=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/sudo/Attic/sudoers.5,v retrieving revision 1.6 retrieving revision 1.7 diff -c -r1.6 -r1.7 *** src/usr.bin/sudo/Attic/sudoers.5 2001/01/09 18:15:31 1.6 --- src/usr.bin/sudo/Attic/sudoers.5 2001/09/17 23:49:21 1.7 *************** *** 1,7 **** .rn '' }` ! ''' $RCSfile: sudoers.5,v $$Revision: 1.6 $$Date: 2001/01/09 18:15:31 $ ''' ''' $Log: sudoers.5,v $ ''' Revision 1.6 2001/01/09 18:15:31 krw ''' Typos: 'eg.' -> 'e.g.' ''' --- 1,10 ---- .rn '' }` ! ''' $RCSfile: sudoers.5,v $$Revision: 1.7 $$Date: 2001/09/17 23:49:21 $ ''' ''' $Log: sudoers.5,v $ + ''' Revision 1.7 2001/09/17 23:49:21 pjanzen + ''' Typo and grammar fixes, one from PR/2058 (Dennis Schwarz); ok millert@ + ''' ''' Revision 1.6 2001/01/09 18:15:31 krw ''' Typos: 'eg.' -> 'e.g.' ''' *************** *** 95,101 **** .\" Ip Item .\" X<> Xref (embedded .\" Of course, you have to process the output yourself ! .\" in some meaninful fashion. .if \nF \{ .de IX .tm Index:\\$1\t\\n%\t"\\$2" --- 98,104 ---- .\" Ip Item .\" X<> Xref (embedded .\" Of course, you have to process the output yourself ! .\" in some meaningful fashion. .if \nF \{ .de IX .tm Index:\\$1\t\\n%\t"\\$2" *************** *** 200,214 **** .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" ! The \fIsudoers\fR file is composed two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The grammar of \fIsudoers\fR will be described below in Extended Backus-Naur Form (EBNF). ! Don't despair if you don't know what EBNF is, it is fairly ! simple and the definitions below are annotated. .Sh "Quick guide to \s-1EBNF\s0" \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. ! Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg. .PP .Vb 1 \& symbol ::= definition | alternate1 | alternate2 ... 
--- 203,217 ---- .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" ! The \fIsudoers\fR file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The grammar of \fIsudoers\fR will be described below in Extended Backus-Naur Form (EBNF). ! Don't despair if you don't know what EBNF is; it is fairly ! simple, and the definitions below are annotated. .Sh "Quick guide to \s-1EBNF\s0" \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. ! Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., .PP .Vb 1 \& symbol ::= definition | alternate1 | alternate2 ... *************** *** 232,238 **** we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). .Sh "Aliases" ! There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR. .PP .Vb 4 --- 235,241 ---- we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). .Sh "Aliases" ! There are four kinds of aliases: \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR. .PP .Vb 4 *************** *** 262,271 **** \& Alias_Type NAME = item1, item2, ... .Ve where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR, ! or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers, and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an ! upper case letter. It is possible to put several alias definitions ! of the same type on a single line, joined by a semicolon (':'). Eg. .PP .Vb 1 \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 --- 265,274 ---- \& Alias_Type NAME = item1, item2, ... .Ve where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR, ! or \f(CWCmnd_Alias\fR. 
A \f(CWNAME\fR is a string of uppercase letters, numbers, and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an ! uppercase letter. It is possible to put several alias definitions ! of the same type on a single line, joined by a semicolon (':'). E.g., .PP .Vb 1 \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 *************** *** 287,293 **** (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'), netgroups (prefixed with \*(L'+') and other aliases. Each list item may be prefixed with one or more \*(L'!\*(R' operators. An odd number ! of \*(L'!\*(R' operators negates the value of the item; an even number just cancel each other out. .PP .Vb 2 --- 290,296 ---- (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'), netgroups (prefixed with \*(L'+') and other aliases. Each list item may be prefixed with one or more \*(L'!\*(R' operators. An odd number ! of \*(L'!\*(R' operators negate the value of the item; an even number just cancel each other out. .PP .Vb 2 *************** *** 454,460 **** be confusing. This flag is off by default. .Ip "fqdn" 12 Set this flag if you want to put fully qualified hostnames in the ! \fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example --- 457,463 ---- be confusing. This flag is off by default. .Ip "fqdn" 12 Set this flag if you want to put fully qualified hostnames in the ! \fIsudoers\fR file. I.e.: instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). 
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example *************** *** 511,517 **** 80 (use 0 or negate to disable word wrap). .Ip "timestamp_timeout" 12 Number of minutes that can elapse before \fBsudo\fR will ask for a passwd ! again. The default is 5, set this to 0 to always prompt for a password. .Ip "passwd_timeout" 12 Number of minutes before the \fBsudo\fR password prompt times out. The default is 5, set this to 0 for no password timeout. --- 514,520 ---- 80 (use 0 or negate to disable word wrap). .Ip "timestamp_timeout" 12 Number of minutes that can elapse before \fBsudo\fR will ask for a passwd ! again. The default is 5. Set this to 0 to always prompt for a password. .Ip "passwd_timeout" 12 Number of minutes before the \fBsudo\fR password prompt times out. The default is 5, set this to 0 for no password timeout. *************** *** 551,557 **** \fBStrings that can be used in a boolean context\fR: .Ip "logfile" 12 Path to the \fBsudo\fR log file (not the syslog log file). Setting a path ! turns on logging to a file, negating this option turns it off. .Ip "syslog" 12 Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to \*(L"local2\*(R". --- 554,560 ---- \fBStrings that can be used in a boolean context\fR: .Ip "logfile" 12 Path to the \fBsudo\fR log file (not the syslog log file). Setting a path ! turns on logging to a file; negating this option turns it off. .Ip "syslog" 12 Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to \*(L"local2\*(R". *************** *** 561,567 **** .Ip "mailerflags" 12 Flags to use when invoking mailer. Defaults to \f(CW-t\fR. .Ip "mailto" 12 ! Address to send warning and erorr mail to. Defaults to \*(L"root\*(R". .Ip "exempt_group" 12 Users in this group are exempt from password and \s-1PATH\s0 requirements. 
This is not set by default. --- 564,570 ---- .Ip "mailerflags" 12 Flags to use when invoking mailer. Defaults to \f(CW-t\fR. .Ip "mailto" 12 ! Address to send warning and error mail to. Defaults to \*(L"root\*(R". .Ip "exempt_group" 12 Users in this group are exempt from password and \s-1PATH\s0 requirements. This is not set by default. *************** *** 572,578 **** be separate from the \*(L"user path.\*(R" This is not set by default. .Ip "verifypw" 12 This option controls when a password will be required when a ! user runs \fBsudo\fR with the \fB\-v\fR. It has the following possible values: .Sp .Vb 3 \& all All the user's I entries for the --- 575,581 ---- be separate from the \*(L"user path.\*(R" This is not set by default. .Ip "verifypw" 12 This option controls when a password will be required when a ! user runs \fBsudo\fR with \fB\-v\fR. It has the following possible values: .Sp .Vb 3 \& all All the user's I entries for the *************** *** 643,649 **** .Ve A \fBuser specification\fR determines which commands a user may run (and as what user) on specified hosts. By default, commands are ! run as \fBroot\fR but this can be changed on a per-command basis. .PP Let's break that down into its constituent parts: .Sh "Runas_Spec" --- 646,652 ---- .Ve A \fBuser specification\fR determines which commands a user may run (and as what user) on specified hosts. By default, commands are ! run as \fBroot\fR, but this can be changed on a per-command basis. .PP Let's break that down into its constituent parts: .Sh "Runas_Spec" *************** *** 657,663 **** \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who .Ve The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and ! \fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg. .PP .Vb 1 \& sudo -u operator /bin/ls. --- 660,666 ---- \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who .Ve The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and ! 
\fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. E.g., .PP .Vb 1 \& sudo -u operator /bin/ls. *************** *** 689,695 **** .Vb 1 \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm .Ve ! Note however, that the \f(CWPASSWD\fR tag has no effect on users who are in the group specified by the exempt_group option. .PP By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries --- 692,698 ---- .Vb 1 \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm .Ve ! Note, however, that the \f(CWPASSWD\fR tag has no effect on users who are in the group specified by the exempt_group option. .PP By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries *************** *** 755,761 **** Long lines can be continued with a backslash (\*(R'\e') as the last character on the line. .PP ! Whitespace between elements in a list as well as specicial syntactic characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional. .PP The following characters must be escaped with a backslash (\*(R'\e') when --- 758,764 ---- Long lines can be continued with a backslash (\*(R'\e') as the last character on the line. .PP ! Whitespace between elements in a list as well as special syntactic characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional. .PP The following characters must be escaped with a backslash (\*(R'\e') when *************** *** 945,951 **** .Ve Any user may mount or unmount a CD\-ROM on the machines in the CDROM \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password. ! This is a bit tedious for users to type, so it is a prime candiate for encapsulating in a shell script. .SH "SECURITY NOTES" It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR --- 948,954 ---- .Ve Any user may mount or unmount a CD\-ROM on the machines in the CDROM \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password. ! 
This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. .SH "SECURITY NOTES" It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR
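Review bot: In the Aliases hunk (new lines 265-274), the sentence being edited still reads "joined by a semicolon (':')", but the character shown is a colon, and the example line that follows uses ':' as the separator. Since the line is already touched for "Eg." -> "E.g.,", change "semicolon" to "colon" in the same pass. "the underscore characters ('_')" in the same paragraph should also be singular.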
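Review bot: In the fqdn hunk (new lines 457-463), "I.e.: instead of myhost" keeps a colon after the abbreviation, while the other abbreviations corrected in this patch become "E.g.,". Suggest "I.e., instead of myhost you would use myhost.mydomain.edu." so the punctuation is consistent across the page.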
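Review bot: In the timestamp_timeout hunk (new lines 514-520), the comma splice is fixed for timestamp_timeout, but the identical one in the passwd_timeout entry just below ("The default is 5, set this to 0 for no password timeout.") is left as unchanged context. Apply the same split there, and spell out "passwd" as "password" in "will ask for a passwd again", since the sentence refers to the prompt rather than to a file or command name.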
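Review bot: In the Runas_Spec hunk (new lines 660-666), the changed line says dgb may run /usr/bin/lprm, but the example entry directly above it lists /bin/ls, /bin/kill, /usr/bin/who. In a page that defines who may run what, the description should match the rule it explains; change the prose or the example so both name the same command. The verbatim line "sudo -u operator /bin/ls." also ends with a period that reads as part of the command and should be dropped.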