to be used in all cases. Also set when the -p flag is used.
Sudo 1.6.9p9 released.
+
+634) Moved LDAP options into a table for simplified parsing/setting.
+
+635) Fixed a problem with how some LDAP options were being applied.
+
+636) Added support for connecting directly to LDAP servers via SSL
+ in addition to the existing start_tls support.
+
+Sudo 1.6.9p10 released.
#
# @configure_input@
#
-# $Sudo: Makefile.in,v 1.246.2.20 2007/12/03 10:34:32 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.21 2007/12/17 19:18:14 millert Exp $
#
#### Start of system configuration section. ####
LIBOBJS = @LIBOBJS@ @ALLOCA@
-VERSION = 1.6.9p9
+VERSION = 1.6.9p10
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
LICENSE Makefile.in PORTING README README.LDAP \
restart slapd. For other LDAP servers, provide this to your LDAP
Administrator. Make sure to index the attribute 'sudoUser'.
-For the SunONE or iPlanet LDAP server, use the schema.iPlanet file.
+For netscape-derived LDAP servers such as SunONE, iPlanet or Fedora
+Directory, use the schema.iPlanet file.
Importing /etc/sudoers to LDAP
==============================
===============================
The equivalent of a sudoer in LDAP is a 'sudoRole'. It contains sudoUser(s),
sudoHost, sudoCommand and optional sudoOption(s) and sudoRunAs(s).
-<put an example here>
+
+The following example allows users in group wheel to run any
+command on any host through sudo:
+
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL
Managing LDAP entries
=====================
http://www.mcs.anl.gov/~gawor/ldap
http://ldapmanager.com
- There are dozens of others, some open source, some free, some not.
+ * Apache Directory Studio - Open Source - an Eclipse-based LDAP
+ development platform. Includes an LDAP browser, and LDIF editor,
+ a schema editor and more.
+ http://directory.apache.org/studio
+
+ There are dozens of others, some Open Source, some free, some not.
Configure your /etc/ldap.conf
The /etc/ldap.conf file is meant to be shared between sudo, pam_ldap, nss_ldap
and other ldap applications and modules. IBM Secureway unfortunately uses
the same filename but has a different syntax. If you need to rename where
-this file is stored, recompile SUDO with the -DLDAP_CONFIG compile option.
+this file is stored, re-run configure with the --with-ldap-conf-file=filename
+option.
Make sure you sudoers_base matches exactly with the location you specified
when you imported the sudoers. Below is an example /etc/ldap.conf
- # Either specify a uri or host & port
+ # Either specify a URI or host and port.
+ # If neither is specified sudo will default to localhost port 389.
#host ldapserver
#port 389
#
- # URI will override host & port settings
- # but only works with LDAP SDK's that support
- # ldap_initialize() such as OpenLDAP
+ # URI will override host & port settings but only works with LDAP
+ # SDK's that support ldap_initialize() such as OpenLDAP.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#
#bindpw <password>
#rootbinddn <who to search as, uses /etc/ldap.passwd for bindpw>
#
- # LDAP Protocol Version defaults to 3
+ # LDAP protocol version, defaults to 3
#ldap_version 3
#
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
# Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
#ssl start_tls
#
- # Additional TLS options follow that allow tweaking
- # of the SSL/TLS connection
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection. Only supported when using OpenLDAP.
#
#tls_checkpeer yes # verify server SSL certificate
#tls_checkpeer no # ignore server SSL certificate
#
# If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir.
+ # or tls_cacertdir. Only supported when using OpenLDAP.
#
#tls_cacertfile /etc/certs/trusted_signers.pem
#tls_cacertdir /etc/certs
# For systems that don't have /dev/random
# use this along with PRNGD or EGD.pl to seed the
# random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
#
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
+ # Only supported when using OpenLDAP.
#
#tls_ciphers <cipher-list>
#
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
+ # For OpenLDAP:
#tls_cert /etc/certs/client_cert.pem
#tls_key /etc/certs/client_key.pem
#
+ # For SunONE or iPlanet LDAP, the file specified by tls_cert may
+ # contain CA certs and/or the client's cert. If the client's
+ # cert is included, tls_key should be specified as well.
+ # For backward compatibility, sslpath may be used in place of tls_cert.
+ #tls_cert /var/ldap/cert7.db
+ #tls_key /var/ldap/key3.db
Debugging your LDAP configuration
=================================
# rather, matches all hosts including web01
sudoHost: ALL
sudoHost: !web01
-
-
-Configure your /etc/nsswitch.conf
-=================================
-At the time of this writing, sudo does not consult nsswitch.conf for the
-search order. But if it did, it would look like this:
-This might be implemented in the future. For now just skip this step.
-
- sudoers: files ldap
len += strlen(*user_runas) - 2;
subst = 1;
break;
+ case 'p':
+ p++;
+ if (def_rootpw) {
+ len += 2;
+ }
+ else if (def_targetpw || def_runaspw) {
+ len += strlen(*user_runas) - 2;
+ }
+ else {
+ len += strlen(user_name) - 2;
+ }
+ subst = 1;
+ break;
case '%':
p++;
len--;
goto oflow;
np += n;
continue;
+ case 'p':
+ p++;
+ if (def_rootpw) {
+ n = strlcpy(np, "root", np - endp);
+ }
+ else if (def_targetpw || def_runaspw) {
+ n = strlcpy(np, *user_runas, np - endp);
+ }
+ else {
+ n = strlcpy(np, user_name, np - endp);
+ }
+ if (n >= np - endp)
+ goto oflow;
+ np += n;
+ continue;
case '%':
/* convert %% -> % */
p++;
/* Define to 1 if you have the `ldap_start_tls_s' function. */
#undef HAVE_LDAP_START_TLS_S
+/* Define to 1 if you have the `ldapssl_init' function. */
+#undef HAVE_LDAPSSL_INIT
+
/* Define to 1 if you have the `lockf' function. */
#undef HAVE_LOCKF
--with-goons-insults include the insults from the "Goon Show"
--with-ldap[=DIR] enable LDAP support
--with-ldap-conf-file path to LDAP configuration file
- --with-ldap-secret-file path to LDAP secret pasdword file
+ --with-ldap-secret-file path to LDAP secret password file
--with-pc-insults replace politically incorrect insults with less offensive ones
--with-secure-path override the user's path with a built-in one
--without-interfaces don't try to read the ip addr of ether interfaces
{ echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6; }
SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
+ { echo "$as_me:$LINENO: checking for main in -lkrb5support" >&5
+echo $ECHO_N "checking for main in -lkrb5support... $ECHO_C" >&6; }
+if test "${ac_cv_lib_krb5support_main+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lkrb5support $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+
+int
+main ()
+{
+return main ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_link") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext &&
+ $as_test_x conftest$ac_exeext; then
+ ac_cv_lib_krb5support_main=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_cv_lib_krb5support_main=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_krb5support_main" >&5
+echo "${ECHO_T}$ac_cv_lib_krb5support_main" >&6; }
+if test $ac_cv_lib_krb5support_main = yes; then
+ SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"
+fi
fi
-for ac_func in ldap_initialize ldap_start_tls_s
+
+for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
dnl
dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.413.2.30 2007/12/02 00:35:20 millert Exp $
+dnl $Sudo: configure.in,v 1.413.2.34 2007/12/19 19:29:29 millert Exp $
dnl
dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
esac])
AC_ARG_WITH(ldap-conf-file, [ --with-ldap-conf-file path to LDAP configuration file],
[AC_DEFINE_UNQUOTED(_PATH_LDAP_CONF, "$with_ldap_conf_file", [Path to the ldap.conf file])])
-AC_ARG_WITH(ldap-secret-file, [ --with-ldap-secret-file path to LDAP secret pasdword file],
+AC_ARG_WITH(ldap-secret-file, [ --with-ldap-secret-file path to LDAP secret password file],
[AC_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$with_ldap_secret_file", [Path to the ldap.secret file])])
AC_ARG_WITH(pc-insults, [ --with-pc-insults replace politically incorrect insults with less offensive ones],
], [
AC_MSG_RESULT(no)
SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
-
+ AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support,"])
])
AUTH_OBJS="$AUTH_OBJS kerb5.o"
_LIBS="$LIBS"
AC_MSG_RESULT([yes])
AC_DEFINE(HAVE_LBER_H)])
- AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s)
+ AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init)
SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
LIBS="$_LIBS"
+sudo (1.6.9p10-1) unstable; urgency=low
+
+ * new upstream version
+ * tweak default password prompt as %u doesn't make sense. Accept patch from
+ Patrick Schoenfeld (recommend upstream accept it too) that adds a %p and
+ uses it by default, closes: #454409
+ * accept patch from Martin Pitt that adds a prerm making it difficult to
+ "accidentally" remove sudo when there is no root password set on the
+ system, closes: #451241
+
+ -- Bdale Garbee <bdale@gag.com> Fri, 28 Dec 2007 11:44:30 -0700
+
sudo (1.6.9p9-1) unstable; urgency=low
* new upstream version
Priority: optional
Maintainer: Bdale Garbee <bdale@gag.com>
Build-Depends: debhelper (>= 5), libpam0g-dev, libldap2-dev, autotools-dev, bison, flex
-Standards-Version: 3.7.2
+Standards-Version: 3.7.3
Package: sudo
Architecture: any
--- /dev/null
+#!/bin/sh
+
+set -e
+
+check_password() {
+ if [ ! "$SUDO_FORCE_REMOVE" = "yes" ]; then
+ # let's check whether the root account is locked.
+ # if it is, we're not going another step. No Sirreee!
+ passwd=$(getent shadow root|cut -f2 -d:)
+ passwd1=$(echo "$passwd" |cut -c1)
+ # Note: we do need the 'xfoo' syntax here, since POSIX special-cases
+ # the $passwd value '!' as negation.
+ if [ "x$passwd" = "x*" ] || [ "x$passwd1" = "x!" ]; then
+ # yup, password is locked
+ echo "You have asked that the sudo package be removed,"
+ echo "but no root password has been set."
+ echo "Without sudo, you may not be able to gain administrative privileges."
+ echo
+ echo "If you would prefer to access the root account with su(1)"
+ echo "or by logging in directly,"
+ echo "you must set a root password with \"sudo passwd\"."
+ echo
+ echo "If you have arranged other means to access the root account,"
+ echo "and you are sure this is what you want,"
+ echo "you may bypass this check by setting an environment variable "
+ echo "(export SUDO_FORCE_REMOVE=yes)."
+ echo
+ echo "Refusing to remove sudo."
+ exit 1
+ fi
+ fi
+}
+
+case $1 in
+ remove)
+ check_password;
+ ;;
+ *)
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+
--with-logging=syslog --with-logfac=authpriv \
--with-env-editor --with-editor=/usr/bin/vi \
--with-timeout=15 --with-password-timeout=0 \
- --with-passprompt="[sudo] password for %u:" \
+ --with-passprompt="[sudo] password for %p: " \
--disable-root-mailer --disable-setresuid \
--with-sendmail=/usr/sbin/sendmail \
--mandir=/usr/share/man --libexecdir=/usr/lib/sudo \
--with-logging=syslog --with-logfac=authpriv \
--with-env-editor --with-editor=/usr/bin/vi \
--with-timeout=15 --with-password-timeout=0 \
- --with-passprompt="[sudo] password for %u:" \
+ --with-passprompt="[sudo] password for %p: " \
--disable-root-mailer --disable-setresuid \
--with-sendmail=/usr/sbin/sendmail \
--with-ldap-conf-file=/etc/ldap/ldap.conf \
#include "parse.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.20 2007/11/27 17:06:54 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.28 2007/12/19 19:29:32 millert Exp $";
#endif /* lint */
#ifndef LINE_MAX
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
#endif
-#if defined(LDAP_X_OPT_CONNECT_TIMEOUT) && !defined(LDAP_OPT_X_CONNECT_TIMEOUT)
-#define LDAP_OPT_X_CONNECT_TIMEOUT LDAP_OPT_X_CONNECT_TIMEOUT
-#endif
-
#define DPRINTF(args, level) if (ldap_conf.debug >= level) warnx args
+#define CONF_BOOL 0
+#define CONF_INT 1
+#define CONF_STR 2
+
+#define SUDO_LDAP_SSL 1
+#define SUDO_LDAP_STARTTLS 2
+
+struct ldap_config_table {
+ const char *conf_str; /* config file string */
+ short type; /* CONF_BOOL, CONF_INT, CONF_STR */
+ short connected; /* connection-specific value? */
+ int opt_val; /* LDAP_OPT_* (or -1 for sudo internal) */
+ void *valp; /* pointer into ldap_conf */
+};
+
/* ldap configuration structure */
struct ldap_config {
int port;
int version;
int debug;
+ int ldap_debug;
int tls_checkpeer;
int timelimit;
int bind_timelimit;
+ int ssl_mode;
char *host;
char *uri;
char *binddn;
char *tls_keyfile;
} ldap_conf;
+struct ldap_config_table ldap_conf_table[] = {
+ { "sudoers_debug", CONF_INT, FALSE, -1, &ldap_conf.debug },
+ { "host", CONF_STR, FALSE, -1, &ldap_conf.host },
+ { "port", CONF_INT, FALSE, -1, &ldap_conf.port },
+ { "ssl", CONF_STR, FALSE, -1, &ldap_conf.ssl },
+ { "sslpath", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
+ { "uri", CONF_STR, FALSE, -1, &ldap_conf.uri },
+#ifdef LDAP_OPT_DEBUG_LEVEL
+ { "debug", CONF_INT, FALSE, LDAP_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug },
+#endif
+#ifdef LDAP_OPT_PROTOCOL_VERSION
+ { "ldap_version", CONF_INT, TRUE, LDAP_OPT_PROTOCOL_VERSION,
+ &ldap_conf.version },
+#endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ { "tls_checkpeer", CONF_BOOL, FALSE, LDAP_OPT_X_TLS_REQUIRE_CERT,
+ &ldap_conf.tls_checkpeer },
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTFILE
+ { "tls_cacertfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTFILE,
+ &ldap_conf.tls_cacertfile },
+#endif
+#ifdef LDAP_OPT_X_TLS_CACERTDIR
+ { "tls_cacertdir", CONF_STR, FALSE, LDAP_OPT_X_TLS_CACERTDIR,
+ &ldap_conf.tls_cacertdir },
+#endif
+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
+ { "tls_randfile", CONF_STR, FALSE, LDAP_OPT_X_TLS_RANDOM_FILE,
+ &ldap_conf.tls_random_file },
+#endif
+#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
+ { "tls_ciphers", CONF_STR, FALSE, LDAP_OPT_X_TLS_CIPHER_SUITE,
+ &ldap_conf.tls_cipher_suite },
+#endif
+#ifdef LDAP_OPT_X_TLS_CERTFILE
+ { "tls_cert", CONF_STR, FALSE, LDAP_OPT_X_TLS_CERTFILE,
+ &ldap_conf.tls_certfile },
+#else
+ { "tls_cert", CONF_STR, FALSE, -1, &ldap_conf.tls_certfile },
+#endif
+#ifdef LDAP_OPT_X_TLS_KEYFILE
+ { "tls_key", CONF_STR, FALSE, LDAP_OPT_X_TLS_KEYFILE,
+ &ldap_conf.tls_keyfile },
+#else
+ { "tls_key", CONF_STR, FALSE, -1, &ldap_conf.tls_keyfile },
+#endif
+#ifdef LDAP_OPT_NETWORK_TIMEOUT
+ { "bind_timelimit", CONF_INT, TRUE, -1 /* needs timeval, set manually */,
+ &ldap_conf.bind_timelimit },
+#elif defined(LDAP_X_OPT_CONNECT_TIMEOUT)
+ { "bind_timelimit", CONF_INT, TRUE, LDAP_X_OPT_CONNECT_TIMEOUT,
+ &ldap_conf.bind_timelimit },
+#endif
+ { "timelimit", CONF_INT, TRUE, LDAP_OPT_TIMELIMIT, &ldap_conf.timelimit },
+ { "binddn", CONF_STR, FALSE, -1, &ldap_conf.binddn },
+ { "bindpw", CONF_STR, FALSE, -1, &ldap_conf.bindpw },
+ { "rootbinddn", CONF_STR, FALSE, -1, &ldap_conf.rootbinddn },
+ { "sudoers_base", CONF_STR, FALSE, -1, &ldap_conf.base },
+ { NULL }
+};
+
static void sudo_ldap_update_defaults __P((LDAP *));
static void sudo_ldap_close __P((LDAP *));
static LDAP *sudo_ldap_open __P((void));
{
FILE *f;
char buf[LINE_MAX], *c, *keyword, *value;
+ struct ldap_config_table *cur;
/* defaults */
ldap_conf.version = 3;
- ldap_conf.port = 389;
+ ldap_conf.port = -1;
ldap_conf.tls_checkpeer = -1;
ldap_conf.timelimit = -1;
ldap_conf.bind_timelimit = -1;
if ((f = fopen(_PATH_LDAP_CONF, "r")) == NULL)
return(FALSE);
+
while (fgets(buf, sizeof(buf), f)) {
/* ignore text after comment character */
if ((c = strchr(buf, '#')) != NULL)
while (--c > value && isspace((unsigned char) *c))
*c = '\0';
- /* The following macros make the code much more readable */
-
-#define MATCH_S(x,y) if (!strcasecmp(keyword,x)) \
- { efree(y); y=estrdup(value); }
-#define MATCH_I(x,y) if (!strcasecmp(keyword,x)) { y=atoi(value); }
-#define MATCH_B(x,y) if (!strcasecmp(keyword,x)) { y=_atobool(value); }
-
- /*
- * Parse values using a continues chain of if else if else if else if
- * else ...
- */
- MATCH_S("host", ldap_conf.host)
- else
- MATCH_I("port", ldap_conf.port)
- else
- MATCH_S("ssl", ldap_conf.ssl)
- else
- MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer)
- else
- MATCH_S("tls_cacertfile", ldap_conf.tls_cacertfile)
- else
- MATCH_S("tls_cacertdir", ldap_conf.tls_cacertdir)
- else
- MATCH_S("tls_randfile", ldap_conf.tls_random_file)
- else
- MATCH_S("tls_ciphers", ldap_conf.tls_cipher_suite)
- else
- MATCH_S("tls_cert", ldap_conf.tls_certfile)
- else
- MATCH_S("tls_key", ldap_conf.tls_keyfile)
- else
- MATCH_I("ldap_version", ldap_conf.version)
- else
- MATCH_I("bind_timelimit", ldap_conf.bind_timelimit)
- else
- MATCH_I("timelimit", ldap_conf.timelimit)
- else
- MATCH_S("uri", ldap_conf.uri)
- else
- MATCH_S("binddn", ldap_conf.binddn)
- else
- MATCH_S("bindpw", ldap_conf.bindpw)
- else
- MATCH_S("rootbinddn", ldap_conf.rootbinddn)
- else
- MATCH_S("sudoers_base", ldap_conf.base)
- else
- MATCH_I("sudoers_debug", ldap_conf.debug)
- else {
-
- /*
- * The keyword was unrecognized. Since this config file is
- * shared by multiple programs, it is appropriate to silently
- * ignore options this program does not understand
- */
+ /* Look up keyword in config table. */
+ for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
+ if (strcasecmp(keyword, cur->conf_str) == 0) {
+ switch (cur->type) {
+ case CONF_BOOL:
+ *(int *)(cur->valp) = _atobool(value);
+ break;
+ case CONF_INT:
+ *(int *)(cur->valp) = atoi(value);
+ break;
+ case CONF_STR:
+ efree(*(char **)(cur->valp));
+ *(char **)(cur->valp) = estrdup(value);
+ break;
+ }
+ break;
+ }
}
-
}
fclose(f);
if (!ldap_conf.host)
- ldap_conf.host = estrdup("localhost");
+ ldap_conf.host = "localhost";
if (ldap_conf.bind_timelimit > 0)
ldap_conf.bind_timelimit *= 1000; /* convert to ms */
ldap_conf.binddn : "(anonymous)");
fprintf(stderr, "bindpw %s\n", ldap_conf.bindpw ?
ldap_conf.bindpw : "(anonymous)");
- fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
- fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
-#ifdef HAVE_LDAP_START_TLS_S
+ if (ldap_conf.bind_timelimit > 0)
+ fprintf(stderr, "bind_timelimit %d\n", ldap_conf.bind_timelimit);
+ if (ldap_conf.timelimit > 0)
+ fprintf(stderr, "timelimit %d\n", ldap_conf.timelimit);
fprintf(stderr, "ssl %s\n", ldap_conf.ssl ?
ldap_conf.ssl : "(no)");
-#endif
+ if (ldap_conf.tls_checkpeer != -1)
+ fprintf(stderr, "tls_checkpeer %s\n", ldap_conf.tls_checkpeer ?
+ "(yes)" : "(no)");
+ if (ldap_conf.tls_cacertfile != NULL)
+ fprintf(stderr, "tls_cacertfile %s\n", ldap_conf.tls_cacertfile);
+ if (ldap_conf.tls_cacertdir != NULL)
+ fprintf(stderr, "tls_cacertdir %s\n", ldap_conf.tls_cacertdir);
+ if (ldap_conf.tls_random_file != NULL)
+ fprintf(stderr, "tls_random_file %s\n", ldap_conf.tls_random_file);
+ if (ldap_conf.tls_cipher_suite != NULL)
+ fprintf(stderr, "tls_cipher_suite %s\n", ldap_conf.tls_cipher_suite);
+ if (ldap_conf.tls_certfile != NULL)
+ fprintf(stderr, "tls_certfile %s\n", ldap_conf.tls_certfile);
+ if (ldap_conf.tls_keyfile != NULL)
+ fprintf(stderr, "tls_keyfile %s\n", ldap_conf.tls_keyfile);
fprintf(stderr, "===================\n");
}
if (!ldap_conf.base)
return(FALSE); /* if no base is defined, ignore LDAP */
+ /*
+ * Interpret SSL option
+ */
+ if (ldap_conf.ssl != NULL) {
+ if (strcasecmp(ldap_conf.ssl, "start_tls") == 0)
+ ldap_conf.ssl_mode = SUDO_LDAP_STARTTLS;
+ else if (_atobool(ldap_conf.ssl))
+ ldap_conf.ssl_mode = SUDO_LDAP_SSL;
+ }
+
+ /* Use port 389 for plaintext LDAP and port 636 for SSL LDAP */
+ if (ldap_conf.port < 0)
+ ldap_conf.port =
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL ? LDAPS_PORT : LDAP_PORT;
+
/* If rootbinddn set, read in /etc/ldap.secret if it exists. */
if (ldap_conf.rootbinddn) {
if ((f = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
printf("%s", sudo_ldap_cm_list);
}
-/* macros to set option, error on failure plus consistent debugging */
-#define SET_OPTS(opt, val) do { \
- if (ldap_conf.val != NULL) { \
- if (ldap_conf.debug > 1) \
- fprintf(stderr, \
- "ldap_set_option(LDAP_OPT_%s, \"%s\")\n", #opt, ldap_conf.val);\
- rc = ldap_set_option(ld, LDAP_OPT_ ## opt, ldap_conf.val); \
- if (rc != LDAP_OPT_SUCCESS) { \
- fprintf(stderr,"ldap_set_option(LDAP_OPT_%s, \"%s\")=%d: %s\n", \
- #opt, ldap_conf.val, rc, ldap_err2string(rc)); \
- return(NULL); \
- } \
- } \
-} while(0)
-#define SET_OPTI(opt, val) do { \
- if (ldap_conf.val >= 0) { \
- if (ldap_conf.debug > 1) \
- fprintf(stderr, \
- "ldap_set_option(LDAP_OPT_%s, %d)\n", #opt, ldap_conf.val); \
- rc = ldap_set_option(ld, LDAP_OPT_ ## opt, &ldap_conf.val); \
- if (rc != LDAP_OPT_SUCCESS) { \
- fprintf(stderr,"ldap_set_option(LDAP_OPT_%s, %d)=%d: %s\n", \
- #opt, ldap_conf.val, rc, ldap_err2string(rc)); \
- return(NULL); \
- } \
- } \
-} while(0)
-
/*
- * Open a connection to the LDAP server.
+ * Set LDAP options based on the config table.
*/
-static LDAP *
-sudo_ldap_open()
+int
+sudo_ldap_set_options(ld)
+ LDAP *ld;
{
- LDAP *ld = NULL;
+ struct ldap_config_table *cur;
int rc;
- if (!sudo_ldap_read_config())
- return(NULL);
-
- /* attempt to setup ssl options */
-#ifdef LDAP_OPT_X_TLS_CACERTFILE
- SET_OPTS(X_TLS_CACERTFILE, tls_cacertfile);
-#endif /* LDAP_OPT_X_TLS_CACERTFILE */
-
-#ifdef LDAP_OPT_X_TLS_CACERTDIR
- SET_OPTS(X_TLS_CACERTDIR, tls_cacertdir);
-#endif /* LDAP_OPT_X_TLS_CACERTDIR */
-
-#ifdef LDAP_OPT_X_TLS_CERTFILE
- SET_OPTS(X_TLS_CERTFILE, tls_certfile);
-#endif /* LDAP_OPT_X_TLS_CERTFILE */
-
-#ifdef LDAP_OPT_X_TLS_KEYFILE
- SET_OPTS(X_TLS_KEYFILE, tls_keyfile);
-#endif /* LDAP_OPT_X_TLS_KEYFILE */
-
-#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
- SET_OPTS(X_TLS_CIPHER_SUITE, tls_cipher_suite);
-#endif /* LDAP_OPT_X_TLS_CIPHER_SUITE */
+ /* Set ber options */
+#ifdef LBER_OPT_DEBUG_LEVEL
+ if (ldap_conf.ldap_debug)
+ ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL, &ldap_conf.ldap_debug);
+#endif
-#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
- SET_OPTS(X_TLS_RANDOM_FILE, tls_random_file);
-#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
+ /* Set simple LDAP options */
+ for (cur = ldap_conf_table; cur->conf_str != NULL; cur++) {
+ LDAP *conn;
+ int ival;
+ char *sval;
-#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
- /* check the server certificate? */
- SET_OPTI(X_TLS_REQUIRE_CERT, tls_checkpeer);
-#endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+ if (cur->opt_val == -1)
+ continue;
- /* set timelimit options */
- SET_OPTI(TIMELIMIT, timelimit);
+ conn = cur->connected ? ld : NULL;
+ switch (cur->type) {
+ case CONF_BOOL:
+ case CONF_INT:
+ ival = *(int *)(cur->valp);
+ if (ival >= 0) {
+ rc = ldap_set_option(conn, cur->opt_val, &ival);
+ if (rc != LDAP_OPT_SUCCESS) {
+ warnx("ldap_set_option: %s -> %d: %s",
+ cur->conf_str, ival, ldap_err2string(rc));
+ return(-1);
+ }
+ DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1);
+ }
+ break;
+ case CONF_STR:
+ sval = *(char **)(cur->valp);
+ if (sval != NULL) {
+ rc = ldap_set_option(conn, cur->opt_val, sval);
+ if (rc != LDAP_OPT_SUCCESS) {
+ warnx("ldap_set_option: %s -> %s: %s",
+ cur->conf_str, sval, ldap_err2string(rc));
+ return(-1);
+ }
+ DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1);
+ }
+ break;
+ }
+ }
#ifdef LDAP_OPT_NETWORK_TIMEOUT
+ /* Convert bind_timelimit to a timeval */
if (ldap_conf.bind_timelimit > 0) {
struct timeval tv;
tv.tv_sec = ldap_conf.bind_timelimit / 1000;
tv.tv_usec = 0;
- if (ldap_conf.debug > 1)
- fprintf(stderr, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
- tv.tv_sec);
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
if (rc != LDAP_OPT_SUCCESS) {
- fprintf(stderr,"ldap_set_option(NETWORK_TIMEOUT, %ld)=%d: %s\n",
- tv.tv_sec, rc, ldap_err2string(rc));
- return(NULL);
+ warnx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s",
+ (long)tv.tv_sec, ldap_err2string(rc));
+ return(-1);
}
+ DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)\n",
+ (long)tv.tv_sec), 1);
}
#endif
- /* attempt connect */
-#ifdef HAVE_LDAP_INITIALIZE
- if (ldap_conf.uri) {
+#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
+ if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+ int val = LDAP_OPT_X_TLS_HARD;
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
+ if (rc != LDAP_SUCCESS) {
+ warnx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s",
+ ldap_err2string(rc));
+ return(-1);
+ }
+
+ }
+#endif
+ return(0);
+}
+
+/*
+ * Open a connection to the LDAP server.
+ */
+static LDAP *
+sudo_ldap_open()
+{
+ LDAP *ld = NULL;
+ int rc;
+
+ if (!sudo_ldap_read_config())
+ return(NULL);
- DPRINTF(("ldap_initialize(ld,%s)", ldap_conf.uri), 2);
+#ifdef HAVE_LDAPSSL_INIT
+ if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+ DPRINTF(("ldapssl_clientauth_init(%s, %s)",
+ ldap_conf.tls_certfile ? ldap_conf.tls_certfile : "NULL",
+ ldap_conf.tls_keyfile ? ldap_conf.tls_keyfile : "NULL"), 2);
+ rc = ldapssl_clientauth_init(ldap_conf.tls_certfile, NULL,
+ ldap_conf.tls_keyfile != NULL, ldap_conf.tls_keyfile, NULL);
+ if (rc != LDAP_SUCCESS) {
+ warnx("unable to initialize SSL cert and key db: %s",
+ ldapssl_err2string(rc));
+ return(NULL);
+ }
+ }
+#endif /* HAVE_LDAPSSL_INIT */
+ /* Connect to LDAP server */
+#ifdef HAVE_LDAP_INITIALIZE
+ if (ldap_conf.uri) {
+ DPRINTF(("ldap_initialize(ld, %s)", ldap_conf.uri), 2);
rc = ldap_initialize(&ld, ldap_conf.uri);
- if (rc) {
- fprintf(stderr, "ldap_initialize()=%d : %s\n",
- rc, ldap_err2string(rc));
+ if (rc != LDAP_SUCCESS) {
+ warnx("unable to initialize LDAP: %s", ldap_err2string(rc));
return(NULL);
}
} else
#endif /* HAVE_LDAP_INITIALIZE */
- if (ldap_conf.host) {
-
- DPRINTF(("ldap_init(%s,%d)", ldap_conf.host, ldap_conf.port), 2);
-
- if ((ld = ldap_init(ldap_conf.host, ldap_conf.port)) == NULL) {
- fprintf(stderr, "ldap_init(): errno=%d : %s\n",
- errno, strerror(errno));
+ {
+#ifdef HAVE_LDAPSSL_INIT
+ DPRINTF(("ldapssl_init(%s, %d, %d)", ldap_conf.host, ldap_conf.port,
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL), 2);
+ ld = ldapssl_init(ldap_conf.host, ldap_conf.port,
+ ldap_conf.ssl_mode == SUDO_LDAP_SSL);
+#else
+ DPRINTF(("ldap_init(%s, %d)", ldap_conf.host, ldap_conf.port), 2);
+ ld = ldap_init(ldap_conf.host, ldap_conf.port);
+#endif /* HAVE_LDAPSSL_INIT */
+ if (ld == NULL) {
+ warn("unable to initialize LDAP");
return(NULL);
}
}
-#ifdef LDAP_OPT_PROTOCOL_VERSION
-
- /* Set the LDAP Protocol version */
- SET_OPTI(PROTOCOL_VERSION, version);
-#endif /* LDAP_OPT_PROTOCOL_VERSION */
+ /* Set LDAP options */
+ if (sudo_ldap_set_options(ld) < 0)
+ return(NULL);
+ if (ldap_conf.ssl_mode == SUDO_LDAP_STARTTLS) {
#ifdef HAVE_LDAP_START_TLS_S
- /* Turn on TLS */
- if (ldap_conf.ssl && !strcasecmp(ldap_conf.ssl, "start_tls")) {
rc = ldap_start_tls_s(ld, NULL, NULL);
if (rc != LDAP_SUCCESS) {
- fprintf(stderr, "ldap_start_tls_s(): %d: %s\n", rc,
- ldap_err2string(rc));
+ warnx("ldap_start_tls_s(): %s", ldap_err2string(rc));
ldap_unbind(ld);
return(NULL);
}
DPRINTF(("ldap_start_tls_s() ok"), 1);
- }
+#else
+ warnx("start_tls specified but LDAP libs do not support ldap_start_tls_s()");
#endif /* HAVE_LDAP_START_TLS_S */
+ }
/* Actually connect */
if ((rc = ldap_simple_bind_s(ld, ldap_conf.binddn, ldap_conf.bindpw))) {
- fprintf(stderr, "ldap_simple_bind_s()=%d : %s\n",
- rc, ldap_err2string(rc));
+ warnx("ldap_simple_bind_s: %s", ldap_err2string(rc));
return(NULL);
}
- DPRINTF(("ldap_bind() ok"), 1);
+ DPRINTF(("ldap_simple_bind_s() ok"), 1);
return(ld);
}
rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE,
"cn=defaults", NULL, 0, &result);
- if (!rc && (entry = ldap_first_entry(ld, result))) {
+ if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
sudo_ldap_parse_options(ld, entry);
} else
DPRINTF(("ldap search '%s'", filt), 1);
rc = ldap_search_s(ld, ldap_conf.base, LDAP_SCOPE_SUBTREE, filt,
NULL, 0, &result);
- if (rc)
+ if (rc != LDAP_SUCCESS)
DPRINTF(("nothing found for '%s'", filt), 1);
efree(filt);
#endif /* HAVE_EXTENDED_GLOB */
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.14 2007/10/24 16:43:27 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: parse.c,v 1.160.2.15 2007/12/04 15:26:40 millert Exp $";
#endif /* lint */
/*
return(VALIDATE_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
(no_execve == TRUE ? FLAG_NOEXEC : 0) |
- (setenv_ok == TRUE ? FLAG_SETENV : 0));
+ (setenv_ok >= TRUE ? FLAG_SETENV : 0));
} else if ((runas_matches == TRUE && cmnd_matches == FALSE) ||
(runas_matches == FALSE && cmnd_matches == TRUE)) {
/*
return(VALIDATE_NOT_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
(no_execve == TRUE ? FLAG_NOEXEC : 0) |
- (setenv_ok == TRUE ? FLAG_SETENV : 0));
+ (setenv_ok >= TRUE ? FLAG_SETENV : 0));
}
}
top--;
#include "version.h"
#ifndef lint
-__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.33 2007/12/02 17:13:52 millert Exp $";
+__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.34 2007/12/13 14:12:49 millert Exp $";
#endif /* lint */
/*
while (NewArgc > 0) {
if (NewArgv[0][0] == '-') {
- if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0')
+ if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0') {
warnx("please use single character options");
+ usage(1);
+ }
switch (NewArgv[0][1]) {
case 'p':
-1.6.9p8 December 3, 2007 1
+1.6.9p10 December 17, 2007 1
-1.6.9p8 December 3, 2007 2
+1.6.9p10 December 17, 2007 2
-1.6.9p8 December 3, 2007 3
+1.6.9p10 December 17, 2007 3
-1.6.9p8 December 3, 2007 4
+1.6.9p10 December 17, 2007 4
-1.6.9p8 December 3, 2007 5
+1.6.9p10 December 17, 2007 5
-1.6.9p8 December 3, 2007 6
+1.6.9p10 December 17, 2007 6
-1.6.9p8 December 3, 2007 7
+1.6.9p10 December 17, 2007 7
-1.6.9p8 December 3, 2007 8
+1.6.9p10 December 17, 2007 8
-1.6.9p8 December 3, 2007 9
+1.6.9p10 December 17, 2007 9
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudo.man.in,v 1.29.2.16 2007/12/03 10:27:12 millert Exp $
+.\" $Sudo: sudo.man.in,v 1.29.2.17 2007/12/17 22:11:10 millert Exp $
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
-.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
-.\" expand to `' in nroff, nothing in troff, for use with C<>.
-.tr \(*W-|\(bv\*(Tr
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "December 3, 2007" "1.6.9p8" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "December 17, 2007" "1.6.9p10" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
current directory) last when searching for a command in the user's
\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
-actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
-unchanged to the program that \fBsudo\fR executes.
+\&\f(CW\*(C`PATH\*(C'\fR environment variable is further modified in Debian because of
+the use of the \fI\s-1SECURE_PATH\s0\fR build option.
.PP
\&\fBsudo\fR will check the ownership of its timestamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
file system holding ~yazza is not exported as root:
.PP
.Vb 1
-\& $ sudo -u yazza ls ~yazza
+\& $ sudo \-u yazza ls ~yazza
.Ve
.PP
To edit the \fIindex.html\fR file as user www:
.PP
.Vb 1
-\& $ sudo -u www vi ~www/htdocs/index.html
+\& $ sudo \-u www vi ~www/htdocs/index.html
.Ve
.PP
To shutdown a machine:
.PP
.Vb 1
-\& $ sudo shutdown -r +15 "quick reboot"
+\& $ sudo shutdown \-r +15 "quick reboot"
.Ve
.PP
To make a usage listing of the directories in the /home
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.PP
.Vb 1
-\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), \fIlogin_cap\fR\|(3), \fIpasswd\fR\|(@mansectform@),
\&\fIsudoers\fR\|(@mansectform@), \fIvisudo\fR\|(@mansectsu@)
+.PP
+The file /usr/share/doc/sudo/OPTIONS describes the options used for building
+the Debian version of sudo, some of which change default behaviors documented
+elsewhere in this document.
.SH "AUTHORS"
.IX Header "AUTHORS"
Many people have worked on \fBsudo\fR over the years; this
-1.6.9p8 December 3, 2007 1
+1.6.9p10 December 17, 2007 1
-1.6.9p8 December 3, 2007 2
+1.6.9p10 December 17, 2007 2
-1.6.9p8 December 3, 2007 3
+1.6.9p10 December 17, 2007 3
-1.6.9p8 December 3, 2007 4
+1.6.9p10 December 17, 2007 4
-1.6.9p8 December 3, 2007 5
+1.6.9p10 December 17, 2007 5
-1.6.9p8 December 3, 2007 6
+1.6.9p10 December 17, 2007 6
-1.6.9p8 December 3, 2007 7
+1.6.9p10 December 17, 2007 7
-1.6.9p8 December 3, 2007 8
+1.6.9p10 December 17, 2007 8
-1.6.9p8 December 3, 2007 9
+1.6.9p10 December 17, 2007 9
-1.6.9p8 December 3, 2007 10
+1.6.9p10 December 17, 2007 10
-1.6.9p8 December 3, 2007 11
+1.6.9p10 December 17, 2007 11
-1.6.9p8 December 3, 2007 12
+1.6.9p10 December 17, 2007 12
-1.6.9p8 December 3, 2007 13
+1.6.9p10 December 17, 2007 13
-1.6.9p8 December 3, 2007 14
+1.6.9p10 December 17, 2007 14
-1.6.9p8 December 3, 2007 15
+1.6.9p10 December 17, 2007 15
-1.6.9p8 December 3, 2007 16
+1.6.9p10 December 17, 2007 16
-1.6.9p8 December 3, 2007 17
+1.6.9p10 December 17, 2007 17
-1.6.9p8 December 3, 2007 18
+1.6.9p10 December 17, 2007 18
-1.6.9p8 December 3, 2007 19
+1.6.9p10 December 17, 2007 19
-1.6.9p8 December 3, 2007 20
+1.6.9p10 December 17, 2007 20
-1.6.9p8 December 3, 2007 21
+1.6.9p10 December 17, 2007 21
-1.6.9p8 December 3, 2007 22
+1.6.9p10 December 17, 2007 22
-1.6.9p8 December 3, 2007 23
+1.6.9p10 December 17, 2007 23
-1.6.9p8 December 3, 2007 24
+1.6.9p10 December 17, 2007 24
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.man.in,v 1.45.2.18 2007/12/03 10:27:12 millert Exp $
+.\" $Sudo: sudoers.man.in,v 1.45.2.19 2007/12/17 22:11:10 millert Exp $
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "December 3, 2007" "1.6.9p8" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "December 17, 2007" "1.6.9p10" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
.el .IP "\f(CW%u\fR" 4
.IX Item "%u"
expanded to the invoking user's login name
+.ie n .IP "%p" 4
+.el .IP "\f(CW%p\fR" 4
+.IX Item "%p"
+expanded to the user whose password is asked for (respects the presence of the
+rootpw, targetpw or runaspw options in the configuration)
+
.ie n .IP "\*(C`%%\*(C'" 4
.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
.IX Item "%%"
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
- * $Sudo: version.h,v 1.66.2.12 2007/12/03 10:34:32 millert Exp $
+ * $Sudo: version.h,v 1.66.2.13 2007/12/17 19:18:14 millert Exp $
*/
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.9p9";
+static const char version[] = "1.6.9p10";
#endif /* _SUDO_VERSION_H */
-1.6.9p8 November 2, 2007 1
+1.6.9p10 December 17, 2007 1
-1.6.9p8 November 2, 2007 2
+1.6.9p10 December 17, 2007 2
-1.6.9p8 November 2, 2007 3
+1.6.9p10 December 17, 2007 3
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: visudo.man.in,v 1.20.2.13 2007/11/02 19:15:16 millert Exp $
+.\" $Sudo: visudo.man.in,v 1.20.2.14 2007/12/17 22:11:10 millert Exp $
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "November 2, 2007" "1.6.9p8" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "December 17, 2007" "1.6.9p10" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"