Todd C. Miller
fb015fac1b
Document that the target user's groups may be specified via the -g option.
2018-10-27 12:52:17 -06:00
Todd C. Miller
675802b71c
Use mdoc macros for BSD systems.
All manuals now pass "make lint"
2018-10-07 07:34:22 -06:00
Todd C. Miller
dd6a6e4013
Fix problems found by igor. Bug #854
2018-10-06 06:00:56 -06:00
Todd C. Miller
d537daf787
Treat LOGIN, LOGNAME and USER specially. If one is preserved
or deleted we want to preserve or delete all of them.
2018-09-24 05:30:28 -06:00
Todd C. Miller
5f61f2c0f4
Remove special handling of the USERNAME environment variable. It
used to be set on old versions of Fedora but that hasn't been the
case for some time. It's worth noting that ssh doesn't set USERNAME
either.
2018-09-24 05:30:03 -06:00
Todd C. Miller
f9b3223edb
regen
2018-08-29 06:39:41 -06:00
Todd C. Miller
0484e3d6a9
Fix ambiguity when talking about Aliases. We can't use User_Alias
in the grammar as both the definition of the Alias as well as its
name. This adds {User,Runas,Host,Cmnd}_Alias_Spec to help differentiate
between the name of the alias and its definition. Bug #834
2018-08-07 10:03:05 -06:00
Todd C. Miller
b67915c6e4
Fix some issues pointed out by mandoc -Tlint
2018-06-13 11:19:35 -06:00
Todd C. Miller
1e26c6043e
Describe the special handling of LOGNAME, USER and USERNAME.
Fix typos reported by aspell.
2018-04-18 14:14:47 -06:00
Todd C. Miller
3194a00e9e
Document that the editor setting is also used by sudoedit.
2018-04-18 09:40:48 -06:00
Todd C. Miller
b6c53ac846
Decrease bullet width to 1n.
2018-03-21 06:52:50 -06:00
Todd C. Miller
e26ef96a65
Add case_insensitive_group and case_insensitive_user sudoers options,
which are enabled by default.
2018-03-05 10:42:02 -07:00
Todd C. Miller
12affcd5ef
Add missing close parenthesis in "Including other files from within
sudoers" section. Bug #824
2018-02-26 17:59:58 -07:00
Todd C. Miller
525c6a3d94
Use /run in preference to /var/run if it exists.
Bug #822
2018-02-19 10:59:12 -07:00
Todd C. Miller
5de49b2d6b
The max timeout for kernel time stamps is 60 minutes, not 3600 minutes.
2018-01-30 11:11:48 -07:00
Todd C. Miller
eb8b5c7964
document that kernel tty timestamps don't support negative timeouts
2018-01-24 05:27:54 -07:00
Todd C. Miller
b3601253e6
Fall back to ppid time stamps if timestamp_type == kernel and no
tty is present. This is consistent with timestamp_type == tty.
2018-01-23 11:18:18 -07:00
Todd C. Miller
23ac62cfb5
Also honor SUDO_EDITOR in visudo. Previously it was only used
by sudoedit.
2017-12-22 10:22:33 -07:00
Todd C. Miller
feb48b8ebf
Add "kernel" as a possible value of timestamp_type.
Currently only supported on OpenBSD.
2017-12-20 16:19:54 -07:00
Todd C. Miller
5f3797c754
Document the sudoers time stamp file format.
2017-12-20 13:01:06 -07:00
Todd C. Miller
1709dc7f77
In the timestamp record, include the start time of the terminal
session leader for tty-based timestamps or the start time of the
parent process for ppid-based timestamps. Idea from Duncan Overbruck.
2017-12-16 05:53:05 -07:00
Todd C. Miller
f869086eff
regen
2017-12-12 14:19:13 -07:00
Todd C. Miller
1350a30737
Add authfail_message sudoers option to allow the user to override
the default message of %d incorrect password attempt(s).
2017-12-11 12:43:58 -07:00
Todd C. Miller
276d83cc98
regen for sudo 1.8.22
2017-12-01 14:37:16 -07:00
Todd C. Miller
1051cf1e6f
env_keep and env_check are also taken into account with "sudo -i".
Bug #806
2017-09-26 13:08:57 -06:00
Todd C. Miller
7e78fbccfd
More accurately describe the use_pty option now that its behavior
has changed with respect to interposition with a pipe.
Also describe some caveats with log_input.
2017-09-07 14:59:37 -06:00
Todd C. Miller
54860cf7f5
In the Runas example that uses "boulder" make it clear that "boulder"
is a host name.
2017-08-04 14:55:03 -06:00
Todd C. Miller
63d954d1fc
Replace tty_tickets option with timestamp_type which can be
global, ppid or tty. Defaults to tty (no change in behavior).
Some users want the ppid behavior.
2017-08-01 16:14:54 -06:00
Todd C. Miller
d76d5eaebc
Clarify how the variable prompt options interact with each other
and PAM.
2017-07-21 11:18:13 -06:00
Todd C. Miller
d129f306ea
Add syslog_pid sudoers option to log sudo's process ID when logging
via syslog. This is disabled by default to match historic behavior.
2017-07-20 16:33:12 -06:00
Todd C. Miller
60146c2959
Fix the man section of sudo_plugin in cross-references.
2017-06-07 16:25:46 -06:00
Todd C. Miller
e1e2162dcf
Instead of hard-coding a check for bash functions in env_should_delete(),
use a "*=()* " pattern in initial_badenv_table[] to match them instead.
This allows the user to remove the check via env_delete.
2017-06-03 08:43:32 -06:00
Todd C. Miller
0ab00964ec
Mac OS X -> macOS
2017-06-02 16:10:37 -06:00
Todd C. Miller
17514b55ea
Add support for multiple '*' in env_keep, env_check and env_delete
entries.
2017-05-12 10:02:17 -06:00
Todd C. Miller
e51831fab3
Be clear that #includedir diverts control to the files in the
specified directory and, when parsing of those files is complete,
returns control to the original file. Bug #775
2017-05-08 13:55:02 -06:00
Todd C. Miller
8468f13c69
Move syslog_maxlen to the "Integers" section. Move syslog_goodpri and
syslog_badpri to the "Strings that can be used in a boolean context" section.
2017-05-03 10:32:21 -06:00
Todd C. Miller
d9bfaa386e
Fix a pasto that resulted in an extra (empty) syslog_goodpri list entry.
2017-05-03 10:24:12 -06:00
Todd C. Miller
0b81e0b195
Try to make it clear that when match_group_by_gid is enabled, groups
in sudoers are looked up by group name instead of group ID. This
doesn't usually cause problems, but if there are conflicting group
entries (for example, from a local /etc/group file and an LDAP or
AD group database), whether the group is resolved by name or ID can
be used to work around conflicts.
2017-04-11 16:56:04 -06:00
Todd C. Miller
272a9c8e9b
Document that commands matched by "sudo ALL" are not affected by
fdexec.
2017-03-27 11:10:18 -06:00
Todd C. Miller
7f26338071
Mention that iolog_user is useful for NFS.
2017-03-24 15:36:03 -06:00
Todd C. Miller
b3af85ddc8
Add restricted_env_file which is like env_file but subject to the
same restrictions as the user's own environment.
2017-03-22 13:39:25 -06:00
Todd C. Miller
8d57491dc1
Add PERM_IOLOG so we can create I/O log files on an NFS-mounted
filesystem where root is remapped to an unprivileged user.
2017-03-21 13:41:14 -06:00
Todd C. Miller
c4e703696a
Add iolog_flush option.
2017-03-20 10:25:58 -06:00
Todd C. Miller
8c8d078f66
Don't allow the user to specify an I/O log file mode that sudo can't
read or write to. I/O logs must always be readable and writable
by the owner.
2017-03-17 10:56:17 -06:00
Todd C. Miller
8b3845c1ca
Regenerate the cat pages with newer mandoc which formats double
quotes as "foo" instead of ``foo''.
2017-03-14 09:13:25 -06:00
Todd C. Miller
4bdbc6b290
Make it clear that I/O logs will be complete even if the command
run by sudo is terminated by a signal. The I/O log buffering just
prevents the logs from being displayed in real-time as the command
is running.
2017-03-14 09:11:56 -06:00
Todd C. Miller
e5dee1557e
Add NOTBEFORE and NOTAFTER command options similar to what is
already available in LDAP.
2017-02-18 15:35:48 -07:00
Todd C. Miller
c86a6a23ad
Add a command line option to specify the command timeout, as long
as sudoers does not specify a shorter time limit.
2017-02-16 09:58:18 -07:00
Todd C. Miller
24cdbb8de1
Split out tags again so they must precede the command and not allow
them to be mixed in with options.
2017-02-14 15:56:34 -07:00
Todd C. Miller
3980f1531b
Add support for command timeouts in sudoers. After the timeout,
the command will be terminated.
2017-02-14 15:56:34 -07:00