X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=doc%2Fsudoers.cat;h=b98c1e5afe5e9d9274d9ccb25358ae8c305b3478;hb=ca5f7615983706c51b50ac5a8bfc4e123263df0e;hp=2459758172ab19510b3a17915ee3c2e4a2fae192;hpb=0b21e55969badb5a284e97d31432c3f9139bed27;p=debian%2Fsudo

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 2459758..b98c1e5 100644
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -65,10 +65,11 @@ DDEESSCCRRIIPPTTIIOONN
        distinct ways _s_u_d_o_e_r_s can deal with environment variables.
 
        By default, the _e_n_v___r_e_s_e_t option is enabled.  This causes commands to
-       be executed with a minimal environment containing TERM, PATH, HOME,
-       MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
-       the invoking process permitted by the _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options.
-       This is effectively a whitelist for environment variables.
+       be executed with a minimal environment containing the TERM, PATH, HOME,
+       MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition
+       to variables from the invoking process permitted by the _e_n_v___c_h_e_c_k and
+       _e_n_v___k_e_e_p options.  This is effectively a whitelist for environment
+       variables.
 
        If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not
        explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited
@@ -97,6 +98,9 @@ DDEESSCCRRIIPPTTIIOONN
        On Linux and AIX systems the contents of _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are also
        included.  All other environment variables are removed.
 
+       Lastly, if the _e_n_v___f_i_l_e option is defined, any variables present in
+       that file will be set to their specified values.
+
 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
        The _s_u_d_o_e_r_s file is composed of two types of entries: aliases
        (basically variables) and user specifications (which specify who may
@@ -560,8 +564,16 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
        A hard limit of 128 nested include files is enforced to prevent include
        file loops.
 
-       The file name may include the %h escape, signifying the short form of
-       the host name.  I.e., if the machine's host name is "xerxes", then
+       If the path to the include file is not fully-qualified (does not begin
+       with a _/), it must be located in the same directory as the sudoers file
+       it was included from.  For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line:
+
+           #include sudoers.local
+
+       the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l.
+
+       The file name may also include the %h escape, signifying the short form
+       of the host name.  I.e., if the machine's host name is "xerxes", then
 
        #include /etc/sudoers.%h
 
@@ -662,15 +674,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                        use the EDITOR or VISUAL if they match a value
                        specified in editor.  This flag is _o_f_f by default.
 
-       env_reset       If set, ssuuddoo will reset the environment to only contain
-                       the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
-                       variables.  Any variables in the caller's environment
-                       that match the env_keep and env_check lists are then
-                       added.  The default contents of the env_keep and
-                       env_check lists are displayed when ssuuddoo is run by root
-                       with the _-_V option.  If the _s_e_c_u_r_e___p_a_t_h option is set,
-                       its value will be used for the PATH environment
-                       variable.  This flag is _o_n by default.
+       env_reset       If set, ssuuddoo will run the command in a minimal
+                       environment containing the TERM, PATH, HOME, MAIL,
+                       SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
+                       Any variables in the caller's environment that match
+                       the env_keep and env_check lists are then added,
+                       followed by any variables present in the file specified
+                       by the _e_n_v___f_i_l_e option (if any).  The default contents
+                       of the env_keep and env_check lists are displayed when
+                       ssuuddoo is run by root with the _-_V option.  If the
+                       _s_e_c_u_r_e___p_a_t_h option is set, its value will be used for
+                       the PATH environment variable.  This flag is _o_n by
+                       default.
 
        fast_glob       Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell-
                        style globbing when matching path names.  However,
@@ -1087,9 +1102,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                        %h will expand to the host name of the machine.
                        Default is *** SECURITY information for %h ***.
 
-       noexec_file     This option is deprecated and will be removed in a
-                       future release of ssuuddoo.  The path to the noexec file
-                       should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
+       noexec_file     This option is no longer supported.  The path to the
+                       noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
+                       file.
 
        passprompt      The default prompt to use when asking for a password;
                        can be overridden via the --pp option or the SUDO_PROMPT
@@ -1158,8 +1173,8 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
 
        SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
 
-       env_file    The _e_n_v___f_i_l_e options specifies the fully qualified path to
-                   a file containing variables to be set in the environment of
+       env_file    The _e_n_v___f_i_l_e option specifies the fully qualified path to a
+                   file containing variables to be set in the environment of
                    the program being run.  Entries in this file should either
                    be of the form VARIABLE=value or export VARIABLE=value.
                    The value may optionally be surrounded by single or double
@@ -1606,6 +1621,57 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS
        privilege escalation.  In the specific case of an editor, a safer
        approach is to give the user permission to run ssuuddooeeddiitt.
 
+DDEEBBUUGG FFLLAAGGSS
+       Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging
+       framework that can help track down what the plugin is doing internally
+       if there is a problem.  This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
+       file as described in _s_u_d_o(1m).
+
+       The _s_u_d_o_e_r_s plugin uses the same debug flag format as ssuuddoo itself:
+       _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
+
+       The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are:
+       _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.  Each priority,
+       when specified, also includes all priorities higher than it.  For
+       example, a priority of _n_o_t_i_c_e would include debug messages logged at
+       _n_o_t_i_c_e and higher.
+
+       The following subsystems are used by _s_u_d_o_e_r_s:
+
+       _a_l_i_a_s     User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+       _a_l_l       matches every subsystem
+
+       _a_u_d_i_t     BSM and Linux audit code
+
+       _a_u_t_h      user authentication
+
+       _d_e_f_a_u_l_t_s  _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
+
+       _e_n_v       environment handling
+
+       _l_d_a_p      LDAP-based sudoers
+
+       _l_o_g_g_i_n_g   logging support
+
+       _m_a_t_c_h     matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
+
+       _n_e_t_i_f     network interface handling
+
+       _n_s_s       network service switch handling in _s_u_d_o_e_r_s
+
+       _p_a_r_s_e_r    _s_u_d_o_e_r_s file parsing
+
+       _p_e_r_m_s     permission setting
+
+       _p_l_u_g_i_n    The equivalent of _m_a_i_n for the plugin.
+
+       _p_t_y       pseudo-tty related code
+
+       _r_b_t_r_e_e    redblack tree internals
+
+       _u_t_i_l      utility functions
+
 SSEECCUURRIITTYY NNOOTTEESS
        _s_u_d_o_e_r_s will check the ownership of its time stamp directory
        (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is
@@ -1683,4 +1749,4 @@ DDIISSCCLLAAIIMMEERR
 
 
 
-1.8.3                         September 16, 2011                    SUDOERS(4)
+1.8.4                          February  5, 2012                    SUDOERS(4)