author Todd C. Miller <Todd.Miller@courtesan.com> 2000-03-23 00:35:59 +0000
committer Todd C. Miller <Todd.Miller@courtesan.com> 2000-03-23 00:35:59 +0000
commit 85d4ea90e0ab7cbde522d05574ed6c84fa12b4b8
tree e77f0000355519cdb80b722abe91ffa7886ba782 /sudoers.cat
parent 96fc3f7afa3a87a807d2990ca9c94d58dc1436c3
Add FreeBSD login.conf support (untested on BSD/OS) based on a patch from
Michael D. Marchionna. configure now does substitution on the man pages, allowing us to fix up the paths and set the section correctly. Based on an idea from Michael D. Marchionna.
Diffstat (limited to 'sudoers.cat')
-rw-r--r-- sudoers.cat 226
1 files changed, 113 insertions, 113 deletions
diff --git a/sudoers.cat b/sudoers.cat
index 9e7533a87..a98a5db2c 100644
--- a/sudoers.cat
+++ b/sudoers.cat
@@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
-18/Feb/2000 1.6.3 1
+22/Mar/2000 1.6.3 1
@@ -127,7 +127,7 @@ sudoers(5) FILE FORMATS sudoers(5)
-18/Feb/2000 1.6.3 2
+22/Mar/2000 1.6.3 2
@@ -193,7 +193,7 @@ sudoers(5) FILE FORMATS sudoers(5)
-18/Feb/2000 1.6.3 3
+22/Mar/2000 1.6.3 3
@@ -259,7 +259,7 @@ sudoers(5) FILE FORMATS sudoers(5)
-18/Feb/2000 1.6.3 4
+22/Mar/2000 1.6.3 4
@@ -325,7 +325,7 @@ sudoers(5) FILE FORMATS sudoers(5)
-18/Feb/2000 1.6.3 5
+22/Mar/2000 1.6.3 5
@@ -391,7 +391,7 @@ sudoers(5) FILE FORMATS sudoers(5)
-18/Feb/2000 1.6.3 6
+22/Mar/2000 1.6.3 6
@@ -405,6 +405,12 @@ sudoers(5) FILE FORMATS sudoers(5)
root) instead of the password of the invoking
user.
+ use_loginclass
+ If set, sudo will apply the defaults specified
+ for the target user's login class if one
+ exists. Only available if sudo is configured
+ with the --with-logincap option.
+
IIIInnnntttteeeeggggeeeerrrrssss:
passwd_tries
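Review bot: The new use_loginclass entry does not say whether the flag is on or off by default, and "the defaults specified for the target user's login class" leaves open which settings are applied. Because the flag changes what is applied to a command run as the target user, state the default and name the settings taken from the class. It would also help to say what happens when the flag appears in sudoers on a build made without --with-logincap.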
@@ -448,16 +454,10 @@ sudoers(5) FILE FORMATS sudoers(5)
incorrect password. The default is "Sorry,
try again." unless insults are enabled.
- timestampdir
- The directory in which ssssuuuuddddoooo stores its
- timestamp files. The default is either
- /var/run/sudo or /tmp/sudo.
-
-
-18/Feb/2000 1.6.3 7
+22/Mar/2000 1.6.3 7
@@ -466,6 +466,10 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
+ timestampdir
+ The directory in which ssssuuuuddddoooo stores its
+ timestamp files. The default is _@_T_I_M_E_D_I_R_@.
+
passprompt The default prompt to use when asking for a
password; can be overridden via the -p option
or the SUDO_PROMPT environment variable.
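Review bot: In the re-added timestampdir entry the default is now the literal placeholder "_@_T_I_M_E_D_I_R_@", where the removed text named /var/run/sudo or /tmp/sudo. The placeholder sits inside the underline formatting of this preformatted page, so as it appears here a plain substitution of @TIMEDIR@ would not match it, and a reader of sudoers.cat gets no path at all. Either regenerate the cat page after configure has substituted the value, or keep the two concrete paths in this file.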
@@ -492,6 +496,10 @@ sudoers(5) FILE FORMATS sudoers(5)
SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt:
+ logfile Path to the sudo log file (not the syslog log
+ file). Setting a path turns on logging to a
+ file, negating this option turns it off.
+
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
Defaults to "local2".
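Review bot: The logfile entry gives no default, so a reader cannot tell whether file logging is active when the option is absent from sudoers; the neighbouring syslog entry does state one (Defaults to "local2"). Add the default, and split the comma splice in "Setting a path turns on logging to a file, negating this option turns it off." into two sentences.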
@@ -511,19 +519,11 @@ sudoers(5) FILE FORMATS sudoers(5)
and PATH requirements. This is not set by
default.
- secure_path Path used for every command run from ssssuuuuddddoooo. If
- you don't trust the people running sudo to
- have a sane PATH environment variable you may
- want to use this. Another use is if you want
- to have the "root path" be separate from the
- "user path." This is not set by default.
- verifypw This option controls when a password will be
- required when a user runs sudo with the ----vvvv.
-18/Feb/2000 1.6.3 8
+22/Mar/2000 1.6.3 8
@@ -532,6 +532,15 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
+ secure_path Path used for every command run from ssssuuuuddddoooo. If
+ you don't trust the people running sudo to
+ have a sane PATH environment variable you may
+ want to use this. Another use is if you want
+ to have the "root path" be separate from the
+ "user path." This is not set by default.
+
+ verifypw This option controls when a password will be
+ required when a user runs sudo with the ----vvvv.
It has the following possible values:
all All the user's I<sudoers> entries for the
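Review bot: The context line under verifypw, "All the user's I<sudoers> entries for the", still carries raw POD markup instead of the underlined form "_s_u_d_o_e_r_s" used elsewhere in this file. Since the page is being regenerated in this commit, fix the source so the I<...> is rendered.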
@@ -577,26 +586,26 @@ sudoers(5) FILE FORMATS sudoers(5)
Parameter): aaaauuuutttthhhhpppprrrriiiivvvv (if your OS supports it), aaaauuuutttthhhh,
ddddaaaaeeeemmmmoooonnnn, uuuusssseeeerrrr, llllooooccccaaaallll0000, llllooooccccaaaallll1111, llllooooccccaaaallll2222, llllooooccccaaaallll3333, llllooooccccaaaallll4444,
llllooooccccaaaallll5555, llllooooccccaaaallll6666, and llllooooccccaaaallll7777. The following syslog
- priorities are supported: aaaalllleeeerrrrtttt, ccccrrrriiiitttt, ddddeeeebbbbuuuugggg, eeeemmmmeeeerrrrgggg, eeeerrrrrrrr,
- iiiinnnnffffoooo, nnnnoooottttiiiicccceeee, and wwwwaaaarrrrnnnniiiinnnngggg.
- UUUUsssseeeerrrr SSSSppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn
- User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \
- (':' User_Spec)*
+22/Mar/2000 1.6.3 9
-18/Feb/2000 1.6.3 9
+sudoers(5) FILE FORMATS sudoers(5)
+ priorities are supported: aaaalllleeeerrrrtttt, ccccrrrriiiitttt, ddddeeeebbbbuuuugggg, eeeemmmmeeeerrrrgggg, eeeerrrrrrrr,
+ iiiinnnnffffoooo, nnnnoooottttiiiicccceeee, and wwwwaaaarrrrnnnniiiinnnngggg.
+ UUUUsssseeeerrrr SSSSppppeeeecccciiiiffffiiiiccccaaaattttiiiioooonnnn
-sudoers(5) FILE FORMATS sudoers(5)
+ User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \
+ (':' User_Spec)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
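Review bot: The User_Spec production spells the same non-terminal two ways, "User_list" before the host list and "User_List" after the '='. Pick one spelling so the grammar reads unambiguously, and confirm that the list after '=' is meant to be the same non-terminal as the one before it, given that the examples on this page write the run-as list in parentheses, as in "fred ALL = (DB) NOPASSWD: ALL".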
@@ -643,26 +652,27 @@ sudoers(5) FILE FORMATS sudoers(5)
modified via the NOPASSWD tag. Like a Runas_Spec, the
NOPASSWD tag sets a default for the commands that follow
it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
- be used to reverse things. For example:
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user rrrraaaayyyy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and
- _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rrrrooooooootttt
- without authenticating himself. If we only want rrrraaaayyyy to be
- able to run _/_b_i_n_/_k_i_l_l without a password the entry would
- be:
+22/Mar/2000 1.6.3 10
-18/Feb/2000 1.6.3 10
+sudoers(5) FILE FORMATS sudoers(5)
-sudoers(5) FILE FORMATS sudoers(5)
+ be used to reverse things. For example:
+
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ would allow the user rrrraaaayyyy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and
+ _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rrrrooooooootttt
+ without authenticating himself. If we only want rrrraaaayyyy to be
+ able to run _/_b_i_n_/_k_i_l_l without a password the entry would
+ be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
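Review bot: The NOPASSWD explanation says the commands run "as root on the machine rushmore as root", stating "as root" twice in one sentence. The wording is carried over unchanged from the removed lines; drop one occurrence in the source so the sentence reads "... as root on the machine rushmore without authenticating himself."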
@@ -705,23 +715,13 @@ sudoers(5) FILE FORMATS sudoers(5)
match /usr/bin/who but not /usr/bin/X11/xterm.
- EEEExxxxcccceeeeppppttttiiiioooonnnnssss ttttoooo wwwwiiiillllddddccccaaaarrrrdddd rrrruuuulllleeeessss::::
- The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line
- argument in the _s_u_d_o_e_r_s entry it means that
- command is not allowed to be run with aaaannnnyyyy
- arguments.
- OOOOtttthhhheeeerrrr ssssppppeeeecccciiiiaaaallll cccchhhhaaaarrrraaaacccctttteeeerrrrssss aaaannnndddd rrrreeeesssseeeerrrrvvvveeeedddd wwwwoooorrrrddddssss::::
- The pound sign ('#') is used to indicate a comment (unless
- it occurs in the context of a user name and is followed by
-
-18/Feb/2000 1.6.3 11
+22/Mar/2000 1.6.3 11
@@ -730,6 +730,19 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
+ EEEExxxxcccceeeeppppttttiiiioooonnnnssss ttttoooo wwwwiiiillllddddccccaaaarrrrdddd rrrruuuulllleeeessss::::
+
+ The following exceptions apply to the above rules:
+
+ "" If the empty string "" is the only command line
+ argument in the _s_u_d_o_e_r_s entry it means that
+ command is not allowed to be run with aaaannnnyyyy
+ arguments.
+
+ OOOOtttthhhheeeerrrr ssssppppeeeecccciiiiaaaallll cccchhhhaaaarrrraaaacccctttteeeerrrrssss aaaannnndddd rrrreeeesssseeeerrrrvvvveeeedddd wwwwoooorrrrddddssss::::
+
+ The pound sign ('#') is used to indicate a comment (unless
+ it occurs in the context of a user name and is followed by
one or more digits, in which case it is treated as a uid).
Both the comment character and any text after it, up to
the end of the line, are ignored.
@@ -770,6 +783,19 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
+
+
+
+
+22/Mar/2000 1.6.3 12
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
@@ -784,18 +810,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
-
-
-
-18/Feb/2000 1.6.3 12
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
@@ -836,32 +850,32 @@ sudoers(5) FILE FORMATS sudoers(5)
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (mmmmiiiilllllllleeeerrrrtttt, mmmmiiiikkkkeeeeffff, and ddddoooowwwwddddyyyy) may run
- any command on any host without authenticating themselves.
- PARTTIMERS ALL = ALL
- Part time sysadmins (bbbboooossssttttlllleeeeyyyy, jjjjwwwwffffooooxxxx, and ccccrrrraaaawwwwllll) may run
- any command on any host but they must authenticate
- themselves first (since the entry lacks the NOPASSWD tag).
- jack CSNETS = ALL
+22/Mar/2000 1.6.3 13
- The user jjjjaaaacccckkkk may run any command on the machines in the
- _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0,
- and 128.138.242.0). Of those networks, only
- <128.138.204.0> has an explicit netmask (in CIDR notation)
-18/Feb/2000 1.6.3 13
+sudoers(5) FILE FORMATS sudoers(5)
+ any command on any host without authenticating themselves.
+ PARTTIMERS ALL = ALL
-sudoers(5) FILE FORMATS sudoers(5)
+ Part time sysadmins (bbbboooossssttttlllleeeeyyyy, jjjjwwwwffffooooxxxx, and ccccrrrraaaawwwwllll) may run
+ any command on any host but they must authenticate
+ themselves first (since the entry lacks the NOPASSWD tag).
+ jack CSNETS = ALL
+ The user jjjjaaaacccckkkk may run any command on the machines in the
+ _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0,
+ and 128.138.242.0). Of those networks, only
+ <128.138.204.0> has an explicit netmask (in CIDR notation)
indicating it is a class C network. For the other
networks in _C_S_N_E_T_S, the local machine's netmask will be
used during matching.
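Review bot: The jack CSNETS paragraph says only <128.138.204.0> "has an explicit netmask (in CIDR notation)", but the address is printed with stray angle brackets and no prefix length, so the one example of CIDR notation is missing its netmask. The text is carried over unchanged from the removed lines; restore the prefix length in the source so the sentence matches what it describes.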
@@ -902,32 +916,32 @@ sudoers(5) FILE FORMATS sudoers(5)
netgroup. SSSSuuuuddddoooo knows that "biglab" is a netgroup due to
the '+' prefix.
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the sssseeeeccccrrrreeeettttaaaarrrriiiieeeessss netgroup need to help manage the
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
- fred ALL = (DB) NOPASSWD: ALL
- The user ffffrrrreeeedddd can run commands as any user in the _D_B
- Runas_Alias (oooorrrraaaacccclllleeee or ssssyyyybbbbaaaasssseeee) without giving a password.
+22/Mar/2000 1.6.3 14
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
- On the _A_L_P_H_A machines, user jjjjoooohhhhnnnn may su to anyone except
-18/Feb/2000 1.6.3 14
+sudoers(5) FILE FORMATS sudoers(5)
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+ Users in the sssseeeeccccrrrreeeettttaaaarrrriiiieeeessss netgroup need to help manage the
+ printers as well as add and remove users, so they are
+ allowed to run those commands on all machines.
+ fred ALL = (DB) NOPASSWD: ALL
-sudoers(5) FILE FORMATS sudoers(5)
+ The user ffffrrrreeeedddd can run commands as any user in the _D_B
+ Runas_Alias (oooorrrraaaacccclllleeee or ssssyyyybbbbaaaasssseeee) without giving a password.
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+ On the _A_L_P_H_A machines, user jjjjoooohhhhnnnn may su to anyone except
root but he is not allowed to give _s_u(1) any flags.
jen ALL, !SERVERS = ALL
@@ -967,6 +981,19 @@ sudoers(5) FILE FORMATS sudoers(5)
type, so it is a prime candiate for encapsulating in a
shell script.
+
+
+
+
+22/Mar/2000 1.6.3 15
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTEEEESSSS
It is generally not effective to "subtract" commands from
ALL using the '!' operator. A user can trivially
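Review bot: The context line just above the inserted page break reads "a prime candiate for encapsulating in a shell script"; "candiate" should be "candidate". Worth fixing in the source while the page is being regenerated.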
@@ -982,18 +1009,6 @@ SSSSEEEECCCCUUUURRRRIIIITTTTYYYY NNNNOOOOTTTTE
restrictions should be considered advisory at best (and
reinforced by policy).
-
-
-
-18/Feb/2000 1.6.3 15
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
CCCCAAAAVVVVEEEEAAAATTTTSSSS
The _s_u_d_o_e_r_s file should aaaallllwwwwaaaayyyyssss be edited by the vvvviiiissssuuuuddddoooo
command which locks the file and does grammatical
@@ -1036,22 +1051,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-18/Feb/2000 1.6.3 16
+22/Mar/2000 1.6.3 16
@@ -1117,6 +1117,6 @@ sudoers(5) FILE FORMATS sudoers(5)
-18/Feb/2000 1.6.3 17
+22/Mar/2000 1.6.3 17