias OP = root, operator Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
# Host alias specification # Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
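Review bot: `Runas_Alias ADMINGRP = adm, oper` holds group names, but the two preceding `Runas_Alias` lines (OP, DB) hold user names and nothing in the alias syntax distinguishes the two; the reader only learns that ADMINGRP is a group alias from its later use after ':' in a Runas spec. Add a short comment on this line (for example `# groups, used after ':' in a Runas list`) so the intended use is clear at the definition.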
@@ -1352,6 +1381,12 @@ The user B<joe> may only L<su(1)> to operator.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%opers ALL = (: ADMINGRP) /usr/sbin/
Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
groups).
The user B<pete> is allowed to change anyone's password except for The user B<pete> is allowed to change anyone's password except for
root on the I<HPPA> machines. Note that this assumes L<passwd(1)> root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
does not take multiple usernames on the command line. does not take multiple usernames on the command line.
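Review bot: inserting the `%opers` example and its explanation between the `pete HPPA = ...` line and the paragraph that explains it ("The user B<pete> is allowed to change anyone's password ...") separates an existing example from its description. Move the new `%opers` entry and its paragraph after the pete explanation. Also, `/usr/sbin/` with a trailing slash grants every command in that directory, so the explanation should say "any command in F</usr/sbin/>" rather than "commands in F</usr/sbin/>" to make the breadth of the grant explicit.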