+2013-04-11 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS, configure, configure.in:
+ Update for sudo 1.8.6p8
+ [1d2d78415eed]
+
+ * plugins/sudoers/auth/passwd.c, plugins/sudoers/auth/secureware.c:
+ Check for crypt() returning NULL. Traditionally, crypt() never
+ returned NULL but newer versions of eglibc have a crypt() that does.
+ Bug #598
+ [887b9df243df]
+
+2013-04-10 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/ttyname.c:
+ AIX may have a 64-bit pr_ttydev that we need to convert to 32-bit
+ before we try to match it against st_rdev.
+ [5dab449fb962]
+
+ * src/ttyname.c:
+ Break out of the loop if sudo_ttyname_scan() returns non-NULL. Fixes
+ a problem finding the tty name when it is not in /dev/pts.
+ [6c205d087fa0]
+
+2013-02-25 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/check.c:
+ Completely ignore time stamp file if it is set to the epoch,
+ regardless of what gettimeofday() returns.
+ [ebd6cc75020f]
+
+ * plugins/sudoers/check.c, plugins/sudoers/sudoers.c,
+ plugins/sudoers/sudoers.h:
+ Store the session ID in the tty ticket file too. A tty may only be
+ in one session at a time so if the session ID doesn't match we
+ ignore the ticket.
+ [049a12a5cc14]
+
+ * configure, configure.in:
+ Sudo 1.8.6p7
+ [3334bc872111]
+
+ * NEWS:
+ Update for Sudo 1.8.6p7
+ [3b853ddc529c]
+
+2013-02-11 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS:
+ Add Sudo 1.8.6p7
+ [77480be0f378]
+
+2013-01-31 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS:
+ Clarify ttyname changes.
+ [9963ed81732d]
+
+ * NEWS:
+ Add 1.8.6p6
+ [162ea7fae117]
+
+ * src/ttyname.c:
+ Remove ttyname() fall back code on systems where we can query the
+ kernel for the tty device via /proc or sysctl(). If there is no
+ controlling tty, it is better to just treat the tty as unknown
+ rather than to blindly use what is hooked up to std{in,out,err}.
+ [2f3225a2a4a4]
+
+2013-01-24 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/iolog.c:
+ Add __dso_public to extern declaration of declaration to match
+ actual definition.
+ [e16ecb5c6677]
+
+ * configure, configure.in:
+ Sudo 1.8.6p5
+ [8d7c8bd159c5]
+
+ * NEWS:
+ Add 1.8.6p5
+ [1cb9b7c4f626]
+
+2013-01-23 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/visudo.c:
+ Fix potential stack overflow due to infinite recursion in alias
+ cycle detection. From Daniel Kopecek.
+ [77f2228877bc]
+
+2013-01-18 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * compat/getgrouplist.c, config.h.in, configure, configure.in:
+ Use _getgroupsbymember() on Solaris to get the groups list. Fixes
+ performance problems with the getgroupslist() compat on Solaris
+ systems with network-based group databases.
+ [6ab76bea5ea4]
+
+2013-01-13 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/sudo.c:
+ Add missing call to save_signals().
+ [708b8db3b30e]
+
+2013-01-11 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in:
+ Use -fstack-protector-all in preference to -fstack-protector where
+ supported.
+ [52ac4eadf5c9]
+
+2013-01-10 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in:
+ Only test for -fstack-protector and -fvisibility=hidden on GNU
+ compatible compilers.
+ [5f31c5b4edc9]
+
+2013-01-03 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS:
+ Add Sudo 1.8.6p4
+ [88358d481baa]
+
+ * configure, configure.in:
+ Sudo 1.8.6p4
+ [e8032237c4b1]
+
+ * common/Makefile.in, compat/Makefile.in, configure, configure.in,
+ plugins/sample/Makefile.in, plugins/sample_group/Makefile.in,
+ plugins/sudoers/Makefile.in, plugins/system_group/Makefile.in,
+ src/Makefile.in:
+ Break out stack smashing protector options into SSP_CFLAGS and
+ SSP_LDFLAGS so we can use it everywhere (unlike LT_LDFLAGS).
+ [9c3662776afa]
+
+2013-01-01 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/CONTRIBUTORS, plugins/sudoers/redblack.c:
+ In rbrepair(), make sure we never try to change the color of the
+ sentinel node, which is the first entry, not the root. From Michael
+ King
+ [24ebb817e1ee]
+
+2012-12-27 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in:
+ Disable PIE on FreeBSD/ia64, otherwise sudo will segfault.
+ [ce07ef64d410]
+
+2012-11-25 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/visudo.c:
+ Avoid NULL deref for unknown Defaults in strict mode.
+ [4c2d9717d91e]
+
+2012-11-06 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/audit.c, plugins/sudoers/logging.c,
+ plugins/sudoers/logging.h, plugins/sudoers/sudoers.c:
+ Do not inform the user that the command was not permitted by the
+ policy if they do not successfully authenticate. This is a
+ regression introduced in sudo 1.8.6.
+ [e5c1e760954e]
+
+ * src/parse_args.c:
+ The -a option should be #ifdef HAVE_BSD_AUTH_H, not -A.
+ [4e112e7da105]
+
+2012-10-26 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/CONTRIBUTORS, plugins/sudoers/sudo_nss.c:
+ Allow sudo to be build with sss support without also including ldap
+ support. From Stephane Graber.
+ [7e0bd9191589]
+
+2012-09-24 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/exec_pty.c:
+ Fix running commands that need the terminal in the background when
+ I/O logging is enabled. E.g. "sudo vi &". When the command is
+ foregrounded, it will now resume properly.
+ [c30ec73a5da8]
+
+2012-11-13 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/Makefile.in:
+ Fold preinstall into install-plugin and pass the path to the plugin
+ binary to the preinstall command.
+ [994f8f58495e]
+
+2012-11-06 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/Makefile.in:
+ Add preinstall target that runs SUDO_PREINSTALL_CMD. Used to fixup
+ the rpath in HP-UX SOM shared libraries for the LDAP libs.
+ [685796ea58fe]
+
+ * NEWS, configure, configure.in:
+ sudo 1.8.6p3
+ [97fef3d9ed65]
+
+2012-09-17 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/fixman.sh:
+ Don't use embedded newline when matching, use \n. This got expanded
+ at some point. Bug #573
+ [6652f834b8f5]
+
+ * plugins/sudoers/sudoreplay.c:
+ Fall back on lstat(2) if d_type in struct dirent is DT_UNKNOWN. Not
+ all file systems support d_type. Bug #572
+ [8b861c62945f]
+
+ * plugins/sudoers/sudoreplay.c:
+ Avoid calling fclose(NULL) in the error path when we cannot open an
+ I/O log file.
+ [9401d5c4bb05]
+
+2012-09-16 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS, configure, configure.in:
+ Sudo 1.8.6p2
+ [6e32496280f2]
+
+ * src/exec.c:
+ When setting the signal handler for SIGTSTP to the default value in
+ non-I/O log mode, store the old handler value for when we restore it
+ after resume.
+ [242628694e42]
+
+2012-09-12 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS:
+ Mention support for SUCCESS=return in /etc/nsswitch.conf
+ [ef1f35aa0863]
+
+ * NEWS, configure, configure.in:
+ sudo 1.8.6p1
+ [73a5e1f004b3]
+
+2012-09-11 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/env.c:
+ Avoid setting LOGNAME, USER and USERNAME variables twice when
+ set_logname is enabled.
+ [0de4f5fbd1d4]
+
+ * plugins/sudoers/env.c:
+ Fix duplicate detection in sudo_putenv(), do not prune out the
+ variable we just set when overwriting an existing instance. Fixes
+ bug #570
+ [854ee714c831]
+
+ * plugins/sudoers/env.c:
+ Add some debuggging
+ [a25cd3305823]
+
+2012-09-04 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/sudo_nss.c:
+ Disable word wrap in list mode when stdout is a pipe to make "sudo
+ -l | grep ..." more useful. Adapted from a diff by Daniel Kopecek.
+ [65ade04511fd]
+
+ * common/lbuf.c:
+ Print a trailing newline in lbuf_print() when there is not enough
+ space to do word wrapping and the lbuf does not end with a newline.
+ [c0200e19cd09]
+
+ * plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c:
+ Add support for [SUCCESS=return] in nsswitch.conf; from Daniel
+ Kopecek
+ [5c480316e3ce]
+
+ * MANIFEST:
+ Add sssd.c
+ [9cadd014ef97]
+
+2012-09-01 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/po/da.mo, plugins/sudoers/po/fi.mo,
+ plugins/sudoers/po/hr.mo, plugins/sudoers/po/sl.mo,
+ plugins/sudoers/po/uk.mo, src/po/fi.mo, src/po/hr.mo, src/po/it.mo,
+ src/po/ru.mo, src/po/sl.mo, src/po/uk.mo, src/po/vi.mo:
+ regen .po files
+ [62423d4d143d]
+
+ * MANIFEST, plugins/sudoers/po/vi.mo:
+ Add Vietnamese sudoers translation from translationproject.org
+ [33666a605525]
+
+ * NEWS:
+ mention PIE
+ [05032e5304c6]
+
+ * MANIFEST, plugins/sudoers/po/vi.po:
+ Add Vietnamese sudoers translation from translationproject.org
+ [015c2204bae2]
+
+2012-08-29 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * Makefile.in, compat/Makefile.in, mkdep.pl:
+ Add missing signame dependency
+ [e493bfb01929]
+
+ * src/exec.c, src/ttyname.c:
+ Silence compiler warnings.
+ [1c5374b66d9b]
+
+ * MANIFEST, compat/Makefile.in, compat/sig2str.c, compat/strsigname.c,
+ config.h.in, configure, configure.in, include/missing.h, mkdep.pl,
+ src/exec.c, src/exec_pty.c:
+ Replace strsigname() with sig2str(), emulating it as needed.
+ [1e348cca1fa6]
+
+ * config.h.in, configure, configure.in, src/utmp.c:
+ Use fseeko() for legacy utmp handling if available.
+ [b4bbd8d2c0e9]
+
+2012-08-28 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * compat/strsigname.c, config.h.in, configure, configure.in:
+ Detect sys_sigabbrev[] and use it in place of sys_signame[] if
+ present. For some reason glibc does not declare sys_sigabbrev so we
+ must add an extern definition of our own.
+ [b38f3fbd7078]
+
+ * compat/strsignal.c, compat/strsigname.c:
+ Handle NULL entries in sys_siglist and sys_signame.
+ [a388959d9654]
+
+ * compat/mksiglist.c, compat/mksiglist.h, compat/mksigname.c,
+ compat/mksigname.h, compat/strsignal.c, compat/strsigname.c:
+ Convert my_sys_sig{list,name} -> sudo_sys_sig{list,name}
+ [711e41aba59a]
+
+2012-08-27 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS:
+ sync
+ [5a2522488754]
+
+ * src/exec.c:
+ Pass on SIGTSTP to the command if it was sent by a user process (not
+ the kernel or the terminal) when we are not I/O logging and set the
+ default SIGTSTP handler when we re-send the signal to ourself,
+ restoring our handler after we resume.
+ [4259c47e31c0]
+
+ * src/exec.c:
+ Shells typically change their process group when they start up so
+ that they can implement job control. Most well-behaved shells
+ change the pgrp back to its original value before suspending so we
+ must not try to restore in that case, lest we race with the child
+ upon resume, potentially stopping sudo with SIGTTOU while the
+ command continues to run. Some shells, such as pdksh, just suspend
+ the shell by sending SIGSTOP to themselves without restoring the
+ pgrp. In this case we need to change the pgrp back for them. Should
+ fix bug #568
+ [6ac6751ffd17]
+
+2012-08-26 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * MANIFEST, compat/Makefile.in, compat/mksigname.c,
+ compat/mksigname.h, compat/strsignal.c, compat/strsigname.c,
+ config.h.in, configure, configure.in, include/missing.h, mkdep.pl,
+ src/exec.c, src/exec_pty.c:
+ Use strsigname() to print signal names in the debug output. If the
+ system has no strsigname(), use our own.
+ [0735f18906b9]
+
+2012-08-23 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/regress/testsudoers/test5.inc,
+ plugins/sudoers/regress/testsudoers/test5.sh:
+ Remove generated file and change path for temporary include file.
+ [4e9fa830c6b5]
+
+ * plugins/sudoers/Makefile.in:
+ When running regress tests, list pass/fail rate for each dir
+ (testsudoers and visudo) instead of the total. Also prevent the
+ result files from clobbering each other by keeping them in the
+ relevant directories.
+ [6aac53baff7d]
+
+ * plugins/sudoers/gram.c, plugins/sudoers/gram.y,
+ plugins/sudoers/toke.c, plugins/sudoers/toke.l:
+ Don't print an error message in yyerror() if open_sudoers() fails,
+ we've already printed an error message. Also restore the check for
+ sudoers_warnings in yyerror().
+ [aa6036df5fb2]
+
+ * plugins/sudoers/gram.c, plugins/sudoers/gram.y,
+ plugins/sudoers/toke.c, plugins/sudoers/toke.h,
+ plugins/sudoers/toke.l:
+ Avoid printing the >>> parse error <<< message for testsudoers when
+ the -t flag is specified.
+ [76f3433c8992]
+
+2012-08-22 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/parse.c:
+ Fix NULL deref when an entry has no Runas_Entry
+ [4b14983ff6e7]
+
+ * plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
+ plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
+ plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po,
+ src/po/ja.mo, src/po/ja.po, src/po/pl.mo, src/po/pl.po,
+ src/po/zh_CN.mo, src/po/zh_CN.po:
+ sync with translationproject.org
+ [440e9c9b37de]
+
+ * NEWS:
+ sync
+ [3142ba2dce60]
+
+ * plugins/sudoers/check.c:
+ Correct the check_user() comment header.
+ [73da30308fff]
+
+ * plugins/sudoers/auth/sudo_auth.c:
+ Change a log_fatal() into log_error() when no auth methods are
+ configured. The caller already checks the return value.
+ [05f5c39793a7]
+
+ * plugins/sudoers/logging.c:
+ Add missing debug_return
+ [3a76bb7c2fe7]
+
+2012-08-21 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in,
+ doc/sudo_plugin.cat, doc/sudo_plugin.man.in,
+ doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat,
+ doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in,
+ doc/sudoers.man.in, doc/sudoers.mdoc.in:
+ Make the capitalization consistent for .Ss and .Sx
+ [5c5735ee4b2f]
+
+ * doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sh, doc/sudo.cat,
+ doc/sudo.man.in, doc/sudo.mdoc.in:
+ Add COMMAND EXECUTION section that describes how sudo runs the
+ command, the extra sudo processes and signal handling.
+ [dff2d88e984e]
+
+2012-08-18 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * Makefile.in:
+ Happy Easter
+ [4b9d697c6b83]
+
+2012-08-17 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * compat/Makefile.in:
+ Don't echo the awk command when building siglist.in
+ [21daa72921e6]
+
+ * doc/fixman.sh, doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in,
+ doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
+ Cosmetic changes.
+ [19259528e9ad]
+
+ * doc/Makefile.in:
+ The HISTORY, LICENSE and CONTRIBUTORS files are not longer
+ generated.
+ [ea6ac9e981e6]
+
+ * MANIFEST, plugins/sudoers/po/da.po, plugins/sudoers/po/fi.po,
+ plugins/sudoers/po/hr.po, plugins/sudoers/po/it.mo,
+ plugins/sudoers/po/it.po, plugins/sudoers/po/sl.po,
+ plugins/sudoers/po/uk.po, src/po/de.mo, src/po/de.po, src/po/fi.po,
+ src/po/hr.po, src/po/it.po, src/po/ru.po, src/po/sl.po,
+ src/po/uk.po, src/po/vi.po:
+ Sync with translationproject.org and add Italian sudoers
+ translation.
+ [9276740aea59]
+
+2012-08-16 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
+ Expand description of fqdn to talk about systems where the hosts
+ file is searched before DNS.
+ [4ee812ca6116]
+
+2012-08-15 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/Makefile.in:
+ For cat pages there is nothing to make unless DEVEL is set.
+ [fab4a5b68708]
+
+ * configure, configure.in, doc/Makefile.in:
+ Always use mandoc to format cat pages and remove now-extraneous
+ nroff configure tests.
+ [5747f4ed5762]
+
+ * pp:
+ sync polypkg from git
+ [89ddf6ea3e3f]
+
+ * plugins/sudoers/sudoers.c:
+ Use AI_FQDN instead of AI_CANONNAME if available since "canonical"
+ is not always the same as "fully qualified".
+ [7c1d9c098386]
+
+2012-08-14 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudoers.mdoc.in:
+ Fix some typos. Describe error messages not related to policy
+ permissions.
+ [f5ebf9030d85]
+
+ * plugins/sudoers/defaults.c, plugins/sudoers/defaults.h,
+ plugins/sudoers/visudo.c:
+ Add new check_defaults() function to check (but not update) the
+ Defaults entries. Visudo can now use this instead of
+ update_defaults to check all the defaults regardless instead of just
+ the global Defaults entries.
+ [3fa879ce1b65]
+
+2012-08-13 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
+ Document sudoers log format.
+ [08998a7061ab]
+
+ * NEWS:
+ Update for sudo 1.8.5p3
+ [6e102a5d4e8d]
+
+ * src/load_plugins.c:
+ Add missing check for I/O plugin API version when checking for the
+ presence of I/O plugin hooks.
+ [ef05c7eeaf81]
+
+ * src/hooks.c:
+ Can't call debug code in the process_hooks_xxx functions() since
+ ctime() may look up the timezone via the TZ environment variable.
+ [2179fb26bd8e]
+
+2012-08-10 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/exec_common.c, src/sesh.c, src/utmp.c:
+ Include signal.h before sudo_exec.h since it uses sigset_t * in the
+ fork_pty prototype.
+ [94fc0d859600]
+
+ * doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in, doc/sudoreplay.cat,
+ doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat,
+ doc/visudo.man.in, doc/visudo.mdoc.in:
+ Remove OPTIONS section; options now go inside DESCRIPTION
+ [a619fc58a746]
+
+ * plugins/sudoers/po/sudoers.pot, src/po/sudo.pot:
+ regen
+ [44719d80bc06]
+
+ * MANIFEST, NEWS, plugins/sudoers/po/da.mo, plugins/sudoers/po/da.po,
+ plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
+ plugins/sudoers/po/fi.mo, plugins/sudoers/po/fi.po,
+ plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
+ plugins/sudoers/po/ja.mo, plugins/sudoers/po/ja.po,
+ plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po,
+ plugins/sudoers/po/sl.mo, plugins/sudoers/po/sl.po,
+ plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po,
+ plugins/sudoers/po/zh_CN.mo, plugins/sudoers/po/zh_CN.po,
+ src/po/da.mo, src/po/da.po, src/po/hr.mo, src/po/hr.po,
+ src/po/sl.mo, src/po/sl.po, src/po/vi.mo, src/po/vi.po:
+ Sync with translationproject.org and add new Slovenian translation.
+ [34b4b966bbac]
+
+ * common/alloc.c, plugins/sudoers/check.c, plugins/sudoers/env.c,
+ plugins/sudoers/linux_audit.c, plugins/sudoers/sudoers.c,
+ plugins/sudoers/testsudoers.c:
+ Reduce the number of "internal error, foo overflow" messages that
+ need to be translated.
+ [93ffa2b3d53f]
+
+ * NEWS:
+ Mention HP-UX reboot fix.
+ [1e39b5aa32ac]
+
+ * INSTALL, NEWS, common/sudo_debug.c, configure, configure.in,
+ doc/CONTRIBUTORS, include/sudo_debug.h, mkdep.pl, pathnames.h.in,
+ plugins/sudoers/Makefile.in, plugins/sudoers/sssd.c,
+ plugins/sudoers/sudo_nss.c, plugins/sudoers/sudoers.c:
+ Support for using SSSD (http://fedorahosted.org/sssd/) as a sudoers
+ data source. From Daniel Kopecek and Pavel Brezina.
+ [3f85e95d6928]
+
+2012-08-09 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * common/sudo_conf.c, src/load_plugins.c:
+ If sudo.conf contains an I/O plugin but no policy plugin, use
+ sudoers for the policy plugin. If a policy plugin is specified
+ without an I/O plugin, only the policy plugin will be loaded.
+ [ea192df2439d]
+
+ * doc/Makefile.in, doc/sudoers.man.in:
+ Do not modify the .Os section when building the .man.in file from
+ .mdoc.in.
+ [a9f9628e147f]
+
+ * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
+ Add a note about wildcards matching multiple words and include an
+ example. Also mention that for sudoedit, a wildcard in command line
+ args does not match a slash.
+ [fcb9fbac14e0]
+
+2012-08-07 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/exec_pty.c, src/sudo_exec.h:
+ Fix a comment, update a variable name in a prototype; all cosmetic.
+ [e89f10cbd6e1]
+
+ * plugins/sudoers/iolog.c:
+ Cast 2nd argument of lseek() to off_t if it is a constant for
+ systems with 64-bit off_t but without a proper lseek() prototype.
+ [d8779da135d0]
+
+ * compat/getline.c, plugins/sudoers/check.c, plugins/sudoers/env.c,
+ plugins/sudoers/gram.c, plugins/sudoers/gram.y,
+ plugins/sudoers/visudo.c:
+ Fix some warnings from clang checker-267
+ [1e44ef7860b5]
+
+ * plugins/sample/sample_plugin.c:
+ Fix memory leak found by clang checker-267
+ [f8a43617fdfb]
+
+2012-08-06 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/exec.c, src/exec_pty.c, src/sudo.h, src/sudo_exec.h:
+ If we receive a signal from the command we executed, do not forward
+ it back to the command. This fixes a problem with BSD-derived
+ versions of the reboot command which send SIGTERM to all other
+ processes, including the sudo process. Sudo would then deliver
+ SIGTERM to reboot which would die before calling the reboot() system
+ call, effectively leaving the system in single user mode.
+ [4ffab9ab9e98]
+
+2012-08-03 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/fixman.sh, doc/fixmdoc.sh:
+ Remove section about Solaris 10 on other systems. Add missing
+ sudoers.man.in bit to fixman.sh.
+ [176559199ba7]
+
+2012-08-02 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in:
+ Expand section on Solaris privileges.
+ [3a1bfa2f1743]
+
+ * NEWS:
+ Expand a bit on the Solaris priv set changes.
+ [bffb78b4a520]
+
+ * plugins/sudoers/gram.c, plugins/sudoers/gram.y,
+ plugins/sudoers/parse.c, plugins/sudoers/parse.h,
+ plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
+ The second argument to init_parser() is now bool.
+ [fb727a4fb651]
+
+ * plugins/sudoers/gram.c, plugins/sudoers/gram.y:
+ Fix printing of parse error message to stderr.
+ [dea6b420b84f]
+
+ * plugins/sudoers/check.c, plugins/sudoers/defaults.c,
+ plugins/sudoers/match.c, plugins/sudoers/parse.c,
+ plugins/sudoers/parse.h, plugins/sudoers/sudoers.c,
+ plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c:
+ If a command matches using an empty Runas_List (i.e. Runas_List is
+ present but empty) and the -u option was not specified, set runas_pw
+ to user_pw instead of using runas_default. This is intended to be
+ used in conjunction with the Solaris Privilege Set support for rules
+ that grant privileges without changing the user.
+ [e84a081f3c11]
+
+ * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.mdoc.in,
+ plugins/sudoers/gram.c, plugins/sudoers/gram.h,
+ plugins/sudoers/gram.y, plugins/sudoers/match.c,
+ plugins/sudoers/parse.c, plugins/sudoers/sudoers_version.h:
+ Add support for parsing an empty Runas_List, which only allows the
+ command to be run as the invoking user. This can be used in
+ conjunction with the Solaris Privilege Set support to grant
+ privileges without changing the user.
+ [dc34373792fc]
+
+2012-08-01 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/fixman.sh:
+ Fix HP-UX, just use ".TH name section" like the vendor manuals.
+ [559738237c92]
+
+ * plugins/sudoers/toke.c, plugins/sudoers/toke.l:
+ Fix compilation on Solaris
+ [2d310302207c]
+
+ * .hgignore, MANIFEST, doc/Makefile.in, doc/fixman.sh, doc/fixmdoc.sh,
+ doc/sudo.man.sh, doc/sudo.mdoc.sh, doc/sudoers.man.sh,
+ doc/sudoers.mdoc.sh:
+ Generate a sed script file when munging *.mdoc or *.man instead of
+ passing sed expressions on the command line. Older seds do not
+ support \n in a replacement so generate and run a sed script
+ instead.
+ [0bcce3f1ca18]
+
+ * doc/Makefile.in, doc/sudo.man.in, doc/sudo_plugin.man.in,
+ doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.man.in,
+ doc/visudo.man.in:
+ Use "Sudo VERSION" as the 4th arg to .TH instead of just "VERSION"
+ [fe0f10b63776]
+
+2012-07-31 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/exec.c:
+ When checking whether a signal is user-generated, compare si_code
+ against SI_USER instead of <= 0 since on HP-UX, terminal-related
+ signals get a code of 0.
+ [4e9021243343]
+
+ * src/sudo.c:
+ SuSE Enterprise Linux uses RLIMIT_NPROC and _SC_CHILD_MAX
+ interchangably. This causes problems when setting RLIMIT_NPROC to
+ RLIM_INFINITY due to a bug in bash where bash tries to honor the
+ value of _SC_CHILD_MAX but treats a value of -1 as an error, and
+ uses a default value of 32 instead.
+
+ Previously, we just checked RLIMIT_NPROC and, if it was unlimited,
+ restored the previous value of RLIMIT_NPROC. However, that makes it
+ impossible to set nproc to unlimited. We now only restore the nproc
+ resource limit if sysconf(_SC_CHILD_MAX) is negative. In most
+ cases, pam_limits will set RLIMIT_NPROC for us.
+ [cb71cc8d0b08]
+
+2012-07-30 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/ldap.c:
+ Active Directory apparently requires that tenths of a second be
+ present in a date so append .0 to the "now" value in the time
+ filter. Also remove space for the global AND from TIMEFILTER_LENGTH
+ since it was not being used consistently. Buffers of
+ TIMEFILTER_LENGTH now need to account for the terminating NUL byte.
+ [d28619ff6e45]
+
+ * plugins/sudoers/toke.c, plugins/sudoers/toke.l:
+ Fix SELinux build
+ [cc0d1f4e851b]
+
+2012-07-29 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * MANIFEST:
+ Remove pod versinons of HISTORY, CONTRIBUTORS and LICENSE as they
+ were not being kept in sync.
+ [fc3ad1847cb1]
+
+ * doc/HISTORY, doc/Makefile.in, doc/contributors.pod, doc/history.pod,
+ doc/license.pod:
+ Remove pod versinons of HISTORY, CONTRIBUTORS and LICENSE as they
+ were not being kept in sync.
+ [950363dffe3a]
+
+2012-07-27 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/logging.c:
+ Fix printing of the permission denied message to standard error when
+ a user is not allowed to run a command. This got broken by the
+ recent logging changes.
+ [b7af63da3ca1]
+
+ * plugins/sudoers/sudoers_version.h:
+ Bump grammar version for Solaris privs.
+ [2a2baf024477]
+
+ * doc/schema.ActiveDirectory:
+ Fix errors introduced when sudoNotBefore, sudoNotAfter and sudoOrder
+ were added. From David Hicks.
+ [3fc432a8edb4]
+
+2012-07-26 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/Makefile.in:
+ Remove lex.yy.c when building toke.c
+ [72bb9e62b289]
+
+ * doc/Makefile.in:
+ Fix building docs in a build dir.
+ [7a6f435af022]
+
+ * doc/sudo.man.pl, doc/sudo.pod, doc/sudo_plugin.pod,
+ doc/sudoers.ldap.pod, doc/sudoers.man.pl, doc/sudoers.pod,
+ doc/sudoreplay.pod, doc/visudo.pod:
+ Remove pod versions of the manual; we now use mdoc.
+ [5c967d2dd5db]
+
+ * MANIFEST, doc/Makefile.in, doc/sudo.man.sh, doc/sudo.mdoc.sh,
+ doc/sudoers.man.sh, doc/sudoers.mdoc.sh:
+ Add post-processing scripts to strip out login class, BSD auth,
+ SELinux and privilege set bits when they are not supported.
+ [d0d51f72f597]
+
+ * NEWS, configure.in, doc/CONTRIBUTORS, doc/Makefile.in,
+ doc/contributors.pod, doc/sudoers.cat, doc/sudoers.man.in,
+ doc/sudoers.man.pl, doc/sudoers.mdoc.in, doc/sudoers.pod,
+ plugins/sudoers/def_data.c, plugins/sudoers/def_data.h,
+ plugins/sudoers/def_data.in, plugins/sudoers/gram.c,
+ plugins/sudoers/gram.h, plugins/sudoers/gram.y,
+ plugins/sudoers/parse.c, plugins/sudoers/parse.h,
+ plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
+ plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c,
+ plugins/sudoers/toke.l, src/sudo.c, src/sudo.h:
+ Merge in Solaris privilege support by Darren Moffat and John
+ Zolnowsky
+ [3aa0a64f2f5c]
+
+2012-07-25 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/contributors.pod:
+ Sync with CONTRIBUTORS file
+ [9a0852306ad9]
+
+ * doc/sudo.man.in, doc/sudo_plugin.man.in, doc/sudoers.ldap.man.in,
+ doc/sudoers.man.in, doc/sudoreplay.man.in:
+ Regen .man.in files with my private mandoc.
+ [dc3c9fc449eb]
+
+ * doc/Makefile.in:
+ add MANDOC variable
+ [35527e66afc5]
+
+2012-07-20 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudo.man.in, doc/sudo_plugin.man.in, doc/sudoers.ldap.man.in,
+ doc/sudoers.man.in, doc/sudoreplay.man.in, doc/visudo.man.in:
+ Regen .man.in files with hacked mandoc to avoid issues with historic
+ nroff.
+ [d45cfa7d665f]
+
+2012-07-19 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudo.mdoc.in, doc/sudoers.mdoc.in:
+ Fix groff warnings.
+ [111d522ca807]
+
+ * doc/Makefile.in:
+ Fix dependencies for .man.in files.
+ [aefeffe1af2b]
+
+ * .hgignore:
+ Add doc/*.mdoc to ignore file
+ [1e4de6ef2ad8]
+
+ * INSTALL, MANIFEST, NEWS, configure, configure.in, doc/Makefile.in,
+ doc/sudo.cat, doc/sudo.man.in, doc/sudo.mdoc.in,
+ doc/sudo_plugin.cat, doc/sudo_plugin.man.in,
+ doc/sudo_plugin.mdoc.in, doc/sudoers.cat, doc/sudoers.ldap.cat,
+ doc/sudoers.ldap.man.in, doc/sudoers.ldap.mdoc.in,
+ doc/sudoers.man.in, doc/sudoers.mdoc.in, doc/sudoreplay.cat,
+ doc/sudoreplay.man.in, doc/sudoreplay.mdoc.in, doc/visudo.cat,
+ doc/visudo.man.in, doc/visudo.mdoc.in:
+ Build .man.in and .cat files from .mdoc.in files. Add new --with-man
+ and --with-mdoc configure options.
+ [c963fd7e8f80]
+
+2012-07-18 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudo.mdoc.in, doc/sudo_plugin.mdoc.in, doc/sudoers.ldap.mdoc.in,
+ doc/sudoers.mdoc.in, doc/sudoreplay.mdoc.in, doc/visudo.mdoc.in:
+ Sudo manuals formatted in mdoc, to replace the pod versions.
+ [e6dca4030451]
+
+ * doc/sudo_plugin.cat, doc/sudo_plugin.man.in, doc/sudo_plugin.pod,
+ doc/sudoers.cat, doc/sudoers.ldap.cat, doc/sudoers.ldap.man.in,
+ doc/sudoers.ldap.pod, doc/sudoers.man.in, doc/sudoers.pod,
+ doc/sudoreplay.cat, doc/sudoreplay.man.in, doc/sudoreplay.pod,
+ doc/visudo.cat, doc/visudo.man.in, doc/visudo.pod:
+ More minor costmetic fixes.
+ [a7287a68385a]
+
+2012-07-12 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudo.cat, doc/sudo.man.in, doc/sudo.pod:
+ Minor cosmetic fixes.
+ [9c48bdaf3946]
+
+2012-07-11 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/logging.c, plugins/sudoers/po/sudoers.pot:
+ Use "a password is required" instead of "password required" when the
+ -n flag is used and we need to read a password.
+ [a3c30fc41648]
+
+2012-07-10 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS:
+ Mention logging changes.
+ [8238fd6e02e8]
+
+ * plugins/sudoers/po/sudoers.pot:
+ regen
+ [e2cf634ba63b]
+
+ * doc/sudoers.cat, doc/sudoers.man.in, doc/sudoers.pod:
+ Document that other mail_* flags have precedence over mail_badpass.
+ [9f4cc9188f40]
+
+ * plugins/sudoers/auth/sudo_auth.c, plugins/sudoers/check.c,
+ plugins/sudoers/logging.c, plugins/sudoers/logging.h,
+ plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
+ Move log_denial() calls and logic to log_failure(). Move
+ authentication failure logging to log_auth_failure(). Both of these
+ call audit_failure() for us.
+
+ This subtly changes logging for commands that are denied by sudoers
+ but where the user failed to enter the correct password.
+ Previously, these would be logged as "N incorrect password attempts"
+ but now are logged as "command not allowed". Fixes bug #563
+ [cad35f0b3ad7]
+
+2012-07-06 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * common/aix.c:
+ Do not set a resource limit to zero when we are unable to fetch a
+ value from /etc/security/limits.
+ [62bfb0a7895e]
+
+2012-07-05 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.pp:
+ Add "Provides: sudo" to debian sudo-ldap package
+ [beb8afa0beb2]
+
+2012-07-02 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in, zlib/Makefile.in:
+ Define NO_VIZ for zlib when gcc doesn't support symbol visibility
+ attributes.
+ [9fdcbf526386]
+
+ * configure, configure.in:
+ Use the autoconf cache when checking for symbol export control
+ support.
+ [03c2cce8711f]
+
+ * INSTALL, common/Makefile.in, compat/Makefile.in, configure,
+ configure.in, mkpkg, plugins/sample/Makefile.in,
+ plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
+ plugins/system_group/Makefile.in, src/Makefile.in:
+ Add configure check for building PIE executables instead of doing it
+ in mkpkg.
+ [02b5b78ef258]
+
+ * sudo.pp:
+ MacOS pp backend doesn't like modes longer than 4 characters.
+ [01b49022bf01]
+
+2012-07-01 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in:
+ Add -Wc,-fstack-protector to LT_LDFLAGS instead of adding
+ -fstack-protector to LDFLAGS so it doesn't get stripped out. Libtool
+ will strip -fstack-protector from the linker flags and we always
+ link with libtool.
+ [0a0a0250ac2b]
+
+2012-06-29 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudo.cat, doc/sudo.man.in, doc/sudo_plugin.cat,
+ doc/sudo_plugin.man.in, doc/sudoers.cat, doc/sudoers.ldap.cat,
+ doc/sudoers.ldap.man.in, doc/sudoers.man.in, doc/sudoreplay.cat,
+ doc/sudoreplay.man.in, doc/visudo.cat, doc/visudo.man.in:
+ Regen for sudo 1.8.6
+ [1657ee28b496]
+
+ * NEWS, doc/sudoers.ldap.pod:
+ Document improved Tivoli Directory Server support.
+ [fb411edf4687]
+
+ * config.h.in, configure, configure.in, plugins/sudoers/ldap.c:
+ Add support for ldaps using Tivoli LDAP libraries. Add ldap.conf
+ option to specify Tivoli key db password. Allow TLS ciphers to be
+ configured for Tivoli.
+ [737e17c91e60]
+
+2012-06-28 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/ldap.c:
+ Tivoli Directory Server 6.3 libs always return a (bogus) error when
+ setting LDAP_OPT_CONNECT_TIMEOUT.
+ [504406637c38]
+
+ * NEWS:
+ Update
+ [687a755604e8]
+
+ * plugins/sudoers/ldap.c:
+ Treat LDAP_OPT_CONNECT_TIMEOUT (Tivoli Directory Server 6.3) the
+ same as LDAP_OPT_CONNECT_TIMEOUT (OpenSSH). Don't make failure to a
+ set an ldap option fatal.
+ [17cf93ae3304]
+
+2012-06-27 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/sudoers.c:
+ Zero pointers in sudo_user struct after freeing, just in case.
+ [8eff1f80b943]
+
+ * plugins/sudoers/sudoers.c:
+ Free user_gids in close function if it has not already been freed.
+ [cbce28877f37]
+
+ * plugins/sudoers/pwutil.c, plugins/sudoers/sudoers.c,
+ plugins/sudoers/sudoers.h:
+ Defer group ID to name resolution until we actually need it.
+ [463e75b81e89]
+
+ * src/sudo.c:
+ It is safe to read in sudo.conf before calling user_info().
+ [3290b6434e3c]
+
+ * plugins/sudoers/env.c, plugins/sudoers/ldap.c:
+ Use MAX_UID_T_LEN + 1 for uid/gid buffers, not MAX_UID_T_LEN to
+ prevent potential truncation. Bug #562.
+ [29d9fc4e0c4e]
+
+2012-06-25 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.pp:
+ If installing with installp, error out if there is already an
+ instance of the rpm package installed.
+ [ec24c6faba22]
+
+ * mkpkg:
+ Add --disable-nls for AIX
+ [192ac2f7d65e]
+
+2012-06-22 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.pp:
+ Debian sudo-ldap packages should now depend on libldap-2.4-2, not
+ libldap2.
+ [cbcec71e6b58]
+
+2012-06-21 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.pp:
+ Add Homepage and Bugs to debian control file.
+ [0f19d7d14e66]
+
+2012-06-20 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * mkpkg:
+ fix typo when setting aix_freeware
+ [2fd6feb50195]
+
+ * common/Makefile.in, compat/Makefile.in, configure, configure.in,
+ doc/Makefile.in, include/Makefile.in, plugins/sample/Makefile.in,
+ plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
+ plugins/system_group/Makefile.in, src/Makefile.in, zlib/Makefile.in:
+ Don't run regress tests or sudoers sanity check (using the newly-
+ built visudo) when cross compiling. Bug #560
+ [0c4e3f68b2f5]
+
+ * MANIFEST, configure, configure.in, plugins/sample/Makefile.in,
+ plugins/sample/sample_plugin.exp, plugins/sample/sample_plugin.map,
+ plugins/sample/sample_plugin.sym, plugins/sample_group/Makefile.in,
+ plugins/sample_group/sample_group.exp,
+ plugins/sample_group/sample_group.map,
+ plugins/sample_group/sample_group.sym, plugins/sudoers/Makefile.in,
+ plugins/sudoers/sudoers.exp, plugins/sudoers/sudoers.map,
+ plugins/sudoers/sudoers.sym, plugins/system_group/Makefile.in,
+ plugins/system_group/system_group.exp,
+ plugins/system_group/system_group.map,
+ plugins/system_group/system_group.sym:
+ Rename foo.sym -> foo.exp Remove foo.map from the repo and generate
+ it on demand Use a loader option file for HP-UX ld to explicitly
+ export symbols
+ [2402ff5302ab]
+
+ * src/Makefile.in:
+ Remove extraneous backslash
+ [8ca054de138c]
+
+ * plugins/sudoers/regress/check_symbols/check_symbols.c:
+ Don't check for errorx as an exported symbols as it is now a macro.
+ Check for user_in_group() instead.
+ [7b02c8ecd3ea]
+
+2012-06-19 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in:
+ Adjust ld map file support to use an anonymous scope to match the
+ updated .map files.
+ [49be44282d9e]
+
+2012-06-18 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * config.h.in, configure, configure.in, include/gettext.h:
+ Older versions of Solaris lack ngettext()
+ [028af10dfa5f]
+
+ * configure, configure.in:
+ Move the check for -static-libgcc until after AC_LANG_WERROR has
+ been called and use AX_CHECK_COMPILE_FLAG().
+ [a7b09120e7ff]
+
+ * include/gettext.h:
+ Sudo defines HAVE_SETLOCALE not HAVE_LOCALE_H
+ [3aa2780d4a4e]
+
+ * include/error.h, include/sudo_debug.h:
+ Fix gcc 2.x variant macro support.
+ [8e71c2370997]
+
+ * plugins/sudoers/logging.c, plugins/sudoers/sudoreplay.c:
+ Fix compilation on gcc 2.95 and other compilers that only allow
+ variable declarations at the beginning of a block.
+ [9d80c802bb46]
+
+ * configure, configure.in, plugins/sudoers/Makefile.in:
+ Link check_symbols with SUDO_LIBS to make sure we link with the
+ requisite libraries to successfully dlopen sudoers.so. This is
+ needed on HP-UX where a program dlopen()ing a shared object that
+ uses pthreads must also be linked with pthreads (and HP-UX LDAP uses
+ pthreads).
+ [b8961cd82337]
+
+ * plugins/sudoers/regress/check_symbols/check_symbols.c:
+ Add check for exported local symbols. This will cause a "make
+ check" failure on systems where we don't support symbol hiding.
+ [8aa549389bb1]
+
+ * configure, configure.in:
+ Additional ${foo} -> $(foo) Makefile tweaks.
+ [046bbde18f52]
+
+ * plugins/sample/sample_plugin.map,
+ plugins/sample_group/sample_group.map, plugins/sudoers/sudoers.map,
+ plugins/system_group/system_group.map:
+ No need to provide a name for the scope in the map file since we
+ don't use the it for versioning.
+ [5ed4b997560d]
+
+2012-06-17 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * MANIFEST, plugins/sudoers/Makefile.in,
+ plugins/sudoers/regress/check_symbols/check_symbols.c:
+ Add regress test for symbol visibility.
+ [9adddd4e0518]
+
+2012-06-15 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * NEWS, configure, configure.in:
+ sudo 1.8.6
+ [57008a7afb77]
+
+ * configure, configure.in, include/missing.h:
+ Add support for controlling symbol visibility using the HP and
+ Solaris C compilers.
+ [46d5b468979e]
+
+ * plugins/sudoers/iolog.c, plugins/sudoers/iolog_path.c,
+ plugins/sudoers/regress/iolog_path/check_iolog_path.c,
+ plugins/sudoers/sudoers.h:
+ Use the expanded io log dir when updating the sequence number.
+ Includes a workaround for older versions of sudo where the sequence
+ number was stored in the unexpanded io log dir.
+ [210797dab9a8]
+
+2012-06-14 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * src/parse_args.c:
+ Simplify "sudo -s" argv rewriting.
+ [7be143dae7c5]
+
+ * MANIFEST, configure, configure.in, plugins/sample/Makefile.in,
+ plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
+ plugins/system_group/Makefile.in, src/Makefile.in,
+ src/sudo_noexec.map:
+ Don't use a map file for sudo_noexec.so since Solaris ld doesn't
+ allow '*' in the global section. The libtool export flag is now
+ added to LT_LDFLAGS instead of commenting/uncommenting lines.
+ [38fc37a66b04]
+
+2012-06-13 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * config.h.in, configure, configure.in, include/missing.h:
+ The visibility attribute was actually added in gcc 3.3.x, not 4.0.
+ Just assume that if -fvisibility=hidden works that the attribute is
+ usable.
+ [d3904d6faf14]
+
+ * plugins/sudoers/check.c, plugins/sudoers/iolog.c,
+ plugins/sudoers/iolog_path.c, plugins/sudoers/ldap.c,
+ plugins/sudoers/match.c, plugins/sudoers/pwutil.c,
+ plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c,
+ plugins/sudoers/sudoers.h, plugins/sudoers/sudoers.map,
+ plugins/sudoers/sudoers.sym, plugins/sudoers/testsudoers.c,
+ plugins/system_group/system_group.c:
+ Export group cache from sudoers.so for system_group.so to use.
+ [16695d207fc5]
+
+ * MANIFEST, configure, configure.in, include/missing.h,
+ plugins/sample/Makefile.in, plugins/sample/sample_plugin.map,
+ plugins/sample_group/Makefile.in,
+ plugins/sample_group/sample_group.map, plugins/sudoers/Makefile.in,
+ plugins/sudoers/iolog.c, plugins/sudoers/sudoers.c,
+ plugins/sudoers/sudoers.map, plugins/system_group/Makefile.in,
+ plugins/system_group/system_group.map, src/sudo_noexec.c,
+ src/sudo_noexec.map:
+ Use gcc's visibility attribute to specify when symbols are visible
+ or hidden, if available. If not available, use an ELF version
+ script if it is supported. If all else fails, fall back to using
+ libtool's -export-symbols.
+ [64e889921727]
+
+2012-06-12 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.pp:
+ Add mode for installed locale files but leave the directories with
+ default mode and owner.
+ [142237dbb31f]
+
+2012-06-11 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * mkpkg, sudo.pp:
+ Install AIX packages under /opt/freeware with links in /usr/bin and
+ /usr/sbin. This matches the layout of the sudo package from AIX
+ freeware.
+ [0b79d47bbe01]
+
+ * Makefile.in, configure, configure.in, plugins/sample/Makefile.in,
+ plugins/sample_group/Makefile.in, plugins/sudoers/Makefile.in,
+ plugins/system_group/Makefile.in, src/Makefile.in, sudo.pp:
+ Install shared objects with mode 0644 except on HP-UX which needs
+ the executable bit set.
+ [ae416af0ba6c]
+
+ * Makefile.in, doc/Makefile.in, include/Makefile.in,
+ plugins/sudoers/Makefile.in, src/Makefile.in:
+ Make installed file modes consistent with the file modes in the sudo
+ package.
+ [307386373289]
+
+2012-06-08 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * doc/sudoers.pod:
+ Add "%:" prefix when talking about QAS non-Unix group support.
+ [7cb25f6861f8]
+
+ * pp, sudo.pp:
+ Fix packaging of symbolic links on HP-UX when the link source
+ already exists in the filesystem.
+ [c9bb48031596]
+
+ * mkpkg:
+ Only specify prefix if we are overriding the default value. Fixes
+ the man dir (/usr/local/man vs. /usr/local/share/man).
+ [65351b6c1697]
+
+ * sudo.pp:
+ Fix setting of sudoedit_man variable.
+ [9beed9ae5bba]
+
+ * doc/Makefile.in:
+ Echo the command when linking the sudoedit manual.
+ [6c83b5657b55]
+
+2012-06-07 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * mkpkg, sudo.pp:
+ Build .deb packages with selinux support.
+ [3fd9cb1b4526]
+
+2012-06-04 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.pp:
+ Don't list paths for unstripped binaries in the lintial overrides.
+ [4c8e16f1773b]
+
+ * pp:
+ Add support for Installed-Size header in control file, required by
+ newer debian versions.
+ [e97d76234bee]
+
+ * pp:
+ Fix extended description in .deb files.
+ [d35e27ace146]
+
+ * sudo.pp:
+ Add Depends, Replaces and Conflicts headers for .deb packages.
+ [76eb6c4b3278]
+
+2012-06-01 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/sudo_nss.c:
+ If there are no privs to print, write the message to the lbuf
+ instead of printing it directly.
+ [ecd56226abb7]
+
+2012-05-31 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * sudo.pp:
+ Set -e in %pos and %preun for debian to quiet a lintian warning.
+ [8bb908514df9]
+
+ * doc/Makefile.in, src/Makefile.in, sudo.pp:
+ Install sudoedit and the sudoedit manual as symbolic links, not hard
+ links and package them as such.
+ [f317ff3cf3e7]
+
+ * sudo.pp:
+ Make sudo binary permissions 755 instead of 111 Add lintian
+ overrides file for .deb files.
+ [991cd7d7f0e1]
+
+ * configure, configure.in, doc/Makefile.in, mkpkg:
+ Replace out of date MAN_POSTINSTALL with MANCOMPRESS and
+ MANCOMPRESSEXT which can be used to compress the installed manual
+ pages. Compress the man pages for .deb files to appease lintian.
+ [4e34083b41d2]
+
+ * sudo.pp:
+ Debian fixes:
+ * fix modes to be more in line with what Debian expects
+ * add section
+ * install LICENSE as copyright and ChangeLog as changelog
+ * create stub changelog.debian
+ [7f6c5647f588]
+
+ * pp:
+ Fix find command to properly skip files in the DEBIAN dir when
+ building md5sums.
+ [8918bde941fa]
+
+ * pp, sudo.pp:
+ Use a debian-compliant package maintainer field.
+ [fc51a94170eb]
+
+2012-05-30 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/sudoreplay.c:
+ No need to loop over atomic_writev(), it guarantees to write all
+ data or return an error.
+
+ Fix handling of stdout/stderr that contains "\r\n" and handle a
+ "\r\n" pair that spans a buffer.
+ [8aaf02d90c45]
+
2012-05-29 Todd C. Miller <Todd.Miller@courtesan.com>
* NEWS:
Update for sudo 1.8.5p2
[d369d4d40a19]
+ * plugins/sudoers/sudoreplay.c:
+ Instead of doing extra write()s when replaying stdout, build up a
+ vector for writev() instead. This results in far fewer system
+ calls.
+ [303d866c025c]
+
2012-05-27 Todd C. Miller <Todd.Miller@courtesan.com>
* src/env_hooks.c, src/sudo.h, src/tgetpass.c:
DISPLAY and SUDO_ASKPASS in the environment.
[04dbdccf4a14]
+2012-05-25 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/sudoreplay.c:
+ When replaying a log of stdout or stderr, do newline to carriage
+ return + linefeed conversion. We cannot have termios do this for us
+ since we've disabled output postprocessing (POST) when setting raw
+ mode.
+ [61352a7d996f]
+
+2012-05-24 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in:
+ When checking for -fstack-protector, treat warnings as fatal errors.
+ [4124cd12d511]
+
+2012-05-22 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * configure, configure.in:
+ Fix test for -z relro
+ [548bdb6f5c4a]
+
+ * MANIFEST:
+ Add m4/ax_check_compile_flag.m4 and m4/ax_check_link_flag.m4
+ [ed063264a2a1]
+
+ * INSTALL, aclocal.m4, configure, configure.in,
+ m4/ax_check_compile_flag.m4, m4/ax_check_link_flag.m4:
+ Build with -fstack-protector and link with -zrelo where supported.
+ Added --disable-hardening option to disable hardening options.
+ [0b6c1a1ceb03]
+
2012-05-21 Todd C. Miller <Todd.Miller@courtesan.com>
+ * plugins/sudoers/Makefile.in,
+ plugins/sudoers/regress/testsudoers/test1.sh,
+ plugins/sudoers/regress/testsudoers/test2.sh,
+ plugins/sudoers/regress/testsudoers/test3.sh,
+ plugins/sudoers/regress/testsudoers/test4.out.ok,
+ plugins/sudoers/regress/testsudoers/test4.sh,
+ plugins/sudoers/regress/testsudoers/test5.inc,
+ plugins/sudoers/regress/testsudoers/test5.out.ok,
+ plugins/sudoers/regress/testsudoers/test5.sh,
+ plugins/sudoers/testsudoers.c:
+ Add tests for sudoers mode, owner and group checks.
+ [a7607443aba0]
+
* plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c:
If sudoers_mode is group-readable but the actual sudoers file is
not, open the file as uid 0, not uid 1. This fixes a problem when
group-readable bit.
[c056b6003e6f]
+ * INSTALL, common/secure_path.c, config.h.in, configure, configure.in:
+ No longer throw an error if sudoers is a symbolic link. Deprecated
+ the --with-stow option as that is now (effectively) the default.
+ [8ce783e54886]
+
+2012-05-18 Todd C. Miller <Todd.Miller@courtesan.com>
+
+ * plugins/sudoers/Makefile.in,
+ plugins/sudoers/regress/testsudoers/test2.inc,
+ plugins/sudoers/regress/testsudoers/test2.out.ok,
+ plugins/sudoers/regress/testsudoers/test2.sh,
+ plugins/sudoers/regress/testsudoers/test3.d/root,
+ plugins/sudoers/regress/testsudoers/test3.out.ok,
+ plugins/sudoers/regress/testsudoers/test3.sh:
+ Add basic tests for #include and #includedir
+ [b303e4218951]
+
+ * plugins/sudoers/testsudoers.c:
+ Add -U sudoers_uid option to testsudoers.
+ [3f8ed13501ba]
+
2012-05-17 Todd C. Miller <Todd.Miller@courtesan.com>
* NEWS, configure, configure.in:
this file instead of /etc/ldap.secret to read the secret password
when rootbinddn is specified in the ldap config file.
+ --with-sssd
+ Enable support for using the System Security Services Daemon
+ (SSSD) as a sudoers data source. For more informaton on
+ SSD, see http://fedorahosted.org/sssd/
+
+ --with-sssd-lib=PATH
+ Specify the path to the SSSD shared library, which is loaded
+ at run-time.
+
--with-nsswitch[=PATH]
Path to nsswitch.conf or "no" to disable nsswitch support.
If specified, sudo uses this file instead of /etc/nsswitch.conf.
--with-otp-only
This option is now just an alias for --without-passwd.
- --with-stow
- Properly handle GNU stow packaging. The sudoers file will
- physically live in ${prefix}/etc and /etc/sudoers will be
- a symbolic link.
-
--with-selinux
Enable support for role based access control (RBAC) on
systems that support SELinux.
+ --with-man
+ Use the "man" macros for manual pages. By default, mdoc
+ versions of the manuals are installed. This can be used
+ to override configure's test for "nroff -mdoc" support.
+
+ --with-mdoc
+ Use the "mdoc" macros for manual pages. By default, mdoc
+ versions of the manuals are installed. This can be used
+ to override configure's test for "nroff -mdoc" support.
+
The following options are also configurable at runtime:
--with-long-otp-prompt
--enable-werror
Enable the -Werror compiler option when building sudo with gcc.
+ --disable-hardening
+ Disable the use of compiler/linker exploit mitigation options
+ which are enabled by default. This includes compiling with
+ _FORTIFY_SOURCE defined to 2, building with -fstack-protector
+ and linking with -zrelro, where supported.
+
+ --disable-pie
+ Disable the creation of position independent executables (PIE)
+ even when the compiler and linker support them.
+ By default, sudo will be built as a PIE where possible.
+
--enable-admin-flag
Enable the creation of an Ubuntu-style admin flag file
the first time sudo is run.
compat/memrchr.c
compat/mksiglist.c
compat/mksiglist.h
+compat/mksigname.c
+compat/mksigname.h
compat/mktemp.c
compat/nanosleep.c
compat/pw_dup.c
compat/regress/glob/files
compat/regress/glob/globtest.c
compat/regress/glob/globtest.in
+compat/sig2str.c
compat/siglist.in
compat/snprintf.c
compat/stdbool.h
doc/Makefile.in
doc/TROUBLESHOOTING
doc/UPGRADE
-doc/contributors.pod
-doc/history.pod
-doc/license.pod
+doc/fixman.sh
+doc/fixmdoc.sh
doc/sample.pam
doc/sample.sudo.conf
doc/sample.sudoers
doc/schema.iPlanet
doc/sudo.cat
doc/sudo.man.in
-doc/sudo.man.pl
-doc/sudo.pod
+doc/sudo.mdoc.in
doc/sudo_plugin.cat
doc/sudo_plugin.man.in
-doc/sudo_plugin.pod
+doc/sudo_plugin.mdoc.in
doc/sudoers.cat
doc/sudoers.ldap.cat
doc/sudoers.ldap.man.in
-doc/sudoers.ldap.pod
+doc/sudoers.ldap.mdoc.in
doc/sudoers.man.in
-doc/sudoers.man.pl
-doc/sudoers.pod
+doc/sudoers.mdoc.in
doc/sudoreplay.cat
doc/sudoreplay.man.in
-doc/sudoreplay.pod
+doc/sudoreplay.mdoc.in
doc/visudo.cat
doc/visudo.man.in
-doc/visudo.pod
+doc/visudo.mdoc.in
include/Makefile.in
include/alloc.h
include/error.h
indent.pro
install-sh
ltmain.sh
+m4/ax_check_compile_flag.m4
+m4/ax_check_link_flag.m4
m4/libtool.m4
m4/ltoptions.m4
m4/ltsugar.m4
pathnames.h.in
plugins/sample/Makefile.in
plugins/sample/sample_plugin.c
-plugins/sample/sample_plugin.sym
+plugins/sample/sample_plugin.exp
plugins/sample_group/Makefile.in
plugins/sample_group/getgrent.c
plugins/sample_group/plugin_test.c
plugins/sample_group/sample_group.c
-plugins/sample_group/sample_group.sym
-plugins/system_group/Makefile.in
-plugins/system_group/system_group.c
-plugins/system_group/system_group.sym
+plugins/sample_group/sample_group.exp
plugins/sudoers/Makefile.in
plugins/sudoers/aixcrypt.exp
plugins/sudoers/alias.c
plugins/sudoers/po/fi.po
plugins/sudoers/po/hr.mo
plugins/sudoers/po/hr.po
+plugins/sudoers/po/it.mo
+plugins/sudoers/po/it.po
plugins/sudoers/po/ja.mo
plugins/sudoers/po/ja.po
plugins/sudoers/po/lt.mo
plugins/sudoers/po/lt.po
plugins/sudoers/po/pl.mo
plugins/sudoers/po/pl.po
+plugins/sudoers/po/sl.mo
+plugins/sudoers/po/sl.po
plugins/sudoers/po/sudoers.pot
plugins/sudoers/po/sv.mo
plugins/sudoers/po/sv.po
plugins/sudoers/po/uk.mo
plugins/sudoers/po/uk.po
+plugins/sudoers/po/vi.mo
+plugins/sudoers/po/vi.po
plugins/sudoers/po/zh_CN.mo
plugins/sudoers/po/zh_CN.po
plugins/sudoers/pwutil.c
plugins/sudoers/redblack.c
plugins/sudoers/redblack.h
+plugins/sudoers/regress/check_symbols/check_symbols.c
plugins/sudoers/regress/iolog_path/check_iolog_path.c
plugins/sudoers/regress/iolog_path/data
plugins/sudoers/regress/logging/check_wrap.c
plugins/sudoers/regress/testsudoers/test1.out.ok
plugins/sudoers/regress/testsudoers/test1.sh
plugins/sudoers/set_perms.c
+plugins/sudoers/sssd.c
plugins/sudoers/sudo_nss.c
plugins/sudoers/sudo_nss.h
plugins/sudoers/sudoers.c
+plugins/sudoers/sudoers.exp
plugins/sudoers/sudoers.h
plugins/sudoers/sudoers.in
-plugins/sudoers/sudoers.sym
plugins/sudoers/sudoers2ldif
plugins/sudoers/sudoers_version.h
plugins/sudoers/sudoreplay.c
plugins/sudoers/tsgetgrpw.c
plugins/sudoers/tsgetgrpw.h
plugins/sudoers/visudo.c
+plugins/system_group/Makefile.in
+plugins/system_group/system_group.c
+plugins/system_group/system_group.exp
pp
src/Makefile.in
src/conversation.c
src/po/pl.po
src/po/ru.mo
src/po/ru.po
+src/po/sl.mo
+src/po/sl.po
src/po/sr.mo
src/po/sr.po
src/po/sudo.pot
sudoers_uid = @SUDOERS_UID@
sudoers_gid = @SUDOERS_GID@
sudoers_mode = @SUDOERS_MODE@
+shlib_mode = @SHLIB_MODE@
SUBDIRS = compat common @ZLIB_SRC@ plugins/sudoers src include doc
autoconf:
autoconf -I m4
-siglist.c:
+siglist.c signame.c:
(cd compat && exec $(MAKE) $@)
-depend: siglist.c
+depend: siglist.c signame.c
@if test "$(srcdir)" != "."; then \
echo "make depend only supported in the source directory"; \
exit 1; \
test -s $$podir/$$lang.mo || continue; \
echo $(ECHO_N) " $$lang$(ECHO_C)"; \
$(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES; \
- $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 $$podir/$$lang.mo $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES/$$domain.mo; \
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 $$podir/$$lang.mo $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES/$$domain.mo; \
done; \
echo ""; \
done; \
sudoers_uid=$(sudoers_uid) \
sudoers_gid=$(sudoers_gid) \
sudoers_mode=$(sudoers_mode) \
+ shlib_mode=$(shlib_mode) \
version=$(VERSION) $(PPVARS)
clean: config.status
realclean: distclean
-.PHONY: ChangeLog
+me:
+
+a:
+
+sandwich:
+ @if test -n "$$SUDO_USER"; then \
+ echo "Okay."; \
+ else \
+ echo "What? Make it yourself!"; \
+ fi
+
+.PHONY: ChangeLog me a sandwhich
+What's new in Sudo 1.8.6p8?
+
+ * Terminal dection now works properly on 64-bit AIX kernels.
+ This was broken by the removal of the ttyname() fallback in Sudo
+ 1.8.6p6. Sudo is now able to map an AIX 64-bit device number
+ to the corresponding device file in /dev.
+
+ * Sudo now checks for crypt() returning NULL when performing
+ passwd-based authentication.
+
+What's new in Sudo 1.8.6p7?
+
+ * A time stamp file with the date set to the epoch by "sudo -k"
+ is now completely ignored regardless of what the local clock is
+ set to. Previously, if the local clock was set to a value between
+ the epoch and the time stamp timeout value, a time stamp reset
+ by "sudo -k" would be considered current.
+
+ * The tty-specific time stamp file now includes the session ID
+ of the sudo process that created it. If a process with the same
+ tty but a different session ID runs sudo, the user will now be
+ prompted for a password (assuming authentication is required for
+ the command).
+
+What's new in Sudo 1.8.6p6?
+
+ * On systems where the controlling tty can be determined via /proc
+ or sysctl(), sudo will no longer fall back to using ttyname()
+ if the process has no controlling tty. This prevents sudo from
+ using a non-controlling tty for logging and time stamp purposes.
+
+What's new in Sudo 1.8.6p5?
+
+ * Fixed a potential crash in visudo's alias cycle detection.
+
+ * Improved performance on Solaris when retrieving the group list
+ for the target user. On systems with a large number of groups
+ where the group database is not local (NIS, LDAP, AD), fetching
+ the group list could take a minute or more.
+
+What's new in Sudo 1.8.6p4?
+
+ * The -fstack-protector is now used when linking visudo, sudoreplay
+ and testsudoers.
+
+ * Avoid building PIE binaries on FreeBSD/ia64 as they don't run
+ properly.
+
+ * Fixed a crash in visudo strict mode when an unknown Defaults
+ setting is encountered.
+
+ * Do not inform the user that the command was not permitted by the
+ policy if they do not successfully authenticate. This is a
+ regression introduced in sudo 1.8.6.
+
+ * Allow sudo to be build with sss support without also including
+ ldap support.
+
+ * Fix running commands that need the terminal in the background
+ when I/O logging is enabled. E.g. "sudo vi &". When the command
+ is foregrounded, it will now resume properly.
+
+What's new in Sudo 1.8.6p3?
+
+ * Fixed post-processing of the man pages on systems with legacy
+ versions of sed.
+
+ * Fixed "sudoreplay -l" on Linux systems with file systems that
+ set DT_UNKNOWN in the d_type field of struct dirent.
+
+What's new in Sudo 1.8.6p2?
+
+ * Fixed suspending a command after it has already been resumed
+ once when I/O logging (or use_pty) is not enabled.
+ This was a regression introduced in version 1.8.6.
+
+What's new in Sudo 1.8.6p1?
+
+ * Fixed the setting of LOGNAME, USER and USERNAME variables in the
+ command's environment when env_reset is enabled (the default).
+ This was a regression introduced in version 1.8.6.
+
+ * Sudo now honors SUCCESS=return in /etc/nsswitch.conf.
+
+What's new in Sudo 1.8.6?
+
+ * Sudo is now built with the -fstack-protector flag if the the
+ compiler supports it. Also, the -zrelro linker flag is used if
+ supported. The --disable-hardening configure option can be used
+ to build sudo without stack smashing protection.
+
+ * Sudo is now built as a Position Independent Executable (PIE)
+ if supported by the compiler and linker.
+
+ * If the user is a member of the "exempt" group in sudoers, they
+ will no longer be prompted for a password even if the -k flag
+ is specified with the command. This makes "sudo -k command"
+ consistent with the behavior one would get if the user ran "sudo
+ -k" immediately before running the command.
+
+ * The sudoers file may now be a symbolic link. Previously, sudo
+ would refuse to read sudoers unless it was a regular file.
+
+ * The sudoreplay command can now properly replay sessions where
+ no tty was present.
+
+ * The sudoers plugin now takes advantage of symbol visibility
+ controls when supported by the compiler or linker. As a result,
+ only a small number of symbols are exported which significantly
+ reduces the chances of a conflict with other shared objects.
+
+ * Improved support for the Tivoli Directory Server LDAP client
+ libraries. This includes support for using LDAP over SSL (ldaps)
+ as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS
+ ldap.conf options. A new ldap.conf option, TLS_KEYPW can be
+ used to specify a password to decrypt the key database.
+
+ * When constructing a time filter for use with LDAP sudoNotBefore
+ and sudoNotAfter attributes, the current time now includes tenths
+ of a second. This fixes a problem with timed entries on Active
+ Directory.
+
+ * If a user fails to authenticate and the command would be rejected
+ by sudoers, it is now logged with "command not allowed" instead
+ of "N incorrect password attempts". Likewise, the "mail_no_perms"
+ sudoers option now takes precedence over "mail_badpass".
+
+ * The sudo manuals are now formatted using the mdoc macros. Versions
+ using the legacy man macros are provided for systems that lack mdoc.
+
+ * New support for Solaris privilege sets. This makes it possible
+ to specify fine-grained privileges in the sudoers file on Solaris
+ 10 and above. A Runas_Spec that contains no Runas_Lists can be
+ used to give a user the ability to run a command as themselves
+ but with an expanded privilege set.
+
+ * Fixed a problem with the reboot and shutdown commands on some
+ systems (such as HP-UX and BSD). On these systems, reboot sends
+ all processes (except itself) SIGTERM. When sudo received
+ SIGTERM, it would relay it to the reboot process, thus killing
+ reboot before it had a chance to actually reboot the system.
+
+ * Support for using the System Security Services Daemon (SSSD) as
+ a source of sudoers data.
+
+ * Slovenian translation for sudo and sudoers from translationproject.org.
+
+ * Visudo will now warn about unknown Defaults entries that are
+ per-host, per-user, per-runas or per-command.
+
+ * Fixed a race condition that could cause sudo to receive SIGTTOU
+ (and stop) when resuming a shell that was run via sudo when I/O
+ logging (and use_pty) is not enabled.
+
+ * Sending SIGTSTP directly to the sudo process will now suspend the
+ running command when I/O logging (and use_pty) is not enabled.
+
+What's new in Sudo 1.8.5p3?
+
+ * Fixed the loading of I/O plugins that conform to a plugin API
+ version older than 1.2.
+
What's new in Sudo 1.8.5p2?
* Fixed use of the SUDO_ASKPASS environment variable which was
* Fixed a crash in the monitor process on Solaris when NOPASSWD
was specified or when authentication was disabled.
-
+
* Fixed matching of a Runas_Alias in the group section of a
Runas_Spec.
m4_include([ltsugar.m4])
m4_include([ltversion.m4])
m4_include([lt~obsolete.m4])
+dnl
+dnl Pull in other non-standard macros
+dnl
+m4_include([ax_check_compile_flag.m4])
+m4_include([ax_check_link_flag.m4])
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
incdir = $(top_srcdir)/include
+cross_compiling = @CROSS_COMPILING@
# Where to install things...
prefix = @prefix@
# Usually -O and/or -g
CFLAGS = @CFLAGS@
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
+
# OS dependent defines
DEFS = @OSDEFS@ -D_PATH_SUDO_CONF=\"$(sysconfdir)/sudo.conf\"
.SUFFIXES: .c .h .lo
.c.lo:
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
libcommon.la: $(LTOBJS)
$(LIBTOOL) --mode=link $(CC) -o $@ $(LTOBJS) -no-install
aix.lo: $(srcdir)/aix.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/aix.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/aix.c
alloc.lo: $(srcdir)/alloc.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/alloc.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alloc.c
atobool.lo: $(srcdir)/atobool.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/atobool.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/atobool.c
fileops.lo: $(srcdir)/fileops.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(top_srcdir)/compat/timespec.h \
$(incdir)/missing.h $(incdir)/fileops.h $(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/fileops.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/fileops.c
fmt_string.lo: $(srcdir)/fmt_string.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/fmt_string.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/fmt_string.c
lbuf.lo: $(srcdir)/lbuf.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/lbuf.h \
$(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/lbuf.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/lbuf.c
list.lo: $(srcdir)/list.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/list.h $(incdir)/error.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/list.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/list.c
secure_path.lo: $(srcdir)/secure_path.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/sudo_debug.h \
$(incdir)/secure_path.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/secure_path.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/secure_path.c
setgroups.lo: $(srcdir)/setgroups.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/setgroups.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/setgroups.c
sudo_conf.lo: $(srcdir)/sudo_conf.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/fileops.h \
$(top_builddir)/pathnames.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_conf.h $(incdir)/list.h $(incdir)/sudo_debug.h \
$(incdir)/secure_path.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudo_conf.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudo_conf.c
sudo_debug.lo: $(srcdir)/sudo_debug.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/gettext.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudo_debug.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudo_debug.c
term.lo: $(srcdir)/term.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/term.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/term.c
ttysize.lo: $(srcdir)/ttysize.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/ttysize.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/ttysize.c
zero_bytes.lo: $(srcdir)/zero_bytes.c $(top_builddir)/config.h \
$(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/zero_bytes.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/zero_bytes.c
else
rlim.rlim_cur = rlim.rlim_max; /* soft not specd, use hard */
} else {
- /* No hard limit set, try soft limit. */
- if (aix_getlimit(user, aix_limits[n].soft, &val) == 0)
- rlim.rlim_cur = val == -1 ? RLIM64_INFINITY : val * aix_limits[n].factor;
+ /* No hard limit set, try soft limit, if it exists. */
+ if (aix_getlimit(user, aix_limits[n].soft, &val) == -1)
+ continue;
+ rlim.rlim_cur = val == -1 ? RLIM64_INFINITY : val * aix_limits[n].factor;
/* Set hard limit per AIX /etc/security/limits documentation. */
switch (aix_limits[n].resource) {
if (nmemb == 0 || size == 0)
errorx2(1, _("internal error, tried to emalloc2(0)"));
if (nmemb > SIZE_MAX / size)
- errorx2(1, _("internal error, emalloc2() overflow"));
+ errorx2(1, _("internal error, %s overflow"), "emalloc2()");
size *= nmemb;
if ((ptr = malloc(size)) == NULL)
errorx2(1, _("internal error, tried to ecalloc(0)"));
if (nmemb != 1) {
if (nmemb > SIZE_MAX / size)
- errorx2(1, _("internal error, ecalloc() overflow"));
+ errorx2(1, _("internal error, %s overflow"), "ecalloc()");
size *= nmemb;
}
if ((ptr = malloc(size)) == NULL)
if (nmemb == 0 || size == 0)
errorx2(1, _("internal error, tried to erealloc3(0)"));
if (nmemb > SIZE_MAX / size)
- errorx2(1, _("internal error, erealloc3() overflow"));
+ errorx2(1, _("internal error, %s overflow"), "erealloc3()");
size *= nmemb;
ptr = ptr ? realloc(ptr, size) : malloc(size);
size_t size;
if (nmemb == 0 || msize == 0)
- errorx2(1, _("internal error, tried to erealloc3(0)"));
+ errorx2(1, _("internal error, tried to erecalloc(0)"));
if (nmemb > SIZE_MAX / msize)
- errorx2(1, _("internal error, erealloc3() overflow"));
+ errorx2(1, _("internal error, %s overflow"), "erecalloc()");
size = nmemb * msize;
ptr = ptr ? realloc(ptr, size) : malloc(size);
/* For very small widths just give up... */
len = lbuf->continuation ? strlen(lbuf->continuation) : 0;
if (lbuf->cols <= lbuf->indent + len + 20) {
- lbuf->buf[lbuf->len] = '\0';
- lbuf->output(lbuf->buf);
+ if (lbuf->len > 0) {
+ lbuf->buf[lbuf->len] = '\0';
+ lbuf->output(lbuf->buf);
+ if (lbuf->buf[lbuf->len - 1] != '\n')
+ lbuf->output("\n");
+ }
goto done;
}
int rval = SUDO_PATH_MISSING;
debug_decl(sudo_secure_path, SUDO_DEBUG_UTIL)
- if (path != NULL && stat_sudoers(path, &sb) == 0) {
+ if (path != NULL && stat(path, &sb) == 0) {
if ((sb.st_mode & _S_IFMT) != type) {
rval = SUDO_PATH_BAD_TYPE;
} else if (uid != (uid_t)-1 && sb.st_uid != uid) {
sudo_conf_read(void)
{
struct sudo_conf_table *cur;
- struct plugin_info *info;
struct stat sb;
FILE *fp;
char *cp;
}
}
fclose(fp);
-
done:
- if (tq_empty(&sudo_conf_data.plugins)) {
- /* Default policy plugin */
- info = ecalloc(1, sizeof(*info));
- info->symbol_name = "sudoers_policy";
- info->path = SUDOERS_PLUGIN;
- /* info->options = NULL; */
- info->prev = info;
- /* info->next = NULL; */
- tq_append(&sudo_conf_data.plugins, info);
-
- /* Default I/O plugin */
- info = ecalloc(1, sizeof(*info));
- info->symbol_name = "sudoers_io";
- info->path = SUDOERS_PLUGIN;
- /* info->options = NULL; */
- info->prev = info;
- /* info->next = NULL; */
- tq_append(&sudo_conf_data.plugins, info);
- }
+ return;
}
"perms",
"plugin",
"hooks",
+ "sssd",
NULL
};
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
incdir = $(top_srcdir)/include
+cross_compiling = @CROSS_COMPILING@
# Where to install things...
prefix = @prefix@
# Usually -O and/or -g
CFLAGS = @CFLAGS@
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
+
# OS dependent defines
DEFS = @OSDEFS@
TEST_PROGS = @COMPAT_TEST_PROGS@
-LIBOBJDIR =
+LIBOBJDIR =
LTLIBOBJS = @LTLIBOBJS@
.SUFFIXES: .o .c .h .lo
.c.o:
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
.c.lo:
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
libreplace.la: $(LTLIBOBJS)
$(LIBTOOL) --mode=link $(CC) -o $@ $(LTLIBOBJS) -no-install
siglist.c: mksiglist
./mksiglist > $@
+signame.c: mksigname
+ ./mksigname > $@
+
mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(incdir)/missing.h $(top_builddir)/config.h
- $(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
+
+mksigname: $(srcdir)/mksigname.c $(srcdir)/mksigname.h $(incdir)/missing.h $(top_builddir)/config.h
+ $(CC) $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/mksigname.c -o $@
fnm_test: fnm_test.o libreplace.la
$(LIBTOOL) --mode=link $(CC) -o $@ fnm_test.o libreplace.la
$(LIBTOOL) --mode=link $(CC) -o $@ globtest.o libreplace.la
$(srcdir)/mksiglist.h: $(srcdir)/siglist.in
- if [ -n "$(DEVEL)" ]; then \
- awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@; \
+ @if [ -n "$(DEVEL)" ]; then \
+ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (sudo_sys_siglist[SIG%s] == NULL)\n\tsudo_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@; \
+ fi
+
+$(srcdir)/mksigname.h: $(srcdir)/siglist.in
+ @if [ -n "$(DEVEL)" ]; then \
+ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (sudo_sys_signame[SIG%s] == NULL)\n\tsudo_sys_signame[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, $$1)}' < $(srcdir)/siglist.in > $@; \
fi
pre-install:
uninstall:
check: $(TEST_PROGS)
- @if [ -f fnm_test ]; then \
- ./fnm_test $(srcdir)/regress/fnmatch/fnm_test.in; \
- fi
- @if [ -f globtest ]; then \
- mkdir -p `sed 's@/[^/]*$$@@' $(srcdir)/regress/glob/files | sort -u`; \
- touch `cat $(srcdir)/regress/glob/files`; \
- chmod 0755 `grep '/r[^/]*$$' $(srcdir)/regress/glob/files`; \
- chmod 0444 `grep '/s[^/]*$$' $(srcdir)/regress/glob/files`; \
- chmod 0711 `grep '/t[^/]*$$' $(srcdir)/regress/glob/files`; \
- ./globtest $(srcdir)/regress/glob/globtest.in; \
- rval=$$?; \
- rm -rf fake; \
- exit $$rval; \
+ @if test X"$(cross_compiling)" != X"yes"; then \
+ if test -f fnm_test; then \
+ ./fnm_test $(srcdir)/regress/fnmatch/fnm_test.in; \
+ fi; \
+ if test -f globtest; then \
+ mkdir -p `sed 's@/[^/]*$$@@' $(srcdir)/regress/glob/files | sort -u`; \
+ touch `cat $(srcdir)/regress/glob/files`; \
+ chmod 0755 `grep '/r[^/]*$$' $(srcdir)/regress/glob/files`; \
+ chmod 0444 `grep '/s[^/]*$$' $(srcdir)/regress/glob/files`; \
+ chmod 0711 `grep '/t[^/]*$$' $(srcdir)/regress/glob/files`; \
+ ./globtest $(srcdir)/regress/glob/globtest.in; \
+ rval=$$?; \
+ rm -rf fake; \
+ exit $$rval; \
+ fi; \
fi
clean:
- -$(LIBTOOL) --mode=clean rm -f $(TEST_PROGS) mksiglist siglist.c *.lo *.o *.la *.a stamp-* core *.core core.*
+ -$(LIBTOOL) --mode=clean rm -f $(TEST_PROGS) mksiglist mksigname siglist.c signame.c *.lo *.o *.la *.a stamp-* core *.core core.*
mostlyclean: clean
# Autogenerated dependencies, do not modify
closefrom.lo: $(srcdir)/closefrom.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/closefrom.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/closefrom.c
dlopen.lo: $(srcdir)/dlopen.c $(top_builddir)/config.h \
$(top_srcdir)/compat/dlfcn.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/dlopen.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/dlopen.c
fnm_test.o: $(srcdir)/regress/fnmatch/fnm_test.c $(top_builddir)/config.h \
$(top_srcdir)/compat/fnmatch.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/regress/fnmatch/fnm_test.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/fnmatch/fnm_test.c
fnmatch.lo: $(srcdir)/fnmatch.c $(top_builddir)/config.h $(incdir)/missing.h \
$(top_srcdir)/compat/charclass.h $(top_srcdir)/compat/fnmatch.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/fnmatch.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/fnmatch.c
getcwd.lo: $(srcdir)/getcwd.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/getcwd.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getcwd.c
getgrouplist.lo: $(srcdir)/getgrouplist.c $(top_builddir)/config.h \
$(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/getgrouplist.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getgrouplist.c
getline.lo: $(srcdir)/getline.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/getline.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getline.c
getprogname.lo: $(srcdir)/getprogname.c $(top_builddir)/config.h \
$(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/getprogname.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getprogname.c
glob.lo: $(srcdir)/glob.c $(top_builddir)/config.h $(incdir)/missing.h \
$(top_srcdir)/compat/glob.h $(top_srcdir)/compat/charclass.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/glob.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/glob.c
globtest.o: $(srcdir)/regress/glob/globtest.c $(top_builddir)/config.h \
$(top_srcdir)/compat/glob.h $(incdir)/missing.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/regress/glob/globtest.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/glob/globtest.c
isblank.lo: $(srcdir)/isblank.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/isblank.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/isblank.c
memrchr.lo: $(srcdir)/memrchr.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/memrchr.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/memrchr.c
mksiglist.lo: $(srcdir)/mksiglist.c $(top_builddir)/config.h \
$(incdir)/missing.h $(top_srcdir)/compat/mksiglist.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/mksiglist.c
+mksigname.lo: $(srcdir)/mksigname.c $(top_builddir)/config.h \
+ $(incdir)/missing.h $(top_srcdir)/compat/mksigname.h
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/mksigname.c
mktemp.lo: $(srcdir)/mktemp.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mktemp.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/mktemp.c
nanosleep.lo: $(srcdir)/nanosleep.c $(top_builddir)/config.h \
$(top_srcdir)/compat/timespec.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/nanosleep.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/nanosleep.c
pw_dup.lo: $(srcdir)/pw_dup.c $(top_builddir)/config.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/pw_dup.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/pw_dup.c
+sig2str.lo: $(srcdir)/sig2str.c $(top_builddir)/config.h $(incdir)/missing.h
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sig2str.c
siglist.lo: siglist.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) siglist.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) siglist.c
+signame.lo: signame.c $(top_builddir)/config.h $(incdir)/missing.h
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) signame.c
snprintf.lo: $(srcdir)/snprintf.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/snprintf.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/snprintf.c
strlcat.lo: $(srcdir)/strlcat.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/strlcat.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/strlcat.c
strlcpy.lo: $(srcdir)/strlcpy.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/strlcpy.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/strlcpy.c
strsignal.lo: $(srcdir)/strsignal.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/strsignal.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/strsignal.c
utimes.lo: $(srcdir)/utimes.c $(top_builddir)/config.h \
$(top_srcdir)/compat/utime.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/utimes.c
+ $(LIBTOOL) --mode=compile $(CC) -c -o $@ $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/utimes.c
/*
- * Copyright (c) 2010 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2010, 2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
#include "missing.h"
-#ifdef HAVE_GETGRSET
+#if defined(HAVE_GETGRSET)
/*
* BSD-compatible getgrouplist(3) using getgrset(3)
*/
return rval;
}
-#else /* HAVE_GETGRSET */
+#elif defined(HAVE__GETGROUPSBYMEMBER)
+
+/*
+ * BSD-compatible getgrouplist(3) using _getgroupsbymember(3)
+ */
+int
+getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroupsp)
+{
+ int ngroups, grpsize = *ngroupsp;
+ int rval = -1;
+
+ if (grpsize > 0) {
+ /* We support BSD semantics where the first element is the base gid */
+ groups[0] = basegid;
+
+ /* The last arg is 1 because we already filled in the base gid. */
+ ngroups = _getgroupsbymember(name, groups, grpsize, 1);
+ if (ngroups != -1) {
+ rval = 0;
+ *ngroupsp = ngroups;
+ }
+ }
+ return rval;
+}
+
+#else /* !HAVE_GETGRSET && !HAVE__GETGROUPSBYMEMBER */
/*
* BSD-compatible getgrouplist(3) using getgrent(3)
return rval;
}
-#endif /* HAVE_GETGRSET */
+#endif /* !HAVE_GETGRSET && !HAVE__GETGROUPSBYMEMBER */
buf = fgetln(fp, &len);
if (buf) {
bufsize = *bufp ? *bufsizep : 0;
- if (bufsize < len + 1) {
+ if (bufsize == 0 || bufsize - 1 < len) {
bufsize = len + 1;
cp = *bufp ? realloc(*bufp, bufsize) : malloc(bufsize);
if (cp == NULL)
int
main(int argc, char *argv[])
{
- static char *my_sys_siglist[NSIG];
+ static char *sudo_sys_siglist[NSIG];
int i;
#include "compat/mksiglist.h"
printf("#include <config.h>\n");
printf("#include <signal.h>\n");
printf("#include \"missing.h\"\n\n");
- printf("const char *const my_sys_siglist[NSIG] = {\n");
+ printf("const char *const sudo_sys_siglist[NSIG] = {\n");
for (i = 0; i < NSIG; i++) {
- if (my_sys_siglist[i] != NULL) {
- printf(" \"%s\",\n", my_sys_siglist[i]);
+ if (sudo_sys_siglist[i] != NULL) {
+ printf(" \"%s\",\n", sudo_sys_siglist[i]);
} else {
printf(" \"Signal %d\",\n", i);
}
/* public domain */
#ifdef SIGHUP
- if (my_sys_siglist[SIGHUP] == NULL)
- my_sys_siglist[SIGHUP] = "Hangup";
+ if (sudo_sys_siglist[SIGHUP] == NULL)
+ sudo_sys_siglist[SIGHUP] = "Hangup";
#endif
#ifdef SIGINT
- if (my_sys_siglist[SIGINT] == NULL)
- my_sys_siglist[SIGINT] = "Interrupt";
+ if (sudo_sys_siglist[SIGINT] == NULL)
+ sudo_sys_siglist[SIGINT] = "Interrupt";
#endif
#ifdef SIGQUIT
- if (my_sys_siglist[SIGQUIT] == NULL)
- my_sys_siglist[SIGQUIT] = "Quit";
+ if (sudo_sys_siglist[SIGQUIT] == NULL)
+ sudo_sys_siglist[SIGQUIT] = "Quit";
#endif
#ifdef SIGILL
- if (my_sys_siglist[SIGILL] == NULL)
- my_sys_siglist[SIGILL] = "Illegal instruction";
+ if (sudo_sys_siglist[SIGILL] == NULL)
+ sudo_sys_siglist[SIGILL] = "Illegal instruction";
#endif
#ifdef SIGTRAP
- if (my_sys_siglist[SIGTRAP] == NULL)
- my_sys_siglist[SIGTRAP] = "Trace trap";
+ if (sudo_sys_siglist[SIGTRAP] == NULL)
+ sudo_sys_siglist[SIGTRAP] = "Trace trap";
#endif
#ifdef SIGABRT
- if (my_sys_siglist[SIGABRT] == NULL)
- my_sys_siglist[SIGABRT] = "Abort";
+ if (sudo_sys_siglist[SIGABRT] == NULL)
+ sudo_sys_siglist[SIGABRT] = "Abort";
#endif
#ifdef SIGIOT
- if (my_sys_siglist[SIGIOT] == NULL)
- my_sys_siglist[SIGIOT] = "IOT instruction";
+ if (sudo_sys_siglist[SIGIOT] == NULL)
+ sudo_sys_siglist[SIGIOT] = "IOT instruction";
#endif
#ifdef SIGEMT
- if (my_sys_siglist[SIGEMT] == NULL)
- my_sys_siglist[SIGEMT] = "EMT trap";
+ if (sudo_sys_siglist[SIGEMT] == NULL)
+ sudo_sys_siglist[SIGEMT] = "EMT trap";
#endif
#ifdef SIGFPE
- if (my_sys_siglist[SIGFPE] == NULL)
- my_sys_siglist[SIGFPE] = "Floating point exception";
+ if (sudo_sys_siglist[SIGFPE] == NULL)
+ sudo_sys_siglist[SIGFPE] = "Floating point exception";
#endif
#ifdef SIGKILL
- if (my_sys_siglist[SIGKILL] == NULL)
- my_sys_siglist[SIGKILL] = "Killed";
+ if (sudo_sys_siglist[SIGKILL] == NULL)
+ sudo_sys_siglist[SIGKILL] = "Killed";
#endif
#ifdef SIGUNUSED
- if (my_sys_siglist[SIGUNUSED] == NULL)
- my_sys_siglist[SIGUNUSED] = "Unused";
+ if (sudo_sys_siglist[SIGUNUSED] == NULL)
+ sudo_sys_siglist[SIGUNUSED] = "Unused";
#endif
#ifdef SIGBUS
- if (my_sys_siglist[SIGBUS] == NULL)
- my_sys_siglist[SIGBUS] = "Bus error";
+ if (sudo_sys_siglist[SIGBUS] == NULL)
+ sudo_sys_siglist[SIGBUS] = "Bus error";
#endif
#ifdef SIGSEGV
- if (my_sys_siglist[SIGSEGV] == NULL)
- my_sys_siglist[SIGSEGV] = "Memory fault";
+ if (sudo_sys_siglist[SIGSEGV] == NULL)
+ sudo_sys_siglist[SIGSEGV] = "Memory fault";
#endif
#ifdef SIGSYS
- if (my_sys_siglist[SIGSYS] == NULL)
- my_sys_siglist[SIGSYS] = "Bad system call";
+ if (sudo_sys_siglist[SIGSYS] == NULL)
+ sudo_sys_siglist[SIGSYS] = "Bad system call";
#endif
#ifdef SIGPIPE
- if (my_sys_siglist[SIGPIPE] == NULL)
- my_sys_siglist[SIGPIPE] = "Broken pipe";
+ if (sudo_sys_siglist[SIGPIPE] == NULL)
+ sudo_sys_siglist[SIGPIPE] = "Broken pipe";
#endif
#ifdef SIGALRM
- if (my_sys_siglist[SIGALRM] == NULL)
- my_sys_siglist[SIGALRM] = "Alarm clock";
+ if (sudo_sys_siglist[SIGALRM] == NULL)
+ sudo_sys_siglist[SIGALRM] = "Alarm clock";
#endif
#ifdef SIGTERM
- if (my_sys_siglist[SIGTERM] == NULL)
- my_sys_siglist[SIGTERM] = "Terminated";
+ if (sudo_sys_siglist[SIGTERM] == NULL)
+ sudo_sys_siglist[SIGTERM] = "Terminated";
#endif
#ifdef SIGSTKFLT
- if (my_sys_siglist[SIGSTKFLT] == NULL)
- my_sys_siglist[SIGSTKFLT] = "Stack fault";
+ if (sudo_sys_siglist[SIGSTKFLT] == NULL)
+ sudo_sys_siglist[SIGSTKFLT] = "Stack fault";
#endif
#ifdef SIGIO
- if (my_sys_siglist[SIGIO] == NULL)
- my_sys_siglist[SIGIO] = "I/O possible";
+ if (sudo_sys_siglist[SIGIO] == NULL)
+ sudo_sys_siglist[SIGIO] = "I/O possible";
#endif
#ifdef SIGXCPU
- if (my_sys_siglist[SIGXCPU] == NULL)
- my_sys_siglist[SIGXCPU] = "CPU time limit exceeded";
+ if (sudo_sys_siglist[SIGXCPU] == NULL)
+ sudo_sys_siglist[SIGXCPU] = "CPU time limit exceeded";
#endif
#ifdef SIGXFSZ
- if (my_sys_siglist[SIGXFSZ] == NULL)
- my_sys_siglist[SIGXFSZ] = "File size limit exceeded";
+ if (sudo_sys_siglist[SIGXFSZ] == NULL)
+ sudo_sys_siglist[SIGXFSZ] = "File size limit exceeded";
#endif
#ifdef SIGVTALRM
- if (my_sys_siglist[SIGVTALRM] == NULL)
- my_sys_siglist[SIGVTALRM] = "Virtual timer expired";
+ if (sudo_sys_siglist[SIGVTALRM] == NULL)
+ sudo_sys_siglist[SIGVTALRM] = "Virtual timer expired";
#endif
#ifdef SIGPROF
- if (my_sys_siglist[SIGPROF] == NULL)
- my_sys_siglist[SIGPROF] = "Profiling timer expired";
+ if (sudo_sys_siglist[SIGPROF] == NULL)
+ sudo_sys_siglist[SIGPROF] = "Profiling timer expired";
#endif
#ifdef SIGWINCH
- if (my_sys_siglist[SIGWINCH] == NULL)
- my_sys_siglist[SIGWINCH] = "Window size change";
+ if (sudo_sys_siglist[SIGWINCH] == NULL)
+ sudo_sys_siglist[SIGWINCH] = "Window size change";
#endif
#ifdef SIGLOST
- if (my_sys_siglist[SIGLOST] == NULL)
- my_sys_siglist[SIGLOST] = "File lock lost";
+ if (sudo_sys_siglist[SIGLOST] == NULL)
+ sudo_sys_siglist[SIGLOST] = "File lock lost";
#endif
#ifdef SIGUSR1
- if (my_sys_siglist[SIGUSR1] == NULL)
- my_sys_siglist[SIGUSR1] = "User defined signal 1";
+ if (sudo_sys_siglist[SIGUSR1] == NULL)
+ sudo_sys_siglist[SIGUSR1] = "User defined signal 1";
#endif
#ifdef SIGUSR2
- if (my_sys_siglist[SIGUSR2] == NULL)
- my_sys_siglist[SIGUSR2] = "User defined signal 2";
+ if (sudo_sys_siglist[SIGUSR2] == NULL)
+ sudo_sys_siglist[SIGUSR2] = "User defined signal 2";
#endif
#ifdef SIGPWR
- if (my_sys_siglist[SIGPWR] == NULL)
- my_sys_siglist[SIGPWR] = "Power-fail/Restart";
+ if (sudo_sys_siglist[SIGPWR] == NULL)
+ sudo_sys_siglist[SIGPWR] = "Power-fail/Restart";
#endif
#ifdef SIGPOLL
- if (my_sys_siglist[SIGPOLL] == NULL)
- my_sys_siglist[SIGPOLL] = "Pollable event occurred";
+ if (sudo_sys_siglist[SIGPOLL] == NULL)
+ sudo_sys_siglist[SIGPOLL] = "Pollable event occurred";
#endif
#ifdef SIGSTOP
- if (my_sys_siglist[SIGSTOP] == NULL)
- my_sys_siglist[SIGSTOP] = "Stopped (signal)";
+ if (sudo_sys_siglist[SIGSTOP] == NULL)
+ sudo_sys_siglist[SIGSTOP] = "Stopped (signal)";
#endif
#ifdef SIGTSTP
- if (my_sys_siglist[SIGTSTP] == NULL)
- my_sys_siglist[SIGTSTP] = "Stopped";
+ if (sudo_sys_siglist[SIGTSTP] == NULL)
+ sudo_sys_siglist[SIGTSTP] = "Stopped";
#endif
#ifdef SIGCONT
- if (my_sys_siglist[SIGCONT] == NULL)
- my_sys_siglist[SIGCONT] = "Continued";
+ if (sudo_sys_siglist[SIGCONT] == NULL)
+ sudo_sys_siglist[SIGCONT] = "Continued";
#endif
#ifdef SIGCHLD
- if (my_sys_siglist[SIGCHLD] == NULL)
- my_sys_siglist[SIGCHLD] = "Child exited";
+ if (sudo_sys_siglist[SIGCHLD] == NULL)
+ sudo_sys_siglist[SIGCHLD] = "Child exited";
#endif
#ifdef SIGCLD
- if (my_sys_siglist[SIGCLD] == NULL)
- my_sys_siglist[SIGCLD] = "Child exited";
+ if (sudo_sys_siglist[SIGCLD] == NULL)
+ sudo_sys_siglist[SIGCLD] = "Child exited";
#endif
#ifdef SIGTTIN
- if (my_sys_siglist[SIGTTIN] == NULL)
- my_sys_siglist[SIGTTIN] = "Stopped (tty input)";
+ if (sudo_sys_siglist[SIGTTIN] == NULL)
+ sudo_sys_siglist[SIGTTIN] = "Stopped (tty input)";
#endif
#ifdef SIGTTOU
- if (my_sys_siglist[SIGTTOU] == NULL)
- my_sys_siglist[SIGTTOU] = "Stopped (tty output)";
+ if (sudo_sys_siglist[SIGTTOU] == NULL)
+ sudo_sys_siglist[SIGTTOU] = "Stopped (tty output)";
#endif
#ifdef SIGINFO
- if (my_sys_siglist[SIGINFO] == NULL)
- my_sys_siglist[SIGINFO] = "Information request";
+ if (sudo_sys_siglist[SIGINFO] == NULL)
+ sudo_sys_siglist[SIGINFO] = "Information request";
#endif
#ifdef SIGURG
- if (my_sys_siglist[SIGURG] == NULL)
- my_sys_siglist[SIGURG] = "Urgent I/O condition";
+ if (sudo_sys_siglist[SIGURG] == NULL)
+ sudo_sys_siglist[SIGURG] = "Urgent I/O condition";
#endif
#ifdef SIGWAITING
- if (my_sys_siglist[SIGWAITING] == NULL)
- my_sys_siglist[SIGWAITING] = "No runnable LWPs";
+ if (sudo_sys_siglist[SIGWAITING] == NULL)
+ sudo_sys_siglist[SIGWAITING] = "No runnable LWPs";
#endif
#ifdef SIGLWP
- if (my_sys_siglist[SIGLWP] == NULL)
- my_sys_siglist[SIGLWP] = "Inter-LWP signal";
+ if (sudo_sys_siglist[SIGLWP] == NULL)
+ sudo_sys_siglist[SIGLWP] = "Inter-LWP signal";
#endif
#ifdef SIGFREEZE
- if (my_sys_siglist[SIGFREEZE] == NULL)
- my_sys_siglist[SIGFREEZE] = "Checkpoint freeze";
+ if (sudo_sys_siglist[SIGFREEZE] == NULL)
+ sudo_sys_siglist[SIGFREEZE] = "Checkpoint freeze";
#endif
#ifdef SIGTHAW
- if (my_sys_siglist[SIGTHAW] == NULL)
- my_sys_siglist[SIGTHAW] = "Checkpoint thaw";
+ if (sudo_sys_siglist[SIGTHAW] == NULL)
+ sudo_sys_siglist[SIGTHAW] = "Checkpoint thaw";
#endif
#ifdef SIGCANCEL
- if (my_sys_siglist[SIGCANCEL] == NULL)
- my_sys_siglist[SIGCANCEL] = "Thread cancellation";
+ if (sudo_sys_siglist[SIGCANCEL] == NULL)
+ sudo_sys_siglist[SIGCANCEL] = "Thread cancellation";
#endif
--- /dev/null
+/*
+ * Copyright (c) 2010-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#include <signal.h>
+
+#include "missing.h"
+
+int
+main(int argc, char *argv[])
+{
+ static char *sudo_sys_signame[NSIG];
+ int i;
+
+#include "compat/mksigname.h"
+
+ printf("#include <config.h>\n");
+ printf("#include <signal.h>\n");
+ printf("#include \"missing.h\"\n\n");
+ printf("const char *const sudo_sys_signame[NSIG] = {\n");
+ for (i = 0; i < NSIG; i++) {
+ if (sudo_sys_signame[i] != NULL) {
+ printf(" \"%s\",\n", sudo_sys_signame[i]);
+ } else {
+ printf(" \"Signal %d\",\n", i);
+ }
+ }
+ printf("};\n");
+
+ exit(0);
+}
--- /dev/null
+/* public domain */
+
+sudo_sys_signame[0] = "Signal 0";
+#ifdef SIGHUP
+ if (sudo_sys_signame[SIGHUP] == NULL)
+ sudo_sys_signame[SIGHUP] = "HUP";
+#endif
+#ifdef SIGINT
+ if (sudo_sys_signame[SIGINT] == NULL)
+ sudo_sys_signame[SIGINT] = "INT";
+#endif
+#ifdef SIGQUIT
+ if (sudo_sys_signame[SIGQUIT] == NULL)
+ sudo_sys_signame[SIGQUIT] = "QUIT";
+#endif
+#ifdef SIGILL
+ if (sudo_sys_signame[SIGILL] == NULL)
+ sudo_sys_signame[SIGILL] = "ILL";
+#endif
+#ifdef SIGTRAP
+ if (sudo_sys_signame[SIGTRAP] == NULL)
+ sudo_sys_signame[SIGTRAP] = "TRAP";
+#endif
+#ifdef SIGABRT
+ if (sudo_sys_signame[SIGABRT] == NULL)
+ sudo_sys_signame[SIGABRT] = "ABRT";
+#endif
+#ifdef SIGIOT
+ if (sudo_sys_signame[SIGIOT] == NULL)
+ sudo_sys_signame[SIGIOT] = "IOT";
+#endif
+#ifdef SIGEMT
+ if (sudo_sys_signame[SIGEMT] == NULL)
+ sudo_sys_signame[SIGEMT] = "EMT";
+#endif
+#ifdef SIGFPE
+ if (sudo_sys_signame[SIGFPE] == NULL)
+ sudo_sys_signame[SIGFPE] = "FPE";
+#endif
+#ifdef SIGKILL
+ if (sudo_sys_signame[SIGKILL] == NULL)
+ sudo_sys_signame[SIGKILL] = "KILL";
+#endif
+#ifdef SIGUNUSED
+ if (sudo_sys_signame[SIGUNUSED] == NULL)
+ sudo_sys_signame[SIGUNUSED] = "UNUSED";
+#endif
+#ifdef SIGBUS
+ if (sudo_sys_signame[SIGBUS] == NULL)
+ sudo_sys_signame[SIGBUS] = "BUS";
+#endif
+#ifdef SIGSEGV
+ if (sudo_sys_signame[SIGSEGV] == NULL)
+ sudo_sys_signame[SIGSEGV] = "SEGV";
+#endif
+#ifdef SIGSYS
+ if (sudo_sys_signame[SIGSYS] == NULL)
+ sudo_sys_signame[SIGSYS] = "SYS";
+#endif
+#ifdef SIGPIPE
+ if (sudo_sys_signame[SIGPIPE] == NULL)
+ sudo_sys_signame[SIGPIPE] = "PIPE";
+#endif
+#ifdef SIGALRM
+ if (sudo_sys_signame[SIGALRM] == NULL)
+ sudo_sys_signame[SIGALRM] = "ALRM";
+#endif
+#ifdef SIGTERM
+ if (sudo_sys_signame[SIGTERM] == NULL)
+ sudo_sys_signame[SIGTERM] = "TERM";
+#endif
+#ifdef SIGSTKFLT
+ if (sudo_sys_signame[SIGSTKFLT] == NULL)
+ sudo_sys_signame[SIGSTKFLT] = "STKFLT";
+#endif
+#ifdef SIGIO
+ if (sudo_sys_signame[SIGIO] == NULL)
+ sudo_sys_signame[SIGIO] = "IO";
+#endif
+#ifdef SIGXCPU
+ if (sudo_sys_signame[SIGXCPU] == NULL)
+ sudo_sys_signame[SIGXCPU] = "XCPU";
+#endif
+#ifdef SIGXFSZ
+ if (sudo_sys_signame[SIGXFSZ] == NULL)
+ sudo_sys_signame[SIGXFSZ] = "XFSZ";
+#endif
+#ifdef SIGVTALRM
+ if (sudo_sys_signame[SIGVTALRM] == NULL)
+ sudo_sys_signame[SIGVTALRM] = "VTALRM";
+#endif
+#ifdef SIGPROF
+ if (sudo_sys_signame[SIGPROF] == NULL)
+ sudo_sys_signame[SIGPROF] = "PROF";
+#endif
+#ifdef SIGWINCH
+ if (sudo_sys_signame[SIGWINCH] == NULL)
+ sudo_sys_signame[SIGWINCH] = "WINCH";
+#endif
+#ifdef SIGLOST
+ if (sudo_sys_signame[SIGLOST] == NULL)
+ sudo_sys_signame[SIGLOST] = "LOST";
+#endif
+#ifdef SIGUSR1
+ if (sudo_sys_signame[SIGUSR1] == NULL)
+ sudo_sys_signame[SIGUSR1] = "USR1";
+#endif
+#ifdef SIGUSR2
+ if (sudo_sys_signame[SIGUSR2] == NULL)
+ sudo_sys_signame[SIGUSR2] = "USR2";
+#endif
+#ifdef SIGPWR
+ if (sudo_sys_signame[SIGPWR] == NULL)
+ sudo_sys_signame[SIGPWR] = "PWR";
+#endif
+#ifdef SIGPOLL
+ if (sudo_sys_signame[SIGPOLL] == NULL)
+ sudo_sys_signame[SIGPOLL] = "POLL";
+#endif
+#ifdef SIGSTOP
+ if (sudo_sys_signame[SIGSTOP] == NULL)
+ sudo_sys_signame[SIGSTOP] = "STOP";
+#endif
+#ifdef SIGTSTP
+ if (sudo_sys_signame[SIGTSTP] == NULL)
+ sudo_sys_signame[SIGTSTP] = "TSTP";
+#endif
+#ifdef SIGCONT
+ if (sudo_sys_signame[SIGCONT] == NULL)
+ sudo_sys_signame[SIGCONT] = "CONT";
+#endif
+#ifdef SIGCHLD
+ if (sudo_sys_signame[SIGCHLD] == NULL)
+ sudo_sys_signame[SIGCHLD] = "CHLD";
+#endif
+#ifdef SIGCLD
+ if (sudo_sys_signame[SIGCLD] == NULL)
+ sudo_sys_signame[SIGCLD] = "CLD";
+#endif
+#ifdef SIGTTIN
+ if (sudo_sys_signame[SIGTTIN] == NULL)
+ sudo_sys_signame[SIGTTIN] = "TTIN";
+#endif
+#ifdef SIGTTOU
+ if (sudo_sys_signame[SIGTTOU] == NULL)
+ sudo_sys_signame[SIGTTOU] = "TTOU";
+#endif
+#ifdef SIGINFO
+ if (sudo_sys_signame[SIGINFO] == NULL)
+ sudo_sys_signame[SIGINFO] = "INFO";
+#endif
+#ifdef SIGURG
+ if (sudo_sys_signame[SIGURG] == NULL)
+ sudo_sys_signame[SIGURG] = "URG";
+#endif
+#ifdef SIGWAITING
+ if (sudo_sys_signame[SIGWAITING] == NULL)
+ sudo_sys_signame[SIGWAITING] = "WAITING";
+#endif
+#ifdef SIGLWP
+ if (sudo_sys_signame[SIGLWP] == NULL)
+ sudo_sys_signame[SIGLWP] = "LWP";
+#endif
+#ifdef SIGFREEZE
+ if (sudo_sys_signame[SIGFREEZE] == NULL)
+ sudo_sys_signame[SIGFREEZE] = "FREEZE";
+#endif
+#ifdef SIGTHAW
+ if (sudo_sys_signame[SIGTHAW] == NULL)
+ sudo_sys_signame[SIGTHAW] = "THAW";
+#endif
+#ifdef SIGCANCEL
+ if (sudo_sys_signame[SIGCANCEL] == NULL)
+ sudo_sys_signame[SIGCANCEL] = "CANCEL";
+#endif
--- /dev/null
+/*
+ * Copyright (c) 2012 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <signal.h>
+
+#include "missing.h"
+
+#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
+# define sudo_sys_signame sys_signame
+#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
+# define sudo_sys_signame _sys_signame
+#elif defined(HAVE_DECL___SYS_SIGNAME) && HAVE_DECL___SYS_SIGNAME == 1
+# define sudo_sys_signame __sys_signame
+#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
+# define sudo_sys_signame sys_sigabbrev
+#else
+# ifdef HAVE_SYS_SIGABBREV
+ /* sys_sigabbrev is not declared by glibc */
+# define sudo_sys_signame sys_sigabbrev
+# endif
+extern const char *const sudo_sys_signame[NSIG];
+#endif
+
+/*
+ * Translate signal number to name.
+ */
+int
+sig2str(int signo, char *signame)
+{
+#if defined(SIGRTMIN) && defined(SIGRTMAX)
+ /* Realtime signal support as per Solaris. */
+ if (signo >= SIGRTMIN && signo <= SIGRTMAX) {
+ snprintf(signame, SIG2STR_MAX, "RTMIN+%d", (signo - SIGRTMIN));
+ return 0;
+ }
+#endif
+ if (signo > 0 && signo < NSIG && sudo_sys_signame[signo] != NULL) {
+ strlcpy(signame, sudo_sys_signame[signo], SIG2STR_MAX);
+ return 0;
+ }
+ errno = EINVAL;
+ return -1;
+}
#include "gettext.h"
#if defined(HAVE_DECL_SYS_SIGLIST) && HAVE_DECL_SYS_SIGLIST == 1
-# define my_sys_siglist sys_siglist
+# define sudo_sys_siglist sys_siglist
#elif defined(HAVE_DECL__SYS_SIGLIST) && HAVE_DECL__SYS_SIGLIST == 1
-# define my_sys_siglist _sys_siglist
+# define sudo_sys_siglist _sys_siglist
#elif defined(HAVE_DECL___SYS_SIGLIST) && HAVE_DECL___SYS_SIGLIST == 1
-# define my_sys_siglist __sys_siglist
+# define sudo_sys_siglist __sys_siglist
#else
-extern const char *const my_sys_siglist[NSIG];
+extern const char *const sudo_sys_siglist[NSIG];
#endif
/*
char *
strsignal(int signo)
{
- if (signo > 0 && signo < NSIG)
- return (char *)my_sys_siglist[signo];
+ if (signo > 0 && signo < NSIG && sudo_sys_siglist[signo] != NULL)
+ return (char *)sudo_sys_siglist[signo];
+ /* XXX - should be "Unknown signal: %d" */
return _("Unknown signal");
}
don't. */
#undef HAVE_DECL_H_ERRNO
+/* Define to 1 if you have the declaration of `sys_sigabbrev', and to 0 if you
+ don't. */
+#undef HAVE_DECL_SYS_SIGABBREV
+
/* Define to 1 if you have the declaration of `sys_siglist', and to 0 if you
don't. */
#undef HAVE_DECL_SYS_SIGLIST
+/* Define to 1 if you have the declaration of `sys_signame', and to 0 if you
+ don't. */
+#undef HAVE_DECL_SYS_SIGNAME
+
/* Define to 1 if you have the declaration of `_sys_siglist', and to 0 if you
don't. */
#undef HAVE_DECL__SYS_SIGLIST
+/* Define to 1 if you have the declaration of `_sys_signame', and to 0 if you
+ don't. */
+#undef HAVE_DECL__SYS_SIGNAME
+
/* Define to 1 if you have the declaration of `__sys_siglist', and to 0 if you
don't. */
#undef HAVE_DECL___SYS_SIGLIST
+/* Define to 1 if you have the declaration of `__sys_signame', and to 0 if you
+ don't. */
+#undef HAVE_DECL___SYS_SIGNAME
+
/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
*/
#undef HAVE_DIRENT_H
/* Define to 1 if you have the `dlopen' function. */
#undef HAVE_DLOPEN
+/* Define to 1 if the compiler supports the __visibility__ attribute. */
+#undef HAVE_DSO_VISIBILITY
+
/* Define to 1 if your system has the F_CLOSEM fcntl. */
#undef HAVE_FCNTL_CLOSEM
/* Define to 1 if you have the `freeifaddrs' function. */
#undef HAVE_FREEIFADDRS
+/* Define to 1 if you have the `fseeko' function. */
+#undef HAVE_FSEEKO
+
/* Define to 1 if you have the `futime' function. */
#undef HAVE_FUTIME
/* Define to 1 if you have the <ldap_ssl.h> header file. */
#undef HAVE_LDAP_SSL_H
+/* Define to 1 if you have the `ldap_ssl_init' function. */
+#undef HAVE_LDAP_SSL_INIT
+
/* Define to 1 if you have the `ldap_start_tls_s' function. */
#undef HAVE_LDAP_START_TLS_S
/* Define to 1 if you have the <netgroup.h> header file. */
#undef HAVE_NETGROUP_H
+/* Define to 1 if you have the `ngettext' function. */
+#undef HAVE_NGETTEXT
+
/* Define to 1 if you have the `nl_langinfo' function. */
#undef HAVE_NL_LANGINFO
/* Define to 1 if you have the `sia_ses_init' function. */
#undef HAVE_SIA_SES_INIT
+/* Define to 1 if you have the `sig2str' function. */
+#undef HAVE_SIG2STR
+
/* Define to 1 if the system has the type `sigaction_t'. */
#undef HAVE_SIGACTION_T
/* Define to 1 if you have the <spawn.h> header file. */
#undef HAVE_SPAWN_H
+/* Define to 1 to enable SSSD support. */
+#undef HAVE_SSSD
+
/* Define to 1 if stdbool.h conforms to C99. */
#undef HAVE_STDBOOL_H
/* Define to 1 if you have the <sys/select.h> header file. */
#undef HAVE_SYS_SELECT_H
+/* Define to 1 if your libc has the `sys_sigabbrev' symbol. */
+#undef HAVE_SYS_SIGABBREV
+
/* Define to 1 if you have the <sys/sockio.h> header file. */
#undef HAVE_SYS_SOCKIO_H
/* Define to 1 if the system has the type `_Bool'. */
#undef HAVE__BOOL
+/* Define to 1 if you have the `_getgroupsbymember' function. */
+#undef HAVE__GETGROUPSBYMEMBER
+
/* Define to 1 if you have the `_getpty' function. */
#undef HAVE__GETPTY
# define ignore_result(x) (void)(x)
#endif
-/* GNU stow needs /etc/sudoers to be a symlink. */
-#ifdef USE_STOW
-# define stat_sudoers stat
-#else
-# define stat_sudoers lstat
-#endif
-
/* Macros to set/clear/test flags. */
#undef SET
#define SET(t, f) ((t) |= (f))
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for sudo 1.8.5p2.
+# Generated by GNU Autoconf 2.68 for sudo 1.8.6p8.
#
# Report bugs to <http://www.sudo.ws/bugs/>.
#
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.8.5p2'
-PACKAGE_STRING='sudo 1.8.5p2'
+PACKAGE_VERSION='1.8.6p8'
+PACKAGE_STRING='sudo 1.8.6p8'
PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
PACKAGE_URL=''
# include <unistd.h>
#endif"
+ac_c_werror_flag=
ac_subst_vars='LTLIBOBJS
KRB5CONFIG
LIBOBJS
YFLAGS
YACC
NROFFPROG
+MANDOCPROG
TRPROG
UNAMEPROG
OTOOL64
secure_path
netsvc_conf
nsswitch_conf
+sssd_lib
ldap_secret
ldap_conf
path_info
timeout
timedir
iolog_dir
+NO_VIZ
+SSP_CFLAGS
+SSP_LDFLAGS
+PIE_CFLAGS
+PIE_LDFLAGS
+CROSS_COMPILING
COMPAT_TEST_PROGS
SUDO_NLS
LIBINTL
mansectsu
devdir
SEMAN
+PSMAN
LCMAN
BAMAN
DEVEL
SUDOERS_GID
SUDOERS_UID
SUDOERS_MODE
-MAN_POSTINSTALL
+SHLIB_MODE
+MANCOMPRESSEXT
+MANCOMPRESS
+MANDIRTYPE
MANTYPE
AUTH_OBJS
OSDEFS
SUDO_OBJS
SUDOERS_OBJS
COMMON_OBJS
-LTLDFLAGS
+LT_LDEXPORTS
+LT_LDDEP
+LT_LDOPT
+LT_LDMAP
+LT_LDFLAGS
SUDOERS_LDFLAGS
LDFLAGS
CPPFLAGS
with_blibpath
with_bsm_audit
with_linux_audit
+with_sssd
+with_sssd_lib
with_incpath
with_libpath
with_libraries
with_stow
with_askpass
with_plugindir
+with_man
+with_mdoc
enable_authentication
enable_root_mailer
enable_setreuid
enable_env_reset
enable_warnings
enable_werror
+enable_hardening
+enable_pie
enable_admin_flag
enable_nls
with_selinux
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sudo 1.8.5p2 to adapt to many kinds of systems.
+\`configure' configures sudo 1.8.6p8 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.8.5p2:";;
+ short | recursive ) echo "Configuration of sudo 1.8.6p8:";;
esac
cat <<\_ACEOF
--enable-env-reset Whether to enable environment resetting by default.
--enable-warnings Whether to enable compiler warnings
--enable-werror Whether to enable the -Werror compiler option
+ --disable-hardening Do not use compiler/linker exploit mitigation
+ options
+ --disable-pie Do not build position independent executables, even
+ if the compiler/linker supports them
--enable-admin-flag Whether to create a Ubuntu-style admin flag file
--disable-nls Disable natural language support using gettext
--enable-gss-krb5-ccache-name
--with-blibpath=PATH pass -blibpath flag to ld for additional lib paths
--with-bsm-audit enable BSM audit support
--with-linux-audit enable Linux audit support
+ --with-sssd enable SSSD support
+ --with-sssd-lib path to the SSSD library
--with-incpath additional places to look for include files
--with-libpath additional places to look for libraries
--with-libraries additional libraries to link with
offensive ones
--with-secure-path override the user's path with a built-in one
--without-interfaces don't try to read the ip addr of ether interfaces
- --with-stow properly handle GNU stow packaging
+ --with-stow deprecated
--with-askpass=PATH Fully qualified pathname of askpass helper
--with-plugindir set directory to load plugins from
+ --with-man manual pages use man macros
+ --with-mdoc manual pages use mdoc macros
--with-selinux enable SELinux support
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sudo configure 1.8.5p2
+sudo configure 1.8.6p8
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.8.5p2, which was
+It was created by sudo $as_me 1.8.6p8, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
INSTALL_NOEXEC=
devdir='$(srcdir)'
PROGS="sudo"
-: ${MANTYPE='man'}
+: ${MANDIRTYPE='man'}
: ${mansrcdir='.'}
+: ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'}
: ${SUDOERS_UID='0'}
: ${SUDOERS_GID='0'}
LDAP="#"
BAMAN=0
LCMAN=0
+PSMAN=0
SEMAN=0
LIBINTL=
ZLIB=
AUTH_EXCL_DEF=
AUTH_DEF=passwd
SUDO_NLS=disabled
+LT_LDEXPORTS="-export-symbols \$(shlib_exp)"
+LT_LDDEP="\$(shlib_exp)"
+NO_VIZ="-DNO_VIZ"
CHECKSHADOW=true
shadow_defs=
+# Check whether --with-sssd was given.
+if test "${with_sssd+set}" = set; then :
+ withval=$with_sssd; case $with_sssd in
+ yes) SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo"
+ $as_echo "#define HAVE_SSSD 1" >>confdefs.h
+
+ ;;
+ no) ;;
+ *) as_fn_error $? "\"--with-sssd does not take an argument.\"" "$LINENO" 5
+ ;;
+esac
+fi
+
+
+
+# Check whether --with-sssd-lib was given.
+if test "${with_sssd_lib+set}" = set; then :
+ withval=$with_sssd_lib;
+fi
+
+sssd_lib="\"LIBDIR\""
+test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib"
+cat >>confdefs.h <<EOF
+#define _PATH_SSSD_LIB "$sssd_lib"
+EOF
+
+
+
# Check whether --with-incpath was given.
if test "${with_incpath+set}" = set; then :
withval=$with_incpath; case $with_incpath in
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stow should be used" >&5
-$as_echo_n "checking whether stow should be used... " >&6; }
# Check whether --with-stow was given.
if test "${with_stow+set}" = set; then :
withval=$with_stow; case $with_stow in
- yes) { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- $as_echo "#define USE_STOW 1" >>confdefs.h
-
- ;;
- no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- ;;
- *) as_fn_error $? "\"--with-stow does not take an argument.\"" "$LINENO" 5
+ *) { $as_echo "$as_me:${as_lineno-$LINENO}: --with-stow option deprecated, now is defalt behavior" >&5
+$as_echo "$as_me: --with-stow option deprecated, now is defalt behavior" >&6;}
;;
esac
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
fi
+# Check whether --with-man was given.
+if test "${with_man+set}" = set; then :
+ withval=$with_man; case $with_man in
+ yes) MANTYPE=man
+ ;;
+ no) as_fn_error $? "\"--without-man not supported.\"" "$LINENO" 5
+ ;;
+ *) as_fn_error $? "\"ignoring unknown argument to --with-man: $with_man.\"" "$LINENO" 5
+ ;;
+esac
+fi
+
+
+
+# Check whether --with-mdoc was given.
+if test "${with_mdoc+set}" = set; then :
+ withval=$with_mdoc; case $with_mdoc in
+ yes) MANTYPE=mdoc
+ ;;
+ no) as_fn_error $? "\"--without-mdoc not supported.\"" "$LINENO" 5
+ ;;
+ *) as_fn_error $? "\"ignoring unknown argument to --with-mdoc: $with_mdoc.\"" "$LINENO" 5
+ ;;
+esac
+fi
+
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to do user authentication by default" >&5
$as_echo_n "checking whether to do user authentication by default... " >&6; }
# Check whether --enable-authentication was given.
fi
+# Check whether --enable-hardening was given.
+if test "${enable_hardening+set}" = set; then :
+ enableval=$enable_hardening;
+else
+ enable_hardening=yes
+fi
+
+
+# Check whether --enable-pie was given.
+if test "${enable_pie+set}" = set; then :
+ enableval=$enable_pie;
+else
+ enable_pie=yes
+fi
+
+
# Check whether --enable-admin-flag was given.
if test "${enable_admin_flag+set}" = set; then :
enableval=$enable_admin_flag; case "$enableval" in
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_noexec" >&5
$as_echo "$with_noexec" >&6; }
NOEXECFILE="sudo_noexec$_shrext"
-NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[^/]*:\1:'`"
+NOEXECDIR="`echo $with_noexec|sed -e 's:^${\([^}]*\)}:$(\1):' -e 's:^\(.*\)/[^/]*:\1:'`"
# Extract the first word of "uname", so it can be a program name with args.
set dummy uname; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_UNAMEPROG+:} false; then :
+if ${ac_cv_path_UNAMEPROG+:} false; then :
$as_echo_n "(cached) " >&6
else
- if test -n "$UNAMEPROG"; then
- ac_cv_prog_UNAMEPROG="$UNAMEPROG" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ case $UNAMEPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_UNAMEPROG="$UNAMEPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_UNAMEPROG="uname"
+ ac_cv_path_UNAMEPROG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
IFS=$as_save_IFS
+ test -z "$ac_cv_path_UNAMEPROG" && ac_cv_path_UNAMEPROG="uname"
+ ;;
+esac
fi
-fi
-UNAMEPROG=$ac_cv_prog_UNAMEPROG
+UNAMEPROG=$ac_cv_path_UNAMEPROG
if test -n "$UNAMEPROG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $UNAMEPROG" >&5
$as_echo "$UNAMEPROG" >&6; }
set dummy tr; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_TRPROG+:} false; then :
+if ${ac_cv_path_TRPROG+:} false; then :
$as_echo_n "(cached) " >&6
else
- if test -n "$TRPROG"; then
- ac_cv_prog_TRPROG="$TRPROG" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ case $TRPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_TRPROG="$TRPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_TRPROG="tr"
+ ac_cv_path_TRPROG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
IFS=$as_save_IFS
+ test -z "$ac_cv_path_TRPROG" && ac_cv_path_TRPROG="tr"
+ ;;
+esac
fi
-fi
-TRPROG=$ac_cv_prog_TRPROG
+TRPROG=$ac_cv_path_TRPROG
if test -n "$TRPROG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $TRPROG" >&5
$as_echo "$TRPROG" >&6; }
fi
-for ac_prog in nroff mandoc
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
+# Extract the first word of "mandoc", so it can be a program name with args.
+set dummy mandoc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_NROFFPROG+:} false; then :
+if ${ac_cv_path_MANDOCPROG+:} false; then :
$as_echo_n "(cached) " >&6
else
- if test -n "$NROFFPROG"; then
- ac_cv_prog_NROFFPROG="$NROFFPROG" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ case $MANDOCPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_MANDOCPROG="$MANDOCPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_NROFFPROG="$ac_prog"
+ ac_cv_path_MANDOCPROG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
IFS=$as_save_IFS
+ test -z "$ac_cv_path_MANDOCPROG" && ac_cv_path_MANDOCPROG="mandoc"
+ ;;
+esac
fi
-fi
-NROFFPROG=$ac_cv_prog_NROFFPROG
-if test -n "$NROFFPROG"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFFPROG" >&5
-$as_echo "$NROFFPROG" >&6; }
+MANDOCPROG=$ac_cv_path_MANDOCPROG
+if test -n "$MANDOCPROG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANDOCPROG" >&5
+$as_echo "$MANDOCPROG" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
- test -n "$NROFFPROG" && break
+if test "$MANDOCPROG" != "mandoc"; then
+ : ${MANTYPE='mdoc'}
+else
+ # Extract the first word of "nroff", so it can be a program name with args.
+set dummy nroff; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_NROFFPROG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $NROFFPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_NROFFPROG="$NROFFPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_NROFFPROG="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
done
+ done
+IFS=$as_save_IFS
+ ;;
+esac
+fi
+NROFFPROG=$ac_cv_path_NROFFPROG
if test -n "$NROFFPROG"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -c option" >&5
-$as_echo_n "checking whether $NROFFPROG supports the -c option... " >&6; }
-if ${sudo_cv_var_nroff_opt_c+:} false; then :
- $as_echo_n "(cached) " >&6
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFFPROG" >&5
+$as_echo "$NROFFPROG" >&6; }
else
- if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_c=yes
- else
- sudo_cv_var_nroff_opt_c=no
- fi
-
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_c" >&5
-$as_echo "$sudo_cv_var_nroff_opt_c" >&6; }
- if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
- NROFFPROG="$NROFFPROG -c"
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -Tascii option" >&5
-$as_echo_n "checking whether $NROFFPROG supports the -Tascii option... " >&6; }
-if ${sudo_cv_var_nroff_opt_Tascii+:} false; then :
+
+
+ if test -n "$NROFFPROG"; then
+ test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking which macro set to use for manual pages" >&5
+$as_echo_n "checking which macro set to use for manual pages... " >&6; }
+if ${sudo_cv_var_mantype+:} false; then :
$as_echo_n "(cached) " >&6
else
- if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_Tascii=yes
- else
- sudo_cv_var_nroff_opt_Tascii=no
- fi
- if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
- NROFFPROG="$NROFFPROG -Tascii"
- fi
+
+ sudo_cv_var_mantype="man"
+ echo ".Sh NAME" > conftest
+ echo ".Nm sudo" >> conftest
+ echo ".Nd sudo" >> conftest
+ echo ".Sh DESCRIPTION" >> conftest
+ echo "sudo" >> conftest
+ if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
+ sudo_cv_var_mantype="mdoc"
+ fi
+ rm -f conftest
+
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_Tascii" >&5
-$as_echo "$sudo_cv_var_nroff_opt_Tascii" >&6; }
-else
- MANTYPE="cat"
- mansrcdir='$(srcdir)'
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5
+$as_echo "$sudo_cv_var_mantype" >&6; }
+ MANTYPE="$sudo_cv_var_mantype"
+ else
+ MANTYPE=cat
+ MANDIRTYPE=cat
+ mansrcdir='$(srcdir)'
+ fi
fi
if test -n "$sudo_cv_prev_host"; then
# LD_PRELOAD is space-delimited
RTLD_PRELOAD_DELIM=" "
+ # For implementing getgrouplist()
+ for ac_func in _getgroupsbymember
+do :
+ ac_fn_c_check_func "$LINENO" "_getgroupsbymember" "ac_cv_func__getgroupsbymember"
+if test "x$ac_cv_func__getgroupsbymember" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE__GETGROUPSBYMEMBER 1
+_ACEOF
+
+fi
+done
+
+
# To get the crypt(3) prototype (so we pass -Wall)
OSDEFS="${OSDEFS} -D__EXTENSIONS__"
# AFS support needs -lucb
cat >>confdefs.h <<_ACEOF
#define HAVE_PRIV_SET 1
_ACEOF
-
+ PSMAN=1
fi
done
*-*-hiuxmpp*)
: ${mansectsu='1m'}
: ${mansectform='4'}
+
+ # HP-UX shared libs must be executable
+ SHLIB_MODE=0755
;;
*-*-hpux*)
# AFS support needs -lBSD
: ${mansectsu='1m'}
: ${mansectform='4'}
+ # HP-UX shared libs must be executable
+ SHLIB_MODE=0755
+
# The HP bundled compiler cannot generate shared libs
if test -z "$GCC"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for HP bundled C compiler" >&5
;;
*-dec-osf*)
# ignore envariables wrt dynamic lib path
+ # XXX - sudo LDFLAGS instead?
SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-no_library_replacement"
: ${CHECKSIA='true'}
*-*-irix*)
OSDEFS="${OSDEFS} -D_BSD_TYPES"
if test -z "$NROFFPROG"; then
- MAN_POSTINSTALL=' /bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
if test -d /usr/share/catman/local; then
mandir="/usr/share/catman/local"
mandir="/usr/catman/local"
fi
fi
+ # Compress cat pages with pack
+ MANCOMPRESS='pack'
+ MANCOMPRESSEXT='.z'
else
if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
if test -d "/usr/share/man/local"; then
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='maybe'}
+ # PIE is broken on FreeBSD/ia64
+ case "$host_cpu" in
+ ia64*)
+ enable_pie=no;;
+ esac
;;
*-*-*openbsd*)
# OpenBSD has a real setreuid(2) starting with 3.3 but
as_fn_error $? "Your C compiler doesn't support variadic macros, try building with gcc instead" "$LINENO" 5
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-if test X"$with_gnu_ld" != "yes" -a -n "$GCC"; then
- _CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -static-libgcc"
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -static-libgcc" >&5
-$as_echo_n "checking whether $CC understands -static-libgcc... " >&6; }
-if ${sudo_cv_var_gcc_static_libgcc+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
- sudo_cv_var_gcc_static_libgcc=yes
-else
- sudo_cv_var_gcc_static_libgcc=no
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_gcc_static_libgcc" >&5
-$as_echo "$sudo_cv_var_gcc_static_libgcc" >&6; }
- CFLAGS="$_CFLAGS"
- if test "$sudo_cv_var_gcc_static_libgcc" = "yes"; then
- LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc"
- fi
-fi
for ac_prog in 'bison -y' byacc
do
# Extract the first word of "$ac_prog", so it can be a program name with args.
fi
done
-O_CPPFLAGS="$CPPFLAGS"
-CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
-ac_fn_c_check_func "$LINENO" "__sprintf_chk" "ac_cv_func___sprintf_chk"
+if test "$enable_hardening" != "no"; then
+ O_CPPFLAGS="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
+ ac_fn_c_check_func "$LINENO" "__sprintf_chk" "ac_cv_func___sprintf_chk"
if test "x$ac_cv_func___sprintf_chk" = xyes; then :
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
int
fi
-CPPFLAGS="$O_CPPFLAGS"
+ CPPFLAGS="$O_CPPFLAGS"
+fi
utmp_style=LEGACY
for ac_func in getutxid getutid
#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
_ACEOF
break
+fi
+done
+
+ for ac_func in fseeko
+do :
+ ac_fn_c_check_func "$LINENO" "fseeko" "ac_cv_func_fseeko"
+if test "x$ac_cv_func_fseeko" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_FSEEKO 1
+_ACEOF
+
fi
done
eval gettext_result="\$$gettext_name"
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gettext_result" >&5
$as_echo "$gettext_result" >&6; }
- test "$gettext_result" = "yes" && break
+ if test "$gettext_result" = "yes"; then
+ for ac_func in ngettext
+do :
+ ac_fn_c_check_func "$LINENO" "ngettext" "ac_cv_func_ngettext"
+if test "x$ac_cv_func_ngettext" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_NGETTEXT 1
+_ACEOF
+
+fi
+done
+
+ break
+ fi
done
LIBS="$OLIBS"
done
-if test ${with_netsvc-"no"} != "no"; then
- cat >>confdefs.h <<EOF
-#define _PATH_NETSVC_CONF "${with_netsvc-/etc/netsvc.conf}"
-EOF
+for ac_func in sig2str
+do :
+ ac_fn_c_check_func "$LINENO" "sig2str" "ac_cv_func_sig2str"
+if test "x$ac_cv_func_sig2str" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_SIG2STR 1
+_ACEOF
- netsvc_conf=${with_netsvc-/etc/netsvc.conf}
-elif test ${with_nsswitch-"yes"} != "no"; then
- cat >>confdefs.h <<EOF
-#define _PATH_NSSWITCH_CONF "${with_nsswitch-/etc/nsswitch.conf}"
-EOF
+else
- nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
+ case " $LIBOBJS " in
+ *" sig2str.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS sig2str.$ac_objext"
+ ;;
+esac
+
+ HAVE_SIGNAME="false"
+ ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
+$ac_includes_default
+#include <signal.h>
+
+"
+if test "x$ac_cv_have_decl_sys_signame" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
fi
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SYS_SIGNAME $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+ HAVE_SIGNAME="true"
+ break
-if test -z "${AUTH_EXCL}${AUTH_REG}" -a -n "$AUTH_EXCL_DEF"; then
- for auth in $AUTH_EXCL_DEF; do
- case $auth in
- AIX_AUTH) with_aixauth=maybe;;
- BSD_AUTH) with_bsdauth=maybe;;
- PAM) with_pam=maybe;;
- SIA) CHECKSIA=true;;
- esac
- done
fi
+ac_fn_c_check_decl "$LINENO" "_sys_signame" "ac_cv_have_decl__sys_signame" "
+$ac_includes_default
+#include <signal.h>
-if test ${with_pam-"no"} != "no"; then
- #
- # Check for pam_start() in libpam first, then for pam_appl.h.
- #
- found_pam_lib=no
- as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
-$as_echo_n "checking for pam_start in -lpam... " >&6; }
-if eval \${$as_ac_Lib+:} false; then :
- $as_echo_n "(cached) " >&6
+"
+if test "x$ac_cv_have_decl__sys_signame" = xyes; then :
+ ac_have_decl=1
else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpam $lt_cv_dlopen_libs $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL__SYS_SIGNAME $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+ HAVE_SIGNAME="true"
+ break
+
+fi
+ac_fn_c_check_decl "$LINENO" "__sys_signame" "ac_cv_have_decl___sys_signame" "
+$ac_includes_default
+#include <signal.h>
+
+"
+if test "x$ac_cv_have_decl___sys_signame" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL___SYS_SIGNAME $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+ HAVE_SIGNAME="true"
+ break
+
+fi
+ac_fn_c_check_decl "$LINENO" "sys_sigabbrev" "ac_cv_have_decl_sys_sigabbrev" "
+$ac_includes_default
+#include <signal.h>
+
+"
+if test "x$ac_cv_have_decl_sys_sigabbrev" = xyes; then :
+ ac_have_decl=1
+else
+ ac_have_decl=0
+fi
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_SYS_SIGABBREV $ac_have_decl
+_ACEOF
+if test $ac_have_decl = 1; then :
+
+ HAVE_SIGNAME="true"
+ break
+
+fi
+
+ if test "$HAVE_SIGNAME" != "true"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
+$as_echo_n "checking for undeclared sys_sigabbrev... " >&6; }
+if ${sudo_cv_var_sys_sigabbrev+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+extern char **sys_sigabbrev;
+int
+main ()
+{
+return sys_sigabbrev[1];
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ sudo_cv_var_sys_sigabbrev=yes
+else
+ sudo_cv_var_sys_sigabbrev=no
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_sys_sigabbrev" >&5
+$as_echo "$sudo_cv_var_sys_sigabbrev" >&6; }
+ if test "$sudo_cv_var_sys_sigabbrev" = yes; then
+ $as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
+
+ else
+ case " $LIBOBJS " in
+ *" signame.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS signame.$ac_objext"
+ ;;
+esac
+
+ fi
+ fi
+
+fi
+done
+
+
+if test ${with_netsvc-"no"} != "no"; then
+ cat >>confdefs.h <<EOF
+#define _PATH_NETSVC_CONF "${with_netsvc-/etc/netsvc.conf}"
+EOF
+
+ netsvc_conf=${with_netsvc-/etc/netsvc.conf}
+elif test ${with_nsswitch-"yes"} != "no"; then
+ cat >>confdefs.h <<EOF
+#define _PATH_NSSWITCH_CONF "${with_nsswitch-/etc/nsswitch.conf}"
+EOF
+
+ nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
+fi
+
+
+if test -z "${AUTH_EXCL}${AUTH_REG}" -a -n "$AUTH_EXCL_DEF"; then
+ for auth in $AUTH_EXCL_DEF; do
+ case $auth in
+ AIX_AUTH) with_aixauth=maybe;;
+ BSD_AUTH) with_bsdauth=maybe;;
+ PAM) with_pam=maybe;;
+ SIA) CHECKSIA=true;;
+ esac
+ done
+fi
+
+if test ${with_pam-"no"} != "no"; then
+ #
+ # Check for pam_start() in libpam first, then for pam_appl.h.
+ #
+ found_pam_lib=no
+ as_ac_Lib=`$as_echo "ac_cv_lib_pam_pam_start$lt_cv_dlopen_libs" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
+$as_echo_n "checking for pam_start in -lpam... " >&6; }
+if eval \${$as_ac_Lib+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpam $lt_cv_dlopen_libs $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
done
- for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np
+ for ac_func in ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
SUDOERS_LIBS="${SUDOERS_LIBS} $LIBDL"
fi
-# On HP-UX, you cannot dlopen() a shared object that uses pthreads
-# unless the main program is linked against -lpthread. Since we
-# have no knowledge what libraries a plugin may depend on, we always
-# link against -lpthread on HP-UX if it is available.
+# On HP-UX, you cannot dlopen() a shared object that uses pthreads unless
+# the main program is linked against -lpthread. We have no knowledge of
+# what libraries a plugin may depend on (e.g. HP-UX LDAP which uses pthreads)
+# so always link against -lpthread on HP-UX if it is available.
# This check should go after all other libraries tests.
case "$host" in
*-*-hpux*)
$as_echo "$iolog_dir" >&6; }
+
+ac_c_werror_flag=yes
+
+if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes" -a -n "$GCC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -static-libgcc" >&5
+$as_echo_n "checking whether C compiler accepts -static-libgcc... " >&6; }
+if ${ax_cv_check_cflags___static_libgcc+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -static-libgcc"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ax_cv_check_cflags___static_libgcc=yes
+else
+ ax_cv_check_cflags___static_libgcc=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___static_libgcc" >&5
+$as_echo "$ax_cv_check_cflags___static_libgcc" >&6; }
+if test x"$ax_cv_check_cflags___static_libgcc" = xyes; then :
+ LT_LDFLAGS="$LT_LDFLAGS -Wc,-static-libgcc"
+else
+ :
+fi
+
+fi
+
+if test -n "$GCC"; then
+ as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-fvisibility=hidden" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fvisibility=hidden" >&5
+$as_echo_n "checking whether C compiler accepts -fvisibility=hidden... " >&6; }
+if eval \${$as_CACHEVAR+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -fvisibility=hidden"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ eval "$as_CACHEVAR=yes"
+else
+ eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
+
+ $as_echo "#define HAVE_DSO_VISIBILITY 1" >>confdefs.h
+
+ CFLAGS="${CFLAGS} -fvisibility=hidden"
+ LT_LDEXPORTS=
+ LT_LDDEP=
+ NO_VIZ=
+
+else
+ :
+fi
+
+else
+ case "$host" in
+ *-*-hpux*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Bhidden_def" >&5
+$as_echo_n "checking whether C compiler accepts -Bhidden_def... " >&6; }
+if ${ax_cv_check_cflags___Bhidden_def+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -Bhidden_def"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ax_cv_check_cflags___Bhidden_def=yes
+else
+ ax_cv_check_cflags___Bhidden_def=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Bhidden_def" >&5
+$as_echo "$ax_cv_check_cflags___Bhidden_def" >&6; }
+if test x"$ax_cv_check_cflags___Bhidden_def" = xyes; then :
+
+ $as_echo "#define HAVE_DSO_VISIBILITY 1" >>confdefs.h
+
+ CFLAGS="${CFLAGS} -Bhidden_def"
+ LT_LDEXPORTS=
+ LT_LDDEP=
+
+else
+ :
+fi
+
+ ;;
+ *-*-solaris2*)
+ as_CACHEVAR=`$as_echo "ax_cv_check_cflags__-xldscope=hidden" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -xldscope=hidden" >&5
+$as_echo_n "checking whether C compiler accepts -xldscope=hidden... " >&6; }
+if eval \${$as_CACHEVAR+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -xldscope=hidden"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ eval "$as_CACHEVAR=yes"
+else
+ eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+if test x"`eval 'as_val=${'$as_CACHEVAR'};$as_echo "$as_val"'`" = xyes; then :
+
+ $as_echo "#define HAVE_DSO_VISIBILITY 1" >>confdefs.h
+
+ CFLAGS="${CFLAGS} -xldscope=hidden"
+ LT_LDEXPORTS=
+ LT_LDDEP=
+
+else
+ :
+fi
+
+ ;;
+ esac
+fi
+
+if test -n "$LT_LDEXPORTS"; then
+ if test "$lt_cv_prog_gnu_ld" = "yes"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ld supports anonymous map files" >&5
+$as_echo_n "checking whether ld supports anonymous map files... " >&6; }
+if ${sudo_cv_var_gnu_ld_anon_map+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ cat > conftest.map <<-EOF
+ {
+ global: foo;
+ local: *;
+ };
+EOF
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+ _LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -fpic -shared -Wl,--version-script,./conftest.map"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+int foo;
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ sudo_cv_var_gnu_ld_anon_map=yes
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CFLAGS="$_CFLAGS"
+ LDFLAGS="$_LDFLAGS"
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_gnu_ld_anon_map" >&5
+$as_echo "$sudo_cv_var_gnu_ld_anon_map" >&6; }
+ if test "$sudo_cv_var_gnu_ld_anon_map" = "yes"; then
+ LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,--version-script,\$(shlib_map)"
+ fi
+ else
+ case "$host" in
+ *-*-solaris2*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ld supports anonymous map files" >&5
+$as_echo_n "checking whether ld supports anonymous map files... " >&6; }
+if ${sudo_cv_var_solaris_ld_anon_map+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ cat > conftest.map <<-EOF
+ {
+ global: foo;
+ local: *;
+ };
+EOF
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+ _LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -shared -Wl,-M,./conftest.map"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+int foo;
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ sudo_cv_var_solaris_ld_anon_map=yes
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CFLAGS="$_CFLAGS"
+ LDFLAGS="$_LDFLAGS"
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_solaris_ld_anon_map" >&5
+$as_echo "$sudo_cv_var_solaris_ld_anon_map" >&6; }
+ if test "$sudo_cv_var_solaris_ld_anon_map" = "yes"; then
+ LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,-M,\$(shlib_map)"
+ fi
+ ;;
+ *-*-hpux*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ld supports controlling exported symbols" >&5
+$as_echo_n "checking whether ld supports controlling exported symbols... " >&6; }
+if ${sudo_cv_var_hpux_ld_symbol_export+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ echo "+e foo" > conftest.opt
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+ _LDFLAGS="$LDFLAGS"
+ if test -n "$GCC"; then
+ LDFLAGS="$LDFLAGS -shared -Wl,-c,./conftest.opt"
+ else
+ LDFLAGS="$LDFLAGS -Wl,-b -Wl,-c,./conftest.opt"
+ fi
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+int foo;
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ sudo_cv_var_hpux_ld_symbol_export=yes
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ CFLAGS="$_CFLAGS"
+ LDFLAGS="$_LDFLAGS"
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_hpux_ld_symbol_export" >&5
+$as_echo "$sudo_cv_var_hpux_ld_symbol_export" >&6; }
+ if test "$sudo_cv_var_hpux_ld_symbol_export" = "yes"; then
+ LT_LDEXPORTS=; LT_LDDEP="\$(shlib_opt)"; LT_LDOPT="-Wl,-c,\$(shlib_opt)"
+ fi
+ ;;
+ esac
+ fi
+fi
+
+if test "$enable_pie" != "no" -a -n "$GCC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fPIE" >&5
+$as_echo_n "checking whether C compiler accepts -fPIE... " >&6; }
+if ${ax_cv_check_cflags___fPIE+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -fPIE"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ax_cv_check_cflags___fPIE=yes
+else
+ ax_cv_check_cflags___fPIE=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fPIE" >&5
+$as_echo "$ax_cv_check_cflags___fPIE" >&6; }
+if test x"$ax_cv_check_cflags___fPIE" = xyes; then :
+
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fPIE"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -pie" >&5
+$as_echo_n "checking whether the linker accepts -pie... " >&6; }
+if ${ax_cv_check_ldflags___pie+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS -pie"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_ldflags___pie=yes
+else
+ ax_cv_check_ldflags___pie=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ LDFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___pie" >&5
+$as_echo "$ax_cv_check_ldflags___pie" >&6; }
+if test x"$ax_cv_check_ldflags___pie" = xyes; then :
+
+ PIE_CFLAGS="-fPIE"
+ PIE_LDFLAGS="-pie"
+
+else
+ :
+fi
+
+ CFLAGS="$_CFLAGS"
+
+else
+ :
+fi
+
+fi
+
+if test "$enable_hardening" != "no"; then
+ if test -n "$GCC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-all" >&5
+$as_echo_n "checking whether C compiler accepts -fstack-protector-all... " >&6; }
+if ${ax_cv_check_cflags___fstack_protector_all+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -fstack-protector-all"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ax_cv_check_cflags___fstack_protector_all=yes
+else
+ ax_cv_check_cflags___fstack_protector_all=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector_all" >&5
+$as_echo "$ax_cv_check_cflags___fstack_protector_all" >&6; }
+if test x"$ax_cv_check_cflags___fstack_protector_all" = xyes; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector-all" >&5
+$as_echo_n "checking whether the linker accepts -fstack-protector-all... " >&6; }
+if ${ax_cv_check_ldflags___fstack_protector_all+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS -fstack-protector-all"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_ldflags___fstack_protector_all=yes
+else
+ ax_cv_check_ldflags___fstack_protector_all=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ LDFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector_all" >&5
+$as_echo "$ax_cv_check_ldflags___fstack_protector_all" >&6; }
+if test x"$ax_cv_check_ldflags___fstack_protector_all" = xyes; then :
+
+ SSP_CFLAGS="-fstack-protector-all"
+ SSP_LDFLAGS="-Wc,-fstack-protector-all"
+
+else
+ :
+fi
+
+
+else
+ :
+fi
+
+ if test -z "$SSP_CFLAGS"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector" >&5
+$as_echo_n "checking whether C compiler accepts -fstack-protector... " >&6; }
+if ${ax_cv_check_cflags___fstack_protector+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$CFLAGS
+ CFLAGS="$CFLAGS -fstack-protector"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ax_cv_check_cflags___fstack_protector=yes
+else
+ ax_cv_check_cflags___fstack_protector=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___fstack_protector" >&5
+$as_echo "$ax_cv_check_cflags___fstack_protector" >&6; }
+if test x"$ax_cv_check_cflags___fstack_protector" = xyes; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -fstack-protector" >&5
+$as_echo_n "checking whether the linker accepts -fstack-protector... " >&6; }
+if ${ax_cv_check_ldflags___fstack_protector+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS -fstack-protector"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_ldflags___fstack_protector=yes
+else
+ ax_cv_check_ldflags___fstack_protector=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ LDFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___fstack_protector" >&5
+$as_echo "$ax_cv_check_ldflags___fstack_protector" >&6; }
+if test x"$ax_cv_check_ldflags___fstack_protector" = xyes; then :
+
+ SSP_CFLAGS="-fstack-protector"
+ SSP_LDFLAGS="-Wc,-fstack-protector"
+
+else
+ :
+fi
+
+
+else
+ :
+fi
+
+ fi
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,-z,relro" >&5
+$as_echo_n "checking whether the linker accepts -Wl,-z,relro... " >&6; }
+if ${ax_cv_check_ldflags___Wl__z_relro+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS -Wl,-z,relro"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ax_cv_check_ldflags___Wl__z_relro=yes
+else
+ ax_cv_check_ldflags___Wl__z_relro=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ LDFLAGS=$ax_check_save_flags
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl__z_relro" >&5
+$as_echo "$ax_cv_check_ldflags___Wl__z_relro" >&6; }
+if test x"$ax_cv_check_ldflags___Wl__z_relro" = xyes; then :
+ LDFLAGS="${LDFLAGS} -Wl,-z,relro"
+else
+ :
+fi
+
+fi
+
case "$with_passwd" in
yes|maybe)
AUTH_OBJS="$AUTH_OBJS getspwuid.lo passwd.lo"
fi
fi
+CROSS_COMPILING="$cross_compiling"
+
test "$exec_prefix" = "NONE" && exec_prefix='$(prefix)'
if test X"$with_noexec" != X"no" -o X"$with_selinux" != X"no"; then
test "$includedir" = '${prefix}/include' && includedir='$(prefix)/include'
test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
+test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
+test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
ac_config_files="$ac_config_files Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers"
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sudo $as_me 1.8.5p2, which was
+This file was extended by sudo $as_me 1.8.6p8, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-sudo config.status 1.8.5p2
+sudo config.status 1.8.6p8
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
+
+
+
dnl
dnl Process this file with GNU autoconf to produce a configure script.
dnl
-dnl Copyright (c) 1994-1996,1998-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+dnl Copyright (c) 1994-1996,1998-2013 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
-AC_INIT([sudo], [1.8.5p2], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.8.6p8], [http://www.sudo.ws/bugs/], [sudo])
AC_CONFIG_HEADER([config.h pathnames.h])
dnl
dnl Note: this must come after AC_INIT
AC_SUBST([CPPFLAGS])
AC_SUBST([LDFLAGS])
AC_SUBST([SUDOERS_LDFLAGS])
-AC_SUBST([LTLDFLAGS])
+AC_SUBST([LT_LDFLAGS])
+AC_SUBST([LT_LDMAP])
+AC_SUBST([LT_LDOPT])
+AC_SUBST([LT_LDDEP])
+AC_SUBST([LT_LDEXPORTS])
AC_SUBST([COMMON_OBJS])
AC_SUBST([SUDOERS_OBJS])
AC_SUBST([SUDO_OBJS])
AC_SUBST([OSDEFS])
AC_SUBST([AUTH_OBJS])
AC_SUBST([MANTYPE])
-AC_SUBST([MAN_POSTINSTALL])
+AC_SUBST([MANDIRTYPE])
+AC_SUBST([MANCOMPRESS])
+AC_SUBST([MANCOMPRESSEXT])
+AC_SUBST([SHLIB_MODE])
AC_SUBST([SUDOERS_MODE])
AC_SUBST([SUDOERS_UID])
AC_SUBST([SUDOERS_GID])
AC_SUBST([DEVEL])
AC_SUBST([BAMAN])
AC_SUBST([LCMAN])
+AC_SUBST([PSMAN])
AC_SUBST([SEMAN])
AC_SUBST([devdir])
AC_SUBST([mansectsu])
AC_SUBST([LIBINTL])
AC_SUBST([SUDO_NLS])
AC_SUBST([COMPAT_TEST_PROGS])
+AC_SUBST([CROSS_COMPILING])
+AC_SUBST([PIE_LDFLAGS])
+AC_SUBST([PIE_CFLAGS])
+AC_SUBST([SSP_LDFLAGS])
+AC_SUBST([SSP_CFLAGS])
+AC_SUBST([NO_VIZ])
dnl
dnl Variables that get substituted in docs (not overridden by environment)
dnl
AC_SUBST([path_info])
AC_SUBST([ldap_conf])
AC_SUBST([ldap_secret])
+AC_SUBST([sssd_lib])
AC_SUBST([nsswitch_conf])
AC_SUBST([netsvc_conf])
AC_SUBST([secure_path])
INSTALL_NOEXEC=
devdir='$(srcdir)'
PROGS="sudo"
-: ${MANTYPE='man'}
+: ${MANDIRTYPE='man'}
: ${mansrcdir='.'}
+: ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'}
: ${SUDOERS_UID='0'}
: ${SUDOERS_GID='0'}
LDAP="#"
BAMAN=0
LCMAN=0
+PSMAN=0
SEMAN=0
LIBINTL=
ZLIB=
AUTH_EXCL_DEF=
AUTH_DEF=passwd
SUDO_NLS=disabled
+LT_LDEXPORTS="-export-symbols \$(shlib_exp)"
+LT_LDDEP="\$(shlib_exp)"
+NO_VIZ="-DNO_VIZ"
dnl
dnl Other vaiables
;;
esac])
+dnl
+dnl Handle SSSD support.
+dnl
+AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
+[case $with_sssd in
+ yes) SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo"
+ AC_DEFINE(HAVE_SSSD)
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-sssd does not take an argument."])
+ ;;
+esac])
+
+AC_ARG_WITH(sssd-lib, [AS_HELP_STRING([--with-sssd-lib], [path to the SSSD library])])
+sssd_lib="\"LIBDIR\""
+test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib"
+SUDO_DEFINE_UNQUOTED(_PATH_SSSD_LIB, "$sssd_lib", [Path to the SSSD library])
+
AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
[case $with_incpath in
yes) AC_MSG_ERROR(["must give --with-incpath an argument."])
;;
esac], AC_MSG_RESULT(yes))
-AC_MSG_CHECKING(whether stow should be used)
-AC_ARG_WITH(stow, [AS_HELP_STRING([--with-stow], [properly handle GNU stow packaging])],
+AC_ARG_WITH(stow, [AS_HELP_STRING([--with-stow], [deprecated])],
[case $with_stow in
- yes) AC_MSG_RESULT(yes)
- AC_DEFINE(USE_STOW)
+ *) AC_MSG_NOTICE([--with-stow option deprecated, now is defalt behavior])
;;
- no) AC_MSG_RESULT(no)
- ;;
- *) AC_MSG_ERROR(["--with-stow does not take an argument."])
- ;;
-esac], AC_MSG_RESULT(no))
+esac])
AC_MSG_CHECKING(whether to use an askpass helper)
AC_ARG_WITH(askpass, [AS_HELP_STRING([--with-askpass=PATH], [Fully qualified pathname of askpass helper])],
*) ;;
esac], [with_plugindir="$libexecdir"])
+AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])],
+[case $with_man in
+ yes) MANTYPE=man
+ ;;
+ no) AC_MSG_ERROR(["--without-man not supported."])
+ ;;
+ *) AC_MSG_ERROR(["ignoring unknown argument to --with-man: $with_man."])
+ ;;
+esac])
+
+AC_ARG_WITH(mdoc, [AS_HELP_STRING([--with-mdoc], [manual pages use mdoc macros])],
+[case $with_mdoc in
+ yes) MANTYPE=mdoc
+ ;;
+ no) AC_MSG_ERROR(["--without-mdoc not supported."])
+ ;;
+ *) AC_MSG_ERROR(["ignoring unknown argument to --with-mdoc: $with_mdoc."])
+ ;;
+esac])
+
dnl
dnl Options for --enable
dnl
esac
])
+AC_ARG_ENABLE(hardening,
+[AS_HELP_STRING([--disable-hardening], [Do not use compiler/linker exploit mitigation options])],
+[], [enable_hardening=yes])
+
+AC_ARG_ENABLE(pie,
+[AS_HELP_STRING([--disable-pie], [Do not build position independent executables, even if the compiler/linker supports them])],
+[], [enable_pie=yes])
+
AC_ARG_ENABLE(admin-flag,
[AS_HELP_STRING([--enable-admin-flag], [Whether to create a Ubuntu-style admin flag file])],
[ case "$enableval" in
esac], [with_noexec="$libexecdir/sudo_noexec$_shrext"])
AC_MSG_RESULT($with_noexec)
NOEXECFILE="sudo_noexec$_shrext"
-NOEXECDIR="`echo $with_noexec|sed 's:^\(.*\)/[[^/]]*:\1:'`"
+NOEXECDIR="`echo $with_noexec|sed -e 's:^${\([[^}]]*\)}:$(\1):' -e 's:^\(.*\)/[[^/]]*:\1:'`"
dnl
dnl Find programs we use
dnl
-AC_CHECK_PROG(UNAMEPROG, [uname], [uname])
-AC_CHECK_PROG(TRPROG, [tr], [tr])
-AC_CHECK_PROGS(NROFFPROG, [nroff mandoc])
-if test -n "$NROFFPROG"; then
- AC_CACHE_CHECK([whether $NROFFPROG supports the -c option],
- [sudo_cv_var_nroff_opt_c],
- [if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_c=yes
- else
- sudo_cv_var_nroff_opt_c=no
- fi]
- )
- if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
- NROFFPROG="$NROFFPROG -c"
- fi
- AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option],
- [sudo_cv_var_nroff_opt_Tascii],
- [if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_Tascii=yes
- else
- sudo_cv_var_nroff_opt_Tascii=no
- fi]
- if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
- NROFFPROG="$NROFFPROG -Tascii"
- fi
- )
+AC_PATH_PROG(UNAMEPROG, [uname], [uname])
+AC_PATH_PROG(TRPROG, [tr], [tr])
+AC_PATH_PROG(MANDOCPROG, [mandoc], [mandoc])
+if test "$MANDOCPROG" != "mandoc"; then
+ : ${MANTYPE='mdoc'}
else
- MANTYPE="cat"
- mansrcdir='$(srcdir)'
+ AC_PATH_PROG(NROFFPROG, [nroff])
+ if test -n "$NROFFPROG"; then
+ test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
+ AC_CACHE_CHECK([which macro set to use for manual pages],
+ [sudo_cv_var_mantype],
+ [
+ sudo_cv_var_mantype="man"
+ echo ".Sh NAME" > conftest
+ echo ".Nm sudo" >> conftest
+ echo ".Nd sudo" >> conftest
+ echo ".Sh DESCRIPTION" >> conftest
+ echo "sudo" >> conftest
+ if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
+ sudo_cv_var_mantype="mdoc"
+ fi
+ rm -f conftest
+ ]
+ )
+ MANTYPE="$sudo_cv_var_mantype"
+ else
+ MANTYPE=cat
+ MANDIRTYPE=cat
+ mansrcdir='$(srcdir)'
+ fi
fi
dnl
# LD_PRELOAD is space-delimited
RTLD_PRELOAD_DELIM=" "
+ # For implementing getgrouplist()
+ AC_CHECK_FUNCS(_getgroupsbymember)
+
# To get the crypt(3) prototype (so we pass -Wall)
OSDEFS="${OSDEFS} -D__EXTENSIONS__"
# AFS support needs -lucb
: ${mansectform='4'}
: ${with_rpath='yes'}
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
- AC_CHECK_FUNCS(priv_set)
+ AC_CHECK_FUNCS(priv_set, [PSMAN=1])
;;
*-*-aix*)
# To get all prototypes (so we pass -Wall)
*-*-hiuxmpp*)
: ${mansectsu='1m'}
: ${mansectform='4'}
+
+ # HP-UX shared libs must be executable
+ SHLIB_MODE=0755
;;
*-*-hpux*)
# AFS support needs -lBSD
: ${mansectsu='1m'}
: ${mansectform='4'}
+ # HP-UX shared libs must be executable
+ SHLIB_MODE=0755
+
# The HP bundled compiler cannot generate shared libs
if test -z "$GCC"; then
AC_CACHE_CHECK([for HP bundled C compiler],
;;
*-dec-osf*)
# ignore envariables wrt dynamic lib path
+ # XXX - sudo LDFLAGS instead?
SUDOERS_LDFLAGS="${SUDOERS_LDFLAGS} -Wl,-no_library_replacement"
: ${CHECKSIA='true'}
*-*-irix*)
OSDEFS="${OSDEFS} -D_BSD_TYPES"
if test -z "$NROFFPROG"; then
- MAN_POSTINSTALL=' /bin/rm -f $(mandirsu)/sudo.$(mansectsu).z $(mandirsu)/visudo.$(mansectsu).z $(mandirform)/sudoers.$(mansectform).z ; /usr/bin/pack $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform)'
if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
if test -d /usr/share/catman/local; then
mandir="/usr/share/catman/local"
mandir="/usr/catman/local"
fi
fi
+ # Compress cat pages with pack
+ MANCOMPRESS='pack'
+ MANCOMPRESSEXT='.z'
else
if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
if test -d "/usr/share/man/local"; then
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='maybe'}
+ # PIE is broken on FreeBSD/ia64
+ case "$host_cpu" in
+ ia64*)
+ enable_pie=no;;
+ esac
;;
*-*-*openbsd*)
# OpenBSD has a real setreuid(2) starting with 3.3 but
# define sudo_fprintf(fp, ...) fprintf((fp), __VA_ARGS__)
#endif
], [sudo_fprintf(stderr, "a %s", "test");])], [], [AC_MSG_ERROR([Your C compiler doesn't support variadic macros, try building with gcc instead])])
-if test X"$with_gnu_ld" != "yes" -a -n "$GCC"; then
- _CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -static-libgcc"
- AC_CACHE_CHECK([whether $CC understands -static-libgcc],
- [sudo_cv_var_gcc_static_libgcc],
- [AC_LINK_IFELSE(
- [AC_LANG_PROGRAM([[]], [[]])],
- [sudo_cv_var_gcc_static_libgcc=yes],
- [sudo_cv_var_gcc_static_libgcc=no]
- )
- ]
- )
- CFLAGS="$_CFLAGS"
- if test "$sudo_cv_var_gcc_static_libgcc" = "yes"; then
- LTLDFLAGS="$LTLDFLAGS -Wc,-static-libgcc"
- fi
-fi
+
dnl
dnl Program checks
dnl
dnl
dnl If libc supports _FORTIFY_SOURCE check functions, use it.
dnl
-O_CPPFLAGS="$CPPFLAGS"
-CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
-AC_CHECK_FUNC(__sprintf_chk, [
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]])], [OSDEFS="${OSDEFS} -D_FORTIFY_SOURCE=2"], [])
-], [])
-CPPFLAGS="$O_CPPFLAGS"
+if test "$enable_hardening" != "no"; then
+ O_CPPFLAGS="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS -D_FORTIFY_SOURCE=2"
+ AC_CHECK_FUNC(__sprintf_chk, [
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]])], [OSDEFS="${OSDEFS} -D_FORTIFY_SOURCE=2"], [])
+ ], [])
+ CPPFLAGS="$O_CPPFLAGS"
+fi
utmp_style=LEGACY
AC_CHECK_FUNCS(getutxid getutid, [utmp_style=POSIX; break])
if test "$utmp_style" = "LEGACY"; then
AC_CHECK_FUNCS(getttyent ttyslot, [break])
+ AC_CHECK_FUNCS(fseeko)
fi
AC_CHECK_FUNCS(sysctl, [AC_CHECK_MEMBERS([struct kinfo_proc.ki_tdev], [],
])
eval gettext_result="\$$gettext_name"
AC_MSG_RESULT($gettext_result)
- test "$gettext_result" = "yes" && break
+ if test "$gettext_result" = "yes"; then
+ AC_CHECK_FUNCS(ngettext)
+ break
+ fi
done
LIBS="$OLIBS"
fi
])
+dnl
+dnl Check for sig2str(), sys_signame or sys_sigabbrev
+dnl
+AC_CHECK_FUNCS(sig2str, [], [
+ AC_LIBOBJ(sig2str)
+ HAVE_SIGNAME="false"
+ AC_CHECK_DECLS([sys_signame, _sys_signame, __sys_signame, sys_sigabbrev], [
+ HAVE_SIGNAME="true"
+ break
+ ], [ ], [
+AC_INCLUDES_DEFAULT
+#include <signal.h>
+ ])
+ if test "$HAVE_SIGNAME" != "true"; then
+ AC_CACHE_CHECK([for undeclared sys_sigabbrev],
+ [sudo_cv_var_sys_sigabbrev],
+ [AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
+ [sudo_cv_var_sys_sigabbrev=yes],
+ [sudo_cv_var_sys_sigabbrev=no]
+ )
+ ]
+ )
+ if test "$sudo_cv_var_sys_sigabbrev" = yes; then
+ AC_DEFINE(HAVE_SYS_SIGABBREV)
+ else
+ AC_LIBOBJ(signame)
+ fi
+ fi
+])
+
dnl
dnl nsswitch.conf and its equivalents
dnl
for dir in "" "/usr/local" "/usr/contrib"; do
test -n "$dir" && CPPFLAGS="$O_CPPFLAGS -I${dir}/include"
AC_CHECK_HEADER([skey.h], [found=yes; break], [],
- [#include <stdio.h>])
+ [#include <stdio.h>])
done
if test "$found" = "no" -o -z "$dir"; then
CPPFLAGS="$O_CPPFLAGS"
AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
- AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+ AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_init ldap_ssl_client_init ldap_start_tls_s_np)
AC_CHECK_FUNCS(ldap_search_ext_s ldap_search_st, [break])
if test X"$check_gss_krb5_ccache_name" = X"yes"; then
SUDOERS_LIBS="${SUDOERS_LIBS} $LIBDL"
fi
-# On HP-UX, you cannot dlopen() a shared object that uses pthreads
-# unless the main program is linked against -lpthread. Since we
-# have no knowledge what libraries a plugin may depend on, we always
-# link against -lpthread on HP-UX if it is available.
+# On HP-UX, you cannot dlopen() a shared object that uses pthreads unless
+# the main program is linked against -lpthread. We have no knowledge of
+# what libraries a plugin may depend on (e.g. HP-UX LDAP which uses pthreads)
+# so always link against -lpthread on HP-UX if it is available.
# This check should go after all other libraries tests.
case "$host" in
*-*-hpux*)
SUDO_TIMEDIR
SUDO_IO_LOGDIR
+dnl
+dnl Turn warnings into errors.
+dnl All compiler/loader tests after this point will fail if
+dnl a warning is displayed (nornally, warnings are not fata).
+dnl
+AC_LANG_WERROR
+
+dnl
+dnl If compiler supports the -static-libgcc flag use it unless we have
+dnl GNU ld (which can avoid linking in libgcc when it is not needed).
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test -n "$GCC" -a "$lt_cv_prog_gnu_ld" != "yes" -a -n "$GCC"; then
+ AX_CHECK_COMPILE_FLAG([-static-libgcc], [LT_LDFLAGS="$LT_LDFLAGS -Wc,-static-libgcc"])
+fi
+
+dnl
+dnl Check for symbol visibility support.
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test -n "$GCC"; then
+ AX_CHECK_COMPILE_FLAG([-fvisibility=hidden], [
+ AC_DEFINE(HAVE_DSO_VISIBILITY)
+ CFLAGS="${CFLAGS} -fvisibility=hidden"
+ LT_LDEXPORTS=
+ LT_LDDEP=
+ NO_VIZ=
+ ])
+else
+ case "$host" in
+ *-*-hpux*)
+ AX_CHECK_COMPILE_FLAG([-Bhidden_def], [
+ AC_DEFINE(HAVE_DSO_VISIBILITY)
+ CFLAGS="${CFLAGS} -Bhidden_def"
+ LT_LDEXPORTS=
+ LT_LDDEP=
+ ])
+ ;;
+ *-*-solaris2*)
+ AX_CHECK_COMPILE_FLAG([-xldscope=hidden], [
+ AC_DEFINE(HAVE_DSO_VISIBILITY)
+ CFLAGS="${CFLAGS} -xldscope=hidden"
+ LT_LDEXPORTS=
+ LT_LDDEP=
+ ])
+ ;;
+ esac
+fi
+
+dnl
+dnl If the compiler doesn't have symbol visibility support, it may
+dnl support version scripts (only GNU and Solaris ld).
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test -n "$LT_LDEXPORTS"; then
+ if test "$lt_cv_prog_gnu_ld" = "yes"; then
+ AC_CACHE_CHECK([whether ld supports anonymous map files],
+ [sudo_cv_var_gnu_ld_anon_map],
+ [
+ cat > conftest.map <<-EOF
+ {
+ global: foo;
+ local: *;
+ };
+EOF
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+ _LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -fpic -shared -Wl,--version-script,./conftest.map"
+ AC_TRY_LINK([int foo;], [], [
+ sudo_cv_var_gnu_ld_anon_map=yes
+ ])
+ CFLAGS="$_CFLAGS"
+ LDFLAGS="$_LDFLAGS"
+ ]
+ )
+ if test "$sudo_cv_var_gnu_ld_anon_map" = "yes"; then
+ LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,--version-script,\$(shlib_map)"
+ fi
+ else
+ case "$host" in
+ *-*-solaris2*)
+ AC_CACHE_CHECK([whether ld supports anonymous map files],
+ [sudo_cv_var_solaris_ld_anon_map],
+ [
+ cat > conftest.map <<-EOF
+ {
+ global: foo;
+ local: *;
+ };
+EOF
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+ _LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -shared -Wl,-M,./conftest.map"
+ AC_TRY_LINK([int foo;], [], [
+ sudo_cv_var_solaris_ld_anon_map=yes
+ ])
+ CFLAGS="$_CFLAGS"
+ LDFLAGS="$_LDFLAGS"
+ ]
+ )
+ if test "$sudo_cv_var_solaris_ld_anon_map" = "yes"; then
+ LT_LDEXPORTS=; LT_LDDEP="\$(shlib_map)"; LT_LDMAP="-Wl,-M,\$(shlib_map)"
+ fi
+ ;;
+ *-*-hpux*)
+ AC_CACHE_CHECK([whether ld supports controlling exported symbols],
+ [sudo_cv_var_hpux_ld_symbol_export],
+ [
+ echo "+e foo" > conftest.opt
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $lt_prog_compiler_pic"
+ _LDFLAGS="$LDFLAGS"
+ if test -n "$GCC"; then
+ LDFLAGS="$LDFLAGS -shared -Wl,-c,./conftest.opt"
+ else
+ LDFLAGS="$LDFLAGS -Wl,-b -Wl,-c,./conftest.opt"
+ fi
+ AC_TRY_LINK([int foo;], [], [
+ sudo_cv_var_hpux_ld_symbol_export=yes
+ ])
+ CFLAGS="$_CFLAGS"
+ LDFLAGS="$_LDFLAGS"
+ ]
+ )
+ if test "$sudo_cv_var_hpux_ld_symbol_export" = "yes"; then
+ LT_LDEXPORTS=; LT_LDDEP="\$(shlib_opt)"; LT_LDOPT="-Wl,-c,\$(shlib_opt)"
+ fi
+ ;;
+ esac
+ fi
+fi
+
+dnl
+dnl Check for PIE executable support if using gcc.
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test "$enable_pie" != "no" -a -n "$GCC"; then
+ AX_CHECK_COMPILE_FLAG([-fPIE], [
+ _CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -fPIE"
+ AX_CHECK_LINK_FLAG([-pie], [
+ PIE_CFLAGS="-fPIE"
+ PIE_LDFLAGS="-pie"
+ ])
+ CFLAGS="$_CFLAGS"
+ ])
+fi
+
+dnl
+dnl Check for -fstack-protector and -z relro support
+dnl This test relies on AC_LANG_WERROR
+dnl
+if test "$enable_hardening" != "no"; then
+ if test -n "$GCC"; then
+ AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [
+ AX_CHECK_LINK_FLAG([-fstack-protector-all], [
+ SSP_CFLAGS="-fstack-protector-all"
+ SSP_LDFLAGS="-Wc,-fstack-protector-all"
+ ])
+ ])
+ if test -z "$SSP_CFLAGS"; then
+ AX_CHECK_COMPILE_FLAG([-fstack-protector], [
+ AX_CHECK_LINK_FLAG([-fstack-protector], [
+ SSP_CFLAGS="-fstack-protector"
+ SSP_LDFLAGS="-Wc,-fstack-protector"
+ ])
+ ])
+ fi
+ fi
+ AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="${LDFLAGS} -Wl,-z,relro"])
+fi
+
dnl
dnl Use passwd auth module?
dnl
fi
fi
+dnl
+dnl Skip regress tests and sudoers sanity check if cross compiling.
+dnl
+CROSS_COMPILING="$cross_compiling"
+
dnl
dnl Set exec_prefix
dnl
test "$includedir" = '${prefix}/include' && includedir='$(prefix)/include'
test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
+test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
+test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
dnl
dnl Substitute into the Makefile and man pages
dnl
-dnl AC_CONFIG_FILES([doc/sudo.man doc/visudo.man doc/sudoers.man doc/sudoers.ldap.man doc/sudoreplay.man src/Makefile src/sudo_usage.h])
AC_CONFIG_FILES([Makefile common/Makefile compat/Makefile doc/Makefile include/Makefile src/sudo_usage.h src/Makefile plugins/sample/Makefile plugins/sample_group/Makefile plugins/system_group/Makefile plugins/sudoers/Makefile plugins/sudoers/sudoers])
AC_OUTPUT
AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
AH_TEMPLATE(HAVE_LIBINTL_H, [Define to 1 if you have the <libintl.h> header file.])
AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
+AH_TEMPLATE(HAVE_SSSD, [Define to 1 to enable SSSD support.])
AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])
AH_TEMPLATE(RTLD_PRELOAD_ENABLE_VAR, [An extra environment variable that is required to enable preloading (if any).])
AH_TEMPLATE(RTLD_PRELOAD_DELIM, [The delimiter to use when defining multiple preloaded objects.])
AH_TEMPLATE(RTLD_PRELOAD_DEFAULT, [The default value of preloaded objects (if any).])
+AH_TEMPLATE(HAVE_DSO_VISIBILITY, [Define to 1 if the compiler supports the __visibility__ attribute.])
+AH_TEMPLATE(HAVE_SYS_SIGABBREV, [Define to 1 if your libc has the `sys_sigabbrev' symbol.])
dnl
dnl Bits to copy verbatim into config.h.in
# define ignore_result(x) (void)(x)
#endif
-/* GNU stow needs /etc/sudoers to be a symlink. */
-#ifdef USE_STOW
-# define stat_sudoers stat
-#else
-# define stat_sudoers lstat
-#endif
-
/* Macros to set/clear/test flags. */
#undef SET
#define SET(t, f) ((t) |= (f))
Keith Garry Boyce
Michael Brantley
Rob Braun
+ Pavel Brezina
Piete Brooks
Jerry Brown
Michael E Burr
Marc Espie
Ariel Faigon
Brian Farrell
+ Stephane Graber
Steve Fobes
Mike Frysinger
Jean-loup Gailly
Stepan Kasal
Mike Kienenberger
Dale King
+ Michael King
Jim Knoble
Tim Knox
Alek O. Komarnitsky
Michael Meskes
Todd C. Miller
Loic Minier
+ Darren Moffat
Jan Thomas Moldung
Charles Morris
Andreas Mueller
Diego Elio Petteno
Joel Pickett
Alex Plotnick
- Tran Ngoc Quan
+ Tran Ngoc Quan
Gudleik Rasch
Matt Richards
Guido van Rossum
Marco van Wieringen
David Wood
Gustavo Zacarias
+ John Zolnowsky
Todd C. Miller <Todd.Miller@courtesan.com>
Todd continues to enhance sudo and fix bugs.
-
#
-# Copyright (c) 2011 Todd C. Miller <Todd.Miller@courtesan.com>
+# Copyright (c) 2010-2012 Todd C. Miller <Todd.Miller@courtesan.com>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
docdir = @docdir@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+cross_compiling = @CROSS_COMPILING@
# Tools to use
-NROFF = @NROFFPROG@
+SED = @SED@
+MANDOC = @MANDOCPROG@
+MANCOMPRESS = @MANCOMPRESS@
+MANCOMPRESSEXT = @MANCOMPRESSEXT@
+TR = @TRPROG@
# Our install program supports extra flags...
INSTALL = $(SHELL) $(top_srcdir)/install-sh -c
mantype = @MANTYPE@
mansectsu = @mansectsu@
mansectform = @mansectform@
-mandirsu = $(mandir)/$(mantype)$(mansectsu)
-mandirform = $(mandir)/$(mantype)$(mansectform)
+mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu)
+mandirform = $(mandir)/@MANDIRTYPE@$(mansectform)
# User and group ids the installed files should be "owned" by
install_uid = 0
SHELL = @SHELL@
-DOCS = sudo.man visudo.man sudoers.man sudoers.ldap.man sudoers.man \
- sudoreplay.man sudo_plugin.man
+DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \
+ sudoers.ldap.$(mantype) sudoers.$(mantype) \
+ sudoreplay.$(mantype) sudo_plugin.$(mantype)
DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
$(srcdir)/visudo.man.in $(srcdir)/visudo.cat \
$(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \
$(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
$(srcdir)/sudoreplay.man.in $(srcdir)/sudoreplay.cat \
- $(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_plugin.cat \
- $(srcdir)/HISTORY $(srcdir)/LICENSE $(srcdir)/CONTRIBUTORS
+ $(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_plugin.cat
OTHER_DOCS = $(top_srcdir)/ChangeLog $(top_srcdir)/README \
$(top_srcdir)/NEWS $(srcdir)/HISTORY $(srcdir)/CONTRIBUTORS \
varsub: $(top_srcdir)/configure.in
@if [ -n "$(DEVEL)" ]; then \
- printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; \
- sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
+ printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN PSMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \
+ $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
fi
-$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod
+$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
- mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
- sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo.pod > $@; \
- pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudo.man.pl >> $@; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
-sudo.man: $(srcdir)/sudo.man.in
- (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
+sudo.man.sed: $(srcdir)/fixman.sh
+ BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@
-$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@; \
- fi
+sudo.man: $(srcdir)/sudo.man.in sudo.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
-$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
- mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
- sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/visudo.pod > $@; \
- pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
- fi
+sudo.mdoc.sed: $(srcdir)/fixmdoc.sh
+ BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@
-visudo.man: $(srcdir)/visudo.man.in
- (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
+sudo.mdoc: $(srcdir)/sudo.mdoc.in sudo.mdoc.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
-$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in
+$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@; \
+ $(SED) -f varsub $(srcdir)/sudo.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
-$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod
+sudo.cat: $(srcdir)/sudo.cat
+
+$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
- mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
- sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.pod > $@; \
- pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p $(srcdir)/sudoers.man.pl >> $@; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/visudo.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
-sudoers.man: $(srcdir)/sudoers.man.in
+visudo.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
+
+visudo.man: $(srcdir)/visudo.man.in visudo.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+visudo.mdoc: $(srcdir)/visudo.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in
+$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@; \
+ $(SED) -f varsub $(srcdir)/visudo.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
-$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod
+visudo.cat: $(srcdir)/visudo.cat
+
+$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
- mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
- sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.ldap.pod > $@; \
- pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
-sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in
- (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
+sudoers.man.sed: $(srcdir)/fixman.sh
+ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudoers.man: $(srcdir)/sudoers.man.in sudoers.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudoers.mdoc.sed: $(srcdir)/fixmdoc.sh
+ LCMAN=@LCMAN@ SEMAN=@SEMAN@ PSMAN=@PSMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@
+
+sudoers.mdoc: $(srcdir)/sudoers.mdoc.in sudoers.mdoc.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
-$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in
+$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@; \
+ $(SED) -f varsub $(srcdir)/sudoers.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
-$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod
+sudoers.cat: $(srcdir)/sudoers.cat
+
+$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
- mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
- sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoreplay.pod > $@; \
- pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.ldap.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
-sudoreplay.man: $(srcdir)/sudoreplay.man.in
+sudoers.ldap.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in sudoers.ldap.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudoers.ldap.mdoc: $(srcdir)/sudoers.ldap.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in
+$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@; \
+ $(SED) -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
-$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod
+sudoers.ldap.cat: $(srcdir)/sudoers.ldap.cat
+
+$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; \
- mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; \
- sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo_plugin.pod > $@; \
- pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoreplay.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
-sudo_plugin.man: $(srcdir)/sudo_plugin.man.in
+sudoreplay.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudoreplay.man: $(srcdir)/sudoreplay.man.in sudoreplay.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudoreplay.mdoc: $(srcdir)/sudoreplay.mdoc.in
(cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
-$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.man.in
+$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- sed -f varsub $(srcdir)/sudo_plugin.man.in | $(NROFF) -man > $@; \
+ $(SED) -f varsub $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
-CONTRIBUTORS: $(srcdir)/contributors.pod
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- pod2text -l -i0 $(srcdir)/contributors.pod | sed '1,3d' > $@; \
- fi
+sudoreplay.cat: $(srcdir)/sudoreplay.cat
-HISTORY: $(srcdir)/history.pod
+$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- pod2text -l -i0 $(srcdir)/history.pod > $@; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo_plugin.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO_PLUGIN" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
fi
-LICENSE: $(srcdir)/license.pod
+sudo_plugin.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudo_plugin.man: $(srcdir)/sudo_plugin.man.in sudo_plugin.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudo_plugin.mdoc: $(srcdir)/sudo_plugin.mdoc.in
+ (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@)
+
+$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
- pod2text -l -i0 $(srcdir)/license.pod | sed '1,3d' > $@; \
+ $(SED) -f varsub $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
fi
+sudo_plugin.cat: $(srcdir)/sudo_plugin.cat
+
pre-install:
install: install-doc
install-includes:
install-doc: install-dirs
- for f in $(OTHER_DOCS); do $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 $$f $(DESTDIR)$(docdir); done
- @LDAP@for f in $(OTHER_DOCS_LDAP); do $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 $$f $(DESTDIR)$(docdir); done
- $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
- @rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)
- ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 @mansrcdir@/sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 @mansrcdir@/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
- $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
- @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
-@MAN_POSTINSTALL@
+ for f in $(OTHER_DOCS); do $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 $$f $(DESTDIR)$(docdir); done
+ @LDAP@for f in $(OTHER_DOCS_LDAP); do $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 $$f $(DESTDIR)$(docdir); done
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudo_plugin.$(mantype) $(DESTDIR)$(mandirsu)/sudo_plugin.$(mansectsu)
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
+ @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
+ @if test -n "$(MANCOMPRESS)"; then \
+ for f in $(mandirsu)/sudo.$(mansectsu) $(mandirsu)/sudo_plugin.$(mansectsu) $(mandirsu)/sudoreplay.$(mansectsu) $(mandirsu)/visudo.$(mansectsu) $(mandirform)/sudoers.$(mansectform) $(mandirform)/sudoers.ldap.$(mansectform); do \
+ if test -f $(DESTDIR)$$f; then \
+ echo $(MANCOMPRESS) -f $(DESTDIR)$$f; \
+ $(MANCOMPRESS) -f $(DESTDIR)$$f; \
+ fi; \
+ done; \
+ rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ else \
+ rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ fi
install-plugin:
check:
clean:
- -rm -f varsub
+ -rm -f varsub *.sed
mostlyclean: clean
+++ /dev/null
-=head1 Sudo Contributors
-
-=head4
-The following list of people, sorted by last name, have contributed
-code or patches to this implementation of sudo since I began
-maintaining it in 1993. This list is known to be incomplete--if
-you believe you should be listed, please send a note to sudo@sudo.ws.
-
- Matt Ackeret
- Mark Adler
- Russ Allbery
- Nick Andrew
- Dimitry Andric
- Danny Barron
- Tom Bates
- Zdenek Behan
- Ray Bellis
- Elias Benali
- Jamie Beverly
- Spider Boardman
- Jakub Bogusz
- P.J. Bostley
- Keith Bowes
- Keith Garry Boyce
- Michael Brantley
- Rob Braun
- Piete Brooks
- Jerry Brown
- Michael E Burr
- Andreas Bussjaeger
- Gary Calvin
- Aaron Campbell
- Milo Casagrande
- Yuri Chornoivan
- Vitezslav Cizek
- Chris Coleman
- Deven T. Corzine
- Frank Cusack
- Theo de Raadt
- David Dill
- Theo Van Dinter
- Jeff Earickson
- Drew Eckhardt
- Ben Edgington
- Marc Esipovich
- Marc Espie
- Ariel Faigon
- Brian Farrell
- Steve Fobes
- Mike Frysinger
- Jean-loup Gailly
- Simon J. Gerraty
- B. Guillory
- Joe Hansen
- Randy M. Hayman
- Joachim Henke
- YOSHIFUJI Hideaki
- Dave Hieb
- Nick Holloway
- Adam Hoover
- Michael T. Hunter
- Eric Irrgang
- Brian Jackson
- Richard L. Jackson Jr
- John R. Jackson
- Mark Janssen
- Chris Jepeway
- Timo Juhani
- Ayamura KIKUCHI
- Kevin Kadow
- Jorma Karvonen
- Stepan Kasal
- Mike Kienenberger
- Dale King
- Jim Knoble
- Tim Knox
- Alek O. Komarnitsky
- Daniel Kopecek
- Yuri Kozlov
- Paul Kranenburg
- David Krause
- Case Larsen
- Dmitry V. Levin
- Kendall Libby
- Phillip E. Lobbes
- Jason McIntyre
- David J. MacKenzie
- Tom McLaughlin
- Jeff Makey
- Michael D. Marchionna
- Paul Markham
- Emin Martinian
- Pavel Maryanov
- Michael Meskes
- Todd C. Miller
- Loic Minier
- Jan Thomas Moldung
- Charles Morris
- Andreas Mueller
- Dworkin Muller
- Jeff Nieusma
- Peter A. Nikitser
- Miroslav Nikolic
- Ludwig Nussel
- Eric Paquet
- Chantal Paradis
- Ted Percival
- Christian S.J. Peron
- Alexander Peslyak
- Toby Peterson
- Diego Elio Petteno
- Joel Pickett
- Alex Plotnick
- Gudleik Rasch
- Matt Richards
- Guido van Rossum
- John P. Rouillard
- William A. Rowe Jr.
- Alain Roy
- Elan Ruusamae
- Eygene Ryabinkin
- Yuichi SATO
- Wilfredo Sanchez
- Jean-Francois Saucier
- Patrick Schoenfeld
- Arno Schuring
- Dougal Scott
- Abel Sendón
- Nick Sieger
- Thor Lancelot Simon
- Marc Slemko
- Andy Smith
- Igor Sobrado
- Aaron Spangler
- Cloyce D. Spradling
- Matthew Stier
- Tobias Stoeckmann
- Russell Street
- Tilo Stritzky
- Michael Stroucken
- Yasuaki Taniguchi
- Robert Tarrall
- Matthew Thomas
- Giles Todd
- Martin Toft
- Chris Torek
- Darren Tucker
- Robert Uhl
- Mikel Olasagasti Uranga
- Petr Uzel
- Reznic Valery
- Martynas Venckus
- Klaus Wagner
- Dan Walsh
- Wylmer Wang
- John Warburton
- Kirk Webb
- Timm Wetzel
- Marco van Wieringen
- David Wood
--- /dev/null
+#!/bin/sh
+
+OUTFILE="$1"
+rm -f "$OUTFILE"
+> "$OUTFILE"
+
+# HP-UX friendly header/footer for all man pages
+if [ X"`uname 2>&1`" = X"HP-UX" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ s/^\.TH \("[^"]*"\) \("[^"]*"\) "\([^"]*\)" "\([^"]*\)" \("[^"]*"\)/.TH \1 \2\
+ .ds )H \4\
+ .ds ]W \3/
+EOF
+fi
+
+# Page specific hacks
+case "$OUTFILE" in
+ sudo.man.sed)
+ # Replace "0 minutes" with "unlimited"
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\\fR0\\fR$/ {
+ N
+ s/^\\fR0\\fR\nminutes\.$/unlimited./
+ }
+ EOF
+
+ # BSD auth
+ if [ X"$BAMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\[\\fB\\-a\\fR\\ \\fIauth_type\\fR/d
+ /^\\fB\\-a\\fR \\fItype\\fR$/,/^\.TP 12n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+
+ # BSD login class
+ if [ X"$LCMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\[\\fB\\-c\\fR\\ \\fIclass\\fR/d
+ /^\\fB\\-c\\fR \\fIclass\\fR$/,/^\.TP 12n$/ {
+ /^\.PD$/!d
+ }
+ /^login_cap(3),$/d
+ /^BSD login class$/ {
+ N
+ N
+ /^BSD login class\n\.TP 4n\n\\fBo\\fR$/d
+ }
+ EOF
+ fi
+
+ # SELinux
+ if [ X"$SEMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\[\\fB\\-[rt]\\fR\\ \\fI[rt][oy][lp]e\\fR/d
+ /^\\fB\\-[rt]\\fR \\fI[rt][oy][lp]e\\fR$/,/^\.TP 12n$/ {
+ /^\.PD$/!d
+ }
+ /^SELinux role and type$/ {
+ N
+ N
+ /^SELinux role and type\n\.TP 4n\n\\fBo\\fR$/d
+ }
+ EOF
+ fi
+
+ # Solaris privileges
+ if [ X"$PSMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^Solaris project$/ {
+ N
+ N
+ N
+ N
+ N
+ /^Solaris project\n\.TP 4n\n\\fBo\\fR\nSolaris privileges\n\.TP 4n\n\\fBo\\fR$/d
+ }
+ EOF
+ fi
+ ;;
+ sudoers.man.sed)
+ # Subsections to remove (SELinux and Solaris are adjacent)
+ RM_SS=
+ if [ X"$PSMAN" != X"1" ]; then
+ if [ X"$SEMAN" != X"1" ]; then
+ RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS "[^S]/{;/^\.SS "[^S][^o][^l]/!d;};'
+ else
+ RM_SS='/^\.SS "Solaris_Priv_Spec"/,/^\.SS/{;/^\.SS "[^S][^o][^l]/!d;};'
+ fi
+ elif [ X"$SEMAN" != X"1" ]; then
+ RM_SS='/^\.SS "SELinux_Spec"/,/^\.SS/{;/^\.SS "[^S][^E][^L]/!d;};'
+ fi
+ if [ -n "$RM_SS" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ $RM_SS
+ EOF
+ fi
+
+ # BSD login class
+ if [ X"$LCMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ /^On BSD systems/,/\.$/ {
+ d
+ }
+ /^use_loginclass$/,/^\.TP 18n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+
+ # Solaris PrivSpec
+ if [ X"$PSMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ s/Solaris_Priv_Spec? //
+ /^Solaris_Priv_Spec ::=/ {
+ N
+ d
+ }
+ /^l*i*m*i*t*privs$/,/^\.TP 18n$/ {
+ /^\.PD$/!d
+ }
+ /^On Solaris 10/,/^\.[sP][pP]/ {
+ d
+ }
+ EOF
+ fi
+
+ # SELinux
+ if [ X"$SEMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ s/SELinux_Spec? //
+ /^SELinux_Spec ::=/ {
+ N
+ d
+ }
+ /^[rt][oy][lp]e$/,/^\.TP 18n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+ ;;
+esac
--- /dev/null
+#!/bin/sh
+
+OUTFILE="$1"
+rm -f "$OUTFILE"
+> "$OUTFILE"
+
+# Page specific hacks
+case "$OUTFILE" in
+ sudo.mdoc.sed)
+ # Replace "0 minutes" with "unlimited"
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.Li 0$/ {
+ N
+ s/^\.Li 0\nminutes\.$/unlimited./
+ }
+ EOF
+
+ # BSD auth
+ BA_FLAG=
+ if [ X"$BAMAN" != X"1" ]; then
+ BA_FLAG='/^.*\n\.Op Fl a Ar auth_type/{;N;/^.*\n\.Ek$/d;};'
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.It Fl a Ar type/,/BSD authentication\.$/ {
+ d
+ }
+ EOF
+ fi
+
+ # BSD login class
+ LC_FLAG=
+ if [ X"$LCMAN" != X"1" ]; then
+ LC_FLAG='/^.*\n\.Op Fl c Ar class/{;N;/^.*\n\.Ek$/d;};'
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.It Fl c Ar class/,/BSD login classes\.$/ {
+ d
+ }
+ /^\.Xr login_cap 3 ,$/d
+ /^BSD login class$/ {
+ N
+ /^BSD login class\n\.It$/d
+ }
+ EOF
+ fi
+
+ # SELinux
+ SE_FLAG=
+ if [ X"$SEMAN" != X"1" ]; then
+ SE_FLAG='/^.*\n\.Op Fl r Ar role/{;N;/^.*\n\.Ek$/d;};/^.*\n\.Op Fl t Ar type/{;N;/^.*\n\.Ek$/d;};'
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.It Fl r Ar role/,/newline character\.$/ {
+ d
+ }
+ /^\.It Fl t Ar type/,/specified role\.$/ {
+ d
+ }
+ /^SELinux role and type$/ {
+ N
+ /^SELinux role and type\n\.It$/d
+ }
+ EOF
+ fi
+
+ # Solaris privileges
+ if [ X"$PSMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^Solaris project$/ {
+ N
+ N
+ N
+ /^Solaris project\n\.It\nSolaris privileges\n\.It$/d
+ }
+ EOF
+ fi
+
+ # Unsupported flags must be removed together
+ if [ -n "$BA_FLAG$LC_FLAG$SE_FLAG" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ /^\.Bk -words\$/ {
+ N
+ $BA_FLAG$LC_FLAG$SE_FLAG
+ }
+ EOF
+ fi
+ ;;
+ sudoers.mdoc.sed)
+ # Subsections to remove (SELinux and Solaris are adjacent)
+ RM_SS=
+ if [ X"$PSMAN" != X"1" ]; then
+ if [ X"$SEMAN" != X"1" ]; then
+ RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss [^S]/{;/^\.Ss [^S][^o][^l]/!d;};'
+ else
+ RM_SS='/^\.Ss Solaris_Priv_Spec/,/^\.Ss/{;/^\.Ss [^S][^o][^l]/!d;};'
+ fi
+ elif [ X"$SEMAN" != X"1" ]; then
+ RM_SS='/^\.Ss SELinux_Spec/,/^\.Ss/{;/^\.Ss [^S][^E][^L]/!d;};'
+ fi
+ if [ -n "$RM_SS" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ $RM_SS
+ EOF
+ fi
+
+ # BSD login class
+ if [ X"$LCMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^On BSD systems/,/\.$/ {
+ d
+ }
+ /^\.It use_loginclass$/,/^\.It/ {
+ /^\.It [^u][^s][^e][^_][^l]/!d
+ }
+ EOF
+ fi
+
+ # Solaris PrivSpec
+ if [ X"$PSMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ s/Solaris_Priv_Spec? //
+ /^Solaris_Priv_Spec ::=/ {
+ N
+ d
+ }
+ /^\.It limitprivs$/,/^\.It/ {
+ /^\.It [^l][^i][^m][^i][^t]/!d
+ }
+ /^\.It privs$/,/^\.It/ {
+ /^\.It [^p][^r][^i][^v][^s]$/!d
+ }
+ /^On Solaris 10/,/^\.Pp/ {
+ d
+ }
+ EOF
+ fi
+
+ # SELinux
+ if [ X"$SEMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ s/SELinux_Spec? //
+ /^SELinux_Spec ::=/ {
+ N
+ d
+ }
+ /^\.It [rt][oy][lp]e$/,/^\.It/ {
+ /^\.It [^rt][^oy][^lp][^e]$/!d
+ }
+ EOF
+ fi
+ ;;
+esac
+++ /dev/null
-=head1 A Brief History of Sudo:
-
-=head3 The Early Years
-
-Sudo was first conceived and implemented by Bob Coggeshall and Cliff
-Spencer around 1980 at the Department of Computer Science at
-SUNY/Buffalo. It ran on a VAX-11/750 running 4.1BSD. An updated
-version, credited to Phil Betchel, Cliff Spencer, Gretchen Phillips,
-John LoVerso and Don Gworek, was posted to the net.sources Usenet
-newsgroup in December of 1985.
-
-=head3 Sudo at CU-Boulder
-
-In the Summer of 1986, Garth Snyder released an enhanced version
-of sudo. For the next 5 years, sudo was fed and watered by a handful
-of folks at CU-Boulder, including Bob Coggeshall, Bob Manchek, and
-Trent Hein.
-
-=head3 Root Group Sudo
-
-In 1991, Dave Hieb and Jeff Nieusma wrote a new version of sudo
-with an enhanced sudoers format under contract to a consulting firm
-called "The Root Group". This version was later released under the
-GNU public license.
-
-=head3 CU Sudo
-
-In 1994, after maintaining sudo informally within CU-Boulder for
-some time, Todd C. Miller made a public release of "CU sudo" (version
-1.3) with bug fixes and support for more operating systems. The
-"CU" was added to differentiate it from the "official" version from
-"The Root Group".
-
-In 1995, a new parser for the sudoers file was contributed by Chris
-Jepeway. The new parser was a proper grammar (unlike the old one)
-and could work with both sudo and visudo (previously they had
-slightly different parsers).
-
-In 1996, Todd, who had been maintaining sudo for several years in
-his spare time, moved distribution of sudo from a CU-Boulder ftp
-site to his domain, courtesan.com.
-
-=head3 Just Plain Sudo
-
-In 1999, the "CU" prefix was dropped from the name since there had
-been no formal release of sudo from "The Root Group" since 1991
-(the original authors now work elsewhere). As of version 1.6, Sudo
-no longer contains any of the original "Root Group" code and is
-available under an ISC-style license.
-
-In 2001, the sudo web site, ftp site and mailing lists were moved
-from courtesan.com to the sudo.ws domain (sudo.org was already
-taken).
-
-=head3 LDAP Integration
-
-In 2003, Nationwide Mutual Insurance Company contributed code written
-by Aaron Spangler to store the sudoers data in LDAP. These changes
-were incorporated into Sudo 1.6.8.
-
-=head3 New Parser
-
-In 2005, Todd rewrote the sudoers parser to better support the
-features that had been added in the past ten years. This new parser
-removes some limitations of the previous one, removes ordering
-constraints and adds support for including multiple sudoers files.
-
-=head3 Quest Sponsorship
-
-In 2010, Quest Software began sponsoring Sudo development by hiring
-Todd to work on Sudo as part of his full-time job.
-
-=head3 Present Day
-
-Sudo, in its current form, is maintained by:
-
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Todd continues to enhance sudo and fix bugs.
+++ /dev/null
-=head1 Sudo License
-
-=head3
-Sudo is distributed under the following ISC-style license:
-
- Copyright (c) 1994-1996, 1998-2011
- Todd C. Miller <Todd.Miller@courtesan.com>
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
- Sponsored in part by the Defense Advanced Research Projects
- Agency (DARPA) and Air Force Research Laboratory, Air Force
- Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=head3
-The files fnmatch.c, fnmatch.h, getcwd.c, glob.c, glob.h and snprintf.c
-bear the following UCB license:
-
- Copyright (c) 1987, 1989, 1990, 1991, 1992, 1993, 1994
- The Regents of the University of California. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. Neither the name of the University nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
-=head3
-The embedded copy of zlib bears the following license:
-
- Copyright (C) 1995-2010 Jean-loup Gailly and Mark Adler
-
- This software is provided 'as-is', without any express or implied
- warranty. In no event will the authors be held liable for any damages
- arising from the use of this software.
-
- Permission is granted to anyone to use this software for any purpose,
- including commercial applications, and to alter it and redistribute it
- freely, subject to the following restrictions:
-
- 1. The origin of this software must not be misrepresented; you must not
- claim that you wrote the original software. If you use this software
- in a product, an acknowledgment in the product documentation would be
- appreciated but is not required.
- 2. Altered source versions must be plainly marked as such, and must not be
- misrepresented as being the original software.
- 3. This notice may not be removed or altered from any source distribution.
-
- Jean-loup Gailly Mark Adler
- jloup@gzip.org madler@alumni.caltech.edu
schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==\r
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X\r
\r
-dn: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X
-changetype: add
-objectClass: top
-objectClass: attributeSchema
-cn: sudoNotBefore
-distinguishedName: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X
-instanceType: 4
-attributeID: 1.3.6.1.4.1.15953.9.1.8
-attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.24
-isSingleValued: TRUE
-showInAdvancedViewOnly: TRUE
-adminDisplayName: sudoNotBefore
-adminDescription: Start of time interval for which the entry is valid
-oMSyntax: 22
-lDAPDisplayName: sudoNotBefore
-name: sudoNotBefore
-schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
-objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
+dn: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X\r
+changetype: add\r
+objectClass: top\r
+objectClass: attributeSchema\r
+cn: sudoNotBefore\r
+distinguishedName: CN=sudoNotBefore,CN=Schema,CN=Configuration,DC=X\r
+instanceType: 4\r
+attributeID: 1.3.6.1.4.1.15953.9.1.8\r
+attributeSyntax: 2.5.5.11\r
+isSingleValued: TRUE\r
+showInAdvancedViewOnly: TRUE\r
+adminDisplayName: sudoNotBefore\r
+adminDescription: Start of time interval for which the entry is valid\r
+oMSyntax: 24\r
+lDAPDisplayName: sudoNotBefore\r
+name: sudoNotBefore\r
+schemaIDGUID:: dm1HnRfY4RGf4gopYYhwmw==
+objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X\r
-dn: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X
-changetype: add
-objectClass: top
-objectClass: attributeSchema
-cn: sudoNotAfter
-distinguishedName: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X
-instanceType: 4
-attributeID: 1.3.6.1.4.1.15953.9.1.9
-attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.24
-isSingleValued: TRUE
-showInAdvancedViewOnly: TRUE
-adminDisplayName: sudoNotAfter
-adminDescription: End of time interval for which the entry is valid
-oMSyntax: 22
-lDAPDisplayName: sudoNotAfter
-name: sudoNotAfter
-schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
-objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
+dn: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X\r
+changetype: add\r
+objectClass: top\r
+objectClass: attributeSchema\r
+cn: sudoNotAfter\r
+distinguishedName: CN=sudoNotAfter,CN=Schema,CN=Configuration,DC=X\r
+instanceType: 4\r
+attributeID: 1.3.6.1.4.1.15953.9.1.9\r
+attributeSyntax: 2.5.5.11\r
+isSingleValued: TRUE\r
+showInAdvancedViewOnly: TRUE\r
+adminDisplayName: sudoNotAfter\r
+adminDescription: End of time interval for which the entry is valid\r
+oMSyntax: 24\r
+lDAPDisplayName: sudoNotAfter\r
+name: sudoNotAfter\r
+schemaIDGUID:: OAr/pBfY4RG9dBIpYYhwmw==
+objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X\r
-dn: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
-changetype: add
-objectClass: top
-objectClass: attributeSchema
-cn: sudoOrder
-distinguishedName: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X
-instanceType: 4
-attributeID: 1.3.6.1.4.1.15953.9.1.10
-attributeSyntax: 1.3.6.1.4.1.1466.115.121.1.27
-isSingleValued: TRUE
-showInAdvancedViewOnly: TRUE
-adminDisplayName: sudoOrder
-adminDescription: an integer to order the sudoRole entries
-oMSyntax: 22
-lDAPDisplayName: sudoOrder
-name: sudoOrder
-schemaIDGUID:: xJhSt/Yd3RGJPTB1VtiVkw==
-objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X
+dn: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X\r
+changetype: add\r
+objectClass: top\r
+objectClass: attributeSchema\r
+cn: sudoOrder\r
+distinguishedName: CN=sudoOrder,CN=Schema,CN=Configuration,DC=X\r
+instanceType: 4\r
+attributeID: 1.3.6.1.4.1.15953.9.1.10\r
+attributeSyntax: 2.5.5.9\r
+isSingleValued: TRUE\r
+showInAdvancedViewOnly: TRUE\r
+adminDisplayName: sudoOrder\r
+adminDescription: an integer to order the sudoRole entries\r
+oMSyntax: 2\r
+lDAPDisplayName: sudoOrder\r
+name: sudoOrder\r
+schemaIDGUID:: 0J8yrRfY4RGIYBUpYYhwmw==
+objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=X\r
dn:\r
changetype: modify\r
mayContain: sudoRunAsUser\r
mayContain: sudoRunAsGroup\r
mayContain: sudoUser\r
-mayContain: sudoNotBefore
-mayContain: sudoNotAfter
-mayContain: sudoOrder
+mayContain: sudoNotBefore\r
+mayContain: sudoNotAfter\r
+mayContain: sudoOrder\r
rDNAttID: cn\r
showInAdvancedViewOnly: FALSE\r
adminDisplayName: sudoRole\r
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
+SUDO(1m) System Manager's Manual SUDO(1m)
N\bNA\bAM\bME\bE
- sudo, sudoedit - execute a command as another user
+ s\bsu\bud\bdo\bo, s\bsu\bud\bdo\boe\bed\bdi\bit\bt - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-V\bV
-
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
-
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
-
- s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
- [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
-
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-V\bV
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl[_\bl] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs | _\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] -\b-i\bi | -\b-s\bs [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs | _\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] file
+ ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
- another user, as specified by the security policy. The real and
- effective uid and gid are set to match those of the target user, as
- specified in the password database, and the group vector is initialized
- based on the group database (unless the -\b-P\bP option was specified).
-
- s\bsu\bud\bdo\bo supports a plugin architecture for security policies and
- input/output logging. Third parties can develop and distribute their
- own policy and I/O logging modules to work seamlessly with the s\bsu\bud\bdo\bo
- front end. The default security policy is _\bs_\bu_\bd_\bo_\be_\br_\bs, which is configured
- via the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs, or via LDAP. See the PLUGINS section for
- more information.
-
- The security policy determines what privileges, if any, a user has to
- run s\bsu\bud\bdo\bo. The policy may require that users authenticate themselves
- with a password or another authentication mechanism. If authentication
- is required, s\bsu\bud\bdo\bo will exit if the user's password is not entered
- within a configurable time limit. This limit is policy-specific; the
- default password prompt timeout for the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy is 5
- minutes.
-
- Security policies may support credential caching to allow the user to
- run s\bsu\bud\bdo\bo again for a period of time without requiring authentication.
- The _\bs_\bu_\bd_\bo_\be_\br_\bs policy caches credentials for 5 minutes, unless overridden
- in _\bs_\bu_\bd_\bo_\be_\br_\bs(4). By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
- the cached credentials without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd.
-
- When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
-
- Security policies may log successful and failed attempts to use s\bsu\bud\bdo\bo.
- If an I/O plugin is configured, the running command's input and output
- may be logged as well.
-
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo accepts the following command line options:
-
- -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
- the user's terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
- specified, a (possibly graphical) helper program is
- executed to read the user's password and output the
- password to the standard output. If the SUDO_ASKPASS
- environment variable is set, it specifies the path to the
- helper program. Otherwise, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf contains a
- line specifying the askpass program, that value will be
- used. For example:
-
- # Path to askpass helper program
- Path askpass /usr/X11R6/bin/ssh-askpass
-
- If no askpass program is available, sudo will exit with an
- error.
-
- -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
- specified authentication type when validating the user, as
- allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
- specify a list of sudo-specific authentication methods by
- adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
- option is only available on systems that support BSD
- authentication.
-
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
- command in the background. Note that if you use the -\b-b\bb
- option you cannot use shell job control to manipulate the
- process. Most interactive commands will fail to work
- properly in background mode.
-
- -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
- than standard input, standard output and standard error.
- The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
- starting point above the standard error (file descriptor
- three). Values less than three are not permitted. The
- security policy may restrict the user's ability to use the
- -\b-C\bC option. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy only permits use of the -\b-C\bC
- option when the administrator has enabled the
- _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option.
-
- -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
- command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
- defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
- Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
- be run restricted by the default login capabilities for the
- user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
- specifies an existing user class, the command must be run
- as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
- is already root. This option is only available on systems
- with BSD login classes.
-
- -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option indicates to the
- security policy that the user wishes to preserve their
- existing environment variables. The security policy may
- return an error if the -\b-E\bE option is specified and the user
- does not have permission to preserve the environment.
-
- -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
- command, the user wishes to edit one or more files. In
- lieu of a command, the string "sudoedit" is used when
- consulting the security policy. If the user is authorized
- by the policy, the following steps are taken:
-
- 1. Temporary copies are made of the files to be edited
+ s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
+ another user, as specified by the security policy.
+
+ s\bsu\bud\bdo\bo supports a plugin architecture for security policies and
+ input/output logging. Third parties can develop and distribute their own
+ policy and I/O logging plugins to work seamlessly with the s\bsu\bud\bdo\bo front
+ end. The default security policy is _\bs_\bu_\bd_\bo_\be_\br_\bs, which is configured via the
+ file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs, or via LDAP. See the _\bP_\bL_\bU_\bG_\bI_\bN_\bS section for more
+ information.
+
+ The security policy determines what privileges, if any, a user has to run
+ s\bsu\bud\bdo\bo. The policy may require that users authenticate themselves with a
+ password or another authentication mechanism. If authentication is
+ required, s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
+ configurable time limit. This limit is policy-specific; the default
+ password prompt timeout for the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy is 5 minutes.
+
+ Security policies may support credential caching to allow the user to run
+ s\bsu\bud\bdo\bo again for a period of time without requiring authentication. The
+ _\bs_\bu_\bd_\bo_\be_\br_\bs policy caches credentials for 5 minutes, unless overridden in
+ sudoers(4). By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update the
+ cached credentials without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd.
+
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
+
+ Security policies may log successful and failed attempts to use s\bsu\bud\bdo\bo. If
+ an I/O plugin is configured, the running command's input and output may
+ be logged as well.
+
+ The options are as follows:
+
+ -\b-A\bA Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
+ the user's terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
+ specified, a (possibly graphical) helper program is executed
+ to read the user's password and output the password to the
+ standard output. If the SUDO_ASKPASS environment variable is
+ set, it specifies the path to the helper program. Otherwise,
+ if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf contains a line specifying the askpass
+ program, that value will be used. For example:
+
+ # Path to askpass helper program
+ Path askpass /usr/X11R6/bin/ssh-askpass
+
+ If no askpass program is available, s\bsu\bud\bdo\bo will exit with an
+ error.
+
+ -\b-a\ba _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
+ specified authentication type when validating the user, as
+ allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
+ specify a list of sudo-specific authentication methods by
+ adding an ``auth-sudo'' entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
+ option is only available on systems that support BSD
+ authentication.
+
+ -\b-b\bb The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ command in the background. Note that if you use the -\b-b\bb
+ option you cannot use shell job control to manipulate the
+ process. Most interactive commands will fail to work
+ properly in background mode.
+
+ -\b-C\bC _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
+ than standard input, standard output and standard error. The
+ -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a starting
+ point above the standard error (file descriptor three).
+ Values less than three are not permitted. The security
+ policy may restrict the user's ability to use the -\b-C\bC option.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs policy only permits use of the -\b-C\bC option when the
+ administrator has enabled the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option.
+
+ -\b-c\bc _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ command with resources limited by the specified login class.
+ The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as defined in
+ _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single `-' character. Specifying a
+ _\bc_\bl_\ba_\bs_\bs of - indicates that the command should be run
+ restricted by the default login capabilities for the user the
+ command is run as. If the _\bc_\bl_\ba_\bs_\bs argument specifies an
+ existing user class, the command must be run as root, or the
+ s\bsu\bud\bdo\bo command must be run from a shell that is already root.
+ This option is only available on systems with BSD login
+ classes.
+
+ -\b-E\bE The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option indicates to the
+ security policy that the user wishes to preserve their
+ existing environment variables. The security policy may
+ return an error if the -\b-E\bE option is specified and the user
+ does not have permission to preserve the environment.
+
+ -\b-e\be The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
+ command, the user wishes to edit one or more files. In lieu
+ of a command, the string "sudoedit" is used when consulting
+ the security policy. If the user is authorized by the
+ policy, the following steps are taken:
+
+ 1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
- 2. The editor specified by the policy is run to edit the
+ 2. The editor specified by the policy is run to edit the
temporary files. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy uses the
SUDO_EDITOR, VISUAL and EDITOR environment variables
(in that order). If none of SUDO_EDITOR, VISUAL or
EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
- _\bs_\bu_\bd_\bo_\be_\br_\bs(4) option is used.
+ sudoers(4) option is used.
- 3. If they have been modified, the temporary files are
+ 3. If they have been modified, the temporary files are
copied back to their original location and the
temporary versions are removed.
- If the specified file does not exist, it will be created.
- Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
- run with the invoking user's environment unmodified. If,
- for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
- edited version, the user will receive a warning and the
- edited copy will remain in a temporary file.
-
- -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo runs a command with the primary group set to
- the one specified by the password database for the user the
- command is being run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp)
- option causes s\bsu\bud\bdo\bo to run the command with the primary
- group set to _\bg_\br_\bo_\bu_\bp instead. To specify a _\bg_\bi_\bd instead of a
- _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be, use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many
- shells require that the '#' be escaped with a backslash
- ('\'). If no -\b-u\bu option is specified, the command will be
- run as the invoking user (not root). In either case, the
- primary group will be set to _\bg_\br_\bo_\bu_\bp.
-
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option requests that the security policy set
- the HOME environment variable to the home directory of the
- target user (root by default) as specified by the password
- database. Depending on the policy, this may be the default
- behavior.
-
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a short help
- message to the standard output and exit.
-
- -i [command]
- The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
- specified by the password database entry of the target user
- as a login shell. This means that login-specific resource
- files such as .profile or .login will be read by the shell.
- If a command is specified, it is passed to the shell for
- execution via the shell's -\b-c\bc option. If no command is
- specified, an interactive shell is executed. s\bsu\bud\bdo\bo attempts
- to change to that user's home directory before running the
- shell. The security policy shall initialize the
- environment to a minimal set of variables, similar to what
- is present when a user logs in. The _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\bE_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt
- section in the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual documents how the -\b-i\bi
- option affects the environment in which a command is run
- when the _\bs_\bu_\bd_\bo_\be_\br_\bs policy is in use.
-
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
- the user's cached credentials entirely and may not be used
- in conjunction with a command or other option. This option
- does not require a password. Not all security policies
- support credential caching.
-
- -k [command]
- When used alone, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates
- the user's cached credentials. The next time s\bsu\bud\bdo\bo is run a
- password will be required. This option does not require a
- password and was added to allow a user to revoke s\bsu\bud\bdo\bo
- permissions from a .logout file. Not all security policies
- support credential caching.
-
- When used in conjunction with a command or an option that
- may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
- ignore the user's cached credentials. As a result, s\bsu\bud\bdo\bo
- will prompt for a password (if one is required by the
- security policy) and will not update the user's cached
- credentials.
-
- -l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
- the allowed (and forbidden) commands for the invoking user
- (or the user specified by the -\b-U\bU option) on the current
- host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by the
- security policy, the fully-qualified path to the command is
- displayed along with any command line arguments. If
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
- status value of 1. If the -\b-l\bl option is specified with an l\bl
- argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
- a longer list format is used.
-
- -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
- prompting the user for a password. If a password is
- required for the command to run, s\bsu\bud\bdo\bo will display an error
- messages and exit.
-
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the invoking user's group vector unaltered. By
- default, the _\bs_\bu_\bd_\bo_\be_\br_\bs policy will initialize the group
- vector to the list of groups the target user is in. The
- real and effective group IDs, however, are still set to
- match the target user.
-
- -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
- password prompt and use a custom one. The following
- percent (`%') escapes are supported by the _\bs_\bu_\bd_\bo_\be_\br_\bs policy:
-
- %H expanded to the host name including the domain name (on
- if the machine's host name is fully qualified or the
- _\bf_\bq_\bd_\bn option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4))
-
- %h expanded to the local host name without the domain name
-
- %p expanded to the name of the user whose password is
- being requested (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
- _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs(4))
-
- %U expanded to the login name of the user the command will
- be run as (defaults to root unless the -u option is
- also specified)
-
- %u expanded to the invoking user's login name
-
- %% two consecutive % characters are collapsed into a
- single % character
-
- The prompt specified by the -\b-p\bp option will override the
- system password prompt on systems that support PAM unless
- the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
- context to have the role specified by _\br_\bo_\bl_\be.
-
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
- the standard input instead of the terminal device. The
- password must be followed by a newline character.
-
- -s [command]
- The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
- environment variable if it is set or the shell as specified
- in the password database. If a command is specified, it is
- passed to the shell for execution via the shell's -\b-c\bc
- option. If no command is specified, an interactive shell
- is executed.
-
- -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
- context to have the type specified by _\bt_\by_\bp_\be. If no type is
- specified, the default type is derived from the specified
- role.
-
- -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
- -\b-l\bl option to specify the user whose privileges should be
- listed. The security policy may restrict listing other
- users' privileges. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy only allows root or
- a user with the ALL privilege on the current host to use
- this option.
-
- -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
- a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
- backslash ('\'). Security policies may restrict _\bu_\bi_\bds to
- those listed in the password database. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy
- allows _\bu_\bi_\bds that are not in the password database as long
- as the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw option is not set. Other security policies
- may not support this.
-
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print its version
- string and the version string of the security policy plugin
- and any I/O plugins. If the invoking user is already root
- the -\b-V\bV option will display the arguments passed to
- configure when _\bs_\bu_\bd_\bo was built and plugins may display more
- verbose information such as default options.
-
- -v When given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
- user's cached credentials, authenticating the user's
- password if necessary. For the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin, this
- extends the s\bsu\bud\bdo\bo timeout for another 5 minutes (or whatever
- the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a
- command. Not all security policies support cached
- credentials.
-
- -- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
- command line arguments.
-
- Environment variables to be set for the command may also be passed on
- the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
- L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
- line are subject to the same restrictions as normal environment
- variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
- matched is ALL, the user may set variables that would otherwise be
- forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
+ If the specified file does not exist, it will be created.
+ Note that unlike most commands run by _\bs_\bu_\bd_\bo, the editor is run
+ with the invoking user's environment unmodified. If, for
+ some reason, s\bsu\bud\bdo\bo is unable to update a file with its edited
+ version, the user will receive a warning and the edited copy
+ will remain in a temporary file.
+
+ -\b-g\bg _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo runs a command with the primary group set to
+ the one specified by the password database for the user the
+ command is being run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp)
+ option causes s\bsu\bud\bdo\bo to run the command with the primary group
+ set to _\bg_\br_\bo_\bu_\bp instead. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp
+ _\bn_\ba_\bm_\be, use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
+ require that the `#' be escaped with a backslash (`\'). If
+ no -\b-u\bu option is specified, the command will be run as the
+ invoking user (not root). In either case, the primary group
+ will be set to _\bg_\br_\bo_\bu_\bp.
+
+ -\b-H\bH The -\b-H\bH (_\bH_\bO_\bM_\bE) option requests that the security policy set
+ the HOME environment variable to the home directory of the
+ target user (root by default) as specified by the password
+ database. Depending on the policy, this may be the default
+ behavior.
+
+ -\b-h\bh The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a short help
+ message to the standard output and exit.
+
+ -\b-i\bi [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
+ specified by the password database entry of the target user
+ as a login shell. This means that login-specific resource
+ files such as _\b._\bp_\br_\bo_\bf_\bi_\bl_\be or _\b._\bl_\bo_\bg_\bi_\bn will be read by the shell.
+ If a command is specified, it is passed to the shell for
+ execution via the shell's -\b-c\bc option. If no command is
+ specified, an interactive shell is executed. s\bsu\bud\bdo\bo attempts
+ to change to that user's home directory before running the
+ shell. The security policy shall initialize the environment
+ to a minimal set of variables, similar to what is present
+ when a user logs in. The _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\bE_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt section in the
+ sudoers(4) manual documents how the -\b-i\bi option affects the
+ environment in which a command is run when the _\bs_\bu_\bd_\bo_\be_\br_\bs policy
+ is in use.
+
+ -\b-K\bK The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ the user's cached credentials entirely and may not be used in
+ conjunction with a command or other option. This option does
+ not require a password. Not all security policies support
+ credential caching.
+
+ -\b-k\bk [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ When used alone, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the
+ user's cached credentials. The next time s\bsu\bud\bdo\bo is run a
+ password will be required. This option does not require a
+ password and was added to allow a user to revoke s\bsu\bud\bdo\bo
+ permissions from a _\b._\bl_\bo_\bg_\bo_\bu_\bt file. Not all security policies
+ support credential caching.
+
+ When used in conjunction with a command or an option that may
+ require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to ignore
+ the user's cached credentials. As a result, s\bsu\bud\bdo\bo will prompt
+ for a password (if one is required by the security policy)
+ and will not update the user's cached credentials.
+
+ -\b-l\bl[l\bl] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
+ the allowed (and forbidden) commands for the invoking user
+ (or the user specified by the -\b-U\bU option) on the current host.
+ If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by the security
+ policy, the fully-qualified path to the command is displayed
+ along with any command line arguments. If _\bc_\bo_\bm_\bm_\ba_\bn_\bd is
+ specified but not allowed, s\bsu\bud\bdo\bo will exit with a status value
+ of 1. If the -\b-l\bl option is specified with an _\bl argument (i.e.
+ -\b-l\bll\bl), or if -\b-l\bl is specified multiple times, a longer list
+ format is used.
+
+ -\b-n\bn The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from prompting
+ the user for a password. If a password is required for the
+ command to run, s\bsu\bud\bdo\bo will display an error message and exit.
+
+ -\b-P\bP The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to preserve
+ the invoking user's group vector unaltered. By default, the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs policy will initialize the group vector to the list
+ of groups the target user is in. The real and effective
+ group IDs, however, are still set to match the target user.
+
+ -\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ password prompt and use a custom one. The following percent
+ (`%') escapes are supported by the _\bs_\bu_\bd_\bo_\be_\br_\bs policy:
+
+ %H expanded to the host name including the domain name (on
+ if the machine's host name is fully qualified or the _\bf_\bq_\bd_\bn
+ option is set in sudoers(4))
+
+ %h expanded to the local host name without the domain name
+
+ %p expanded to the name of the user whose password is being
+ requested (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw, and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in sudoers(4))
+
+ %U expanded to the login name of the user the command will
+ be run as (defaults to root unless the -\b-u\bu option is also
+ specified)
+
+ %u expanded to the invoking user's login name
+
+ %% two consecutive `%' characters are collapsed into a
+ single `%' character
+
+ The prompt specified by the -\b-p\bp option will override the
+ system password prompt on systems that support PAM unless the
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ -\b-r\br _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
+ context to have the role specified by _\br_\bo_\bl_\be.
+
+ -\b-S\bS The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ the standard input instead of the terminal device. The
+ password must be followed by a newline character.
+
+ -\b-s\bs [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the SHELL
+ environment variable if it is set or the shell as specified
+ in the password database. If a command is specified, it is
+ passed to the shell for execution via the shell's -\b-c\bc option.
+ If no command is specified, an interactive shell is executed.
+
+ -\b-t\bt _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
+ context to have the type specified by _\bt_\by_\bp_\be. If no type is
+ specified, the default type is derived from the specified
+ role.
+
+ -\b-U\bU _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the -\b-l\bl
+ option to specify the user whose privileges should be listed.
+ The security policy may restrict listing other users'
+ privileges. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy only allows root or a user
+ with the ALL privilege on the current host to use this
+ option.
+
+ -\b-u\bu _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified command
+ as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd instead of a
+ _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd, many shells
+ require that the `#' be escaped with a backslash (`\').
+ Security policies may restrict _\bu_\bi_\bds to those listed in the
+ password database. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy allows _\bu_\bi_\bds that are
+ not in the password database as long as the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw option
+ is not set. Other security policies may not support this.
+
+ -\b-V\bV The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print its version
+ string and the version string of the security policy plugin
+ and any I/O plugins. If the invoking user is already root
+ the -\b-V\bV option will display the arguments passed to configure
+ when s\bsu\bud\bdo\bo was built and plugins may display more verbose
+ information such as default options.
+
+ -\b-v\bv When given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ user's cached credentials, authenticating the user's password
+ if necessary. For the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin, this extends the s\bsu\bud\bdo\bo
+ timeout for another 5 minutes (or whatever the timeout is set
+ to by the security policy) but does not run a command. Not
+ all security policies support cached credentials.
+
+ -\b--\b- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
+ command line arguments.
+
+ Environment variables to be set for the command may also be passed on the
+ command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
+ L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command line
+ are subject to the same restrictions as normal environment variables with
+ one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ command to be run has the SETENV tag set or the command matched is ALL,
+ the user may set variables that would otherwise be forbidden. See
+ sudoers(4) for more information.
+
+C\bCO\bOM\bMM\bMA\bAN\bND\bD E\bEX\bXE\bEC\bCU\bUT\bTI\bIO\bON\bN
+ When s\bsu\bud\bdo\bo executes a command, the security policy specifies the execution
+ envionment for the command. Typically, the real and effective uid and
+ gid are set to match those of the target user, as specified in the
+ password database, and the group vector is initialized based on the group
+ database (unless the -\b-P\bP option was specified).
+
+ The following parameters may be specified by security policy:
+
+ o\bo real and effective user ID
+
+ o\bo real and effective group ID
+
+ o\bo supplementary group IDs
+
+ o\bo the environment list
+
+ o\bo current working directory
+
+ o\bo file creation mode mask (umask)
+
+ o\bo SELinux role and type
+
+ o\bo Solaris project
+
+ o\bo Solaris privileges
+
+ o\bo BSD login class
+
+ o\bo scheduling priority (aka nice value)
+
+ P\bPr\bro\boc\bce\bes\bss\bs m\bmo\bod\bde\bel\bl
+ When s\bsu\bud\bdo\bo runs a command, it calls fork(2), sets up the execution
+ environment as described above, and calls the execve system call in the
+ child process. The main s\bsu\bud\bdo\bo process waits until the command has
+ completed, then passes the command's exit status to the security policy's
+ close method and exits. If an I/O logging plugin is configured, a new
+ pseudo-terminal (``pty'') is created and a second s\bsu\bud\bdo\bo process is used to
+ relay job control signals between the user's existing pty and the new pty
+ the command is being run in. This extra process makes it possible to,
+ for example, suspend and resume the command. Without it, the command
+ would be in what POSIX terms an ``orphaned process group'' and it would
+ not receive any job control signals.
+
+ S\bSi\big\bgn\bna\bal\bl h\bha\ban\bnd\bdl\bli\bin\bng\bg
+ Because the command is run as a child of the s\bsu\bud\bdo\bo process, s\bsu\bud\bdo\bo will
+ relay signals it receives to the command. Unless the command is being
+ run in a new pty, the SIGHUP, SIGINT and SIGQUIT signals are not relayed
+ unless they are sent by a user process, not the kernel. Otherwise, the
+ command would receive SIGINT twice every time the user entered control-C.
+ Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will
+ not be relayed to the command. As a general rule, SIGTSTP should be used
+ instead of SIGSTOP when you wish to suspend a command being run by s\bsu\bud\bdo\bo.
+
+ As a special case, s\bsu\bud\bdo\bo will not relay signals that were sent by the
+ command it is running. This prevents the command from accidentally
+ killing itself. On some systems, the reboot(1m) command sends SIGTERM to
+ all non-system processes other than itself before rebooting the systyem.
+ This prevents s\bsu\bud\bdo\bo from relaying the SIGTERM signal it received back to
+ reboot(1m), which might then exit before the system was actually rebooted,
+ leaving it in a half-dead state similar to single user mode. Note,
+ however, that this check only applies to the command run by s\bsu\bud\bdo\bo and not
+ any other processes that the command may create. As a result, running a
+ script that calls reboot(1m) or shutdown(1m) via s\bsu\bud\bdo\bo may cause the system
+ to end up in this undefined state unless the reboot(1m) or shutdown(1m) are
+ run using the e\bex\bxe\bec\bc() family of functions instead of s\bsy\bys\bst\bte\bem\bm() (which
+ interposes a shell between the command and the calling process).
P\bPL\bLU\bUG\bGI\bIN\bNS\bS
- Plugins are dynamically loaded based on the contents of the
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it
- contains no Plugin lines, s\bsu\bud\bdo\bo will use the traditional _\bs_\bu_\bd_\bo_\be_\br_\bs
- security policy and I/O logging, which corresponds to the following
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
-
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
-
- A Plugin line consists of the Plugin keyword, followed by the
- _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be and the _\bp_\ba_\bt_\bh to the shared object containing the plugin.
- The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be is the name of the struct policy_plugin or struct
- io_plugin in the plugin shared object. The _\bp_\ba_\bt_\bh may be fully qualified
- or relative. If not fully qualified it is relative to the
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any additional parameters after the _\bp_\ba_\bt_\bh
- are passed as arguments to the plugin's _\bo_\bp_\be_\bn function. Lines that
- don't begin with Plugin, Path, Debug or Set are silently ignored.
-
- For more information, see the _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m) manual.
+ Plugins are dynamically loaded based on the contents of the
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it
+ contains no Plugin lines, s\bsu\bud\bdo\bo will use the traditional _\bs_\bu_\bd_\bo_\be_\br_\bs security
+ policy and I/O logging, which corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file.
+
+ #
+ # Default /etc/sudo.conf file
+ #
+ # Format:
+ # Plugin plugin_name plugin_path plugin_options ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
+ #
+ # The plugin_path is relative to /usr/local/libexec unless
+ # fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ # that contains the plugin interface structure.
+ # The plugin_options are optional.
+ #
+ Plugin policy_plugin sudoers.so
+ Plugin io_plugin sudoers.so
+
+ A Plugin line consists of the Plugin keyword, followed by the _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
+ and the _\bp_\ba_\bt_\bh to the shared object containing the plugin. The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
+ is the name of the struct policy_plugin or struct io_plugin in the plugin
+ shared object. The _\bp_\ba_\bt_\bh may be fully qualified or relative. If not
+ fully qualified it is relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any
+ additional parameters after the _\bp_\ba_\bt_\bh are passed as arguments to the
+ plugin's _\bo_\bp_\be_\bn function. Lines that don't begin with Plugin, Path, Debug,
+ or Set are silently ignored.
+
+ For more information, see the sudo_plugin(1m) manual.
P\bPA\bAT\bTH\bHS\bS
- A Path line consists of the Path keyword, followed by the name of the
- path to set and its value. E.g.
-
- Path noexec /usr/local/libexec/sudo_noexec.so
- Path askpass /usr/X11R6/bin/ssh-askpass
-
- The following plugin-agnostic paths may be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file.
-
- askpass The fully qualified path to a helper program used to
- read the user's password when no terminal is available.
- This may be the case when s\bsu\bud\bdo\bo is executed from a
- graphical (as opposed to text-based) application. The
- program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should display the
- argument passed to it as the prompt and write the
- user's password to the standard output. The value of
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS
- environment variable.
-
- noexec The fully-qualified path to a shared library containing
- dummy versions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b)
- library functions that just return an error. This is
- used to implement the _\bn_\bo_\be_\bx_\be_\bc functionality on systems
- that support LD_PRELOAD or its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+ A Path line consists of the Path keyword, followed by the name of the
+ path to set and its value. E.g.
+
+ Path noexec /usr/local/libexec/sudo_noexec.so
+ Path askpass /usr/X11R6/bin/ssh-askpass
+
+ The following plugin-agnostic paths may be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file:
+
+ askpass The fully qualified path to a helper program used to read the
+ user's password when no terminal is available. This may be the
+ case when s\bsu\bud\bdo\bo is executed from a graphical (as opposed to
+ text-based) application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs
+ should display the argument passed to it as the prompt and
+ write the user's password to the standard output. The value of
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
+ variable.
+
+ noexec The fully-qualified path to a shared library containing dummy
+ versions of the e\bex\bxe\bec\bcv\bv(), e\bex\bxe\bec\bcv\bve\be() and f\bfe\bex\bxe\bec\bcv\bve\be() library
+ functions that just return an error. This is used to implement
+ the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support LD_PRELOAD or
+ its equivalent. Defaults to _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
- s\bsu\bud\bdo\bo versions 1.8.4 and higher support a flexible debugging framework
- that can help track down what s\bsu\bud\bdo\bo is doing internally if there is a
- problem.
+ s\bsu\bud\bdo\bo versions 1.8.4 and higher support a flexible debugging framework
+ that can help track down what s\bsu\bud\bdo\bo is doing internally if there is a
+ problem.
- A Debug line consists of the Debug keyword, followed by the name of the
- program to debug (s\bsu\bud\bdo\bo, v\bvi\bis\bsu\bud\bdo\bo, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by), the debug file name and a
- comma-separated list of debug flags. The debug flag syntax used by
- s\bsu\bud\bdo\bo and the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is
- free to use a different format so long as it does not include a command
- ,.
+ A Debug line consists of the Debug keyword, followed by the name of the
+ program to debug (s\bsu\bud\bdo\bo, v\bvi\bis\bsu\bud\bdo\bo, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by), the debug file name and a
+ comma-separated list of debug flags. The debug flag syntax used by s\bsu\bud\bdo\bo
+ and the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is free to
+ use a different format so long as it does not include a comma (`,').
- For instance:
+ For instance:
- Debug sudo /var/log/sudo_debug all@warn,plugin@info
+ Debug sudo /var/log/sudo_debug all@warn,plugin@info
- would log all debugging statements at the _\bw_\ba_\br_\bn level and higher in
- addition to those at the _\bi_\bn_\bf_\bo level for the plugin subsystem.
+ would log all debugging statements at the _\bw_\ba_\br_\bn level and higher in
+ addition to those at the _\bi_\bn_\bf_\bo level for the plugin subsystem.
- Currently, only one Debug entry per program is supported. The sudo
- Debug entry is shared by the s\bsu\bud\bdo\bo front end, s\bsu\bud\bdo\boe\bed\bdi\bit\bt and the plugins.
- A future release may add support for per-plugin Debug lines and/or
- support for multiple debugging files for a single program.
+ Currently, only one Debug entry per program is supported. The s\bsu\bud\bdo\bo Debug
+ entry is shared by the s\bsu\bud\bdo\bo front end, s\bsu\bud\bdo\boe\bed\bdi\bit\bt and the plugins. A
+ future release may add support for per-plugin Debug lines and/or support
+ for multiple debugging files for a single program.
- The priorities used by the s\bsu\bud\bdo\bo front end, in order of decreasing
- severity, are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
- Each priority, when specified, also includes all priorities higher than
- it. For example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages
- logged at _\bn_\bo_\bt_\bi_\bc_\be and higher.
+ The priorities used by the s\bsu\bud\bdo\bo front end, in order of decreasing
+ severity, are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
+ Each priority, when specified, also includes all priorities higher than
+ it. For example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages
+ logged at _\bn_\bo_\bt_\bi_\bc_\be and higher.
- The following subsystems are used by s\bsu\bud\bdo\bo:
+ The following subsystems are used by the s\bsu\bud\bdo\bo front-end:
- _\ba_\bl_\bl matches every subsystem
+ _\ba_\bl_\bl matches every subsystem
- _\ba_\br_\bg_\bs command line argument processing
+ _\ba_\br_\bg_\bs command line argument processing
- _\bc_\bo_\bn_\bv user conversation
+ _\bc_\bo_\bn_\bv user conversation
- _\be_\bd_\bi_\bt sudoedit
+ _\be_\bd_\bi_\bt sudoedit
- _\be_\bx_\be_\bc command execution
+ _\be_\bx_\be_\bc command execution
- _\bm_\ba_\bi_\bn s\bsu\bud\bdo\bo main function
+ _\bm_\ba_\bi_\bn s\bsu\bud\bdo\bo main function
- _\bn_\be_\bt_\bi_\bf network interface handling
+ _\bn_\be_\bt_\bi_\bf network interface handling
- _\bp_\bc_\bo_\bm_\bm communication with the plugin
+ _\bp_\bc_\bo_\bm_\bm communication with the plugin
- _\bp_\bl_\bu_\bg_\bi_\bn plugin configuration
+ _\bp_\bl_\bu_\bg_\bi_\bn plugin configuration
- _\bp_\bt_\by pseudo-tty related code
+ _\bp_\bt_\by pseudo-tty related code
- _\bs_\be_\bl_\bi_\bn_\bu_\bx SELinux-specific handling
+ _\bs_\be_\bl_\bi_\bn_\bu_\bx SELinux-specific handling
- _\bu_\bt_\bi_\bl utility functions
+ _\bu_\bt_\bi_\bl utility functions
- _\bu_\bt_\bm_\bp utmp handling
+ _\bu_\bt_\bm_\bp utmp handling
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
- simply be the exit status of the program that was executed.
+E\bEX\bXI\bIT\bT V\bVA\bAL\bLU\bUE\bE
+ Upon successful execution of a program, the exit status from _\bs_\bu_\bd_\bo will
+ simply be the exit status of the program that was executed.
- Otherwise, s\bsu\bud\bdo\bo exits with a value of 1 if there is a
- configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
- command. In the latter case the error string is printed to the
- standard error. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the
- user's PATH, an error is printed on stderr. (If the directory does not
- exist or if it is not really a directory, the entry is ignored and no
- error is printed.) This should not happen under normal circumstances.
- The most common reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if
- you are running an automounter and one of the directories in your PATH
- is on a machine that is currently unreachable.
+ Otherwise, s\bsu\bud\bdo\bo exits with a value of 1 if there is a
+ configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
+ command. In the latter case the error string is printed to the standard
+ error. If s\bsu\bud\bdo\bo cannot stat(2) one or more entries in the user's PATH, an
+ error is printed on stderr. (If the directory does not exist or if it is
+ not really a directory, the entry is ignored and no error is printed.)
+ This should not happen under normal circumstances. The most common
+ reason for stat(2) to return ``permission denied'' is if you are running
+ an automounter and one of the directories in your PATH is on a machine
+ that is currently unreachable.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- s\bsu\bud\bdo\bo tries to be safe when executing external commands.
-
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
- current directory) last when searching for a command in the user's PATH
- (if one or both are in the PATH). Note, however, that the actual PATH
- environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
- program that s\bsu\bud\bdo\bo executes.
-
- Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
- runs. If a user runs a command such as sudo su or sudo sh, subsequent
- commands run from that shell are not subject to s\bsu\bud\bdo\bo's security policy.
- The same is true for commands that offer shell escapes (including most
- editors). If I/O logging is enabled, subsequent commands will have
- their input and/or output logged, but there will not be traditional
- logs for those commands. Because of this, care must be taken when
- giving users access to commands via s\bsu\bud\bdo\bo to verify that the command
- does not inadvertently give the user an effective root shell. For more
- information, please see the PREVENTING SHELL ESCAPES section in
- _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-
- To prevent the disclosure of potentially sensitive information, s\bsu\bud\bdo\bo
- disables core dumps by default while it is executing (they are re-
- enabled for the command that is run). To aid in debugging s\bsu\bud\bdo\bo
- crashes, you may wish to re-enable core dumps by setting
- "disable_coredump" to false in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
-
- Set disable_coredump false
-
- Note that by default, most operating systems disable core dumps from
- setuid programs, which includes s\bsu\bud\bdo\bo. To actually get a s\bsu\bud\bdo\bo core file
- you may need to enable core dumps for setuid processes. On BSD and
- Linux systems this is accomplished via the sysctl command, on Solaris
- the coreadm command can be used.
+ s\bsu\bud\bdo\bo tries to be safe when executing external commands.
+
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
+
+ Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
+ runs. If a user runs a command such as sudo su or sudo sh, subsequent
+ commands run from that shell are not subject to s\bsu\bud\bdo\bo's security policy.
+ The same is true for commands that offer shell escapes (including most
+ editors). If I/O logging is enabled, subsequent commands will have their
+ input and/or output logged, but there will not be traditional logs for
+ those commands. Because of this, care must be taken when giving users
+ access to commands via s\bsu\bud\bdo\bo to verify that the command does not
+ inadvertently give the user an effective root shell. For more
+ information, please see the _\bP_\bR_\bE_\bV_\bE_\bN_\bT_\bI_\bN_\bG _\bS_\bH_\bE_\bL_\bL _\bE_\bS_\bC_\bA_\bP_\bE_\bS section in
+ sudoers(4).
+
+ To prevent the disclosure of potentially sensitive information, s\bsu\bud\bdo\bo
+ disables core dumps by default while it is executing (they are re-enabled
+ for the command that is run). To aid in debugging s\bsu\bud\bdo\bo crashes, you may
+ wish to re-enable core dumps by setting ``disable_coredump'' to false in
+ the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file as follows:
+
+ Set disable_coredump false
+
+ Note that by default, most operating systems disable core dumps from
+ setuid programs, which includes s\bsu\bud\bdo\bo. To actually get a s\bsu\bud\bdo\bo core file
+ you may need to enable core dumps for setuid processes. On BSD and Linux
+ systems this is accomplished via the sysctl command, on Solaris the
+ coreadm command can be used.
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables. The security policy
- has control over the content of the command's environment.
+ s\bsu\bud\bdo\bo utilizes the following environment variables. The security policy
+ has control over the actual content of the command's environment.
- EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
- SUDO_EDITOR nor VISUAL is set
+ EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
+ SUDO_EDITOR nor VISUAL is set.
- MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
- to the mail spool of the target user
+ MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
+ to the mail spool of the target user.
- HOME Set to the home directory of the target user if -\b-i\bi or
- -\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
- _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ HOME Set to the home directory of the target user if -\b-i\bi or -\b-H\bH
+ are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and _\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ is set in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- PATH May be overridden by the security policy.
+ PATH May be overridden by the security policy.
- SHELL Used to determine shell to run with -s option
+ SHELL Used to determine shell to run with -\b-s\bs option.
- SUDO_ASKPASS Specifies the path to a helper program used to read the
- password if no terminal is available or if the -A
- option is specified.
+ SUDO_ASKPASS Specifies the path to a helper program used to read the
+ password if no terminal is available or if the -\b-A\bA option
+ is specified.
- SUDO_COMMAND Set to the command run by sudo
+ SUDO_COMMAND Set to the command run by sudo.
- SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
+ SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode.
- SUDO_GID Set to the group ID of the user who invoked sudo
+ SUDO_GID Set to the group ID of the user who invoked sudo.
- SUDO_PROMPT Used as the default password prompt
+ SUDO_PROMPT Used as the default password prompt.
- SUDO_PS1 If set, PS1 will be set to its value for the program
- being run
+ SUDO_PS1 If set, PS1 will be set to its value for the program
+ being run.
- SUDO_UID Set to the user ID of the user who invoked sudo
+ SUDO_UID Set to the user ID of the user who invoked sudo.
- SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_USER Set to the login name of the user who invoked sudo.
- USER Set to the target user (root unless the -\b-u\bu option is
- specified)
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified).
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
- SUDO_EDITOR is not set
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
+ SUDO_EDITOR is not set.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf s\bsu\bud\bdo\bo front end configuration
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf s\bsu\bud\bdo\bo front end configuration
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume a properly configured security
- policy.
+ Note: the following examples assume a properly configured security
+ policy.
- To get a file listing of an unreadable directory:
+ To get a file listing of an unreadable directory:
- $ sudo ls /usr/local/protected
+ $ sudo ls /usr/local/protected
- To list the home directory of user yaz on a machine where the file
- system holding ~yaz is not exported as root:
+ To list the home directory of user yaz on a machine where the file system
+ holding ~yaz is not exported as root:
- $ sudo -u yaz ls ~yaz
+ $ sudo -u yaz ls ~yaz
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
- $ sudo -u www vi ~www/htdocs/index.html
+ $ sudo -u www vi ~www/htdocs/index.html
- To view system logs only accessible to root and users in the adm group:
+ To view system logs only accessible to root and users in the adm group:
- $ sudo -g adm view /var/log/syslog
+ $ sudo -g adm view /var/log/syslog
- To run an editor as jim with a different primary group:
+ To run an editor as jim with a different primary group:
- $ sudo -u jim -g audio vi ~jim/sound.txt
+ $ sudo -u jim -g audio vi ~jim/sound.txt
- To shutdown a machine:
+ To shut down a machine:
- $ sudo shutdown -r +15 "quick reboot"
+ $ sudo shutdown -r +15 "quick reboot"
- To make a usage listing of the directories in the /home partition.
- Note that this runs the commands in a sub-shell to make the cd and file
- redirection work.
+ To make a usage listing of the directories in the /home partition. Note
+ that this runs the commands in a sub-shell to make the cd and file
+ redirection work.
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4),
- _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m), _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+ grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
+ sudo_plugin(1m), sudoreplay(1m), visudo(1m)
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
- of code written primarily by:
+H\bHI\bIS\bST\bTO\bOR\bRY\bY
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
- Todd C. Miller
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
+ code written primarily by:
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (http://www.sudo.ws/sudo/contributors.html) for a list of people who
- have contributed to s\bsu\bud\bdo\bo.
+ Todd C. Miller
-H\bHI\bIS\bST\bTO\bOR\bRY\bY
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution
- (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
+ See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
+ people who have contributed to s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if
- that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
- programs (such as editors) allow the user to run commands via shell
- escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
- possible to prevent shell escapes with the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) module's _\bn_\bo_\be_\bx_\be_\bc
- functionality.
+ There is no easy way to prevent a user from gaining a root shell if that
+ user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many programs
+ (such as editors) allow the user to run commands via shell escapes, thus
+ avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
+ prevent shell escapes with the sudoers(4) plugin's _\bn_\bo_\be_\bx_\be_\bc functionality.
- It is not meaningful to run the cd command directly via sudo, e.g.,
+ It is not meaningful to run the cd command directly via sudo, e.g.,
- $ sudo cd /usr/local/protected
+ $ sudo cd /usr/local/protected
- since when the command exits the parent process (your shell) will still
- be the same. Please see the EXAMPLES section for more information.
+ since when the command exits the parent process (your shell) will still
+ be the same. Please see the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS section for more information.
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
- make setuid shell scripts unsafe on some operating systems (if your OS
- has a /dev/fd/ directory, setuid shell scripts are generally safe).
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that make
+ setuid shell scripts unsafe on some operating systems (if your OS has a
+ /dev/fd/ directory, setuid shell scripts are generally safe).
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.8.5 March 15, 2012 SUDO(1m)
+Sudo 1.8.6 July 10, 2012 Sudo 1.8.6
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
+.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
-.\"
-.nr SL @SEMAN@
-.nr BA @BAMAN@
-.nr LC @LCMAN@
-.nr PT @password_timeout@
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
.\"
-.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "March 15, 2012" "1.8.5" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDO" "@mansectsu@" "July 10, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudo, sudoedit \- execute a command as another user
+\fBsudo\fR,
+\fBsudoedit\fR
+\- execute a command as another user
.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR
-.PP
-\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
-.PP
-\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
-.PP
-\&\fBsudo\fR [\fB\-AbEHnPS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+.HP 5n
+\fBsudo\fR
+\fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-V\fR
+.PD 0
+.HP 5n
+\fBsudo\fR
+\fB\-v\fR
+[\fB\-AknS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+.br
+.HP 5n
+\fBsudo\fR
+\fB\-l\fR[\fIl\fR]
+[\fB\-AknS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-U\fR\ \fIuser\ name\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+[\fIcommand\fR]
+.br
+.HP 5n
+\fBsudo\fR
+[\fB\-AbEHnPS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
-[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
-[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
-.PP
-\&\fBsudoedit\fR [\fB\-AnS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-r\fR\ \fIrole\fR]
+[\fB\-t\fR\ \fItype\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+[\fBVAR\fR=\fIvalue\fR]
+\fB\-i\fR\ |\ \fB\-s\fR
+[\fIcommand\fR]
+.br
+.HP 9n
+\fBsudoedit\fR
+[\fB\-AnS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
+[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+file ...
+.PD
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
-superuser or another user, as specified by the security policy.
-The real and effective uid and gid are set to match those of the
-target user, as specified in the password database, and the group
-vector is initialized based on the group database (unless the \fB\-P\fR
-option was specified).
+\fBsudo\fR
+allows a permitted user to execute a
+\fIcommand\fR
+as the superuser or another user, as specified by the security
+policy.
.PP
-\&\fBsudo\fR supports a plugin architecture for security policies and
-input/output logging. Third parties can develop and distribute
-their own policy and I/O logging modules to work seamlessly with
-the \fBsudo\fR front end. The default security policy is \fIsudoers\fR,
-which is configured via the file \fI@sysconfdir@/sudoers\fR, or via
-\&\s-1LDAP\s0. See the \s-1PLUGINS\s0 section for more information.
+\fBsudo\fR
+supports a plugin architecture for security policies and input/output
+logging.
+Third parties can develop and distribute their own policy and I/O
+logging plugins to work seamlessly with the
+\fBsudo\fR
+front end.
+The default security policy is
+\fIsudoers\fR,
+which is configured via the file
+\fI@sysconfdir@/sudoers\fR,
+or via LDAP.
+See the
+\fIPLUGINS\fR
+section for more information.
.PP
The security policy determines what privileges, if any, a user has
-to run \fBsudo\fR. The policy may require that users authenticate
-themselves with a password or another authentication mechanism. If
-authentication is required, \fBsudo\fR will exit if the user's password
-is not entered within a configurable time limit. This limit is
-policy-specific; the default password prompt timeout for the
-\&\fIsudoers\fR security policy is
-.ie \n(PT \f(CW\*(C`@password_timeout@\*(C'\fR minutes.
-.el unlimited.
+to run
+\fBsudo\fR.
+The policy may require that users authenticate themselves with a
+password or another authentication mechanism.
+If authentication is required,
+\fBsudo\fR
+will exit if the user's password is not entered within a configurable
+time limit.
+This limit is policy-specific; the default password prompt timeout
+for the
+\fIsudoers\fR
+security policy is
+\fR@password_timeout@\fR
+minutes.
.PP
Security policies may support credential caching to allow the user
-to run \fBsudo\fR again for a period of time without requiring
-authentication. The \fIsudoers\fR policy caches credentials for
-\&\f(CW\*(C`@timeout@\*(C'\fR minutes, unless overridden in \fIsudoers\fR\|(@mansectform@). By
-running \fBsudo\fR with the \fB\-v\fR option, a user can update the cached
-credentials without running a \fIcommand\fR.
+to run
+\fBsudo\fR
+again for a period of time without requiring authentication.
+The
+\fIsudoers\fR
+policy caches credentials for
+\fR@timeout@\fR
+minutes, unless overridden in
+sudoers(@mansectform@).
+By running
+\fBsudo\fR
+with the
+\fB\-v\fR
+option, a user can update the cached credentials without running a
+\fIcommand\fR.
.PP
-When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
-is implied.
+When invoked as
+\fBsudoedit\fR,
+the
+\fB\-e\fR
+option (described below), is implied.
.PP
Security policies may log successful and failed attempts to use
-\&\fBsudo\fR. If an I/O plugin is configured, the running command's
-input and output may be logged as well.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-\&\fBsudo\fR accepts the following command line options:
-.IP "\-A" 12
-.IX Item "-A"
-Normally, if \fBsudo\fR requires a password, it will read it from the
-user's terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
-a (possibly graphical) helper program is executed to read the user's
-password and output the password to the standard output. If the
-\&\f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the path
-to the helper program. Otherwise, if \fI@sysconfdir@/sudo.conf\fR
+\fBsudo\fR.
+If an I/O plugin is configured, the running command's input and
+output may be logged as well.
+.PP
+The options are as follows:
+.TP 12n
+\fB\-A\fR
+Normally, if
+\fBsudo\fR
+requires a password, it will read it from the user's terminal.
+If the
+\fB\-A\fR (\fIaskpass\fR)
+option is specified, a (possibly graphical) helper program is
+executed to read the user's password and output the password to the
+standard output.
+If the
+\fRSUDO_ASKPASS\fR
+environment variable is set, it specifies the path to the helper
+program.
+Otherwise, if
+\fI@sysconfdir@/sudo.conf\fR
contains a line specifying the askpass program, that value will be
-used. For example:
-.Sp
-.Vb 2
-\& # Path to askpass helper program
-\& Path askpass /usr/X11R6/bin/ssh\-askpass
-.Ve
-.Sp
-If no askpass program is available, sudo will exit with an error.
-.if \n(BA \{\
-.IP "\-a \fItype\fR" 12
-.IX Item "-a type"
-The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
-specified authentication type when validating the user, as allowed
-by \fI/etc/login.conf\fR. The system administrator may specify a list
-of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
-entry in \fI/etc/login.conf\fR. This option is only available on systems
-that support \s-1BSD\s0 authentication.
-\}
-.IP "\-b" 12
-.IX Item "-b"
-The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
-command in the background. Note that if you use the \fB\-b\fR
+used.
+For example:
+.RS
+.nf
+.sp
+.RS 4n
+# Path to askpass helper program
+Path askpass /usr/X11R6/bin/ssh-askpass
+.RE
+.fi
+.sp
+If no askpass program is available,
+\fBsudo\fR
+will exit with an error.
+.PP
+.RE
+.PD 0
+.TP 12n
+\fB\-a\fR \fItype\fR
+The
+\fB\-a\fR (\fIauthentication type\fR)
+option causes
+\fBsudo\fR
+to use the specified authentication type when validating the user,
+as allowed by
+\fI/etc/login.conf\fR.
+The system administrator may specify a list of sudo-specific
+authentication methods by adding an
+``auth-sudo''
+entry in
+\fI/etc/login.conf\fR.
+This option is only available on systems that support BSD authentication.
+.PD
+.TP 12n
+\fB\-b\fR
+The
+\fB\-b\fR (\fIbackground\fR)
+option tells
+\fBsudo\fR
+to run the given command in the background.
+Note that if you use the
+\fB\-b\fR
option you cannot use shell job control to manipulate the process.
Most interactive commands will fail to work properly in background
mode.
-.IP "\-C \fIfd\fR" 12
-.IX Item "-C fd"
-Normally, \fBsudo\fR will close all open file descriptors other than
-standard input, standard output and standard error. The \fB\-C\fR
-(\fIclose from\fR) option allows the user to specify a starting point
-above the standard error (file descriptor three). Values less than
-three are not permitted. The security policy may restrict the
-user's ability to use the \fB\-C\fR option. The \fIsudoers\fR policy only
-permits use of the \fB\-C\fR option when the administrator has enabled
-the \fIclosefrom_override\fR option.
-.if \n(LC \{\
-.IP "\-c \fIclass\fR" 12
-.IX Item "-c class"
-The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
-with resources limited by the specified login class. The \fIclass\fR
-argument can be either a class name as defined in \fI/etc/login.conf\fR,
-or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
-that the command should be run restricted by the default login
-capabilities for the user the command is run as. If the \fIclass\fR
+.TP 12n
+\fB\-C\fR \fIfd\fR
+Normally,
+\fBsudo\fR
+will close all open file descriptors other than standard input,
+standard output and standard error.
+The
+\fB\-C\fR (\fIclose from\fR)
+option allows the user to specify a starting point above the standard
+error (file descriptor three).
+Values less than three are not permitted.
+The security policy may restrict the user's ability to use the
+\fB\-C\fR
+option.
+The
+\fIsudoers\fR
+policy only permits use of the
+\fB\-C\fR
+option when the administrator has enabled the
+\fIclosefrom_override\fR
+option.
+.TP 12n
+\fB\-c\fR \fIclass\fR
+The
+\fB\-c\fR (\fIclass\fR)
+option causes
+\fBsudo\fR
+to run the specified command with resources limited by the specified
+login class.
+The
+\fIclass\fR
+argument can be either a class name as defined in
+\fI/etc/login.conf\fR,
+or a single
+`\-'
+character.
+Specifying a
+\fIclass\fR
+of
+\fR-\fR
+indicates that the command should be run restricted by the default
+login capabilities for the user the command is run as.
+If the
+\fIclass\fR
argument specifies an existing user class, the command must be run
-as root, or the \fBsudo\fR command must be run from a shell that is already
-root. This option is only available on systems with \s-1BSD\s0 login classes.
-\}
-.IP "\-E" 12
-.IX Item "-E"
-The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option indicates to the
-security policy that the user wishes to preserve their existing
-environment variables. The security policy may return an error if
-the \fB\-E\fR option is specified and the user does not have permission
-to preserve the environment.
-.IP "\-e" 12
-.IX Item "-e"
-The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running a
-command, the user wishes to edit one or more files. In lieu of a
-command, the string \*(L"sudoedit\*(R" is used when consulting the security
-policy. If the user is authorized by the policy, the following
-steps are taken:
-.RS 12
-.IP "1." 4
+as root, or the
+\fBsudo\fR
+command must be run from a shell that is already root.
+This option is only available on systems with BSD login classes.
+.TP 12n
+\fB\-E\fR
+The
+\fB\-E\fR (\fIpreserve environment\fR)
+option indicates to the security policy that the user wishes to
+preserve their existing environment variables.
+The security policy may return an error if the
+\fB\-E\fR
+option is specified and the user does not have permission to preserve
+the environment.
+.TP 12n
+\fB\-e\fR
+The
+\fB\-e\fR (\fIedit\fR)
+option indicates that, instead of running a command, the user wishes
+to edit one or more files.
+In lieu of a command, the string "sudoedit" is used when consulting
+the security policy.
+If the user is authorized by the policy, the following steps are
+taken:
+.RS
+.TP 5n
+1.
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
-.IP "2." 4
-The editor specified by the policy is run to edit the temporary files.
-The \fIsudoers\fR policy uses the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR and \f(CW\*(C`EDITOR\*(C'\fR
-environment variables (in that order). If none of \f(CW\*(C`SUDO_EDITOR\*(C'\fR,
-\&\f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program listed in the
-\&\fIeditor\fR \fIsudoers\fR\|(@mansectform@) option is used.
-.IP "3." 4
+.TP 5n
+2.
+The editor specified by the policy is run to edit the temporary
+files.
+The
+\fIsudoers\fR
+policy uses the
+\fRSUDO_EDITOR\fR,
+\fRVISUAL\fR
+and
+\fREDITOR\fR
+environment variables (in that order).
+If none of
+\fRSUDO_EDITOR\fR,
+\fRVISUAL\fR
+or
+\fREDITOR\fR
+are set, the first program listed in the
+\fIeditor\fR
+sudoers(@mansectform@)
+option is used.
+.TP 5n
+3.
If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
+.PP
+If the specified file does not exist, it will be created.
+Note that unlike most commands run by
+\fIsudo\fR,
+the editor is run with the invoking user's environment unmodified.
+If, for some reason,
+\fBsudo\fR
+is unable to update a file with its edited version, the user will
+receive a warning and the edited copy will remain in a temporary
+file.
+.PP
.RE
-.RS 12
-.Sp
-If the specified file does not exist, it will be created. Note
-that unlike most commands run by \fBsudo\fR, the editor is run with
-the invoking user's environment unmodified. If, for some reason,
-\&\fBsudo\fR is unable to update a file with its edited version, the
-user will receive a warning and the edited copy will remain in a
-temporary file.
-.RE
-.IP "\-g \fIgroup\fR" 12
-.IX Item "-g group"
-Normally, \fBsudo\fR runs a command with the primary group set to the
-one specified by the password database for the user the command is
-being run as (by default, root). The \fB\-g\fR (\fIgroup\fR) option causes
-\&\fBsudo\fR to run the command with the primary group set to \fIgroup\fR
-instead. To specify a \fIgid\fR instead of a \fIgroup name\fR, use
-\&\fI#gid\fR. When running commands as a \fIgid\fR, many shells require
-that the '#' be escaped with a backslash ('\e'). If no \fB\-u\fR option
-is specified, the command will be run as the invoking user (not
-root). In either case, the primary group will be set to \fIgroup\fR.
-.IP "\-H" 12
-.IX Item "-H"
-The \fB\-H\fR (\fI\s-1HOME\s0\fR) option requests that the security policy set
-the \f(CW\*(C`HOME\*(C'\fR environment variable to the home directory of the target
-user (root by default) as specified by the password database.
+.PD 0
+.TP 12n
+\fB\-g\fR \fIgroup\fR
+Normally,
+\fBsudo\fR
+runs a command with the primary group set to the one specified by
+the password database for the user the command is being run as (by
+default, root).
+The
+\fB\-g\fR (\fIgroup\fR)
+option causes
+\fBsudo\fR
+to run the command with the primary group set to
+\fIgroup\fR
+instead.
+To specify a
+\fIgid\fR
+instead of a
+\fIgroup name\fR,
+use
+\fI#gid\fR.
+When running commands as a
+\fIgid\fR,
+many shells require that the
+`#'
+be escaped with a backslash
+(`\e').
+If no
+\fB\-u\fR
+option is specified, the command will be run as the invoking user
+(not root).
+In either case, the primary group will be set to
+\fIgroup\fR.
+.PD
+.TP 12n
+\fB\-H\fR
+The
+\fB\-H\fR (\fIHOME\fR)
+option requests that the security policy set the
+\fRHOME\fR
+environment variable to the home directory of the target user (root
+by default) as specified by the password database.
Depending on the policy, this may be the default behavior.
-.IP "\-h" 12
-.IX Item "-h"
-The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a short help message
-to the standard output and exit.
-.IP "\-i [command]" 12
-.IX Item "-i [command]"
-The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
-by the password database entry of the target user as a login shell.
-This means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR
-or \f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified,
-it is passed to the shell for execution via the shell's \fB\-c\fR option.
+.TP 12n
+\fB\-h\fR
+The
+\fB\-h\fR (\fIhelp\fR)
+option causes
+\fBsudo\fR
+to print a short help message to the standard output and exit.
+.TP 12n
+\fB\-i\fR [\fIcommand\fR]
+The
+\fB\-i\fR (\fIsimulate initial login\fR)
+option runs the shell specified by the password database entry of
+the target user as a login shell.
+This means that login-specific resource files such as
+\fI.profile\fR
+or
+\fI.login\fR
+will be read by the shell.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+\fB\-c\fR
+option.
If no command is specified, an interactive shell is executed.
-\&\fBsudo\fR attempts to change to that user's home directory before
-running the shell. The security policy shall initialize the
-environment to a minimal set of variables, similar to what is present
-when a user logs in. The \fICommand Environment\fR section in the
-\&\fIsudoers\fR\|(@mansectform@) manual documents how the \fB\-i\fR option affects the
-environment in which a command is run when the \fIsudoers\fR policy
-is in use.
-.IP "\-K" 12
-.IX Item "-K"
-The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
-the user's cached credentials entirely and may not be used in
-conjunction with a command or other option. This option does not
-require a password. Not all security policies support credential
-caching.
-.IP "\-k [command]" 12
-.IX Item "-k [command]"
-When used alone, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
-the user's cached credentials. The next time \fBsudo\fR is run a
-password will be required. This option does not require a password
-and was added to allow a user to revoke \fBsudo\fR permissions from a
-\&.logout file. Not all security policies support credential
-caching.
-.Sp
+\fBsudo\fR
+attempts to change to that user's home directory before running the
+shell.
+The security policy shall initialize the environment to a minimal
+set of variables, similar to what is present when a user logs in.
+The
+\fICommand Environment\fR
+section in the
+sudoers(@mansectform@)
+manual documents how the
+\fB\-i\fR
+option affects the environment in which a command is run when the
+\fIsudoers\fR
+policy is in use.
+.TP 12n
+\fB\-K\fR
+The
+\fB\-K\fR (sure \fIkill\fR)
+option is like
+\fB\-k\fR
+except that it removes the user's cached credentials entirely and
+may not be used in conjunction with a command or other option.
+This option does not require a password.
+Not all security policies support credential caching.
+.TP 12n
+\fB\-k\fR [\fIcommand\fR]
+When used alone, the
+\fB\-k\fR (\fIkill\fR)
+option to
+\fBsudo\fR
+invalidates the user's cached credentials.
+The next time
+\fBsudo\fR
+is run a password will be required.
+This option does not require a password and was added to allow a
+user to revoke
+\fBsudo\fR
+permissions from a
+\fI.logout\fR
+file.
+Not all security policies support credential caching.
+.sp
When used in conjunction with a command or an option that may require
-a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
-cached credentials. As a result, \fBsudo\fR will prompt for a password
-(if one is required by the security policy) and will not update the
-user's cached credentials.
-.IP "\-l[l] [\fIcommand\fR]" 12
-.IX Item "-l[l] [command]"
-If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
-the allowed (and forbidden) commands for the invoking user (or the
-user specified by the \fB\-U\fR option) on the current host. If a
-\&\fIcommand\fR is specified and is permitted by the security policy,
-the fully-qualified path to the command is displayed along with any
-command line arguments. If \fIcommand\fR is specified but not allowed,
-\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option
-is specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR is
-specified multiple times, a longer list format is used.
-.IP "\-n" 12
-.IX Item "-n"
-The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
-the user for a password. If a password is required for the command
-to run, \fBsudo\fR will display an error messages and exit.
-.IP "\-P" 12
-.IX Item "-P"
-The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
-preserve the invoking user's group vector unaltered. By default,
-the \fIsudoers\fR policy will initialize the group vector to the list
-of groups the target user is in. The real and effective group IDs,
-however, are still set to match the target user.
-.IP "\-p \fIprompt\fR" 12
-.IX Item "-p prompt"
-The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
-password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR')
-escapes are supported by the \fIsudoers\fR policy:
-.RS 12
-.ie n .IP "%H" 4
-.el .IP "\f(CW%H\fR" 4
-.IX Item "%H"
-expanded to the host name including the domain name (on if
-the machine's host name is fully qualified or the \fIfqdn\fR option
-is set in \fIsudoers\fR\|(@mansectform@))
-.ie n .IP "%h" 4
-.el .IP "\f(CW%h\fR" 4
-.IX Item "%h"
+a password, the
+\fB\-k\fR
+option will cause
+\fBsudo\fR
+to ignore the user's cached credentials.
+As a result,
+\fBsudo\fR
+will prompt for a password (if one is required by the security
+policy) and will not update the user's cached credentials.
+.TP 12n
+\fB\-l\fR[\fBl\fR] [\fIcommand\fR]
+If no
+\fIcommand\fR
+is specified, the
+\fB\-l\fR (\fIlist\fR)
+option will list the allowed (and forbidden) commands for the
+invoking user (or the user specified by the
+\fB\-U\fR
+option) on the current host.
+If a
+\fIcommand\fR
+is specified and is permitted by the security policy, the fully-qualified
+path to the command is displayed along with any command line
+arguments.
+If
+\fIcommand\fR
+is specified but not allowed,
+\fBsudo\fR
+will exit with a status value of 1.
+If the
+\fB\-l\fR
+option is specified with an
+\fIl\fR
+argument
+(i.e.\& \fB\-ll\fR),
+or if
+\fB\-l\fR
+is specified multiple times, a longer list format is used.
+.TP 12n
+\fB\-n\fR
+The
+\fB\-n\fR (\fInon-interactive\fR)
+option prevents
+\fBsudo\fR
+from prompting the user for a password.
+If a password is required for the command to run,
+\fBsudo\fR
+will display an error message and exit.
+.TP 12n
+\fB\-P\fR
+The
+\fB\-P\fR (\fIpreserve group vector\fR)
+option causes
+\fBsudo\fR
+to preserve the invoking user's group vector unaltered.
+By default, the
+\fIsudoers\fR
+policy will initialize the group vector to the list of groups the
+target user is in.
+The real and effective group IDs, however, are still set to match
+the target user.
+.TP 12n
+\fB\-p\fR \fIprompt\fR
+The
+\fB\-p\fR (\fIprompt\fR)
+option allows you to override the default password prompt and use
+a custom one.
+The following percent
+(`%')
+escapes are supported by the
+\fIsudoers\fR
+policy:
+.RS
+.TP 4n
+\fR%H\fR
+expanded to the host name including the domain name (on if the
+machine's host name is fully qualified or the
+\fIfqdn\fR
+option is set in
+sudoers(@mansectform@))
+.TP 4n
+\fR%h\fR
expanded to the local host name without the domain name
-.ie n .IP "%p" 4
-.el .IP "\f(CW%p\fR" 4
-.IX Item "%p"
+.TP 4n
+\fR%p\fR
expanded to the name of the user whose password is being requested
-(respects the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in
-\&\fIsudoers\fR\|(@mansectform@))
-.ie n .IP "%U" 4
-.el .IP "\f(CW%U\fR" 4
-.IX Item "%U"
+(respects the
+\fIrootpw\fR,
+\fItargetpw\fR,
+and
+\fIrunaspw\fR
+flags in
+sudoers(@mansectform@))
+.TP 4n
+\fR\&%U\fR
expanded to the login name of the user the command will be run as
-(defaults to root unless the \f(CW\*(C`\-u\*(C'\fR option is also specified)
-.ie n .IP "%u" 4
-.el .IP "\f(CW%u\fR" 4
-.IX Item "%u"
+(defaults to root unless the
+\fB\-u\fR
+option is also specified)
+.TP 4n
+\fR%u\fR
expanded to the invoking user's login name
-.ie n .IP "\*(C`%%\*(C'" 4
-.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
-.IX Item "%%"
-two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
-.RE
-.RS 12
-.Sp
-The prompt specified by the \fB\-p\fR option will override the system
-password prompt on systems that support \s-1PAM\s0 unless the
-\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
+.TP 4n
+\fR%%\fR
+two consecutive
+`%'
+characters are collapsed into a single
+`%'
+character
+.PP
+The prompt specified by the
+\fB\-p\fR
+option will override the system password prompt on systems that
+support PAM unless the
+\fIpassprompt_override\fR
+flag is disabled in
+\fIsudoers\fR.
+.PP
.RE
-.if \n(SL \{\
-.IP "\-r \fIrole\fR" 12
-.IX Item "-r role"
-The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
-have the role specified by \fIrole\fR.
-\}
-.IP "\-S" 12
-.IX Item "-S"
-The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
-the standard input instead of the terminal device. The password must
-be followed by a newline character.
-.IP "\-s [command]" 12
-.IX Item "-s [command]"
-The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
+.PD 0
+.TP 12n
+\fB\-r\fR \fIrole\fR
+The
+\fB\-r\fR (\fIrole\fR)
+option causes the new (SELinux) security context to have the role
+specified by
+\fIrole\fR.
+.PD
+.TP 12n
+\fB\-S\fR
+The
+\fB\-S\fR (\fIstdin\fR)
+option causes
+\fBsudo\fR
+to read the password from the standard input instead of the terminal
+device.
+The password must be followed by a newline character.
+.TP 12n
+\fB\-s\fR [\fIcommand\fR]
+The
+\fB\-s\fR (\fIshell\fR)
+option runs the shell specified by the
+\fRSHELL\fR
environment variable if it is set or the shell as specified in the
-password database. If a command is specified, it is passed to the
-shell for execution via the shell's \fB\-c\fR option. If no command
-is specified, an interactive shell is executed.
-.if \n(SL \{\
-.IP "\-t \fItype\fR" 12
-.IX Item "-t type"
-The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
-have the type specified by \fItype\fR. If no type is specified, the default
-type is derived from the specified role.
-\}
-.IP "\-U \fIuser\fR" 12
-.IX Item "-U user"
-The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the
-\&\fB\-l\fR option to specify the user whose privileges should be listed.
+password database.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+\fB\-c\fR
+option.
+If no command is specified, an interactive shell is executed.
+.TP 12n
+\fB\-t\fR \fItype\fR
+The
+\fB\-t\fR (\fItype\fR)
+option causes the new (SELinux) security context to have the type
+specified by
+\fItype\fR.
+If no type is specified, the default type is derived from the
+specified role.
+.TP 12n
+\fB\-U\fR \fIuser\fR
+The
+\fB\-U\fR (\fIother user\fR)
+option is used in conjunction with the
+\fB\-l\fR
+option to specify the user whose privileges should be listed.
The security policy may restrict listing other users' privileges.
-The \fIsudoers\fR policy only allows root or a user with the \f(CW\*(C`ALL\*(C'\fR
+The
+\fIsudoers\fR
+policy only allows root or a user with the
+\fRALL\fR
privilege on the current host to use this option.
-.IP "\-u \fIuser\fR" 12
-.IX Item "-u user"
-The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
-command as a user other than \fIroot\fR. To specify a \fIuid\fR instead
-of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR,
-many shells require that the '#' be escaped with a backslash ('\e').
-Security policies may restrict \fIuid\fRs to those listed in the
-password database. The \fIsudoers\fR policy allows \fIuid\fRs that are
-not in the password database as long as the \fItargetpw\fR option is
-not set. Other security policies may not support this.
-.IP "\-V" 12
-.IX Item "-V"
-The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print its version
-string and the version string of the security policy plugin and any
-I/O plugins. If the invoking user is already root the \fB\-V\fR option
-will display the arguments passed to configure when \fIsudo\fR was
-built and plugins may display more verbose information such as
+.TP 12n
+\fB\-u\fR \fIuser\fR
+The
+\fB\-u\fR (\fIuser\fR)
+option causes
+\fBsudo\fR
+to run the specified command as a user other than
+\fIroot\fR.
+To specify a
+\fIuid\fR
+instead of a
+\fIuser name\fR,
+\fI#uid\fR.
+When running commands as a
+\fIuid\fR,
+many shells require that the
+`#'
+be escaped with a backslash
+(`\e').
+Security policies may restrict
+\fIuid\fRs
+to those listed in the password database.
+The
+\fIsudoers\fR
+policy allows
+\fIuid\fRs
+that are not in the password database as long as the
+\fItargetpw\fR
+option is not set.
+Other security policies may not support this.
+.TP 12n
+\fB\-V\fR
+The
+\fB\-V\fR (\fIversion\fR)
+option causes
+\fBsudo\fR
+to print its version string and the version string of the security
+policy plugin and any I/O plugins.
+If the invoking user is already root the
+\fB\-V\fR
+option will display the arguments passed to configure when
+\fBsudo\fR
+was built and plugins may display more verbose information such as
default options.
-.IP "\-v" 12
-.IX Item "-v"
-When given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
-user's cached credentials, authenticating the user's password if
-necessary. For the \fIsudoers\fR plugin, this extends the \fBsudo\fR
-timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes (or whatever the timeout
-is set to in \fIsudoers\fR) but does not run a command. Not all
-security policies support cached credentials.
-.IP "\-\-" 12
-The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
-line arguments.
+.TP 12n
+\fB\-v\fR
+When given the
+\fB\-v\fR (\fIvalidate\fR)
+option,
+\fBsudo\fR
+will update the user's cached credentials, authenticating the user's
+password if necessary.
+For the
+\fIsudoers\fR
+plugin, this extends the
+\fBsudo\fR
+timeout for another
+\fR@timeout@\fR
+minutes (or whatever the timeout is set to by the security policy)
+but does not run a command.
+Not all security policies support cached credentials.
+.TP 12n
+\fB\--\fR
+The
+\fB\--\fR
+option indicates that
+\fBsudo\fR
+should stop processing command line arguments.
.PP
Environment variables to be set for the command may also be passed
-on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
-\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
-command line are subject to the same restrictions as normal environment
-variables with one important exception. If the \fIsetenv\fR option
-is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
-set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
-that would otherwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
+on the command line in the form of
+\fBVAR\fR=\fIvalue\fR,
+e.g.\&
+\fBLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR.
+Variables passed on the command line are subject to the same
+restrictions as normal environment variables with one important
+exception.
+If the
+\fIsetenv\fR
+option is set in
+\fIsudoers\fR,
+the command to be run has the
+\fRSETENV\fR
+tag set or the command matched is
+\fRALL\fR,
+the user may set variables that would otherwise be forbidden.
+See
+sudoers(@mansectform@)
+for more information.
+.SH "COMMAND EXECUTION"
+When
+\fBsudo\fR
+executes a command, the security policy specifies the execution
+envionment for the command.
+Typically, the real and effective uid and gid are set to
+match those of the target user, as specified in the password database,
+and the group vector is initialized based on the group database
+(unless the
+\fB\-P\fR
+option was specified).
+.PP
+The following parameters may be specified by security policy:
+.TP 4n
+\fBo\fR
+real and effective user ID
+.TP 4n
+\fBo\fR
+real and effective group ID
+.TP 4n
+\fBo\fR
+supplementary group IDs
+.TP 4n
+\fBo\fR
+the environment list
+.TP 4n
+\fBo\fR
+current working directory
+.TP 4n
+\fBo\fR
+file creation mode mask (umask)
+.TP 4n
+\fBo\fR
+SELinux role and type
+.TP 4n
+\fBo\fR
+Solaris project
+.TP 4n
+\fBo\fR
+Solaris privileges
+.TP 4n
+\fBo\fR
+BSD login class
+.TP 4n
+\fBo\fR
+scheduling priority (aka nice value)
+.SS "Process model"
+When
+\fBsudo\fR
+runs a command, it calls
+fork(2),
+sets up the execution environment as described above, and calls the
+execve
+system call in the child process.
+The main
+\fBsudo\fR
+process waits until the command has completed, then passes the
+command's exit status to the security policy's close method and exits.
+If an I/O logging plugin is configured, a new pseudo-terminal
+(``pty'')
+is created and a second
+\fBsudo\fR
+process is used to relay job control signals between the user's
+existing pty and the new pty the command is being run in.
+This extra process makes it possible to, for example, suspend
+and resume the command.
+Without it, the command would be in what POSIX terms an
+``orphaned process group''
+and it would not receive any job control signals.
+.SS "Signal handling"
+Because the command is run as a child of the
+\fBsudo\fR
+process,
+\fBsudo\fR
+will relay signals it receives to the command.
+Unless the command is being run in a new pty, the
+\fRSIGHUP\fR,
+\fRSIGINT\fR
+and
+\fRSIGQUIT\fR
+signals are not relayed unless they are sent by a user process,
+not the kernel.
+Otherwise, the command would receive
+\fRSIGINT\fR
+twice every time the user entered control-C.
+Some signals, such as
+\fRSIGSTOP\fR
+and
+\fRSIGKILL\fR,
+cannot be caught and thus will not be relayed to the command.
+As a general rule,
+\fRSIGTSTP\fR
+should be used instead of
+\fRSIGSTOP\fR
+when you wish to suspend a command being run by
+\fBsudo\fR.
+.PP
+As a special case,
+\fBsudo\fR
+will not relay signals that were sent by the command it is running.
+This prevents the command from accidentally killing itself.
+On some systems, the
+reboot(@mansectsu@)
+command sends
+\fRSIGTERM\fR
+to all non-system processes other than itself before rebooting
+the systyem.
+This prevents
+\fBsudo\fR
+from relaying the
+\fRSIGTERM\fR
+signal it received back to
+reboot(@mansectsu@),
+which might then exit before the system was actually rebooted,
+leaving it in a half-dead state similar to single user mode.
+Note, however, that this check only applies to the command run by
+\fBsudo\fR
+and not any other processes that the command may create.
+As a result, running a script that calls
+reboot(@mansectsu@)
+or
+shutdown(@mansectsu@)
+via
+\fBsudo\fR
+may cause the system to end up in this undefined state unless the
+reboot(@mansectsu@)
+or
+shutdown(@mansectsu@)
+are run using the
+\fBexec\fR()
+family of functions instead of
+\fBsystem\fR()
+(which interposes a shell between the command and the calling process).
.SH "PLUGINS"
-.IX Header "PLUGINS"
Plugins are dynamically loaded based on the contents of the
-\&\fI@sysconfdir@/sudo.conf\fR file. If no \fI@sysconfdir@/sudo.conf\fR
-file is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR
-will use the traditional \fIsudoers\fR security policy and I/O logging,
-which corresponds to the following \fI@sysconfdir@/sudo.conf\fR file.
-.PP
-.Vb 10
-\& #
-\& # Default @sysconfdir@/sudo.conf file
-\& #
-\& # Format:
-\& # Plugin plugin_name plugin_path plugin_options ...
-\& # Path askpass /path/to/askpass
-\& # Path noexec /path/to/sudo_noexec.so
-\& # Debug sudo /var/log/sudo_debug all@warn
-\& # Set disable_coredump true
-\& #
-\& # The plugin_path is relative to @prefix@/libexec unless
-\& # fully qualified.
-\& # The plugin_name corresponds to a global symbol in the plugin
-\& # that contains the plugin interface structure.
-\& # The plugin_options are optional.
-\& #
-\& Plugin policy_plugin sudoers.so
-\& Plugin io_plugin sudoers.so
-.Ve
-.PP
-A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the
-\&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the
-plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR
-or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
-may be fully qualified or relative. If not fully qualified it is
-relative to the \fI@prefix@/libexec\fR directory. Any additional
-parameters after the \fIpath\fR are passed as arguments to the plugin's
-\&\fIopen\fR function. Lines that don't begin with \f(CW\*(C`Plugin\*(C'\fR, \f(CW\*(C`Path\*(C'\fR,
-\&\f(CW\*(C`Debug\*(C'\fR or \f(CW\*(C`Set\*(C'\fR are silently ignored.
-.PP
-For more information, see the \fIsudo_plugin\fR\|(@mansectsu@) manual.
-.SH "PATHS"
-.IX Header "PATHS"
-A \f(CW\*(C`Path\*(C'\fR line consists of the \f(CW\*(C`Path\*(C'\fR keyword, followed by the
-name of the path to set and its value. E.g.
+\fI@sysconfdir@/sudo.conf\fR
+file.
+If no
+\fI@sysconfdir@/sudo.conf\fR
+file is present, or it contains no
+\fRPlugin\fR
+lines,
+\fBsudo\fR
+will use the traditional
+\fIsudoers\fR
+security policy and I/O logging, which corresponds to the following
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.nf
+.sp
+.RS 0n
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @prefix@/libexec unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.RE
+.fi
.PP
-.Vb 2
-\& Path noexec @noexec_file@
-\& Path askpass /usr/X11R6/bin/ssh\-askpass
-.Ve
+A
+\fRPlugin\fR
+line consists of the
+\fRPlugin\fR
+keyword, followed by the
+\fIsymbol_name\fR
+and the
+\fIpath\fR
+to the shared object containing the plugin.
+The
+\fIsymbol_name\fR
+is the name of the
+\fRstruct policy_plugin\fR
+or
+\fRstruct io_plugin\fR
+in the plugin shared object.
+The
+\fIpath\fR
+may be fully qualified or relative.
+If not fully qualified it is relative to the
+\fI@prefix@/libexec\fR
+directory.
+Any additional parameters after the
+\fIpath\fR
+are passed as arguments to the plugin's
+\fIopen\fR
+function.
+Lines that don't begin with
+\fRPlugin\fR,
+\fRPath\fR,
+\fRDebug\fR,
+or
+\fRSet\fR
+are silently ignored.
+.PP
+For more information, see the
+sudo_plugin(@mansectsu@)
+manual.
+.SH "PATHS"
+A
+\fRPath\fR
+line consists of the
+\fRPath\fR
+keyword, followed by the name of the path to set and its value.
+E.g.
+.nf
+.sp
+.RS 6n
+Path noexec @noexec_file@
+Path askpass /usr/X11R6/bin/ssh-askpass
+.RE
+.fi
.PP
The following plugin-agnostic paths may be set in the
-\&\fI@sysconfdir@/sudo.conf\fR file.
-.IP "askpass" 16
-.IX Item "askpass"
+\fI@sysconfdir@/sudo.conf\fR
+file:
+.TP 10n
+askpass
The fully qualified path to a helper program used to read the user's
-password when no terminal is available. This may be the case when
-\&\fBsudo\fR is executed from a graphical (as opposed to text-based)
-application. The program specified by \fIaskpass\fR should display
-the argument passed to it as the prompt and write the user's password
-to the standard output. The value of \fIaskpass\fR may be overridden
-by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable.
-.IP "noexec" 16
-.IX Item "noexec"
+password when no terminal is available.
+This may be the case when
+\fBsudo\fR
+is executed from a graphical (as opposed to text-based) application.
+The program specified by
+\fIaskpass\fR
+should display the argument passed to it as the prompt and write
+the user's password to the standard output.
+The value of
+\fIaskpass\fR
+may be overridden by the
+\fRSUDO_ASKPASS\fR
+environment variable.
+.TP 10n
+noexec
The fully-qualified path to a shared library containing dummy
-versions of the \fIexecv()\fR, \fIexecve()\fR and \fIfexecve()\fR library functions
-that just return an error. This is used to implement the \fInoexec\fR
-functionality on systems that support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.
-Defaults to \fI@noexec_file@\fR.
+versions of the
+\fBexecv\fR(),
+\fBexecve\fR()
+and
+\fBfexecve\fR()
+library functions that just return an error.
+This is used to implement the
+\fInoexec\fR
+functionality on systems that support
+\fRLD_PRELOAD\fR
+or its equivalent.
+Defaults to
+\fI@noexec_file@\fR.
.SH "DEBUG FLAGS"
-.IX Header "DEBUG FLAGS"
-\&\fBsudo\fR versions 1.8.4 and higher support a flexible debugging
-framework that can help track down what \fBsudo\fR is doing internally
-if there is a problem.
+\fBsudo\fR
+versions 1.8.4 and higher support a flexible debugging framework
+that can help track down what
+\fBsudo\fR
+is doing internally if there is a problem.
.PP
-A \f(CW\*(C`Debug\*(C'\fR line consists of the \f(CW\*(C`Debug\*(C'\fR keyword, followed by the
-name of the program to debug (\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
+A
+\fRDebug\fR
+line consists of the
+\fRDebug\fR
+keyword, followed by the name of the program to debug
+(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
the debug file name and a comma-separated list of debug flags.
-The debug flag syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
-\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
-format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
+The debug flag syntax used by
+\fBsudo\fR
+and the
+\fIsudoers\fR
+plugin is
+\fIsubsystem\fR@\fIpriority\fR
+but the plugin is free to use a different format so long as it does
+not include a comma
+(`\&,').
.PP
For instance:
+.nf
+.sp
+.RS 6n
+Debug sudo /var/log/sudo_debug all@warn,plugin@info
+.RE
+.fi
.PP
-.Vb 1
-\& Debug sudo /var/log/sudo_debug all@warn,plugin@info
-.Ve
-.PP
-would log all debugging statements at the \fIwarn\fR level and higher
-in addition to those at the \fIinfo\fR level for the plugin subsystem.
+would log all debugging statements at the
+\fIwarn\fR
+level and higher in addition to those at the
+\fIinfo\fR
+level for the plugin subsystem.
.PP
-Currently, only one \f(CW\*(C`Debug\*(C'\fR entry per program is supported. The
-\&\f(CW\*(C`sudo\*(C'\fR \f(CW\*(C`Debug\*(C'\fR entry is shared by the \fBsudo\fR front end, \fBsudoedit\fR
-and the plugins. A future release may add support for per-plugin
-\&\f(CW\*(C`Debug\*(C'\fR lines and/or support for multiple debugging files for a
-single program.
+Currently, only one
+\fRDebug\fR
+entry per program is supported.
+The
+\fBsudo\fR
+\fRDebug\fR
+entry is shared by the
+\fBsudo\fR
+front end,
+\fBsudoedit\fR
+and the plugins.
+A future release may add support for per-plugin
+\fRDebug\fR
+lines and/or support for multiple debugging files for a single
+program.
.PP
-The priorities used by the \fBsudo\fR front end, in order of decreasing
-severity, are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR,
-\&\fItrace\fR and \fIdebug\fR. Each priority, when specified, also includes
-all priorities higher than it. For example, a priority of \fInotice\fR
-would include debug messages logged at \fInotice\fR and higher.
+The priorities used by the
+\fBsudo\fR
+front end, in order of decreasing severity, are:
+\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
+and
+\fIdebug\fR.
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+\fInotice\fR
+would include debug messages logged at
+\fInotice\fR
+and higher.
.PP
-The following subsystems are used by \fBsudo\fR:
-.IP "\fIall\fR" 10
-.IX Item "all"
+The following subsystems are used by the
+\fBsudo\fR
+front-end:
+.TP 12n
+\fIall\fR
matches every subsystem
-.IP "\fIargs\fR" 10
-.IX Item "args"
+.TP 12n
+\fIargs\fR
command line argument processing
-.IP "\fIconv\fR" 10
-.IX Item "conv"
+.TP 12n
+\fIconv\fR
user conversation
-.IP "\fIedit\fR" 10
-.IX Item "edit"
+.TP 12n
+\fIedit\fR
sudoedit
-.IP "\fIexec\fR" 10
-.IX Item "exec"
+.TP 12n
+\fIexec\fR
command execution
-.IP "\fImain\fR" 10
-.IX Item "main"
-\&\fBsudo\fR main function
-.IP "\fInetif\fR" 10
-.IX Item "netif"
+.TP 12n
+\fImain\fR
+\fBsudo\fR
+main function
+.TP 12n
+\fInetif\fR
network interface handling
-.IP "\fIpcomm\fR" 10
-.IX Item "pcomm"
+.TP 12n
+\fIpcomm\fR
communication with the plugin
-.IP "\fIplugin\fR" 10
-.IX Item "plugin"
+.TP 12n
+\fIplugin\fR
plugin configuration
-.IP "\fIpty\fR" 10
-.IX Item "pty"
+.TP 12n
+\fIpty\fR
pseudo-tty related code
-.IP "\fIselinux\fR" 10
-.IX Item "selinux"
+.TP 12n
+\fIselinux\fR
SELinux-specific handling
-.IP "\fIutil\fR" 10
-.IX Item "util"
+.TP 12n
+\fIutil\fR
utility functions
-.IP "\fIutmp\fR" 10
-.IX Item "utmp"
+.TP 12n
+\fIutmp\fR
utmp handling
-.SH "RETURN VALUES"
-.IX Header "RETURN VALUES"
-Upon successful execution of a program, the exit status from \fBsudo\fR
+.SH "EXIT VALUE"
+Upon successful execution of a program, the exit status from
+\fIsudo\fR
will simply be the exit status of the program that was executed.
.PP
-Otherwise, \fBsudo\fR exits with a value of 1 if there is a
-configuration/permission problem or if \fBsudo\fR cannot execute the
-given command. In the latter case the error string is printed to
-the standard error. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries
-in the user's \f(CW\*(C`PATH\*(C'\fR, an error is printed on stderr. (If the
-directory does not exist or if it is not really a directory, the
-entry is ignored and no error is printed.) This should not happen
-under normal circumstances. The most common reason for \fIstat\fR\|(2)
-to return \*(L"permission denied\*(R" is if you are running an automounter
-and one of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is
-currently unreachable.
+Otherwise,
+\fBsudo\fR
+exits with a value of 1 if there is a configuration/permission
+problem or if
+\fBsudo\fR
+cannot execute the given command.
+In the latter case the error string is printed to the standard error.
+If
+\fBsudo\fR
+cannot
+stat(2)
+one or more entries in the user's
+\fRPATH\fR,
+an error is printed on stderr.
+(If the directory does not exist or if it is not really a directory,
+the entry is ignored and no error is printed.)
+This should not happen under normal circumstances.
+The most common reason for
+stat(2)
+to return
+``permission denied''
+is if you are running an automounter and one of the directories in
+your
+\fRPATH\fR
+is on a machine that is currently unreachable.
.SH "SECURITY NOTES"
-.IX Header "SECURITY NOTES"
-\&\fBsudo\fR tries to be safe when executing external commands.
-.PP
-To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
-current directory) last when searching for a command in the user's
-\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
-actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
-unchanged to the program that \fBsudo\fR executes.
-.PP
-Please note that \fBsudo\fR will normally only log the command it
-explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
-\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell are not subject
-to \fBsudo\fR's security policy. The same is true for commands that
-offer shell escapes (including most editors). If I/O logging is
-enabled, subsequent commands will have their input and/or output
-logged, but there will not be traditional logs for those commands.
-Because of this, care must be taken when giving users access to
-commands via \fBsudo\fR to verify that the command does not inadvertently
-give the user an effective root shell. For more information, please
-see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in \fIsudoers\fR\|(@mansectform@).
+\fBsudo\fR
+tries to be safe when executing external commands.
.PP
-To prevent the disclosure of potentially sensitive information,
-\&\fBsudo\fR disables core dumps by default while it is executing (they
-are re-enabled for the command that is run). To aid in debugging
-\&\fBsudo\fR crashes, you may wish to re-enable core dumps by setting
-\&\*(L"disable_coredump\*(R" to false in the \fI@sysconfdir@/sudo.conf\fR file.
+To prevent command spoofing,
+\fBsudo\fR
+checks "." and "" (both denoting current directory) last when
+searching for a command in the user's
+\fRPATH\fR
+(if one or both are in the
+\fRPATH\fR).
+Note, however, that the actual
+\fRPATH\fR
+environment variable is
+\fInot\fR
+modified and is passed unchanged to the program that
+\fBsudo\fR
+executes.
.PP
-.Vb 1
-\& Set disable_coredump false
-.Ve
+Please note that
+\fBsudo\fR
+will normally only log the command it explicitly runs.
+If a user runs a command such as
+\fRsudo su\fR
+or
+\fRsudo sh\fR,
+subsequent commands run from that shell are not subject to
+\fBsudo\fR's
+security policy.
+The same is true for commands that offer shell escapes (including
+most editors).
+If I/O logging is enabled, subsequent commands will have their input and/or
+output logged, but there will not be traditional logs for those commands.
+Because of this, care must be taken when giving users access to commands via
+\fBsudo\fR
+to verify that the command does not inadvertently give the user an
+effective root shell.
+For more information, please see the
+\fIPREVENTING SHELL ESCAPES\fR
+section in
+sudoers(@mansectform@).
+.PP
+To prevent the disclosure of potentially sensitive information,
+\fBsudo\fR
+disables core dumps by default while it is executing (they are
+re-enabled for the command that is run).
+To aid in debugging
+\fBsudo\fR
+crashes, you may wish to re-enable core dumps by setting
+``disable_coredump''
+to false in the
+\fI@sysconfdir@/sudo.conf\fR
+file as follows:
+.nf
+.sp
+.RS 6n
+Set disable_coredump false
+.RE
+.fi
.PP
Note that by default, most operating systems disable core dumps
-from setuid programs, which includes \fBsudo\fR. To actually get a
-\&\fBsudo\fR core file you may need to enable core dumps for setuid
-processes. On \s-1BSD\s0 and Linux systems this is accomplished via the
-sysctl command, on Solaris the coreadm command can be used.
+from setuid programs, which includes
+\fBsudo\fR.
+To actually get a
+\fBsudo\fR
+core file you may need to enable core dumps for setuid processes.
+On BSD and Linux systems this is accomplished via the sysctl command,
+on Solaris the coreadm command can be used.
.SH "ENVIRONMENT"
-.IX Header "ENVIRONMENT"
-\&\fBsudo\fR utilizes the following environment variables. The security
-policy has control over the content of the command's environment.
-.ie n .IP "\*(C`EDITOR\*(C'" 16
-.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
-.IX Item "EDITOR"
-Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
-nor \f(CW\*(C`VISUAL\*(C'\fR is set
-.ie n .IP "\*(C`MAIL\*(C'" 16
-.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16
-.IX Item "MAIL"
-In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set
-to the mail spool of the target user
-.ie n .IP "\*(C`HOME\*(C'" 16
-.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
-.IX Item "HOME"
-Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
-specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
-or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
-\&\fIsudoers\fR
-.ie n .IP "\*(C`PATH\*(C'" 16
-.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
-.IX Item "PATH"
+\fBsudo\fR
+utilizes the following environment variables.
+The security policy has control over the actual content of the command's
+environment.
+.TP 17n
+\fREDITOR\fR
+Default editor to use in
+\fB\-e\fR
+(sudoedit) mode if neither
+\fRSUDO_EDITOR\fR
+nor
+\fRVISUAL\fR
+is set.
+.TP 17n
+\fRMAIL\fR
+In
+\fB\-i\fR
+mode or when
+\fIenv_reset\fR
+is enabled in
+\fIsudoers\fR,
+set to the mail spool of the target user.
+.TP 17n
+\fRHOME\fR
+Set to the home directory of the target user if
+\fB\-i\fR
+or
+\fB\-H\fR
+are specified,
+\fIenv_reset\fR
+or
+\fIalways_set_home\fR
+are set in
+\fIsudoers\fR,
+or when the
+\fB\-s\fR
+option is specified and
+\fIset_home\fR
+is set in
+\fIsudoers\fR.
+.TP 17n
+\fRPATH\fR
May be overridden by the security policy.
-.ie n .IP "\*(C`SHELL\*(C'" 16
-.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
-.IX Item "SHELL"
-Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option
-.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
-.IX Item "SUDO_ASKPASS"
+.TP 17n
+\fRSHELL\fR
+Used to determine shell to run with
+\fB\-s\fR
+option.
+.TP 17n
+\fRSUDO_ASKPASS\fR
Specifies the path to a helper program used to read the password
-if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
-.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
-.IX Item "SUDO_COMMAND"
-Set to the command run by sudo
-.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
-.IX Item "SUDO_EDITOR"
-Default editor to use in \fB\-e\fR (sudoedit) mode
-.ie n .IP "\*(C`SUDO_GID\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
-.IX Item "SUDO_GID"
-Set to the group \s-1ID\s0 of the user who invoked sudo
-.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
-.IX Item "SUDO_PROMPT"
-Used as the default password prompt
-.ie n .IP "\*(C`SUDO_PS1\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
-.IX Item "SUDO_PS1"
-If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run
-.ie n .IP "\*(C`SUDO_UID\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
-.IX Item "SUDO_UID"
-Set to the user \s-1ID\s0 of the user who invoked sudo
-.ie n .IP "\*(C`SUDO_USER\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
-.IX Item "SUDO_USER"
-Set to the login of the user who invoked sudo
-.ie n .IP "\*(C`USER\*(C'" 16
-.el .IP "\f(CW\*(C`USER\*(C'\fR" 16
-.IX Item "USER"
-Set to the target user (root unless the \fB\-u\fR option is specified)
-.ie n .IP "\*(C`VISUAL\*(C'" 16
-.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
-.IX Item "VISUAL"
-Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
-is not set
+if no terminal is available or if the
+\fB\-A\fR
+option is specified.
+.TP 17n
+\fRSUDO_COMMAND\fR
+Set to the command run by sudo.
+.TP 17n
+\fRSUDO_EDITOR\fR
+Default editor to use in
+\fB\-e\fR
+(sudoedit) mode.
+.TP 17n
+\fRSUDO_GID\fR
+Set to the group ID of the user who invoked sudo.
+.TP 17n
+\fRSUDO_PROMPT\fR
+Used as the default password prompt.
+.TP 17n
+\fRSUDO_PS1\fR
+If set,
+\fRPS1\fR
+will be set to its value for the program being run.
+.TP 17n
+\fRSUDO_UID\fR
+Set to the user ID of the user who invoked sudo.
+.TP 17n
+\fRSUDO_USER\fR
+Set to the login name of the user who invoked sudo.
+.TP 17n
+\fRUSER\fR
+Set to the target user (root unless the
+\fB\-u\fR
+option is specified).
+.TP 17n
+\fRVISUAL\fR
+Default editor to use in
+\fB\-e\fR
+(sudoedit) mode if
+\fRSUDO_EDITOR\fR
+is not set.
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
-.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
-.IX Item "@sysconfdir@/sudo.conf"
-\&\fBsudo\fR front end configuration
+.TP 26n
+\fI@sysconfdir@/sudo.conf\fR
+\fBsudo\fR
+front end configuration
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Note: the following examples assume a properly configured security policy.
+Note: the following examples assume a properly configured security
+policy.
.PP
To get a file listing of an unreadable directory:
+.nf
+.sp
+.RS 6n
+$ sudo ls /usr/local/protected
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo ls /usr/local/protected
-.Ve
-.PP
-To list the home directory of user yaz on a machine where the
-file system holding ~yaz is not exported as root:
-.PP
-.Vb 1
-\& $ sudo \-u yaz ls ~yaz
-.Ve
-.PP
-To edit the \fIindex.html\fR file as user www:
-.PP
-.Vb 1
-\& $ sudo \-u www vi ~www/htdocs/index.html
-.Ve
+To list the home directory of user yaz on a machine where the file
+system holding ~yaz is not exported as root:
+.nf
+.sp
+.RS 6n
+$ sudo -u yaz ls ~yaz
+.RE
+.fi
.PP
-To view system logs only accessible to root and users in the adm group:
+To edit the
+\fIindex.html\fR
+file as user www:
+.nf
+.sp
+.RS 6n
+$ sudo -u www vi ~www/htdocs/index.html
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo \-g adm view /var/log/syslog
-.Ve
+To view system logs only accessible to root and users in the adm
+group:
+.nf
+.sp
+.RS 6n
+$ sudo -g adm view /var/log/syslog
+.RE
+.fi
.PP
To run an editor as jim with a different primary group:
+.nf
+.sp
+.RS 6n
+$ sudo -u jim -g audio vi ~jim/sound.txt
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo \-u jim \-g audio vi ~jim/sound.txt
-.Ve
-.PP
-To shutdown a machine:
-.PP
-.Vb 1
-\& $ sudo shutdown \-r +15 "quick reboot"
-.Ve
-.PP
-To make a usage listing of the directories in the /home
-partition. Note that this runs the commands in a sub-shell
-to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
+To shut down a machine:
+.nf
+.sp
+.RS 6n
+$ sudo shutdown -r +15 "quick reboot"
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
-.Ve
+To make a usage listing of the directories in the /home partition.
+Note that this runs the commands in a sub-shell to make the
+\fRcd\fR
+and file redirection work.
+.nf
+.sp
+.RS 6n
+$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+.RE
+.fi
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
-.if \n(LC \&\fIlogin_cap\fR\|(3),
-\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudoreplay\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
+grep(1),
+su(1),
+stat(2),
+login_cap(3),
+passwd(@mansectform@),
+sudoers(@mansectform@),
+sudo_plugin(@mansectsu@),
+sudoreplay(@mansectsu@),
+visudo(@mansectsu@)
+.SH "HISTORY"
+See the HISTORY file in the
+\fBsudo\fR
+distribution (http://www.sudo.ws/sudo/history.html) for a brief
+history of sudo.
.SH "AUTHORS"
-.IX Header "AUTHORS"
-Many people have worked on \fBsudo\fR over the years; this
-version consists of code written primarily by:
-.PP
-.Vb 1
-\& Todd C. Miller
-.Ve
+Many people have worked on
+\fBsudo\fR
+over the years; this version consists of code written primarily by:
+.sp
+.RS 6n
+Todd C. Miller
+.RE
.PP
-See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
-(http://www.sudo.ws/sudo/contributors.html) for a list of people
-who have contributed to \fBsudo\fR.
-.SH "HISTORY"
-.IX Header "HISTORY"
-See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution
-(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
+See the CONTRIBUTORS file in the
+\fBsudo\fR
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+\fBsudo\fR.
.SH "CAVEATS"
-.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
-if that user is allowed to run arbitrary commands via \fBsudo\fR.
+if that user is allowed to run arbitrary commands via
+\fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
-via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
-most systems it is possible to prevent shell escapes with the
-\&\fIsudoers\fR\|(@mansectform@) module's \fInoexec\fR functionality.
-.PP
-It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
+via shell escapes, thus avoiding
+\fBsudo\fR's
+checks.
+However, on most systems it is possible to prevent shell escapes with the
+sudoers(@mansectform@)
+plugin's
+\fInoexec\fR
+functionality.
.PP
-.Vb 1
-\& $ sudo cd /usr/local/protected
-.Ve
+It is not meaningful to run the
+\fRcd\fR
+command directly via sudo, e.g.,
+.nf
+.sp
+.RS 6n
+$ sudo cd /usr/local/protected
+.RE
+.fi
.PP
since when the command exits the parent process (your shell) will
-still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
+still be the same.
+Please see the
+\fIEXAMPLES\fR
+section for more information.
.PP
-Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
-make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
-has a /dev/fd/ directory, setuid shell scripts are generally safe).
+Running shell scripts via
+\fBsudo\fR
+can expose the same kernel bugs that make setuid shell scripts
+unsafe on some operating systems (if your OS has a /dev/fd/ directory,
+setuid shell scripts are generally safe).
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-#!/usr/bin/perl -p
-
-BEGIN {
- %tags = ( 'a', 'BA', 'c', 'LC', 'r', 'SL', 't', 'SL');
- $cond = -1;
-}
-
-# Initialize the numeric register we use for conditionals
-if ($cond == -1) {
- $_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.nr PT \@password_timeout\@\n.\\\"\n$_";
- $cond = 0;
-}
-
-# Add conditionals
-if (/^\.IP.*-([acrt])/) {
- $_ = ".if \\n($tags{$1} \\{\\\n$_";
- $cond = 1;
-} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
- $_ = "\\}\n$_";
- $cond = 0;
-}
-
-if (/-a.*auth_type/) {
- $_ = ".if \\n($tags{'a'} $_";
-} elsif (/(-c.*class.*\||login_cap)/) {
- $_ = ".if \\n($tags{'c'} $_";
-} elsif (/-r.*role.*-t.*type/) {
- $_ = ".if \\n($tags{'r'} $_";
-}
-
-# Fix up broken pod2man formatting of F<@foo@/bar>
-s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
-
-# Try to deal sensibly with password_timeout being set to 0 by default
-s/([^ ]*\@password_timeout\@[^ ]* minutes.$)/\n.ie \\n(PT $1\n.el unlimited./;
--- /dev/null
+.\"
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\"
+.Dd July 10, 2012
+.Dt SUDO @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudo ,
+.Nm sudoedit
+.Nd execute a command as another user
+.Sh SYNOPSIS
+.Nm sudo
+.Fl h No | Fl K No | Fl k No | Fl V
+.Nm sudo
+.Fl v
+.Op Fl AknS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Nm sudo
+.Fl l Ns Op Ar l
+.Op Fl AknS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl U Ar user name
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Op Ar command
+.Nm sudo
+.Op Fl AbEHnPS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl C Ar fd
+.Ek
+.Bk -words
+.Op Fl c Ar class No | Ar -
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl r Ar role
+.Ek
+.Bk -words
+.Op Fl t Ar type
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Bk -words
+.Op Sy VAR Ns = Ns Ar value
+.Ek
+.Bk -words
+.Fl i No | Fl s
+.Ek
+.Op Ar command
+.Nm sudoedit
+.Op Fl AnS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl C Ar fd
+.Ek
+.Bk -words
+.Op Fl c Ar class No | Ar -
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Bk -words
+file ...
+.Ek
+.Sh DESCRIPTION
+.Nm sudo
+allows a permitted user to execute a
+.Ar command
+as the superuser or another user, as specified by the security
+policy.
+.Pp
+.Nm sudo
+supports a plugin architecture for security policies and input/output
+logging.
+Third parties can develop and distribute their own policy and I/O
+logging plugins to work seamlessly with the
+.Nm sudo
+front end.
+The default security policy is
+.Em sudoers ,
+which is configured via the file
+.Pa @sysconfdir@/sudoers ,
+or via LDAP.
+See the
+.Sx PLUGINS
+section for more information.
+.Pp
+The security policy determines what privileges, if any, a user has
+to run
+.Nm sudo .
+The policy may require that users authenticate themselves with a
+password or another authentication mechanism.
+If authentication is required,
+.Nm sudo
+will exit if the user's password is not entered within a configurable
+time limit.
+This limit is policy-specific; the default password prompt timeout
+for the
+.Em sudoers
+security policy is
+.Li @password_timeout@
+minutes.
+.Pp
+Security policies may support credential caching to allow the user
+to run
+.Nm sudo
+again for a period of time without requiring authentication.
+The
+.Em sudoers
+policy caches credentials for
+.Li @timeout@
+minutes, unless overridden in
+.Xr sudoers @mansectform@ .
+By running
+.Nm sudo
+with the
+.Fl v
+option, a user can update the cached credentials without running a
+.Ar command .
+.Pp
+When invoked as
+.Nm sudoedit ,
+the
+.Fl e
+option (described below), is implied.
+.Pp
+Security policies may log successful and failed attempts to use
+.Nm sudo .
+If an I/O plugin is configured, the running command's input and
+output may be logged as well.
+.Pp
+The options are as follows:
+.Bl -tag -width Fl
+.It Fl A
+Normally, if
+.Nm sudo
+requires a password, it will read it from the user's terminal.
+If the
+.Fl A No ( Em askpass Ns No )
+option is specified, a (possibly graphical) helper program is
+executed to read the user's password and output the password to the
+standard output.
+If the
+.Ev SUDO_ASKPASS
+environment variable is set, it specifies the path to the helper
+program.
+Otherwise, if
+.Pa @sysconfdir@/sudo.conf
+contains a line specifying the askpass program, that value will be
+used.
+For example:
+.Bd -literal -offset 4n
+# Path to askpass helper program
+Path askpass /usr/X11R6/bin/ssh-askpass
+.Ed
+.Pp
+If no askpass program is available,
+.Nm sudo
+will exit with an error.
+.It Fl a Ar type
+The
+.Fl a No ( Em "authentication type" Ns No )
+option causes
+.Nm sudo
+to use the specified authentication type when validating the user,
+as allowed by
+.Pa /etc/login.conf .
+The system administrator may specify a list of sudo-specific
+authentication methods by adding an
+.Dq auth-sudo
+entry in
+.Pa /etc/login.conf .
+This option is only available on systems that support BSD authentication.
+.It Fl b
+The
+.Fl b No ( Em background Ns No )
+option tells
+.Nm sudo
+to run the given command in the background.
+Note that if you use the
+.Fl b
+option you cannot use shell job control to manipulate the process.
+Most interactive commands will fail to work properly in background
+mode.
+.It Fl C Ar fd
+Normally,
+.Nm sudo
+will close all open file descriptors other than standard input,
+standard output and standard error.
+The
+.Fl C No ( Em close from Ns No )
+option allows the user to specify a starting point above the standard
+error (file descriptor three).
+Values less than three are not permitted.
+The security policy may restrict the user's ability to use the
+.Fl C
+option.
+The
+.Em sudoers
+policy only permits use of the
+.Fl C
+option when the administrator has enabled the
+.Em closefrom_override
+option.
+.It Fl c Ar class
+The
+.Fl c No ( Em class Ns No )
+option causes
+.Nm sudo
+to run the specified command with resources limited by the specified
+login class.
+The
+.Em class
+argument can be either a class name as defined in
+.Pa /etc/login.conf ,
+or a single
+.Ql \-
+character.
+Specifying a
+.Ar class
+of
+.Li -
+indicates that the command should be run restricted by the default
+login capabilities for the user the command is run as.
+If the
+.Ar class
+argument specifies an existing user class, the command must be run
+as root, or the
+.Nm sudo
+command must be run from a shell that is already root.
+This option is only available on systems with BSD login classes.
+.It Fl E
+The
+.Fl E No ( Em preserve environment Ns No )
+option indicates to the security policy that the user wishes to
+preserve their existing environment variables.
+The security policy may return an error if the
+.Fl E
+option is specified and the user does not have permission to preserve
+the environment.
+.It Fl e
+The
+.Fl e No ( Em edit Ns No )
+option indicates that, instead of running a command, the user wishes
+to edit one or more files.
+In lieu of a command, the string "sudoedit" is used when consulting
+the security policy.
+If the user is authorized by the policy, the following steps are
+taken:
+.Bl -enum -offset 4
+.It
+Temporary copies are made of the files to be edited with the owner
+set to the invoking user.
+.It
+The editor specified by the policy is run to edit the temporary
+files.
+The
+.Em sudoers
+policy uses the
+.Ev SUDO_EDITOR ,
+.Ev VISUAL
+and
+.Ev EDITOR
+environment variables (in that order).
+If none of
+.Ev SUDO_EDITOR ,
+.Ev VISUAL
+or
+.Ev EDITOR
+are set, the first program listed in the
+.Em editor
+.Xr sudoers @mansectform@
+option is used.
+.It
+If they have been modified, the temporary files are copied back to
+their original location and the temporary versions are removed.
+.El
+.Pp
+If the specified file does not exist, it will be created.
+Note that unlike most commands run by
+.Em sudo ,
+the editor is run with the invoking user's environment unmodified.
+If, for some reason,
+.Nm sudo
+is unable to update a file with its edited version, the user will
+receive a warning and the edited copy will remain in a temporary
+file.
+.It Fl g Ar group
+Normally,
+.Nm sudo
+runs a command with the primary group set to the one specified by
+the password database for the user the command is being run as (by
+default, root).
+The
+.Fl g No ( Em group Ns No )
+option causes
+.Nm sudo
+to run the command with the primary group set to
+.Ar group
+instead.
+To specify a
+.Em gid
+instead of a
+.Em "group name" ,
+use
+.Em #gid .
+When running commands as a
+.Em gid ,
+many shells require that the
+.Ql #
+be escaped with a backslash
+.Pq Ql \e .
+If no
+.Fl u
+option is specified, the command will be run as the invoking user
+(not root).
+In either case, the primary group will be set to
+.Em group .
+.It Fl H
+The
+.Fl H No ( Em HOME Ns No )
+option requests that the security policy set the
+.Ev HOME
+environment variable to the home directory of the target user (root
+by default) as specified by the password database.
+Depending on the policy, this may be the default behavior.
+.It Fl h
+The
+.Fl h No ( Em help Ns No )
+option causes
+.Nm sudo
+to print a short help message to the standard output and exit.
+.It Fl i Op Ar command
+The
+.Fl i No ( Em simulate initial login Ns No )
+option runs the shell specified by the password database entry of
+the target user as a login shell.
+This means that login-specific resource files such as
+.Pa .profile
+or
+.Pa .login
+will be read by the shell.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+.Fl c
+option.
+If no command is specified, an interactive shell is executed.
+.Nm sudo
+attempts to change to that user's home directory before running the
+shell.
+The security policy shall initialize the environment to a minimal
+set of variables, similar to what is present when a user logs in.
+The
+.Em Command Environment
+section in the
+.Xr sudoers @mansectform@
+manual documents how the
+.Fl i
+option affects the environment in which a command is run when the
+.Em sudoers
+policy is in use.
+.It Fl K
+The
+.Fl K No ( sure Em kill Ns No )
+option is like
+.Fl k
+except that it removes the user's cached credentials entirely and
+may not be used in conjunction with a command or other option.
+This option does not require a password.
+Not all security policies support credential caching.
+.It Fl k Op Ar command
+When used alone, the
+.Fl k No ( Em kill Ns No )
+option to
+.Nm sudo
+invalidates the user's cached credentials.
+The next time
+.Nm sudo
+is run a password will be required.
+This option does not require a password and was added to allow a
+user to revoke
+.Nm sudo
+permissions from a
+.Pa .logout
+file.
+Not all security policies support credential caching.
+.Pp
+When used in conjunction with a command or an option that may require
+a password, the
+.Fl k
+option will cause
+.Nm sudo
+to ignore the user's cached credentials.
+As a result,
+.Nm sudo
+will prompt for a password (if one is required by the security
+policy) and will not update the user's cached credentials.
+.It Fl l Ns Oo Sy l Oc Op Ar command
+If no
+.Ar command
+is specified, the
+.Fl l No ( Em list Ns No )
+option will list the allowed (and forbidden) commands for the
+invoking user (or the user specified by the
+.Fl U
+option) on the current host.
+If a
+.Ar command
+is specified and is permitted by the security policy, the fully-qualified
+path to the command is displayed along with any command line
+arguments.
+If
+.Ar command
+is specified but not allowed,
+.Nm sudo
+will exit with a status value of 1.
+If the
+.Fl l
+option is specified with an
+.Ar l
+argument
+.Pq i.e.\& Fl ll ,
+or if
+.Fl l
+is specified multiple times, a longer list format is used.
+.It Fl n
+The
+.Fl n No ( Em non-interactive Ns No )
+option prevents
+.Nm sudo
+from prompting the user for a password.
+If a password is required for the command to run,
+.Nm sudo
+will display an error message and exit.
+.It Fl P
+The
+.Fl P No ( Em preserve group vector Ns No )
+option causes
+.Nm sudo
+to preserve the invoking user's group vector unaltered.
+By default, the
+.Em sudoers
+policy will initialize the group vector to the list of groups the
+target user is in.
+The real and effective group IDs, however, are still set to match
+the target user.
+.It Fl p Ar prompt
+The
+.Fl p No ( Em prompt Ns No )
+option allows you to override the default password prompt and use
+a custom one.
+The following percent
+.Pq Ql %
+escapes are supported by the
+.Em sudoers
+policy:
+.Bl -tag -width 2n
+.It Li %H
+expanded to the host name including the domain name (on if the
+machine's host name is fully qualified or the
+.Em fqdn
+option is set in
+.Xr sudoers @mansectform@ )
+.It Li %h
+expanded to the local host name without the domain name
+.It Li %p
+expanded to the name of the user whose password is being requested
+(respects the
+.Em rootpw ,
+.Em targetpw ,
+and
+.Em runaspw
+flags in
+.Xr sudoers @mansectform@ )
+.It Li \&%U
+expanded to the login name of the user the command will be run as
+(defaults to root unless the
+.Fl u
+option is also specified)
+.It Li %u
+expanded to the invoking user's login name
+.It Li %%
+two consecutive
+.Ql %
+characters are collapsed into a single
+.Ql %
+character
+.El
+.Pp
+The prompt specified by the
+.Fl p
+option will override the system password prompt on systems that
+support PAM unless the
+.Em passprompt_override
+flag is disabled in
+.Em sudoers .
+.It Fl r Ar role
+The
+.Fl r No ( Em role Ns No )
+option causes the new (SELinux) security context to have the role
+specified by
+.Ar role .
+.It Fl S
+The
+.Fl S ( Em stdin Ns No )
+option causes
+.Nm sudo
+to read the password from the standard input instead of the terminal
+device.
+The password must be followed by a newline character.
+.It Fl s Op Ar command
+The
+.Fl s ( Em shell Ns No )
+option runs the shell specified by the
+.Ev SHELL
+environment variable if it is set or the shell as specified in the
+password database.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+.Fl c
+option.
+If no command is specified, an interactive shell is executed.
+.It Fl t Ar type
+The
+.Fl t ( Em type Ns No )
+option causes the new (SELinux) security context to have the type
+specified by
+.Ar type .
+If no type is specified, the default type is derived from the
+specified role.
+.It Fl U Ar user
+The
+.Fl U ( Em other user Ns No )
+option is used in conjunction with the
+.Fl l
+option to specify the user whose privileges should be listed.
+The security policy may restrict listing other users' privileges.
+The
+.Em sudoers
+policy only allows root or a user with the
+.Li ALL
+privilege on the current host to use this option.
+.It Fl u Ar user
+The
+.Fl u ( Em user Ns No )
+option causes
+.Nm sudo
+to run the specified command as a user other than
+.Em root .
+To specify a
+.Em uid
+instead of a
+.Em user name ,
+.Em #uid .
+When running commands as a
+.Em uid ,
+many shells require that the
+.Ql #
+be escaped with a backslash
+.Pq Ql \e .
+Security policies may restrict
+.Em uid Ns No s
+to those listed in the password database.
+The
+.Em sudoers
+policy allows
+.Em uid Ns No s
+that are not in the password database as long as the
+.Em targetpw
+option is not set.
+Other security policies may not support this.
+.It Fl V
+The
+.Fl V ( Em version Ns No )
+option causes
+.Nm sudo
+to print its version string and the version string of the security
+policy plugin and any I/O plugins.
+If the invoking user is already root the
+.Fl V
+option will display the arguments passed to configure when
+.Nm sudo
+was built and plugins may display more verbose information such as
+default options.
+.It Fl v
+When given the
+.Fl v ( Em validate Ns No )
+option,
+.Nm sudo
+will update the user's cached credentials, authenticating the user's
+password if necessary.
+For the
+.Em sudoers
+plugin, this extends the
+.Nm sudo
+timeout for another
+.Li @timeout@
+minutes (or whatever the timeout is set to by the security policy)
+but does not run a command.
+Not all security policies support cached credentials.
+.It Fl -
+The
+.Fl -
+option indicates that
+.Nm sudo
+should stop processing command line arguments.
+.El
+.Pp
+Environment variables to be set for the command may also be passed
+on the command line in the form of
+.Sy VAR Ns No = Ns Em value ,
+e.g.\&
+.Sy LD_LIBRARY_PATH Ns No = Ns Em /usr/local/pkg/lib .
+Variables passed on the command line are subject to the same
+restrictions as normal environment variables with one important
+exception.
+If the
+.Em setenv
+option is set in
+.Em sudoers ,
+the command to be run has the
+.Li SETENV
+tag set or the command matched is
+.Li ALL ,
+the user may set variables that would otherwise be forbidden.
+See
+.Xr sudoers @mansectform@
+for more information.
+.Sh COMMAND EXECUTION
+When
+.Nm sudo
+executes a command, the security policy specifies the execution
+envionment for the command.
+Typically, the real and effective uid and gid are set to
+match those of the target user, as specified in the password database,
+and the group vector is initialized based on the group database
+(unless the
+.Fl P
+option was specified).
+.Pp
+The following parameters may be specified by security policy:
+.Bl -bullet
+.It
+real and effective user ID
+.It
+real and effective group ID
+.It
+supplementary group IDs
+.It
+the environment list
+.It
+current working directory
+.It
+file creation mode mask (umask)
+.It
+SELinux role and type
+.It
+Solaris project
+.It
+Solaris privileges
+.It
+BSD login class
+.It
+scheduling priority (aka nice value)
+.El
+.Ss Process model
+When
+.Nm sudo
+runs a command, it calls
+.Xr fork 2 ,
+sets up the execution environment as described above, and calls the
+.Xr execve
+system call in the child process.
+The main
+.Nm sudo
+process waits until the command has completed, then passes the
+command's exit status to the security policy's close method and exits.
+If an I/O logging plugin is configured, a new pseudo-terminal
+.Pq Dq pty
+is created and a second
+.Nm sudo
+process is used to relay job control signals between the user's
+existing pty and the new pty the command is being run in.
+This extra process makes it possible to, for example, suspend
+and resume the command.
+Without it, the command would be in what POSIX terms an
+.Dq orphaned process group
+and it would not receive any job control signals.
+.Ss Signal handling
+Because the command is run as a child of the
+.Nm sudo
+process,
+.Nm sudo
+will relay signals it receives to the command.
+Unless the command is being run in a new pty, the
+.Dv SIGHUP ,
+.Dv SIGINT
+and
+.Dv SIGQUIT
+signals are not relayed unless they are sent by a user process,
+not the kernel.
+Otherwise, the command would receive
+.Dv SIGINT
+twice every time the user entered control-C.
+Some signals, such as
+.Dv SIGSTOP
+and
+.Dv SIGKILL ,
+cannot be caught and thus will not be relayed to the command.
+As a general rule,
+.Dv SIGTSTP
+should be used instead of
+.Dv SIGSTOP
+when you wish to suspend a command being run by
+.Nm sudo .
+.Pp
+As a special case,
+.Nm sudo
+will not relay signals that were sent by the command it is running.
+This prevents the command from accidentally killing itself.
+On some systems, the
+.Xr reboot @mansectsu@
+command sends
+.Dv SIGTERM
+to all non-system processes other than itself before rebooting
+the systyem.
+This prevents
+.Nm sudo
+from relaying the
+.Dv SIGTERM
+signal it received back to
+.Xr reboot @mansectsu@ ,
+which might then exit before the system was actually rebooted,
+leaving it in a half-dead state similar to single user mode.
+Note, however, that this check only applies to the command run by
+.Nm sudo
+and not any other processes that the command may create.
+As a result, running a script that calls
+.Xr reboot @mansectsu@
+or
+.Xr shutdown @mansectsu@
+via
+.Nm sudo
+may cause the system to end up in this undefined state unless the
+.Xr reboot @mansectsu@
+or
+.Xr shutdown @mansectsu@
+are run using the
+.Fn exec
+family of functions instead of
+.Fn system
+(which interposes a shell between the command and the calling process).
+.Sh PLUGINS
+Plugins are dynamically loaded based on the contents of the
+.Pa @sysconfdir@/sudo.conf
+file.
+If no
+.Pa @sysconfdir@/sudo.conf
+file is present, or it contains no
+.Li Plugin
+lines,
+.Nm sudo
+will use the traditional
+.Em sudoers
+security policy and I/O logging, which corresponds to the following
+.Pa @sysconfdir@/sudo.conf
+file.
+.Bd -literal
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @prefix@/libexec unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.Ed
+.Pp
+A
+.Li Plugin
+line consists of the
+.Li Plugin
+keyword, followed by the
+.Em symbol_name
+and the
+.Em path
+to the shared object containing the plugin.
+The
+.Em symbol_name
+is the name of the
+.Li struct policy_plugin
+or
+.Li struct io_plugin
+in the plugin shared object.
+The
+.Em path
+may be fully qualified or relative.
+If not fully qualified it is relative to the
+.Pa @prefix@/libexec
+directory.
+Any additional parameters after the
+.Em path
+are passed as arguments to the plugin's
+.Em open
+function.
+Lines that don't begin with
+.Li Plugin ,
+.Li Path ,
+.Li Debug ,
+or
+.Li Set
+are silently ignored.
+.Pp
+For more information, see the
+.Xr sudo_plugin @mansectsu@
+manual.
+.Sh PATHS
+A
+.Li Path
+line consists of the
+.Li Path
+keyword, followed by the name of the path to set and its value.
+E.g.
+.Bd -literal -offset indent
+Path noexec @noexec_file@
+Path askpass /usr/X11R6/bin/ssh-askpass
+.Ed
+.Pp
+The following plugin-agnostic paths may be set in the
+.Pa @sysconfdir@/sudo.conf
+file:
+.Bl -tag -width 8n
+.It askpass
+The fully qualified path to a helper program used to read the user's
+password when no terminal is available.
+This may be the case when
+.Nm sudo
+is executed from a graphical (as opposed to text-based) application.
+The program specified by
+.Em askpass
+should display the argument passed to it as the prompt and write
+the user's password to the standard output.
+The value of
+.Em askpass
+may be overridden by the
+.Ev SUDO_ASKPASS
+environment variable.
+.It noexec
+The fully-qualified path to a shared library containing dummy
+versions of the
+.Fn execv ,
+.Fn execve
+and
+.Fn fexecve
+library functions that just return an error.
+This is used to implement the
+.Em noexec
+functionality on systems that support
+.Ev LD_PRELOAD
+or its equivalent.
+Defaults to
+.Pa @noexec_file@ .
+.El
+.Sh DEBUG FLAGS
+.Nm sudo
+versions 1.8.4 and higher support a flexible debugging framework
+that can help track down what
+.Nm sudo
+is doing internally if there is a problem.
+.Pp
+A
+.Li Debug
+line consists of the
+.Li Debug
+keyword, followed by the name of the program to debug
+.Pq Nm sudo , Nm visudo , Nm sudoreplay ,
+the debug file name and a comma-separated list of debug flags.
+The debug flag syntax used by
+.Nm sudo
+and the
+.Em sudoers
+plugin is
+.Em subsystem Ns No @ Ns Em priority
+but the plugin is free to use a different format so long as it does
+not include a comma
+.Pq Ql \&, .
+.Pp
+For instance:
+.Bd -literal -offset indent
+Debug sudo /var/log/sudo_debug all@warn,plugin@info
+.Ed
+.Pp
+would log all debugging statements at the
+.Em warn
+level and higher in addition to those at the
+.Em info
+level for the plugin subsystem.
+.Pp
+Currently, only one
+.Li Debug
+entry per program is supported.
+The
+.Nm sudo
+.Li Debug
+entry is shared by the
+.Nm sudo
+front end,
+.Nm sudoedit
+and the plugins.
+A future release may add support for per-plugin
+.Li Debug
+lines and/or support for multiple debugging files for a single
+program.
+.Pp
+The priorities used by the
+.Nm sudo
+front end, in order of decreasing severity, are:
+.Em crit , err , warn , notice , diag , info , trace
+and
+.Em debug .
+Each priority, when specified, also includes all priorities higher
+than it.
+For example, a priority of
+.Em notice
+would include debug messages logged at
+.Em notice
+and higher.
+.Pp
+The following subsystems are used by the
+.Nm sudo
+front-end:
+.Bl -tag -width Fl
+.It Em all
+matches every subsystem
+.It Em args
+command line argument processing
+.It Em conv
+user conversation
+.It Em edit
+sudoedit
+.It Em exec
+command execution
+.It Em main
+.Nm sudo
+main function
+.It Em netif
+network interface handling
+.It Em pcomm
+communication with the plugin
+.It Em plugin
+plugin configuration
+.It Em pty
+pseudo-tty related code
+.It Em selinux
+SELinux-specific handling
+.It Em util
+utility functions
+.It Em utmp
+utmp handling
+.El
+.Sh EXIT VALUE
+Upon successful execution of a program, the exit status from
+.Em sudo
+will simply be the exit status of the program that was executed.
+.Pp
+Otherwise,
+.Nm sudo
+exits with a value of 1 if there is a configuration/permission
+problem or if
+.Nm sudo
+cannot execute the given command.
+In the latter case the error string is printed to the standard error.
+If
+.Nm sudo
+cannot
+.Xr stat 2
+one or more entries in the user's
+.Ev PATH ,
+an error is printed on stderr.
+(If the directory does not exist or if it is not really a directory,
+the entry is ignored and no error is printed.)
+This should not happen under normal circumstances.
+The most common reason for
+.Xr stat 2
+to return
+.Dq permission denied
+is if you are running an automounter and one of the directories in
+your
+.Ev PATH
+is on a machine that is currently unreachable.
+.Sh SECURITY NOTES
+.Nm sudo
+tries to be safe when executing external commands.
+.Pp
+To prevent command spoofing,
+.Nm sudo
+checks "." and "" (both denoting current directory) last when
+searching for a command in the user's
+.Ev PATH
+(if one or both are in the
+.Ev PATH ) .
+Note, however, that the actual
+.Ev PATH
+environment variable is
+.Em not
+modified and is passed unchanged to the program that
+.Nm sudo
+executes.
+.Pp
+Please note that
+.Nm sudo
+will normally only log the command it explicitly runs.
+If a user runs a command such as
+.Li sudo su
+or
+.Li sudo sh ,
+subsequent commands run from that shell are not subject to
+.Nm sudo Ns No 's
+security policy.
+The same is true for commands that offer shell escapes (including
+most editors).
+If I/O logging is enabled, subsequent commands will have their input and/or
+output logged, but there will not be traditional logs for those commands.
+Because of this, care must be taken when giving users access to commands via
+.Nm sudo
+to verify that the command does not inadvertently give the user an
+effective root shell.
+For more information, please see the
+.Em PREVENTING SHELL ESCAPES
+section in
+.Xr sudoers @mansectform@ .
+.Pp
+To prevent the disclosure of potentially sensitive information,
+.Nm sudo
+disables core dumps by default while it is executing (they are
+re-enabled for the command that is run).
+To aid in debugging
+.Nm sudo
+crashes, you may wish to re-enable core dumps by setting
+.Dq disable_coredump
+to false in the
+.Pa @sysconfdir@/sudo.conf
+file as follows:
+.Bd -literal -offset indent
+Set disable_coredump false
+.Ed
+.Pp
+Note that by default, most operating systems disable core dumps
+from setuid programs, which includes
+.Nm sudo .
+To actually get a
+.Nm sudo
+core file you may need to enable core dumps for setuid processes.
+On BSD and Linux systems this is accomplished via the sysctl command,
+on Solaris the coreadm command can be used.
+.Sh ENVIRONMENT
+.Nm sudo
+utilizes the following environment variables.
+The security policy has control over the actual content of the command's
+environment.
+.Bl -tag -width 15n
+.It Ev EDITOR
+Default editor to use in
+.Fl e
+(sudoedit) mode if neither
+.Ev SUDO_EDITOR
+nor
+.Ev VISUAL
+is set.
+.It Ev MAIL
+In
+.Fl i
+mode or when
+.Em env_reset
+is enabled in
+.Em sudoers ,
+set to the mail spool of the target user.
+.It Ev HOME
+Set to the home directory of the target user if
+.Fl i
+or
+.Fl H
+are specified,
+.Em env_reset
+or
+.Em always_set_home
+are set in
+.Em sudoers ,
+or when the
+.Fl s
+option is specified and
+.Em set_home
+is set in
+.Em sudoers .
+.It Ev PATH
+May be overridden by the security policy.
+.It Ev SHELL
+Used to determine shell to run with
+.Fl s
+option.
+.It Ev SUDO_ASKPASS
+Specifies the path to a helper program used to read the password
+if no terminal is available or if the
+.Fl A
+option is specified.
+.It Ev SUDO_COMMAND
+Set to the command run by sudo.
+.It Ev SUDO_EDITOR
+Default editor to use in
+.Fl e
+(sudoedit) mode.
+.It Ev SUDO_GID
+Set to the group ID of the user who invoked sudo.
+.It Ev SUDO_PROMPT
+Used as the default password prompt.
+.It Ev SUDO_PS1
+If set,
+.Ev PS1
+will be set to its value for the program being run.
+.It Ev SUDO_UID
+Set to the user ID of the user who invoked sudo.
+.It Ev SUDO_USER
+Set to the login name of the user who invoked sudo.
+.It Ev USER
+Set to the target user (root unless the
+.Fl u
+option is specified).
+.It Ev VISUAL
+Default editor to use in
+.Fl e
+(sudoedit) mode if
+.Ev SUDO_EDITOR
+is not set.
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudo.conf
+.Nm sudo
+front end configuration
+.El
+.Sh EXAMPLES
+Note: the following examples assume a properly configured security
+policy.
+.Pp
+To get a file listing of an unreadable directory:
+.Bd -literal -offset indent
+$ sudo ls /usr/local/protected
+.Ed
+.Pp
+To list the home directory of user yaz on a machine where the file
+system holding ~yaz is not exported as root:
+.Bd -literal -offset indent
+$ sudo -u yaz ls ~yaz
+.Ed
+.Pp
+To edit the
+.Pa index.html
+file as user www:
+.Bd -literal -offset indent
+$ sudo -u www vi ~www/htdocs/index.html
+.Ed
+.Pp
+To view system logs only accessible to root and users in the adm
+group:
+.Bd -literal -offset indent
+$ sudo -g adm view /var/log/syslog
+.Ed
+.Pp
+To run an editor as jim with a different primary group:
+.Bd -literal -offset indent
+$ sudo -u jim -g audio vi ~jim/sound.txt
+.Ed
+.Pp
+To shut down a machine:
+.Bd -literal -offset indent
+$ sudo shutdown -r +15 "quick reboot"
+.Ed
+.Pp
+To make a usage listing of the directories in the /home partition.
+Note that this runs the commands in a sub-shell to make the
+.Li cd
+and file redirection work.
+.Bd -literal -offset indent
+$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+.Ed
+.Sh SEE ALSO
+.Xr grep 1 ,
+.Xr su 1 ,
+.Xr stat 2 ,
+.Xr login_cap 3 ,
+.Xr passwd @mansectform@ ,
+.Xr sudoers @mansectform@ ,
+.Xr sudo_plugin @mansectsu@ ,
+.Xr sudoreplay @mansectsu@ ,
+.Xr visudo @mansectsu@
+.Sh HISTORY
+See the HISTORY file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/history.html) for a brief
+history of sudo.
+.Sh AUTHORS
+Many people have worked on
+.Nm sudo
+over the years; this version consists of code written primarily by:
+.Bd -ragged -offset indent
+Todd C. Miller
+.Ed
+.Pp
+See the CONTRIBUTORS file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+.Nm sudo .
+.Sh CAVEATS
+There is no easy way to prevent a user from gaining a root shell
+if that user is allowed to run arbitrary commands via
+.Nm sudo .
+Also, many programs (such as editors) allow the user to run commands
+via shell escapes, thus avoiding
+.Nm sudo Ns No 's
+checks.
+However, on most systems it is possible to prevent shell escapes with the
+.Xr sudoers @mansectform@
+plugin's
+.Em noexec
+functionality.
+.Pp
+It is not meaningful to run the
+.Li cd
+command directly via sudo, e.g.,
+.Bd -literal -offset indent
+$ sudo cd /usr/local/protected
+.Ed
+.Pp
+since when the command exits the parent process (your shell) will
+still be the same.
+Please see the
+.Sx EXAMPLES
+section for more information.
+.Pp
+Running shell scripts via
+.Nm sudo
+can expose the same kernel bugs that make setuid shell scripts
+unsafe on some operating systems (if your OS has a /dev/fd/ directory,
+setuid shell scripts are generally safe).
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 1994-1996, 1998-2005, 2007-2012
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Sponsored in part by the Defense Advanced Research Projects
-Agency (DARPA) and Air Force Research Laboratory, Air Force
-Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=pod
-
-=head1 NAME
-
-sudo, sudoedit - execute a command as another user
-
-=head1 SYNOPSIS
-
-B<sudo> B<-h> | B<-K> | B<-k> | B<-V>
-
-B<sudo> B<-v> [B<-AknS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-u> I<user name>|I<#uid>]>
-
-B<sudo> B<-l[l]> [B<-AknS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
-
-B<sudo> [B<-AbEHnPS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-C> I<fd>]>
-S<[B<-c> I<class>|I<->]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-r> I<role>]> S<[B<-t> I<type>]>
-S<[B<-u> I<user name>|I<#uid>]>
-S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
-
-B<sudoedit> [B<-AnS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-C> I<fd>]>
-S<[B<-c> I<class>|I<->]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-u> I<user name>|I<#uid>]> file ...
-
-=head1 DESCRIPTION
-
-B<sudo> allows a permitted user to execute a I<command> as the
-superuser or another user, as specified by the security policy.
-The real and effective uid and gid are set to match those of the
-target user, as specified in the password database, and the group
-vector is initialized based on the group database (unless the B<-P>
-option was specified).
-
-B<sudo> supports a plugin architecture for security policies and
-input/output logging. Third parties can develop and distribute
-their own policy and I/O logging modules to work seamlessly with
-the B<sudo> front end. The default security policy is I<sudoers>,
-which is configured via the file F<@sysconfdir@/sudoers>, or via
-LDAP. See the L<PLUGINS> section for more information.
-
-The security policy determines what privileges, if any, a user has
-to run B<sudo>. The policy may require that users authenticate
-themselves with a password or another authentication mechanism. If
-authentication is required, B<sudo> will exit if the user's password
-is not entered within a configurable time limit. This limit is
-policy-specific; the default password prompt timeout for the
-I<sudoers> security policy is C<@password_timeout@> minutes.
-
-Security policies may support credential caching to allow the user
-to run B<sudo> again for a period of time without requiring
-authentication. The I<sudoers> policy caches credentials for
-C<@timeout@> minutes, unless overridden in L<sudoers(5)>. By
-running B<sudo> with the B<-v> option, a user can update the cached
-credentials without running a I<command>.
-
-When invoked as B<sudoedit>, the B<-e> option (described below),
-is implied.
-
-Security policies may log successful and failed attempts to use
-B<sudo>. If an I/O plugin is configured, the running command's
-input and output may be logged as well.
-
-=head1 OPTIONS
-
-B<sudo> accepts the following command line options:
-
-=over 12
-
-=item -A
-
-Normally, if B<sudo> requires a password, it will read it from the
-user's terminal. If the B<-A> (I<askpass>) option is specified,
-a (possibly graphical) helper program is executed to read the user's
-password and output the password to the standard output. If the
-C<SUDO_ASKPASS> environment variable is set, it specifies the path
-to the helper program. Otherwise, if F<@sysconfdir@/sudo.conf>
-contains a line specifying the askpass program, that value will be
-used. For example:
-
- # Path to askpass helper program
- Path askpass /usr/X11R6/bin/ssh-askpass
-
-If no askpass program is available, sudo will exit with an error.
-
-=item -a I<type>
-
-The B<-a> (I<authentication type>) option causes B<sudo> to use the
-specified authentication type when validating the user, as allowed
-by F</etc/login.conf>. The system administrator may specify a list
-of sudo-specific authentication methods by adding an "auth-sudo"
-entry in F</etc/login.conf>. This option is only available on systems
-that support BSD authentication.
-
-=item -b
-
-The B<-b> (I<background>) option tells B<sudo> to run the given
-command in the background. Note that if you use the B<-b>
-option you cannot use shell job control to manipulate the process.
-Most interactive commands will fail to work properly in background
-mode.
-
-=item -C I<fd>
-
-Normally, B<sudo> will close all open file descriptors other than
-standard input, standard output and standard error. The B<-C>
-(I<close from>) option allows the user to specify a starting point
-above the standard error (file descriptor three). Values less than
-three are not permitted. The security policy may restrict the
-user's ability to use the B<-C> option. The I<sudoers> policy only
-permits use of the B<-C> option when the administrator has enabled
-the I<closefrom_override> option.
-
-=item -c I<class>
-
-The B<-c> (I<class>) option causes B<sudo> to run the specified command
-with resources limited by the specified login class. The I<class>
-argument can be either a class name as defined in F</etc/login.conf>,
-or a single '-' character. Specifying a I<class> of C<-> indicates
-that the command should be run restricted by the default login
-capabilities for the user the command is run as. If the I<class>
-argument specifies an existing user class, the command must be run
-as root, or the B<sudo> command must be run from a shell that is already
-root. This option is only available on systems with BSD login classes.
-
-=item -E
-
-The B<-E> (I<preserve> I<environment>) option indicates to the
-security policy that the user wishes to preserve their existing
-environment variables. The security policy may return an error if
-the B<-E> option is specified and the user does not have permission
-to preserve the environment.
-
-=item -e
-
-The B<-e> (I<edit>) option indicates that, instead of running a
-command, the user wishes to edit one or more files. In lieu of a
-command, the string "sudoedit" is used when consulting the security
-policy. If the user is authorized by the policy, the following
-steps are taken:
-
-=over 4
-
-=item 1.
-
-Temporary copies are made of the files to be edited with the owner
-set to the invoking user.
-
-=item 2.
-
-The editor specified by the policy is run to edit the temporary files.
-The I<sudoers> policy uses the C<SUDO_EDITOR>, C<VISUAL> and C<EDITOR>
-environment variables (in that order). If none of C<SUDO_EDITOR>,
-C<VISUAL> or C<EDITOR> are set, the first program listed in the
-I<editor> L<sudoers(5)> option is used.
-
-=item 3.
-
-If they have been modified, the temporary files are copied back to
-their original location and the temporary versions are removed.
-
-=back
-
-If the specified file does not exist, it will be created. Note
-that unlike most commands run by B<sudo>, the editor is run with
-the invoking user's environment unmodified. If, for some reason,
-B<sudo> is unable to update a file with its edited version, the
-user will receive a warning and the edited copy will remain in a
-temporary file.
-
-=item -g I<group>
-
-Normally, B<sudo> runs a command with the primary group set to the
-one specified by the password database for the user the command is
-being run as (by default, root). The B<-g> (I<group>) option causes
-B<sudo> to run the command with the primary group set to I<group>
-instead. To specify a I<gid> instead of a I<group name>, use
-I<#gid>. When running commands as a I<gid>, many shells require
-that the '#' be escaped with a backslash ('\'). If no B<-u> option
-is specified, the command will be run as the invoking user (not
-root). In either case, the primary group will be set to I<group>.
-
-=item -H
-
-The B<-H> (I<HOME>) option requests that the security policy set
-the C<HOME> environment variable to the home directory of the target
-user (root by default) as specified by the password database.
-Depending on the policy, this may be the default behavior.
-
-=item -h
-
-The B<-h> (I<help>) option causes B<sudo> to print a short help message
-to the standard output and exit.
-
-=item -i [command]
-
-The B<-i> (I<simulate initial login>) option runs the shell specified
-by the password database entry of the target user as a login shell.
-This means that login-specific resource files such as C<.profile>
-or C<.login> will be read by the shell. If a command is specified,
-it is passed to the shell for execution via the shell's B<-c> option.
-If no command is specified, an interactive shell is executed.
-B<sudo> attempts to change to that user's home directory before
-running the shell. The security policy shall initialize the
-environment to a minimal set of variables, similar to what is present
-when a user logs in. The I<Command Environment> section in the
-L<sudoers(5)> manual documents how the B<-i> option affects the
-environment in which a command is run when the I<sudoers> policy
-is in use.
-
-=item -K
-
-The B<-K> (sure I<kill>) option is like B<-k> except that it removes
-the user's cached credentials entirely and may not be used in
-conjunction with a command or other option. This option does not
-require a password. Not all security policies support credential
-caching.
-
-=item -k [command]
-
-When used alone, the B<-k> (I<kill>) option to B<sudo> invalidates
-the user's cached credentials. The next time B<sudo> is run a
-password will be required. This option does not require a password
-and was added to allow a user to revoke B<sudo> permissions from a
-.logout file. Not all security policies support credential
-caching.
-
-When used in conjunction with a command or an option that may require
-a password, the B<-k> option will cause B<sudo> to ignore the user's
-cached credentials. As a result, B<sudo> will prompt for a password
-(if one is required by the security policy) and will not update the
-user's cached credentials.
-
-=item -l[l] [I<command>]
-
-If no I<command> is specified, the B<-l> (I<list>) option will list
-the allowed (and forbidden) commands for the invoking user (or the
-user specified by the B<-U> option) on the current host. If a
-I<command> is specified and is permitted by the security policy,
-the fully-qualified path to the command is displayed along with any
-command line arguments. If I<command> is specified but not allowed,
-B<sudo> will exit with a status value of 1. If the B<-l> option
-is specified with an B<l> argument (i.e. B<-ll>), or if B<-l> is
-specified multiple times, a longer list format is used.
-
-=item -n
-
-The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
-the user for a password. If a password is required for the command
-to run, B<sudo> will display an error messages and exit.
-
-=item -P
-
-The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
-preserve the invoking user's group vector unaltered. By default,
-the I<sudoers> policy will initialize the group vector to the list
-of groups the target user is in. The real and effective group IDs,
-however, are still set to match the target user.
-
-=item -p I<prompt>
-
-The B<-p> (I<prompt>) option allows you to override the default
-password prompt and use a custom one. The following percent (`C<%>')
-escapes are supported by the I<sudoers> policy:
-
-=over 4
-
-=item C<%H>
-
-expanded to the host name including the domain name (on if
-the machine's host name is fully qualified or the I<fqdn> option
-is set in L<sudoers(5)>)
-
-=item C<%h>
-
-expanded to the local host name without the domain name
-
-=item C<%p>
-
-expanded to the name of the user whose password is being requested
-(respects the I<rootpw>, I<targetpw> and I<runaspw> flags in
-L<sudoers(5)>)
-
-=item C<%U>
-
-expanded to the login name of the user the command will be run as
-(defaults to root unless the C<-u> option is also specified)
-
-=item C<%u>
-
-expanded to the invoking user's login name
-
-=item C<%%>
-
-two consecutive C<%> characters are collapsed into a single C<%> character
-
-=back
-
-The prompt specified by the B<-p> option will override the system
-password prompt on systems that support PAM unless the
-I<passprompt_override> flag is disabled in I<sudoers>.
-
-=item -r I<role>
-
-The B<-r> (I<role>) option causes the new (SELinux) security context to
-have the role specified by I<role>.
-
-=item -S
-
-The B<-S> (I<stdin>) option causes B<sudo> to read the password from
-the standard input instead of the terminal device. The password must
-be followed by a newline character.
-
-=item -s [command]
-
-The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
-environment variable if it is set or the shell as specified in the
-password database. If a command is specified, it is passed to the
-shell for execution via the shell's B<-c> option. If no command
-is specified, an interactive shell is executed.
-
-=item -t I<type>
-
-The B<-t> (I<type>) option causes the new (SELinux) security context to
-have the type specified by I<type>. If no type is specified, the default
-type is derived from the specified role.
-
-=item -U I<user>
-
-The B<-U> (I<other user>) option is used in conjunction with the
-B<-l> option to specify the user whose privileges should be listed.
-The security policy may restrict listing other users' privileges.
-The I<sudoers> policy only allows root or a user with the C<ALL>
-privilege on the current host to use this option.
-
-=item -u I<user>
-
-The B<-u> (I<user>) option causes B<sudo> to run the specified
-command as a user other than I<root>. To specify a I<uid> instead
-of a I<user name>, use I<#uid>. When running commands as a I<uid>,
-many shells require that the '#' be escaped with a backslash ('\').
-Security policies may restrict I<uid>s to those listed in the
-password database. The I<sudoers> policy allows I<uid>s that are
-not in the password database as long as the I<targetpw> option is
-not set. Other security policies may not support this.
-
-=item -V
-
-The B<-V> (I<version>) option causes B<sudo> to print its version
-string and the version string of the security policy plugin and any
-I/O plugins. If the invoking user is already root the B<-V> option
-will display the arguments passed to configure when I<sudo> was
-built and plugins may display more verbose information such as
-default options.
-
-=item -v
-
-When given the B<-v> (I<validate>) option, B<sudo> will update the
-user's cached credentials, authenticating the user's password if
-necessary. For the I<sudoers> plugin, this extends the B<sudo>
-timeout for another C<@timeout@> minutes (or whatever the timeout
-is set to in I<sudoers>) but does not run a command. Not all
-security policies support cached credentials.
-
-=item --
-
-The B<--> option indicates that B<sudo> should stop processing command
-line arguments.
-
-=back
-
-Environment variables to be set for the command may also be passed
-on the command line in the form of B<VAR>=I<value>, e.g.
-B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>. Variables passed on the
-command line are subject to the same restrictions as normal environment
-variables with one important exception. If the I<setenv> option
-is set in I<sudoers>, the command to be run has the C<SETENV> tag
-set or the command matched is C<ALL>, the user may set variables
-that would otherwise be forbidden. See L<sudoers(5)> for more information.
-
-=head1 PLUGINS
-
-Plugins are dynamically loaded based on the contents of the
-F<@sysconfdir@/sudo.conf> file. If no F<@sysconfdir@/sudo.conf>
-file is present, or it contains no C<Plugin> lines, B<sudo>
-will use the traditional I<sudoers> security policy and I/O logging,
-which corresponds to the following F<@sysconfdir@/sudo.conf> file.
-
- #
- # Default @sysconfdir@/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to @prefix@/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
-
-A C<Plugin> line consists of the C<Plugin> keyword, followed by the
-I<symbol_name> and the I<path> to the shared object containing the
-plugin. The I<symbol_name> is the name of the C<struct policy_plugin>
-or C<struct io_plugin> in the plugin shared object. The I<path>
-may be fully qualified or relative. If not fully qualified it is
-relative to the F<@prefix@/libexec> directory. Any additional
-parameters after the I<path> are passed as arguments to the plugin's
-I<open> function. Lines that don't begin with C<Plugin>, C<Path>,
-C<Debug> or C<Set> are silently ignored.
-
-For more information, see the L<sudo_plugin(8)> manual.
-
-=head1 PATHS
-
-A C<Path> line consists of the C<Path> keyword, followed by the
-name of the path to set and its value. E.g.
-
- Path noexec @noexec_file@
- Path askpass /usr/X11R6/bin/ssh-askpass
-
-The following plugin-agnostic paths may be set in the
-F<@sysconfdir@/sudo.conf> file.
-
-=over 16
-
-=item askpass
-
-The fully qualified path to a helper program used to read the user's
-password when no terminal is available. This may be the case when
-B<sudo> is executed from a graphical (as opposed to text-based)
-application. The program specified by I<askpass> should display
-the argument passed to it as the prompt and write the user's password
-to the standard output. The value of I<askpass> may be overridden
-by the C<SUDO_ASKPASS> environment variable.
-
-=item noexec
-
-The fully-qualified path to a shared library containing dummy
-versions of the execv(), execve() and fexecve() library functions
-that just return an error. This is used to implement the I<noexec>
-functionality on systems that support C<LD_PRELOAD> or its equivalent.
-Defaults to F<@noexec_file@>.
-
-=back
-
-=head1 DEBUG FLAGS
-
-B<sudo> versions 1.8.4 and higher support a flexible debugging
-framework that can help track down what B<sudo> is doing internally
-if there is a problem.
-
-A C<Debug> line consists of the C<Debug> keyword, followed by the
-name of the program to debug (B<sudo>, B<visudo>, B<sudoreplay>),
-the debug file name and a comma-separated list of debug flags.
-The debug flag syntax used by B<sudo> and the I<sudoers> plugin is
-I<subsystem>@I<priority> but the plugin is free to use a different
-format so long as it does not include a command C<,>.
-
-For instance:
-
- Debug sudo /var/log/sudo_debug all@warn,plugin@info
-
-would log all debugging statements at the I<warn> level and higher
-in addition to those at the I<info> level for the plugin subsystem.
-
-Currently, only one C<Debug> entry per program is supported. The
-C<sudo> C<Debug> entry is shared by the B<sudo> front end, B<sudoedit>
-and the plugins. A future release may add support for per-plugin
-C<Debug> lines and/or support for multiple debugging files for a
-single program.
-
-The priorities used by the B<sudo> front end, in order of decreasing
-severity, are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>,
-I<trace> and I<debug>. Each priority, when specified, also includes
-all priorities higher than it. For example, a priority of I<notice>
-would include debug messages logged at I<notice> and higher.
-
-The following subsystems are used by B<sudo>:
-
-=over 10
-
-=item I<all>
-
-matches every subsystem
-
-=item I<args>
-
-command line argument processing
-
-=item I<conv>
-
-user conversation
-
-=item I<edit>
-
-sudoedit
-
-=item I<exec>
-
-command execution
-
-=item I<main>
-
-B<sudo> main function
-
-=item I<netif>
-
-network interface handling
-
-=item I<pcomm>
-
-communication with the plugin
-
-=item I<plugin>
-
-plugin configuration
-
-=item I<pty>
-
-pseudo-tty related code
-
-=item I<selinux>
-
-SELinux-specific handling
-
-=item I<util>
-
-utility functions
-
-=item I<utmp>
-
-utmp handling
-
-=back
-
-=head1 RETURN VALUES
-
-Upon successful execution of a program, the exit status from B<sudo>
-will simply be the exit status of the program that was executed.
-
-Otherwise, B<sudo> exits with a value of 1 if there is a
-configuration/permission problem or if B<sudo> cannot execute the
-given command. In the latter case the error string is printed to
-the standard error. If B<sudo> cannot L<stat(2)> one or more entries
-in the user's C<PATH>, an error is printed on stderr. (If the
-directory does not exist or if it is not really a directory, the
-entry is ignored and no error is printed.) This should not happen
-under normal circumstances. The most common reason for L<stat(2)>
-to return "permission denied" is if you are running an automounter
-and one of the directories in your C<PATH> is on a machine that is
-currently unreachable.
-
-=head1 SECURITY NOTES
-
-B<sudo> tries to be safe when executing external commands.
-
-To prevent command spoofing, B<sudo> checks "." and "" (both denoting
-current directory) last when searching for a command in the user's
-PATH (if one or both are in the PATH). Note, however, that the
-actual C<PATH> environment variable is I<not> modified and is passed
-unchanged to the program that B<sudo> executes.
-
-Please note that B<sudo> will normally only log the command it
-explicitly runs. If a user runs a command such as C<sudo su> or
-C<sudo sh>, subsequent commands run from that shell are not subject
-to B<sudo>'s security policy. The same is true for commands that
-offer shell escapes (including most editors). If I/O logging is
-enabled, subsequent commands will have their input and/or output
-logged, but there will not be traditional logs for those commands.
-Because of this, care must be taken when giving users access to
-commands via B<sudo> to verify that the command does not inadvertently
-give the user an effective root shell. For more information, please
-see the C<PREVENTING SHELL ESCAPES> section in L<sudoers(5)>.
-
-To prevent the disclosure of potentially sensitive information,
-B<sudo> disables core dumps by default while it is executing (they
-are re-enabled for the command that is run). To aid in debugging
-B<sudo> crashes, you may wish to re-enable core dumps by setting
-"disable_coredump" to false in the F<@sysconfdir@/sudo.conf> file.
-
- Set disable_coredump false
-
-Note that by default, most operating systems disable core dumps
-from setuid programs, which includes B<sudo>. To actually get a
-B<sudo> core file you may need to enable core dumps for setuid
-processes. On BSD and Linux systems this is accomplished via the
-sysctl command, on Solaris the coreadm command can be used.
-
-=head1 ENVIRONMENT
-
-B<sudo> utilizes the following environment variables. The security
-policy has control over the content of the command's environment.
-
-=over 16
-
-=item C<EDITOR>
-
-Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
-nor C<VISUAL> is set
-
-=item C<MAIL>
-
-In B<-i> mode or when I<env_reset> is enabled in I<sudoers>, set
-to the mail spool of the target user
-
-=item C<HOME>
-
-Set to the home directory of the target user if B<-i> or B<-H> are
-specified, I<env_reset> or I<always_set_home> are set in I<sudoers>,
-or when the B<-s> option is specified and I<set_home> is set in
-I<sudoers>
-
-=item C<PATH>
-
-May be overridden by the security policy.
-
-=item C<SHELL>
-
-Used to determine shell to run with C<-s> option
-
-=item C<SUDO_ASKPASS>
-
-Specifies the path to a helper program used to read the password
-if no terminal is available or if the C<-A> option is specified.
-
-=item C<SUDO_COMMAND>
-
-Set to the command run by sudo
-
-=item C<SUDO_EDITOR>
-
-Default editor to use in B<-e> (sudoedit) mode
-
-=item C<SUDO_GID>
-
-Set to the group ID of the user who invoked sudo
-
-=item C<SUDO_PROMPT>
-
-Used as the default password prompt
-
-=item C<SUDO_PS1>
-
-If set, C<PS1> will be set to its value for the program being run
-
-=item C<SUDO_UID>
-
-Set to the user ID of the user who invoked sudo
-
-=item C<SUDO_USER>
-
-Set to the login of the user who invoked sudo
-
-=item C<USER>
-
-Set to the target user (root unless the B<-u> option is specified)
-
-=item C<VISUAL>
-
-Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
-is not set
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F<@sysconfdir@/sudo.conf>
-
-B<sudo> front end configuration
-
-=back
-
-=head1 EXAMPLES
-
-Note: the following examples assume a properly configured security policy.
-
-To get a file listing of an unreadable directory:
-
- $ sudo ls /usr/local/protected
-
-To list the home directory of user yaz on a machine where the
-file system holding ~yaz is not exported as root:
-
- $ sudo -u yaz ls ~yaz
-
-To edit the F<index.html> file as user www:
-
- $ sudo -u www vi ~www/htdocs/index.html
-
-To view system logs only accessible to root and users in the adm group:
-
- $ sudo -g adm view /var/log/syslog
-
-To run an editor as jim with a different primary group:
-
- $ sudo -u jim -g audio vi ~jim/sound.txt
-
-To shutdown a machine:
-
- $ sudo shutdown -r +15 "quick reboot"
-
-To make a usage listing of the directories in the /home
-partition. Note that this runs the commands in a sub-shell
-to make the C<cd> and file redirection work.
-
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-
-=head1 SEE ALSO
-
-L<grep(1)>, L<su(1)>, L<stat(2)>,
-L<login_cap(3)>,
-L<passwd(5)>, L<sudoers(5)>, L<sudo_plugin(8)>, L<sudoreplay(8)>, L<visudo(8)>
-
-=head1 AUTHORS
-
-Many people have worked on B<sudo> over the years; this
-version consists of code written primarily by:
-
- Todd C. Miller
-
-See the CONTRIBUTORS file in the B<sudo> distribution
-(http://www.sudo.ws/sudo/contributors.html) for a list of people
-who have contributed to B<sudo>.
-
-=head1 HISTORY
-
-See the HISTORY file in the B<sudo> distribution
-(http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
-
-=head1 CAVEATS
-
-There is no easy way to prevent a user from gaining a root shell
-if that user is allowed to run arbitrary commands via B<sudo>.
-Also, many programs (such as editors) allow the user to run commands
-via shell escapes, thus avoiding B<sudo>'s checks. However, on
-most systems it is possible to prevent shell escapes with the
-L<sudoers(5)> module's I<noexec> functionality.
-
-It is not meaningful to run the C<cd> command directly via sudo, e.g.,
-
- $ sudo cd /usr/local/protected
-
-since when the command exits the parent process (your shell) will
-still be the same. Please see the EXAMPLES section for more information.
-
-Running shell scripts via B<sudo> can expose the same kernel bugs that
-make setuid shell scripts unsafe on some operating systems (if your OS
-has a /dev/fd/ directory, setuid shell scripts are generally safe).
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m)
-
-
+SUDO_PLUGIN(4) Programmer's Manual SUDO_PLUGIN(4)
N\bNA\bAM\bME\bE
- sudo_plugin - Sudo Plugin API
+ s\bsu\bud\bdo\bo_\b_p\bpl\blu\bug\bgi\bin\bn - Sudo Plugin API
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- Starting with version 1.8, s\bsu\bud\bdo\bo supports a plugin API for policy and
- session logging. By default, the _\bs_\bu_\bd_\bo_\be_\br_\bs policy plugin and an
- associated I/O logging plugin are used. Via the plugin API, s\bsu\bud\bdo\bo can
- be configured to use alternate policy and/or I/O logging plugins
- provided by third parties. The plugins to be used are specified via
- the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
-
- The API is versioned with a major and minor number. The minor version
- number is incremented when additions are made. The major number is
- incremented when incompatible changes are made. A plugin should be
- check the version passed to it and make sure that the major version
- matches.
-
- The plugin API is defined by the sudo_plugin.h header file.
-
- T\bTh\bhe\be s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf F\bFi\bil\ble\be
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file contains plugin configuration directives.
- Currently, the only supported keyword is the Plugin directive, which
- causes a plugin plugin to be loaded.
-
- A Plugin line consists of the Plugin keyword, followed by the
- _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be and the _\bp_\ba_\bt_\bh to the shared object containing the plugin.
- The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be is the name of the struct policy_plugin or struct
- io_plugin in the plugin shared object. The _\bp_\ba_\bt_\bh may be fully qualified
- or relative. If not fully qualified it is relative to the
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any additional parameters after the _\bp_\ba_\bt_\bh
- are passed as options to the plugin's _\bo_\bp_\be_\bn function. Lines that don't
- begin with Plugin, Path, Debug or Set are silently ignored.
-
- The same shared object may contain multiple plugins, each with a
- different symbol name. The shared object file must be owned by uid 0
- and only writable by its owner. Because of ambiguities that arise from
- composite policies, only a single policy plugin may be specified. This
- limitation does not apply to I/O plugins.
-
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin sudoers_policy sudoers.so
- Plugin sudoers_io sudoers.so
-
- P\bPo\bol\bli\bic\bcy\by P\bPl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- A policy plugin must declare and populate a policy_plugin struct in the
- global scope. This structure contains pointers to the functions that
- implement the s\bsu\bud\bdo\bo policy checks. The name of the symbol should be
- specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf along with a path to the plugin so that
- s\bsu\bud\bdo\bo can load it.
-
- struct policy_plugin {
- #define SUDO_POLICY_PLUGIN 1
- unsigned int type; /* always SUDO_POLICY_PLUGIN */
- unsigned int version; /* always SUDO_API_VERSION */
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[],
- char * const plugin_options[]);
- void (*close)(int exit_status, int error);
- int (*show_version)(int verbose);
- int (*check_policy)(int argc, char * const argv[],
- char *env_add[], char **command_info[],
- char **argv_out[], char **user_env_out[]);
- int (*list)(int argc, char * const argv[], int verbose,
- const char *list_user);
- int (*validate)(void);
- void (*invalidate)(int remove);
- int (*init_session)(struct passwd *pwd, char **user_env[]);
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
- };
-
- The policy_plugin struct has the following fields:
-
- type
- The type field should always be set to SUDO_POLICY_PLUGIN.
-
- version
+ Starting with version 1.8, s\bsu\bud\bdo\bo supports a plugin API for policy and
+ session logging. By default, the _\bs_\bu_\bd_\bo_\be_\br_\bs policy plugin and an associated
+ I/O logging plugin are used. Via the plugin API, s\bsu\bud\bdo\bo can be configured
+ to use alternate policy and/or I/O logging plugins provided by third
+ parties. The plugins to be used are specified via the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file.
+
+ The API is versioned with a major and minor number. The minor version
+ number is incremented when additions are made. The major number is
+ incremented when incompatible changes are made. A plugin should be check
+ the version passed to it and make sure that the major version matches.
+
+ The plugin API is defined by the sudo_plugin.h header file.
+
+ T\bTh\bhe\be s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf f\bfi\bil\ble\be
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file contains plugin configuration directives. The
+ primary keyword is the Plugin directive, which causes a plugin to be
+ loaded.
+
+ A Plugin line consists of the Plugin keyword, followed by the _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
+ and the _\bp_\ba_\bt_\bh to the shared object containing the plugin. The _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
+ is the name of the struct policy_plugin or struct io_plugin in the plugin
+ shared object. The _\bp_\ba_\bt_\bh may be fully qualified or relative. If not
+ fully qualified it is relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory. Any
+ additional parameters after the _\bp_\ba_\bt_\bh are passed as options to the
+ plugin's o\bop\bpe\ben\bn() function. Lines that don't begin with Plugin, Path,
+ Debug or Set are silently ignored.
+
+ The same shared object may contain multiple plugins, each with a
+ different symbol name. The shared object file must be owned by uid 0 and
+ only writable by its owner. Because of ambiguities that arise from
+ composite policies, only a single policy plugin may be specified. This
+ limitation does not apply to I/O plugins.
+
+ #
+ # Default /etc/sudo.conf file
+ #
+ # Format:
+ # Plugin plugin_name plugin_path plugin_options ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
+ #
+ # The plugin_path is relative to /usr/local/libexec unless
+ # fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ # that contains the plugin interface structure.
+ # The plugin_options are optional.
+ #
+ Plugin sudoers_policy sudoers.so
+ Plugin sudoers_io sudoers.so
+
+ P\bPo\bol\bli\bic\bcy\by p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
+ A policy plugin must declare and populate a policy_plugin struct in the
+ global scope. This structure contains pointers to the functions that
+ implement the s\bsu\bud\bdo\bo policy checks. The name of the symbol should be
+ specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf along with a path to the plugin so that s\bsu\bud\bdo\bo
+ can load it.
+
+ struct policy_plugin {
+ #define SUDO_POLICY_PLUGIN 1
+ unsigned int type; /* always SUDO_POLICY_PLUGIN */
+ unsigned int version; /* always SUDO_API_VERSION */
+ int (*open)(unsigned int version, sudo_conv_t conversation,
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], char * const user_env[],
+ char * const plugin_options[]);
+ void (*close)(int exit_status, int error);
+ int (*show_version)(int verbose);
+ int (*check_policy)(int argc, char * const argv[],
+ char *env_add[], char **command_info[],
+ char **argv_out[], char **user_env_out[]);
+ int (*list)(int argc, char * const argv[], int verbose,
+ const char *list_user);
+ int (*validate)(void);
+ void (*invalidate)(int remove);
+ int (*init_session)(struct passwd *pwd, char **user_env[]);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+ };
+
+ The policy_plugin struct has the following fields:
+
+ type The type field should always be set to SUDO_POLICY_PLUGIN.
+
+ version
The version field should be set to SUDO_API_VERSION.
This allows s\bsu\bud\bdo\bo to determine the API version the plugin was built
against.
- open
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[],
- char * const plugin_options[]);
+ open
+ int (*open)(unsigned int version, sudo_conv_t conversation,
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], char * const user_env[],
+ char * const plugin_options[]);
Returns 1 on success, 0 on failure, -1 if a general error occurred,
or -2 if there was a usage error. In the latter case, s\bsu\bud\bdo\bo will
print a usage message before it exits. If an error occurs, the
- plugin may optionally call the conversation or plugin_printf
+ plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
function with SUDO_CONF_ERROR_MSG to present additional error
information to the user.
The function arguments are as follows:
version
- The version passed in by s\bsu\bud\bdo\bo allows the plugin to determine
- the major and minor version number of the plugin API supported
- by s\bsu\bud\bdo\bo.
+ The version passed in by s\bsu\bud\bdo\bo allows the plugin to determine
+ the major and minor version number of the plugin API
+ supported by s\bsu\bud\bdo\bo.
conversation
- A pointer to the conversation function that can be used by the
- plugin to interact with the user (see below). Returns 0 on
- success and -1 on failure.
+ A pointer to the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function that can be used by
+ the plugin to interact with the user (see below). Returns 0
+ on success and -1 on failure.
plugin_printf
- A pointer to a printf-style function that may be used to
- display informational or error messages (see below). Returns
- the number of characters printed on success and -1 on failure.
+ A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used to
+ display informational or error messages (see below). Returns
+ the number of characters printed on success and -1 on
+ failure.
settings
- A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
- "name=value" strings. The vector is terminated by a NULL
- pointer. These settings correspond to flags the user specified
- when running s\bsu\bud\bdo\bo. As such, they will only be present when the
- corresponding flag has been specified on the command line.
-
- When parsing _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- debug_flags=string
- A comma-separated list of debug flags that correspond to
- s\bsu\bud\bdo\bo's Debug entry in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf, if there is one. The
- flags are passed to the plugin as they appear in
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf. The syntax used by s\bsu\bud\bdo\bo and the _\bs_\bu_\bd_\bo_\be_\br_\bs
- plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is free to use
- a different format so long as it does not include a command
- ,.
-
- For reference, the priorities supported by the s\bsu\bud\bdo\bo front
- end and _\bs_\bu_\bd_\bo_\be_\br_\bs are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo,
- _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
-
- The following subsystems are defined: _\bm_\ba_\bi_\bn, _\bm_\be_\bm_\bo_\br_\by, _\ba_\br_\bg_\bs,
- _\be_\bx_\be_\bc, _\bp_\bt_\by, _\bu_\bt_\bm_\bp, _\bc_\bo_\bn_\bv, _\bp_\bc_\bo_\bm_\bm, _\bu_\bt_\bi_\bl, _\bl_\bi_\bs_\bt, _\bn_\be_\bt_\bi_\bf, _\ba_\bu_\bd_\bi_\bt,
- _\be_\bd_\bi_\bt, _\bs_\be_\bl_\bi_\bn_\bu_\bx, _\bl_\bd_\ba_\bp, _\bm_\ba_\bt_\bc_\bh, _\bp_\ba_\br_\bs_\be_\br, _\ba_\bl_\bi_\ba_\bs, _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs, _\ba_\bu_\bt_\bh,
- _\be_\bn_\bv, _\bl_\bo_\bg_\bg_\bi_\bn_\bg, _\bn_\bs_\bs, _\br_\bb_\bt_\br_\be_\be, _\bp_\be_\br_\bm_\bs, _\bp_\bl_\bu_\bg_\bi_\bn. The subsystem
- _\ba_\bl_\bl includes every subsystem.
-
- There is not currently a way to specify a set of debug
- flags specific to the plugin--the flags are shared by s\bsu\bud\bdo\bo
- and the plugin.
-
- debug_level=number
- This setting has been deprecated in favor of _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs.
-
- runas_user=string
- The user name or uid to to run the command as, if specified
- via the -u flag.
-
- runas_group=string
- The group name or gid to to run the command as, if
- specified via the -g flag.
-
- prompt=string
- The prompt to use when requesting a password, if specified
- via the -p flag.
-
- set_home=bool
- Set to true if the user specified the -H flag. If true,
- set the HOME environment variable to the target user's home
- directory.
-
- preserve_environment=bool
- Set to true if the user specified the -E flag, indicating
- that the user wishes to preserve the environment.
-
- run_shell=bool
- Set to true if the user specified the -s flag, indicating
- that the user wishes to run a shell.
-
- login_shell=bool
- Set to true if the user specified the -i flag, indicating
- that the user wishes to run a login shell.
-
- implied_shell=bool
- If the user does not specify a program on the command line,
- s\bsu\bud\bdo\bo will pass the plugin the path to the user's shell and
- set _\bi_\bm_\bp_\bl_\bi_\be_\bd_\b__\bs_\bh_\be_\bl_\bl to true. This allows s\bsu\bud\bdo\bo with no
- arguments to be used similarly to _\bs_\bu(1). If the plugin
- does not to support this usage, it may return a value of -2
- from the check_policy function, which will cause s\bsu\bud\bdo\bo to
- print a usage message and exit.
-
- preserve_groups=bool
- Set to true if the user specified the -P flag, indicating
- that the user wishes to preserve the group vector instead
- of setting it based on the runas user.
-
- ignore_ticket=bool
- Set to true if the user specified the -k flag along with a
- command, indicating that the user wishes to ignore any
- cached authentication credentials.
-
- noninteractive=bool
- Set to true if the user specified the -n flag, indicating
- that s\bsu\bud\bdo\bo should operate in non-interactive mode. The
- plugin may reject a command run in non-interactive mode if
- user interaction is required.
-
- login_class=string
- BSD login class to use when setting resource limits and
- nice value, if specified by the -c flag.
-
- selinux_role=string
- SELinux role to use when executing the command, if
- specified by the -r flag.
-
- selinux_type=string
- SELinux type to use when executing the command, if
- specified by the -t flag.
-
- bsdauth_type=string
- Authentication type, if specified by the -a flag, to use on
- systems where BSD authentication is supported.
-
- network_addrs=list
- A space-separated list of IP network addresses and netmasks
- in the form "addr/netmask", e.g.
- "192.168.1.2/255.255.255.0". The address and netmask pairs
- may be either IPv4 or IPv6, depending on what the operating
- system supports. If the address contains a colon (':'), it
- is an IPv6 address, else it is IPv4.
-
- progname=string
- The command name that sudo was run as, typically "sudo" or
- "sudoedit".
-
- sudoedit=bool
- Set to true when the -e flag is is specified or if invoked
- as s\bsu\bud\bdo\boe\bed\bdi\bit\bt. The plugin shall substitute an editor into
- _\ba_\br_\bg_\bv in the _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by function or return -2 with a usage
- error if the plugin does not support _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. For more
- information, see the _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by section.
-
- closefrom=number
- If specified, the user has requested via the -C flag that
- s\bsu\bud\bdo\bo close all files descriptors with a value of _\bn_\bu_\bm_\bb_\be_\br or
- higher. The plugin may optionally pass this, or another
- value, back in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
-
- Additional settings may be added in the future so the plugin
- should silently ignore settings that it does not recognize.
+ A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
+ ``name=value'' strings. The vector is terminated by a NULL
+ pointer. These settings correspond to flags the user
+ specified when running s\bsu\bud\bdo\bo. As such, they will only be
+ present when the corresponding flag has been specified on the
+ command line.
+
+ When parsing _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs, the plugin should split on the f\bfi\bir\brs\bst\bt
+ equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
+ itself but the _\bv_\ba_\bl_\bu_\be might.
+
+ debug_flags=string
+ A comma-separated list of debug flags that correspond
+ to s\bsu\bud\bdo\bo's Debug entry in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf, if there is
+ one. The flags are passed to the plugin as they appear
+ in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf. The syntax used by s\bsu\bud\bdo\bo and the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but the plugin is
+ free to use a different format so long as it does not
+ include a comma (`,').
+
+ For reference, the priorities supported by the s\bsu\bud\bdo\bo
+ front end and _\bs_\bu_\bd_\bo_\be_\br_\bs are: _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be,
+ _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg.
+
+ The following subsystems are defined: _\bm_\ba_\bi_\bn, _\bm_\be_\bm_\bo_\br_\by,
+ _\ba_\br_\bg_\bs, _\be_\bx_\be_\bc, _\bp_\bt_\by, _\bu_\bt_\bm_\bp, _\bc_\bo_\bn_\bv, _\bp_\bc_\bo_\bm_\bm, _\bu_\bt_\bi_\bl, _\bl_\bi_\bs_\bt, _\bn_\be_\bt_\bi_\bf,
+ _\ba_\bu_\bd_\bi_\bt, _\be_\bd_\bi_\bt, _\bs_\be_\bl_\bi_\bn_\bu_\bx, _\bl_\bd_\ba_\bp, _\bm_\ba_\bt_\bc_\bh, _\bp_\ba_\br_\bs_\be_\br, _\ba_\bl_\bi_\ba_\bs,
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs, _\ba_\bu_\bt_\bh, _\be_\bn_\bv, _\bl_\bo_\bg_\bg_\bi_\bn_\bg, _\bn_\bs_\bs, _\br_\bb_\bt_\br_\be_\be, _\bp_\be_\br_\bm_\bs,
+ _\bp_\bl_\bu_\bg_\bi_\bn. The subsystem _\ba_\bl_\bl includes every subsystem.
+
+ There is not currently a way to specify a set of debug
+ flags specific to the plugin--the flags are shared by
+ s\bsu\bud\bdo\bo and the plugin.
+
+ debug_level=number
+ This setting has been deprecated in favor of
+ _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs.
+
+ runas_user=string
+ The user name or uid to to run the command as, if
+ specified via the -\b-u\bu flag.
+
+ runas_group=string
+ The group name or gid to to run the command as, if
+ specified via the -\b-g\bg flag.
+
+ prompt=string
+ The prompt to use when requesting a password, if
+ specified via the -\b-p\bp flag.
+
+ set_home=bool
+ Set to true if the user specified the -\b-H\bH flag. If
+ true, set the HOME environment variable to the target
+ user's home directory.
+
+ preserve_environment=bool
+ Set to true if the user specified the -\b-E\bE flag,
+ indicating that the user wishes to preserve the
+ environment.
+
+ run_shell=bool
+ Set to true if the user specified the -\b-s\bs flag,
+ indicating that the user wishes to run a shell.
+
+ login_shell=bool
+ Set to true if the user specified the -\b-i\bi flag,
+ indicating that the user wishes to run a login shell.
+
+ implied_shell=bool
+ If the user does not specify a program on the command
+ line, s\bsu\bud\bdo\bo will pass the plugin the path to the user's
+ shell and set _\bi_\bm_\bp_\bl_\bi_\be_\bd_\b__\bs_\bh_\be_\bl_\bl to true. This allows s\bsu\bud\bdo\bo
+ with no arguments to be used similarly to su(1). If
+ the plugin does not to support this usage, it may
+ return a value of -2 from the c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function,
+ which will cause s\bsu\bud\bdo\bo to print a usage message and
+ exit.
+
+ preserve_groups=bool
+ Set to true if the user specified the -\b-P\bP flag,
+ indicating that the user wishes to preserve the group
+ vector instead of setting it based on the runas user.
+
+ ignore_ticket=bool
+ Set to true if the user specified the -\b-k\bk flag along
+ with a command, indicating that the user wishes to
+ ignore any cached authentication credentials.
+
+ noninteractive=bool
+ Set to true if the user specified the -\b-n\bn flag,
+ indicating that s\bsu\bud\bdo\bo should operate in non-interactive
+ mode. The plugin may reject a command run in non-
+ interactive mode if user interaction is required.
+
+ login_class=string
+ BSD login class to use when setting resource limits and
+ nice value, if specified by the -\b-c\bc flag.
+
+ selinux_role=string
+ SELinux role to use when executing the command, if
+ specified by the -\b-r\br flag.
+
+ selinux_type=string
+ SELinux type to use when executing the command, if
+ specified by the -\b-t\bt flag.
+
+ bsdauth_type=string
+ Authentication type, if specified by the -\b-a\ba flag, to
+ use on systems where BSD authentication is supported.
+
+ network_addrs=list
+ A space-separated list of IP network addresses and
+ netmasks in the form ``addr/netmask'', e.g.
+ ``192.168.1.2/255.255.255.0''. The address and netmask
+ pairs may be either IPv4 or IPv6, depending on what the
+ operating system supports. If the address contains a
+ colon (`:'), it is an IPv6 address, else it is IPv4.
+
+ progname=string
+ The command name that sudo was run as, typically
+ ``sudo'' or ``sudoedit''.
+
+ sudoedit=bool
+ Set to true when the -\b-e\be flag is is specified or if
+ invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt. The plugin shall substitute an
+ editor into _\ba_\br_\bg_\bv in the c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function or
+ return -2 with a usage error if the plugin does not
+ support _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. For more information, see the
+ _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by section.
+
+ closefrom=number
+ If specified, the user has requested via the -\b-C\bC flag
+ that s\bsu\bud\bdo\bo close all files descriptors with a value of
+ _\bn_\bu_\bm_\bb_\be_\br or higher. The plugin may optionally pass this,
+ or another value, back in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
+
+ Additional settings may be added in the future so the plugin
+ should silently ignore settings that it does not recognize.
user_info
- A vector of information about the user running the command in
- the form of "name=value" strings. The vector is terminated by
- a NULL pointer.
+ A vector of information about the user running the command in
+ the form of ``name=value'' strings. The vector is terminated
+ by a NULL pointer.
- When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
+ When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
+ equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
+ itself but the _\bv_\ba_\bl_\bu_\be might.
- pid=int
- The process ID of the running s\bsu\bud\bdo\bo process. Only available
- starting with API version 1.2
+ pid=int
+ The process ID of the running s\bsu\bud\bdo\bo process. Only
+ available starting with API version 1.2
- ppid=int
- The parent process ID of the running s\bsu\bud\bdo\bo process. Only
- available starting with API version 1.2
+ ppid=int
+ The parent process ID of the running s\bsu\bud\bdo\bo process.
+ Only available starting with API version 1.2
- sid=int
- The session ID of the running s\bsu\bud\bdo\bo process or 0 if s\bsu\bud\bdo\bo is
- not part of a POSIX job control session. Only available
- starting with API version 1.2
+ sid=int
+ The session ID of the running s\bsu\bud\bdo\bo process or 0 if s\bsu\bud\bdo\bo
+ is not part of a POSIX job control session. Only
+ available starting with API version 1.2
- pgid=int
- The ID of the process group that the running s\bsu\bud\bdo\bo process
- belongs to. Only available starting with API version 1.2
+ pgid=int
+ The ID of the process group that the running s\bsu\bud\bdo\bo
+ process belongs to. Only available starting with API
+ version 1.2
- tcpgid=int
- The ID of the forground process group associated with the
- terminal device associcated with the s\bsu\bud\bdo\bo process or -1 if
- there is no terminal present. Only available starting with
- API version 1.2
+ tcpgid=int
+ The ID of the forground process group associated with
+ the terminal device associcated with the s\bsu\bud\bdo\bo process
+ or -1 if there is no terminal present. Only available
+ starting with API version 1.2
- user=string
- The name of the user invoking s\bsu\bud\bdo\bo.
+ user=string
+ The name of the user invoking s\bsu\bud\bdo\bo.
- euid=uid_t
- The effective user ID of the user invoking s\bsu\bud\bdo\bo.
+ euid=uid_t
+ The effective user ID of the user invoking s\bsu\bud\bdo\bo.
- uid=uid_t
- The real user ID of the user invoking s\bsu\bud\bdo\bo.
+ uid=uid_t
+ The real user ID of the user invoking s\bsu\bud\bdo\bo.
- egid=gid_t
- The effective group ID of the user invoking s\bsu\bud\bdo\bo.
+ egid=gid_t
+ The effective group ID of the user invoking s\bsu\bud\bdo\bo.
- gid=gid_t
- The real group ID of the user invoking s\bsu\bud\bdo\bo.
+ gid=gid_t
+ The real group ID of the user invoking s\bsu\bud\bdo\bo.
- groups=list
- The user's supplementary group list formatted as a string
- of comma-separated group IDs.
+ groups=list
+ The user's supplementary group list formatted as a
+ string of comma-separated group IDs.
- cwd=string
- The user's current working directory.
+ cwd=string
+ The user's current working directory.
- tty=string
- The path to the user's terminal device. If the user has no
- terminal device associated with the session, the value will
- be empty, as in tty=.
+ tty=string
+ The path to the user's terminal device. If the user
+ has no terminal device associated with the session, the
+ value will be empty, as in ``tty=''.
- host=string
- The local machine's hostname as returned by the
- gethostname() system call.
+ host=string
+ The local machine's hostname as returned by the
+ gethostname(2) system call.
- lines=int
- The number of lines the user's terminal supports. If there
- is no terminal device available, a default value of 24 is
- used.
+ lines=int
+ The number of lines the user's terminal supports. If
+ there is no terminal device available, a default value
+ of 24 is used.
- cols=int
- The number of columns the user's terminal supports. If
- there is no terminal device available, a default value of
- 80 is used.
+ cols=int
+ The number of columns the user's terminal supports. If
+ there is no terminal device available, a default value
+ of 80 is used.
user_env
- The user's environment in the form of a NULL-terminated vector
- of "name=value" strings.
+ The user's environment in the form of a NULL-terminated
+ vector of ``name=value'' strings.
- When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
+ When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
+ equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
+ itself but the _\bv_\ba_\bl_\bu_\be might.
plugin_options
- Any (non-comment) strings immediately after the plugin path are
- treated as arguments to the plugin. These arguments are split
- on a white space boundary and are passed to the plugin in the
- form of a NULL-terminated array of strings. If no arguments
- were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL pointer.
-
- NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available starting
- with API version 1.2. A plugin m\bmu\bus\bst\bt check the API version
- specified by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs.
- Failure to do so may result in a crash.
-
- close
- void (*close)(int exit_status, int error);
-
- The close function is called when the command being run by s\bsu\bud\bdo\bo
+ Any (non-comment) strings immediately after the plugin path
+ are treated as arguments to the plugin. These arguments are
+ split on a white space boundary and are passed to the plugin
+ in the form of a NULL-terminated array of strings. If no
+ arguments were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL
+ pointer.
+
+ NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available starting
+ with API version 1.2. A plugin m\bmu\bus\bst\bt check the API version
+ specified by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs.
+ Failure to do so may result in a crash.
+
+ close
+ void (*close)(int exit_status, int error);
+
+ The c\bcl\blo\bos\bse\be() function is called when the command being run by s\bsu\bud\bdo\bo
finishes.
The function arguments are as follows:
exit_status
- The command's exit status, as returned by the _\bw_\ba_\bi_\bt(2) system
- call. The value of exit_status is undefined if error is non-
- zero.
+ The command's exit status, as returned by the wait(2) system
+ call. The value of exit_status is undefined if error is non-
+ zero.
error
- If the command could not be executed, this is set to the value
- of errno set by the _\be_\bx_\be_\bc_\bv_\be(2) system call. The plugin is
- responsible for displaying error information via the
- conversation or plugin_printf function. If the command was
- successfully executed, the value of error is 0.
-
- show_version
- int (*show_version)(int verbose);
-
- The show_version function is called by s\bsu\bud\bdo\bo when the user specifies
- the -V option. The plugin may display its version information to
- the user via the conversation or plugin_printf function using
- SUDO_CONV_INFO_MSG. If the user requests detailed version
- information, the verbose flag will be set.
-
- check_policy
- int (*check_policy)(int argc, char * const argv[]
- char *env_add[], char **command_info[],
- char **argv_out[], char **user_env_out[]);
-
- The _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by function is called by s\bsu\bud\bdo\bo to determine whether
+ If the command could not be executed, this is set to the
+ value of errno set by the execve(2) system call. The plugin
+ is responsible for displaying error information via the
+ c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function. If the command
+ was successfully executed, the value of error is 0.
+
+ show_version
+ int (*show_version)(int verbose);
+
+ The s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function is called by s\bsu\bud\bdo\bo when the user
+ specifies the -\b-V\bV option. The plugin may display its version
+ information to the user via the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
+ function using SUDO_CONV_INFO_MSG. If the user requests detailed
+ version information, the verbose flag will be set.
+
+ check_policy
+ int (*check_policy)(int argc, char * const argv[]
+ char *env_add[], char **command_info[],
+ char **argv_out[], char **user_env_out[]);
+
+ The c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function is called by s\bsu\bud\bdo\bo to determine whether
the user is allowed to run the specified commands.
If the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt option was enabled in the _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs array passed to
- the _\bo_\bp_\be_\bn function, the user has requested _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode. _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt
- is a mechanism for editing one or more files where an editor is run
- with the user's credentials instead of with elevated privileges.
- s\bsu\bud\bdo\bo achieves this by creating user-writable temporary copies of
- the files to be edited and then overwriting the originals with the
- temporary copies after editing is complete. If the plugin supports
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt, it should choose the editor to be used, potentially from
- a variable in the user's environment, such as EDITOR, and include
- it in _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt (note that environment variables may include command
- line flags). The files to be edited should be copied from _\ba_\br_\bg_\bv
- into _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt, separated from the editor and its arguments by a
- "--" element. The "--" will be removed by s\bsu\bud\bdo\bo before the editor
- is executed. The plugin should also set _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b=_\bt_\br_\bu_\be in the
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
-
- The _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by function returns 1 if the command is allowed, 0 if
- not allowed, -1 for a general error, or -2 for a usage error or if
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt was specified but is unsupported by the plugin. In the
+ the o\bop\bpe\ben\bn() function, the user has requested _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode.
+ _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt is a mechanism for editing one or more files where an
+ editor is run with the user's credentials instead of with elevated
+ privileges. s\bsu\bud\bdo\bo achieves this by creating user-writable temporary
+ copies of the files to be edited and then overwriting the originals
+ with the temporary copies after editing is complete. If the plugin
+ supports _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt, it should choose the editor to be used,
+ potentially from a variable in the user's environment, such as
+ EDITOR, and include it in _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt (note that environment variables
+ may include command line flags). The files to be edited should be
+ copied from _\ba_\br_\bg_\bv into _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt, separated from the editor and its
+ arguments by a ``--'' element. The ``--'' will be removed by s\bsu\bud\bdo\bo
+ before the editor is executed. The plugin should also set
+ _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b=_\bt_\br_\bu_\be in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
+
+ The c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function returns 1 if the command is allowed, 0
+ if not allowed, -1 for a general error, or -2 for a usage error or
+ if _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt was specified but is unsupported by the plugin. In the
latter case, s\bsu\bud\bdo\bo will print a usage message before it exits. If
- an error occurs, the plugin may optionally call the conversation or
- plugin_printf function with SUDO_CONF_ERROR_MSG to present
+ an error occurs, the plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn()
+ or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function with SUDO_CONF_ERROR_MSG to present
additional error information to the user.
The function arguments are as follows:
- argc
- The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
- pointer.
+ argc The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
+ pointer.
- argv
- The argument vector describing the command the user wishes to
- run, in the same form as what would be passed to the _\be_\bx_\be_\bc_\bv_\be_\b(_\b)
- system call. The vector is terminated by a NULL pointer.
+ argv The argument vector describing the command the user wishes to
+ run, in the same form as what would be passed to the
+ execve(2) system call. The vector is terminated by a NULL
+ pointer.
env_add
- Additional environment variables specified by the user on the
- command line in the form of a NULL-terminated vector of
- "name=value" strings. The plugin may reject the command if one
- or more variables are not allowed to be set, or it may silently
- ignore such variables.
+ Additional environment variables specified by the user on the
+ command line in the form of a NULL-terminated vector of
+ ``name=value'' strings. The plugin may reject the command if
+ one or more variables are not allowed to be set, or it may
+ silently ignore such variables.
- When parsing _\be_\bn_\bv_\b__\ba_\bd_\bd, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
+ When parsing _\be_\bn_\bv_\b__\ba_\bd_\bd, the plugin should split on the f\bfi\bir\brs\bst\bt
+ equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
+ itself but the _\bv_\ba_\bl_\bu_\be might.
command_info
- Information about the command being run in the form of
- "name=value" strings. These values are used by s\bsu\bud\bdo\bo to set the
- execution environment when running a command. The plugin is
- responsible for creating and populating the vector, which must
- be terminated with a NULL pointer. The following values are
- recognized by s\bsu\bud\bdo\bo:
-
- command=string
- Fully qualified path to the command to be executed.
-
- runas_uid=uid
- User ID to run the command as.
-
- runas_euid=uid
- Effective user ID to run the command as. If not specified,
- the value of _\br_\bu_\bn_\ba_\bs_\b__\bu_\bi_\bd is used.
-
- runas_gid=gid
- Group ID to run the command as.
-
- runas_egid=gid
- Effective group ID to run the command as. If not
- specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bg_\bi_\bd is used.
-
- runas_groups=list
- The supplementary group vector to use for the command in
- the form of a comma-separated list of group IDs. If
- _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, this option is ignored.
-
- login_class=string
- BSD login class to use when setting resource limits and
- nice value (optional). This option is only set on systems
- that support login classes.
-
- preserve_groups=bool
- If set, s\bsu\bud\bdo\bo will preserve the user's group vector instead
- of initializing the group vector based on runas_user.
-
- cwd=string
- The current working directory to change to when executing
- the command.
-
- noexec=bool
- If set, prevent the command from executing other programs.
-
- chroot=string
- The root directory to use when running the command.
-
- nice=int
- Nice value (priority) to use when executing the command.
- The nice value, if specified, overrides the priority
- associated with the _\bl_\bo_\bg_\bi_\bn_\b__\bc_\bl_\ba_\bs_\bs on BSD systems.
-
- umask=octal
- The file creation mask to use when executing the command.
-
- selinux_role=string
- SELinux role to use when executing the command.
-
- selinux_type=string
- SELinux type to use when executing the command.
-
- timeout=int
- Command timeout. If non-zero then when the timeout expires
- the command will be killed.
-
- sudoedit=bool
- Set to true when in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode. The plugin may enable
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode even if s\bsu\bud\bdo\bo was not invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
- This allows the plugin to perform command substitution and
- transparently enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt when the user attempts to run
- an editor.
-
- closefrom=number
- If specified, s\bsu\bud\bdo\bo will close all files descriptors with a
- value of _\bn_\bu_\bm_\bb_\be_\br or higher.
-
- iolog_compress=bool
- Set to true if the I/O logging plugins, if any, should
- compress the log data. This is a hint to the I/O logging
- plugin which may choose to ignore it.
-
- iolog_path=string
- Fully qualified path to the file or directory in which I/O
- log is to be stored. This is a hint to the I/O logging
- plugin which may choose to ignore it. If no I/O logging
- plugin is loaded, this setting has no effect.
-
- iolog_stdin=bool
- Set to true if the I/O logging plugins, if any, should log
- the standard input if it is not connected to a terminal
- device. This is a hint to the I/O logging plugin which may
- choose to ignore it.
-
- iolog_stdout=bool
- Set to true if the I/O logging plugins, if any, should log
- the standard output if it is not connected to a terminal
- device. This is a hint to the I/O logging plugin which may
- choose to ignore it.
-
- iolog_stderr=bool
- Set to true if the I/O logging plugins, if any, should log
- the standard error if it is not connected to a terminal
- device. This is a hint to the I/O logging plugin which may
- choose to ignore it.
-
- iolog_ttyin=bool
- Set to true if the I/O logging plugins, if any, should log
- all terminal input. This only includes input typed by the
- user and not from a pipe or redirected from a file. This
- is a hint to the I/O logging plugin which may choose to
- ignore it.
-
- iolog_ttyout=bool
- Set to true if the I/O logging plugins, if any, should log
- all terminal output. This only includes output to the
- screen, not output to a pipe or file. This is a hint to
- the I/O logging plugin which may choose to ignore it.
-
- use_pty=bool
- Allocate a pseudo-tty to run the command in, regardless of
- whether or not I/O logging is in use. By default, s\bsu\bud\bdo\bo
- will only run the command in a pty when an I/O log plugin
- is loaded.
-
- set_utmp=bool
- Create a utmp (or utmpx) entry when a pseudo-tty is
- allocated. By default, the new entry will be a copy of the
- user's existing utmp entry (if any), with the tty, time,
- type and pid fields updated.
-
- utmp_user=string
- User name to use when constructing a new utmp (or utmpx)
- entry when _\bs_\be_\bt_\b__\bu_\bt_\bm_\bp is enabled. This option can be used to
- set the user field in the utmp entry to the user the
- command runs as rather than the invoking user. If not set,
- s\bsu\bud\bdo\bo will base the new entry on the invoking user's
- existing entry.
-
- Unsupported values will be ignored.
+ Information about the command being run in the form of
+ ``name=value'' strings. These values are used by s\bsu\bud\bdo\bo to set
+ the execution environment when running a command. The plugin
+ is responsible for creating and populating the vector, which
+ must be terminated with a NULL pointer. The following values
+ are recognized by s\bsu\bud\bdo\bo:
+
+ command=string
+ Fully qualified path to the command to be executed.
+
+ runas_uid=uid
+ User ID to run the command as.
+
+ runas_euid=uid
+ Effective user ID to run the command as. If not
+ specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bu_\bi_\bd is used.
+
+ runas_gid=gid
+ Group ID to run the command as.
+
+ runas_egid=gid
+ Effective group ID to run the command as. If not
+ specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bg_\bi_\bd is used.
+
+ runas_groups=list
+ The supplementary group vector to use for the command
+ in the form of a comma-separated list of group IDs. If
+ _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, this option is ignored.
+
+ login_class=string
+ BSD login class to use when setting resource limits and
+ nice value (optional). This option is only set on
+ systems that support login classes.
+
+ preserve_groups=bool
+ If set, s\bsu\bud\bdo\bo will preserve the user's group vector
+ instead of initializing the group vector based on
+ runas_user.
+
+ cwd=string
+ The current working directory to change to when
+ executing the command.
+
+ noexec=bool
+ If set, prevent the command from executing other
+ programs.
+
+ chroot=string
+ The root directory to use when running the command.
+
+ nice=int
+ Nice value (priority) to use when executing the
+ command. The nice value, if specified, overrides the
+ priority associated with the _\bl_\bo_\bg_\bi_\bn_\b__\bc_\bl_\ba_\bs_\bs on BSD
+ systems.
+
+ umask=octal
+ The file creation mask to use when executing the
+ command.
+
+ selinux_role=string
+ SELinux role to use when executing the command.
+
+ selinux_type=string
+ SELinux type to use when executing the command.
+
+ timeout=int
+ Command timeout. If non-zero then when the timeout
+ expires the command will be killed.
+
+ sudoedit=bool
+ Set to true when in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode. The plugin may
+ enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode even if s\bsu\bud\bdo\bo was not invoked as
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt. This allows the plugin to perform command
+ substitution and transparently enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt when the
+ user attempts to run an editor.
+
+ closefrom=number
+ If specified, s\bsu\bud\bdo\bo will close all files descriptors
+ with a value of _\bn_\bu_\bm_\bb_\be_\br or higher.
+
+ iolog_compress=bool
+ Set to true if the I/O logging plugins, if any, should
+ compress the log data. This is a hint to the I/O
+ logging plugin which may choose to ignore it.
+
+ iolog_path=string
+ Fully qualified path to the file or directory in which
+ I/O log is to be stored. This is a hint to the I/O
+ logging plugin which may choose to ignore it. If no
+ I/O logging plugin is loaded, this setting has no
+ effect.
+
+ iolog_stdin=bool
+ Set to true if the I/O logging plugins, if any, should
+ log the standard input if it is not connected to a
+ terminal device. This is a hint to the I/O logging
+ plugin which may choose to ignore it.
+
+ iolog_stdout=bool
+ Set to true if the I/O logging plugins, if any, should
+ log the standard output if it is not connected to a
+ terminal device. This is a hint to the I/O logging
+ plugin which may choose to ignore it.
+
+ iolog_stderr=bool
+ Set to true if the I/O logging plugins, if any, should
+ log the standard error if it is not connected to a
+ terminal device. This is a hint to the I/O logging
+ plugin which may choose to ignore it.
+
+ iolog_ttyin=bool
+ Set to true if the I/O logging plugins, if any, should
+ log all terminal input. This only includes input typed
+ by the user and not from a pipe or redirected from a
+ file. This is a hint to the I/O logging plugin which
+ may choose to ignore it.
+
+ iolog_ttyout=bool
+ Set to true if the I/O logging plugins, if any, should
+ log all terminal output. This only includes output to
+ the screen, not output to a pipe or file. This is a
+ hint to the I/O logging plugin which may choose to
+ ignore it.
+
+ use_pty=bool
+ Allocate a pseudo-tty to run the command in, regardless
+ of whether or not I/O logging is in use. By default,
+ s\bsu\bud\bdo\bo will only run the command in a pty when an I/O log
+ plugin is loaded.
+
+ set_utmp=bool
+ Create a utmp (or utmpx) entry when a pseudo-tty is
+ allocated. By default, the new entry will be a copy of
+ the user's existing utmp entry (if any), with the tty,
+ time, type and pid fields updated.
+
+ utmp_user=string
+ User name to use when constructing a new utmp (or
+ utmpx) entry when _\bs_\be_\bt_\b__\bu_\bt_\bm_\bp is enabled. This option can
+ be used to set the user field in the utmp entry to the
+ user the command runs as rather than the invoking user.
+ If not set, s\bsu\bud\bdo\bo will base the new entry on the
+ invoking user's existing entry.
+
+ Unsupported values will be ignored.
argv_out
- The NULL-terminated argument vector to pass to the _\be_\bx_\be_\bc_\bv_\be_\b(_\b)
- system call when executing the command. The plugin is
- responsible for allocating and populating the vector.
+ The NULL-terminated argument vector to pass to the execve(2)
+ system call when executing the command. The plugin is
+ responsible for allocating and populating the vector.
user_env_out
- The NULL-terminated environment vector to use when executing
- the command. The plugin is responsible for allocating and
- populating the vector.
+ The NULL-terminated environment vector to use when executing
+ the command. The plugin is responsible for allocating and
+ populating the vector.
- list
- int (*list)(int verbose, const char *list_user,
- int argc, char * const argv[]);
+ list
+ int (*list)(int verbose, const char *list_user,
+ int argc, char * const argv[]);
List available privileges for the invoking user. Returns 1 on
success, 0 on failure and -1 on error. On error, the plugin may
- optionally call the conversation or plugin_printf function with
+ optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function with
SUDO_CONF_ERROR_MSG to present additional error information to the
user.
- Privileges should be output via the conversation or plugin_printf
- function using SUDO_CONV_INFO_MSG.
+ Privileges should be output via the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or
+ p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function using SUDO_CONV_INFO_MSG,
verbose
- Flag indicating whether to list in verbose mode or not.
+ Flag indicating whether to list in verbose mode or not.
list_user
- The name of a different user to list privileges for if the
- policy allows it. If NULL, the plugin should list the
- privileges of the invoking user.
-
- argc
- The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
- pointer.
-
- argv
- If non-NULL, an argument vector describing a command the user
- wishes to check against the policy in the same form as what
- would be passed to the _\be_\bx_\be_\bc_\bv_\be_\b(_\b) system call. If the command is
- permitted by the policy, the fully-qualified path to the
- command should be displayed along with any command line
- arguments.
-
- validate
- int (*validate)(void);
-
- The validate function is called when s\bsu\bud\bdo\bo is run with the -v flag.
- For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache authentication
+ The name of a different user to list privileges for if the
+ policy allows it. If NULL, the plugin should list the
+ privileges of the invoking user.
+
+ argc The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
+ pointer.
+
+ argv If non-NULL, an argument vector describing a command the user
+ wishes to check against the policy in the same form as what
+ would be passed to the execve(2) system call. If the command
+ is permitted by the policy, the fully-qualified path to the
+ command should be displayed along with any command line
+ arguments.
+
+ validate
+ int (*validate)(void);
+
+ The v\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is run with the -\b-v\bv
+ flag. For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache authentication
credentials, this function will validate and cache the credentials.
- The validate function should be NULL if the plugin does not support
- credential caching.
+ The v\bva\bal\bli\bid\bda\bat\bte\be() function should be NULL if the plugin does not
+ support credential caching.
Returns 1 on success, 0 on failure and -1 on error. On error, the
- plugin may optionally call the conversation or plugin_printf
+ plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
function with SUDO_CONF_ERROR_MSG to present additional error
information to the user.
- invalidate
- void (*invalidate)(int remove);
+ invalidate
+ void (*invalidate)(int remove);
- The invalidate function is called when s\bsu\bud\bdo\bo is called with the -k
- or -K flag. For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache
+ The i\bin\bnv\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is called with the -\b-k\bk
+ or -\b-K\bK flag. For policy plugins such as _\bs_\bu_\bd_\bo_\be_\br_\bs that cache
authentication credentials, this function will invalidate the
credentials. If the _\br_\be_\bm_\bo_\bv_\be flag is set, the plugin may remove the
credentials instead of simply invalidating them.
- The invalidate function should be NULL if the plugin does not
+ The i\bin\bnv\bva\bal\bli\bid\bda\bat\bte\be() function should be NULL if the plugin does not
support credential caching.
- init_session
- int (*init_session)(struct passwd *pwd, char **user_envp[);
+ init_session
+ int (*init_session)(struct passwd *pwd, char **user_envp[);
- The init_session function is called before s\bsu\bud\bdo\bo sets up the
+ The i\bin\bni\bit\bt_\b_s\bse\bes\bss\bsi\bio\bon\bn() function is called before s\bsu\bud\bdo\bo sets up the
execution environment for the command. It is run in the parent
s\bsu\bud\bdo\bo process and before any uid or gid changes. This can be used
to perform session setup that is not supported by _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo,
- such as opening the PAM session. The close function can be used to
- tear down the session that was opened by init_session.
+ such as opening the PAM session. The c\bcl\blo\bos\bse\be() function can be used
+ to tear down the session that was opened by init_session.
The _\bp_\bw_\bd argument points to a passwd struct for the user the command
will be run as if the uid the command will run as was found in the
password database, otherwise it will be NULL.
The _\bu_\bs_\be_\br_\b__\be_\bn_\bv argument points to the environment the command will
- run in, in the form of a NULL-terminated vector of "name=value"
+ run in, in the form of a NULL-terminated vector of ``name=value''
strings. This is the same string passed back to the front end via
- the Policy Plugin's _\bu_\bs_\be_\br_\b__\be_\bn_\bv_\b__\bo_\bu_\bt parameter. If the init_session
+ the Policy Plugin's _\bu_\bs_\be_\br_\b__\be_\bn_\bv_\b__\bo_\bu_\bt parameter. If the i\bin\bni\bit\bt_\b_s\bse\bes\bss\bsi\bio\bon\bn()
function needs to modify the user environment, it should update the
pointer stored in _\bu_\bs_\be_\br_\b__\be_\bn_\bv. The expected use case is to merge the
contents of the PAM environment (if any) with the contents of
do so may result in a crash.
Returns 1 on success, 0 on failure and -1 on error. On error, the
- plugin may optionally call the conversation or plugin_printf
+ plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
function with SUDO_CONF_ERROR_MSG to present additional error
information to the user.
- register_hooks
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
+ register_hooks
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
- The register_hooks function is called by the sudo front end to
+ The r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is called by the sudo front end to
register any hooks the plugin needs. If the plugin does not
support hooks, register_hooks should be set to the NULL pointer.
The _\bv_\be_\br_\bs_\bi_\bo_\bn argument describes the version of the hooks API
supported by the s\bsu\bud\bdo\bo front end.
- The register_hook function should be used to register any supported
- hooks the plugin needs. It returns 0 on success, 1 if the hook
- type is not supported and -1 if the major version in struct hook
- does not match the front end's major hook API version.
+ The r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bk() function should be used to register any
+ supported hooks the plugin needs. It returns 0 on success, 1 if
+ the hook type is not supported and -1 if the major version in
+ struct hook does not match the front end's major hook API version.
- See the "Hook Function API" section below for more information
- about hooks.
+ See the _\bH_\bo_\bo_\bk _\bf_\bu_\bn_\bc_\bt_\bi_\bo_\bn _\bA_\bP_\bI section below for more information about
+ hooks.
- NOTE: the register_hooks function is only available starting with
+ NOTE: the r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is only available starting with
API version 1.2. If the s\bsu\bud\bdo\bo front end doesn't support API version
1.2 or higher, register_hooks will not be called.
- deregister_hooks
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
+ deregister_hooks
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
- The deregister_hooks function is called by the sudo front end to
+ The d\bde\ber\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is called by the sudo front end to
deregister any hooks the plugin has registered. If the plugin does
not support hooks, deregister_hooks should be set to the NULL
pointer.
The _\bv_\be_\br_\bs_\bi_\bo_\bn argument describes the version of the hooks API
supported by the s\bsu\bud\bdo\bo front end.
- The deregister_hook function should be used to deregister any hooks
- that were put in place by the register_hook function. If the
- plugin tries to deregister a hook that the front end does not
+ The d\bde\ber\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bk() function should be used to deregister any
+ hooks that were put in place by the r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bk() function. If
+ the plugin tries to deregister a hook that the front end does not
support, deregister_hook will return an error.
- See the "Hook Function API" section below for more information
- about hooks.
-
- NOTE: the deregister_hooks function is only available starting with
- API version 1.2. If the s\bsu\bud\bdo\bo front end doesn't support API version
- 1.2 or higher, deregister_hooks will not be called.
-
- _\bP_\bo_\bl_\bi_\bc_\by _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
-
- /* Plugin API version major/minor. */
- #define SUDO_API_VERSION_MAJOR 1
- #define SUDO_API_VERSION_MINOR 2
- #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
- #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
- SUDO_API_VERSION_MINOR)
-
- /* Getters and setters for API version */
- #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define SUDO_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
-
- I\bI/\b/O\bO P\bPl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- struct io_plugin {
- #define SUDO_IO_PLUGIN 2
- unsigned int type; /* always SUDO_IO_PLUGIN */
- unsigned int version; /* always SUDO_API_VERSION */
- int (*open)(unsigned int version, sudo_conv_t conversation
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], int argc, char * const argv[],
- char * const user_env[], char * const plugin_options[]);
- void (*close)(int exit_status, int error); /* wait status or error */
- int (*show_version)(int verbose);
- int (*log_ttyin)(const char *buf, unsigned int len);
- int (*log_ttyout)(const char *buf, unsigned int len);
- int (*log_stdin)(const char *buf, unsigned int len);
- int (*log_stdout)(const char *buf, unsigned int len);
- int (*log_stderr)(const char *buf, unsigned int len);
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
- };
-
- When an I/O plugin is loaded, s\bsu\bud\bdo\bo runs the command in a pseudo-tty.
- This makes it possible to log the input and output from the user's
- session. If any of the standard input, standard output or standard
- error do not correspond to a tty, s\bsu\bud\bdo\bo will open a pipe to capture the
- I/O for logging before passing it on.
-
- The log_ttyin function receives the raw user input from the terminal
- device (note that this will include input even when echo is disabled,
- such as when a password is read). The log_ttyout function receives
- output from the pseudo-tty that is suitable for replaying the user's
- session at a later time. The log_stdin, log_stdout and log_stderr
- functions are only called if the standard input, standard output or
- standard error respectively correspond to something other than a tty.
-
- Any of the logging functions may be set to the NULL pointer if no
- logging is to be performed. If the open function returns 0, no I/O
- will be sent to the plugin.
-
- The io_plugin struct has the following fields:
-
- type
- The type field should always be set to SUDO_IO_PLUGIN
-
- version
+ See the _\bH_\bo_\bo_\bk _\bf_\bu_\bn_\bc_\bt_\bi_\bo_\bn _\bA_\bP_\bI section below for more information about
+ hooks.
+
+ NOTE: the d\bde\ber\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is only available starting
+ with API version 1.2. If the s\bsu\bud\bdo\bo front end doesn't support API
+ version 1.2 or higher, deregister_hooks will not be called.
+
+ _\bP_\bo_\bl_\bi_\bc_\by _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+
+ /* Plugin API version major/minor. */
+ #define SUDO_API_VERSION_MAJOR 1
+ #define SUDO_API_VERSION_MINOR 2
+ #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
+ #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
+ SUDO_API_VERSION_MINOR)
+
+ /* Getters and setters for API version */
+ #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+ #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+ #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
+ } while(0)
+ #define SUDO_VERSION_SET_MINOR(vp, n) do { \
+ *(vp) = (*(vp) & 0xffff0000) | (n); \
+ } while(0)
+
+ I\bI/\b/O\bO p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
+ struct io_plugin {
+ #define SUDO_IO_PLUGIN 2
+ unsigned int type; /* always SUDO_IO_PLUGIN */
+ unsigned int version; /* always SUDO_API_VERSION */
+ int (*open)(unsigned int version, sudo_conv_t conversation
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], int argc, char * const argv[],
+ char * const user_env[], char * const plugin_options[]);
+ void (*close)(int exit_status, int error); /* wait status or error */
+ int (*show_version)(int verbose);
+ int (*log_ttyin)(const char *buf, unsigned int len);
+ int (*log_ttyout)(const char *buf, unsigned int len);
+ int (*log_stdin)(const char *buf, unsigned int len);
+ int (*log_stdout)(const char *buf, unsigned int len);
+ int (*log_stderr)(const char *buf, unsigned int len);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+ };
+
+ When an I/O plugin is loaded, s\bsu\bud\bdo\bo runs the command in a pseudo-tty.
+ This makes it possible to log the input and output from the user's
+ session. If any of the standard input, standard output or standard error
+ do not correspond to a tty, s\bsu\bud\bdo\bo will open a pipe to capture the I/O for
+ logging before passing it on.
+
+ The log_ttyin function receives the raw user input from the terminal
+ device (note that this will include input even when echo is disabled,
+ such as when a password is read). The log_ttyout function receives
+ output from the pseudo-tty that is suitable for replaying the user's
+ session at a later time. The l\blo\bog\bg_\b_s\bst\btd\bdi\bin\bn(), l\blo\bog\bg_\b_s\bst\btd\bdo\bou\but\bt() and l\blo\bog\bg_\b_s\bst\btd\bde\ber\brr\br()
+ functions are only called if the standard input, standard output or
+ standard error respectively correspond to something other than a tty.
+
+ Any of the logging functions may be set to the NULL pointer if no logging
+ is to be performed. If the open function returns 0, no I/O will be sent
+ to the plugin.
+
+ The io_plugin struct has the following fields:
+
+ type The type field should always be set to SUDO_IO_PLUGIN.
+
+ version
The version field should be set to SUDO_API_VERSION.
This allows s\bsu\bud\bdo\bo to determine the API version the plugin was built
against.
- open
- int (*open)(unsigned int version, sudo_conv_t conversation
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], int argc, char * const argv[],
- char * const user_env[], char * const plugin_options[]);
+ open
+ int (*open)(unsigned int version, sudo_conv_t conversation
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], int argc, char * const argv[],
+ char * const user_env[], char * const plugin_options[]);
- The _\bo_\bp_\be_\bn function is run before the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt, _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt or
- _\bs_\bh_\bo_\bw_\b__\bv_\be_\br_\bs_\bi_\bo_\bn functions are called. It is only called if the
- version is being requested or the _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by function has
+ The o\bop\bpe\ben\bn() function is run before the l\blo\bog\bg_\b_i\bin\bnp\bpu\but\bt(), l\blo\bog\bg_\b_o\bou\but\btp\bpu\but\bt() or
+ s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() functions are called. It is only called if the
+ version is being requested or the c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function has
returned successfully. It returns 1 on success, 0 on failure, -1
if a general error occurred, or -2 if there was a usage error. In
the latter case, s\bsu\bud\bdo\bo will print a usage message before it exits.
- If an error occurs, the plugin may optionally call the conversation
- or plugin_printf function with SUDO_CONF_ERROR_MSG to present
- additional error information to the user.
+ If an error occurs, the plugin may optionally call the
+ c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function with SUDO_CONF_ERROR_MSG
+ to present additional error information to the user.
The function arguments are as follows:
version
- The version passed in by s\bsu\bud\bdo\bo allows the plugin to determine
- the major and minor version number of the plugin API supported
- by s\bsu\bud\bdo\bo.
+ The version passed in by s\bsu\bud\bdo\bo allows the plugin to determine
+ the major and minor version number of the plugin API
+ supported by s\bsu\bud\bdo\bo.
conversation
- A pointer to the conversation function that may be used by the
- _\bs_\bh_\bo_\bw_\b__\bv_\be_\br_\bs_\bi_\bo_\bn function to display version information (see
- show_version below). The conversation function may also be
- used to display additional error message to the user. The
- conversation function returns 0 on success and -1 on failure.
+ A pointer to the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function that may be used by
+ the s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function to display version information
+ (see s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() below). The c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function may
+ also be used to display additional error message to the user.
+ The c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function returns 0 on success and -1 on
+ failure.
plugin_printf
- A pointer to a printf-style function that may be used by the
- _\bs_\bh_\bo_\bw_\b__\bv_\be_\br_\bs_\bi_\bo_\bn function to display version information (see
- show_version below). The plugin_printf function may also be
- used to display additional error message to the user. The
- plugin_printf function returns number of characters printed on
- success and -1 on failure.
+ A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used by
+ the s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function to display version information
+ (see show_version below). The p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function may
+ also be used to display additional error message to the user.
+ The p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function returns number of characters
+ printed on success and -1 on failure.
settings
- A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
- "name=value" strings. The vector is terminated by a NULL
- pointer. These settings correspond to flags the user specified
- when running s\bsu\bud\bdo\bo. As such, they will only be present when the
- corresponding flag has been specified on the command line.
+ A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
+ ``name=value'' strings. The vector is terminated by a NULL
+ pointer. These settings correspond to flags the user
+ specified when running s\bsu\bud\bdo\bo. As such, they will only be
+ present when the corresponding flag has been specified on the
+ command line.
- When parsing _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
+ When parsing _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs, the plugin should split on the f\bfi\bir\brs\bst\bt
+ equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
+ itself but the _\bv_\ba_\bl_\bu_\be might.
- See the "Policy Plugin API" section for a list of all possible
- settings.
+ See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a list of all possible
+ settings.
user_info
- A vector of information about the user running the command in
- the form of "name=value" strings. The vector is terminated by
- a NULL pointer.
+ A vector of information about the user running the command in
+ the form of ``name=value'' strings. The vector is terminated
+ by a NULL pointer.
- When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
+ When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
+ equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
+ itself but the _\bv_\ba_\bl_\bu_\be might.
- See the "Policy Plugin API" section for a list of all possible
- strings.
+ See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a list of all possible
+ strings.
- argc
- The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
- pointer.
+ argc The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
+ pointer.
- argv
- If non-NULL, an argument vector describing a command the user
- wishes to run in the same form as what would be passed to the
- _\be_\bx_\be_\bc_\bv_\be_\b(_\b) system call.
+ argv If non-NULL, an argument vector describing a command the user
+ wishes to run in the same form as what would be passed to the
+ execve(2) system call.
user_env
- The user's environment in the form of a NULL-terminated vector
- of "name=value" strings.
+ The user's environment in the form of a NULL-terminated
+ vector of ``name=value'' strings.
- When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign ('=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
+ When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
+ equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
+ itself but the _\bv_\ba_\bl_\bu_\be might.
plugin_options
- Any (non-comment) strings immediately after the plugin path are
- treated as arguments to the plugin. These arguments are split
- on a white space boundary and are passed to the plugin in the
- form of a NULL-terminated array of strings. If no arguments
- were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL pointer.
-
- NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available starting
- with API version 1.2. A plugin m\bmu\bus\bst\bt check the API version
- specified by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs.
- Failure to do so may result in a crash.
-
- close
- void (*close)(int exit_status, int error);
-
- The close function is called when the command being run by s\bsu\bud\bdo\bo
+ Any (non-comment) strings immediately after the plugin path
+ are treated as arguments to the plugin. These arguments are
+ split on a white space boundary and are passed to the plugin
+ in the form of a NULL-terminated array of strings. If no
+ arguments were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL
+ pointer.
+
+ NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available starting
+ with API version 1.2. A plugin m\bmu\bus\bst\bt check the API version
+ specified by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs.
+ Failure to do so may result in a crash.
+
+ close
+ void (*close)(int exit_status, int error);
+
+ The c\bcl\blo\bos\bse\be() function is called when the command being run by s\bsu\bud\bdo\bo
finishes.
The function arguments are as follows:
exit_status
- The command's exit status, as returned by the _\bw_\ba_\bi_\bt(2) system
- call. The value of exit_status is undefined if error is non-
- zero.
+ The command's exit status, as returned by the wait(2) system
+ call. The value of exit_status is undefined if error is non-
+ zero.
error
- If the command could not be executed, this is set to the value
- of errno set by the _\be_\bx_\be_\bc_\bv_\be(2) system call. If the command was
- successfully executed, the value of error is 0.
-
- show_version
- int (*show_version)(int verbose);
-
- The show_version function is called by s\bsu\bud\bdo\bo when the user specifies
- the -V option. The plugin may display its version information to
- the user via the conversation or plugin_printf function using
- SUDO_CONV_INFO_MSG. If the user requests detailed version
- information, the verbose flag will be set.
-
- log_ttyin
- int (*log_ttyin)(const char *buf, unsigned int len);
-
- The _\bl_\bo_\bg_\b__\bt_\bt_\by_\bi_\bn function is called whenever data can be read from the
- user but before it is passed to the running command. This allows
- the plugin to reject data if it chooses to (for instance if the
- input contains banned content). Returns 1 if the data should be
- passed to the command, 0 if the data is rejected (which will
+ If the command could not be executed, this is set to the
+ value of errno set by the execve(2) system call. If the
+ command was successfully executed, the value of error is 0.
+
+ show_version
+ int (*show_version)(int verbose);
+
+ The s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function is called by s\bsu\bud\bdo\bo when the user
+ specifies the -\b-V\bV option. The plugin may display its version
+ information to the user via the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
+ function using SUDO_CONV_INFO_MSG. If the user requests detailed
+ version information, the verbose flag will be set.
+
+ log_ttyin
+ int (*log_ttyin)(const char *buf, unsigned int len);
+
+ The l\blo\bog\bg_\b_t\btt\bty\byi\bin\bn() function is called whenever data can be read from
+ the user but before it is passed to the running command. This
+ allows the plugin to reject data if it chooses to (for instance if
+ the input contains banned content). Returns 1 if the data should
+ be passed to the command, 0 if the data is rejected (which will
terminate the command) or -1 if an error occurred.
The function arguments are as follows:
- buf The buffer containing user input.
+ buf The buffer containing user input.
- len The length of _\bb_\bu_\bf in bytes.
+ len The length of _\bb_\bu_\bf in bytes.
- log_ttyout
- int (*log_ttyout)(const char *buf, unsigned int len);
+ log_ttyout
+ int (*log_ttyout)(const char *buf, unsigned int len);
- The _\bl_\bo_\bg_\b__\bt_\bt_\by_\bo_\bu_\bt function is called whenever data can be read from
+ The l\blo\bog\bg_\b_t\btt\bty\byo\bou\but\bt() function is called whenever data can be read from
the command but before it is written to the user's terminal. This
allows the plugin to reject data if it chooses to (for instance if
the output contains banned content). Returns 1 if the data should
The function arguments are as follows:
- buf The buffer containing command output.
+ buf The buffer containing command output.
- len The length of _\bb_\bu_\bf in bytes.
+ len The length of _\bb_\bu_\bf in bytes.
- log_stdin
- int (*log_stdin)(const char *buf, unsigned int len);
+ log_stdin
+ int (*log_stdin)(const char *buf, unsigned int len);
- The _\bl_\bo_\bg_\b__\bs_\bt_\bd_\bi_\bn function is only used if the standard input does not
- correspond to a tty device. It is called whenever data can be read
- from the standard input but before it is passed to the running
+ The l\blo\bog\bg_\b_s\bst\btd\bdi\bin\bn() function is only used if the standard input does
+ not correspond to a tty device. It is called whenever data can be
+ read from the standard input but before it is passed to the running
command. This allows the plugin to reject data if it chooses to
(for instance if the input contains banned content). Returns 1 if
the data should be passed to the command, 0 if the data is rejected
The function arguments are as follows:
- buf The buffer containing user input.
+ buf The buffer containing user input.
- len The length of _\bb_\bu_\bf in bytes.
+ len The length of _\bb_\bu_\bf in bytes.
- log_stdout
- int (*log_stdout)(const char *buf, unsigned int len);
+ log_stdout
+ int (*log_stdout)(const char *buf, unsigned int len);
- The _\bl_\bo_\bg_\b__\bs_\bt_\bd_\bo_\bu_\bt function is only used if the standard output does
+ The l\blo\bog\bg_\b_s\bst\btd\bdo\bou\but\bt() function is only used if the standard output does
not correspond to a tty device. It is called whenever data can be
read from the command but before it is written to the standard
output. This allows the plugin to reject data if it chooses to
The function arguments are as follows:
- buf The buffer containing command output.
+ buf The buffer containing command output.
- len The length of _\bb_\bu_\bf in bytes.
+ len The length of _\bb_\bu_\bf in bytes.
- log_stderr
- int (*log_stderr)(const char *buf, unsigned int len);
+ log_stderr
+ int (*log_stderr)(const char *buf, unsigned int len);
- The _\bl_\bo_\bg_\b__\bs_\bt_\bd_\be_\br_\br function is only used if the standard error does not
- correspond to a tty device. It is called whenever data can be read
- from the command but before it is written to the standard error.
- This allows the plugin to reject data if it chooses to (for
+ The l\blo\bog\bg_\b_s\bst\btd\bde\ber\brr\br() function is only used if the standard error does
+ not correspond to a tty device. It is called whenever data can be
+ read from the command but before it is written to the standard
+ error. This allows the plugin to reject data if it chooses to (for
instance if the output contains banned content). Returns 1 if the
data should be passed to the user, 0 if the data is rejected (which
will terminate the command) or -1 if an error occurred.
The function arguments are as follows:
- buf The buffer containing command output.
+ buf The buffer containing command output.
- len The length of _\bb_\bu_\bf in bytes.
+ len The length of _\bb_\bu_\bf in bytes.
- register_hooks
- See the "Policy Plugin API" section for a description of
+ register_hooks
+ See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a description of
register_hooks.
- deregister_hooks
- See the "Policy Plugin API" section for a description of
+ deregister_hooks
+ See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a description of
deregister_hooks.
- _\bI_\b/_\bO _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+ _\bI_\b/_\bO _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
- Same as for the "Policy Plugin API".
+ Same as for the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI.
- H\bHo\boo\bok\bk F\bFu\bun\bnc\bct\bti\bio\bon\bn A\bAP\bPI\bI
- Beginning with plugin API version 1.2, it is possible to install hooks
- for certain functions called by the s\bsu\bud\bdo\bo front end.
+ H\bHo\boo\bok\bk f\bfu\bun\bnc\bct\bti\bio\bon\bn A\bAP\bPI\bI
+ Beginning with plugin API version 1.2, it is possible to install hooks
+ for certain functions called by the s\bsu\bud\bdo\bo front end.
- Currently, the only supported hooks relate to the handling of
- environment variables. Hooks can be used to intercept attempts to get,
- set, or remove environment variables so that these changes can be
- reflected in the version of the environment that is used to execute a
- command. A future version of the API will support hooking internal
- s\bsu\bud\bdo\bo front end functions as well.
+ Currently, the only supported hooks relate to the handling of environment
+ variables. Hooks can be used to intercept attempts to get, set, or
+ remove environment variables so that these changes can be reflected in
+ the version of the environment that is used to execute a command. A
+ future version of the API will support hooking internal s\bsu\bud\bdo\bo front end
+ functions as well.
- _\bH_\bo_\bo_\bk _\bs_\bt_\br_\bu_\bc_\bt_\bu_\br_\be
+ _\bH_\bo_\bo_\bk _\bs_\bt_\br_\bu_\bc_\bt_\bu_\br_\be
- Hooks in s\bsu\bud\bdo\bo are described by the following structure:
+ Hooks in s\bsu\bud\bdo\bo are described by the following structure:
- typedef int (*sudo_hook_fn_t)();
+ typedef int (*sudo_hook_fn_t)();
- struct sudo_hook {
- int hook_version;
- int hook_type;
- sudo_hook_fn_t hook_fn;
- void *closure;
- };
+ struct sudo_hook {
+ int hook_version;
+ int hook_type;
+ sudo_hook_fn_t hook_fn;
+ void *closure;
+ };
- The sudo_hook structure has the following fields:
+ The sudo_hook structure has the following fields:
- hook_version
+ hook_version
The hook_version field should be set to SUDO_HOOK_VERSION.
- hook_type
+ hook_type
The hook_type field may be one of the following supported hook
types:
SUDO_HOOK_SETENV
- The C library setenv() function. Any registered hooks will run
- before the C library implementation. The hook_fn field should
- be a function that matches the following typedef:
+ The C library setenv(3) function. Any registered hooks will
+ run before the C library implementation. The hook_fn field
+ should be a function that matches the following typedef:
- typedef int (*sudo_hook_fn_setenv_t)(const char *name,
- const char *value, int overwrite, void *closure);
+ typedef int (*sudo_hook_fn_setenv_t)(const char *name,
+ const char *value, int overwrite, void *closure);
- If the registered hook does not match the typedef the results
- are unspecified.
+ If the registered hook does not match the typedef the results
+ are unspecified.
SUDO_HOOK_UNSETENV
- The C library unsetenv() function. Any registered hooks will
- run before the C library implementation. The hook_fn field
- should be a function that matches the following typedef:
+ The C library unsetenv(3) function. Any registered hooks
+ will run before the C library implementation. The hook_fn
+ field should be a function that matches the following
+ typedef:
- typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
- void *closure);
+ typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
+ void *closure);
SUDO_HOOK_GETENV
- The C library getenv() function. Any registered hooks will run
- before the C library implementation. The hook_fn field should
- be a function that matches the following typedef:
+ The C library getenv(3) function. Any registered hooks will
+ run before the C library implementation. The hook_fn field
+ should be a function that matches the following typedef:
- typedef int (*sudo_hook_fn_getenv_t)(const char *name,
- char **value, void *closure);
+ typedef int (*sudo_hook_fn_getenv_t)(const char *name,
+ char **value, void *closure);
- If the registered hook does not match the typedef the results
- are unspecified.
+ If the registered hook does not match the typedef the results
+ are unspecified.
SUDO_HOOK_PUTENV
- The C library putenv() function. Any registered hooks will run
- before the C library implementation. The hook_fn field should
- be a function that matches the following typedef:
+ The C library putenv(3) function. Any registered hooks will
+ run before the C library implementation. The hook_fn field
+ should be a function that matches the following typedef:
- typedef int (*sudo_hook_fn_putenv_t)(char *string,
- void *closure);
+ typedef int (*sudo_hook_fn_putenv_t)(char *string,
+ void *closure);
- If the registered hook does not match the typedef the results
- are unspecified.
+ If the registered hook does not match the typedef the results
+ are unspecified.
- hook_fn
- sudo_hook_fn_t hook_fn;
+ hook_fn
+ sudo_hook_fn_t hook_fn;
The hook_fn field should be set to the plugin's hook
implementation. The actual function arguments will vary depending
The function return value may be one of the following:
SUDO_HOOK_RET_ERROR
- The hook function encountered an error.
+ The hook function encountered an error.
SUDO_HOOK_RET_NEXT
- The hook completed without error, go on to the next hook
- (including the native implementation if applicable). For
- example, a getenv hook might return SUDO_HOOK_RET_NEXT if the
- specified variable was not found in the private copy of the
- environment.
+ The hook completed without error, go on to the next hook
+ (including the native implementation if applicable). For
+ example, a getenv(3) hook might return SUDO_HOOK_RET_NEXT if
+ the specified variable was not found in the private copy of
+ the environment.
SUDO_HOOK_RET_STOP
- The hook completed without error, stop processing hooks for
- this invocation. This can be used to replace the native
- implementation. For example, a setenv hook that operates on a
- private copy of the environment but leaves environ unchanged.
-
- Note that it is very easy to create an infinite loop when hooking C
- library functions. For example, a getenv hook that calls the snprintf
- function may create a loop if the snprintf implementation calls getenv
- to check the locale. To prevent this, you may wish to use a static
- variable in the hook function to guard against nested calls. E.g.
-
- static int in_progress = 0; /* avoid recursion */
- if (in_progress)
- return SUDO_HOOK_RET_NEXT;
- in_progress = 1;
- ...
- in_progress = 0;
- return SUDO_HOOK_RET_STOP;
-
- _\bH_\bo_\bo_\bk _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
-
- /* Hook API version major/minor */
- #define SUDO_HOOK_VERSION_MAJOR 1
- #define SUDO_HOOK_VERSION_MINOR 0
- #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
- #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
- SUDO_HOOK_VERSION_MINOR)
-
- /* Getters and setters for hook API version */
- #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
+ The hook completed without error, stop processing hooks for
+ this invocation. This can be used to replace the native
+ implementation. For example, a setenv hook that operates on
+ a private copy of the environment but leaves environ
+ unchanged.
+
+ Note that it is very easy to create an infinite loop when hooking C
+ library functions. For example, a getenv(3) hook that calls the
+ snprintf(3) function may create a loop if the snprintf(3) implementation
+ calls getenv(3) to check the locale. To prevent this, you may wish to
+ use a static variable in the hook function to guard against nested calls.
+ For example:
+
+ static int in_progress = 0; /* avoid recursion */
+ if (in_progress)
+ return SUDO_HOOK_RET_NEXT;
+ in_progress = 1;
+ ...
+ in_progress = 0;
+ return SUDO_HOOK_RET_STOP;
+
+ _\bH_\bo_\bo_\bk _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+
+ /* Hook API version major/minor */
+ #define SUDO_HOOK_VERSION_MAJOR 1
+ #define SUDO_HOOK_VERSION_MINOR 0
+ #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
+ #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
+ SUDO_HOOK_VERSION_MINOR)
+
+ /* Getters and setters for hook API version */
+ #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
+ #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
+ #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
+ } while(0)
+ #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \
+ *(vp) = (*(vp) & 0xffff0000) | (n); \
+ } while(0)
C\bCo\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn A\bAP\bPI\bI
- If the plugin needs to interact with the user, it may do so via the
- conversation function. A plugin should not attempt to read directly
- from the standard input or the user's tty (neither of which are
- guaranteed to exist). The caller must include a trailing newline in
- msg if one is to be printed.
-
- A printf-style function is also available that can be used to display
- informational or error messages to the user, which is usually more
- convenient for simple messages where no use input is required.
-
- struct sudo_conv_message {
- #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
- #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
- #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
- #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
- #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
- #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
- #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
- int msg_type;
- int timeout;
- const char *msg;
- };
-
- struct sudo_conv_reply {
- char *reply;
- };
-
- typedef int (*sudo_conv_t)(int num_msgs,
- const struct sudo_conv_message msgs[],
- struct sudo_conv_reply replies[]);
-
- typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
-
- Pointers to the conversation and printf-style functions are passed in
- to the plugin's open function when the plugin is initialized.
-
- To use the conversation function, the plugin must pass an array of
- sudo_conv_message and sudo_conv_reply structures. There must be a
- struct sudo_conv_message and struct sudo_conv_reply for each message in
- the conversation. The plugin is responsible for freeing the reply
- buffer filled in to the struct sudo_conv_reply, if any.
-
- The printf-style function uses the same underlying mechanism as the
- conversation function but only supports SUDO_CONV_INFO_MSG,
- SUDO_CONV_ERROR_MSG and SUDO_CONV_DEBUG_MSG for the _\bm_\bs_\bg_\b__\bt_\by_\bp_\be parameter.
- It can be more convenient than using the conversation function if no
- user reply is needed and supports standard _\bp_\br_\bi_\bn_\bt_\bf_\b(_\b) escape sequences.
-
- Unlike, SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG, messages sent with
- the <SUDO_CONV_DEBUG_MSG> _\bm_\bs_\bg_\b__\bt_\by_\bp_\be are not directly user-visible.
- Instead, they are logged to the file specified in the Debug statement
- (if any) in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file. This allows a plugin to log
- debugging information and is intended to be used in conjunction with
- the _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs setting.
-
- See the sample plugin for an example of the conversation function
- usage.
-
- S\bSu\bud\bdo\boe\ber\brs\bs G\bGr\bro\bou\bup\bp P\bPl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- The _\bs_\bu_\bd_\bo_\be_\br_\bs module supports a plugin interface to allow non-Unix group
- lookups. This can be used to query a group source other than the
- standard Unix group database. A sample group plugin is bundled with
- s\bsu\bud\bdo\bo that implements file-based lookups. Third party group plugins
- include a QAS AD plugin available from Quest Software.
-
- A group plugin must declare and populate a sudoers_group_plugin struct
- in the global scope. This structure contains pointers to the functions
- that implement plugin initialization, cleanup and group lookup.
-
- struct sudoers_group_plugin {
- unsigned int version;
- int (*init)(int version, sudo_printf_t sudo_printf,
- char *const argv[]);
- void (*cleanup)(void);
- int (*query)(const char *user, const char *group,
- const struct passwd *pwd);
- };
-
- The sudoers_group_plugin struct has the following fields:
-
- version
+ If the plugin needs to interact with the user, it may do so via the
+ c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function. A plugin should not attempt to read directly
+ from the standard input or the user's tty (neither of which are
+ guaranteed to exist). The caller must include a trailing newline in msg
+ if one is to be printed.
+
+ A p\bpr\bri\bin\bnt\btf\bf()-style function is also available that can be used to display
+ informational or error messages to the user, which is usually more
+ convenient for simple messages where no use input is required.
+
+ struct sudo_conv_message {
+ #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
+ #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
+ #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
+ #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
+ #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
+ #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
+ #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
+ int msg_type;
+ int timeout;
+ const char *msg;
+ };
+
+ struct sudo_conv_reply {
+ char *reply;
+ };
+
+ typedef int (*sudo_conv_t)(int num_msgs,
+ const struct sudo_conv_message msgs[],
+ struct sudo_conv_reply replies[]);
+
+ typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
+
+ Pointers to the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() and p\bpr\bri\bin\bnt\btf\bf()-style functions are passed in
+ to the plugin's o\bop\bpe\ben\bn() function when the plugin is initialized.
+
+ To use the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function, the plugin must pass an array of
+ sudo_conv_message and sudo_conv_reply structures. There must be a struct
+ sudo_conv_message and struct sudo_conv_reply for each message in the
+ conversation. The plugin is responsible for freeing the reply buffer
+ filled in to the struct sudo_conv_reply, if any.
+
+ The p\bpr\bri\bin\bnt\btf\bf()-style function uses the same underlying mechanism as the
+ c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function but only supports SUDO_CONV_INFO_MSG,
+ SUDO_CONV_ERROR_MSG and SUDO_CONV_DEBUG_MSG for the _\bm_\bs_\bg_\b__\bt_\by_\bp_\be parameter.
+ It can be more convenient than using the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function if no
+ user reply is needed and supports standard p\bpr\bri\bin\bnt\btf\bf() escape sequences.
+
+ Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent
+ with the SUDO_CONV_DEBUG_MSG _\bm_\bs_\bg_\b__\bt_\by_\bp_\be are not directly user-visible.
+ Instead, they are logged to the file specified in the Debug statement (if
+ any) in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+
+ file. This allows a plugin to log debugging information and is intended
+ to be used in conjunction with the _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs setting.
+
+ See the sample plugin for an example of the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function
+ usage.
+
+ S\bSu\bud\bdo\boe\ber\brs\bs g\bgr\bro\bou\bup\bp p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs module supports a plugin interface to allow non-Unix group
+ lookups. This can be used to query a group source other than the
+ standard Unix group database. A sample group plugin is bundled with s\bsu\bud\bdo\bo
+ that implements file-based lookups. Third party group plugins include a
+ QAS AD plugin available from Quest Software.
+
+ A group plugin must declare and populate a sudoers_group_plugin struct in
+ the global scope. This structure contains pointers to the functions that
+ implement plugin initialization, cleanup and group lookup.
+
+ struct sudoers_group_plugin {
+ unsigned int version;
+ int (*init)(int version, sudo_printf_t sudo_printf,
+ char *const argv[]);
+ void (*cleanup)(void);
+ int (*query)(const char *user, const char *group,
+ const struct passwd *pwd);
+ };
+
+ The sudoers_group_plugin struct has the following fields:
+
+ version
The version field should be set to GROUP_API_VERSION.
This allows _\bs_\bu_\bd_\bo_\be_\br_\bs to determine the API version the group plugin
was built against.
- init
- int (*init)(int version, sudo_printf_t plugin_printf,
- char *const argv[]);
+ init
+ int (*init)(int version, sudo_printf_t plugin_printf,
+ char *const argv[]);
- The _\bi_\bn_\bi_\bt function is called after _\bs_\bu_\bd_\bo_\be_\br_\bs has been parsed but
+ The i\bin\bni\bit\bt() function is called after _\bs_\bu_\bd_\bo_\be_\br_\bs has been parsed but
before any policy checks. It returns 1 on success, 0 on failure
(or if the plugin is not configured), and -1 if a error occurred.
- If an error occurs, the plugin may call the plugin_printf function
- with SUDO_CONF_ERROR_MSG to present additional error information to
- the user.
+ If an error occurs, the plugin may call the p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
+ function with SUDO_CONF_ERROR_MSG to present additional error
+ information to the user.
The function arguments are as follows:
version
- The version passed in by _\bs_\bu_\bd_\bo_\be_\br_\bs allows the plugin to determine
- the major and minor version number of the group plugin API
- supported by _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ The version passed in by _\bs_\bu_\bd_\bo_\be_\br_\bs allows the plugin to
+ determine the major and minor version number of the group
+ plugin API supported by _\bs_\bu_\bd_\bo_\be_\br_\bs.
plugin_printf
- A pointer to a printf-style function that may be used to
- display informational or error message to the user. Returns
- the number of characters printed on success and -1 on failure.
+ A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used to
+ display informational or error message to the user. Returns
+ the number of characters printed on success and -1 on
+ failure.
- argv
- A NULL-terminated array of arguments generated from the
- _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs. If no arguments were given,
- _\ba_\br_\bg_\bv will be NULL.
+ argv A NULL-terminated array of arguments generated from the
+ _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs. If no arguments were given,
+ _\ba_\br_\bg_\bv will be NULL.
- cleanup
- void (*cleanup)();
+ cleanup
+ void (*cleanup)();
- The _\bc_\bl_\be_\ba_\bn_\bu_\bp function is called when _\bs_\bu_\bd_\bo_\be_\br_\bs has finished its group
- checks. The plugin should free any memory it has allocated and
- close open file handles.
+ The c\bcl\ble\bea\ban\bnu\bup\bp() function is called when _\bs_\bu_\bd_\bo_\be_\br_\bs has finished its
+ group checks. The plugin should free any memory it has allocated
+ and close open file handles.
- query
- int (*query)(const char *user, const char *group,
- const struct passwd *pwd);
+ query
+ int (*query)(const char *user, const char *group,
+ const struct passwd *pwd);
- The _\bq_\bu_\be_\br_\by function is used to ask the group plugin whether _\bu_\bs_\be_\br is
- a member of _\bg_\br_\bo_\bu_\bp.
+ The q\bqu\bue\ber\bry\by() function is used to ask the group plugin whether _\bu_\bs_\be_\br
+ is a member of _\bg_\br_\bo_\bu_\bp.
The function arguments are as follows:
- user
- The name of the user being looked up in the external group
- database.
+ user The name of the user being looked up in the external group
+ database.
group
- The name of the group being queried.
+ The name of the group being queried.
- pwd The password database entry for _\bu_\bs_\be_\br, if any. If _\bu_\bs_\be_\br is not
- present in the password database, _\bp_\bw_\bd will be NULL.
+ pwd The password database entry for _\bu_\bs_\be_\br, if any. If _\bu_\bs_\be_\br is not
+ present in the password database, _\bp_\bw_\bd will be NULL.
- _\bG_\br_\bo_\bu_\bp _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
+ _\bG_\br_\bo_\bu_\bp _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
- /* Sudoers group plugin version major/minor */
- #define GROUP_API_VERSION_MAJOR 1
- #define GROUP_API_VERSION_MINOR 0
- #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
- GROUP_API_VERSION_MINOR)
+ /* Sudoers group plugin version major/minor */
+ #define GROUP_API_VERSION_MAJOR 1
+ #define GROUP_API_VERSION_MINOR 0
+ #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
+ GROUP_API_VERSION_MINOR)
- /* Getters and setters for group version */
- #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
+ /* Getters and setters for group version */
+ #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+ #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+ #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
+ } while(0)
+ #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \
+ *(vp) = (*(vp) & 0xffff0000) | (n); \
+ } while(0)
P\bPL\bLU\bUG\bGI\bIN\bN A\bAP\bPI\bI C\bCH\bHA\bAN\bNG\bGE\bEL\bLO\bOG\bG
- The following revisions have been made to the Sudo Plugin API.
+ The following revisions have been made to the Sudo Plugin API.
- Version 1.0
+ Version 1.0
Initial API version.
- Version 1.1
- The I/O logging plugin's open function was modified to take the
+ Version 1.1
+ The I/O logging plugin's o\bop\bpe\ben\bn() function was modified to take the
command_info list as an argument.
- Version 1.2
- The Policy and I/O logging plugins' open functions are now passed a
- list of plugin options if any are specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf.
+ Version 1.2
+ The Policy and I/O logging plugins' o\bop\bpe\ben\bn() functions are now passed
+ a list of plugin options if any are specified in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf.
A simple hooks API has been introduced to allow plugins to hook in
to the system's environment handling functions.
before a command is run.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m)
+ sudoers(4), sudo(1m)
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-workers mailing list,
- see http://www.sudo.ws/mailman/listinfo/sudo-workers to subscribe or
- search the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.8.5 April 23, 2012 SUDO_PLUGIN(1m)
+Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in
+.\"
.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDO_PLUGIN @mansectsu@"
-.TH SUDO_PLUGIN @mansectsu@ "April 23, 2012" "1.8.5" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDO_PLUGIN" "5" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudo_plugin \- Sudo Plugin API
+\fBsudo_plugin\fR
+\- Sudo Plugin API
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-Starting with version 1.8, \fBsudo\fR supports a plugin \s-1API\s0
-for policy and session logging. By default, the \fIsudoers\fR policy
-plugin and an associated I/O logging plugin are used. Via the plugin
-\&\s-1API\s0, \fBsudo\fR can be configured to use alternate policy and/or I/O
-logging plugins provided by third parties. The plugins to be used
-are specified via the \fI@sysconfdir@/sudo.conf\fR file.
+Starting with version 1.8,
+\fBsudo\fR
+supports a plugin API
+for policy and session logging.
+By default, the
+\fIsudoers\fR
+policy plugin and an associated I/O logging plugin are used.
+Via the plugin API,
+\fBsudo\fR
+can be configured to use alternate policy and/or I/O logging plugins
+provided by third parties.
+The plugins to be used are specified via the
+\fI@sysconfdir@/sudo.conf\fR
+file.
.PP
-The \s-1API\s0 is versioned with a major and minor number. The minor
-version number is incremented when additions are made. The major
-number is incremented when incompatible changes are made. A plugin
-should be check the version passed to it and make sure that the
+The API is versioned with a major and minor number.
+The minor version number is incremented when additions are made.
+The major number is incremented when incompatible changes are made.
+A plugin should be check the version passed to it and make sure that the
major version matches.
.PP
-The plugin \s-1API\s0 is defined by the \f(CW\*(C`sudo_plugin.h\*(C'\fR header file.
-.SS "The sudo.conf File"
-.IX Subsection "The sudo.conf File"
-The \fI@sysconfdir@/sudo.conf\fR file contains plugin configuration directives.
-Currently, the only supported keyword is the \f(CW\*(C`Plugin\*(C'\fR directive,
-which causes a plugin plugin to be loaded.
+The plugin API is defined by the
+\fRsudo_plugin.h\fR
+header file.
+.SS "The sudo.conf file"
+The
+\fI@sysconfdir@/sudo.conf\fR
+file contains plugin configuration directives.
+The primary keyword is the
+\fRPlugin\fR
+directive, which causes a plugin to be loaded.
.PP
-A \f(CW\*(C`Plugin\*(C'\fR line consists of the \f(CW\*(C`Plugin\*(C'\fR keyword, followed by the
-\&\fIsymbol_name\fR and the \fIpath\fR to the shared object containing the
-plugin. The \fIsymbol_name\fR is the name of the \f(CW\*(C`struct policy_plugin\*(C'\fR
-or \f(CW\*(C`struct io_plugin\*(C'\fR in the plugin shared object. The \fIpath\fR
-may be fully qualified or relative. If not fully qualified it is
-relative to the \fI@prefix@/libexec\fR directory. Any additional
-parameters after the \fIpath\fR are passed as options to the plugin's
-\&\fIopen\fR function. Lines that don't begin with \f(CW\*(C`Plugin\*(C'\fR, \f(CW\*(C`Path\*(C'\fR,
-\&\f(CW\*(C`Debug\*(C'\fR or \f(CW\*(C`Set\*(C'\fR are silently ignored.
+A
+\fRPlugin\fR
+line consists of the
+\fRPlugin\fR
+keyword, followed by the
+\fIsymbol_name\fR
+and the
+\fIpath\fR
+to the shared object containing the plugin.
+The
+\fIsymbol_name\fR
+is the name of the
+\fRstruct policy_plugin\fR
+or
+\fRstruct io_plugin\fR
+in the plugin shared object.
+The
+\fIpath\fR
+may be fully qualified or relative.
+If not fully qualified it is relative to the
+\fI@prefix@/libexec\fR
+directory.
+Any additional parameters after the
+\fIpath\fR
+are passed as options to the plugin's
+\fBopen\fR()
+function.
+Lines that don't begin with
+\fRPlugin\fR,
+\fRPath\fR,
+\fRDebug\fR
+or
+\fRSet\fR
+are silently ignored.
.PP
The same shared object may contain multiple plugins, each with a
-different symbol name. The shared object file must be owned by uid
-0 and only writable by its owner. Because of ambiguities that arise
-from composite policies, only a single policy plugin may be specified.
+different symbol name.
+The shared object file must be owned by uid 0 and only writable by its owner.
+Because of ambiguities that arise from composite policies, only a single
+policy plugin may be specified.
This limitation does not apply to I/O plugins.
-.PP
-.Vb 10
-\& #
-\& # Default @sysconfdir@/sudo.conf file
-\& #
-\& # Format:
-\& # Plugin plugin_name plugin_path plugin_options ...
-\& # Path askpass /path/to/askpass
-\& # Path noexec /path/to/sudo_noexec.so
-\& # Debug sudo /var/log/sudo_debug all@warn
-\& # Set disable_coredump true
-\& #
-\& # The plugin_path is relative to @prefix@/libexec unless
-\& # fully qualified.
-\& # The plugin_name corresponds to a global symbol in the plugin
-\& # that contains the plugin interface structure.
-\& # The plugin_options are optional.
-\& #
-\& Plugin sudoers_policy sudoers.so
-\& Plugin sudoers_io sudoers.so
-.Ve
-.SS "Policy Plugin \s-1API\s0"
-.IX Subsection "Policy Plugin API"
-A policy plugin must declare and populate a \f(CW\*(C`policy_plugin\*(C'\fR struct
-in the global scope. This structure contains pointers to the functions
-that implement the \fBsudo\fR policy checks. The name of the symbol should
-be specified in \fI@sysconfdir@/sudo.conf\fR along with a path to the plugin
-so that \fBsudo\fR can load it.
-.PP
-.Vb 10
-\& struct policy_plugin {
-\& #define SUDO_POLICY_PLUGIN 1
-\& unsigned int type; /* always SUDO_POLICY_PLUGIN */
-\& unsigned int version; /* always SUDO_API_VERSION */
-\& int (*open)(unsigned int version, sudo_conv_t conversation,
-\& sudo_printf_t plugin_printf, char * const settings[],
-\& char * const user_info[], char * const user_env[],
-\& char * const plugin_options[]);
-\& void (*close)(int exit_status, int error);
-\& int (*show_version)(int verbose);
-\& int (*check_policy)(int argc, char * const argv[],
-\& char *env_add[], char **command_info[],
-\& char **argv_out[], char **user_env_out[]);
-\& int (*list)(int argc, char * const argv[], int verbose,
-\& const char *list_user);
-\& int (*validate)(void);
-\& void (*invalidate)(int remove);
-\& int (*init_session)(struct passwd *pwd, char **user_env[]);
-\& void (*register_hooks)(int version,
-\& int (*register_hook)(struct sudo_hook *hook));
-\& void (*deregister_hooks)(int version,
-\& int (*deregister_hook)(struct sudo_hook *hook));
-\& };
-.Ve
+.nf
+.sp
+.RS 0n
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @prefix@/libexec unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+.RE
+.fi
+.SS "Policy plugin API"
+A policy plugin must declare and populate a
+\fRpolicy_plugin\fR
+struct in the global scope.
+This structure contains pointers to the functions that implement the
+\fBsudo\fR
+policy checks.
+The name of the symbol should be specified in
+\fI@sysconfdir@/sudo.conf\fR
+along with a path to the plugin so that
+\fBsudo\fR
+can load it.
+.nf
+.sp
+.RS 0n
+struct policy_plugin {
+#define SUDO_POLICY_PLUGIN 1
+ unsigned int type; /* always SUDO_POLICY_PLUGIN */
+ unsigned int version; /* always SUDO_API_VERSION */
+ int (*open)(unsigned int version, sudo_conv_t conversation,
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], char * const user_env[],
+ char * const plugin_options[]);
+ void (*close)(int exit_status, int error);
+ int (*show_version)(int verbose);
+ int (*check_policy)(int argc, char * const argv[],
+ char *env_add[], char **command_info[],
+ char **argv_out[], char **user_env_out[]);
+ int (*list)(int argc, char * const argv[], int verbose,
+ const char *list_user);
+ int (*validate)(void);
+ void (*invalidate)(int remove);
+ int (*init_session)(struct passwd *pwd, char **user_env[]);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+};
+.RE
+.fi
.PP
The policy_plugin struct has the following fields:
-.IP "type" 4
-.IX Item "type"
-The \f(CW\*(C`type\*(C'\fR field should always be set to \s-1SUDO_POLICY_PLUGIN\s0.
-.IP "version" 4
-.IX Item "version"
-The \f(CW\*(C`version\*(C'\fR field should be set to \s-1SUDO_API_VERSION\s0.
-.Sp
-This allows \fBsudo\fR to determine the \s-1API\s0 version the plugin was
+.TP 6n
+type
+The
+\fRtype\fR
+field should always be set to SUDO_POLICY_PLUGIN.
+.TP 6n
+version
+The
+\fRversion\fR
+field should be set to
+\fRSUDO_API_VERSION\fR.
+.sp
+This allows
+\fBsudo\fR
+to determine the API version the plugin was
built against.
-.IP "open" 4
-.IX Item "open"
-.Vb 4
-\& int (*open)(unsigned int version, sudo_conv_t conversation,
-\& sudo_printf_t plugin_printf, char * const settings[],
-\& char * const user_info[], char * const user_env[],
-\& char * const plugin_options[]);
-.Ve
-.Sp
+.TP 6n
+open
+.RS
+.nf
+.RS 0n
+int (*open)(unsigned int version, sudo_conv_t conversation,
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], char * const user_env[],
+ char * const plugin_options[]);
+.RE
+.fi
+.sp
Returns 1 on success, 0 on failure, \-1 if a general error occurred,
-or \-2 if there was a usage error. In the latter case, \fBsudo\fR will
-print a usage message before it exits. If an error occurs, the
-plugin may optionally call the conversation or plugin_printf function
-with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information
-to the user.
-.Sp
+or \-2 if there was a usage error.
+In the latter case,
+\fBsudo\fR
+will print a usage message before it exits.
+If an error occurs, the plugin may optionally call the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function with
+\fRSUDO_CONF_ERROR_MSG\fR
+to present additional error information to the user.
+.sp
The function arguments are as follows:
-.RS 4
-.IP "version" 4
-.IX Item "version"
-The version passed in by \fBsudo\fR allows the plugin to determine the
-major and minor version number of the plugin \s-1API\s0 supported by
-\&\fBsudo\fR.
-.IP "conversation" 4
-.IX Item "conversation"
-A pointer to the conversation function that can be used by the
-plugin to interact with the user (see below).
+.TP 6n
+version
+The version passed in by
+\fBsudo\fR
+allows the plugin to determine the
+major and minor version number of the plugin API supported by
+\fBsudo\fR.
+.TP 6n
+conversation
+A pointer to the
+\fBconversation\fR()
+function that can be used by the plugin to interact with the user (see below).
Returns 0 on success and \-1 on failure.
-.IP "plugin_printf" 4
-.IX Item "plugin_printf"
-A pointer to a printf-style function that may be used to display
-informational or error messages (see below).
+.TP 6n
+plugin_printf
+A pointer to a
+\fBprintf\fR()-style
+function that may be used to display informational or error messages
+(see below).
Returns the number of characters printed on success and \-1 on failure.
-.IP "settings" 4
-.IX Item "settings"
-A vector of user-supplied \fBsudo\fR settings in the form of \*(L"name=value\*(R"
-strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. These
-settings correspond to flags the user specified when running \fBsudo\fR.
+.TP 6n
+settings
+A vector of user-supplied
+\fBsudo\fR
+settings in the form of
+``name=value''
+strings.
+The vector is terminated by a
+\fRNULL\fR
+pointer.
+These settings correspond to flags the user specified when running
+\fBsudo\fR.
As such, they will only be present when the corresponding flag has
been specified on the command line.
-.Sp
-When parsing \fIsettings\fR, the plugin should split on the \fBfirst\fR
-equal sign ('=') since the \fIname\fR field will never include one
-itself but the \fIvalue\fR might.
-.RS 4
-.IP "debug_flags=string" 4
-.IX Item "debug_flags=string"
-A comma-separated list of debug flags that correspond to \fBsudo\fR's
-\&\f(CW\*(C`Debug\*(C'\fR entry in \fI@sysconfdir@/sudo.conf\fR, if there is one. The
-flags are passed to the plugin as they appear in \fI@sysconfdir@/sudo.conf\fR.
-The syntax used by \fBsudo\fR and the \fIsudoers\fR plugin is
-\&\fIsubsystem\fR@\fIpriority\fR but the plugin is free to use a different
-format so long as it does not include a command \f(CW\*(C`,\*(C'\fR.
-.Sp
-For reference, the priorities supported by the \fBsudo\fR front end and
-\&\fIsudoers\fR are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR,
-\&\fIinfo\fR, \fItrace\fR and \fIdebug\fR.
-.Sp
-The following subsystems are defined: \fImain\fR, \fImemory\fR, \fIargs\fR,
-\&\fIexec\fR, \fIpty\fR, \fIutmp\fR, \fIconv\fR, \fIpcomm\fR, \fIutil\fR, \fIlist\fR,
-\&\fInetif\fR, \fIaudit\fR, \fIedit\fR, \fIselinux\fR, \fIldap\fR, \fImatch\fR, \fIparser\fR,
-\&\fIalias\fR, \fIdefaults\fR, \fIauth\fR, \fIenv\fR, \fIlogging\fR, \fInss\fR, \fIrbtree\fR,
-\&\fIperms\fR, \fIplugin\fR. The subsystem \fIall\fR includes every subsystem.
-.Sp
+.sp
+When parsing
+\fIsettings\fR,
+the plugin should split on the
+\fBfirst\fR
+equal sign
+(`=')
+since the
+\fIname\fR
+field will never include one
+itself but the
+\fIvalue\fR
+might.
+.RS
+.TP 6n
+debug_flags=string
+A comma-separated list of debug flags that correspond to
+\fBsudo\fR's
+\fRDebug\fR
+entry in
+\fI@sysconfdir@/sudo.conf\fR,
+if there is one.
+The flags are passed to the plugin as they appear in
+\fI@sysconfdir@/sudo.conf\fR.
+The syntax used by
+\fBsudo\fR
+and the
+\fIsudoers\fR
+plugin is
+\fIsubsystem\fR@\fIpriority\fR
+but the plugin is free to use a different
+format so long as it does not include a comma
+(`,\&').
+.sp
+For reference, the priorities supported by the
+\fBsudo\fR
+front end and
+\fIsudoers\fR
+are:
+\fIcrit\fR,
+\fIerr\fR,
+\fIwarn\fR,
+\fInotice\fR,
+\fIdiag\fR,
+\fIinfo\fR,
+\fItrace\fR
+and
+\fIdebug\fR.
+.sp
+The following subsystems are defined:
+\fImain\fR,
+\fImemory\fR,
+\fIargs\fR,
+\fIexec\fR,
+\fIpty\fR,
+\fIutmp\fR,
+\fIconv\fR,
+\fIpcomm\fR,
+\fIutil\fR,
+\fIlist\fR,
+\fInetif\fR,
+\fIaudit\fR,
+\fIedit\fR,
+\fIselinux\fR,
+\fIldap\fR,
+\fImatch\fR,
+\fIparser\fR,
+\fIalias\fR,
+\fIdefaults\fR,
+\fIauth\fR,
+\fIenv\fR,
+\fIlogging\fR,
+\fInss\fR,
+\fIrbtree\fR,
+\fIperms\fR,
+\fIplugin\fR.
+The subsystem
+\fIall\fR
+includes every subsystem.
+.sp
There is not currently a way to specify a set of debug flags specific
-to the plugin\*(--the flags are shared by \fBsudo\fR and the plugin.
-.IP "debug_level=number" 4
-.IX Item "debug_level=number"
-This setting has been deprecated in favor of \fIdebug_flags\fR.
-.IP "runas_user=string" 4
-.IX Item "runas_user=string"
+to the plugin--the flags are shared by
+\fBsudo\fR
+and the plugin.
+.TP 6n
+debug_level=number
+This setting has been deprecated in favor of
+\fIdebug_flags\fR.
+.TP 6n
+runas_user=string
The user name or uid to to run the command as, if specified via the
-\&\f(CW\*(C`\-u\*(C'\fR flag.
-.IP "runas_group=string" 4
-.IX Item "runas_group=string"
+\fB\-u\fR
+flag.
+.TP 6n
+runas_group=string
The group name or gid to to run the command as, if specified via
-the \f(CW\*(C`\-g\*(C'\fR flag.
-.IP "prompt=string" 4
-.IX Item "prompt=string"
+the
+\fB\-g\fR
+flag.
+.TP 6n
+prompt=string
The prompt to use when requesting a password, if specified via
-the \f(CW\*(C`\-p\*(C'\fR flag.
-.IP "set_home=bool" 4
-.IX Item "set_home=bool"
-Set to true if the user specified the \f(CW\*(C`\-H\*(C'\fR flag. If true, set the
-\&\f(CW\*(C`HOME\*(C'\fR environment variable to the target user's home directory.
-.IP "preserve_environment=bool" 4
-.IX Item "preserve_environment=bool"
-Set to true if the user specified the \f(CW\*(C`\-E\*(C'\fR flag, indicating that
+the
+\fB\-p\fR
+flag.
+.TP 6n
+set_home=bool
+Set to true if the user specified the
+\fB\-H\fR
+flag.
+If true, set the
+\fRHOME\fR
+environment variable to the target user's home directory.
+.TP 6n
+preserve_environment=bool
+Set to true if the user specified the
+\fB\-E\fR
+flag, indicating that
the user wishes to preserve the environment.
-.IP "run_shell=bool" 4
-.IX Item "run_shell=bool"
-Set to true if the user specified the \f(CW\*(C`\-s\*(C'\fR flag, indicating that
+.TP 6n
+run_shell=bool
+Set to true if the user specified the
+\fB\-s\fR
+flag, indicating that
the user wishes to run a shell.
-.IP "login_shell=bool" 4
-.IX Item "login_shell=bool"
-Set to true if the user specified the \f(CW\*(C`\-i\*(C'\fR flag, indicating that
+.TP 6n
+login_shell=bool
+Set to true if the user specified the
+\fB\-i\fR
+flag, indicating that
the user wishes to run a login shell.
-.IP "implied_shell=bool" 4
-.IX Item "implied_shell=bool"
-If the user does not specify a program on the command line, \fBsudo\fR
+.TP 6n
+implied_shell=bool
+If the user does not specify a program on the command line,
+\fBsudo\fR
will pass the plugin the path to the user's shell and set
-\&\fIimplied_shell\fR to true. This allows \fBsudo\fR with no arguments
-to be used similarly to \fIsu\fR\|(1). If the plugin does not to support
-this usage, it may return a value of \-2 from the \f(CW\*(C`check_policy\*(C'\fR
-function, which will cause \fBsudo\fR to print a usage message and
+\fIimplied_shell\fR
+to true.
+This allows
+\fBsudo\fR
+with no arguments
+to be used similarly to
+su(1).
+If the plugin does not to support this usage, it may return a value of \-2
+from the
+\fBcheck_policy\fR()
+function, which will cause
+\fBsudo\fR
+to print a usage message and
exit.
-.IP "preserve_groups=bool" 4
-.IX Item "preserve_groups=bool"
-Set to true if the user specified the \f(CW\*(C`\-P\*(C'\fR flag, indicating that
+.TP 6n
+preserve_groups=bool
+Set to true if the user specified the
+\fB\-P\fR
+flag, indicating that
the user wishes to preserve the group vector instead of setting it
based on the runas user.
-.IP "ignore_ticket=bool" 4
-.IX Item "ignore_ticket=bool"
-Set to true if the user specified the \f(CW\*(C`\-k\*(C'\fR flag along with a
+.TP 6n
+ignore_ticket=bool
+Set to true if the user specified the
+\fB\-k\fR
+flag along with a
command, indicating that the user wishes to ignore any cached
authentication credentials.
-.IP "noninteractive=bool" 4
-.IX Item "noninteractive=bool"
-Set to true if the user specified the \f(CW\*(C`\-n\*(C'\fR flag, indicating that
-\&\fBsudo\fR should operate in non-interactive mode. The plugin may
-reject a command run in non-interactive mode if user interaction
-is required.
-.IP "login_class=string" 4
-.IX Item "login_class=string"
-\&\s-1BSD\s0 login class to use when setting resource limits and nice value,
-if specified by the \f(CW\*(C`\-c\*(C'\fR flag.
-.IP "selinux_role=string" 4
-.IX Item "selinux_role=string"
+.TP 6n
+noninteractive=bool
+Set to true if the user specified the
+\fB\-n\fR
+flag, indicating that
+\fBsudo\fR
+should operate in non-interactive mode.
+The plugin may reject a command run in non-interactive mode if user
+interaction is required.
+.TP 6n
+login_class=string
+BSD login class to use when setting resource limits and nice value,
+if specified by the
+\fB\-c\fR
+flag.
+.TP 6n
+selinux_role=string
SELinux role to use when executing the command, if specified by
-the \f(CW\*(C`\-r\*(C'\fR flag.
-.IP "selinux_type=string" 4
-.IX Item "selinux_type=string"
+the
+\fB\-r\fR
+flag.
+.TP 6n
+selinux_type=string
SELinux type to use when executing the command, if specified by
-the \f(CW\*(C`\-t\*(C'\fR flag.
-.IP "bsdauth_type=string" 4
-.IX Item "bsdauth_type=string"
-Authentication type, if specified by the \f(CW\*(C`\-a\*(C'\fR flag, to use on
-systems where \s-1BSD\s0 authentication is supported.
-.IP "network_addrs=list" 4
-.IX Item "network_addrs=list"
-A space-separated list of \s-1IP\s0 network addresses and netmasks in the
-form \*(L"addr/netmask\*(R", e.g. \*(L"192.168.1.2/255.255.255.0\*(R". The address
-and netmask pairs may be either IPv4 or IPv6, depending on what the
-operating system supports. If the address contains a colon (':'),
+the
+\fB\-t\fR
+flag.
+.TP 6n
+bsdauth_type=string
+Authentication type, if specified by the
+\fB\-a\fR
+flag, to use on
+systems where BSD authentication is supported.
+.TP 6n
+network_addrs=list
+A space-separated list of IP network addresses and netmasks in the
+form
+``addr/netmask'',
+e.g.\&
+``192.168.1.2/255.255.255.0''.
+The address and netmask pairs may be either IPv4 or IPv6, depending on
+what the operating system supports.
+If the address contains a colon
+(`:\&'),
it is an IPv6 address, else it is IPv4.
-.IP "progname=string" 4
-.IX Item "progname=string"
-The command name that sudo was run as, typically \*(L"sudo\*(R" or \*(L"sudoedit\*(R".
-.IP "sudoedit=bool" 4
-.IX Item "sudoedit=bool"
-Set to true when the \f(CW\*(C`\-e\*(C'\fR flag is is specified or if invoked as
-\&\fBsudoedit\fR. The plugin shall substitute an editor into \fIargv\fR
-in the \fIcheck_policy\fR function or return \f(CW\*(C`\-2\*(C'\fR with a usage error
-if the plugin does not support \fIsudoedit\fR. For more information,
-see the \fIcheck_policy\fR section.
-.IP "closefrom=number" 4
-.IX Item "closefrom=number"
-If specified, the user has requested via the \f(CW\*(C`\-C\*(C'\fR flag that \fBsudo\fR
-close all files descriptors with a value of \fInumber\fR or higher.
+.TP 6n
+progname=string
+The command name that sudo was run as, typically
+``sudo''
+or
+``sudoedit''.
+.TP 6n
+sudoedit=bool
+Set to true when the
+\fB\-e\fR
+flag is is specified or if invoked as
+\fBsudoedit\fR.
+The plugin shall substitute an editor into
+\fIargv\fR
+in the
+\fBcheck_policy\fR()
+function or return \-2 with a usage error
+if the plugin does not support
+\fIsudoedit\fR.
+For more information, see the
+\fIcheck_policy\fR
+section.
+.TP 6n
+closefrom=number
+If specified, the user has requested via the
+\fB\-C\fR
+flag that
+\fBsudo\fR
+close all files descriptors with a value of
+\fInumber\fR
+or higher.
The plugin may optionally pass this, or another value, back in the
-\&\fIcommand_info\fR list.
-.RE
-.RS 4
-.Sp
+\fIcommand_info\fR
+list.
+.PP
Additional settings may be added in the future so the plugin should
silently ignore settings that it does not recognize.
+.PP
.RE
-.IP "user_info" 4
-.IX Item "user_info"
+.PD 0
+.TP 6n
+user_info
A vector of information about the user running the command in the form of
-\&\*(L"name=value\*(R" strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer.
-.Sp
-When parsing \fIuser_info\fR, the plugin should split on the \fBfirst\fR
-equal sign ('=') since the \fIname\fR field will never include one
-itself but the \fIvalue\fR might.
-.RS 4
-.IP "pid=int" 4
-.IX Item "pid=int"
-The process \s-1ID\s0 of the running \fBsudo\fR process.
-Only available starting with \s-1API\s0 version 1.2
-.IP "ppid=int" 4
-.IX Item "ppid=int"
-The parent process \s-1ID\s0 of the running \fBsudo\fR process.
-Only available starting with \s-1API\s0 version 1.2
-.IP "sid=int" 4
-.IX Item "sid=int"
-The session \s-1ID\s0 of the running \fBsudo\fR process or 0 if \fBsudo\fR is
-not part of a \s-1POSIX\s0 job control session.
-Only available starting with \s-1API\s0 version 1.2
-.IP "pgid=int" 4
-.IX Item "pgid=int"
-The \s-1ID\s0 of the process group that the running \fBsudo\fR process belongs
+``name=value''
+strings.
+The vector is terminated by a
+\fRNULL\fR
+pointer.
+.sp
+When parsing
+\fIuser_info\fR,
+the plugin should split on the
+\fBfirst\fR
+equal sign
+(`=')
+since the
+\fIname\fR
+field will never include one
+itself but the
+\fIvalue\fR
+might.
+.RS
+.PD
+.TP 6n
+pid=int
+The process ID of the running
+\fBsudo\fR
+process.
+Only available starting with API version 1.2
+.TP 6n
+ppid=int
+The parent process ID of the running
+\fBsudo\fR
+process.
+Only available starting with API version 1.2
+.TP 6n
+sid=int
+The session ID of the running
+\fBsudo\fR
+process or 0 if
+\fBsudo\fR
+is
+not part of a POSIX job control session.
+Only available starting with API version 1.2
+.TP 6n
+pgid=int
+The ID of the process group that the running
+\fBsudo\fR
+process belongs
to.
-Only available starting with \s-1API\s0 version 1.2
-.IP "tcpgid=int" 4
-.IX Item "tcpgid=int"
-The \s-1ID\s0 of the forground process group associated with the terminal
-device associcated with the \fBsudo\fR process or \-1 if there is no
+Only available starting with API version 1.2
+.TP 6n
+tcpgid=int
+The ID of the forground process group associated with the terminal
+device associcated with the
+\fBsudo\fR
+process or \-1 if there is no
terminal present.
-Only available starting with \s-1API\s0 version 1.2
-.IP "user=string" 4
-.IX Item "user=string"
-The name of the user invoking \fBsudo\fR.
-.IP "euid=uid_t" 4
-.IX Item "euid=uid_t"
-The effective user \s-1ID\s0 of the user invoking \fBsudo\fR.
-.IP "uid=uid_t" 4
-.IX Item "uid=uid_t"
-The real user \s-1ID\s0 of the user invoking \fBsudo\fR.
-.IP "egid=gid_t" 4
-.IX Item "egid=gid_t"
-The effective group \s-1ID\s0 of the user invoking \fBsudo\fR.
-.IP "gid=gid_t" 4
-.IX Item "gid=gid_t"
-The real group \s-1ID\s0 of the user invoking \fBsudo\fR.
-.IP "groups=list" 4
-.IX Item "groups=list"
+Only available starting with API version 1.2
+.TP 6n
+user=string
+The name of the user invoking
+\fBsudo\fR.
+.TP 6n
+euid=uid_t
+The effective user ID of the user invoking
+\fBsudo\fR.
+.TP 6n
+uid=uid_t
+The real user ID of the user invoking
+\fBsudo\fR.
+.TP 6n
+egid=gid_t
+The effective group ID of the user invoking
+\fBsudo\fR.
+.TP 6n
+gid=gid_t
+The real group ID of the user invoking
+\fBsudo\fR.
+.TP 6n
+groups=list
The user's supplementary group list formatted as a string of
comma-separated group IDs.
-.IP "cwd=string" 4
-.IX Item "cwd=string"
+.TP 6n
+cwd=string
The user's current working directory.
-.IP "tty=string" 4
-.IX Item "tty=string"
-The path to the user's terminal device. If the user has no terminal
-device associated with the session, the value will be empty, as in
-\&\f(CW\*(C`tty=\*(C'\fR.
-.IP "host=string" 4
-.IX Item "host=string"
-The local machine's hostname as returned by the \f(CW\*(C`gethostname()\*(C'\fR
+.TP 6n
+tty=string
+The path to the user's terminal device.
+If the user has no terminal device associated with the session,
+the value will be empty, as in
+``\fRtty=\fR''.
+.TP 6n
+host=string
+The local machine's hostname as returned by the
+gethostname(2)
system call.
-.IP "lines=int" 4
-.IX Item "lines=int"
-The number of lines the user's terminal supports. If there is
+.TP 6n
+lines=int
+The number of lines the user's terminal supports.
+If there is
no terminal device available, a default value of 24 is used.
-.IP "cols=int" 4
-.IX Item "cols=int"
-The number of columns the user's terminal supports. If there is
-no terminal device available, a default value of 80 is used.
-.RE
-.RS 4
-.RE
-.IP "user_env" 4
-.IX Item "user_env"
-The user's environment in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of
-\&\*(L"name=value\*(R" strings.
-.Sp
-When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR
-equal sign ('=') since the \fIname\fR field will never include one
-itself but the \fIvalue\fR might.
-.IP "plugin_options" 4
-.IX Item "plugin_options"
+.TP 6n
+cols=int
+The number of columns the user's terminal supports.
+If there is no terminal device available, a default value of 80 is used.
+.PP
+.RE
+.PD 0
+.TP 6n
+user_env
+The user's environment in the form of a
+\fRNULL\fR-terminated vector of
+``name=value''
+strings.
+.sp
+When parsing
+\fIuser_env\fR,
+the plugin should split on the
+\fBfirst\fR
+equal sign
+(`=')
+since the
+\fIname\fR
+field will never include one
+itself but the
+\fIvalue\fR
+might.
+.PD
+.TP 6n
+plugin_options
Any (non-comment) strings immediately after the plugin path are
-treated as arguments to the plugin. These arguments are split on
-a white space boundary and are passed to the plugin in the form of
-a \f(CW\*(C`NULL\*(C'\fR\-terminated array of strings. If no arguments were
-specified, \fIplugin_options\fR will be the \s-1NULL\s0 pointer.
-.Sp
-\&\s-1NOTE:\s0 the \fIplugin_options\fR parameter is only available starting with
-\&\s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0 version specified
-by the \fBsudo\fR front end before using \fIplugin_options\fR. Failure to
-do so may result in a crash.
-.RE
-.RS 4
-.RE
-.IP "close" 4
-.IX Item "close"
-.Vb 1
-\& void (*close)(int exit_status, int error);
-.Ve
-.Sp
-The \f(CW\*(C`close\*(C'\fR function is called when the command being run by \fBsudo\fR
+treated as arguments to the plugin.
+These arguments are split on a white space boundary and are passed to
+the plugin in the form of a
+\fRNULL\fR-terminated
+array of strings.
+If no arguments were
+specified,
+\fIplugin_options\fR
+will be the
+\fRNULL\fR
+pointer.
+.sp
+NOTE: the
+\fIplugin_options\fR
+parameter is only available starting with
+API version 1.2.
+A plugin
+\fBmust\fR
+check the API version specified
+by the
+\fBsudo\fR
+front end before using
+\fIplugin_options\fR.
+Failure to do so may result in a crash.
+.PP
+.RE
+.PD 0
+.TP 6n
+close
+.br
+.RS
+.nf
+.RS 0n
+void (*close)(int exit_status, int error);
+.RE
+.fi
+.sp
+The
+\fBclose\fR()
+function is called when the command being run by
+\fBsudo\fR
finishes.
-.Sp
+.sp
The function arguments are as follows:
-.RS 4
-.IP "exit_status" 4
-.IX Item "exit_status"
-The command's exit status, as returned by the \fIwait\fR\|(2) system call.
-The value of \f(CW\*(C`exit_status\*(C'\fR is undefined if \f(CW\*(C`error\*(C'\fR is non-zero.
-.IP "error" 4
-.IX Item "error"
+.PD
+.TP 6n
+exit_status
+The command's exit status, as returned by the
+wait(2)
+system call.
+The value of
+\fRexit_status\fR
+is undefined if
+\fRerror\fR
+is non-zero.
+.TP 6n
+error
+.br
If the command could not be executed, this is set to the value of
-\&\f(CW\*(C`errno\*(C'\fR set by the \fIexecve\fR\|(2) system call. The plugin is responsible
-for displaying error information via the conversation or plugin_printf
-function. If the command was successfully executed, the value of
-\&\f(CW\*(C`error\*(C'\fR is 0.
-.RE
-.RS 4
-.RE
-.IP "show_version" 4
-.IX Item "show_version"
-.Vb 1
-\& int (*show_version)(int verbose);
-.Ve
-.Sp
-The \f(CW\*(C`show_version\*(C'\fR function is called by \fBsudo\fR when the user specifies
-the \f(CW\*(C`\-V\*(C'\fR option. The plugin may display its version information
-to the user via the conversation or plugin_printf function using
-\&\f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR. If the user requests detailed version
-information, the verbose flag will be set.
-.IP "check_policy" 4
-.IX Item "check_policy"
-.Vb 3
-\& int (*check_policy)(int argc, char * const argv[]
-\& char *env_add[], char **command_info[],
-\& char **argv_out[], char **user_env_out[]);
-.Ve
-.Sp
-The \fIcheck_policy\fR function is called by \fBsudo\fR to determine
+\fRerrno\fR
+set by the
+execve(2)
+system call.
+The plugin is responsible for displaying error information via the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function.
+If the command was successfully executed, the value of
+\fRerror\fR
+is 0.
+.PP
+.RE
+.PD 0
+.TP 6n
+show_version
+.RS
+.nf
+.RS 0n
+int (*show_version)(int verbose);
+.RE
+.fi
+.sp
+The
+\fBshow_version\fR()
+function is called by
+\fBsudo\fR
+when the user specifies
+the
+\fB\-V\fR
+option.
+The plugin may display its version information to the user via the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function using
+\fRSUDO_CONV_INFO_MSG\fR.
+If the user requests detailed version information, the verbose flag will be set.
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+check_policy
+.RS
+.nf
+.RS 0n
+int (*check_policy)(int argc, char * const argv[]
+ char *env_add[], char **command_info[],
+ char **argv_out[], char **user_env_out[]);
+.RE
+.fi
+.sp
+The
+\fBcheck_policy\fR()
+function is called by
+\fBsudo\fR
+to determine
whether the user is allowed to run the specified commands.
-.Sp
-If the \fIsudoedit\fR option was enabled in the \fIsettings\fR array
-passed to the \fIopen\fR function, the user has requested \fIsudoedit\fR
-mode. \fIsudoedit\fR is a mechanism for editing one or more files
+.sp
+If the
+\fIsudoedit\fR
+option was enabled in the
+\fIsettings\fR
+array
+passed to the
+\fBopen\fR()
+function, the user has requested
+\fIsudoedit\fR
+mode.
+\fIsudoedit\fR
+is a mechanism for editing one or more files
where an editor is run with the user's credentials instead of with
-elevated privileges. \fBsudo\fR achieves this by creating user-writable
+elevated privileges.
+\fBsudo\fR
+achieves this by creating user-writable
temporary copies of the files to be edited and then overwriting the
-originals with the temporary copies after editing is complete. If
-the plugin supports \fBsudoedit\fR, it should choose the editor to be
-used, potentially from a variable in the user's environment, such
-as \f(CW\*(C`EDITOR\*(C'\fR, and include it in \fIargv_out\fR (note that environment
-variables may include command line flags). The files to be edited
-should be copied from \fIargv\fR into \fIargv_out\fR, separated from the
-editor and its arguments by a \f(CW"\-\-"\fR element. The \f(CW"\-\-"\fR will
-be removed by \fBsudo\fR before the editor is executed. The plugin
-should also set \fIsudoedit=true\fR in the \fIcommand_info\fR list.
-.Sp
-The \fIcheck_policy\fR function returns 1 if the command is allowed,
+originals with the temporary copies after editing is complete.
+If the plugin supports
+\fIsudoedit\fR,
+it should choose the editor to be used, potentially from a variable
+in the user's environment, such as
+\fREDITOR\fR,
+and include it in
+\fIargv_out\fR
+(note that environment
+variables may include command line flags).
+The files to be edited should be copied from
+\fIargv\fR
+into
+\fIargv_out\fR,
+separated from the
+editor and its arguments by a
+``\fR--\fR''
+element.
+The
+``\fR--\fR''
+will
+be removed by
+\fBsudo\fR
+before the editor is executed.
+The plugin should also set
+\fIsudoedit=true\fR
+in the
+\fIcommand_info\fR
+list.
+.sp
+The
+\fBcheck_policy\fR()
+function returns 1 if the command is allowed,
0 if not allowed, \-1 for a general error, or \-2 for a usage error
-or if \fBsudoedit\fR was specified but is unsupported by the plugin.
-In the latter case, \fBsudo\fR will print a usage message before it
-exits. If an error occurs, the plugin may optionally call the
-conversation or plugin_printf function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR
+or if
+\fIsudoedit\fR
+was specified but is unsupported by the plugin.
+In the latter case,
+\fBsudo\fR
+will print a usage message before it
+exits.
+If an error occurs, the plugin may optionally call the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function with
+\fRSUDO_CONF_ERROR_MSG\fR
to present additional error information to the user.
-.Sp
+.sp
The function arguments are as follows:
-.RS 4
-.IP "argc" 4
-.IX Item "argc"
-The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR
+.PD
+.TP 6n
+argc
+The number of elements in
+\fIargv\fR,
+not counting the final
+\fRNULL\fR
pointer.
-.IP "argv" 4
-.IX Item "argv"
+.TP 6n
+argv
The argument vector describing the command the user wishes to run,
-in the same form as what would be passed to the \fIexecve()\fR system
-call. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer.
-.IP "env_add" 4
-.IX Item "env_add"
+in the same form as what would be passed to the
+execve(2)
+system call.
+The vector is terminated by a
+\fRNULL\fR
+pointer.
+.TP 6n
+env_add
Additional environment variables specified by the user on the command
-line in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of \*(L"name=value\*(R"
-strings. The plugin may reject the command if one or more variables
+line in the form of a
+\fRNULL\fR-terminated
+vector of
+``name=value''
+strings.
+The plugin may reject the command if one or more variables
are not allowed to be set, or it may silently ignore such variables.
-.Sp
-When parsing \fIenv_add\fR, the plugin should split on the \fBfirst\fR
-equal sign ('=') since the \fIname\fR field will never include one
-itself but the \fIvalue\fR might.
-.IP "command_info" 4
-.IX Item "command_info"
-Information about the command being run in the form of \*(L"name=value\*(R"
-strings. These values are used by \fBsudo\fR to set the execution
-environment when running a command. The plugin is responsible for
-creating and populating the vector, which must be terminated with
-a \f(CW\*(C`NULL\*(C'\fR pointer. The following values are recognized by \fBsudo\fR:
-.RS 4
-.IP "command=string" 4
-.IX Item "command=string"
+.sp
+When parsing
+\fIenv_add\fR,
+the plugin should split on the
+\fBfirst\fR
+equal sign
+(`=')
+since the
+\fIname\fR
+field will never include one
+itself but the
+\fIvalue\fR
+might.
+.TP 6n
+command_info
+Information about the command being run in the form of
+``name=value''
+strings.
+These values are used by
+\fBsudo\fR
+to set the execution
+environment when running a command.
+The plugin is responsible for creating and populating the vector,
+which must be terminated with a
+\fRNULL\fR
+pointer.
+The following values are recognized by
+\fBsudo\fR:
+.RS
+.TP 6n
+command=string
Fully qualified path to the command to be executed.
-.IP "runas_uid=uid" 4
-.IX Item "runas_uid=uid"
-User \s-1ID\s0 to run the command as.
-.IP "runas_euid=uid" 4
-.IX Item "runas_euid=uid"
-Effective user \s-1ID\s0 to run the command as.
-If not specified, the value of \fIrunas_uid\fR is used.
-.IP "runas_gid=gid" 4
-.IX Item "runas_gid=gid"
-Group \s-1ID\s0 to run the command as.
-.IP "runas_egid=gid" 4
-.IX Item "runas_egid=gid"
-Effective group \s-1ID\s0 to run the command as.
-If not specified, the value of \fIrunas_gid\fR is used.
-.IP "runas_groups=list" 4
-.IX Item "runas_groups=list"
+.TP 6n
+runas_uid=uid
+User ID to run the command as.
+.TP 6n
+runas_euid=uid
+Effective user ID to run the command as.
+If not specified, the value of
+\fIrunas_uid\fR
+is used.
+.TP 6n
+runas_gid=gid
+Group ID to run the command as.
+.TP 6n
+runas_egid=gid
+Effective group ID to run the command as.
+If not specified, the value of
+\fIrunas_gid\fR
+is used.
+.TP 6n
+runas_groups=list
The supplementary group vector to use for the command in the form
-of a comma-separated list of group IDs. If \fIpreserve_groups\fR
+of a comma-separated list of group IDs.
+If
+\fIpreserve_groups\fR
is set, this option is ignored.
-.IP "login_class=string" 4
-.IX Item "login_class=string"
-\&\s-1BSD\s0 login class to use when setting resource limits and nice value
-(optional). This option is only set on systems that support login
-classes.
-.IP "preserve_groups=bool" 4
-.IX Item "preserve_groups=bool"
-If set, \fBsudo\fR will preserve the user's group vector instead of
-initializing the group vector based on \f(CW\*(C`runas_user\*(C'\fR.
-.IP "cwd=string" 4
-.IX Item "cwd=string"
+.TP 6n
+login_class=string
+BSD login class to use when setting resource limits and nice value
+(optional).
+This option is only set on systems that support login classes.
+.TP 6n
+preserve_groups=bool
+If set,
+\fBsudo\fR
+will preserve the user's group vector instead of
+initializing the group vector based on
+\fRrunas_user\fR.
+.TP 6n
+cwd=string
The current working directory to change to when executing the command.
-.IP "noexec=bool" 4
-.IX Item "noexec=bool"
+.TP 6n
+noexec=bool
If set, prevent the command from executing other programs.
-.IP "chroot=string" 4
-.IX Item "chroot=string"
+.TP 6n
+chroot=string
The root directory to use when running the command.
-.IP "nice=int" 4
-.IX Item "nice=int"
-Nice value (priority) to use when executing the command. The nice
-value, if specified, overrides the priority associated with the
-\&\fIlogin_class\fR on \s-1BSD\s0 systems.
-.IP "umask=octal" 4
-.IX Item "umask=octal"
+.TP 6n
+nice=int
+Nice value (priority) to use when executing the command.
+The nice value, if specified, overrides the priority associated with the
+\fIlogin_class\fR
+on BSD systems.
+.TP 6n
+umask=octal
The file creation mask to use when executing the command.
-.IP "selinux_role=string" 4
-.IX Item "selinux_role=string"
+.TP 6n
+selinux_role=string
SELinux role to use when executing the command.
-.IP "selinux_type=string" 4
-.IX Item "selinux_type=string"
+.TP 6n
+selinux_type=string
SELinux type to use when executing the command.
-.IP "timeout=int" 4
-.IX Item "timeout=int"
-Command timeout. If non-zero then when the timeout expires the
-command will be killed.
-.IP "sudoedit=bool" 4
-.IX Item "sudoedit=bool"
-Set to true when in \fIsudoedit\fR mode. The plugin may enable
-\&\fIsudoedit\fR mode even if \fBsudo\fR was not invoked as \fBsudoedit\fR.
+.TP 6n
+timeout=int
+Command timeout.
+If non-zero then when the timeout expires the command will be killed.
+.TP 6n
+sudoedit=bool
+Set to true when in
+\fIsudoedit\fR
+mode.
+The plugin may enable
+\fIsudoedit\fR
+mode even if
+\fBsudo\fR
+was not invoked as
+\fBsudoedit\fR.
This allows the plugin to perform command substitution and transparently
-enable \fIsudoedit\fR when the user attempts to run an editor.
-.IP "closefrom=number" 4
-.IX Item "closefrom=number"
-If specified, \fBsudo\fR will close all files descriptors with a value
-of \fInumber\fR or higher.
-.IP "iolog_compress=bool" 4
-.IX Item "iolog_compress=bool"
+enable
+\fIsudoedit\fR
+when the user attempts to run an editor.
+.TP 6n
+closefrom=number
+If specified,
+\fBsudo\fR
+will close all files descriptors with a value
+of
+\fInumber\fR
+or higher.
+.TP 6n
+iolog_compress=bool
Set to true if the I/O logging plugins, if any, should compress the
-log data. This is a hint to the I/O logging plugin which may choose
-to ignore it.
-.IP "iolog_path=string" 4
-.IX Item "iolog_path=string"
+log data.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.TP 6n
+iolog_path=string
Fully qualified path to the file or directory in which I/O log is
-to be stored. This is a hint to the I/O logging plugin which may
-choose to ignore it. If no I/O logging plugin is loaded, this
-setting has no effect.
-.IP "iolog_stdin=bool" 4
-.IX Item "iolog_stdin=bool"
+to be stored.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+If no I/O logging plugin is loaded, this setting has no effect.
+.TP 6n
+iolog_stdin=bool
Set to true if the I/O logging plugins, if any, should log the
-standard input if it is not connected to a terminal device. This
-is a hint to the I/O logging plugin which may choose to ignore it.
-.IP "iolog_stdout=bool" 4
-.IX Item "iolog_stdout=bool"
+standard input if it is not connected to a terminal device.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.TP 6n
+iolog_stdout=bool
Set to true if the I/O logging plugins, if any, should log the
-standard output if it is not connected to a terminal device. This
-is a hint to the I/O logging plugin which may choose to ignore it.
-.IP "iolog_stderr=bool" 4
-.IX Item "iolog_stderr=bool"
+standard output if it is not connected to a terminal device.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.TP 6n
+iolog_stderr=bool
Set to true if the I/O logging plugins, if any, should log the
-standard error if it is not connected to a terminal device. This
-is a hint to the I/O logging plugin which may choose to ignore it.
-.IP "iolog_ttyin=bool" 4
-.IX Item "iolog_ttyin=bool"
+standard error if it is not connected to a terminal device.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.TP 6n
+iolog_ttyin=bool
Set to true if the I/O logging plugins, if any, should log all
-terminal input. This only includes input typed by the user and not
-from a pipe or redirected from a file. This is a hint to the I/O
-logging plugin which may choose to ignore it.
-.IP "iolog_ttyout=bool" 4
-.IX Item "iolog_ttyout=bool"
+terminal input.
+This only includes input typed by the user and not from a pipe or
+redirected from a file.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.TP 6n
+iolog_ttyout=bool
Set to true if the I/O logging plugins, if any, should log all
-terminal output. This only includes output to the screen, not
-output to a pipe or file. This is a hint to the I/O logging plugin
-which may choose to ignore it.
-.IP "use_pty=bool" 4
-.IX Item "use_pty=bool"
+terminal output.
+This only includes output to the screen, not output to a pipe or file.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.TP 6n
+use_pty=bool
Allocate a pseudo-tty to run the command in, regardless of whether
-or not I/O logging is in use. By default, \fBsudo\fR will only run
+or not I/O logging is in use.
+By default,
+\fBsudo\fR
+will only run
the command in a pty when an I/O log plugin is loaded.
-.IP "set_utmp=bool" 4
-.IX Item "set_utmp=bool"
-Create a utmp (or utmpx) entry when a pseudo-tty is allocated. By
-default, the new entry will be a copy of the user's existing utmp
+.TP 6n
+set_utmp=bool
+Create a utmp (or utmpx) entry when a pseudo-tty is allocated.
+By default, the new entry will be a copy of the user's existing utmp
entry (if any), with the tty, time, type and pid fields updated.
-.IP "utmp_user=string" 4
-.IX Item "utmp_user=string"
+.TP 6n
+utmp_user=string
User name to use when constructing a new utmp (or utmpx) entry when
-\&\fIset_utmp\fR is enabled. This option can be used to set the user
-field in the utmp entry to the user the command runs as rather than
-the invoking user. If not set, \fBsudo\fR will base the new entry on
+\fIset_utmp\fR
+is enabled.
+This option can be used to set the user field in the utmp entry to
+the user the command runs as rather than the invoking user.
+If not set,
+\fBsudo\fR
+will base the new entry on
the invoking user's existing entry.
-.RE
-.RS 4
-.Sp
+.PP
Unsupported values will be ignored.
+.PP
+.RE
+.PD 0
+.TP 6n
+argv_out
+The
+\fRNULL\fR-terminated
+argument vector to pass to the
+execve(2)
+system call when executing the command.
+The plugin is responsible for allocating and populating the vector.
+.PD
+.TP 6n
+user_env_out
+The
+\fRNULL\fR-terminated
+environment vector to use when executing the command.
+The plugin is responsible for allocating and populating the vector.
+.PP
.RE
-.IP "argv_out" 4
-.IX Item "argv_out"
-The \f(CW\*(C`NULL\*(C'\fR\-terminated argument vector to pass to the \fIexecve()\fR
-system call when executing the command. The plugin is responsible
-for allocating and populating the vector.
-.IP "user_env_out" 4
-.IX Item "user_env_out"
-The \f(CW\*(C`NULL\*(C'\fR\-terminated environment vector to use when executing the
-command. The plugin is responsible for allocating and populating
-the vector.
-.RE
-.RS 4
-.RE
-.IP "list" 4
-.IX Item "list"
-.Vb 2
-\& int (*list)(int verbose, const char *list_user,
-\& int argc, char * const argv[]);
-.Ve
-.Sp
-List available privileges for the invoking user. Returns 1 on
-success, 0 on failure and \-1 on error. On error, the plugin may
-optionally call the conversation or plugin_printf function with
-\&\f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information to
+.PD 0
+.TP 6n
+list
+.RS
+.nf
+.RS 0n
+int (*list)(int verbose, const char *list_user,
+ int argc, char * const argv[]);
+.RE
+.fi
+.sp
+List available privileges for the invoking user.
+Returns 1 on success, 0 on failure and \-1 on error.
+On error, the plugin may optionally call the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function with
+\fRSUDO_CONF_ERROR_MSG\fR
+to present additional error information to
the user.
-.Sp
-Privileges should be output via the conversation or plugin_printf
-function using \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR.
-.RS 4
-.IP "verbose" 4
-.IX Item "verbose"
+.sp
+Privileges should be output via the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function using
+\fRSUDO_CONV_INFO_MSG\fR,
+.PD
+.TP 6n
+verbose
Flag indicating whether to list in verbose mode or not.
-.IP "list_user" 4
-.IX Item "list_user"
+.TP 6n
+list_user
The name of a different user to list privileges for if the policy
-allows it. If \f(CW\*(C`NULL\*(C'\fR, the plugin should list the privileges of
-the invoking user.
-.IP "argc" 4
-.IX Item "argc"
-The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR
+allows it.
+If
+\fRNULL\fR,
+the plugin should list the privileges of the invoking user.
+.TP 6n
+argc
+The number of elements in
+\fIargv\fR,
+not counting the final
+\fRNULL\fR
pointer.
-.IP "argv" 4
-.IX Item "argv"
-If non\-\f(CW\*(C`NULL\*(C'\fR, an argument vector describing a command the user
+.TP 6n
+argv
+If
+non-\fRNULL\fR,
+an argument vector describing a command the user
wishes to check against the policy in the same form as what would
-be passed to the \fIexecve()\fR system call. If the command is permitted
-by the policy, the fully-qualified path to the command should be
-displayed along with any command line arguments.
-.RE
-.RS 4
-.RE
-.IP "validate" 4
-.IX Item "validate"
-.Vb 1
-\& int (*validate)(void);
-.Ve
-.Sp
-The \f(CW\*(C`validate\*(C'\fR function is called when \fBsudo\fR is run with the
-\&\f(CW\*(C`\-v\*(C'\fR flag. For policy plugins such as \fIsudoers\fR that cache
+be passed to the
+execve(2)
+system call.
+If the command is permitted by the policy, the fully-qualified path
+to the command should be displayed along with any command line arguments.
+.PP
+.RE
+.PD 0
+.TP 6n
+validate
+.RS
+.nf
+.RS 0n
+int (*validate)(void);
+.RE
+.fi
+.sp
+The
+\fBvalidate\fR()
+function is called when
+\fBsudo\fR
+is run with the
+\fB\-v\fR
+flag.
+For policy plugins such as
+\fIsudoers\fR
+that cache
authentication credentials, this function will validate and cache
the credentials.
-.Sp
-The \f(CW\*(C`validate\*(C'\fR function should be \f(CW\*(C`NULL\*(C'\fR if the plugin does not
-support credential caching.
-.Sp
+.sp
+The
+\fBvalidate\fR()
+function should be
+\fRNULL\fR
+if the plugin does not support credential caching.
+.sp
Returns 1 on success, 0 on failure and \-1 on error.
-On error, the plugin may optionally call the conversation or plugin_printf
-function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional
+On error, the plugin may optionally call the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function with
+\fRSUDO_CONF_ERROR_MSG\fR
+to present additional
error information to the user.
-.IP "invalidate" 4
-.IX Item "invalidate"
-.Vb 1
-\& void (*invalidate)(int remove);
-.Ve
-.Sp
-The \f(CW\*(C`invalidate\*(C'\fR function is called when \fBsudo\fR is called with
-the \f(CW\*(C`\-k\*(C'\fR or \f(CW\*(C`\-K\*(C'\fR flag. For policy plugins such as \fIsudoers\fR that
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+invalidate
+.RS
+.nf
+.RS 0n
+void (*invalidate)(int remove);
+.RE
+.fi
+.sp
+The
+\fBinvalidate\fR()
+function is called when
+\fBsudo\fR
+is called with
+the
+\fB\-k\fR
+or
+\fB\-K\fR
+flag.
+For policy plugins such as
+\fIsudoers\fR
+that
cache authentication credentials, this function will invalidate the
-credentials. If the \fIremove\fR flag is set, the plugin may remove
+credentials.
+If the
+\fIremove\fR
+flag is set, the plugin may remove
the credentials instead of simply invalidating them.
-.Sp
-The \f(CW\*(C`invalidate\*(C'\fR function should be \f(CW\*(C`NULL\*(C'\fR if the plugin does not
-support credential caching.
-.IP "init_session" 4
-.IX Item "init_session"
-.Vb 1
-\& int (*init_session)(struct passwd *pwd, char **user_envp[);
-.Ve
-.Sp
-The \f(CW\*(C`init_session\*(C'\fR function is called before \fBsudo\fR sets up the
-execution environment for the command. It is run in the parent
-\&\fBsudo\fR process and before any uid or gid changes. This can be used
-to perform session setup that is not supported by \fIcommand_info\fR,
-such as opening the \s-1PAM\s0 session. The \f(CW\*(C`close\*(C'\fR function can be
-used to tear down the session that was opened by \f(CW\*(C`init_session\*(C'\fR.
-.Sp
-The \fIpwd\fR argument points to a passwd struct for the user the
+.sp
+The
+\fBinvalidate\fR()
+function should be
+\fRNULL\fR
+if the plugin does not support credential caching.
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+init_session
+.RS
+.nf
+.RS 0n
+int (*init_session)(struct passwd *pwd, char **user_envp[);
+.RE
+.fi
+.sp
+The
+\fBinit_session\fR()
+function is called before
+\fBsudo\fR
+sets up the
+execution environment for the command.
+It is run in the parent
+\fBsudo\fR
+process and before any uid or gid changes.
+This can be used to perform session setup that is not supported by
+\fIcommand_info\fR,
+such as opening the PAM session.
+The
+\fBclose\fR()
+function can be
+used to tear down the session that was opened by
+\fRinit_session\fR.
+.sp
+The
+\fIpwd\fR
+argument points to a passwd struct for the user the
command will be run as if the uid the command will run as was found
-in the password database, otherwise it will be \s-1NULL\s0.
-.Sp
-The \fIuser_env\fR argument points to the environment the command will
-run in, in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of \*(L"name=value\*(R"
-strings. This is the same string passed back to the front end via
-the Policy Plugin's \fIuser_env_out\fR parameter. If the \f(CW\*(C`init_session\*(C'\fR
+in the password database, otherwise it will be
+\fRNULL\fR.
+.sp
+The
+\fIuser_env\fR
+argument points to the environment the command will
+run in, in the form of a
+\fRNULL\fR-terminated
+vector of
+``name=value''
+strings.
+This is the same string passed back to the front end via
+the Policy Plugin's
+\fIuser_env_out\fR
+parameter.
+If the
+\fBinit_session\fR()
function needs to modify the user environment, it should update the
-pointer stored in \fIuser_env\fR. The expected use case is to merge
-the contents of the \s-1PAM\s0 environment (if any) with the contents of
-\&\fIuser_env\fR. \s-1NOTE:\s0 the \fIuser_env\fR parameter is only available
-starting with \s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0
-version specified by the \fBsudo\fR front end before using \fIuser_env\fR.
+pointer stored in
+\fIuser_env\fR.
+The expected use case is to merge the contents of the PAM environment
+(if any) with the contents of
+\fIuser_env\fR.
+NOTE: the
+\fIuser_env\fR
+parameter is only available
+starting with API version 1.2.
+A plugin
+\fBmust\fR
+check the API
+version specified by the
+\fBsudo\fR
+front end before using
+\fIuser_env\fR.
Failure to do so may result in a crash.
-.Sp
+.sp
Returns 1 on success, 0 on failure and \-1 on error.
-On error, the plugin may optionally call the conversation or plugin_printf
-function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional
+On error, the plugin may optionally call the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function with
+\fRSUDO_CONF_ERROR_MSG\fR
+to present additional
error information to the user.
-.IP "register_hooks" 4
-.IX Item "register_hooks"
-.Vb 2
-\& void (*register_hooks)(int version,
-\& int (*register_hook)(struct sudo_hook *hook));
-.Ve
-.Sp
-The \f(CW\*(C`register_hooks\*(C'\fR function is called by the sudo front end to
-register any hooks the plugin needs. If the plugin does not support
-hooks, \f(CW\*(C`register_hooks\*(C'\fR should be set to the \s-1NULL\s0 pointer.
-.Sp
-The \fIversion\fR argument describes the version of the hooks \s-1API\s0
-supported by the \fBsudo\fR front end.
-.Sp
-The \f(CW\*(C`register_hook\*(C'\fR function should be used to register any supported
-hooks the plugin needs. It returns 0 on success, 1 if the hook
-type is not supported and \-1 if the major version in \f(CW\*(C`struct hook\*(C'\fR
-does not match the front end's major hook \s-1API\s0 version.
-.Sp
-See the \*(L"Hook Function \s-1API\s0\*(R" section below for more information
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+register_hooks
+.RS
+.nf
+.RS 0n
+void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+.RE
+.fi
+.sp
+The
+\fBregister_hooks\fR()
+function is called by the sudo front end to
+register any hooks the plugin needs.
+If the plugin does not support hooks,
+\fRregister_hooks\fR
+should be set to the
+\fRNULL\fR
+pointer.
+.sp
+The
+\fIversion\fR
+argument describes the version of the hooks API
+supported by the
+\fBsudo\fR
+front end.
+.sp
+The
+\fBregister_hook\fR()
+function should be used to register any supported
+hooks the plugin needs.
+It returns 0 on success, 1 if the hook type is not supported and \-1
+if the major version in
+\fRstruct hook\fR
+does not match the front end's major hook API version.
+.sp
+See the
+\fIHook function API\fR
+section below for more information
about hooks.
-.Sp
-\&\s-1NOTE:\s0 the \f(CW\*(C`register_hooks\*(C'\fR function is only available starting
-with \s-1API\s0 version 1.2. If the \fBsudo\fR front end doesn't support \s-1API\s0
-version 1.2 or higher, \f(CW\*(C`register_hooks\*(C'\fR will not be called.
-.IP "deregister_hooks" 4
-.IX Item "deregister_hooks"
-.Vb 2
-\& void (*deregister_hooks)(int version,
-\& int (*deregister_hook)(struct sudo_hook *hook));
-.Ve
-.Sp
-The \f(CW\*(C`deregister_hooks\*(C'\fR function is called by the sudo front end
-to deregister any hooks the plugin has registered. If the plugin
-does not support hooks, \f(CW\*(C`deregister_hooks\*(C'\fR should be set to the
-\&\s-1NULL\s0 pointer.
-.Sp
-The \fIversion\fR argument describes the version of the hooks \s-1API\s0
-supported by the \fBsudo\fR front end.
-.Sp
-The \f(CW\*(C`deregister_hook\*(C'\fR function should be used to deregister any
-hooks that were put in place by the \f(CW\*(C`register_hook\*(C'\fR function. If
-the plugin tries to deregister a hook that the front end does not
-support, \f(CW\*(C`deregister_hook\*(C'\fR will return an error.
-.Sp
-See the \*(L"Hook Function \s-1API\s0\*(R" section below for more information
+.sp
+NOTE: the
+\fBregister_hooks\fR()
+function is only available starting
+with API version 1.2.
+If the
+\fBsudo\fR
+front end doesn't support API
+version 1.2 or higher,
+\fRregister_hooks\fR
+will not be called.
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+deregister_hooks
+.RS
+.nf
+.RS 0n
+void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+.RE
+.fi
+.sp
+The
+\fBderegister_hooks\fR()
+function is called by the sudo front end
+to deregister any hooks the plugin has registered.
+If the plugin does not support hooks,
+\fRderegister_hooks\fR
+should be set to the
+\fRNULL\fR
+pointer.
+.sp
+The
+\fIversion\fR
+argument describes the version of the hooks API
+supported by the
+\fBsudo\fR
+front end.
+.sp
+The
+\fBderegister_hook\fR()
+function should be used to deregister any
+hooks that were put in place by the
+\fBregister_hook\fR()
+function.
+If the plugin tries to deregister a hook that the front end does not support,
+\fRderegister_hook\fR
+will return an error.
+.sp
+See the
+\fIHook function API\fR
+section below for more information
about hooks.
-.Sp
-\&\s-1NOTE:\s0 the \f(CW\*(C`deregister_hooks\*(C'\fR function is only available starting
-with \s-1API\s0 version 1.2. If the \fBsudo\fR front end doesn't support \s-1API\s0
-version 1.2 or higher, \f(CW\*(C`deregister_hooks\*(C'\fR will not be called.
+.sp
+NOTE: the
+\fBderegister_hooks\fR()
+function is only available starting
+with API version 1.2.
+If the
+\fBsudo\fR
+front end doesn't support API
+version 1.2 or higher,
+\fRderegister_hooks\fR
+will not be called.
+.RE
+.PD
.PP
\fIPolicy Plugin Version Macros\fR
-.IX Subsection "Policy Plugin Version Macros"
-.PP
-.Vb 6
-\& /* Plugin API version major/minor. */
-\& #define SUDO_API_VERSION_MAJOR 1
-\& #define SUDO_API_VERSION_MINOR 2
-\& #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
-\& #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\e
-\& SUDO_API_VERSION_MINOR)
-\&
-\& /* Getters and setters for API version */
-\& #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
-\& #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
-\& #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \e
-\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
-\& } while(0)
-\& #define SUDO_VERSION_SET_MINOR(vp, n) do { \e
-\& *(vp) = (*(vp) & 0xffff0000) | (n); \e
-\& } while(0)
-.Ve
-.SS "I/O Plugin \s-1API\s0"
-.IX Subsection "I/O Plugin API"
-.Vb 10
-\& struct io_plugin {
-\& #define SUDO_IO_PLUGIN 2
-\& unsigned int type; /* always SUDO_IO_PLUGIN */
-\& unsigned int version; /* always SUDO_API_VERSION */
-\& int (*open)(unsigned int version, sudo_conv_t conversation
-\& sudo_printf_t plugin_printf, char * const settings[],
-\& char * const user_info[], int argc, char * const argv[],
-\& char * const user_env[], char * const plugin_options[]);
-\& void (*close)(int exit_status, int error); /* wait status or error */
-\& int (*show_version)(int verbose);
-\& int (*log_ttyin)(const char *buf, unsigned int len);
-\& int (*log_ttyout)(const char *buf, unsigned int len);
-\& int (*log_stdin)(const char *buf, unsigned int len);
-\& int (*log_stdout)(const char *buf, unsigned int len);
-\& int (*log_stderr)(const char *buf, unsigned int len);
-\& void (*register_hooks)(int version,
-\& int (*register_hook)(struct sudo_hook *hook));
-\& void (*deregister_hooks)(int version,
-\& int (*deregister_hook)(struct sudo_hook *hook));
-\& };
-.Ve
+.nf
+.sp
+.RS 0n
+/* Plugin API version major/minor. */
+#define SUDO_API_VERSION_MAJOR 1
+#define SUDO_API_VERSION_MINOR 2
+#define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
+#define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\e
+ SUDO_API_VERSION_MINOR)
+
+/* Getters and setters for API version */
+#define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+#define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+#define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+} while(0)
+#define SUDO_VERSION_SET_MINOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0xffff0000) | (n); \e
+} while(0)
+.RE
+.fi
+.SS "I/O plugin API"
+.nf
+.RS 0n
+struct io_plugin {
+#define SUDO_IO_PLUGIN 2
+ unsigned int type; /* always SUDO_IO_PLUGIN */
+ unsigned int version; /* always SUDO_API_VERSION */
+ int (*open)(unsigned int version, sudo_conv_t conversation
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], int argc, char * const argv[],
+ char * const user_env[], char * const plugin_options[]);
+ void (*close)(int exit_status, int error); /* wait status or error */
+ int (*show_version)(int verbose);
+ int (*log_ttyin)(const char *buf, unsigned int len);
+ int (*log_ttyout)(const char *buf, unsigned int len);
+ int (*log_stdin)(const char *buf, unsigned int len);
+ int (*log_stdout)(const char *buf, unsigned int len);
+ int (*log_stderr)(const char *buf, unsigned int len);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+};
+.RE
+.fi
.PP
-When an I/O plugin is loaded, \fBsudo\fR runs the command in a pseudo-tty.
+When an I/O plugin is loaded,
+\fBsudo\fR
+runs the command in a pseudo-tty.
This makes it possible to log the input and output from the user's
-session. If any of the standard input, standard output or standard
-error do not correspond to a tty, \fBsudo\fR will open a pipe to capture
+session.
+If any of the standard input, standard output or standard error do not
+correspond to a tty,
+\fBsudo\fR
+will open a pipe to capture
the I/O for logging before passing it on.
.PP
The log_ttyin function receives the raw user input from the terminal
device (note that this will include input even when echo is disabled,
-such as when a password is read). The log_ttyout function receives
-output from the pseudo-tty that is suitable for replaying the user's
-session at a later time. The log_stdin, log_stdout and log_stderr
+such as when a password is read).
+The log_ttyout function receives output from the pseudo-tty that is
+suitable for replaying the user's session at a later time.
+The
+\fBlog_stdin\fR(),
+\fBlog_stdout\fR()
+and
+\fBlog_stderr\fR()
functions are only called if the standard input, standard output
or standard error respectively correspond to something other than
a tty.
.PP
-Any of the logging functions may be set to the \s-1NULL\s0
-pointer if no logging is to be performed. If the open function
-returns \f(CW0\fR, no I/O will be sent to the plugin.
+Any of the logging functions may be set to the
+\fRNULL\fR
+pointer if no logging is to be performed.
+If the open function returns 0, no I/O will be sent to the plugin.
.PP
The io_plugin struct has the following fields:
-.IP "type" 4
-.IX Item "type"
-The \f(CW\*(C`type\*(C'\fR field should always be set to \s-1SUDO_IO_PLUGIN\s0
-.IP "version" 4
-.IX Item "version"
-The \f(CW\*(C`version\*(C'\fR field should be set to \s-1SUDO_API_VERSION\s0.
-.Sp
-This allows \fBsudo\fR to determine the \s-1API\s0 version the plugin was
+.TP 6n
+type
+The
+\fRtype\fR
+field should always be set to
+\fRSUDO_IO_PLUGIN\fR.
+.TP 6n
+version
+The
+\fRversion\fR
+field should be set to
+\fRSUDO_API_VERSION\fR.
+.sp
+This allows
+\fBsudo\fR
+to determine the API version the plugin was
built against.
-.IP "open" 4
-.IX Item "open"
-.Vb 4
-\& int (*open)(unsigned int version, sudo_conv_t conversation
-\& sudo_printf_t plugin_printf, char * const settings[],
-\& char * const user_info[], int argc, char * const argv[],
-\& char * const user_env[], char * const plugin_options[]);
-.Ve
-.Sp
-The \fIopen\fR function is run before the \fIlog_input\fR, \fIlog_output\fR
-or \fIshow_version\fR functions are called. It is only called if the
-version is being requested or the \fIcheck_policy\fR function has
-returned successfully. It returns 1 on success, 0 on failure, \-1
-if a general error occurred, or \-2 if there was a usage error. In
-the latter case, \fBsudo\fR will print a usage message before it exits.
-If an error occurs, the plugin may optionally call the conversation
-or plugin_printf function with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present
+.TP 6n
+open
+.RS
+.nf
+.RS 0n
+int (*open)(unsigned int version, sudo_conv_t conversation
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], int argc, char * const argv[],
+ char * const user_env[], char * const plugin_options[]);
+.RE
+.fi
+.sp
+The
+\fBopen\fR()
+function is run before the
+\fBlog_input\fR(),
+\fBlog_output\fR()
+or
+\fBshow_version\fR()
+functions are called.
+It is only called if the version is being requested or the
+\fBcheck_policy\fR()
+function has
+returned successfully.
+It returns 1 on success, 0 on failure, \-1 if a general error occurred,
+or \-2 if there was a usage error.
+In the latter case,
+\fBsudo\fR
+will print a usage message before it exits.
+If an error occurs, the plugin may optionally call the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function with
+\fRSUDO_CONF_ERROR_MSG\fR
+to present
additional error information to the user.
-.Sp
+.sp
The function arguments are as follows:
-.RS 4
-.IP "version" 4
-.IX Item "version"
-The version passed in by \fBsudo\fR allows the plugin to determine the
-major and minor version number of the plugin \s-1API\s0 supported by
-\&\fBsudo\fR.
-.IP "conversation" 4
-.IX Item "conversation"
-A pointer to the conversation function that may be used by the
-\&\fIshow_version\fR function to display version information (see
-show_version below). The conversation function may also be used
-to display additional error message to the user.
-The conversation function returns 0 on success and \-1 on failure.
-.IP "plugin_printf" 4
-.IX Item "plugin_printf"
-A pointer to a printf-style function that may be used by the
-\&\fIshow_version\fR function to display version information (see
-show_version below). The plugin_printf function may also be used
-to display additional error message to the user.
-The plugin_printf function returns number of characters printed on
-success and \-1 on failure.
-.IP "settings" 4
-.IX Item "settings"
-A vector of user-supplied \fBsudo\fR settings in the form of \*(L"name=value\*(R"
-strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer. These
-settings correspond to flags the user specified when running \fBsudo\fR.
+.TP 6n
+version
+The version passed in by
+\fBsudo\fR
+allows the plugin to determine the
+major and minor version number of the plugin API supported by
+\fBsudo\fR.
+.TP 6n
+conversation
+A pointer to the
+\fBconversation\fR()
+function that may be used by the
+\fBshow_version\fR()
+function to display version information (see
+\fBshow_version\fR()
+below).
+The
+\fBconversation\fR()
+function may also be used to display additional error message to the user.
+The
+\fBconversation\fR()
+function returns 0 on success and \-1 on failure.
+.TP 6n
+plugin_printf
+A pointer to a
+\fBprintf\fR()-style
+function that may be used by the
+\fBshow_version\fR()
+function to display version information (see
+show_version below).
+The
+\fBplugin_printf\fR()
+function may also be used to display additional error message to the user.
+The
+\fBplugin_printf\fR()
+function returns number of characters printed on success and \-1 on failure.
+.TP 6n
+settings
+A vector of user-supplied
+\fBsudo\fR
+settings in the form of
+``name=value''
+strings.
+The vector is terminated by a
+\fRNULL\fR
+pointer.
+These settings correspond to flags the user specified when running
+\fBsudo\fR.
As such, they will only be present when the corresponding flag has
been specified on the command line.
-.Sp
-When parsing \fIsettings\fR, the plugin should split on the \fBfirst\fR
-equal sign ('=') since the \fIname\fR field will never include one
-itself but the \fIvalue\fR might.
-.Sp
-See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a list of all possible settings.
-.IP "user_info" 4
-.IX Item "user_info"
+.sp
+When parsing
+\fIsettings\fR,
+the plugin should split on the
+\fBfirst\fR
+equal sign
+(`=')
+since the
+\fIname\fR
+field will never include one
+itself but the
+\fIvalue\fR
+might.
+.sp
+See the
+\fIPolicy plugin API\fR
+section for a list of all possible settings.
+.TP 6n
+user_info
A vector of information about the user running the command in the form of
-\&\*(L"name=value\*(R" strings. The vector is terminated by a \f(CW\*(C`NULL\*(C'\fR pointer.
-.Sp
-When parsing \fIuser_info\fR, the plugin should split on the \fBfirst\fR
-equal sign ('=') since the \fIname\fR field will never include one
-itself but the \fIvalue\fR might.
-.Sp
-See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a list of all possible strings.
-.IP "argc" 4
-.IX Item "argc"
-The number of elements in \fIargv\fR, not counting the final \f(CW\*(C`NULL\*(C'\fR
+``name=value''
+strings.
+The vector is terminated by a
+\fRNULL\fR
pointer.
-.IP "argv" 4
-.IX Item "argv"
-If non\-\f(CW\*(C`NULL\*(C'\fR, an argument vector describing a command the user
+.sp
+When parsing
+\fIuser_info\fR,
+the plugin should split on the
+\fBfirst\fR
+equal sign
+(`=')
+since the
+\fIname\fR
+field will never include one
+itself but the
+\fIvalue\fR
+might.
+.sp
+See the
+\fIPolicy plugin API\fR
+section for a list of all possible strings.
+.TP 6n
+argc
+The number of elements in
+\fIargv\fR,
+not counting the final
+\fRNULL\fR
+pointer.
+.TP 6n
+argv
+If
+non-\fRNULL\fR,
+an argument vector describing a command the user
wishes to run in the same form as what would be passed to the
-\&\fIexecve()\fR system call.
-.IP "user_env" 4
-.IX Item "user_env"
-The user's environment in the form of a \f(CW\*(C`NULL\*(C'\fR\-terminated vector of
-\&\*(L"name=value\*(R" strings.
-.Sp
-When parsing \fIuser_env\fR, the plugin should split on the \fBfirst\fR
-equal sign ('=') since the \fIname\fR field will never include one
-itself but the \fIvalue\fR might.
-.IP "plugin_options" 4
-.IX Item "plugin_options"
+execve(2)
+system call.
+.TP 6n
+user_env
+The user's environment in the form of a
+\fRNULL\fR-terminated
+vector of
+``name=value''
+strings.
+.sp
+When parsing
+\fIuser_env\fR,
+the plugin should split on the
+\fBfirst\fR
+equal sign
+(`=')
+since the
+\fIname\fR
+field will never include one
+itself but the
+\fIvalue\fR
+might.
+.TP 6n
+plugin_options
Any (non-comment) strings immediately after the plugin path are
-treated as arguments to the plugin. These arguments are split on
-a white space boundary and are passed to the plugin in the form of
-a \f(CW\*(C`NULL\*(C'\fR\-terminated array of strings. If no arguments were
-specified, \fIplugin_options\fR will be the \s-1NULL\s0 pointer.
-.Sp
-\&\s-1NOTE:\s0 the \fIplugin_options\fR parameter is only available starting with
-\&\s-1API\s0 version 1.2. A plugin \fBmust\fR check the \s-1API\s0 version specified
-by the \fBsudo\fR front end before using \fIplugin_options\fR. Failure to
-do so may result in a crash.
-.RE
-.RS 4
-.RE
-.IP "close" 4
-.IX Item "close"
-.Vb 1
-\& void (*close)(int exit_status, int error);
-.Ve
-.Sp
-The \f(CW\*(C`close\*(C'\fR function is called when the command being run by \fBsudo\fR
+treated as arguments to the plugin.
+These arguments are split on a white space boundary and are passed to
+the plugin in the form of a
+\fRNULL\fR-terminated
+array of strings.
+If no arguments were specified,
+\fIplugin_options\fR
+will be the
+\fRNULL\fR
+pointer.
+.sp
+NOTE: the
+\fIplugin_options\fR
+parameter is only available starting with
+API version 1.2.
+A plugin
+\fBmust\fR
+check the API version specified
+by the
+\fBsudo\fR
+front end before using
+\fIplugin_options\fR.
+Failure to do so may result in a crash.
+.PP
+.RE
+.PD 0
+.TP 6n
+close
+.br
+.RS
+.nf
+.RS 0n
+void (*close)(int exit_status, int error);
+.RE
+.fi
+.sp
+The
+\fBclose\fR()
+function is called when the command being run by
+\fBsudo\fR
finishes.
-.Sp
+.sp
The function arguments are as follows:
-.RS 4
-.IP "exit_status" 4
-.IX Item "exit_status"
-The command's exit status, as returned by the \fIwait\fR\|(2) system call.
-The value of \f(CW\*(C`exit_status\*(C'\fR is undefined if \f(CW\*(C`error\*(C'\fR is non-zero.
-.IP "error" 4
-.IX Item "error"
+.PD
+.TP 6n
+exit_status
+The command's exit status, as returned by the
+wait(2)
+system call.
+The value of
+\fRexit_status\fR
+is undefined if
+\fRerror\fR
+is non-zero.
+.TP 6n
+error
+.br
If the command could not be executed, this is set to the value of
-\&\f(CW\*(C`errno\*(C'\fR set by the \fIexecve\fR\|(2) system call. If the command was
-successfully executed, the value of \f(CW\*(C`error\*(C'\fR is 0.
-.RE
-.RS 4
-.RE
-.IP "show_version" 4
-.IX Item "show_version"
-.Vb 1
-\& int (*show_version)(int verbose);
-.Ve
-.Sp
-The \f(CW\*(C`show_version\*(C'\fR function is called by \fBsudo\fR when the user specifies
-the \f(CW\*(C`\-V\*(C'\fR option. The plugin may display its version information
-to the user via the conversation or plugin_printf function using
-\&\f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR. If the user requests detailed version
-information, the verbose flag will be set.
-.IP "log_ttyin" 4
-.IX Item "log_ttyin"
-.Vb 1
-\& int (*log_ttyin)(const char *buf, unsigned int len);
-.Ve
-.Sp
-The \fIlog_ttyin\fR function is called whenever data can be read from
-the user but before it is passed to the running command. This
-allows the plugin to reject data if it chooses to (for instance
-if the input contains banned content). Returns \f(CW1\fR if the data
-should be passed to the command, \f(CW0\fR if the data is rejected
-(which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error occurred.
-.Sp
+\fRerrno\fR
+set by the
+execve(2)
+system call.
+If the command was successfully executed, the value of
+\fRerror\fR
+is 0.
+.PP
+.RE
+.PD 0
+.TP 6n
+show_version
+.RS
+.nf
+.RS 0n
+int (*show_version)(int verbose);
+.RE
+.fi
+.sp
+The
+\fBshow_version\fR()
+function is called by
+\fBsudo\fR
+when the user specifies
+the
+\fB\-V\fR
+option.
+The plugin may display its version information to the user via the
+\fBconversation\fR()
+or
+\fBplugin_printf\fR()
+function using
+\fRSUDO_CONV_INFO_MSG\fR.
+If the user requests detailed version information, the verbose flag will be set.
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+log_ttyin
+.RS
+.nf
+.RS 0n
+int (*log_ttyin)(const char *buf, unsigned int len);
+.RE
+.fi
+.sp
+The
+\fBlog_ttyin\fR()
+function is called whenever data can be read from
+the user but before it is passed to the running command.
+This allows the plugin to reject data if it chooses to (for instance
+if the input contains banned content).
+Returns 1 if the data should be passed to the command, 0 if the data
+is rejected (which will terminate the command) or \-1 if an error occurred.
+.sp
The function arguments are as follows:
-.RS 4
-.IP "buf" 4
-.IX Item "buf"
+.PD
+.TP 6n
+buf
The buffer containing user input.
-.IP "len" 4
-.IX Item "len"
-The length of \fIbuf\fR in bytes.
-.RE
-.RS 4
-.RE
-.IP "log_ttyout" 4
-.IX Item "log_ttyout"
-.Vb 1
-\& int (*log_ttyout)(const char *buf, unsigned int len);
-.Ve
-.Sp
-The \fIlog_ttyout\fR function is called whenever data can be read from
-the command but before it is written to the user's terminal. This
-allows the plugin to reject data if it chooses to (for instance
-if the output contains banned content). Returns \f(CW1\fR if the data
-should be passed to the user, \f(CW0\fR if the data is rejected
-(which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error occurred.
-.Sp
+.TP 6n
+len
+The length of
+\fIbuf\fR
+in bytes.
+.PP
+.RE
+.PD 0
+.TP 6n
+log_ttyout
+.RS
+.nf
+.RS 0n
+int (*log_ttyout)(const char *buf, unsigned int len);
+.RE
+.fi
+.sp
+The
+\fBlog_ttyout\fR()
+function is called whenever data can be read from
+the command but before it is written to the user's terminal.
+This allows the plugin to reject data if it chooses to (for instance
+if the output contains banned content).
+Returns 1 if the data should be passed to the user, 0 if the data is rejected
+(which will terminate the command) or \-1 if an error occurred.
+.sp
The function arguments are as follows:
-.RS 4
-.IP "buf" 4
-.IX Item "buf"
+.PD
+.TP 6n
+buf
The buffer containing command output.
-.IP "len" 4
-.IX Item "len"
-The length of \fIbuf\fR in bytes.
-.RE
-.RS 4
-.RE
-.IP "log_stdin" 4
-.IX Item "log_stdin"
-.Vb 1
-\& int (*log_stdin)(const char *buf, unsigned int len);
-.Ve
-.Sp
-The \fIlog_stdin\fR function is only used if the standard input does
-not correspond to a tty device. It is called whenever data can be
-read from the standard input but before it is passed to the running
-command. This allows the plugin to reject data if it chooses to
-(for instance if the input contains banned content). Returns \f(CW1\fR
-if the data should be passed to the command, \f(CW0\fR if the data is
-rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error
-occurred.
-.Sp
+.TP 6n
+len
+The length of
+\fIbuf\fR
+in bytes.
+.PP
+.RE
+.PD 0
+.TP 6n
+log_stdin
+.RS
+.nf
+.RS 0n
+int (*log_stdin)(const char *buf, unsigned int len);
+.RE
+.fi
+.sp
+The
+\fBlog_stdin\fR()
+function is only used if the standard input does
+not correspond to a tty device.
+It is called whenever data can be read from the standard input but
+before it is passed to the running command.
+This allows the plugin to reject data if it chooses to
+(for instance if the input contains banned content).
+Returns 1 if the data should be passed to the command, 0 if the data is
+rejected (which will terminate the command) or \-1 if an error occurred.
+.sp
The function arguments are as follows:
-.RS 4
-.IP "buf" 4
-.IX Item "buf"
+.PD
+.TP 6n
+buf
The buffer containing user input.
-.IP "len" 4
-.IX Item "len"
-The length of \fIbuf\fR in bytes.
-.RE
-.RS 4
-.RE
-.IP "log_stdout" 4
-.IX Item "log_stdout"
-.Vb 1
-\& int (*log_stdout)(const char *buf, unsigned int len);
-.Ve
-.Sp
-The \fIlog_stdout\fR function is only used if the standard output does
-not correspond to a tty device. It is called whenever data can be
-read from the command but before it is written to the standard
-output. This allows the plugin to reject data if it chooses to
-(for instance if the output contains banned content). Returns \f(CW1\fR
-if the data should be passed to the user, \f(CW0\fR if the data is
-rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error
-occurred.
-.Sp
+.TP 6n
+len
+The length of
+\fIbuf\fR
+in bytes.
+.PP
+.RE
+.PD 0
+.TP 6n
+log_stdout
+.RS
+.nf
+.RS 0n
+int (*log_stdout)(const char *buf, unsigned int len);
+.RE
+.fi
+.sp
+The
+\fBlog_stdout\fR()
+function is only used if the standard output does not correspond
+to a tty device.
+It is called whenever data can be read from the command but before
+it is written to the standard output.
+This allows the plugin to reject data if it chooses to
+(for instance if the output contains banned content).
+Returns 1 if the data should be passed to the user, 0 if the data is
+rejected (which will terminate the command) or \-1 if an error occurred.
+.sp
The function arguments are as follows:
-.RS 4
-.IP "buf" 4
-.IX Item "buf"
+.PD
+.TP 6n
+buf
The buffer containing command output.
-.IP "len" 4
-.IX Item "len"
-The length of \fIbuf\fR in bytes.
-.RE
-.RS 4
-.RE
-.IP "log_stderr" 4
-.IX Item "log_stderr"
-.Vb 1
-\& int (*log_stderr)(const char *buf, unsigned int len);
-.Ve
-.Sp
-The \fIlog_stderr\fR function is only used if the standard error does
-not correspond to a tty device. It is called whenever data can be
-read from the command but before it is written to the standard
-error. This allows the plugin to reject data if it chooses to
-(for instance if the output contains banned content). Returns \f(CW1\fR
-if the data should be passed to the user, \f(CW0\fR if the data is
-rejected (which will terminate the command) or \f(CW\*(C`\-1\*(C'\fR if an error
-occurred.
-.Sp
+.TP 6n
+len
+The length of
+\fIbuf\fR
+in bytes.
+.PP
+.RE
+.PD 0
+.TP 6n
+log_stderr
+.RS
+.nf
+.RS 0n
+int (*log_stderr)(const char *buf, unsigned int len);
+.RE
+.fi
+.sp
+The
+\fBlog_stderr\fR()
+function is only used if the standard error does
+not correspond to a tty device.
+It is called whenever data can be read from the command but before it
+is written to the standard error.
+This allows the plugin to reject data if it chooses to
+(for instance if the output contains banned content).
+Returns 1 if the data should be passed to the user, 0 if the data is
+rejected (which will terminate the command) or \-1 if an error occurred.
+.sp
The function arguments are as follows:
-.RS 4
-.IP "buf" 4
-.IX Item "buf"
+.PD
+.TP 6n
+buf
The buffer containing command output.
-.IP "len" 4
-.IX Item "len"
-The length of \fIbuf\fR in bytes.
-.RE
-.RS 4
-.RE
-.IP "register_hooks" 4
-.IX Item "register_hooks"
-See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a description of
-\&\f(CW\*(C`register_hooks\*(C'\fR.
-.IP "deregister_hooks" 4
-.IX Item "deregister_hooks"
-See the \*(L"Policy Plugin \s-1API\s0\*(R" section for a description of
-\&\f(CW\*(C`deregister_hooks\*(C'\fR.
+.TP 6n
+len
+The length of
+\fIbuf\fR
+in bytes.
+.PP
+.RE
+.PD 0
+.TP 6n
+register_hooks
+See the
+\fIPolicy plugin API\fR
+section for a description of
+\fRregister_hooks\fR.
+.PD
+.TP 6n
+deregister_hooks
+See the
+\fIPolicy plugin API\fR
+section for a description of
+\fRderegister_hooks.\fR
.PP
\fII/O Plugin Version Macros\fR
-.IX Subsection "I/O Plugin Version Macros"
.PP
-Same as for the \*(L"Policy Plugin \s-1API\s0\*(R".
-.SS "Hook Function \s-1API\s0"
-.IX Subsection "Hook Function API"
-Beginning with plugin \s-1API\s0 version 1.2, it is possible to install
-hooks for certain functions called by the \fBsudo\fR front end.
+Same as for the
+\fIPolicy plugin API\fR.
+.SS "Hook function API"
+Beginning with plugin API version 1.2, it is possible to install
+hooks for certain functions called by the
+\fBsudo\fR
+front end.
.PP
Currently, the only supported hooks relate to the handling of
-environment variables. Hooks can be used to intercept attempts to
-get, set, or remove environment variables so that these changes can
-be reflected in the version of the environment that is used to
-execute a command. A future version of the \s-1API\s0 will support
-hooking internal \fBsudo\fR front end functions as well.
+environment variables.
+Hooks can be used to intercept attempts to get, set, or remove
+environment variables so that these changes can be reflected in
+the version of the environment that is used to execute a command.
+A future version of the API will support hooking internal
+\fBsudo\fR
+front end functions as well.
.PP
\fIHook structure\fR
-.IX Subsection "Hook structure"
-.PP
-Hooks in \fBsudo\fR are described by the following structure:
.PP
-.Vb 1
-\& typedef int (*sudo_hook_fn_t)();
-\&
-\& struct sudo_hook {
-\& int hook_version;
-\& int hook_type;
-\& sudo_hook_fn_t hook_fn;
-\& void *closure;
-\& };
-.Ve
+Hooks in
+\fBsudo\fR
+are described by the following structure:
+.nf
+.sp
+.RS 0n
+typedef int (*sudo_hook_fn_t)();
+
+struct sudo_hook {
+ int hook_version;
+ int hook_type;
+ sudo_hook_fn_t hook_fn;
+ void *closure;
+};
+.RE
+.fi
.PP
-The \f(CW\*(C`sudo_hook\*(C'\fR structure has the following fields:
-.IP "hook_version" 4
-.IX Item "hook_version"
-The \f(CW\*(C`hook_version\*(C'\fR field should be set to \s-1SUDO_HOOK_VERSION\s0.
-.IP "hook_type" 4
-.IX Item "hook_type"
-The \f(CW\*(C`hook_type\*(C'\fR field may be one of the following supported hook types:
-.RS 4
-.IP "\s-1SUDO_HOOK_SETENV\s0" 4
-.IX Item "SUDO_HOOK_SETENV"
-The C library \f(CW\*(C`setenv()\*(C'\fR function. Any registered hooks will run
-before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+The
+\fRsudo_hook\fR
+structure has the following fields:
+.TP 6n
+hook_version
+The
+\fRhook_version\fR
+field should be set to
+\fRSUDO_HOOK_VERSION\fR.
+.TP 6n
+hook_type
+The
+\fRhook_type\fR
+field may be one of the following supported hook types:
+.RS
+.TP 6n
+\fRSUDO_HOOK_SETENV\fR
+The C library
+setenv(3)
+function.
+Any registered hooks will run before the C library implementation.
+The
+\fRhook_fn\fR
+field should
be a function that matches the following typedef:
-.Sp
-.Vb 2
-\& typedef int (*sudo_hook_fn_setenv_t)(const char *name,
-\& const char *value, int overwrite, void *closure);
-.Ve
-.Sp
+.RS
+.nf
+.sp
+.RS 0n
+typedef int (*sudo_hook_fn_setenv_t)(const char *name,
+ const char *value, int overwrite, void *closure);
+.RE
+.fi
+.sp
If the registered hook does not match the typedef the results are
unspecified.
-.IP "\s-1SUDO_HOOK_UNSETENV\s0" 4
-.IX Item "SUDO_HOOK_UNSETENV"
-The C library \f(CW\*(C`unsetenv()\*(C'\fR function. Any registered hooks will run
-before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+.PP
+.RE
+.PD 0
+.TP 6n
+\fRSUDO_HOOK_UNSETENV\fR
+The C library
+unsetenv(3)
+function.
+Any registered hooks will run before the C library implementation.
+The
+\fRhook_fn\fR
+field should
be a function that matches the following typedef:
-.Sp
-.Vb 2
-\& typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
-\& void *closure);
-.Ve
-.IP "\s-1SUDO_HOOK_GETENV\s0" 4
-.IX Item "SUDO_HOOK_GETENV"
-The C library \f(CW\*(C`getenv()\*(C'\fR function. Any registered hooks will run
-before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+.RS
+.nf
+.sp
+.RS 0n
+typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
+ void *closure);
+.RE
+.fi
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+\fRSUDO_HOOK_GETENV\fR
+The C library
+getenv(3)
+function.
+Any registered hooks will run before the C library implementation.
+The
+\fRhook_fn\fR
+field should
be a function that matches the following typedef:
-.Sp
-.Vb 2
-\& typedef int (*sudo_hook_fn_getenv_t)(const char *name,
-\& char **value, void *closure);
-.Ve
-.Sp
+.RS
+.nf
+.sp
+.RS 0n
+typedef int (*sudo_hook_fn_getenv_t)(const char *name,
+ char **value, void *closure);
+.RE
+.fi
+.sp
If the registered hook does not match the typedef the results are
unspecified.
-.IP "\s-1SUDO_HOOK_PUTENV\s0" 4
-.IX Item "SUDO_HOOK_PUTENV"
-The C library \f(CW\*(C`putenv()\*(C'\fR function. Any registered hooks will run
-before the C library implementation. The \f(CW\*(C`hook_fn\*(C'\fR field should
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+\fRSUDO_HOOK_PUTENV\fR
+The C library
+putenv(3)
+function.
+Any registered hooks will run before the C library implementation.
+The
+\fRhook_fn\fR
+field should
be a function that matches the following typedef:
-.Sp
-.Vb 2
-\& typedef int (*sudo_hook_fn_putenv_t)(char *string,
-\& void *closure);
-.Ve
-.Sp
+.RS
+.nf
+.sp
+.RS 0n
+typedef int (*sudo_hook_fn_putenv_t)(char *string,
+ void *closure);
+.RE
+.fi
+.sp
If the registered hook does not match the typedef the results are
unspecified.
.RE
-.RS 4
-.RE
-.IP "hook_fn" 4
-.IX Item "hook_fn"
-.Vb 1
-\& sudo_hook_fn_t hook_fn;
-.Ve
-.Sp
-The \f(CW\*(C`hook_fn\*(C'\fR field should be set to the plugin's hook implementation.
-The actual function arguments will vary depending on the \f(CW\*(C`hook_type\*(C'\fR
-(see \f(CW\*(C`hook_type\*(C'\fR above). In all cases, the \f(CW\*(C`closure\*(C'\fR field of
-\&\f(CW\*(C`struct sudo_hook\*(C'\fR is passed as the last function parameter. This
-can be used to pass arbitrary data to the plugin's hook implementation.
-.Sp
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+hook_fn
+sudo_hook_fn_t hook_fn;
+.sp
+The
+\fRhook_fn\fR
+field should be set to the plugin's hook implementation.
+The actual function arguments will vary depending on the
+\fRhook_type\fR
+(see
+\fRhook_type\fR
+above).
+In all cases, the
+\fRclosure\fR
+field of
+\fRstruct sudo_hook\fR
+is passed as the last function parameter.
+This can be used to pass arbitrary data to the plugin's hook implementation.
+.sp
The function return value may be one of the following:
-.RS 4
-.IP "\s-1SUDO_HOOK_RET_ERROR\s0" 4
-.IX Item "SUDO_HOOK_RET_ERROR"
+.RS
+.PD
+.TP 6n
+\fRSUDO_HOOK_RET_ERROR\fR
The hook function encountered an error.
-.IP "\s-1SUDO_HOOK_RET_NEXT\s0" 4
-.IX Item "SUDO_HOOK_RET_NEXT"
+.TP 6n
+\fRSUDO_HOOK_RET_NEXT\fR
The hook completed without error, go on to the next hook (including
-the native implementation if applicable). For example, a \f(CW\*(C`getenv\*(C'\fR
-hook might return \f(CW\*(C`SUDO_HOOK_RET_NEXT\*(C'\fR if the specified variable
-was not found in the private copy of the environment.
-.IP "\s-1SUDO_HOOK_RET_STOP\s0" 4
-.IX Item "SUDO_HOOK_RET_STOP"
-The hook completed without error, stop processing hooks for this
-invocation. This can be used to replace the native implementation.
-For example, a \f(CW\*(C`setenv\*(C'\fR hook that operates on a private copy of
-the environment but leaves \f(CW\*(C`environ\*(C'\fR unchanged.
-.RE
-.RS 4
+the native implementation if applicable).
+For example, a
+getenv(3)
+hook might return
+\fRSUDO_HOOK_RET_NEXT\fR
+if the specified variable was not found in the private copy of the environment.
+.TP 6n
+\fRSUDO_HOOK_RET_STOP\fR
+The hook completed without error, stop processing hooks for this invocation.
+This can be used to replace the native implementation.
+For example, a
+\fRsetenv\fR
+hook that operates on a private copy of
+the environment but leaves
+\fRenviron\fR
+unchanged.
.RE
.PP
Note that it is very easy to create an infinite loop when hooking
-C library functions. For example, a \f(CW\*(C`getenv\*(C'\fR hook that calls the
-\&\f(CW\*(C`snprintf\*(C'\fR function may create a loop if the \f(CW\*(C`snprintf\*(C'\fR implementation
-calls \f(CW\*(C`getenv\*(C'\fR to check the locale. To prevent this, you may wish
-to use a static variable in the hook function to guard against
-nested calls. E.g.
-.PP
-.Vb 7
-\& static int in_progress = 0; /* avoid recursion */
-\& if (in_progress)
-\& return SUDO_HOOK_RET_NEXT;
-\& in_progress = 1;
-\& ...
-\& in_progress = 0;
-\& return SUDO_HOOK_RET_STOP;
-.Ve
-.PP
-\fIHook \s-1API\s0 Version Macros\fR
-.IX Subsection "Hook API Version Macros"
+C library functions.
+For example, a
+getenv(3)
+hook that calls the
+snprintf(3)
+function may create a loop if the
+snprintf(3)
+implementation calls
+getenv(3)
+to check the locale.
+To prevent this, you may wish to use a static variable in the hook
+function to guard against nested calls.
+For example:
+.nf
+.sp
+.RS 0n
+static int in_progress = 0; /* avoid recursion */
+if (in_progress)
+ return SUDO_HOOK_RET_NEXT;
+in_progress = 1;
+\&...
+in_progress = 0;
+return SUDO_HOOK_RET_STOP;
+.RE
+.fi
.PP
-.Vb 6
-\& /* Hook API version major/minor */
-\& #define SUDO_HOOK_VERSION_MAJOR 1
-\& #define SUDO_HOOK_VERSION_MINOR 0
-\& #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
-\& #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\e
-\& SUDO_HOOK_VERSION_MINOR)
-\&
-\& /* Getters and setters for hook API version */
-\& #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
-\& #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
-\& #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \e
-\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
-\& } while(0)
-\& #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \e
-\& *(vp) = (*(vp) & 0xffff0000) | (n); \e
-\& } while(0)
-.Ve
-.SS "Conversation \s-1API\s0"
-.IX Subsection "Conversation API"
+\fIHook API Version Macros\fR
+.nf
+.sp
+.RS 0n
+/* Hook API version major/minor */
+#define SUDO_HOOK_VERSION_MAJOR 1
+#define SUDO_HOOK_VERSION_MINOR 0
+#define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
+#define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\e
+ SUDO_HOOK_VERSION_MINOR)
+
+/* Getters and setters for hook API version */
+#define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
+#define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
+#define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+} while(0)
+#define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0xffff0000) | (n); \e
+} while(0)
+.RE
+.fi
+.SS "Conversation API"
If the plugin needs to interact with the user, it may do so via the
-conversation function. A plugin should not attempt to read directly
-from the standard input or the user's tty (neither of which are
-guaranteed to exist). The caller must include a trailing newline
-in \f(CW\*(C`msg\*(C'\fR if one is to be printed.
-.PP
-A printf-style function is also available that can be used to display
-informational or error messages to the user, which is usually more
-convenient for simple messages where no use input is required.
+\fBconversation\fR()
+function.
+A plugin should not attempt to read directly from the standard input
+or the user's tty (neither of which are guaranteed to exist).
+The caller must include a trailing newline in
+\fRmsg\fR
+if one is to be printed.
.PP
-.Vb 12
-\& struct sudo_conv_message {
-\& #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
-\& #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
-\& #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
-\& #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
-\& #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
-\& #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
-\& #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
-\& int msg_type;
-\& int timeout;
-\& const char *msg;
-\& };
-\&
-\& struct sudo_conv_reply {
-\& char *reply;
-\& };
-\&
-\& typedef int (*sudo_conv_t)(int num_msgs,
-\& const struct sudo_conv_message msgs[],
-\& struct sudo_conv_reply replies[]);
-\&
-\& typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
-.Ve
+A
+\fBprintf\fR()-style
+function is also available that can be used to display informational
+or error messages to the user, which is usually more convenient for
+simple messages where no use input is required.
+.nf
+.sp
+.RS 0n
+struct sudo_conv_message {
+#define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
+#define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
+#define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
+#define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
+#define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
+#define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
+#define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
+ int msg_type;
+ int timeout;
+ const char *msg;
+};
+
+struct sudo_conv_reply {
+ char *reply;
+};
+
+typedef int (*sudo_conv_t)(int num_msgs,
+ const struct sudo_conv_message msgs[],
+ struct sudo_conv_reply replies[]);
+
+typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
+.RE
+.fi
.PP
-Pointers to the conversation and printf-style functions are passed
-in to the plugin's \f(CW\*(C`open\*(C'\fR function when the plugin is initialized.
+Pointers to the
+\fBconversation\fR()
+and
+\fBprintf\fR()-style
+functions are passed
+in to the plugin's
+\fBopen\fR()
+function when the plugin is initialized.
.PP
-To use the conversation function, the plugin must pass an array of
-\&\f(CW\*(C`sudo_conv_message\*(C'\fR and \f(CW\*(C`sudo_conv_reply\*(C'\fR structures. There must
-be a \f(CW\*(C`struct sudo_conv_message\*(C'\fR and \f(CW\*(C`struct sudo_conv_reply\*(C'\fR for
-each message in the conversation. The plugin is responsible for
-freeing the reply buffer filled in to the \f(CW\*(C`struct sudo_conv_reply\*(C'\fR,
+To use the
+\fBconversation\fR()
+function, the plugin must pass an array of
+\fRsudo_conv_message\fR
+and
+\fRsudo_conv_reply\fR
+structures.
+There must be a
+\fRstruct sudo_conv_message\fR
+and
+\fRstruct sudo_conv_reply\fR
+for
+each message in the conversation.
+The plugin is responsible for freeing the reply buffer filled in to the
+\fRstruct sudo_conv_reply\fR,
if any.
.PP
-The printf-style function uses the same underlying mechanism as the
-conversation function but only supports \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR,
-\&\f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_DEBUG_MSG\*(C'\fR for the \fImsg_type\fR
-parameter. It can be more convenient than using the conversation
-function if no user reply is needed and supports standard \fIprintf()\fR
+The
+\fBprintf\fR()-style
+function uses the same underlying mechanism as the
+\fBconversation\fR()
+function but only supports
+\fRSUDO_CONV_INFO_MSG\fR,
+\fRSUDO_CONV_ERROR_MSG\fR
+and
+\fRSUDO_CONV_DEBUG_MSG\fR
+for the
+\fImsg_type\fR
+parameter.
+It can be more convenient than using the
+\fBconversation\fR()
+function if no user reply is needed and supports standard
+\fBprintf\fR()
escape sequences.
.PP
-Unlike, \f(CW\*(C`SUDO_CONV_INFO_MSG\*(C'\fR and \f(CW\*(C`SUDO_CONV_ERROR_MSG\*(C'\fR, messages
-sent with the <\s-1SUDO_CONV_DEBUG_MSG\s0> \fImsg_type\fR are not directly
-user-visible. Instead, they are logged to the file specified in
-the \f(CW\*(C`Debug\*(C'\fR statement (if any) in the \fI@sysconfdir@/sudo.conf\fR
-file. This allows a plugin to log debugging information and is
-intended to be used in conjunction with the \fIdebug_flags\fR setting.
+Unlike,
+\fRSUDO_CONV_INFO_MSG\fR
+and
+Dv SUDO_CONV_ERROR_MSG ,
+messages
+sent with the
+\fRSUDO_CONV_DEBUG_MSG\fR
+\fImsg_type\fR
+are not directly
+user-visible.
+Instead, they are logged to the file specified in the
+\fRDebug\fR
+statement (if any) in the
+\fI@sysconfdir@/sudo.conf\fR
.PP
-See the sample plugin for an example of the conversation function usage.
-.SS "Sudoers Group Plugin \s-1API\s0"
-.IX Subsection "Sudoers Group Plugin API"
-The \fIsudoers\fR module supports a plugin interface to allow non-Unix
-group lookups. This can be used to query a group source other than
-the standard Unix group database. A sample group plugin is bundled
-with \fBsudo\fR that implements file-based lookups. Third party group
-plugins include a \s-1QAS\s0 \s-1AD\s0 plugin available from Quest Software.
+file.
+This allows a plugin to log debugging information and is intended
+to be used in conjunction with the
+\fIdebug_flags\fR
+setting.
.PP
-A group plugin must declare and populate a \f(CW\*(C`sudoers_group_plugin\*(C'\fR
-struct in the global scope. This structure contains pointers to
-the functions that implement plugin initialization, cleanup and
-group lookup.
+See the sample plugin for an example of the
+\fBconversation\fR()
+function usage.
+.SS "Sudoers group plugin API"
+The
+\fIsudoers\fR
+module supports a plugin interface to allow non-Unix
+group lookups.
+This can be used to query a group source other than the standard Unix
+group database.
+A sample group plugin is bundled with
+\fBsudo\fR
+that implements file-based lookups.
+Third party group plugins include a QAS AD plugin available from Quest Software.
.PP
-.Vb 8
-\& struct sudoers_group_plugin {
-\& unsigned int version;
-\& int (*init)(int version, sudo_printf_t sudo_printf,
-\& char *const argv[]);
-\& void (*cleanup)(void);
-\& int (*query)(const char *user, const char *group,
-\& const struct passwd *pwd);
-\&};
-.Ve
+A group plugin must declare and populate a
+\fRsudoers_group_plugin\fR
+struct in the global scope.
+This structure contains pointers to the functions that implement plugin
+initialization, cleanup and group lookup.
+.nf
+.sp
+.RS 0n
+struct sudoers_group_plugin {
+ unsigned int version;
+ int (*init)(int version, sudo_printf_t sudo_printf,
+ char *const argv[]);
+ void (*cleanup)(void);
+ int (*query)(const char *user, const char *group,
+ const struct passwd *pwd);
+};
+.RE
+.fi
.PP
-The \f(CW\*(C`sudoers_group_plugin\*(C'\fR struct has the following fields:
-.IP "version" 4
-.IX Item "version"
-The \f(CW\*(C`version\*(C'\fR field should be set to \s-1GROUP_API_VERSION\s0.
-.Sp
-This allows \fIsudoers\fR to determine the \s-1API\s0 version the group plugin
+The
+\fRsudoers_group_plugin\fR
+struct has the following fields:
+.TP 6n
+version
+The
+\fRversion\fR
+field should be set to GROUP_API_VERSION.
+.sp
+This allows
+\fIsudoers\fR
+to determine the API version the group plugin
was built against.
-.IP "init" 4
-.IX Item "init"
-.Vb 2
-\& int (*init)(int version, sudo_printf_t plugin_printf,
-\& char *const argv[]);
-.Ve
-.Sp
-The \fIinit\fR function is called after \fIsudoers\fR has been parsed but
-before any policy checks. It returns 1 on success, 0 on failure
-(or if the plugin is not configured), and \-1 if a error occurred.
-If an error occurs, the plugin may call the plugin_printf function
-with \f(CW\*(C`SUDO_CONF_ERROR_MSG\*(C'\fR to present additional error information
+.TP 6n
+init
+.RS
+.nf
+.RS 0n
+int (*init)(int version, sudo_printf_t plugin_printf,
+ char *const argv[]);
+.RE
+.fi
+.sp
+The
+\fBinit\fR()
+function is called after
+\fIsudoers\fR
+has been parsed but
+before any policy checks.
+It returns 1 on success, 0 on failure (or if the plugin is not configured),
+and \-1 if a error occurred.
+If an error occurs, the plugin may call the
+\fBplugin_printf\fR()
+function with
+\fRSUDO_CONF_ERROR_MSG\fR
+to present additional error information
to the user.
-.Sp
+.sp
The function arguments are as follows:
-.RS 4
-.IP "version" 4
-.IX Item "version"
-The version passed in by \fIsudoers\fR allows the plugin to determine the
-major and minor version number of the group plugin \s-1API\s0 supported by
-\&\fIsudoers\fR.
-.IP "plugin_printf" 4
-.IX Item "plugin_printf"
-A pointer to a printf-style function that may be used to display
-informational or error message to the user.
+.TP 6n
+version
+The version passed in by
+\fIsudoers\fR
+allows the plugin to determine the
+major and minor version number of the group plugin API supported by
+\fIsudoers\fR.
+.TP 6n
+plugin_printf
+A pointer to a
+\fBprintf\fR()-style
+function that may be used to display informational or error message to the user.
Returns the number of characters printed on success and \-1 on failure.
-.IP "argv" 4
-.IX Item "argv"
-A NULL-terminated array of arguments generated from the \fIgroup_plugin\fR
-option in \fIsudoers\fR. If no arguments were given, \fIargv\fR will be
-\&\s-1NULL\s0.
-.RE
-.RS 4
-.RE
-.IP "cleanup" 4
-.IX Item "cleanup"
-.Vb 1
-\& void (*cleanup)();
-.Ve
-.Sp
-The \fIcleanup\fR function is called when \fIsudoers\fR has finished its
-group checks. The plugin should free any memory it has allocated
-and close open file handles.
-.IP "query" 4
-.IX Item "query"
-.Vb 2
-\& int (*query)(const char *user, const char *group,
-\& const struct passwd *pwd);
-.Ve
-.Sp
-The \fIquery\fR function is used to ask the group plugin whether \fIuser\fR
-is a member of \fIgroup\fR.
-.Sp
+.TP 6n
+argv
+A
+\fRNULL\fR-terminated
+array of arguments generated from the
+\fIgroup_plugin\fR
+option in
+\fIsudoers\fR.
+If no arguments were given,
+\fIargv\fR
+will be
+\fRNULL\fR.
+.PP
+.RE
+.PD 0
+.TP 6n
+cleanup
+.RS
+.nf
+.RS 0n
+void (*cleanup)();
+.RE
+.fi
+.sp
+The
+\fBcleanup\fR()
+function is called when
+\fIsudoers\fR
+has finished its
+group checks.
+The plugin should free any memory it has allocated and close open file handles.
+.PD
+.PP
+.RE
+.PD 0
+.TP 6n
+query
+.br
+.RS
+.nf
+.RS 0n
+int (*query)(const char *user, const char *group,
+ const struct passwd *pwd);
+.RE
+.fi
+.sp
+The
+\fBquery\fR()
+function is used to ask the group plugin whether
+\fIuser\fR
+is a member of
+\fIgroup\fR.
+.sp
The function arguments are as follows:
-.RS 4
-.IP "user" 4
-.IX Item "user"
+.PD
+.TP 6n
+user
The name of the user being looked up in the external group database.
-.IP "group" 4
-.IX Item "group"
+.TP 6n
+group
+.br
The name of the group being queried.
-.IP "pwd" 4
-.IX Item "pwd"
-The password database entry for \fIuser\fR, if any. If \fIuser\fR is not
-present in the password database, \fIpwd\fR will be \f(CW\*(C`NULL\*(C'\fR.
-.RE
-.RS 4
+.TP 6n
+pwd
+The password database entry for
+\fIuser\fR,
+if any.
+If
+\fIuser\fR
+is not
+present in the password database,
+\fIpwd\fR
+will be
+\fRNULL\fR.
.RE
.PP
-\fIGroup \s-1API\s0 Version Macros\fR
-.IX Subsection "Group API Version Macros"
-.PP
-.Vb 5
-\& /* Sudoers group plugin version major/minor */
-\& #define GROUP_API_VERSION_MAJOR 1
-\& #define GROUP_API_VERSION_MINOR 0
-\& #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \e
-\& GROUP_API_VERSION_MINOR)
-\&
-\& /* Getters and setters for group version */
-\& #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
-\& #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
-\& #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \e
-\& *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
-\& } while(0)
-\& #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \e
-\& *(vp) = (*(vp) & 0xffff0000) | (n); \e
-\& } while(0)
-.Ve
+\fIGroup API Version Macros\fR
+.nf
+.sp
+.RS 0n
+/* Sudoers group plugin version major/minor */
+#define GROUP_API_VERSION_MAJOR 1
+#define GROUP_API_VERSION_MINOR 0
+#define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \e
+ GROUP_API_VERSION_MINOR)
+
+/* Getters and setters for group version */
+#define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+#define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+#define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+} while(0)
+#define GROUP_API_VERSION_SET_MINOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0xffff0000) | (n); \e
+} while(0)
+.RE
+.fi
.SH "PLUGIN API CHANGELOG"
-.IX Header "PLUGIN API CHANGELOG"
-The following revisions have been made to the Sudo Plugin \s-1API\s0.
-.IP "Version 1.0" 4
-.IX Item "Version 1.0"
-Initial \s-1API\s0 version.
-.IP "Version 1.1" 4
-.IX Item "Version 1.1"
-The I/O logging plugin's \f(CW\*(C`open\*(C'\fR function was modified to take the
-\&\f(CW\*(C`command_info\*(C'\fR list as an argument.
-.IP "Version 1.2" 4
-.IX Item "Version 1.2"
-The Policy and I/O logging plugins' \f(CW\*(C`open\*(C'\fR functions are now passed
-a list of plugin options if any are specified in \fI@sysconfdir@/sudo.conf\fR.
-.Sp
-A simple hooks \s-1API\s0 has been introduced to allow plugins to hook in to the
+The following revisions have been made to the Sudo Plugin API.
+.TP 6n
+Version 1.0
+Initial API version.
+.TP 6n
+Version 1.1
+The I/O logging plugin's
+\fBopen\fR()
+function was modified to take the
+\fRcommand_info\fR
+list as an argument.
+.TP 6n
+Version 1.2
+The Policy and I/O logging plugins'
+\fBopen\fR()
+functions are now passed
+a list of plugin options if any are specified in
+\fI@sysconfdir@/sudo.conf\fR.
+.sp
+A simple hooks API has been introduced to allow plugins to hook in to the
system's environment handling functions.
-.Sp
-The \f(CW\*(C`init_session\*(C'\fR Policy plugin function is now passed a pointer
-to the user environment which can be updated as needed. This can
-be used to merge in environment variables stored in the \s-1PAM\s0 handle
-before a command is run.
+.sp
+The
+\fRinit_session\fR
+Policy plugin function is now passed a pointer
+to the user environment which can be updated as needed.
+This can be used to merge in environment variables stored in the PAM
+handle before a command is run.
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@)
+sudoers(@mansectform@),
+sudo(@mansectsu@)
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
-Limited free support is available via the sudo-workers mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-workers to subscribe or
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 16, 2012
+.Dt SUDO_PLUGIN @mansectform@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudo_plugin
+.Nd Sudo Plugin API
+.Sh DESCRIPTION
+Starting with version 1.8,
+.Nm sudo
+supports a plugin API
+for policy and session logging.
+By default, the
+.Em sudoers
+policy plugin and an associated I/O logging plugin are used.
+Via the plugin API,
+.Nm sudo
+can be configured to use alternate policy and/or I/O logging plugins
+provided by third parties.
+The plugins to be used are specified via the
+.Pa @sysconfdir@/sudo.conf
+file.
+.Pp
+The API is versioned with a major and minor number.
+The minor version number is incremented when additions are made.
+The major number is incremented when incompatible changes are made.
+A plugin should be check the version passed to it and make sure that the
+major version matches.
+.Pp
+The plugin API is defined by the
+.Li sudo_plugin.h
+header file.
+.Ss The sudo.conf file
+The
+.Pa @sysconfdir@/sudo.conf
+file contains plugin configuration directives.
+The primary keyword is the
+.Li Plugin
+directive, which causes a plugin to be loaded.
+.Pp
+A
+.Li Plugin
+line consists of the
+.Li Plugin
+keyword, followed by the
+.Em symbol_name
+and the
+.Em path
+to the shared object containing the plugin.
+The
+.Em symbol_name
+is the name of the
+.Li struct policy_plugin
+or
+.Li struct io_plugin
+in the plugin shared object.
+The
+.Em path
+may be fully qualified or relative.
+If not fully qualified it is relative to the
+.Pa @prefix@/libexec
+directory.
+Any additional parameters after the
+.Em path
+are passed as options to the plugin's
+.Fn open
+function.
+Lines that don't begin with
+.Li Plugin ,
+.Li Path ,
+.Li Debug
+or
+.Li Set
+are silently ignored.
+.Pp
+The same shared object may contain multiple plugins, each with a
+different symbol name.
+The shared object file must be owned by uid 0 and only writable by its owner.
+Because of ambiguities that arise from composite policies, only a single
+policy plugin may be specified.
+This limitation does not apply to I/O plugins.
+.Bd -literal
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @prefix@/libexec unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+.Ed
+.Ss Policy plugin API
+A policy plugin must declare and populate a
+.Li policy_plugin
+struct in the global scope.
+This structure contains pointers to the functions that implement the
+.Nm sudo
+policy checks.
+The name of the symbol should be specified in
+.Pa @sysconfdir@/sudo.conf
+along with a path to the plugin so that
+.Nm sudo
+can load it.
+.Bd -literal
+struct policy_plugin {
+#define SUDO_POLICY_PLUGIN 1
+ unsigned int type; /* always SUDO_POLICY_PLUGIN */
+ unsigned int version; /* always SUDO_API_VERSION */
+ int (*open)(unsigned int version, sudo_conv_t conversation,
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], char * const user_env[],
+ char * const plugin_options[]);
+ void (*close)(int exit_status, int error);
+ int (*show_version)(int verbose);
+ int (*check_policy)(int argc, char * const argv[],
+ char *env_add[], char **command_info[],
+ char **argv_out[], char **user_env_out[]);
+ int (*list)(int argc, char * const argv[], int verbose,
+ const char *list_user);
+ int (*validate)(void);
+ void (*invalidate)(int remove);
+ int (*init_session)(struct passwd *pwd, char **user_env[]);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+};
+.Ed
+.Pp
+The policy_plugin struct has the following fields:
+.Bl -tag -width 4n
+.It type
+The
+.Li type
+field should always be set to SUDO_POLICY_PLUGIN.
+.It version
+The
+.Li version
+field should be set to
+.Dv SUDO_API_VERSION .
+.Pp
+This allows
+.Nm sudo
+to determine the API version the plugin was
+built against.
+.It open
+.Bd -literal -compact
+int (*open)(unsigned int version, sudo_conv_t conversation,
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], char * const user_env[],
+ char * const plugin_options[]);
+.Ed
+.Pp
+Returns 1 on success, 0 on failure, \-1 if a general error occurred,
+or \-2 if there was a usage error.
+In the latter case,
+.Nm sudo
+will print a usage message before it exits.
+If an error occurs, the plugin may optionally call the
+.Fn conversation
+or
+.Fn plugin_printf
+function with
+.Dv SUDO_CONF_ERROR_MSG
+to present additional error information to the user.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It version
+The version passed in by
+.Nm sudo
+allows the plugin to determine the
+major and minor version number of the plugin API supported by
+.Nm sudo .
+.It conversation
+A pointer to the
+.Fn conversation
+function that can be used by the plugin to interact with the user (see below).
+Returns 0 on success and \-1 on failure.
+.It plugin_printf
+A pointer to a
+.Fn printf Ns No -style
+function that may be used to display informational or error messages
+(see below).
+Returns the number of characters printed on success and \-1 on failure.
+.It settings
+A vector of user-supplied
+.Nm sudo
+settings in the form of
+.Dq name=value
+strings.
+The vector is terminated by a
+.Dv NULL
+pointer.
+These settings correspond to flags the user specified when running
+.Nm sudo .
+As such, they will only be present when the corresponding flag has
+been specified on the command line.
+.Pp
+When parsing
+.Em settings ,
+the plugin should split on the
+.Sy first
+equal sign
+.Pq Ql =
+since the
+.Em name
+field will never include one
+itself but the
+.Em value
+might.
+.Bl -tag -width 4n
+.It debug_flags=string
+A comma-separated list of debug flags that correspond to
+.Nm sudo Ns No 's
+.Li Debug
+entry in
+.Pa @sysconfdir@/sudo.conf ,
+if there is one.
+The flags are passed to the plugin as they appear in
+.Pa @sysconfdir@/sudo.conf .
+The syntax used by
+.Nm sudo
+and the
+.Em sudoers
+plugin is
+.Em subsystem Ns No @ Ns Em priority
+but the plugin is free to use a different
+format so long as it does not include a comma
+.Pq Ql ,\& .
+.Pp
+For reference, the priorities supported by the
+.Nm sudo
+front end and
+.Em sudoers
+are:
+.Em crit ,
+.Em err ,
+.Em warn ,
+.Em notice ,
+.Em diag ,
+.Em info ,
+.Em trace
+and
+.Em debug .
+.Pp
+The following subsystems are defined:
+.Em main ,
+.Em memory ,
+.Em args ,
+.Em exec ,
+.Em pty ,
+.Em utmp ,
+.Em conv ,
+.Em pcomm ,
+.Em util ,
+.Em list ,
+.Em netif ,
+.Em audit ,
+.Em edit ,
+.Em selinux ,
+.Em ldap ,
+.Em match ,
+.Em parser ,
+.Em alias ,
+.Em defaults ,
+.Em auth ,
+.Em env ,
+.Em logging ,
+.Em nss ,
+.Em rbtree ,
+.Em perms ,
+.Em plugin .
+The subsystem
+.Em all
+includes every subsystem.
+.Pp
+There is not currently a way to specify a set of debug flags specific
+to the plugin--the flags are shared by
+.Nm sudo
+and the plugin.
+.It debug_level=number
+This setting has been deprecated in favor of
+.Em debug_flags .
+.It runas_user=string
+The user name or uid to to run the command as, if specified via the
+.Fl u
+flag.
+.It runas_group=string
+The group name or gid to to run the command as, if specified via
+the
+.Fl g
+flag.
+.It prompt=string
+The prompt to use when requesting a password, if specified via
+the
+.Fl p
+flag.
+.It set_home=bool
+Set to true if the user specified the
+.Fl H
+flag.
+If true, set the
+.Li HOME
+environment variable to the target user's home directory.
+.It preserve_environment=bool
+Set to true if the user specified the
+.Fl E
+flag, indicating that
+the user wishes to preserve the environment.
+.It run_shell=bool
+Set to true if the user specified the
+.Fl s
+flag, indicating that
+the user wishes to run a shell.
+.It login_shell=bool
+Set to true if the user specified the
+.Fl i
+flag, indicating that
+the user wishes to run a login shell.
+.It implied_shell=bool
+If the user does not specify a program on the command line,
+.Nm sudo
+will pass the plugin the path to the user's shell and set
+.Em implied_shell
+to true.
+This allows
+.Nm sudo
+with no arguments
+to be used similarly to
+.Xr su 1 .
+If the plugin does not to support this usage, it may return a value of \-2
+from the
+.Fn check_policy
+function, which will cause
+.Nm sudo
+to print a usage message and
+exit.
+.It preserve_groups=bool
+Set to true if the user specified the
+.Fl P
+flag, indicating that
+the user wishes to preserve the group vector instead of setting it
+based on the runas user.
+.It ignore_ticket=bool
+Set to true if the user specified the
+.Fl k
+flag along with a
+command, indicating that the user wishes to ignore any cached
+authentication credentials.
+.It noninteractive=bool
+Set to true if the user specified the
+.Fl n
+flag, indicating that
+.Nm sudo
+should operate in non-interactive mode.
+The plugin may reject a command run in non-interactive mode if user
+interaction is required.
+.It login_class=string
+BSD login class to use when setting resource limits and nice value,
+if specified by the
+.Fl c
+flag.
+.It selinux_role=string
+SELinux role to use when executing the command, if specified by
+the
+.Fl r
+flag.
+.It selinux_type=string
+SELinux type to use when executing the command, if specified by
+the
+.Fl t
+flag.
+.It bsdauth_type=string
+Authentication type, if specified by the
+.Fl a
+flag, to use on
+systems where BSD authentication is supported.
+.It network_addrs=list
+A space-separated list of IP network addresses and netmasks in the
+form
+.Dq addr/netmask ,
+e.g.\&
+.Dq 192.168.1.2/255.255.255.0 .
+The address and netmask pairs may be either IPv4 or IPv6, depending on
+what the operating system supports.
+If the address contains a colon
+.Pq Ql :\& ,
+it is an IPv6 address, else it is IPv4.
+.It progname=string
+The command name that sudo was run as, typically
+.Dq sudo
+or
+.Dq sudoedit .
+.It sudoedit=bool
+Set to true when the
+.Fl e
+flag is is specified or if invoked as
+.Nm sudoedit .
+The plugin shall substitute an editor into
+.Em argv
+in the
+.Fn check_policy
+function or return \-2 with a usage error
+if the plugin does not support
+.Em sudoedit .
+For more information, see the
+.Em check_policy
+section.
+.It closefrom=number
+If specified, the user has requested via the
+.Fl C
+flag that
+.Nm sudo
+close all files descriptors with a value of
+.Em number
+or higher.
+The plugin may optionally pass this, or another value, back in the
+.Em command_info
+list.
+.El
+.Pp
+Additional settings may be added in the future so the plugin should
+silently ignore settings that it does not recognize.
+.It user_info
+A vector of information about the user running the command in the form of
+.Dq name=value
+strings.
+The vector is terminated by a
+.Dv NULL
+pointer.
+.Pp
+When parsing
+.Em user_info ,
+the plugin should split on the
+.Sy first
+equal sign
+.Pq Ql =
+since the
+.Em name
+field will never include one
+itself but the
+.Em value
+might.
+.Bl -tag -width 4n
+.It pid=int
+The process ID of the running
+.Nm sudo
+process.
+Only available starting with API version 1.2
+.It ppid=int
+The parent process ID of the running
+.Nm sudo
+process.
+Only available starting with API version 1.2
+.It sid=int
+The session ID of the running
+.Nm sudo
+process or 0 if
+.Nm sudo
+is
+not part of a POSIX job control session.
+Only available starting with API version 1.2
+.It pgid=int
+The ID of the process group that the running
+.Nm sudo
+process belongs
+to.
+Only available starting with API version 1.2
+.It tcpgid=int
+The ID of the forground process group associated with the terminal
+device associcated with the
+.Nm sudo
+process or \-1 if there is no
+terminal present.
+Only available starting with API version 1.2
+.It user=string
+The name of the user invoking
+.Nm sudo .
+.It euid=uid_t
+The effective user ID of the user invoking
+.Nm sudo .
+.It uid=uid_t
+The real user ID of the user invoking
+.Nm sudo .
+.It egid=gid_t
+The effective group ID of the user invoking
+.Nm sudo .
+.It gid=gid_t
+The real group ID of the user invoking
+.Nm sudo .
+.It groups=list
+The user's supplementary group list formatted as a string of
+comma-separated group IDs.
+.It cwd=string
+The user's current working directory.
+.It tty=string
+The path to the user's terminal device.
+If the user has no terminal device associated with the session,
+the value will be empty, as in
+.Dq Li tty= .
+.It host=string
+The local machine's hostname as returned by the
+.Xr gethostname 2
+system call.
+.It lines=int
+The number of lines the user's terminal supports.
+If there is
+no terminal device available, a default value of 24 is used.
+.It cols=int
+The number of columns the user's terminal supports.
+If there is no terminal device available, a default value of 80 is used.
+.El
+.It user_env
+The user's environment in the form of a
+.Dv NULL Ns No -terminated vector of
+.Dq name=value
+strings.
+.Pp
+When parsing
+.Em user_env ,
+the plugin should split on the
+.Sy first
+equal sign
+.Pq Ql =
+since the
+.Em name
+field will never include one
+itself but the
+.Em value
+might.
+.It plugin_options
+Any (non-comment) strings immediately after the plugin path are
+treated as arguments to the plugin.
+These arguments are split on a white space boundary and are passed to
+the plugin in the form of a
+.Dv NULL Ns No -terminated
+array of strings.
+If no arguments were
+specified,
+.Em plugin_options
+will be the
+.Dv NULL
+pointer.
+.Pp
+NOTE: the
+.Em plugin_options
+parameter is only available starting with
+API version 1.2.
+A plugin
+.Sy must
+check the API version specified
+by the
+.Nm sudo
+front end before using
+.Em plugin_options .
+Failure to do so may result in a crash.
+.El
+.It close
+.Bd -literal -compact
+void (*close)(int exit_status, int error);
+.Ed
+.Pp
+The
+.Fn close
+function is called when the command being run by
+.Nm sudo
+finishes.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It exit_status
+The command's exit status, as returned by the
+.Xr wait 2
+system call.
+The value of
+.Li exit_status
+is undefined if
+.Li error
+is non-zero.
+.It error
+If the command could not be executed, this is set to the value of
+.Li errno
+set by the
+.Xr execve 2
+system call.
+The plugin is responsible for displaying error information via the
+.Fn conversation
+or
+.Fn plugin_printf
+function.
+If the command was successfully executed, the value of
+.Li error
+is 0.
+.El
+.It show_version
+.Bd -literal -compact
+int (*show_version)(int verbose);
+.Ed
+.Pp
+The
+.Fn show_version
+function is called by
+.Nm sudo
+when the user specifies
+the
+.Fl V
+option.
+The plugin may display its version information to the user via the
+.Fn conversation
+or
+.Fn plugin_printf
+function using
+.Dv SUDO_CONV_INFO_MSG .
+If the user requests detailed version information, the verbose flag will be set.
+.It check_policy
+.Bd -literal -compact
+int (*check_policy)(int argc, char * const argv[]
+ char *env_add[], char **command_info[],
+ char **argv_out[], char **user_env_out[]);
+.Ed
+.Pp
+The
+.Fn check_policy
+function is called by
+.Nm sudo
+to determine
+whether the user is allowed to run the specified commands.
+.Pp
+If the
+.Em sudoedit
+option was enabled in the
+.Em settings
+array
+passed to the
+.Fn open
+function, the user has requested
+.Em sudoedit
+mode.
+.Em sudoedit
+is a mechanism for editing one or more files
+where an editor is run with the user's credentials instead of with
+elevated privileges.
+.Nm sudo
+achieves this by creating user-writable
+temporary copies of the files to be edited and then overwriting the
+originals with the temporary copies after editing is complete.
+If the plugin supports
+.Em sudoedit ,
+it should choose the editor to be used, potentially from a variable
+in the user's environment, such as
+.Li EDITOR ,
+and include it in
+.Em argv_out
+(note that environment
+variables may include command line flags).
+The files to be edited should be copied from
+.Em argv
+into
+.Em argv_out ,
+separated from the
+editor and its arguments by a
+.Dq Li --
+element.
+The
+.Dq Li --
+will
+be removed by
+.Nm sudo
+before the editor is executed.
+The plugin should also set
+.Em sudoedit=true
+in the
+.Em command_info
+list.
+.Pp
+The
+.Fn check_policy
+function returns 1 if the command is allowed,
+0 if not allowed, \-1 for a general error, or \-2 for a usage error
+or if
+.Em sudoedit
+was specified but is unsupported by the plugin.
+In the latter case,
+.Nm sudo
+will print a usage message before it
+exits.
+If an error occurs, the plugin may optionally call the
+.Fn conversation
+or
+.Fn plugin_printf
+function with
+.Dv SUDO_CONF_ERROR_MSG
+to present additional error information to the user.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It argc
+The number of elements in
+.Em argv ,
+not counting the final
+.Dv NULL
+pointer.
+.It argv
+The argument vector describing the command the user wishes to run,
+in the same form as what would be passed to the
+.Xr execve 2
+system call.
+The vector is terminated by a
+.Dv NULL
+pointer.
+.It env_add
+Additional environment variables specified by the user on the command
+line in the form of a
+.Dv NULL Ns No -terminated
+vector of
+.Dq name=value
+strings.
+The plugin may reject the command if one or more variables
+are not allowed to be set, or it may silently ignore such variables.
+.Pp
+When parsing
+.Em env_add ,
+the plugin should split on the
+.Sy first
+equal sign
+.Pq Ql =
+since the
+.Em name
+field will never include one
+itself but the
+.Em value
+might.
+.It command_info
+Information about the command being run in the form of
+.Dq name=value
+strings.
+These values are used by
+.Nm sudo
+to set the execution
+environment when running a command.
+The plugin is responsible for creating and populating the vector,
+which must be terminated with a
+.Dv NULL
+pointer.
+The following values are recognized by
+.Nm sudo :
+.Bl -tag -width 4n
+.It command=string
+Fully qualified path to the command to be executed.
+.It runas_uid=uid
+User ID to run the command as.
+.It runas_euid=uid
+Effective user ID to run the command as.
+If not specified, the value of
+.Em runas_uid
+is used.
+.It runas_gid=gid
+Group ID to run the command as.
+.It runas_egid=gid
+Effective group ID to run the command as.
+If not specified, the value of
+.Em runas_gid
+is used.
+.It runas_groups=list
+The supplementary group vector to use for the command in the form
+of a comma-separated list of group IDs.
+If
+.Em preserve_groups
+is set, this option is ignored.
+.It login_class=string
+BSD login class to use when setting resource limits and nice value
+(optional).
+This option is only set on systems that support login classes.
+.It preserve_groups=bool
+If set,
+.Nm sudo
+will preserve the user's group vector instead of
+initializing the group vector based on
+.Li runas_user .
+.It cwd=string
+The current working directory to change to when executing the command.
+.It noexec=bool
+If set, prevent the command from executing other programs.
+.It chroot=string
+The root directory to use when running the command.
+.It nice=int
+Nice value (priority) to use when executing the command.
+The nice value, if specified, overrides the priority associated with the
+.Em login_class
+on BSD systems.
+.It umask=octal
+The file creation mask to use when executing the command.
+.It selinux_role=string
+SELinux role to use when executing the command.
+.It selinux_type=string
+SELinux type to use when executing the command.
+.It timeout=int
+Command timeout.
+If non-zero then when the timeout expires the command will be killed.
+.It sudoedit=bool
+Set to true when in
+.Em sudoedit
+mode.
+The plugin may enable
+.Em sudoedit
+mode even if
+.Nm sudo
+was not invoked as
+.Nm sudoedit .
+This allows the plugin to perform command substitution and transparently
+enable
+.Em sudoedit
+when the user attempts to run an editor.
+.It closefrom=number
+If specified,
+.Nm sudo
+will close all files descriptors with a value
+of
+.Em number
+or higher.
+.It iolog_compress=bool
+Set to true if the I/O logging plugins, if any, should compress the
+log data.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.It iolog_path=string
+Fully qualified path to the file or directory in which I/O log is
+to be stored.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+If no I/O logging plugin is loaded, this setting has no effect.
+.It iolog_stdin=bool
+Set to true if the I/O logging plugins, if any, should log the
+standard input if it is not connected to a terminal device.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.It iolog_stdout=bool
+Set to true if the I/O logging plugins, if any, should log the
+standard output if it is not connected to a terminal device.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.It iolog_stderr=bool
+Set to true if the I/O logging plugins, if any, should log the
+standard error if it is not connected to a terminal device.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.It iolog_ttyin=bool
+Set to true if the I/O logging plugins, if any, should log all
+terminal input.
+This only includes input typed by the user and not from a pipe or
+redirected from a file.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.It iolog_ttyout=bool
+Set to true if the I/O logging plugins, if any, should log all
+terminal output.
+This only includes output to the screen, not output to a pipe or file.
+This is a hint to the I/O logging plugin which may choose to ignore it.
+.It use_pty=bool
+Allocate a pseudo-tty to run the command in, regardless of whether
+or not I/O logging is in use.
+By default,
+.Nm sudo
+will only run
+the command in a pty when an I/O log plugin is loaded.
+.It set_utmp=bool
+Create a utmp (or utmpx) entry when a pseudo-tty is allocated.
+By default, the new entry will be a copy of the user's existing utmp
+entry (if any), with the tty, time, type and pid fields updated.
+.It utmp_user=string
+User name to use when constructing a new utmp (or utmpx) entry when
+.Em set_utmp
+is enabled.
+This option can be used to set the user field in the utmp entry to
+the user the command runs as rather than the invoking user.
+If not set,
+.Nm sudo
+will base the new entry on
+the invoking user's existing entry.
+.El
+.Pp
+Unsupported values will be ignored.
+.It argv_out
+The
+.Dv NULL Ns No -terminated
+argument vector to pass to the
+.Xr execve 2
+system call when executing the command.
+The plugin is responsible for allocating and populating the vector.
+.It user_env_out
+The
+.Dv NULL Ns No -terminated
+environment vector to use when executing the command.
+The plugin is responsible for allocating and populating the vector.
+.El
+.It list
+.Bd -literal -compact
+int (*list)(int verbose, const char *list_user,
+ int argc, char * const argv[]);
+.Ed
+.Pp
+List available privileges for the invoking user.
+Returns 1 on success, 0 on failure and \-1 on error.
+On error, the plugin may optionally call the
+.Fn conversation
+or
+.Fn plugin_printf
+function with
+.Dv SUDO_CONF_ERROR_MSG
+to present additional error information to
+the user.
+.Pp
+Privileges should be output via the
+.Fn conversation
+or
+.Fn plugin_printf
+function using
+.Dv SUDO_CONV_INFO_MSG ,
+.Bl -tag -width 4n
+.It verbose
+Flag indicating whether to list in verbose mode or not.
+.It list_user
+The name of a different user to list privileges for if the policy
+allows it.
+If
+.Dv NULL ,
+the plugin should list the privileges of the invoking user.
+.It argc
+The number of elements in
+.Em argv ,
+not counting the final
+.Dv NULL
+pointer.
+.It argv
+If
+.No non- Ns Dv NULL ,
+an argument vector describing a command the user
+wishes to check against the policy in the same form as what would
+be passed to the
+.Xr execve 2
+system call.
+If the command is permitted by the policy, the fully-qualified path
+to the command should be displayed along with any command line arguments.
+.El
+.It validate
+.Bd -literal -compact
+int (*validate)(void);
+.Ed
+.Pp
+The
+.Fn validate
+function is called when
+.Nm sudo
+is run with the
+.Fl v
+flag.
+For policy plugins such as
+.Em sudoers
+that cache
+authentication credentials, this function will validate and cache
+the credentials.
+.Pp
+The
+.Fn validate
+function should be
+.Dv NULL
+if the plugin does not support credential caching.
+.Pp
+Returns 1 on success, 0 on failure and \-1 on error.
+On error, the plugin may optionally call the
+.Fn conversation
+or
+.Fn plugin_printf
+function with
+.Dv SUDO_CONF_ERROR_MSG
+to present additional
+error information to the user.
+.It invalidate
+.Bd -literal -compact
+void (*invalidate)(int remove);
+.Ed
+.Pp
+The
+.Fn invalidate
+function is called when
+.Nm sudo
+is called with
+the
+.Fl k
+or
+.Fl K
+flag.
+For policy plugins such as
+.Em sudoers
+that
+cache authentication credentials, this function will invalidate the
+credentials.
+If the
+.Em remove
+flag is set, the plugin may remove
+the credentials instead of simply invalidating them.
+.Pp
+The
+.Fn invalidate
+function should be
+.Dv NULL
+if the plugin does not support credential caching.
+.It init_session
+.Bd -literal -compact
+int (*init_session)(struct passwd *pwd, char **user_envp[);
+.Ed
+.Pp
+The
+.Fn init_session
+function is called before
+.Nm sudo
+sets up the
+execution environment for the command.
+It is run in the parent
+.Nm sudo
+process and before any uid or gid changes.
+This can be used to perform session setup that is not supported by
+.Em command_info ,
+such as opening the PAM session.
+The
+.Fn close
+function can be
+used to tear down the session that was opened by
+.Li init_session .
+.Pp
+The
+.Em pwd
+argument points to a passwd struct for the user the
+command will be run as if the uid the command will run as was found
+in the password database, otherwise it will be
+.Dv NULL .
+.Pp
+The
+.Em user_env
+argument points to the environment the command will
+run in, in the form of a
+.Dv NULL Ns No -terminated
+vector of
+.Dq name=value
+strings.
+This is the same string passed back to the front end via
+the Policy Plugin's
+.Em user_env_out
+parameter.
+If the
+.Fn init_session
+function needs to modify the user environment, it should update the
+pointer stored in
+.Em user_env .
+The expected use case is to merge the contents of the PAM environment
+(if any) with the contents of
+.Em user_env .
+NOTE: the
+.Em user_env
+parameter is only available
+starting with API version 1.2.
+A plugin
+.Sy must
+check the API
+version specified by the
+.Nm sudo
+front end before using
+.Em user_env .
+Failure to do so may result in a crash.
+.Pp
+Returns 1 on success, 0 on failure and \-1 on error.
+On error, the plugin may optionally call the
+.Fn conversation
+or
+.Fn plugin_printf
+function with
+.Dv SUDO_CONF_ERROR_MSG
+to present additional
+error information to the user.
+.It register_hooks
+.Bd -literal -compact
+void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+.Ed
+.Pp
+The
+.Fn register_hooks
+function is called by the sudo front end to
+register any hooks the plugin needs.
+If the plugin does not support hooks,
+.Li register_hooks
+should be set to the
+.Dv NULL
+pointer.
+.Pp
+The
+.Em version
+argument describes the version of the hooks API
+supported by the
+.Nm sudo
+front end.
+.Pp
+The
+.Fn register_hook
+function should be used to register any supported
+hooks the plugin needs.
+It returns 0 on success, 1 if the hook type is not supported and \-1
+if the major version in
+.Li struct hook
+does not match the front end's major hook API version.
+.Pp
+See the
+.Sx Hook function API
+section below for more information
+about hooks.
+.Pp
+NOTE: the
+.Fn register_hooks
+function is only available starting
+with API version 1.2.
+If the
+.Nm sudo
+front end doesn't support API
+version 1.2 or higher,
+.Li register_hooks
+will not be called.
+.It deregister_hooks
+.Bd -literal -compact
+void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+.Ed
+.Pp
+The
+.Fn deregister_hooks
+function is called by the sudo front end
+to deregister any hooks the plugin has registered.
+If the plugin does not support hooks,
+.Li deregister_hooks
+should be set to the
+.Dv NULL
+pointer.
+.Pp
+The
+.Em version
+argument describes the version of the hooks API
+supported by the
+.Nm sudo
+front end.
+.Pp
+The
+.Fn deregister_hook
+function should be used to deregister any
+hooks that were put in place by the
+.Fn register_hook
+function.
+If the plugin tries to deregister a hook that the front end does not support,
+.Li deregister_hook
+will return an error.
+.Pp
+See the
+.Sx Hook function API
+section below for more information
+about hooks.
+.Pp
+NOTE: the
+.Fn deregister_hooks
+function is only available starting
+with API version 1.2.
+If the
+.Nm sudo
+front end doesn't support API
+version 1.2 or higher,
+.Li deregister_hooks
+will not be called.
+.El
+.Pp
+.Em Policy Plugin Version Macros
+.Bd -literal
+/* Plugin API version major/minor. */
+#define SUDO_API_VERSION_MAJOR 1
+#define SUDO_API_VERSION_MINOR 2
+#define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
+#define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\e
+ SUDO_API_VERSION_MINOR)
+
+/* Getters and setters for API version */
+#define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+#define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+#define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+} while(0)
+#define SUDO_VERSION_SET_MINOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0xffff0000) | (n); \e
+} while(0)
+.Ed
+.Ss I/O plugin API
+.Bd -literal
+struct io_plugin {
+#define SUDO_IO_PLUGIN 2
+ unsigned int type; /* always SUDO_IO_PLUGIN */
+ unsigned int version; /* always SUDO_API_VERSION */
+ int (*open)(unsigned int version, sudo_conv_t conversation
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], int argc, char * const argv[],
+ char * const user_env[], char * const plugin_options[]);
+ void (*close)(int exit_status, int error); /* wait status or error */
+ int (*show_version)(int verbose);
+ int (*log_ttyin)(const char *buf, unsigned int len);
+ int (*log_ttyout)(const char *buf, unsigned int len);
+ int (*log_stdin)(const char *buf, unsigned int len);
+ int (*log_stdout)(const char *buf, unsigned int len);
+ int (*log_stderr)(const char *buf, unsigned int len);
+ void (*register_hooks)(int version,
+ int (*register_hook)(struct sudo_hook *hook));
+ void (*deregister_hooks)(int version,
+ int (*deregister_hook)(struct sudo_hook *hook));
+};
+.Ed
+.Pp
+When an I/O plugin is loaded,
+.Nm sudo
+runs the command in a pseudo-tty.
+This makes it possible to log the input and output from the user's
+session.
+If any of the standard input, standard output or standard error do not
+correspond to a tty,
+.Nm sudo
+will open a pipe to capture
+the I/O for logging before passing it on.
+.Pp
+The log_ttyin function receives the raw user input from the terminal
+device (note that this will include input even when echo is disabled,
+such as when a password is read).
+The log_ttyout function receives output from the pseudo-tty that is
+suitable for replaying the user's session at a later time.
+The
+.Fn log_stdin ,
+.Fn log_stdout
+and
+.Fn log_stderr
+functions are only called if the standard input, standard output
+or standard error respectively correspond to something other than
+a tty.
+.Pp
+Any of the logging functions may be set to the
+.Dv NULL
+pointer if no logging is to be performed.
+If the open function returns 0, no I/O will be sent to the plugin.
+.Pp
+The io_plugin struct has the following fields:
+.Bl -tag -width 4n
+.It type
+The
+.Li type
+field should always be set to
+.Dv SUDO_IO_PLUGIN .
+.It version
+The
+.Li version
+field should be set to
+.Dv SUDO_API_VERSION .
+.Pp
+This allows
+.Nm sudo
+to determine the API version the plugin was
+built against.
+.It open
+.Bd -literal -compact
+int (*open)(unsigned int version, sudo_conv_t conversation
+ sudo_printf_t plugin_printf, char * const settings[],
+ char * const user_info[], int argc, char * const argv[],
+ char * const user_env[], char * const plugin_options[]);
+.Ed
+.Pp
+The
+.Fn open
+function is run before the
+.Fn log_input ,
+.Fn log_output
+or
+.Fn show_version
+functions are called.
+It is only called if the version is being requested or the
+.Fn check_policy
+function has
+returned successfully.
+It returns 1 on success, 0 on failure, \-1 if a general error occurred,
+or \-2 if there was a usage error.
+In the latter case,
+.Nm sudo
+will print a usage message before it exits.
+If an error occurs, the plugin may optionally call the
+.Fn conversation
+or
+.Fn plugin_printf
+function with
+.Dv SUDO_CONF_ERROR_MSG
+to present
+additional error information to the user.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It version
+The version passed in by
+.Nm sudo
+allows the plugin to determine the
+major and minor version number of the plugin API supported by
+.Nm sudo .
+.It conversation
+A pointer to the
+.Fn conversation
+function that may be used by the
+.Fn show_version
+function to display version information (see
+.Fn show_version
+below).
+The
+.Fn conversation
+function may also be used to display additional error message to the user.
+The
+.Fn conversation
+function returns 0 on success and \-1 on failure.
+.It plugin_printf
+A pointer to a
+.Fn printf Ns No -style
+function that may be used by the
+.Fn show_version
+function to display version information (see
+show_version below).
+The
+.Fn plugin_printf
+function may also be used to display additional error message to the user.
+The
+.Fn plugin_printf
+function returns number of characters printed on success and \-1 on failure.
+.It settings
+A vector of user-supplied
+.Nm sudo
+settings in the form of
+.Dq name=value
+strings.
+The vector is terminated by a
+.Dv NULL
+pointer.
+These settings correspond to flags the user specified when running
+.Nm sudo .
+As such, they will only be present when the corresponding flag has
+been specified on the command line.
+.Pp
+When parsing
+.Em settings ,
+the plugin should split on the
+.Sy first
+equal sign
+.Pq Ql =
+since the
+.Em name
+field will never include one
+itself but the
+.Em value
+might.
+.Pp
+See the
+.Sx Policy plugin API
+section for a list of all possible settings.
+.It user_info
+A vector of information about the user running the command in the form of
+.Dq name=value
+strings.
+The vector is terminated by a
+.Dv NULL
+pointer.
+.Pp
+When parsing
+.Em user_info ,
+the plugin should split on the
+.Sy first
+equal sign
+.Pq Ql =
+since the
+.Em name
+field will never include one
+itself but the
+.Em value
+might.
+.Pp
+See the
+.Sx Policy plugin API
+section for a list of all possible strings.
+.It argc
+The number of elements in
+.Em argv ,
+not counting the final
+.Dv NULL
+pointer.
+.It argv
+If
+.No non- Ns Dv NULL ,
+an argument vector describing a command the user
+wishes to run in the same form as what would be passed to the
+.Xr execve 2
+system call.
+.It user_env
+The user's environment in the form of a
+.Dv NULL Ns No -terminated
+vector of
+.Dq name=value
+strings.
+.Pp
+When parsing
+.Em user_env ,
+the plugin should split on the
+.Sy first
+equal sign
+.Pq Ql =
+since the
+.Em name
+field will never include one
+itself but the
+.Em value
+might.
+.It plugin_options
+Any (non-comment) strings immediately after the plugin path are
+treated as arguments to the plugin.
+These arguments are split on a white space boundary and are passed to
+the plugin in the form of a
+.Dv NULL Ns No -terminated
+array of strings.
+If no arguments were specified,
+.Em plugin_options
+will be the
+.Dv NULL
+pointer.
+.Pp
+NOTE: the
+.Em plugin_options
+parameter is only available starting with
+API version 1.2.
+A plugin
+.Sy must
+check the API version specified
+by the
+.Nm sudo
+front end before using
+.Em plugin_options .
+Failure to do so may result in a crash.
+.El
+.It close
+.Bd -literal -compact
+void (*close)(int exit_status, int error);
+.Ed
+.Pp
+The
+.Fn close
+function is called when the command being run by
+.Nm sudo
+finishes.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It exit_status
+The command's exit status, as returned by the
+.Xr wait 2
+system call.
+The value of
+.Li exit_status
+is undefined if
+.Li error
+is non-zero.
+.It error
+If the command could not be executed, this is set to the value of
+.Li errno
+set by the
+.Xr execve 2
+system call.
+If the command was successfully executed, the value of
+.Li error
+is 0.
+.El
+.It show_version
+.Bd -literal -compact
+int (*show_version)(int verbose);
+.Ed
+.Pp
+The
+.Fn show_version
+function is called by
+.Nm sudo
+when the user specifies
+the
+.Fl V
+option.
+The plugin may display its version information to the user via the
+.Fn conversation
+or
+.Fn plugin_printf
+function using
+.Dv SUDO_CONV_INFO_MSG .
+If the user requests detailed version information, the verbose flag will be set.
+.It log_ttyin
+.Bd -literal -compact
+int (*log_ttyin)(const char *buf, unsigned int len);
+.Ed
+.Pp
+The
+.Fn log_ttyin
+function is called whenever data can be read from
+the user but before it is passed to the running command.
+This allows the plugin to reject data if it chooses to (for instance
+if the input contains banned content).
+Returns 1 if the data should be passed to the command, 0 if the data
+is rejected (which will terminate the command) or \-1 if an error occurred.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It buf
+The buffer containing user input.
+.It len
+The length of
+.Em buf
+in bytes.
+.El
+.It log_ttyout
+.Bd -literal -compact
+int (*log_ttyout)(const char *buf, unsigned int len);
+.Ed
+.Pp
+The
+.Fn log_ttyout
+function is called whenever data can be read from
+the command but before it is written to the user's terminal.
+This allows the plugin to reject data if it chooses to (for instance
+if the output contains banned content).
+Returns 1 if the data should be passed to the user, 0 if the data is rejected
+(which will terminate the command) or \-1 if an error occurred.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It buf
+The buffer containing command output.
+.It len
+The length of
+.Em buf
+in bytes.
+.El
+.It log_stdin
+.Bd -literal -compact
+int (*log_stdin)(const char *buf, unsigned int len);
+.Ed
+.Pp
+The
+.Fn log_stdin
+function is only used if the standard input does
+not correspond to a tty device.
+It is called whenever data can be read from the standard input but
+before it is passed to the running command.
+This allows the plugin to reject data if it chooses to
+(for instance if the input contains banned content).
+Returns 1 if the data should be passed to the command, 0 if the data is
+rejected (which will terminate the command) or \-1 if an error occurred.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It buf
+The buffer containing user input.
+.It len
+The length of
+.Em buf
+in bytes.
+.El
+.It log_stdout
+.Bd -literal -compact
+int (*log_stdout)(const char *buf, unsigned int len);
+.Ed
+.Pp
+The
+.Fn log_stdout
+function is only used if the standard output does not correspond
+to a tty device.
+It is called whenever data can be read from the command but before
+it is written to the standard output.
+This allows the plugin to reject data if it chooses to
+(for instance if the output contains banned content).
+Returns 1 if the data should be passed to the user, 0 if the data is
+rejected (which will terminate the command) or \-1 if an error occurred.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It buf
+The buffer containing command output.
+.It len
+The length of
+.Em buf
+in bytes.
+.El
+.It log_stderr
+.Bd -literal -compact
+int (*log_stderr)(const char *buf, unsigned int len);
+.Ed
+.Pp
+The
+.Fn log_stderr
+function is only used if the standard error does
+not correspond to a tty device.
+It is called whenever data can be read from the command but before it
+is written to the standard error.
+This allows the plugin to reject data if it chooses to
+(for instance if the output contains banned content).
+Returns 1 if the data should be passed to the user, 0 if the data is
+rejected (which will terminate the command) or \-1 if an error occurred.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It buf
+The buffer containing command output.
+.It len
+The length of
+.Em buf
+in bytes.
+.El
+.It register_hooks
+See the
+.Sx Policy plugin API
+section for a description of
+.Li register_hooks .
+.It deregister_hooks
+See the
+.Sx Policy plugin API
+section for a description of
+.Li deregister_hooks.
+.El
+.Pp
+.Em I/O Plugin Version Macros
+.Pp
+Same as for the
+.Sx Policy plugin API .
+.Ss Hook function API
+Beginning with plugin API version 1.2, it is possible to install
+hooks for certain functions called by the
+.Nm sudo
+front end.
+.Pp
+Currently, the only supported hooks relate to the handling of
+environment variables.
+Hooks can be used to intercept attempts to get, set, or remove
+environment variables so that these changes can be reflected in
+the version of the environment that is used to execute a command.
+A future version of the API will support hooking internal
+.Nm sudo
+front end functions as well.
+.Pp
+.Em Hook structure
+.Pp
+Hooks in
+.Nm sudo
+are described by the following structure:
+.Bd -literal
+typedef int (*sudo_hook_fn_t)();
+
+struct sudo_hook {
+ int hook_version;
+ int hook_type;
+ sudo_hook_fn_t hook_fn;
+ void *closure;
+};
+.Ed
+.Pp
+The
+.Li sudo_hook
+structure has the following fields:
+.Bl -tag -width 4n
+.It hook_version
+The
+.Li hook_version
+field should be set to
+.Dv SUDO_HOOK_VERSION .
+.It hook_type
+The
+.Li hook_type
+field may be one of the following supported hook types:
+.Bl -tag -width 4n
+.It Dv SUDO_HOOK_SETENV
+The C library
+.Xr setenv 3
+function.
+Any registered hooks will run before the C library implementation.
+The
+.Li hook_fn
+field should
+be a function that matches the following typedef:
+.Bd -literal
+typedef int (*sudo_hook_fn_setenv_t)(const char *name,
+ const char *value, int overwrite, void *closure);
+.Ed
+.Pp
+If the registered hook does not match the typedef the results are
+unspecified.
+.It Dv SUDO_HOOK_UNSETENV
+The C library
+.Xr unsetenv 3
+function.
+Any registered hooks will run before the C library implementation.
+The
+.Li hook_fn
+field should
+be a function that matches the following typedef:
+.Bd -literal
+typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
+ void *closure);
+.Ed
+.It Dv SUDO_HOOK_GETENV
+The C library
+.Xr getenv 3
+function.
+Any registered hooks will run before the C library implementation.
+The
+.Li hook_fn
+field should
+be a function that matches the following typedef:
+.Bd -literal
+typedef int (*sudo_hook_fn_getenv_t)(const char *name,
+ char **value, void *closure);
+.Ed
+.Pp
+If the registered hook does not match the typedef the results are
+unspecified.
+.It Dv SUDO_HOOK_PUTENV
+The C library
+.Xr putenv 3
+function.
+Any registered hooks will run before the C library implementation.
+The
+.Li hook_fn
+field should
+be a function that matches the following typedef:
+.Bd -literal
+typedef int (*sudo_hook_fn_putenv_t)(char *string,
+ void *closure);
+.Ed
+.Pp
+If the registered hook does not match the typedef the results are
+unspecified.
+.El
+.It hook_fn
+sudo_hook_fn_t hook_fn;
+.Pp
+The
+.Li hook_fn
+field should be set to the plugin's hook implementation.
+The actual function arguments will vary depending on the
+.Li hook_type
+(see
+.Li hook_type
+above).
+In all cases, the
+.Li closure
+field of
+.Li struct sudo_hook
+is passed as the last function parameter.
+This can be used to pass arbitrary data to the plugin's hook implementation.
+.Pp
+The function return value may be one of the following:
+.Bl -tag -width 4n
+.It Dv SUDO_HOOK_RET_ERROR
+The hook function encountered an error.
+.It Dv SUDO_HOOK_RET_NEXT
+The hook completed without error, go on to the next hook (including
+the native implementation if applicable).
+For example, a
+.Xr getenv 3
+hook might return
+.Dv SUDO_HOOK_RET_NEXT
+if the specified variable was not found in the private copy of the environment.
+.It Dv SUDO_HOOK_RET_STOP
+The hook completed without error, stop processing hooks for this invocation.
+This can be used to replace the native implementation.
+For example, a
+.Li setenv
+hook that operates on a private copy of
+the environment but leaves
+.Li environ
+unchanged.
+.El
+.El
+.Pp
+Note that it is very easy to create an infinite loop when hooking
+C library functions.
+For example, a
+.Xr getenv 3
+hook that calls the
+.Xr snprintf 3
+function may create a loop if the
+.Xr snprintf 3
+implementation calls
+.Xr getenv 3
+to check the locale.
+To prevent this, you may wish to use a static variable in the hook
+function to guard against nested calls.
+For example:
+.Bd -literal
+static int in_progress = 0; /* avoid recursion */
+if (in_progress)
+ return SUDO_HOOK_RET_NEXT;
+in_progress = 1;
+\&...
+in_progress = 0;
+return SUDO_HOOK_RET_STOP;
+.Ed
+.Pp
+.Em Hook API Version Macros
+.Bd -literal
+/* Hook API version major/minor */
+#define SUDO_HOOK_VERSION_MAJOR 1
+#define SUDO_HOOK_VERSION_MINOR 0
+#define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
+#define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\e
+ SUDO_HOOK_VERSION_MINOR)
+
+/* Getters and setters for hook API version */
+#define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
+#define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
+#define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+} while(0)
+#define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0xffff0000) | (n); \e
+} while(0)
+.Ed
+.Ss Conversation API
+If the plugin needs to interact with the user, it may do so via the
+.Fn conversation
+function.
+A plugin should not attempt to read directly from the standard input
+or the user's tty (neither of which are guaranteed to exist).
+The caller must include a trailing newline in
+.Li msg
+if one is to be printed.
+.Pp
+A
+.Fn printf Ns No -style
+function is also available that can be used to display informational
+or error messages to the user, which is usually more convenient for
+simple messages where no use input is required.
+.Bd -literal
+struct sudo_conv_message {
+#define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
+#define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
+#define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
+#define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
+#define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
+#define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
+#define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
+ int msg_type;
+ int timeout;
+ const char *msg;
+};
+
+struct sudo_conv_reply {
+ char *reply;
+};
+
+typedef int (*sudo_conv_t)(int num_msgs,
+ const struct sudo_conv_message msgs[],
+ struct sudo_conv_reply replies[]);
+
+typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
+.Ed
+.Pp
+Pointers to the
+.Fn conversation
+and
+.Fn printf Ns No -style
+functions are passed
+in to the plugin's
+.Fn open
+function when the plugin is initialized.
+.Pp
+To use the
+.Fn conversation
+function, the plugin must pass an array of
+.Li sudo_conv_message
+and
+.Li sudo_conv_reply
+structures.
+There must be a
+.Li struct sudo_conv_message
+and
+.Li struct sudo_conv_reply
+for
+each message in the conversation.
+The plugin is responsible for freeing the reply buffer filled in to the
+.Li struct sudo_conv_reply ,
+if any.
+.Pp
+The
+.Fn printf Ns No -style
+function uses the same underlying mechanism as the
+.Fn conversation
+function but only supports
+.Dv SUDO_CONV_INFO_MSG ,
+.Dv SUDO_CONV_ERROR_MSG
+and
+.Dv SUDO_CONV_DEBUG_MSG
+for the
+.Em msg_type
+parameter.
+It can be more convenient than using the
+.Fn conversation
+function if no user reply is needed and supports standard
+.Fn printf
+escape sequences.
+.Pp
+Unlike,
+.Dv SUDO_CONV_INFO_MSG
+and
+Dv SUDO_CONV_ERROR_MSG ,
+messages
+sent with the
+.Dv SUDO_CONV_DEBUG_MSG
+.Em msg_type
+are not directly
+user-visible.
+Instead, they are logged to the file specified in the
+.Li Debug
+statement (if any) in the
+.Pa @sysconfdir@/sudo.conf
+.Pp
+file.
+This allows a plugin to log debugging information and is intended
+to be used in conjunction with the
+.Em debug_flags
+setting.
+.Pp
+See the sample plugin for an example of the
+.Fn conversation
+function usage.
+.Ss Sudoers group plugin API
+The
+.Em sudoers
+module supports a plugin interface to allow non-Unix
+group lookups.
+This can be used to query a group source other than the standard Unix
+group database.
+A sample group plugin is bundled with
+.Nm sudo
+that implements file-based lookups.
+Third party group plugins include a QAS AD plugin available from Quest Software.
+.Pp
+A group plugin must declare and populate a
+.Li sudoers_group_plugin
+struct in the global scope.
+This structure contains pointers to the functions that implement plugin
+initialization, cleanup and group lookup.
+.Bd -literal
+struct sudoers_group_plugin {
+ unsigned int version;
+ int (*init)(int version, sudo_printf_t sudo_printf,
+ char *const argv[]);
+ void (*cleanup)(void);
+ int (*query)(const char *user, const char *group,
+ const struct passwd *pwd);
+};
+.Ed
+.Pp
+The
+.Li sudoers_group_plugin
+struct has the following fields:
+.Bl -tag -width 4n
+.It version
+The
+.Li version
+field should be set to GROUP_API_VERSION.
+.Pp
+This allows
+.Em sudoers
+to determine the API version the group plugin
+was built against.
+.It init
+.Bd -literal -compact
+int (*init)(int version, sudo_printf_t plugin_printf,
+ char *const argv[]);
+.Ed
+.Pp
+The
+.Fn init
+function is called after
+.Em sudoers
+has been parsed but
+before any policy checks.
+It returns 1 on success, 0 on failure (or if the plugin is not configured),
+and \-1 if a error occurred.
+If an error occurs, the plugin may call the
+.Fn plugin_printf
+function with
+.Dv SUDO_CONF_ERROR_MSG
+to present additional error information
+to the user.
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It version
+The version passed in by
+.Em sudoers
+allows the plugin to determine the
+major and minor version number of the group plugin API supported by
+.Em sudoers .
+.It plugin_printf
+A pointer to a
+.Fn printf Ns No -style
+function that may be used to display informational or error message to the user.
+Returns the number of characters printed on success and \-1 on failure.
+.It argv
+A
+.Dv NULL Ns No -terminated
+array of arguments generated from the
+.Em group_plugin
+option in
+.Em sudoers .
+If no arguments were given,
+.Em argv
+will be
+.Dv NULL .
+.El
+.It cleanup
+.Bd -literal -compact
+void (*cleanup)();
+.Ed
+.Pp
+The
+.Fn cleanup
+function is called when
+.Em sudoers
+has finished its
+group checks.
+The plugin should free any memory it has allocated and close open file handles.
+.It query
+.Bd -literal -compact
+int (*query)(const char *user, const char *group,
+ const struct passwd *pwd);
+.Ed
+.Pp
+The
+.Fn query
+function is used to ask the group plugin whether
+.Em user
+is a member of
+.Em group .
+.Pp
+The function arguments are as follows:
+.Bl -tag -width 4n
+.It user
+The name of the user being looked up in the external group database.
+.It group
+The name of the group being queried.
+.It pwd
+The password database entry for
+.Em user ,
+if any.
+If
+.Em user
+is not
+present in the password database,
+.Em pwd
+will be
+.Dv NULL .
+.El
+.El
+.Pp
+.Em Group API Version Macros
+.Bd -literal
+/* Sudoers group plugin version major/minor */
+#define GROUP_API_VERSION_MAJOR 1
+#define GROUP_API_VERSION_MINOR 0
+#define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \e
+ GROUP_API_VERSION_MINOR)
+
+/* Getters and setters for group version */
+#define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
+#define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
+#define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \e
+} while(0)
+#define GROUP_API_VERSION_SET_MINOR(vp, n) do { \e
+ *(vp) = (*(vp) & 0xffff0000) | (n); \e
+} while(0)
+.Ed
+.Sh PLUGIN API CHANGELOG
+The following revisions have been made to the Sudo Plugin API.
+.Bl -tag -width 4n
+.It Version 1.0
+Initial API version.
+.It Version 1.1
+The I/O logging plugin's
+.Fn open
+function was modified to take the
+.Li command_info
+list as an argument.
+.It Version 1.2
+The Policy and I/O logging plugins'
+.Fn open
+functions are now passed
+a list of plugin options if any are specified in
+.Pa @sysconfdir@/sudo.conf .
+.Pp
+A simple hooks API has been introduced to allow plugins to hook in to the
+system's environment handling functions.
+.Pp
+The
+.Li init_session
+Policy plugin function is now passed a pointer
+to the user environment which can be updated as needed.
+This can be used to merge in environment variables stored in the PAM
+handle before a command is run.
+.El
+.Sh SEE ALSO
+.Xr sudoers @mansectform@ ,
+.Xr sudo @mansectsu@
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-=pod
-
-=head1 NAME
-
-sudo_plugin - Sudo Plugin API
-
-=head1 DESCRIPTION
-
-Starting with version 1.8, B<sudo> supports a plugin API
-for policy and session logging. By default, the I<sudoers> policy
-plugin and an associated I/O logging plugin are used. Via the plugin
-API, B<sudo> can be configured to use alternate policy and/or I/O
-logging plugins provided by third parties. The plugins to be used
-are specified via the F<@sysconfdir@/sudo.conf> file.
-
-The API is versioned with a major and minor number. The minor
-version number is incremented when additions are made. The major
-number is incremented when incompatible changes are made. A plugin
-should be check the version passed to it and make sure that the
-major version matches.
-
-The plugin API is defined by the C<sudo_plugin.h> header file.
-
-=head2 The sudo.conf File
-
-The F<@sysconfdir@/sudo.conf> file contains plugin configuration directives.
-Currently, the only supported keyword is the C<Plugin> directive,
-which causes a plugin plugin to be loaded.
-
-A C<Plugin> line consists of the C<Plugin> keyword, followed by the
-I<symbol_name> and the I<path> to the shared object containing the
-plugin. The I<symbol_name> is the name of the C<struct policy_plugin>
-or C<struct io_plugin> in the plugin shared object. The I<path>
-may be fully qualified or relative. If not fully qualified it is
-relative to the F<@prefix@/libexec> directory. Any additional
-parameters after the I<path> are passed as options to the plugin's
-I<open> function. Lines that don't begin with C<Plugin>, C<Path>,
-C<Debug> or C<Set> are silently ignored.
-
-The same shared object may contain multiple plugins, each with a
-different symbol name. The shared object file must be owned by uid
-0 and only writable by its owner. Because of ambiguities that arise
-from composite policies, only a single policy plugin may be specified.
-This limitation does not apply to I/O plugins.
-
- #
- # Default @sysconfdir@/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to @prefix@/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin sudoers_policy sudoers.so
- Plugin sudoers_io sudoers.so
-
-=head2 Policy Plugin API
-
-A policy plugin must declare and populate a C<policy_plugin> struct
-in the global scope. This structure contains pointers to the functions
-that implement the B<sudo> policy checks. The name of the symbol should
-be specified in F<@sysconfdir@/sudo.conf> along with a path to the plugin
-so that B<sudo> can load it.
-
- struct policy_plugin {
- #define SUDO_POLICY_PLUGIN 1
- unsigned int type; /* always SUDO_POLICY_PLUGIN */
- unsigned int version; /* always SUDO_API_VERSION */
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[],
- char * const plugin_options[]);
- void (*close)(int exit_status, int error);
- int (*show_version)(int verbose);
- int (*check_policy)(int argc, char * const argv[],
- char *env_add[], char **command_info[],
- char **argv_out[], char **user_env_out[]);
- int (*list)(int argc, char * const argv[], int verbose,
- const char *list_user);
- int (*validate)(void);
- void (*invalidate)(int remove);
- int (*init_session)(struct passwd *pwd, char **user_env[]);
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
- };
-
-The policy_plugin struct has the following fields:
-
-=over 4
-
-=item type
-
-The C<type> field should always be set to SUDO_POLICY_PLUGIN.
-
-=item version
-
-The C<version> field should be set to SUDO_API_VERSION.
-
-This allows B<sudo> to determine the API version the plugin was
-built against.
-
-=item open
-
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[],
- char * const plugin_options[]);
-
-Returns 1 on success, 0 on failure, -1 if a general error occurred,
-or -2 if there was a usage error. In the latter case, B<sudo> will
-print a usage message before it exits. If an error occurs, the
-plugin may optionally call the conversation or plugin_printf function
-with C<SUDO_CONF_ERROR_MSG> to present additional error information
-to the user.
-
-The function arguments are as follows:
-
-=over 4
-
-=item version
-
-The version passed in by B<sudo> allows the plugin to determine the
-major and minor version number of the plugin API supported by
-B<sudo>.
-
-=item conversation
-
-A pointer to the conversation function that can be used by the
-plugin to interact with the user (see below).
-Returns 0 on success and -1 on failure.
-
-=item plugin_printf
-
-A pointer to a printf-style function that may be used to display
-informational or error messages (see below).
-Returns the number of characters printed on success and -1 on failure.
-
-=item settings
-
-A vector of user-supplied B<sudo> settings in the form of "name=value"
-strings. The vector is terminated by a C<NULL> pointer. These
-settings correspond to flags the user specified when running B<sudo>.
-As such, they will only be present when the corresponding flag has
-been specified on the command line.
-
-When parsing I<settings>, the plugin should split on the B<first>
-equal sign ('=') since the I<name> field will never include one
-itself but the I<value> might.
-
-=over 4
-
-=item debug_flags=string
-
-A comma-separated list of debug flags that correspond to B<sudo>'s
-C<Debug> entry in F<@sysconfdir@/sudo.conf>, if there is one. The
-flags are passed to the plugin as they appear in F<@sysconfdir@/sudo.conf>.
-The syntax used by B<sudo> and the I<sudoers> plugin is
-I<subsystem>@I<priority> but the plugin is free to use a different
-format so long as it does not include a command C<,>.
-
-For reference, the priorities supported by the B<sudo> front end and
-I<sudoers> are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>,
-I<info>, I<trace> and I<debug>.
-
-The following subsystems are defined: I<main>, I<memory>, I<args>,
-I<exec>, I<pty>, I<utmp>, I<conv>, I<pcomm>, I<util>, I<list>,
-I<netif>, I<audit>, I<edit>, I<selinux>, I<ldap>, I<match>, I<parser>,
-I<alias>, I<defaults>, I<auth>, I<env>, I<logging>, I<nss>, I<rbtree>,
-I<perms>, I<plugin>. The subsystem I<all> includes every subsystem.
-
-There is not currently a way to specify a set of debug flags specific
-to the plugin--the flags are shared by B<sudo> and the plugin.
-
-=item debug_level=number
-
-This setting has been deprecated in favor of I<debug_flags>.
-
-=item runas_user=string
-
-The user name or uid to to run the command as, if specified via the
-C<-u> flag.
-
-=item runas_group=string
-
-The group name or gid to to run the command as, if specified via
-the C<-g> flag.
-
-=item prompt=string
-
-The prompt to use when requesting a password, if specified via
-the C<-p> flag.
-
-=item set_home=bool
-
-Set to true if the user specified the C<-H> flag. If true, set the
-C<HOME> environment variable to the target user's home directory.
-
-=item preserve_environment=bool
-
-Set to true if the user specified the C<-E> flag, indicating that
-the user wishes to preserve the environment.
-
-=item run_shell=bool
-
-Set to true if the user specified the C<-s> flag, indicating that
-the user wishes to run a shell.
-
-=item login_shell=bool
-
-Set to true if the user specified the C<-i> flag, indicating that
-the user wishes to run a login shell.
-
-=item implied_shell=bool
-
-If the user does not specify a program on the command line, B<sudo>
-will pass the plugin the path to the user's shell and set
-I<implied_shell> to true. This allows B<sudo> with no arguments
-to be used similarly to L<su(1)>. If the plugin does not to support
-this usage, it may return a value of -2 from the C<check_policy>
-function, which will cause B<sudo> to print a usage message and
-exit.
-
-=item preserve_groups=bool
-
-Set to true if the user specified the C<-P> flag, indicating that
-the user wishes to preserve the group vector instead of setting it
-based on the runas user.
-
-=item ignore_ticket=bool
-
-Set to true if the user specified the C<-k> flag along with a
-command, indicating that the user wishes to ignore any cached
-authentication credentials.
-
-=item noninteractive=bool
-
-Set to true if the user specified the C<-n> flag, indicating that
-B<sudo> should operate in non-interactive mode. The plugin may
-reject a command run in non-interactive mode if user interaction
-is required.
-
-=item login_class=string
-
-BSD login class to use when setting resource limits and nice value,
-if specified by the C<-c> flag.
-
-=item selinux_role=string
-
-SELinux role to use when executing the command, if specified by
-the C<-r> flag.
-
-=item selinux_type=string
-
-SELinux type to use when executing the command, if specified by
-the C<-t> flag.
-
-=item bsdauth_type=string
-
-Authentication type, if specified by the C<-a> flag, to use on
-systems where BSD authentication is supported.
-
-=item network_addrs=list
-
-A space-separated list of IP network addresses and netmasks in the
-form "addr/netmask", e.g. "192.168.1.2/255.255.255.0". The address
-and netmask pairs may be either IPv4 or IPv6, depending on what the
-operating system supports. If the address contains a colon (':'),
-it is an IPv6 address, else it is IPv4.
-
-=item progname=string
-
-The command name that sudo was run as, typically "sudo" or "sudoedit".
-
-=item sudoedit=bool
-
-Set to true when the C<-e> flag is is specified or if invoked as
-B<sudoedit>. The plugin shall substitute an editor into I<argv>
-in the I<check_policy> function or return C<-2> with a usage error
-if the plugin does not support I<sudoedit>. For more information,
-see the I<check_policy> section.
-
-=item closefrom=number
-
-If specified, the user has requested via the C<-C> flag that B<sudo>
-close all files descriptors with a value of I<number> or higher.
-The plugin may optionally pass this, or another value, back in the
-I<command_info> list.
-
-=back
-
-Additional settings may be added in the future so the plugin should
-silently ignore settings that it does not recognize.
-
-=item user_info
-
-A vector of information about the user running the command in the form of
-"name=value" strings. The vector is terminated by a C<NULL> pointer.
-
-When parsing I<user_info>, the plugin should split on the B<first>
-equal sign ('=') since the I<name> field will never include one
-itself but the I<value> might.
-
-=over 4
-
-=item pid=int
-
-The process ID of the running B<sudo> process.
-Only available starting with API version 1.2
-
-=item ppid=int
-
-The parent process ID of the running B<sudo> process.
-Only available starting with API version 1.2
-
-=item sid=int
-
-The session ID of the running B<sudo> process or 0 if B<sudo> is
-not part of a POSIX job control session.
-Only available starting with API version 1.2
-
-=item pgid=int
-
-The ID of the process group that the running B<sudo> process belongs
-to.
-Only available starting with API version 1.2
-
-=item tcpgid=int
-
-The ID of the forground process group associated with the terminal
-device associcated with the B<sudo> process or -1 if there is no
-terminal present.
-Only available starting with API version 1.2
-
-=item user=string
-
-The name of the user invoking B<sudo>.
-
-=item euid=uid_t
-
-The effective user ID of the user invoking B<sudo>.
-
-=item uid=uid_t
-
-The real user ID of the user invoking B<sudo>.
-
-=item egid=gid_t
-
-The effective group ID of the user invoking B<sudo>.
-
-=item gid=gid_t
-
-The real group ID of the user invoking B<sudo>.
-
-=item groups=list
-
-The user's supplementary group list formatted as a string of
-comma-separated group IDs.
-
-=item cwd=string
-
-The user's current working directory.
-
-=item tty=string
-
-The path to the user's terminal device. If the user has no terminal
-device associated with the session, the value will be empty, as in
-C<tty=>.
-
-=item host=string
-
-The local machine's hostname as returned by the C<gethostname()>
-system call.
-
-=item lines=int
-
-The number of lines the user's terminal supports. If there is
-no terminal device available, a default value of 24 is used.
-
-=item cols=int
-
-The number of columns the user's terminal supports. If there is
-no terminal device available, a default value of 80 is used.
-
-=back
-
-=item user_env
-
-The user's environment in the form of a C<NULL>-terminated vector of
-"name=value" strings.
-
-When parsing I<user_env>, the plugin should split on the B<first>
-equal sign ('=') since the I<name> field will never include one
-itself but the I<value> might.
-
-=item plugin_options
-
-Any (non-comment) strings immediately after the plugin path are
-treated as arguments to the plugin. These arguments are split on
-a white space boundary and are passed to the plugin in the form of
-a C<NULL>-terminated array of strings. If no arguments were
-specified, I<plugin_options> will be the NULL pointer.
-
-NOTE: the I<plugin_options> parameter is only available starting with
-API version 1.2. A plugin B<must> check the API version specified
-by the B<sudo> front end before using I<plugin_options>. Failure to
-do so may result in a crash.
-
-=back
-
-=item close
-
- void (*close)(int exit_status, int error);
-
-The C<close> function is called when the command being run by B<sudo>
-finishes.
-
-The function arguments are as follows:
-
-=over 4
-
-=item exit_status
-
-The command's exit status, as returned by the wait(2) system call.
-The value of C<exit_status> is undefined if C<error> is non-zero.
-
-=item error
-
-If the command could not be executed, this is set to the value of
-C<errno> set by the execve(2) system call. The plugin is responsible
-for displaying error information via the conversation or plugin_printf
-function. If the command was successfully executed, the value of
-C<error> is 0.
-
-=back
-
-=item show_version
-
- int (*show_version)(int verbose);
-
-The C<show_version> function is called by B<sudo> when the user specifies
-the C<-V> option. The plugin may display its version information
-to the user via the conversation or plugin_printf function using
-C<SUDO_CONV_INFO_MSG>. If the user requests detailed version
-information, the verbose flag will be set.
-
-=item check_policy
-
- int (*check_policy)(int argc, char * const argv[]
- char *env_add[], char **command_info[],
- char **argv_out[], char **user_env_out[]);
-
-The I<check_policy> function is called by B<sudo> to determine
-whether the user is allowed to run the specified commands.
-
-If the I<sudoedit> option was enabled in the I<settings> array
-passed to the I<open> function, the user has requested I<sudoedit>
-mode. I<sudoedit> is a mechanism for editing one or more files
-where an editor is run with the user's credentials instead of with
-elevated privileges. B<sudo> achieves this by creating user-writable
-temporary copies of the files to be edited and then overwriting the
-originals with the temporary copies after editing is complete. If
-the plugin supports B<sudoedit>, it should choose the editor to be
-used, potentially from a variable in the user's environment, such
-as C<EDITOR>, and include it in I<argv_out> (note that environment
-variables may include command line flags). The files to be edited
-should be copied from I<argv> into I<argv_out>, separated from the
-editor and its arguments by a C<"--"> element. The C<"--"> will
-be removed by B<sudo> before the editor is executed. The plugin
-should also set I<sudoedit=true> in the I<command_info> list.
-
-The I<check_policy> function returns 1 if the command is allowed,
-0 if not allowed, -1 for a general error, or -2 for a usage error
-or if B<sudoedit> was specified but is unsupported by the plugin.
-In the latter case, B<sudo> will print a usage message before it
-exits. If an error occurs, the plugin may optionally call the
-conversation or plugin_printf function with C<SUDO_CONF_ERROR_MSG>
-to present additional error information to the user.
-
-The function arguments are as follows:
-
-=over 4
-
-=item argc
-
-The number of elements in I<argv>, not counting the final C<NULL>
-pointer.
-
-=item argv
-
-The argument vector describing the command the user wishes to run,
-in the same form as what would be passed to the execve() system
-call. The vector is terminated by a C<NULL> pointer.
-
-=item env_add
-
-Additional environment variables specified by the user on the command
-line in the form of a C<NULL>-terminated vector of "name=value"
-strings. The plugin may reject the command if one or more variables
-are not allowed to be set, or it may silently ignore such variables.
-
-When parsing I<env_add>, the plugin should split on the B<first>
-equal sign ('=') since the I<name> field will never include one
-itself but the I<value> might.
-
-=item command_info
-
-Information about the command being run in the form of "name=value"
-strings. These values are used by B<sudo> to set the execution
-environment when running a command. The plugin is responsible for
-creating and populating the vector, which must be terminated with
-a C<NULL> pointer. The following values are recognized by B<sudo>:
-
-=over 4
-
-=item command=string
-
-Fully qualified path to the command to be executed.
-
-=item runas_uid=uid
-
-User ID to run the command as.
-
-=item runas_euid=uid
-
-Effective user ID to run the command as.
-If not specified, the value of I<runas_uid> is used.
-
-=item runas_gid=gid
-
-Group ID to run the command as.
-
-=item runas_egid=gid
-
-Effective group ID to run the command as.
-If not specified, the value of I<runas_gid> is used.
-
-=item runas_groups=list
-
-The supplementary group vector to use for the command in the form
-of a comma-separated list of group IDs. If I<preserve_groups>
-is set, this option is ignored.
-
-=item login_class=string
-
-BSD login class to use when setting resource limits and nice value
-(optional). This option is only set on systems that support login
-classes.
-
-=item preserve_groups=bool
-
-If set, B<sudo> will preserve the user's group vector instead of
-initializing the group vector based on C<runas_user>.
-
-=item cwd=string
-
-The current working directory to change to when executing the command.
-
-=item noexec=bool
-
-If set, prevent the command from executing other programs.
-
-=item chroot=string
-
-The root directory to use when running the command.
-
-=item nice=int
-
-Nice value (priority) to use when executing the command. The nice
-value, if specified, overrides the priority associated with the
-I<login_class> on BSD systems.
-
-=item umask=octal
-
-The file creation mask to use when executing the command.
-
-=item selinux_role=string
-
-SELinux role to use when executing the command.
-
-=item selinux_type=string
-
-SELinux type to use when executing the command.
-
-=item timeout=int
-
-Command timeout. If non-zero then when the timeout expires the
-command will be killed.
-
-=item sudoedit=bool
-
-Set to true when in I<sudoedit> mode. The plugin may enable
-I<sudoedit> mode even if B<sudo> was not invoked as B<sudoedit>.
-This allows the plugin to perform command substitution and transparently
-enable I<sudoedit> when the user attempts to run an editor.
-
-=item closefrom=number
-
-If specified, B<sudo> will close all files descriptors with a value
-of I<number> or higher.
-
-=item iolog_compress=bool
-
-Set to true if the I/O logging plugins, if any, should compress the
-log data. This is a hint to the I/O logging plugin which may choose
-to ignore it.
-
-=item iolog_path=string
-
-Fully qualified path to the file or directory in which I/O log is
-to be stored. This is a hint to the I/O logging plugin which may
-choose to ignore it. If no I/O logging plugin is loaded, this
-setting has no effect.
-
-=item iolog_stdin=bool
-
-Set to true if the I/O logging plugins, if any, should log the
-standard input if it is not connected to a terminal device. This
-is a hint to the I/O logging plugin which may choose to ignore it.
-
-=item iolog_stdout=bool
-
-Set to true if the I/O logging plugins, if any, should log the
-standard output if it is not connected to a terminal device. This
-is a hint to the I/O logging plugin which may choose to ignore it.
-
-=item iolog_stderr=bool
-
-Set to true if the I/O logging plugins, if any, should log the
-standard error if it is not connected to a terminal device. This
-is a hint to the I/O logging plugin which may choose to ignore it.
-
-=item iolog_ttyin=bool
-
-Set to true if the I/O logging plugins, if any, should log all
-terminal input. This only includes input typed by the user and not
-from a pipe or redirected from a file. This is a hint to the I/O
-logging plugin which may choose to ignore it.
-
-=item iolog_ttyout=bool
-
-Set to true if the I/O logging plugins, if any, should log all
-terminal output. This only includes output to the screen, not
-output to a pipe or file. This is a hint to the I/O logging plugin
-which may choose to ignore it.
-
-=item use_pty=bool
-
-Allocate a pseudo-tty to run the command in, regardless of whether
-or not I/O logging is in use. By default, B<sudo> will only run
-the command in a pty when an I/O log plugin is loaded.
-
-=item set_utmp=bool
-
-Create a utmp (or utmpx) entry when a pseudo-tty is allocated. By
-default, the new entry will be a copy of the user's existing utmp
-entry (if any), with the tty, time, type and pid fields updated.
-
-=item utmp_user=string
-
-User name to use when constructing a new utmp (or utmpx) entry when
-I<set_utmp> is enabled. This option can be used to set the user
-field in the utmp entry to the user the command runs as rather than
-the invoking user. If not set, B<sudo> will base the new entry on
-the invoking user's existing entry.
-
-=back
-
-Unsupported values will be ignored.
-
-=item argv_out
-
-The C<NULL>-terminated argument vector to pass to the execve()
-system call when executing the command. The plugin is responsible
-for allocating and populating the vector.
-
-=item user_env_out
-
-The C<NULL>-terminated environment vector to use when executing the
-command. The plugin is responsible for allocating and populating
-the vector.
-
-=back
-
-=item list
-
- int (*list)(int verbose, const char *list_user,
- int argc, char * const argv[]);
-
-List available privileges for the invoking user. Returns 1 on
-success, 0 on failure and -1 on error. On error, the plugin may
-optionally call the conversation or plugin_printf function with
-C<SUDO_CONF_ERROR_MSG> to present additional error information to
-the user.
-
-Privileges should be output via the conversation or plugin_printf
-function using C<SUDO_CONV_INFO_MSG>.
-
-=over 4
-
-=item verbose
-
-Flag indicating whether to list in verbose mode or not.
-
-=item list_user
-
-The name of a different user to list privileges for if the policy
-allows it. If C<NULL>, the plugin should list the privileges of
-the invoking user.
-
-=item argc
-
-The number of elements in I<argv>, not counting the final C<NULL>
-pointer.
-
-=item argv
-
-If non-C<NULL>, an argument vector describing a command the user
-wishes to check against the policy in the same form as what would
-be passed to the execve() system call. If the command is permitted
-by the policy, the fully-qualified path to the command should be
-displayed along with any command line arguments.
-
-=back
-
-=item validate
-
- int (*validate)(void);
-
-The C<validate> function is called when B<sudo> is run with the
-C<-v> flag. For policy plugins such as I<sudoers> that cache
-authentication credentials, this function will validate and cache
-the credentials.
-
-The C<validate> function should be C<NULL> if the plugin does not
-support credential caching.
-
-Returns 1 on success, 0 on failure and -1 on error.
-On error, the plugin may optionally call the conversation or plugin_printf
-function with C<SUDO_CONF_ERROR_MSG> to present additional
-error information to the user.
-
-=item invalidate
-
- void (*invalidate)(int remove);
-
-The C<invalidate> function is called when B<sudo> is called with
-the C<-k> or C<-K> flag. For policy plugins such as I<sudoers> that
-cache authentication credentials, this function will invalidate the
-credentials. If the I<remove> flag is set, the plugin may remove
-the credentials instead of simply invalidating them.
-
-The C<invalidate> function should be C<NULL> if the plugin does not
-support credential caching.
-
-=item init_session
-
- int (*init_session)(struct passwd *pwd, char **user_envp[);
-
-The C<init_session> function is called before B<sudo> sets up the
-execution environment for the command. It is run in the parent
-B<sudo> process and before any uid or gid changes. This can be used
-to perform session setup that is not supported by I<command_info>,
-such as opening the PAM session. The C<close> function can be
-used to tear down the session that was opened by C<init_session>.
-
-The I<pwd> argument points to a passwd struct for the user the
-command will be run as if the uid the command will run as was found
-in the password database, otherwise it will be NULL.
-
-The I<user_env> argument points to the environment the command will
-run in, in the form of a C<NULL>-terminated vector of "name=value"
-strings. This is the same string passed back to the front end via
-the Policy Plugin's I<user_env_out> parameter. If the C<init_session>
-function needs to modify the user environment, it should update the
-pointer stored in I<user_env>. The expected use case is to merge
-the contents of the PAM environment (if any) with the contents of
-I<user_env>. NOTE: the I<user_env> parameter is only available
-starting with API version 1.2. A plugin B<must> check the API
-version specified by the B<sudo> front end before using I<user_env>.
-Failure to do so may result in a crash.
-
-Returns 1 on success, 0 on failure and -1 on error.
-On error, the plugin may optionally call the conversation or plugin_printf
-function with C<SUDO_CONF_ERROR_MSG> to present additional
-error information to the user.
-
-=item register_hooks
-
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
-
-The C<register_hooks> function is called by the sudo front end to
-register any hooks the plugin needs. If the plugin does not support
-hooks, C<register_hooks> should be set to the NULL pointer.
-
-The I<version> argument describes the version of the hooks API
-supported by the B<sudo> front end.
-
-The C<register_hook> function should be used to register any supported
-hooks the plugin needs. It returns 0 on success, 1 if the hook
-type is not supported and -1 if the major version in C<struct hook>
-does not match the front end's major hook API version.
-
-See the L<Hook Function API> section below for more information
-about hooks.
-
-NOTE: the C<register_hooks> function is only available starting
-with API version 1.2. If the B<sudo> front end doesn't support API
-version 1.2 or higher, C<register_hooks> will not be called.
-
-=item deregister_hooks
-
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
-
-The C<deregister_hooks> function is called by the sudo front end
-to deregister any hooks the plugin has registered. If the plugin
-does not support hooks, C<deregister_hooks> should be set to the
-NULL pointer.
-
-The I<version> argument describes the version of the hooks API
-supported by the B<sudo> front end.
-
-The C<deregister_hook> function should be used to deregister any
-hooks that were put in place by the C<register_hook> function. If
-the plugin tries to deregister a hook that the front end does not
-support, C<deregister_hook> will return an error.
-
-See the L<Hook Function API> section below for more information
-about hooks.
-
-NOTE: the C<deregister_hooks> function is only available starting
-with API version 1.2. If the B<sudo> front end doesn't support API
-version 1.2 or higher, C<deregister_hooks> will not be called.
-
-=back
-
-=head3 Policy Plugin Version Macros
-
- /* Plugin API version major/minor. */
- #define SUDO_API_VERSION_MAJOR 1
- #define SUDO_API_VERSION_MINOR 2
- #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
- #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
- SUDO_API_VERSION_MINOR)
-
- /* Getters and setters for API version */
- #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define SUDO_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
-
-=head2 I/O Plugin API
-
- struct io_plugin {
- #define SUDO_IO_PLUGIN 2
- unsigned int type; /* always SUDO_IO_PLUGIN */
- unsigned int version; /* always SUDO_API_VERSION */
- int (*open)(unsigned int version, sudo_conv_t conversation
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], int argc, char * const argv[],
- char * const user_env[], char * const plugin_options[]);
- void (*close)(int exit_status, int error); /* wait status or error */
- int (*show_version)(int verbose);
- int (*log_ttyin)(const char *buf, unsigned int len);
- int (*log_ttyout)(const char *buf, unsigned int len);
- int (*log_stdin)(const char *buf, unsigned int len);
- int (*log_stdout)(const char *buf, unsigned int len);
- int (*log_stderr)(const char *buf, unsigned int len);
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
- };
-
-When an I/O plugin is loaded, B<sudo> runs the command in a pseudo-tty.
-This makes it possible to log the input and output from the user's
-session. If any of the standard input, standard output or standard
-error do not correspond to a tty, B<sudo> will open a pipe to capture
-the I/O for logging before passing it on.
-
-The log_ttyin function receives the raw user input from the terminal
-device (note that this will include input even when echo is disabled,
-such as when a password is read). The log_ttyout function receives
-output from the pseudo-tty that is suitable for replaying the user's
-session at a later time. The log_stdin, log_stdout and log_stderr
-functions are only called if the standard input, standard output
-or standard error respectively correspond to something other than
-a tty.
-
-Any of the logging functions may be set to the NULL
-pointer if no logging is to be performed. If the open function
-returns C<0>, no I/O will be sent to the plugin.
-
-The io_plugin struct has the following fields:
-
-=over 4
-
-=item type
-
-The C<type> field should always be set to SUDO_IO_PLUGIN
-
-=item version
-
-The C<version> field should be set to SUDO_API_VERSION.
-
-This allows B<sudo> to determine the API version the plugin was
-built against.
-
-=item open
-
- int (*open)(unsigned int version, sudo_conv_t conversation
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], int argc, char * const argv[],
- char * const user_env[], char * const plugin_options[]);
-
-The I<open> function is run before the I<log_input>, I<log_output>
-or I<show_version> functions are called. It is only called if the
-version is being requested or the I<check_policy> function has
-returned successfully. It returns 1 on success, 0 on failure, -1
-if a general error occurred, or -2 if there was a usage error. In
-the latter case, B<sudo> will print a usage message before it exits.
-If an error occurs, the plugin may optionally call the conversation
-or plugin_printf function with C<SUDO_CONF_ERROR_MSG> to present
-additional error information to the user.
-
-The function arguments are as follows:
-
-=over 4
-
-=item version
-
-The version passed in by B<sudo> allows the plugin to determine the
-major and minor version number of the plugin API supported by
-B<sudo>.
-
-=item conversation
-
-A pointer to the conversation function that may be used by the
-I<show_version> function to display version information (see
-show_version below). The conversation function may also be used
-to display additional error message to the user.
-The conversation function returns 0 on success and -1 on failure.
-
-=item plugin_printf
-
-A pointer to a printf-style function that may be used by the
-I<show_version> function to display version information (see
-show_version below). The plugin_printf function may also be used
-to display additional error message to the user.
-The plugin_printf function returns number of characters printed on
-success and -1 on failure.
-
-=item settings
-
-A vector of user-supplied B<sudo> settings in the form of "name=value"
-strings. The vector is terminated by a C<NULL> pointer. These
-settings correspond to flags the user specified when running B<sudo>.
-As such, they will only be present when the corresponding flag has
-been specified on the command line.
-
-When parsing I<settings>, the plugin should split on the B<first>
-equal sign ('=') since the I<name> field will never include one
-itself but the I<value> might.
-
-See the L<Policy Plugin API> section for a list of all possible settings.
-
-=item user_info
-
-A vector of information about the user running the command in the form of
-"name=value" strings. The vector is terminated by a C<NULL> pointer.
-
-When parsing I<user_info>, the plugin should split on the B<first>
-equal sign ('=') since the I<name> field will never include one
-itself but the I<value> might.
-
-See the L<Policy Plugin API> section for a list of all possible strings.
-
-=item argc
-
-The number of elements in I<argv>, not counting the final C<NULL>
-pointer.
-
-=item argv
-
-If non-C<NULL>, an argument vector describing a command the user
-wishes to run in the same form as what would be passed to the
-execve() system call.
-
-=item user_env
-
-The user's environment in the form of a C<NULL>-terminated vector of
-"name=value" strings.
-
-When parsing I<user_env>, the plugin should split on the B<first>
-equal sign ('=') since the I<name> field will never include one
-itself but the I<value> might.
-
-=item plugin_options
-
-Any (non-comment) strings immediately after the plugin path are
-treated as arguments to the plugin. These arguments are split on
-a white space boundary and are passed to the plugin in the form of
-a C<NULL>-terminated array of strings. If no arguments were
-specified, I<plugin_options> will be the NULL pointer.
-
-NOTE: the I<plugin_options> parameter is only available starting with
-API version 1.2. A plugin B<must> check the API version specified
-by the B<sudo> front end before using I<plugin_options>. Failure to
-do so may result in a crash.
-
-=back
-
-=item close
-
- void (*close)(int exit_status, int error);
-
-The C<close> function is called when the command being run by B<sudo>
-finishes.
-
-The function arguments are as follows:
-
-=over 4
-
-=item exit_status
-
-The command's exit status, as returned by the wait(2) system call.
-The value of C<exit_status> is undefined if C<error> is non-zero.
-
-=item error
-
-If the command could not be executed, this is set to the value of
-C<errno> set by the execve(2) system call. If the command was
-successfully executed, the value of C<error> is 0.
-
-=back
-
-=item show_version
-
- int (*show_version)(int verbose);
-
-The C<show_version> function is called by B<sudo> when the user specifies
-the C<-V> option. The plugin may display its version information
-to the user via the conversation or plugin_printf function using
-C<SUDO_CONV_INFO_MSG>. If the user requests detailed version
-information, the verbose flag will be set.
-
-=item log_ttyin
-
- int (*log_ttyin)(const char *buf, unsigned int len);
-
-The I<log_ttyin> function is called whenever data can be read from
-the user but before it is passed to the running command. This
-allows the plugin to reject data if it chooses to (for instance
-if the input contains banned content). Returns C<1> if the data
-should be passed to the command, C<0> if the data is rejected
-(which will terminate the command) or C<-1> if an error occurred.
-
-The function arguments are as follows:
-
-=over 4
-
-=item buf
-
-The buffer containing user input.
-
-=item len
-
-The length of I<buf> in bytes.
-
-=back
-
-=item log_ttyout
-
- int (*log_ttyout)(const char *buf, unsigned int len);
-
-The I<log_ttyout> function is called whenever data can be read from
-the command but before it is written to the user's terminal. This
-allows the plugin to reject data if it chooses to (for instance
-if the output contains banned content). Returns C<1> if the data
-should be passed to the user, C<0> if the data is rejected
-(which will terminate the command) or C<-1> if an error occurred.
-
-The function arguments are as follows:
-
-=over 4
-
-=item buf
-
-The buffer containing command output.
-
-=item len
-
-The length of I<buf> in bytes.
-
-=back
-
-=item log_stdin
-
- int (*log_stdin)(const char *buf, unsigned int len);
-
-The I<log_stdin> function is only used if the standard input does
-not correspond to a tty device. It is called whenever data can be
-read from the standard input but before it is passed to the running
-command. This allows the plugin to reject data if it chooses to
-(for instance if the input contains banned content). Returns C<1>
-if the data should be passed to the command, C<0> if the data is
-rejected (which will terminate the command) or C<-1> if an error
-occurred.
-
-The function arguments are as follows:
-
-=over 4
-
-=item buf
-
-The buffer containing user input.
-
-=item len
-
-The length of I<buf> in bytes.
-
-=back
-
-=item log_stdout
-
- int (*log_stdout)(const char *buf, unsigned int len);
-
-The I<log_stdout> function is only used if the standard output does
-not correspond to a tty device. It is called whenever data can be
-read from the command but before it is written to the standard
-output. This allows the plugin to reject data if it chooses to
-(for instance if the output contains banned content). Returns C<1>
-if the data should be passed to the user, C<0> if the data is
-rejected (which will terminate the command) or C<-1> if an error
-occurred.
-
-The function arguments are as follows:
-
-=over 4
-
-=item buf
-
-The buffer containing command output.
-
-=item len
-
-The length of I<buf> in bytes.
-
-=back
-
-=item log_stderr
-
- int (*log_stderr)(const char *buf, unsigned int len);
-
-The I<log_stderr> function is only used if the standard error does
-not correspond to a tty device. It is called whenever data can be
-read from the command but before it is written to the standard
-error. This allows the plugin to reject data if it chooses to
-(for instance if the output contains banned content). Returns C<1>
-if the data should be passed to the user, C<0> if the data is
-rejected (which will terminate the command) or C<-1> if an error
-occurred.
-
-The function arguments are as follows:
-
-=over 4
-
-=item buf
-
-The buffer containing command output.
-
-=item len
-
-The length of I<buf> in bytes.
-
-=back
-
-=item register_hooks
-
-See the L<Policy Plugin API> section for a description of
-C<register_hooks>.
-
-=item deregister_hooks
-
-See the L<Policy Plugin API> section for a description of
-C<deregister_hooks>.
-
-=back
-
-=head3 I/O Plugin Version Macros
-
-Same as for the L<Policy Plugin API>.
-
-=head2 Hook Function API
-
-Beginning with plugin API version 1.2, it is possible to install
-hooks for certain functions called by the B<sudo> front end.
-
-Currently, the only supported hooks relate to the handling of
-environment variables. Hooks can be used to intercept attempts to
-get, set, or remove environment variables so that these changes can
-be reflected in the version of the environment that is used to
-execute a command. A future version of the API will support
-hooking internal B<sudo> front end functions as well.
-
-=head3 Hook structure
-
-Hooks in B<sudo> are described by the following structure:
-
- typedef int (*sudo_hook_fn_t)();
-
- struct sudo_hook {
- int hook_version;
- int hook_type;
- sudo_hook_fn_t hook_fn;
- void *closure;
- };
-
-The C<sudo_hook> structure has the following fields:
-
-=over 4
-
-=item hook_version
-
-The C<hook_version> field should be set to SUDO_HOOK_VERSION.
-
-=item hook_type
-
-The C<hook_type> field may be one of the following supported hook types:
-
-=over 4
-
-=item SUDO_HOOK_SETENV
-
-The C library C<setenv()> function. Any registered hooks will run
-before the C library implementation. The C<hook_fn> field should
-be a function that matches the following typedef:
-
- typedef int (*sudo_hook_fn_setenv_t)(const char *name,
- const char *value, int overwrite, void *closure);
-
-If the registered hook does not match the typedef the results are
-unspecified.
-
-=item SUDO_HOOK_UNSETENV
-
-The C library C<unsetenv()> function. Any registered hooks will run
-before the C library implementation. The C<hook_fn> field should
-be a function that matches the following typedef:
-
- typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
- void *closure);
-
-=item SUDO_HOOK_GETENV
-
-The C library C<getenv()> function. Any registered hooks will run
-before the C library implementation. The C<hook_fn> field should
-be a function that matches the following typedef:
-
- typedef int (*sudo_hook_fn_getenv_t)(const char *name,
- char **value, void *closure);
-
-If the registered hook does not match the typedef the results are
-unspecified.
-
-=item SUDO_HOOK_PUTENV
-
-The C library C<putenv()> function. Any registered hooks will run
-before the C library implementation. The C<hook_fn> field should
-be a function that matches the following typedef:
-
- typedef int (*sudo_hook_fn_putenv_t)(char *string,
- void *closure);
-
-If the registered hook does not match the typedef the results are
-unspecified.
-
-=back
-
-=item hook_fn
-
- sudo_hook_fn_t hook_fn;
-
-The C<hook_fn> field should be set to the plugin's hook implementation.
-The actual function arguments will vary depending on the C<hook_type>
-(see C<hook_type> above). In all cases, the C<closure> field of
-C<struct sudo_hook> is passed as the last function parameter. This
-can be used to pass arbitrary data to the plugin's hook implementation.
-
-The function return value may be one of the following:
-
-=over 4
-
-=item SUDO_HOOK_RET_ERROR
-
-The hook function encountered an error.
-
-=item SUDO_HOOK_RET_NEXT
-
-The hook completed without error, go on to the next hook (including
-the native implementation if applicable). For example, a C<getenv>
-hook might return C<SUDO_HOOK_RET_NEXT> if the specified variable
-was not found in the private copy of the environment.
-
-=item SUDO_HOOK_RET_STOP
-
-The hook completed without error, stop processing hooks for this
-invocation. This can be used to replace the native implementation.
-For example, a C<setenv> hook that operates on a private copy of
-the environment but leaves C<environ> unchanged.
-
-=back
-
-=back
-
-Note that it is very easy to create an infinite loop when hooking
-C library functions. For example, a C<getenv> hook that calls the
-C<snprintf> function may create a loop if the C<snprintf> implementation
-calls C<getenv> to check the locale. To prevent this, you may wish
-to use a static variable in the hook function to guard against
-nested calls. E.g.
-
- static int in_progress = 0; /* avoid recursion */
- if (in_progress)
- return SUDO_HOOK_RET_NEXT;
- in_progress = 1;
- ...
- in_progress = 0;
- return SUDO_HOOK_RET_STOP;
-
-=head3 Hook API Version Macros
-
- /* Hook API version major/minor */
- #define SUDO_HOOK_VERSION_MAJOR 1
- #define SUDO_HOOK_VERSION_MINOR 0
- #define SUDO_HOOK_MKVERSION(x, y) ((x << 16) | y)
- #define SUDO_HOOK_VERSION SUDO_HOOK_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
- SUDO_HOOK_VERSION_MINOR)
-
- /* Getters and setters for hook API version */
- #define SUDO_HOOK_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define SUDO_HOOK_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define SUDO_HOOK_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define SUDO_HOOK_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
-
-=head2 Conversation API
-
-If the plugin needs to interact with the user, it may do so via the
-conversation function. A plugin should not attempt to read directly
-from the standard input or the user's tty (neither of which are
-guaranteed to exist). The caller must include a trailing newline
-in C<msg> if one is to be printed.
-
-A printf-style function is also available that can be used to display
-informational or error messages to the user, which is usually more
-convenient for simple messages where no use input is required.
-
- struct sudo_conv_message {
- #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
- #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
- #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
- #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
- #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
- #define SUDO_CONV_DEBUG_MSG 0x0006 /* debugging message */
- #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
- int msg_type;
- int timeout;
- const char *msg;
- };
-
- struct sudo_conv_reply {
- char *reply;
- };
-
- typedef int (*sudo_conv_t)(int num_msgs,
- const struct sudo_conv_message msgs[],
- struct sudo_conv_reply replies[]);
-
- typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
-
-Pointers to the conversation and printf-style functions are passed
-in to the plugin's C<open> function when the plugin is initialized.
-
-To use the conversation function, the plugin must pass an array of
-C<sudo_conv_message> and C<sudo_conv_reply> structures. There must
-be a C<struct sudo_conv_message> and C<struct sudo_conv_reply> for
-each message in the conversation. The plugin is responsible for
-freeing the reply buffer filled in to the C<struct sudo_conv_reply>,
-if any.
-
-The printf-style function uses the same underlying mechanism as the
-conversation function but only supports C<SUDO_CONV_INFO_MSG>,
-C<SUDO_CONV_ERROR_MSG> and C<SUDO_CONV_DEBUG_MSG> for the I<msg_type>
-parameter. It can be more convenient than using the conversation
-function if no user reply is needed and supports standard printf()
-escape sequences.
-
-Unlike, C<SUDO_CONV_INFO_MSG> and C<SUDO_CONV_ERROR_MSG>, messages
-sent with the <SUDO_CONV_DEBUG_MSG> I<msg_type> are not directly
-user-visible. Instead, they are logged to the file specified in
-the C<Debug> statement (if any) in the F<@sysconfdir@/sudo.conf>
-file. This allows a plugin to log debugging information and is
-intended to be used in conjunction with the I<debug_flags> setting.
-
-See the sample plugin for an example of the conversation function usage.
-
-=head2 Sudoers Group Plugin API
-
-The I<sudoers> module supports a plugin interface to allow non-Unix
-group lookups. This can be used to query a group source other than
-the standard Unix group database. A sample group plugin is bundled
-with B<sudo> that implements file-based lookups. Third party group
-plugins include a QAS AD plugin available from Quest Software.
-
-A group plugin must declare and populate a C<sudoers_group_plugin>
-struct in the global scope. This structure contains pointers to
-the functions that implement plugin initialization, cleanup and
-group lookup.
-
- struct sudoers_group_plugin {
- unsigned int version;
- int (*init)(int version, sudo_printf_t sudo_printf,
- char *const argv[]);
- void (*cleanup)(void);
- int (*query)(const char *user, const char *group,
- const struct passwd *pwd);
-};
-
-The C<sudoers_group_plugin> struct has the following fields:
-
-=over 4
-
-=item version
-
-The C<version> field should be set to GROUP_API_VERSION.
-
-This allows I<sudoers> to determine the API version the group plugin
-was built against.
-
-=item init
-
- int (*init)(int version, sudo_printf_t plugin_printf,
- char *const argv[]);
-
-The I<init> function is called after I<sudoers> has been parsed but
-before any policy checks. It returns 1 on success, 0 on failure
-(or if the plugin is not configured), and -1 if a error occurred.
-If an error occurs, the plugin may call the plugin_printf function
-with C<SUDO_CONF_ERROR_MSG> to present additional error information
-to the user.
-
-The function arguments are as follows:
-
-=over 4
-
-=item version
-
-The version passed in by I<sudoers> allows the plugin to determine the
-major and minor version number of the group plugin API supported by
-I<sudoers>.
-
-=item plugin_printf
-
-A pointer to a printf-style function that may be used to display
-informational or error message to the user.
-Returns the number of characters printed on success and -1 on failure.
-
-=item argv
-
-A NULL-terminated array of arguments generated from the I<group_plugin>
-option in I<sudoers>. If no arguments were given, I<argv> will be
-NULL.
-
-=back
-
-=item cleanup
-
- void (*cleanup)();
-
-The I<cleanup> function is called when I<sudoers> has finished its
-group checks. The plugin should free any memory it has allocated
-and close open file handles.
-
-=item query
-
- int (*query)(const char *user, const char *group,
- const struct passwd *pwd);
-
-The I<query> function is used to ask the group plugin whether I<user>
-is a member of I<group>.
-
-The function arguments are as follows:
-
-=over 4
-
-=item user
-
-The name of the user being looked up in the external group database.
-
-=item group
-
-The name of the group being queried.
-
-=item pwd
-
-The password database entry for I<user>, if any. If I<user> is not
-present in the password database, I<pwd> will be C<NULL>.
-
-=back
-
-=back
-
-=head3 Group API Version Macros
-
- /* Sudoers group plugin version major/minor */
- #define GROUP_API_VERSION_MAJOR 1
- #define GROUP_API_VERSION_MINOR 0
- #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
- GROUP_API_VERSION_MINOR)
-
- /* Getters and setters for group version */
- #define GROUP_API_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define GROUP_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define GROUP_API_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define GROUP_API_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
-
-=head1 PLUGIN API CHANGELOG
-
-The following revisions have been made to the Sudo Plugin API.
-
-=over 4
-
-=item Version 1.0
-
-Initial API version.
-
-=item Version 1.1
-
-The I/O logging plugin's C<open> function was modified to take the
-C<command_info> list as an argument.
-
-=item Version 1.2
-
-The Policy and I/O logging plugins' C<open> functions are now passed
-a list of plugin options if any are specified in F<@sysconfdir@/sudo.conf>.
-
-A simple hooks API has been introduced to allow plugins to hook in to the
-system's environment handling functions.
-
-The C<init_session> Policy plugin function is now passed a pointer
-to the user environment which can be updated as needed. This can
-be used to merge in environment variables stored in the PAM handle
-before a command is run.
-
-=back
-
-
-=head1 SEE ALSO
-
-L<sudoers(5)>, L<sudo(8)>
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-workers mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-workers to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
+SUDOERS(4) Programmer's Manual SUDOERS(4)
N\bNA\bAM\bME\bE
- sudoers - default sudo security policy module
+ s\bsu\bud\bdo\boe\ber\brs\bs - default sudo security policy module
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs policy module determines a user's s\bsu\bud\bdo\bo privileges. It is
- the default s\bsu\bud\bdo\bo policy plugin. The policy is driven by the
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file or, optionally in LDAP. The policy format is
- described in detail in the "SUDOERS FILE FORMAT" section. For
- information on storing _\bs_\bu_\bd_\bo_\be_\br_\bs policy information in LDAP, please see
- _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\ba_\bp(4).
-
- A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn a\ban\bnd\bd L\bLo\bog\bgg\bgi\bin\bng\bg
- The _\bs_\bu_\bd_\bo_\be_\br_\bs security policy requires that most users authenticate
- themselves before they can use s\bsu\bud\bdo\bo. A password is not required if the
- invoking user is root, if the target user is the same as the invoking
- user, or if the policy has disabled authentication for the user or
- command. Unlike _\bs_\bu(1), when _\bs_\bu_\bd_\bo_\be_\br_\bs requires authentication, it
- validates the invoking user's credentials, not the target user's (or
- root's) credentials. This can be changed via the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
- _\br_\bu_\bn_\ba_\bs_\bp_\bw flags, described later.
-
- If a user who is not listed in the policy tries to run a command via
- s\bsu\bud\bdo\bo, mail is sent to the proper authorities. The address used for
- such mail is configurable via the _\bm_\ba_\bi_\bl_\bt_\bo Defaults entry (described
- later) and defaults to root.
-
- Note that mail will not be sent if an unauthorized user tries to run
- s\bsu\bud\bdo\bo with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
- themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
-
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
- the _\bs_\bu_\bd_\bo_\be_\br_\bs policy will use this value to determine who the actual user
- is. This can be used by a user to log commands through sudo even when
- a root shell has been invoked. It also allows the -\b-e\be option to remain
- useful even when invoked via a sudo-run script or program. Note,
- however, that the _\bs_\bu_\bd_\bo_\be_\br_\bs lookup is still done for root, not the user
- specified by SUDO_USER.
-
- _\bs_\bu_\bd_\bo_\be_\br_\bs uses time stamp files for credential caching. Once a user has
- been authenticated, a time stamp is updated and the user may then use
- sudo without a password for a short period of time (5 minutes unless
- overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a tty-based
- time stamp which means that there is a separate time stamp for each of
- a user's login sessions. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be disabled to
- force the use of a single time stamp for all of a user's sessions.
-
- _\bs_\bu_\bd_\bo_\be_\br_\bs can log both successful and unsuccessful attempts (as well as
- errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs will
- log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable via the _\bs_\by_\bs_\bl_\bo_\bg and _\bl_\bo_\bg_\bf_\bi_\bl_\be
- Defaults settings.
-
- _\bs_\bu_\bd_\bo_\be_\br_\bs also supports logging a command's input and output streams.
- I/O logging is not on by default but can be enabled using the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt
- and _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
- command tags.
-
- C\bCo\bom\bmm\bma\ban\bnd\bd E\bEn\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bt
- Since environment variables can influence program behavior, _\bs_\bu_\bd_\bo_\be_\br_\bs
- provides a means to restrict which variables from the user's
- environment are inherited by the command to be run. There are two
- distinct ways _\bs_\bu_\bd_\bo_\be_\br_\bs can deal with environment variables.
-
- By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to
- be executed with a new, minimal environment. On AIX (and Linux systems
- without PAM), the environment is initialized with the contents of the
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is
- enabled, the environment is initialized based on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv
- settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The new environment contains the TERM,
- PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
- in addition to variables from the invoking process permitted by the
- _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for
- environment variables.
-
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
- explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
- from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be
- behave like a blacklist. Since it is not possible to blacklist all
- potentially dangerous environment variables, use of the default
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
-
- In all cases, environment variables with a value beginning with () are
- removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
- environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
- output of sudo -V when run as root.
-
- Note that the dynamic linker on most operating systems will remove
- variables that can control dynamic linking from the environment of
- setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
- this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
- others. These type of variables are removed from the environment
- before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
- s\bsu\bud\bdo\bo to preserve them.
-
- As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
- _\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The _\bD_\bI_\bS_\bP_\bL_\bA_\bY, _\bP_\bA_\bT_\bH and _\bT_\bE_\bR_\bM variables remain unchanged;
- _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, and _\bL_\bO_\bG_\bN_\bA_\bM_\bE are set based on the target user.
- On AIX (and Linux systems without PAM), the contents of
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are also included. On BSD systems, if the
- _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is enabled, the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv variables in
- _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf are also applied. All other environment variables are
- removed.
-
- Finally, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in
- that file will be set to their specified values as long as they would
- not conflict with an existing environment variable.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs policy module determines a user's s\bsu\bud\bdo\bo privileges. It is the
+ default s\bsu\bud\bdo\bo policy plugin. The policy is driven by the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
+ file or, optionally in LDAP. The policy format is described in detail in
+ the _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bF_\bI_\bL_\bE _\bF_\bO_\bR_\bM_\bA_\bT section. For information on storing _\bs_\bu_\bd_\bo_\be_\br_\bs
+ policy information in LDAP, please see sudoers.ldap(4).
+
+ A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn a\ban\bnd\bd l\blo\bog\bgg\bgi\bin\bng\bg
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs security policy requires that most users authenticate
+ themselves before they can use s\bsu\bud\bdo\bo. A password is not required if the
+ invoking user is root, if the target user is the same as the invoking
+ user, or if the policy has disabled authentication for the user or
+ command. Unlike su(1), when _\bs_\bu_\bd_\bo_\be_\br_\bs requires authentication, it
+ validates the invoking user's credentials, not the target user's (or
+ root's) credentials. This can be changed via the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
+ _\br_\bu_\bn_\ba_\bs_\bp_\bw flags, described later.
+
+ If a user who is not listed in the policy tries to run a command via
+ s\bsu\bud\bdo\bo, mail is sent to the proper authorities. The address used for such
+ mail is configurable via the _\bm_\ba_\bi_\bl_\bt_\bo Defaults entry (described later) and
+ defaults to root.
+
+ Note that mail will not be sent if an unauthorized user tries to run s\bsu\bud\bdo\bo
+ with the -\b-l\bl or -\b-v\bv option. This allows users to determine for themselves
+ whether or not they are allowed to use s\bsu\bud\bdo\bo.
+
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set, the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs policy will use this value to determine who the actual user is.
+ This can be used by a user to log commands through sudo even when a root
+ shell has been invoked. It also allows the -\b-e\be option to remain useful
+ even when invoked via a sudo-run script or program. Note, however, that
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs lookup is still done for root, not the user specified by
+ SUDO_USER.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs uses time stamp files for credential caching. Once a user has
+ been authenticated, the time stamp is updated and the user may then use
+ sudo without a password for a short period of time (5 minutes unless
+ overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a tty-based
+ time stamp which means that there is a separate time stamp for each of a
+ user's login sessions. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be disabled to force
+ the use of a single time stamp for all of a user's sessions.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs can log both successful and unsuccessful attempts (as well as
+ errors) to syslog(3), a log file, or both. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs will log
+ via syslog(3) but this is changeable via the _\bs_\by_\bs_\bl_\bo_\bg and _\bl_\bo_\bg_\bf_\bi_\bl_\be Defaults
+ settings.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs also supports logging a command's input and output streams. I/O
+ logging is not on by default but can be enabled using the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt and
+ _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
+ tags.
+
+ C\bCo\bom\bmm\bma\ban\bnd\bd e\ben\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bt
+ Since environment variables can influence program behavior, _\bs_\bu_\bd_\bo_\be_\br_\bs
+ provides a means to restrict which variables from the user's environment
+ are inherited by the command to be run. There are two distinct ways
+ _\bs_\bu_\bd_\bo_\be_\br_\bs can deal with environment variables.
+
+ By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to be
+ executed with a new, minimal environment. On AIX (and Linux systems
+ without PAM), the environment is initialized with the contents of the
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is
+ enabled, the environment is initialized based on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv
+ settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The new environment contains the TERM,
+ PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
+ addition to variables from the invoking process permitted by the
+ _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for
+ environment variables.
+
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
+ explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
+ from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave
+ like a blacklist. Since it is not possible to blacklist all potentially
+ dangerous environment variables, use of the default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is
+ encouraged.
+
+ In all cases, environment variables with a value beginning with () are
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ output of ``sudo -V'' when run as root.
+
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of setuid
+ executables, including s\bsu\bud\bdo\bo. Depending on the operating system this may
+ include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
+ These type of variables are removed from the environment before s\bsu\bud\bdo\bo even
+ begins execution and, as such, it is not possible for s\bsu\bud\bdo\bo to preserve
+ them.
+
+ As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
+ _\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
+ MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
+ (and Linux systems without PAM), the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are
+ also included. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is enabled,
+ the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv variables in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf are also applied. All
+ other environment variables are removed.
+
+ Finally, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in that
+ file will be set to their specified values as long as they would not
+ conflict with an existing environment variable.
S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
- (basically variables) and user specifications (which specify who may
- run what).
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases (basically
+ variables) and user specifications (which specify who may run what).
- When multiple entries match for a user, they are applied in order.
- Where there are multiple matches, the last match is used (which is not
- necessarily the most specific match).
+ When multiple entries match for a user, they are applied in order. Where
+ there are multiple matches, the last match is used (which is not
+ necessarily the most specific match).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
- Form (EBNF). Don't despair if you don't know what EBNF is; it is
- fairly simple, and the definitions below are annotated.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur Form
+ (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
+ simple, and the definitions below are annotated.
Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
- EBNF is a concise and exact way of describing the grammar of a
- language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+ EBNF is a concise and exact way of describing the grammar of a language.
+ Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
- symbol ::= definition | alternate1 | alternate2 ...
+ symbol ::= definition | alternate1 | alternate2 ...
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
- the language. EBNF also contains the following operators, which many
- readers will recognize from regular expressions. Do not, however,
- confuse them with "wildcard" characters, which have different meanings.
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
+ the language. EBNF also contains the following operators, which many
+ readers will recognize from regular expressions. Do not, however,
+ confuse them with ``wildcard'' characters, which have different meanings.
- ? Means that the preceding symbol (or group of symbols) is optional.
+ ? Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
- * Means that the preceding symbol (or group of symbols) may appear
+ * Means that the preceding symbol (or group of symbols) may appear
zero or more times.
- + Means that the preceding symbol (or group of symbols) may appear
+ + Means that the preceding symbol (or group of symbols) may appear
one or more times.
- Parentheses may be used to group symbols together. For clarity, we
- will use single quotes ('') to designate what is a verbatim character
- string (as opposed to a symbol name).
+ Parentheses may be used to group symbols together. For clarity, we will
+ use single quotes ('') to designate what is a verbatim character string
+ (as opposed to a symbol name).
A\bAl\bli\bia\bas\bse\bes\bs
- There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
- and Cmnd_Alias.
+ There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
+ Cmnd_Alias.
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
-
- Cmnd_Alias ::= NAME '=' Cmnd_List
-
- NAME ::= [A-Z]([A-Z][0-9]_)*
-
- Each _\ba_\bl_\bi_\ba_\bs definition is of the form
-
- Alias_Type NAME = item1, item2, ...
-
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
- Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
- underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
- letter. It is possible to put several alias definitions of the same
- type on a single line, joined by a colon (':'). E.g.,
-
- Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
-
- User_List ::= User |
- User ',' User_List
-
- User ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* +netgroup |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* User_Alias
-
- A User_List is made up of one or more user names, user ids (prefixed
- with '#'), system group names and ids (prefixed with '%' and '%#'
- respectively), netgroups (prefixed with '+'), non-Unix group names and
- IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
- list item may be prefixed with zero or more '!' operators. An odd
- number of '!' operators negate the value of the item; an even number
- just cancel each other out.
-
- A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
- may be enclosed in double quotes to avoid the need for escaping special
- characters. Alternately, special characters may be specified in
- escaped hex mode, e.g. \x20 for space. When using double quotes, any
- prefix characters must be included inside the quotes.
-
- The actual nonunix_group and nonunix_gid syntax depends on the
- underlying group provider plugin (see the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn description
- below). For instance, the QAS AD plugin supports the following
- formats:
-
- o Group in the same domain: "Group Name"
-
- o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
-
- o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
-
- Note that quotes around group names are optional. Unquoted strings
- must use a backslash (\) to escape spaces and special characters. See
- "Other special characters and reserved words" for a list of characters
- that need to be escaped.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
- Runas_Member ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* +netgroup |
- '!'* Runas_Alias
-
- A Runas_List is similar to a User_List except that instead of
- User_Aliases it can contain Runas_Aliases. Note that user names and
- groups are matched as strings. In other words, two users (groups) with
- the same uid (gid) are considered to be distinct. If you wish to match
- all user names with the same uid (e.g. root and toor), you can use a
- uid instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
- Host ::= '!'* host name |
- '!'* ip_addr |
- '!'* network(/netmask)? |
- '!'* +netgroup |
- '!'* Host_Alias
-
- A Host_List is made up of one or more host names, IP addresses, network
- numbers, netgroups (prefixed with '+') and other aliases. Again, the
- value of an item may be negated with the '!' operator. If you do not
- specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
- of the local host's network interfaces and, if the network number
- corresponds to one of the hosts's network interfaces, the corresponding
- netmask will be used. The netmask may be specified either in standard
- IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
- CIDR notation (number of bits, e.g. 24 or 64). A host name may include
- shell-style wildcards (see the Wildcards section below), but unless the
- host name command on your machine returns the fully qualified host
- name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
- Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
- address 127.0.0.1 (localhost) will never match. Also, the host name
- "localhost" will only match if that is the actual host name, which is
- usually only the case for non-networked systems.
-
- Cmnd_List ::= Cmnd |
- Cmnd ',' Cmnd_List
-
- commandname ::= file name |
- file name args |
- file name '""'
-
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
-
- A Cmnd_List is a list of one or more commandnames, directories, and
- other aliases. A commandname is a fully qualified file name which may
- include shell-style wildcards (see the Wildcards section below). A
- simple file name allows the user to run the command with any arguments
- he/she wishes. However, you may also specify command line arguments
- (including wildcards). Alternately, you can specify "" to indicate
- that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
- directory is a fully qualified path name ending in a '/'. When you
- specify a directory in a Cmnd_List, the user will be able to run any
- file within that directory (but not in any subdirectories therein).
-
- If a Cmnd has associated command line arguments, then the arguments in
- the Cmnd must match exactly those given by the user on the command line
- (or match the wildcards if there are any). Note that the following
- characters must be escaped with a '\' if they are used in command
- arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
- to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
- may take command line arguments just as a normal command does.
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+ User_Alias ::= NAME '=' User_List
+
+ Runas_Alias ::= NAME '=' Runas_List
+
+ Host_Alias ::= NAME '=' Host_List
+
+ Cmnd_Alias ::= NAME '=' Cmnd_List
+
+ NAME ::= [A-Z]([A-Z][0-9]_)*
+
+ Each _\ba_\bl_\bi_\ba_\bs definition is of the form
+
+ Alias_Type NAME = item1, item2, ...
+
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
+ Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
+ underscore characters (`_'). A NAME m\bmu\bus\bst\bt start with an uppercase letter.
+ It is possible to put several alias definitions of the same type on a
+ single line, joined by a colon (`:'). E.g.,
+
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
+
+ User_List ::= User |
+ User ',' User_List
+
+ User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+
+ A User_List is made up of one or more user names, user ids (prefixed with
+ `#'), system group names and ids (prefixed with `%' and `%#'
+ respectively), netgroups (prefixed with `+'), non-Unix group names and
+ IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
+ list item may be prefixed with zero or more `!' operators. An odd number
+ of `!' operators negate the value of the item; an even number just cancel
+ each other out.
+
+ A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
+ be enclosed in double quotes to avoid the need for escaping special
+ characters. Alternately, special characters may be specified in escaped
+ hex mode, e.g. \x20 for space. When using double quotes, any prefix
+ characters must be included inside the quotes.
+
+ The actual nonunix_group and nonunix_gid syntax depends on the underlying
+ group provider plugin (see the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn description below). For
+ instance, the QAS AD plugin supports the following formats:
+
+ o\bo Group in the same domain: "%:Group Name"
+
+ o\bo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
+
+ o\bo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+
+ Note that quotes around group names are optional. Unquoted strings must
+ use a backslash (`\') to escape spaces and special characters. See _\bO_\bt_\bh_\be_\br
+ _\bs_\bp_\be_\bc_\bi_\ba_\bl _\bc_\bh_\ba_\br_\ba_\bc_\bt_\be_\br_\bs _\ba_\bn_\bd _\br_\be_\bs_\be_\br_\bv_\be_\bd _\bw_\bo_\br_\bd_\bs for a list of characters that need
+ to be escaped.
+
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+ Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+
+ A Runas_List is similar to a User_List except that instead of
+ User_Aliases it can contain Runas_Aliases. Note that user names and
+ groups are matched as strings. In other words, two users (groups) with
+ the same uid (gid) are considered to be distinct. If you wish to match
+ all user names with the same uid (e.g. root and toor), you can use a uid
+ instead (#0 in the example given).
+
+ Host_List ::= Host |
+ Host ',' Host_List
+
+ Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+
+ A Host_List is made up of one or more host names, IP addresses, network
+ numbers, netgroups (prefixed with `+') and other aliases. Again, the
+ value of an item may be negated with the `!' operator. If you do not
+ specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each of
+ the local host's network interfaces and, if the network number
+ corresponds to one of the hosts's network interfaces, the corresponding
+ netmask will be used. The netmask may be specified either in standard IP
+ address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
+ notation (number of bits, e.g. 24 or 64). A host name may include shell-
+ style wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below), but unless the host
+ name command on your machine returns the fully qualified host name,
+ you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful. Note that
+ s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP address
+ 127.0.0.1 (localhost) will never match. Also, the host name
+ ``localhost'' will only match if that is the actual host name, which is
+ usually only the case for non-networked systems.
+
+ Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+ command name ::= file name |
+ file name args |
+ file name '""'
+
+ Cmnd ::= '!'* command name |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+
+ A Cmnd_List is a list of one or more command names, directories, and
+ other aliases. A command name is a fully qualified file name which may
+ include shell-style wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below). A
+ simple file name allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate that
+ the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory
+ is a fully qualified path name ending in a `/'. When you specify a
+ directory in a Cmnd_List, the user will be able to run any file within
+ that directory (but not in any sub-directories therein).
+
+ If a Cmnd has associated command line arguments, then the arguments in
+ the Cmnd must match exactly those given by the user on the command line
+ (or match the wildcards if there are any). Note that the following
+ characters must be escaped with a `\' if they are used in command
+ arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used
+ to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
+ take command line arguments just as a normal command does.
D\bDe\bef\bfa\bau\bul\blt\bts\bs
- Certain configuration options may be changed from their default values
- at runtime via one or more Default_Entry lines. These may affect all
- users on any host, all users on a specific host, a specific user, a
- specific command, or commands being run as a specific user. Note that
- per-command entries may not include command line arguments. If you
- need to specify arguments, define a Cmnd_Alias and reference that
- instead.
+ Certain configuration options may be changed from their default values at
+ run-time via one or more Default_Entry lines. These may affect all users
+ on any host, all users on a specific host, a specific user, a specific
+ command, or commands being run as a specific user. Note that per-command
+ entries may not include command line arguments. If you need to specify
+ arguments, define a Cmnd_Alias and reference that instead.
+
+ Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
- Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host_List |
- 'Defaults' ':' User_List |
- 'Defaults' '!' Cmnd_List |
- 'Defaults' '>' Runas_List
+ Default_Entry ::= Default_Type Parameter_List
- Default_Entry ::= Default_Type Parameter_List
+ Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
- Parameter_List ::= Parameter |
- Parameter ',' Parameter_List
+ Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
- Parameter ::= Parameter '=' Value |
- Parameter '+=' Value |
- Parameter '-=' Value |
- '!'* Parameter
+ Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
+ implicitly boolean and can be turned off via the `!' operator. Some
+ integer, string and list parameters may also be used in a boolean context
+ to disable them. Values may be enclosed in double quotes ("") when they
+ contain multiple words. Special characters may be escaped with a
+ backslash (`\').
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
- implicitly boolean and can be turned off via the '!' operator. Some
- integer, string and list parameters may also be used in a boolean
- context to disable them. Values may be enclosed in double quotes (")
- when they contain multiple words. Special characters may be escaped
- with a backslash (\).
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It is
+ not an error to use the -= operator to remove an element that does not
+ exist in a list.
- Lists have two additional assignment operators, += and -=. These
- operators are used to add to and delete from a list respectively. It
- is not an error to use the -= operator to remove an element that does
- not exist in a list.
+ Defaults entries are parsed in the following order: generic, host and
+ user Defaults first, then runas Defaults and finally command defaults.
- Defaults entries are parsed in the following order: generic, host and
- user Defaults first, then runas Defaults and finally command defaults.
+ See _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS for a list of supported Defaults parameters.
- See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+ U\bUs\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
- Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
- Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
- SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
- 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
- what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
- but this can be changed on a per-command basis.
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt, but
+ this can be changed on a per-command basis.
- The basic structure of a user specification is `who where = (as_whom)
- what'. Let's break that down into its constituent parts:
+ The basic structure of a user specification is ``who where = (as_whom)
+ what''. Let's break that down into its constituent parts:
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
- A Runas_Spec determines the user and/or the group that a command may be
- run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
- defined above) separated by a colon (':') and enclosed in a set of
- parentheses. The first Runas_List indicates which users the command
- may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
- groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
- are specified, the command may be run with any combination of users and
- groups listed in their respective Runas_Lists. If only the first is
- specified, the command may be run as any user in the list but no -\b-g\bg
- option may be specified. If the first Runas_List is empty but the
- second is specified, the command may be run as the invoking user with
- the group set to any listed in the Runas_List. If no Runas_Spec is
- specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
+ A Runas_Spec determines the user and/or the group that a command may be
+ run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
+ defined above) separated by a colon (`:') and enclosed in a set of
+ parentheses. The first Runas_List indicates which users the command may
+ be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of groups that
+ can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists are
+ specified, the command may be run with any combination of users and
+ groups listed in their respective Runas_Lists. If only the first is
+ specified, the command may be run as any user in the list but no -\b-g\bg
+ option may be specified. If the first Runas_List is empty but the second
+ is specified, the command may be run as the invoking user with the group
+ set to any listed in the Runas_List. If both Runas_Lists are empty, the
+ command may only be run as the invoking user. If no Runas_Spec is
+ specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
- A Runas_Spec sets the default for the commands that follow it. What
- this means is that for the entry:
+ A Runas_Spec sets the default for the commands that follow it. What this
+ means is that for the entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
- as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm--but only as
+ o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls
+ $ sudo -u operator /bin/ls
- It is also possible to override a Runas_Spec later on in an entry. If
- we modify the entry like so:
+ It is also possible to override a Runas_Spec later on in an entry. If we
+ modify the entry like so:
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
- group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
+ We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
+ group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
- /usr/bin/lprm
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
+ /usr/bin/lprm
- Note that while the group portion of the Runas_Spec permits the user to
- run as command with that group, it does not force the user to do so.
- If no group is specified on the command line, the command will run with
- the group listed in the target user's password database entry. The
- following would all be permitted by the sudoers entry above:
+ Note that while the group portion of the Runas_Spec permits the user to
+ run as command with that group, it does not force the user to do so. If
+ no group is specified on the command line, the command will run with the
+ group listed in the target user's password database entry. The following
+ would all be permitted by the sudoers entry above:
- $ sudo -u operator /bin/ls
- $ sudo -u operator -g operator /bin/ls
- $ sudo -g operator /bin/ls
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
- In the following example, user t\btc\bcm\bm may run commands that access a modem
- device file with the dialer group.
+ In the following example, user t\btc\bcm\bm may run commands that access a modem
+ device file with the dialer group.
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
- /usr/local/bin/minicom
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
+ /usr/local/bin/minicom
- Note that in this example only the group will be set, the command still
- runs as user t\btc\bcm\bm. E.g.
+ Note that in this example only the group will be set, the command still
+ runs as user t\btc\bcm\bm. E.g.
- $ sudo -g dialer /usr/bin/cu
+ $ sudo -g dialer /usr/bin/cu
- Multiple users and groups may be present in a Runas_Spec, in which case
- the user may select any combination of users and groups via the -\b-u\bu and
- -\b-g\bg options. In this example:
+ Multiple users and groups may be present in a Runas_Spec, in which case
+ the user may select any combination of users and groups via the -\b-u\bu and -\b-g\bg
+ options. In this example:
- alan ALL = (root, bin : operator, system) ALL
+ alan ALL = (root, bin : operator, system) ALL
- user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
- setting the group to operator or system.
+ user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
+ setting the group to operator or system.
S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
- On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
- SELinux role and/or type associated with a command. If a role or type
- is specified with the command it will override any default values
- specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
- however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ SELinux role and/or type associated with a command. If a role or type is
+ specified with the command it will override any default values specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line, however, will
+ supersede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ S\bSo\bol\bla\bar\bri\bis\bs_\b_P\bPr\bri\biv\bv_\b_S\bSp\bpe\bec\bc
+ On Solaris systems, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally specify Solaris
+ privilege set and/or limit privilege set associated with a command. If
+ privileges or limit privileges are specified with the command it will
+ override any default values specified in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ A privilege set is a comma-separated list of privilege names. The
+ ppriv(1) command can be used to list all privileges known to the system.
+ For example:
+
+ $ ppriv -l
+
+ In addition, there are several ``special'' privilege strings:
+
+ none the empty set
+
+ all the set of all privileges
+
+ zone the set of all privileges available in the current zone
+
+ basic the default set of privileges normal users are granted at login
+ time
+
+ Privileges can be excluded from a set by prefixing the privilege name
+ with either an `!' or `-' character.
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it. There are
- eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
- NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
- tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
- the tag unless it is overridden by the opposite tag (i.e.: PASSWD
- overrides NOPASSWD and NOEXEC overrides EXEC).
+ A command may have zero or more tags associated with it. There are ten
+ possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
+ LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
+ on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless
+ it is overridden by the opposite tag (in other words, PASSWD overrides
+ NOPASSWD and NOEXEC overrides EXEC).
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
- before running a command. This behavior can be modified via the
- NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
- the commands that follow it in the Cmnd_Spec_List. Conversely, the
- PASSWD tag can be used to reverse things. For example:
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself before
+ running a command. This behavior can be modified via the NOPASSWD tag.
+ Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
+ follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
+ to reverse things. For example:
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
- only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
- would be:
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as
+ r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we only
+ want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
+ be:
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- Note, however, that the PASSWD tag has no effect on users who are in
- the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+ Note, however, that the PASSWD tag has no effect on users who are in the
+ group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- By default, if the NOPASSWD tag is applied to any of the entries for a
- user on the current host, he or she will be able to run sudo -l without
- a password. Additionally, a user may only run sudo -v without a
- password if the NOPASSWD tag is present for all a user's entries that
- pertain to the current host. This behavior may be overridden via the
- verifypw and listpw options.
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run ``sudo -l''
+ without a password. Additionally, a user may only run ``sudo -v''
+ without a password if the NOPASSWD tag is present for all a user's
+ entries that pertain to the current host. This behavior may be
+ overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "Preventing Shell Escapes" section below for more details on
- how NOEXEC works and whether or not it will work on your system.
+ See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
+ NOEXEC works and whether or not it will work on your system.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, the user may
- disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
- Additionally, environment variables set on the command line are not
- subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
- variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
- tag is implied for that command; this default may be overridden by use
- of the NOSETENV tag.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set variables
+ in this manner. If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
+ for that command; this default may be overridden by use of the NOSETENV
+ tag.
- _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
- "SUDOERS OPTIONS" section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
- _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
- "SUDOERS OPTIONS" section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
- used in host names, path names and command line arguments in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
+ used in host names, path names and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX glob(3) and fnmatch(3)
+ routines. Note that these are _\bn_\bo_\bt regular expressions.
+
+ * Matches any set of zero or more characters.
+
+ ? Matches any single character.
+
+ [...] Matches any character in the specified range.
+
+ [!...] Matches any character n\bno\bot\bt in the specified range.
+
+ \x For any character `x', evaluates to `x'. This is used to
+ escape special characters such as: `*', `?', `[', and `]'.
+
+ POSIX character classes may also be used if your system's glob(3) and
+ fnmatch(3) functions support them. However, because the `:' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+
+ /bin/ls [[:alpha:]]*
- * Matches any set of zero or more characters.
+ Would match any file name beginning with a letter.
- ? Matches any single character.
+ Note that a forward slash (`/') will n\bno\bot\bt be matched by wildcards used in
+ the path name. This is to make a path like:
- [...] Matches any character in the specified range.
+ /usr/bin/*
- [!...] Matches any character n\bno\bot\bt in the specified range.
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
- \x For any character "x", evaluates to "x". This is used to
- escape special characters such as: "*", "?", "[", and "}".
+ When matching the command line arguments, however, a slash d\bdo\boe\bes\bs get
+ matched by wildcards since command line arguments may contain arbitrary
+ strings and not just path names.
- POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
- has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ Wildcards in command line arguments should be used with care. Because
+ command line arguments are matched as a single, concatenated string, a
+ wildcard such as `?' or `*' can match multiple words. For example, while
+ a sudoers entry like:
- /bin/ls [[\:alpha\:]]*
+ %operator ALL = /bin/cat /var/log/messages*
- Would match any file name beginning with a letter.
+ will allow command like:
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
- in the path name. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+ $ sudo cat /var/log/messages.1
- /usr/bin/*
+ It will also allow:
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ $ sudo cat /var/log/messages /etc/shadow
+
+ which is probably not what was intended.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
+ The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line argument in the
+ "" If the empty string "" is the only command line argument in the
_\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
with a\ban\bny\by arguments.
+ sudoedit Command line arguments to the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt built-in command should
+ always be path names, so a forward slash (`/') will not be
+ matched by a wildcard.
+
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file currently being parsed using the #include and #includedir
- directives.
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file currently being parsed using the #include and #includedir
+ directives.
- This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
- addition to a local, per-machine file. For the sake of this example
- the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
- be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
+ addition to a local, per-machine file. For the sake of this example the
+ site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
- #include /etc/sudoers.local
+ #include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
- file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
- the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
- processed. Files that are included may themselves include other files.
- A hard limit of 128 nested include files is enforced to prevent include
- file loops.
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the
+ end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed.
+ Files that are included may themselves include other files. A hard limit
+ of 128 nested include files is enforced to prevent include file loops.
- If the path to the include file is not fully-qualified (does not begin
- with a _\b/), it must be located in the same directory as the sudoers file
- it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
+ If the path to the include file is not fully-qualified (does not begin
+ with a `/', it must be located in the same directory as the sudoers file
+ it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
- #include sudoers.local
+ #include sudoers.local
- the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
+ the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
- The file name may also include the %h escape, signifying the short form
- of the host name. I.e., if the machine's host name is "xerxes", then
+ The file name may also include the %h escape, signifying the short form
+ of the host name. In other words, if the machine's host name is
+ ``xerxes'', then
- #include /etc/sudoers.%h
+ #include /etc/sudoers.%h
- will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
+ will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
- The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
- the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
- package installation. For example, given:
+ The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of package
+ installation. For example, given:
- #includedir /etc/sudoers.d
+ #includedir /etc/sudoers.d
- s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
- end in ~ or contain a . character to avoid causing problems with
- package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
- in the file names can be used to avoid such problems.
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that end
+ in `~' or contain a `.' character to avoid causing problems with package
+ manager or editor temporary/backup files. Files are parsed in sorted
+ lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed before
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is lexical,
+ not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes in
+ the file names can be used to avoid such problems.
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
- files directly.
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -\b-f\bf flag to edit the
+ files directly.
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- The pound sign ('#') is used to indicate a comment (unless it is part
- of a #include directive or unless it occurs in the context of a user
- name and is followed by one or more digits, in which case it is treated
- as a uid). Both the comment character and any text after it, up to the
- end of the line, are ignored.
-
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
- succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
- User_Alias, Runas_Alias, or Host_Alias. You should not try to define
- your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
- since in a command context, it allows the user to run a\ban\bny\by command on
- the system.
-
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
- in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
- values. Note, however, that using a ! in conjunction with the built-in
- ALL alias to allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
-
- Long lines can be continued with a backslash ('\') as the last
- character on the line.
-
- Whitespace between elements in a list as well as special syntactic
- characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
-
- The following characters must be escaped with a backslash ('\') when
- used as part of a word (e.g. a user name or host name): '!', '=', ':',
- ',', '(', ')', '\'.
+ The pound sign (`#') is used to indicate a comment (unless it is part of
+ a #include directive or unless it occurs in the context of a user name
+ and is followed by one or more digits, in which case it is treated as a
+ uid). Both the comment character and any text after it, up to the end of
+ the line, are ignored.
+
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
+ succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
+ User_Alias, Runas_Alias, or Host_Alias. You should not try to define
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
+ since in a command context, it allows the user to run a\ban\bny\by command on the
+ system.
+
+ An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator both in
+ an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
+ values. Note, however, that using a `!' in conjunction with the built-in
+ A\bAL\bLL\bL alias to allow a user to run ``all but a few'' commands rarely works
+ as intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
+
+ Long lines can be continued with a backslash (`\') as the last character
+ on the line.
+
+ White space between elements in a list as well as special syntactic
+ characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn (`=', `:', `(', `)') is optional.
+
+ The following characters must be escaped with a backslash (`\') when used
+ as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
+ `(', `)', `\'.
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
- earlier. A list of all supported Defaults parameters, grouped by type,
- are listed below.
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
+ earlier. A list of all supported Defaults parameters, grouped by type,
+ are listed below.
- B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
- always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
+ always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
to the home directory of the target user (which is root
unless the -\b-u\bu option is used). This effectively means
that the -\b-H\bH option is always implied. Note that HOME
HOME is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf
by default.
- authenticate If set, users must authenticate themselves via a
+ authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
- closefrom_override
+ closefrom_override
If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
begins closing open file descriptors. This flag is _\bo_\bf_\bf
by default.
- compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+ compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
z\bzl\bli\bib\bb support.
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
security hole as it allows the user to run any
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _\bo_\bf_\bf by default.
- env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
+ env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
environment containing the TERM, PATH, HOME, MAIL,
SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
Any variables in the caller's environment that match
followed by any variables present in the file specified
by the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option (if any). The default contents
of the env_keep and env_check lists are displayed when
- s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option. If the
+ s\bsu\bud\bdo\bo is run by root with the -\b-V\bV option. If the
_\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its value will be used for
the PATH environment variable. This flag is _\bo_\bn by
default.
- fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the glob(3) function to do shell-
style globbing when matching path names. However,
- since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
+ since it accesses the file system, glob(3) can take a
long time to complete for some patterns, especially
when the pattern references a network file system that
- is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
- option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
+ is mounted on demand (auto mounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ option causes s\bsu\bud\bdo\bo to use the fnmatch(3) function,
which does not access the file system to do its
matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
unable to match relative path names such as _\b._\b/_\bl_\bs or
_\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
names that include globbing characters are used with
- the negation operator, '!', as such rules can be
+ the negation operator, `!', as such rules can be
trivially bypassed. As such, this option should not be
used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
path names which include globbing characters. This
flag is _\bo_\bf_\bf by default.
- fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ fqdn Set this flag if you want to put fully qualified host
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file when the local host name (as
+ returned by the hostname command) does not contain the
+ domain name. In other words, instead of myhost you
would use myhost.mydomain.edu. You may still use the
- short form if you wish (and even mix the two). Beware
- that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
- which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
- example if the machine is not plugged into the
- network). Also note that you must use the host's
- official name as DNS knows it. That is, you may not
- use a host alias (CNAME entry) due to performance
- issues and the fact that there is no way to get all
- aliases from DNS. If your machine's host name (as
- returned by the hostname command) is already fully
- qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
- _\bo_\bf_\bf by default.
+ short form if you wish (and even mix the two). This
+ option is only effective when the ``canonical'' host
+ name, as returned by the g\bge\bet\bta\bad\bdd\bdr\bri\bin\bnf\bfo\bo() or
+ g\bge\bet\bth\bho\bos\bst\btb\bby\byn\bna\bam\bme\be() function, is a fully-qualified domain
+ name. This is usually the case when the system is
+ configured to use DNS for host name resolution.
+
+ If the system is configured to use the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file
+ in preference to DNS, the ``canonical'' host name may
+ not be fully-qualified. The order that sources are
+ queried for hosts name resolution is usually specified
+ in the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf,
+ _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\b._\bc_\bo_\bn_\bf, or, in some cases, _\b/_\be_\bt_\bc_\b/_\br_\be_\bs_\bo_\bl_\bv_\b._\bc_\bo_\bn_\bf
+ file. In the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file, the first host name of
+ the entry is considered to be the ``canonical'' name;
+ subsequent names are aliases that are not used by
+ s\bsu\bud\bdo\boe\ber\brs\bs. For example, the following hosts file line
+ for the machine ``xyzzy'' has the fully-qualified
+ domain name as the ``canonical'' host name, and the
+ short version as an alias.
+
+ 192.168.1.1 xyzzy.sudo.ws xyzzy
+
+ If the machine's hosts file entry is not formatted
+ properly, the _\bf_\bq_\bd_\bn option will not be effective if it
+ is queried before DNS.
+
+ Beware that when using DNS for host name resolution,
+ turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\boe\ber\brs\bs to make DNS lookups
+ which renders s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is disconnected from the
+ network). Also note that just like with the hosts
+ file, you must use the ``canonical'' name as DNS knows
+ it. That is, you may not use a host alias (CNAME
+ entry) due to performance issues and the fact that
+ there is no way to get all aliases from DNS.
+
+ This flag is _\bo_\bf_\bf by default.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
- PATH environment variable; the PATH itself is not
- modified. This flag is _\bo_\bf_\bf by default.
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore "." or "" (both denoting
+ current directory) in the PATH environment variable;
+ the PATH itself is not modified. This flag is _\bo_\bf_\bf by
+ default.
- ignore_local_sudoers
+ ignore_local_sudoers
If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
skipped. This is intended for Enterprises that wish to
prevent the usage of local sudoers files so that only
LDAP is used. This thwarts the efforts of rogue
operators who would attempt to add roles to
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
entries have been matched, this sudoOption is only
meaningful for the cn=defaults section. This flag is
_\bo_\bf_\bf by default.
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
incorrect password. This flag is _\bo_\bf_\bf by default.
- log_host If set, the host name will be logged in the (non-
+ log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
Input is logged to the directory specified by the
_\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
- may be used to control the format of the session ID.
+ log line, prefixed with ``TSID=''. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
+ option may be used to control the format of the session
+ ID.
Note that user input may contain sensitive information
such as passwords (even if they are not echoed to the
unencrypted. In most cases, logging the command output
via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
log all output that is sent to the screen, similar to
- the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ the script(1) command. If the standard output or
standard error is not connected to the user's tty, due
to I/O redirection or because the command is part of a
pipeline, that output is also captured and stored in
Output is logged to the directory specified by the
_\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
- may be used to control the format of the session ID.
+ log line, prefixed with ``TSID=''. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
+ option may be used to control the format of the session
+ ID.
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ Output logs may be viewed with the sudoreplay(1m)
utility, which can also be used to list or search the
available logs.
- log_year If set, the four-digit year will be logged in the (non-
+ log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- long_otp_prompt When validating with a One Time Password (OTP) scheme
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
local window. It's not as pretty as the default but
some people find it more convenient. This flag is _\bo_\bf_\bf
by default.
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
- does not enter the correct password. This flag is _\bo_\bf_\bf
- by default.
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. If the command
+ the user is attempting to run is not permitted by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs and one of the _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs, _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bh_\bo_\bs_\bt,
+ _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bp_\be_\br_\bm_\bs or _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bu_\bs_\be_\br flags are set, this flag
+ will have no effect. This flag is _\bo_\bf_\bf by default.
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
allowed to run commands on the current host. This flag
is _\bo_\bf_\bf by default.
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is allowed to use s\bsu\bud\bdo\bo but the command
they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
entry or is explicitly denied. This flag is _\bo_\bf_\bf by
default.
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
_\bo_\bn by default.
- noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
NOEXEC tag has been set, unless overridden by a EXEC
tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "Preventing Shell Escapes" section at the
- end of this manual. This flag is _\bo_\bf_\bf by default.
+ well as the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section at the end
+ of this manual. This flag is _\bo_\bf_\bf by default.
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
gather information on the location of executables that
not allowed to run it, which can be confusing. This
flag is _\bo_\bn by default.
- passprompt_override
+ passprompt_override
The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the password prompt provided
- by systems such as PAM matches the string "Password:".
- If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
- be used. This flag is _\bo_\bf_\bf by default.
+ by systems such as PAM matches the string
+ ``Password:''. If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag is _\bo_\bf_\bf by
+ default.
- preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
the list of groups the target user is in. When
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
This flag is _\bo_\bf_\bf by default.
- pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
Unix programs, by turning off echo until the user hits
the return (or enter) key. Some users become confused
by this as it appears to them that s\bsu\bud\bdo\bo has hung at
able to determine the length of the password being
entered. This flag is _\bo_\bf_\bf by default.
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
- as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+ as cron(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
default.
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
- get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from ``chaining'' s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like ``sudo sudo
+ /bin/sh''. Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
security; it exists purely for historical reasons.
This flag is _\bo_\bn by default.
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
of the password of the invoking user. This flag is _\bo_\bf_\bf
by default.
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
instead of the password of the invoking user. This
flag is _\bo_\bf_\bf by default.
- set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
+ set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
HOME environment variable will be set to the home
directory of the target user (which is root unless the
-\b-u\bu option is used). This effectively makes the -\b-s\bs
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present in the
_\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
environment variables to the name of the target user
(usually root unless the -\b-u\bu option is given). However,
since some programs (including the RCS revision control
disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
- set_utmp When enabled, s\bsu\bud\bdo\bo will create an entry in the utmp (or
+ set_utmp When enabled, s\bsu\bud\bdo\bo will create an entry in the utmp (or
utmpx) file when a pseudo-tty is allocated. A pseudo-
tty is allocated by s\bsu\bud\bdo\bo when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt, _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
or _\bu_\bs_\be_\b__\bp_\bt_\by flags are enabled. By default, the new
(if any), with the tty, time, type and pid fields
updated. This flag is _\bo_\bn by default.
- setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
command line via the -\b-E\bE option. Additionally,
environment variables set via the command line are not
subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
should be allowed to set variables in this manner.
This flag is _\bo_\bf_\bf by default.
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
if the -\b-s\bs option had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
if not). This flag is _\bo_\bf_\bf by default.
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
- with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
- This flag is _\bo_\bf_\bf by default.
+ that support either the setreuid(2) or setresuid(2)
+ system call. This flag is _\bo_\bf_\bf by default.
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
of the password of the invoking user. In addition, the
- timestamp file name will include the target user's
+ time stamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
-\b-u\bu option. This flag is _\bo_\bf_\bf by default.
- tty_tickets If set, users must authenticate on a per-tty basis.
+ tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
the tty the user is logged in on in the user's time
stamp directory. If disabled, the time stamp of the
directory is used instead. This flag is _\bo_\bn by default.
- umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
without modification. This makes it possible to
specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
user's own umask and matches historical behavior. If
be the union of the user's umask and what is specified
in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
--with-logincap option. This flag is _\bo_\bf_\bf by default.
- use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
+ use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
if no I/O logging is being gone. A malicious program
run under s\bsu\bud\bdo\bo could conceivably fork a background
process that retains to the user's terminal device
this option will make that impossible. This flag is
_\bo_\bf_\bf by default.
- utmp_runas If set, s\bsu\bud\bdo\bo will store the name of the runas user when
+ utmp_runas If set, s\bsu\bud\bdo\bo will store the name of the runas user when
updating the utmp (or utmpx) file. By default, s\bsu\bud\bdo\bo
stores the name of the invoking user. This flag is _\bo_\bf_\bf
by default.
- visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
- things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
- not allocate a tty. This flag is _\bo_\bf_\bf by default.
+ things like ``ssh somehost sudo ls'' since by default,
+ ssh(1) does not allocate a tty when running a command.
+ This flag is _\bo_\bf_\bf by default.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
file descriptors other than standard input, standard
output and standard error (ie: file descriptors 0-2).
The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
file descriptor at which to start closing. The default
is 3.
- passwd_tries The number of tries a user gets to enter his/her
+ passwd_tries The number of tries a user gets to enter his/her
password before s\bsu\bud\bdo\bo logs the failure and exits. The
default is 3.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- loglinelen Number of characters per line for the file log. This
+ loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
- timestamp_timeout
+ timestamp_timeout
Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
for a passwd again. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
- value less than 0 the user's timestamp will never
+ value less than 0 the user's time stamp will never
expire. This can be used to allow users to create or
- delete their own timestamps via sudo -v and sudo -k
- respectively.
+ delete their own time stamps via ``sudo -v'' and ``sudo
+ -k'' respectively.
- umask Umask to use when running the command. Negate this
+ umask Umask to use when running the command. Negate this
option or set it to 0777 to preserve the user's umask.
The actual umask that is used will be the union of the
user's umask and the value of the _\bu_\bm_\ba_\bs_\bk option, which
defaults to 0022. This guarantees that s\bsu\bud\bdo\bo never
- lowers the umask when running a command. Note on
+ lowers the umask when running a command. Note: on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- S\bSt\btr\bri\bin\bng\bgs\bs:
+ S\bSt\btr\bri\bin\bng\bgs\bs:
- badpass_message Message that is displayed if a user enters an incorrect
+ badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
- editor A colon (':') separated list of editors allowed to be
+ editor A colon (`:') separated list of editors allowed to be
used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
matches the user's EDITOR environment variable if
possible, or the first editor in the list that exists
- and is executable. The default is "vi".
+ and is executable. The default is _\bv_\bi.
- iolog_dir The top-level directory to use when constructing the
+ iolog_dir The top-level directory to use when constructing the
path name for the input/output log directory. Only
used if the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled
or when the LOG_INPUT or LOG_OUTPUT tags are present
for a command. The session sequence number, if any, is
stored in the directory. The default is
- "/var/log/sudo-io".
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
The following percent (`%') escape sequences are
supported:
%{seq}
- expanded to a monotonically increasing base-36
- sequence number, such as 0100A5, where every two
- digits are used to form a new directory, e.g.
- _\b0_\b1_\b/_\b0_\b0_\b/_\bA_\b5
+ expanded to a monotonically increasing base-36
+ sequence number, such as 0100A5, where every two
+ digits are used to form a new directory, e.g.
+ _\b0_\b1_\b/_\b0_\b0_\b/_\bA_\b5
%{user}
- expanded to the invoking user's login name
+ expanded to the invoking user's login name
%{group}
- expanded to the name of the invoking user's real
- group ID
+ expanded to the name of the invoking user's real
+ group ID
%{runas_user}
- expanded to the login name of the user the command
- will be run as (e.g. root)
+ expanded to the login name of the user the
+ command will be run as (e.g. root)
%{runas_group}
- expanded to the group name of the user the command
- will be run as (e.g. wheel)
+ expanded to the group name of the user the
+ command will be run as (e.g. wheel)
%{hostname}
- expanded to the local host name without the domain
- name
+ expanded to the local host name without the
+ domain name
%{command}
- expanded to the base name of the command being run
+ expanded to the base name of the command being
+ run
In addition, any escape sequences supported by the
- system's _\bs_\bt_\br_\bf_\bt_\bi_\bm_\be_\b(_\b) function will be expanded.
+ system's strftime(3) function will be expanded.
To include a literal `%' character, the string `%%'
should be used.
- iolog_file The path name, relative to _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br, in which to store
+ iolog_file The path name, relative to _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br, in which to store
input/output logs when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
options are enabled or when the LOG_INPUT or LOG_OUTPUT
tags are present for a command. Note that _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
may contain directory components. The default is
- "%{seq}".
+ ``%{seq}''.
See the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option above for a list of supported
percent (`%') escape sequences.
In addition to the escape sequences, path names that
end in six or more Xs will have the Xs replaced with a
unique combination of digits and letters, similar to
- the _\bm_\bk_\bt_\be_\bm_\bp_\b(_\b) function.
+ the mktemp(3) function.
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
- %h will expand to the host name of the machine.
- Default is *** SECURITY information for %h ***.
+ limitprivs The default Solaris limit privileges to use when
+ constructing a new privilege set for a command. This
+ bounds all privileges of the executing process. The
+ default limit privileges may be overridden on a per-
+ command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs. This option is only
+ available if s\bsu\bud\bdo\boe\ber\brs\bs is built on Solaris 10 or higher.
- noexec_file This option is no longer supported. The path to the
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The
+ escape %h will expand to the host name of the machine.
+ Default is ``*** SECURITY information for %h ***''.
+
+ noexec_file This option is no longer supported. The path to the
noexec file should now be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
file.
- passprompt The default prompt to use when asking for a password;
+ passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
environment variable. The following percent (`%')
escape sequences are supported:
- %H expanded to the local host name including the
- domain name (only if the machine's host name is
- fully qualified or the _\bf_\bq_\bd_\bn option is set)
+ %H expanded to the local host name including the
+ domain name (only if the machine's host name is
+ fully qualified or the _\bf_\bq_\bd_\bn option is set)
+
+ %h expanded to the local host name without the
+ domain name
- %h expanded to the local host name without the domain
- name
+ %p expanded to the user whose password is being
+ asked for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
+ _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ %U expanded to the login name of the user the
+ command will be run as (defaults to root)
- %U expanded to the login name of the user the command
- will be run as (defaults to root)
+ %u expanded to the invoking user's login name
- %u expanded to the invoking user's login name
+ %% two consecutive % characters are collapsed into a
+ single % character
- %% two consecutive % characters are collapsed into a
- single % character
+ The default value is ``Password:''.
- The default value is Password:.
+ privs The default Solaris privileges to use when constructing
+ a new privilege set for a command. This is passed to
+ the executing process via the inherited privilege set,
+ but is bounded by the limit privileges. If the _\bp_\br_\bi_\bv_\bs
+ option is specified but the _\bl_\bi_\bm_\bi_\bt_\bp_\br_\bi_\bv_\bs option is not,
+ the limit privileges of the executing process is set to
+ _\bp_\br_\bi_\bv_\bs. The default privileges may be overridden on a
+ per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs. This option is only
+ available if s\bsu\bud\bdo\boe\ber\brs\bs is built on Solaris 10 or higher.
- role The default SELinux role to use when constructing a new
+ role The default SELinux role to use when constructing a new
security context to run the command. The default role
may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
+ available when s\bsu\bud\bdo\bo is built with SELinux support.
- runas_default The default user to run commands as if the -\b-u\bu option is
+ runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
root.
- syslog_badpri Syslog priority to use when user authenticates
+ syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
The following syslog priorities are supported: a\bal\ble\ber\brt\bt,
c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and w\bwa\bar\brn\bni\bin\bng\bg.
- syslog_goodpri Syslog priority to use when user authenticates
+ syslog_goodpri Syslog priority to use when user authenticates
successfully. Defaults to notice.
- See syslog_badpri for the list of supported syslog
+ See _\bs_\by_\bs_\bl_\bo_\bg_\b__\bb_\ba_\bd_\bp_\br_\bi for the list of supported syslog
priorities.
- sudoers_locale Locale to use when parsing the sudoers file, logging
+ sudoers_locale Locale to use when parsing the sudoers file, logging
commands, and sending email. Note that changing the
locale may affect how sudoers is interpreted. Defaults
- to "C".
+ to ``C''.
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
- The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its time stamp
+ files. The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
- timestampowner The owner of the timestamp directory and the timestamps
- stored therein. The default is root.
+ timestampowner The owner of the time stamp directory and the time
+ stamps stored therein. The default is root.
- type The default SELinux type to use when constructing a new
+ type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
+ available when s\bsu\bud\bdo\bo is built with SELinux support.
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
file containing variables to be set in the environment of
the program being run. Entries in this file should either
- be of the form VARIABLE=value or export VARIABLE=value.
- The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
- environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+ be of the form ``VARIABLE=value'' or ``export
+ VARIABLE=value''. The value may optionally be surrounded
+ by single or double quotes. Variables in this file are
+ subject to other s\bsu\bud\bdo\bo environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp
+ and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
- exempt_group
- Users in this group are exempt from password and PATH
+ exempt_group Users in this group are exempt from password and PATH
requirements. The group name specified should not include
a % prefix. This is not set by default.
- group_plugin
- A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
+ group_plugin A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
arguments. This can be used to implement support for the
nonunix_group syntax described earlier. The string should
consist of the plugin path, either fully-qualified or
any configuration arguments the plugin requires. These
arguments (if any) will be passed to the plugin's
initialization function. If arguments are present, the
- string must be enclosed in double quotes (").
+ string must be enclosed in double quotes ("").
For example, given _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp, a group file in Unix
group format, the sample group plugin can be used:
- Defaults group_plugin="sample_group.so /etc/sudo-group"
+ Defaults group_plugin="sample_group.so /etc/sudo-group"
- For more information see _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(4).
+ For more information see sudo_plugin(4).
- lecture This option controls when a short lecture will be printed
+ lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following
possible values:
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\bo_\bn_\bc_\be.
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ lecture_file Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
will be used in place of the standard lecture if the named
file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
- listpw This option controls when a password will be required when
+ listpw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
- must have the NOPASSWD flag set to avoid entering a
- password.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current
+ host must have the NOPASSWD flag set to avoid
+ entering a password.
- always The user must always enter a password to use the -\b-l\bl
- option.
+ always The user must always enter a password to use the
+ -\b-l\bl option.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD flag set to
- avoid entering a password.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for
+ the current host must have the NOPASSWD flag set
+ to avoid entering a password.
- never The user need never enter a password to use the -\b-l\bl
- option.
+ never The user need never enter a password to use the
+ -\b-l\bl option.
If no value is specified, a value of _\ba_\bn_\by is implied.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bn_\by.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
Setting a path turns on logging to a file; negating this
option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
- mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
- mailerpath Path to mail program used to send warning mail. Defaults
+ mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
- mailfrom Address to use for the "from" address when sending warning
- and error mail. The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
- Defaults to the name of the user running s\bsu\bud\bdo\bo.
+ mailfrom Address to use for the ``from'' address when sending
+ warning and error mail. The address should be enclosed in
+ double quotes ("") to protect against s\bsu\bud\bdo\bo interpreting the
+ @ sign. Defaults to the name of the user running s\bsu\bud\bdo\bo.
- mailto Address to send warning and error mail to. The address
- should be enclosed in double quotes (") to protect against
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes ("") to protect against
s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
trust the people running s\bsu\bud\bdo\bo to have a sane PATH
environment variable you may want to use this. Another use
- is if you want to have the "root path" be separate from the
- "user path." Users in the group specified by the
+ is if you want to have the ``root path'' be separate from
+ the ``user path''. Users in the group specified by the
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
option is not set by default.
- syslog Syslog facility if syslog is being used for logging (negate
+ syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to auth.
The following syslog facilities are supported: a\bau\but\bth\bhp\bpr\bri\biv\bv (if
your OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1,
l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7.
- verifypw This option controls when a password will be required when
+ verifypw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
possible values:
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bl_\bl.
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_check Environment variables to be removed from the user's
- environment if the variable's value contains % or /
+ env_check Environment variables to be removed from the user's
+ environment if the variable's value contains `%' or `/'
characters. This can be used to guard against printf-
style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-
env_check will be preserved in the environment if they
pass the aforementioned check. The default list of
environment variables to check is displayed when s\bsu\bud\bdo\bo
- is run by root with the _\b-_\bV option.
+ is run by root with the -\b-V\bV option.
- env_delete Environment variables to be removed from the user's
+ env_delete Environment variables to be removed from the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
The argument may be a double-quoted, space-separated
list or a single value without double-quotes. The list
can be replaced, added to, deleted from, or disabled by
using the =, +=, -=, and ! operators respectively. The
default list of environment variables to remove is
- displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ displayed when s\bsu\bud\bdo\bo is run by root with the -\b-V\bV option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
any setuid process (such as s\bsu\bud\bdo\bo).
- env_keep Environment variables to be preserved in the user's
+ env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
This allows fine-grained control over the environment
s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
added to, deleted from, or disabled by using the =, +=,
-=, and ! operators respectively. The default list of
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option.
+ with the -\b-V\bV option.
+
+L\bLO\bOG\bG F\bFO\bOR\bRM\bMA\bAT\bT
+ s\bsu\bud\bdo\boe\ber\brs\bs can log events using either syslog(3) or a simple log file. In
+ each case the log format is almost identical.
+
+ A\bAc\bcc\bce\bep\bpt\bte\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ Commands that sudo runs are logged using the following format (split into
+ multiple lines for readability):
+
+ date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
+ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
+ ENV=env_vars COMMAND=command
+
+ Where the fields are as follows:
+
+ date The date the command was run. Typically, this is in the
+ format ``MMM, DD, HH:MM:SS''. If logging via syslog(3),
+ the actual date format is controlled by the syslog daemon.
+ If logging to a file and the _\bl_\bo_\bg_\b__\by_\be_\ba_\br option is enabled,
+ the date will also include the year.
+
+ hostname The name of the host s\bsu\bud\bdo\bo was run on. This field is only
+ present when logging via syslog(3).
+
+ progname The name of the program, usually _\bs_\bu_\bd_\bo or _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. This
+ field is only present when logging via syslog(3).
+
+ username The login name of the user who ran s\bsu\bud\bdo\bo.
+
+ ttyname The short name of the terminal (e.g. ``console'',
+ ``tty01'', or ``pts/0'') s\bsu\bud\bdo\bo was run on, or ``unknown'' if
+ there was no terminal present.
+
+ cwd The current working directory that s\bsu\bud\bdo\bo was run in.
+
+ runasuser The user the command was run as.
+
+ runasgroup The group the command was run as if one was specified on
+ the command line.
+
+ logid An I/O log identifier that can be used to replay the
+ command's output. This is only present when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt
+ or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option is enabled.
+
+ env_vars A list of environment variables specified on the command
+ line, if specified.
+
+ command The actual command that was executed.
+
+ Messages are logged using the locale specified by _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be, which
+ defaults to the ``C'' locale.
+
+ D\bDe\ben\bni\bie\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ If the user is not allowed to run the command, the reason for the denial
+ will follow the user name. Possible reasons include:
+
+ user NOT in sudoers
+ The user is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ user NOT authorized on host
+ The user is listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file but is not allowed to run
+ commands on the host.
+
+ command not allowed
+ The user is listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file for the host but they are not
+ allowed to run the specified command.
+
+ 3 incorrect password attempts
+ The user failed to enter their password after 3 tries. The actual
+ number of tries will vary based on the number of failed attempts and
+ the value of the _\bp_\ba_\bs_\bs_\bw_\bd_\b__\bt_\br_\bi_\be_\bs option.
+
+ a password is required
+ s\bsu\bud\bdo\bo's -\b-n\bn option was specified but a password was required.
+
+ sorry, you are not allowed to set the following environment variables
+ The user specified environment variables on the command line that were
+ not allowed by _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ E\bEr\brr\bro\bor\br l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ If an error occurs, s\bsu\bud\bdo\boe\ber\brs\bs will log a message and, in most cases, send a
+ message to the administrator via email. Possible errors include:
+
+ parse error in /etc/sudoers near line N
+ s\bsu\bud\bdo\boe\ber\brs\bs encountered an error when parsing the specified file. In some
+ cases, the actual error may be one line above or below the line number
+ listed, depending on the type of error.
+
+ problem with defaults entries
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file contains one or more unknown Defaults settings. This
+ does not prevent s\bsu\bud\bdo\bo from running, but the _\bs_\bu_\bd_\bo_\be_\br_\bs file should be
+ checked using v\bvi\bis\bsu\bud\bdo\bo.
+
+ timestamp owner (username): No such user
+ The time stamp directory owner, as specified by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br
+ setting, could not be found in the password database.
+
+ unable to open/read /etc/sudoers
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file could not be opened for reading. This can happen
+ when the _\bs_\bu_\bd_\bo_\be_\br_\bs file is located on a remote file system that maps
+ user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open
+ _\bs_\bu_\bd_\bo_\be_\br_\bs using group permissions to avoid this problem. Consider
+ changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs by adding an option like
+ ``sudoers_uid=N'' (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ unable to stat /etc/sudoers
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file is missing.
+
+ /etc/sudoers is not a regular file
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file exists but is not a regular file or symbolic
+ link.
+
+ /etc/sudoers is owned by uid N, should be 0
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong owner. If you wish to change the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file owner, please add ``sudoers_uid=N'' (where `N' is the
+ user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ /etc/sudoers is world writable
+ The permissions on the _\bs_\bu_\bd_\bo_\be_\br_\bs file allow all users to write to it.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file must not be world-writable, the default file mode is
+ 0440 (readable by owner and group, writable by none). The default
+ mode may be changed via the ``sudoers_mode'' option to the s\bsu\bud\bdo\boe\ber\brs\bs
+ plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ /etc/sudoers is owned by gid N, should be 1
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong group ownership. If you wish to change
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file group ownership, please add ``sudoers_gid=N'' (where
+ `N' is the group ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin
+ line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ unable to open /var/adm/sudo/username/ttyname
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to read or create the user's time stamp file.
+
+ unable to write to /var/adm/sudo/username/ttyname
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to write to the user's time stamp file.
+
+ unable to mkdir to /var/adm/sudo/username
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to create the user's time stamp directory.
+
+ N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg v\bvi\bia\ba s\bsy\bys\bsl\blo\bog\bg
+ By default, _\bs_\bu_\bd_\bo_\be_\br_\bs logs messages via syslog(3). The _\bd_\ba_\bt_\be, _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be, and
+ _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be fields are added by the syslog daemon, not _\bs_\bu_\bd_\bo_\be_\br_\bs itself. As
+ such, they may vary in format on different systems.
+
+ On most systems, syslog(3) has a relatively small log buffer. To prevent
+ the command line arguments from being truncated, s\bsu\bud\bdo\boe\ber\brs\bs will split up
+ log messages that are larger than 960 characters (not including the date,
+ hostname, and the string ``sudo''). When a message is split, additional
+ parts will include the string ``(command continued)'' after the user name
+ and before the continued command line arguments.
+
+ N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg t\bto\bo a\ba f\bfi\bil\ble\be
+ If the _\bl_\bo_\bg_\bf_\bi_\bl_\be option is set, _\bs_\bu_\bd_\bo_\be_\br_\bs will log to a local file, such as
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo. When logging to a file, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a format similar to
+ syslog(3), with a few important differences:
+
+ 1. The _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be and _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be fields are not present.
+
+ 2. If the _\bl_\bo_\bg_\b__\by_\be_\ba_\br option is enabled, the date will also include the
+ year.
+
+ 3. Lines that are longer than _\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn characters (80 by default) are
+ word-wrapped and continued on the next line with a four character
+ indent. This makes entries easier to read for a human being, but
+ makes it more difficult to use grep(1) on the log files. If the
+ _\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn option is set to 0 (or negated with a `!'), word wrap
+ will be disabled.
S\bSU\bUD\bDO\bO.\b.C\bCO\bON\bNF\bF
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file determines which plugins the s\bsu\bud\bdo\bo front end
- will load. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it contains no
- Plugin lines, s\bsu\bud\bdo\bo will use the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O
- logging, which corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file determines which plugins the s\bsu\bud\bdo\bo front end will
+ load. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it contains no Plugin
+ lines, s\bsu\bud\bdo\bo will use the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O logging, which
+ corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
+ #
+ # Default /etc/sudo.conf file
+ #
+ # Format:
+ # Plugin plugin_name plugin_path plugin_options ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
+ #
+ # The plugin_path is relative to /usr/local/libexec unless
+ # fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ # that contains the plugin interface structure.
+ # The plugin_options are optional.
+ #
+ Plugin policy_plugin sudoers.so
+ Plugin io_plugin sudoers.so
- P\bPL\bLU\bUG\bGI\bIN\bN O\bOP\bPT\bTI\bIO\bON\bNS\bS
- Starting with s\bsu\bud\bdo\bo 1.8.5 it is possible to pass options to the _\bs_\bu_\bd_\bo_\be_\br_\bs
- plugin. Options may be listed after the path to the plugin (i.e. after
- _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo); multiple options should be space-separated. For example:
+ P\bPl\blu\bug\bgi\bin\bn o\bop\bpt\bti\bio\bon\bns\bs
+ Starting with s\bsu\bud\bdo\bo 1.8.5, it is possible to pass options to the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ plugin. Options may be listed after the path to the plugin (i.e. after
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo); multiple options should be space-separated. For example:
- Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+ Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
- The following plugin options are supported:
+ The following plugin options are supported:
- sudoers_file=pathname
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be option can be used to override the default
- path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ sudoers_file=pathname
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be option can be used to override the default
+ path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- sudoers_uid=uid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd option can be used to override the default
- owner of the sudoers file. It should be specified as a
- numeric user ID.
+ sudoers_uid=uid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd option can be used to override the default
+ owner of the sudoers file. It should be specified as a numeric
+ user ID.
- sudoers_gid=gid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd option can be used to override the default
- group of the sudoers file. It should be specified as a
- numeric group ID.
+ sudoers_gid=gid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd option can be used to override the default
+ group of the sudoers file. It should be specified as a numeric
+ group ID.
- sudoers_mode=mode
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be option can be used to override the default
- file mode for the sudoers file. It should be specified as an
- octal value.
+ sudoers_mode=mode
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be option can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
- D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
- Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
- framework that can help track down what the plugin is doing internally
- if there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file as described in _\bs_\bu_\bd_\bo(1m).
+ D\bDe\beb\bbu\bug\bg f\bfl\bla\bag\bgs\bs
+ Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
+ framework that can help track down what the plugin is doing internally if
+ there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file as
+ described in sudo(1m).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as s\bsu\bud\bdo\bo itself:
- _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as the s\bsu\bud\bdo\bo front-end:
+ _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
- The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
- _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
- when specified, also includes all priorities higher than it. For
- example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
- _\bn_\bo_\bt_\bi_\bc_\be and higher.
+ The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
+ _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
+ _\bn_\bo_\bt_\bi_\bc_\be and higher.
- The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
+ The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
- _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+ _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
- _\ba_\bl_\bl matches every subsystem
+ _\ba_\bl_\bl matches every subsystem
- _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
+ _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
- _\ba_\bu_\bt_\bh user authentication
+ _\ba_\bu_\bt_\bh user authentication
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
- _\be_\bn_\bv environment handling
+ _\be_\bn_\bv environment handling
- _\bl_\bd_\ba_\bp LDAP-based sudoers
+ _\bl_\bd_\ba_\bp LDAP-based sudoers
- _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
+ _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
- _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
- _\bn_\be_\bt_\bi_\bf network interface handling
+ _\bn_\be_\bt_\bi_\bf network interface handling
- _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
- _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
+ _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
- _\bp_\be_\br_\bm_\bs permission setting
+ _\bp_\be_\br_\bm_\bs permission setting
- _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
+ _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
- _\bp_\bt_\by pseudo-tty related code
+ _\bp_\bt_\by pseudo-tty related code
- _\br_\bb_\bt_\br_\be_\be redblack tree internals
+ _\br_\bb_\bt_\br_\be_\be redblack tree internals
- _\bu_\bt_\bi_\bl utility functions
+ _\bu_\bt_\bi_\bl utility functions
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
- _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps for the
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps for the
_\bs_\bu_\bd_\bo_\be_\br_\bs security policy
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
Linux systems
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
- contrived. First, we allow a few environment variables to pass and
- then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
- # Run X applications through sudo; HOME is used to find the
- # .Xauthority file. Note that other programs use HOME to find
- # configuration files and this may lead to privilege escalation!
- Defaults env_keep += "DISPLAY HOME"
-
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
-
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
- Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt
- Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
- /usr/local/bin/zsh
- Cmnd_Alias SU = /usr/bin/su
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
+ contrived. First, we allow a few environment variables to pass and then
+ define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
+ # Run X applications through sudo; HOME is used to find the
+ # .Xauthority file. Note that other programs use HOME to find
+ # configuration files and this may lead to privilege escalation!
+ Defaults env_keep += "DISPLAY HOME"
+
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
+
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
+ /usr/local/bin/tcsh, /usr/bin/rsh,\
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
- Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
- to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
- want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
- need not give a password, and we don't want to reset the LOGNAME, USER
- or USERNAME environment variables when running commands as root.
- Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
- additional local log file and make sure we log the year in each log
- line since the log entries will be kept around for several years.
- Lastly, we disable shell escapes for the commands in the PAGERS
- Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
+ Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo to
+ log via syslog(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't want to
+ subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not
+ give a password, and we don't want to reset the LOGNAME, USER or USERNAME
+ environment variables when running commands as root. Additionally, on
+ the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an additional local log
+ file and make sure we log the year in each log line since the log entries
+ will be kept around for several years. Lastly, we disable shell escapes
+ for the commands in the PAGERS Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- Defaults!PAGERS noexec
+ # Override built-in defaults
+ Defaults syslog=auth
+ Defaults>root !set_logname
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
- what.
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+ what.
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
- FULLTIMERS ALL = NOPASSWD: ALL
+ FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
- any host without authenticating themselves.
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ any host without authenticating themselves.
- PARTTIMERS ALL = ALL
+ PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
- any host but they must authenticate themselves first (since the entry
- lacks the NOPASSWD tag).
+ Part time sysadmins b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on any
+ host but they must authenticate themselves first (since the entry lacks
+ the NOPASSWD tag).
- jack CSNETS = ALL
+ jack CSNETS = ALL
- The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
- (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
- those networks, only 128.138.204.0 has an explicit netmask (in CIDR
- notation) indicating it is a class C network. For the other networks
- in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
+ networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
+ indicating it is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
+ the local machine's netmask will be used during matching.
- lisa CUNETS = ALL
+ lisa CUNETS = ALL
- The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
- class B network 128.138.0.0).
+ The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
+ class B network 128.138.0.0).
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
- Here, those are commands related to backups, killing processes, the
- printing system, shutting down the system, and any commands in the
- directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance. Here,
+ those are commands related to backups, killing processes, the printing
+ system, shutting down the system, and any commands in the directory
+ _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
- joe ALL = /usr/bin/su operator
+ joe ALL = /usr/bin/su operator
- The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
+ The user j\bjo\boe\be may only su(1) to operator.
- pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
- %opers ALL = (: ADMINGRP) /usr/sbin/
+ %opers ALL = (: ADMINGRP) /usr/sbin/
- Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
- with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
- The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
- the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
- multiple user names on the command line.
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes passwd(1) does not take
+ multiple user names on the command line.
- bob SPARC = (OP) ALL : SGI = (OP) ALL
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
- listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br.)
- jim +biglab = ALL
+ jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that ``biglab'' is a netgroup due to the `+' prefix.
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
- well as add and remove users, so they are allowed to run those commands
- on all machines.
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
- fred ALL = (DB) NOPASSWD: ALL
+ fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
- (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias (o\bor\bra\bac\bcl\ble\be
+ or s\bsy\byb\bba\bas\bse\be) without giving a password.
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
- not allowed to specify any options to the _\bs_\bu(1) command.
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to specify any options to the su(1) command.
- jen ALL, !SERVERS = ALL
+ jen ALL, !SERVERS = ALL
- The user j\bje\ben\bn may run any command on any machine except for those in the
- _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
+ The user j\bje\ben\bn may run any command on any machine except for those in the
+ _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
- jill SERVERS = /usr/bin/, !SU, !SHELLS
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
- the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
- and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+ the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU and
+ _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
- steve CSNETS = (operator) /usr/local/op_commands/
+ steve CSNETS = (operator) /usr/local/op_commands/
- The user s\bst\bte\bev\bve\be may run any command in the directory
- /usr/local/op_commands/ but only as user operator.
+ The user s\bst\bte\bev\bve\be may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
- matt valkyrie = KILL
+ matt valkyrie = KILL
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
- hung processes.
+ On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill hung
+ processes.
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
- and wim), may run any command as user www (which owns the web pages) or
- simply _\bs_\bu(1) to www.
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy, and
+ wim), may run any command as user www (which owns the web pages) or
+ simply su(1) to www.
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM
- Any user may mount or unmount a CD-ROM on the machines in the CDROM
- Host_Alias (orion, perseus, hercules) without entering a password.
- This is a bit tedious for users to type, so it is a prime candidate for
- encapsulating in a shell script.
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password. This
+ is a bit tedious for users to type, so it is a prime candidate for
+ encapsulating in a shell script.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be '\b'!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
- It is generally not effective to "subtract" commands from ALL using the
- '!' operator. A user can trivially circumvent this by copying the
- desired command to a different name and then executing that. For
- example:
+ L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be `\b`!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
+ It is generally not effective to ``subtract'' commands from A\bAL\bLL\bL using the
+ `!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For
+ example:
- bill ALL = ALL, !SU, !SHELLS
+ bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
- _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
- use a shell escape from an editor or other program. Therefore, these
- kind of restrictions should be considered advisory at best (and
- reinforced by policy).
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
- In general, if a user has sudo ALL there is nothing to prevent them
- from creating their own program that gives them a root shell (or making
- their own copy of a shell) regardless of any '!' elements in the user
- specification.
+ In general, if a user has sudo A\bAL\bLL\bL there is nothing to prevent them from
+ creating their own program that gives them a root shell (or making their
+ own copy of a shell) regardless of any `!' elements in the user
+ specification.
S\bSe\bec\bcu\bur\bri\bit\bty\by i\bim\bmp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs o\bof\bf _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
- If the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to reliably
- negate commands where the path name includes globbing (aka wildcard)
- characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function cannot
- resolve relative paths. While this is typically only an inconvenience
- for rules that grant privileges, it can result in a security issue for
- rules that subtract or revoke privileges.
-
- For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
-
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
- /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
-
- User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
- changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
-
- P\bPr\bre\bev\bve\ben\bnt\bti\bin\bng\bg S\bSh\bhe\bel\bll\bl E\bEs\bsc\bca\bap\bpe\bes\bs
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
- pleases, including run other programs. This can be a security issue
- since it is not uncommon for a program to allow shell escapes, which
- lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
- that permit shell escapes include shells (obviously), editors,
- paginators, mail and terminal programs.
-
- There are two basic approaches to this problem:
-
- restrict Avoid giving users access to commands that allow the user to
- run arbitrary commands. Many editors have a restricted mode
- where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
- solution to running editors via s\bsu\bud\bdo\bo. Due to the large
- number of programs that offer shell escapes, restricting
- users to the set of programs that do not is often unworkable.
-
- noexec Many systems that support shared libraries have the ability
- to override default library functions by pointing an
- environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
- can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
- any other programs. Note, however, that this applies only to
- native dynamically-linked executables. Statically-linked
- executables and foreign executables running under binary
- emulation are not affected.
-
- The _\bn_\bo_\be_\bx_\be_\bc feature is known to work on SunOS, Solaris, *BSD,
- Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
- above. It should be supported on most operating systems that
- support the LD_PRELOAD environment variable. Check your
- operating system's manual pages for the dynamic linker
- (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
- if LD_PRELOAD is supported.
-
- On Solaris 10 and higher, _\bn_\bo_\be_\bx_\be_\bc uses Solaris privileges
- instead of the LD_PRELOAD environment variable.
-
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
- documented in the User Specification section above. Here is
- that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
- with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
- from executing other commands (such as a shell). If you are
- unsure whether or not your system is capable of supporting
- _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and check whether shell
- escapes work when _\bn_\bo_\be_\bx_\be_\bc is enabled.
-
- Note that restricting shell escapes is not a panacea. Programs running
- as root are still capable of many potentially hazardous operations
- (such as changing or overwriting files) that could lead to unintended
- privilege escalation. In the specific case of an editor, a safer
- approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ If the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to reliably negate
+ commands where the path name includes globbing (aka wildcard) characters.
+ This is because the C library's fnmatch(3) function cannot resolve
+ relative paths. While this is typically only an inconvenience for rules
+ that grant privileges, it can result in a security issue for rules that
+ subtract or revoke privileges.
+
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+
+ P\bPr\bre\bev\bve\ben\bnt\bti\bin\bng\bg s\bsh\bhe\bel\bll\bl e\bes\bsc\bca\bap\bpe\bes\bs
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+ pleases, including run other programs. This can be a security issue
+ since it is not uncommon for a program to allow shell escapes, which lets
+ a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs that
+ permit shell escapes include shells (obviously), editors, paginators,
+ mail and terminal programs.
+
+ There are two basic approaches to this problem:
+
+ restrict Avoid giving users access to commands that allow the user to
+ run arbitrary commands. Many editors have a restricted mode
+ where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large number
+ of programs that offer shell escapes, restricting users to the
+ set of programs that do not is often unworkable.
+
+ noexec Many systems that support shared libraries have the ability to
+ override default library functions by pointing an environment
+ variable (usually LD_PRELOAD) to an alternate shared library.
+ On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can be used to
+ prevent a program run by s\bsu\bud\bdo\bo from executing any other
+ programs. Note, however, that this applies only to native
+ dynamically-linked executables. Statically-linked executables
+ and foreign executables running under binary emulation are not
+ affected.
+
+ The _\bn_\bo_\be_\bx_\be_\bc feature is known to work on SunOS, Solaris, *BSD,
+ Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
+ above. It should be supported on most operating systems that
+ support the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic linker (usually
+ ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
+ LD_PRELOAD is supported.
+
+ On Solaris 10 and higher, _\bn_\bo_\be_\bx_\be_\bc uses Solaris privileges
+ instead of the LD_PRELOAD environment variable.
+
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
+ documented in the User Specification section above. Here is
+ that example again:
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands from
+ executing other commands (such as a shell). If you are unsure
+ whether or not your system is capable of supporting _\bn_\bo_\be_\bx_\be_\bc you
+ can always just try it out and check whether shell escapes work
+ when _\bn_\bo_\be_\bx_\be_\bc is enabled.
+
+ Note that restricting shell escapes is not a panacea. Programs running
+ as root are still capable of many potentially hazardous operations (such
+ as changing or overwriting files) that could lead to unintended privilege
+ escalation. In the specific case of an editor, a safer approach is to
+ give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
T\bTi\bim\bme\be s\bst\bta\bam\bmp\bp f\bfi\bil\ble\be c\bch\bhe\bec\bck\bks\bs
- _\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
- not owned by root or if it is writable by a user other than root. On
- systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
- the time stamp directory is located in a world-writable directory
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
- directory before s\bsu\bud\bdo\bo is run. However, because _\bs_\bu_\bd_\bo_\be_\br_\bs checks the
- ownership and mode of the directory and its contents, the only damage
- that can be done is to "hide" files by putting them in the time stamp
- dir. This is unlikely to happen since once the time stamp dir is owned
- by root and inaccessible by any other user, the user placing files
- there would be unable to get them back out.
-
- _\bs_\bu_\bd_\bo_\be_\br_\bs will not honor time stamps set far in the future. Time stamps
- with a date greater than current_time + 2 * TIMEOUT will be ignored and
- sudo will log and complain. This is done to keep a user from creating
- his/her own time stamp with a bogus date on systems that allow users to
- give away files if the time stamp directory is located in a world-
- writable directory.
-
- On systems where the boot time is available, _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore time
- stamps that date from before the machine booted.
-
- Since time stamp files live in the file system, they can outlive a
- user's login session. As a result, a user may be able to login, run a
- command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
- s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
- modification time is within 5 minutes (or whatever the timeout is set
- to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled, the time stamp
- has per-tty granularity but still may outlive the user's session. On
- Linux systems where the devpts filesystem is used, Solaris systems with
- the devices filesystem, as well as other systems that utilize a devfs
- filesystem that monotonically increase the inode number of devices as
- they are created (such as Mac OS X), _\bs_\bu_\bd_\bo_\be_\br_\bs is able to determine when
- a tty-based time stamp file is stale and will ignore it.
- Administrators should not rely on this feature as it is not universally
- available.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ not owned by root or if it is writable by a user other than root. On
+ systems that allow non-root users to give away files via chown(2), if the
+ time stamp directory is located in a world-writable directory (e.g.,
+ _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp directory
+ before s\bsu\bud\bdo\bo is run. However, because _\bs_\bu_\bd_\bo_\be_\br_\bs checks the ownership and
+ mode of the directory and its contents, the only damage that can be done
+ is to ``hide'' files by putting them in the time stamp dir. This is
+ unlikely to happen since once the time stamp dir is owned by root and
+ inaccessible by any other user, the user placing files there would be
+ unable to get them back out.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs will not honor time stamps set far in the future. Time stamps
+ with a date greater than current_time + 2 * TIMEOUT will be ignored and
+ sudo will log and complain. This is done to keep a user from creating
+ his/her own time stamp with a bogus date on systems that allow users to
+ give away files if the time stamp directory is located in a world-
+ writable directory.
+
+ On systems where the boot time is available, _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore time
+ stamps that date from before the machine booted.
+
+ Since time stamp files live in the file system, they can outlive a user's
+ login session. As a result, a user may be able to login, run a command
+ with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run s\bsu\bud\bdo\bo without
+ authenticating so long as the time stamp file's modification time is
+ within 5 minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When
+ the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled, the time stamp has per-tty granularity
+ but still may outlive the user's session. On Linux systems where the
+ devpts filesystem is used, Solaris systems with the devices filesystem,
+ as well as other systems that utilize a devfs filesystem that
+ monotonically increase the inode number of devices as they are created
+ (such as Mac OS X), _\bs_\bu_\bd_\bo_\be_\br_\bs is able to determine when a tty-based time
+ stamp file is stale and will ignore it. Administrators should not rely
+ on this feature as it is not universally available.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bm_\bk_\bt_\be_\bm_\bp(3), _\bs_\bt_\br_\bf_\bt_\bi_\bm_\be(3),
- _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\ba_\bp(4), _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+ ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
+ sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
- locks the file and does grammatical checking. It is imperative that
- _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
- syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
+ locks the file and does grammatical checking. It is imperative that
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- When using netgroups of machines (as opposed to users), if you store
- fully qualified host name in the netgroup (as is usually the case), you
- either need to have the machine's host name be fully qualified as
- returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified host name in the netgroup (as is usually the case), you
+ either need to have the machine's host name be fully qualified as
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.8.5 March 28, 2012 SUDOERS(4)
+Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
+SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m)
N\bNA\bAM\bME\bE
- sudoers.ldap - sudo LDAP configuration
+ s\bsu\bud\bdo\boe\ber\brs\bs.\b.l\bld\bda\bap\bp - sudo LDAP configuration
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
- LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
- large, distributed environment.
-
- Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
-
- o s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
- used, there are only two or three LDAP queries per invocation.
- This makes it especially fast and particularly usable in LDAP
- environments.
-
- o s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
- possible to load LDAP data into the server that does not conform to
- the sudoers schema, so proper syntax is guaranteed. It is still
- possible to have typos in a user or host name, but this will not
- prevent s\bsu\bud\bdo\bo from running.
-
- o It is possible to specify per-entry options that override the
- global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
- and limited options associated with user/host/commands/aliases.
- The syntax is complicated and can be difficult for users to
- understand. Placing the options directly in the entry is more
- natural.
-
- o The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
- and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
- are atomic, locking is no longer necessary. Because syntax is
- checked when the data is inserted into LDAP, there is no need for a
- specialized tool to check syntax.
-
- Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
- LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
-
- For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
- Unix groups or user netgroups can be used in place of User_Aliases and
- Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
- Since Unix groups and netgroups can also be stored in LDAP there is no
- real need for s\bsu\bud\bdo\bo-specific aliases.
-
- Cmnd_Aliases are not really required either since it is possible to
- have multiple users listed in a sudoRole. Instead of defining a
- Cmnd_Alias that is referenced by multiple users, one can create a
- sudoRole that contains the commands and assign multiple users to it.
+ In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
+ LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
+ large, distributed environment.
+
+ Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
+
+ o\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
+ used, there are only two or three LDAP queries per invocation. This
+ makes it especially fast and particularly usable in LDAP
+ environments.
+
+ o\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
+ possible to load LDAP data into the server that does not conform to
+ the sudoers schema, so proper syntax is guaranteed. It is still
+ possible to have typos in a user or host name, but this will not
+ prevent s\bsu\bud\bdo\bo from running.
+
+ o\bo It is possible to specify per-entry options that override the global
+ default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options and
+ limited options associated with user/host/commands/aliases. The
+ syntax is complicated and can be difficult for users to understand.
+ Placing the options directly in the entry is more natural.
+
+ o\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking and
+ syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates are
+ atomic, locking is no longer necessary. Because syntax is checked
+ when the data is inserted into LDAP, there is no need for a
+ specialized tool to check syntax.
+
+ Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
+ LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
+
+ For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
+ Unix groups or user netgroups can be used in place of User_Aliases and
+ Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
+ Since Unix groups and netgroups can also be stored in LDAP there is no
+ real need for s\bsu\bud\bdo\bo-specific aliases.
+
+ Cmnd_Aliases are not really required either since it is possible to have
+ multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias
+ that is referenced by multiple users, one can create a sudoRole that
+ contains the commands and assign multiple users to it.
S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
- The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP
- container.
-
- Sudo first looks for the cn=default entry in the SUDOers container. If
- found, the multi-valued sudoOption attribute is parsed in the same
- manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
- example, the SSH_AUTH_SOCK variable will be preserved in the
- environment for all users.
-
- dn: cn=defaults,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: defaults
- description: Default sudoOption's go here
- sudoOption: env_keep+=SSH_AUTH_SOCK
-
- The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
- following attributes:
-
- s\bsu\bud\bdo\boU\bUs\bse\ber\br
- A user name, user ID (prefixed with '#'), Unix group (prefixed with
- '%'), Unix group ID (prefixed with '%#'), or user netgroup
- (prefixed with '+').
-
- s\bsu\bud\bdo\boH\bHo\bos\bst\bt
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP container.
+
+ Sudo first looks for the cn=default entry in the SUDOers container. If
+ found, the multi-valued sudoOption attribute is parsed in the same manner
+ as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following example, the
+ SSH_AUTH_SOCK variable will be preserved in the environment for all
+ users.
+
+ dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: defaults
+ description: Default sudoOption's go here
+ sudoOption: env_keep+=SSH_AUTH_SOCK
+
+ The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
+ following attributes:
+
+ s\bsu\bud\bdo\boU\bUs\bse\ber\br
+ A user name, user ID (prefixed with `#'), Unix group (prefixed with
+ `%'), Unix group ID (prefixed with `%#'), or user netgroup
+ (prefixed with `+').
+
+ s\bsu\bud\bdo\boH\bHo\bos\bst\bt
A host name, IP address, IP network, or host netgroup (prefixed
- with a '+'). The special value ALL will match any host.
+ with a `+'). The special value ALL will match any host.
- s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
+ s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards). The special value
ALL will match any command. If a command is prefixed with an
- exclamation point '!', the user will be prohibited from running
+ exclamation point `!', the user will be prohibited from running
that command.
- s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
+ s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
Identical in function to the global options described above, but
specific to the sudoRole in which it resides.
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
- A user name or uid (prefixed with '#') that commands may be run as
- or a Unix group (prefixed with a '%') or user netgroup (prefixed
- with a '+') that contains a list of users that commands may be run
+ s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
+ A user name or uid (prefixed with `#') that commands may be run as
+ or a Unix group (prefixed with a `%') or user netgroup (prefixed
+ with a `+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
attribute instead.
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
- A Unix group or gid (prefixed with '#') that commands may be run
+ s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
+ A Unix group or gid (prefixed with `#') that commands may be run
as. The special value ALL will match any group.
The sudoRunAsGroup attribute is only available in s\bsu\bud\bdo\bo versions
1.7.0 and higher.
- s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
+ s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
a start date/time for when the sudoRole will be valid. If multiple
sudoNotBefore entries are present, the earliest is used. Note that
1.7.5 and higher and must be explicitly enabled via the
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
- s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
A timestamp in the form yyyymmddHHMMSSZ that indicates an
expiration date/time, after which the sudoRole will no longer be
valid. If multiple sudoNotBefore entries are present, the last one
and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
- s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
+ s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
The sudoRole entries retrieved from the LDAP directory have no
inherent order. The sudoOrder attribute is an integer (or floating
point value for LDAP servers that support it) that is used to sort
more closely mimic the behaviour of the sudoers file, where the of
the entries influences the result. If multiple entries match, the
entry with the highest sudoOrder attribute is chosen. This
- corresponds to the "last match" behavior of the sudoers file. If
+ corresponds to the ``last match'' behavior of the sudoers file. If
the sudoOrder attribute is not present, a value of 0 is assumed.
The sudoOrder attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
and higher.
- Each attribute listed above should contain a single value, but there
- may be multiple instances of each attribute type. A sudoRole must
- contain at least one sudoUser, sudoHost and sudoCommand.
+ Each attribute listed above should contain a single value, but there may
+ be multiple instances of each attribute type. A sudoRole must contain at
+ least one sudoUser, sudoHost and sudoCommand.
- The following example allows users in group wheel to run any command on
- any host via s\bsu\bud\bdo\bo:
+ The following example allows users in group wheel to run any command on
+ any host via s\bsu\bud\bdo\bo:
- dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: %wheel
- sudoUser: %wheel
- sudoHost: ALL
- sudoCommand: ALL
+ dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: %wheel
+ sudoUser: %wheel
+ sudoHost: ALL
+ sudoCommand: ALL
A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
- When looking up a sudoer using LDAP there are only two or three LDAP
- queries per invocation. The first query is to parse the global
- options. The second is to match against the user's name and the groups
- that the user belongs to. (The special ALL tag is matched in this
- query too.) If no match is returned for the user's name and groups, a
- third query returns all entries containing user netgroups and checks to
- see if the user belongs to any of them.
-
- If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
- directive, the LDAP queries include a subfilter that limits retrieval
- to entries that satisfy the time constraints, if any.
+ When looking up a sudoer using LDAP there are only two or three LDAP
+ queries per invocation. The first query is to parse the global options.
+ The second is to match against the user's name and the groups that the
+ user belongs to. (The special ALL tag is matched in this query too.) If
+ no match is returned for the user's name and groups, a third query
+ returns all entries containing user netgroups and checks to see if the
+ user belongs to any of them.
+
+ If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
+ directive, the LDAP queries include a subfilter that limits retrieval to
+ entries that satisfy the time constraints, if any.
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
- There are some subtle differences in the way sudoers is handled once in
- LDAP. Probably the biggest is that according to the RFC, LDAP ordering
- is arbitrary and you cannot expect that Attributes and Entries are
- returned in any specific order.
-
- The order in which different entries are applied can be controlled
- using the sudoOrder attribute, but there is no way to guarantee the
- order of attributes within a specific entry. If there are conflicting
- command rules in an entry, the negative takes precedence. This is
- called paranoid behavior (not necessarily the most specific match).
-
- Here is an example:
-
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
-
- # LDAP equivalent of johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
-
- # LDAP equivalent of puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
- sudoCommand: ALL
-
- Another difference is that negations on the Host, User or Runas are
- currently ignored. For example, the following attributes do not behave
- the way one might expect.
-
- # does not match all but joe
- # rather, does not match anyone
- sudoUser: !joe
-
- # does not match all but joe
- # rather, matches everyone including Joe
- sudoUser: ALL
- sudoUser: !joe
-
- # does not match all but web01
- # rather, matches all hosts including web01
- sudoHost: ALL
- sudoHost: !web01
-
- S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
- In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed
- on your LDAP server. In addition, be sure to index the 'sudoUser'
- attribute.
-
- Three versions of the schema: one for OpenLDAP servers
- (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt),
- and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
- found in the s\bsu\bud\bdo\bo distribution.
-
- The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
- section.
+ There are some subtle differences in the way sudoers is handled once in
+ LDAP. Probably the biggest is that according to the RFC, LDAP ordering
+ is arbitrary and you cannot expect that Attributes and Entries are
+ returned in any specific order.
+
+ The order in which different entries are applied can be controlled using
+ the sudoOrder attribute, but there is no way to guarantee the order of
+ attributes within a specific entry. If there are conflicting command
+ rules in an entry, the negative takes precedence. This is called
+ paranoid behavior (not necessarily the most specific match).
+
+ Here is an example:
+
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
+
+ # LDAP equivalent of johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
+
+ # LDAP equivalent of puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
+ sudoCommand: ALL
+
+ Another difference is that negations on the Host, User or Runas are
+ currently ignored. For example, the following attributes do not behave
+ the way one might expect.
+
+ # does not match all but joe
+ # rather, does not match anyone
+ sudoUser: !joe
+
+ # does not match all but joe
+ # rather, matches everyone including Joe
+ sudoUser: ALL
+ sudoUser: !joe
+
+ # does not match all but web01
+ # rather, matches all hosts including web01
+ sudoHost: ALL
+ sudoHost: !web01
+
+ S\bSu\bud\bdo\boe\ber\brs\bs s\bsc\bch\bhe\bem\bma\ba
+ In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed on
+ your LDAP server. In addition, be sure to index the sudoUser attribute.
+
+ Three versions of the schema: one for OpenLDAP servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP),
+ one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt), and one for Microsoft
+ Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be found in the s\bsu\bud\bdo\bo
+ distribution.
+
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is also included in the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS
+ section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
- Typically, this file is shared amongst different LDAP-aware clients.
- As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
- parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
- those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
+ Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
+ Typically, this file is shared amongst different LDAP-aware clients. As
+ such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo parses
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from those
+ described in the system's ldap.conf(1m) manual.
- Also note that on systems using the OpenLDAP libraries, default values
- specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
- not used.
+ Also note that on systems using the OpenLDAP libraries, default values
+ specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are not
+ used.
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being
- supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
- in upper case but are parsed in a case-independent manner.
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being supported
+ by s\bsu\bud\bdo\bo are honored. Configuration options are listed below in upper
+ case but are parsed in a case-independent manner.
- U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
+ U\bUR\bRI\bI _\bl_\bd_\ba_\bp_\b[_\bs_\b]_\b:_\b/_\b/_\b[_\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be_\b[_\b:_\bp_\bo_\br_\bt_\b]_\b] _\b._\b._\b.
Specifies a whitespace-delimited list of one or more URIs
describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
- either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
+ either _\bl_\bd_\ba_\bp _\bl_\bd_\ba_\bp_\bs, the latter being for servers that support TLS
(SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
- s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
+ s\bsu\bud\bdo\bo will connect to _\bl_\bo_\bc_\ba_\bl_\bh_\bo_\bs_\bt. Multiple U\bUR\bRI\bI lines are treated
identically to a U\bUR\bRI\bI line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
- and ldaps:// URIs. The Netscape-derived libraries used on most
- commercial versions of Unix are only capable of supporting one or
- the other.
+ and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
+ libraries used on most commercial versions of Unix are only capable
+ of supporting one or the other.
- H\bHO\bOS\bST\bT name[:port] ...
+ H\bHO\bOS\bST\bT _\bn_\ba_\bm_\be_\b[_\b:_\bp_\bo_\br_\bt_\b] _\b._\b._\b.
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
- include an optional _\bp_\bo_\br_\bt separated by a colon (':'). The H\bHO\bOS\bST\bT
+ include an optional _\bp_\bo_\br_\bt separated by a colon (`:'). The H\bHO\bOS\bST\bT
parameter is deprecated in favor of the U\bUR\bRI\bI specification and is
included for backwards compatibility.
- P\bPO\bOR\bRT\bT port_number
+ P\bPO\bOR\bRT\bT _\bp_\bo_\br_\bt_\b__\bn_\bu_\bm_\bb_\be_\br
If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies the default
port to connect to on the LDAP server if a H\bHO\bOS\bST\bT parameter does not
specify the port itself. If no P\bPO\bOR\bRT\bT parameter is used, the default
P\bPO\bOR\bRT\bT parameter is deprecated in favor of the U\bUR\bRI\bI specification and
is included for backwards compatibility.
- B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in
seconds, to wait while trying to connect to an LDAP server. If
multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
wait before trying the next one in the list.
- N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT for OpenLDAP compatibility.
- T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
- T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ T\bTI\bIM\bME\bEO\bOU\bUT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
The T\bTI\bIM\bME\bEO\bOU\bUT\bT parameter specifies the amount of time, in seconds, to
wait for a response from the various LDAP APIs.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE _\bb_\ba_\bs_\be
The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR ldap_filter
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR _\bl_\bd_\ba_\bp_\b__\bf_\bi_\bl_\bt_\be_\br
An LDAP filter which is used to restrict the set of records
returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
the form attribute=value or
(&(attribute=value)(attribute2=value2)).
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG _\bd_\be_\bb_\bu_\bg_\b__\bl_\be_\bv_\be_\bl
This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
be set in a production environment as the extra information is
likely to confuse users.
- B\bBI\bIN\bND\bDD\bDN\bN DN
+ B\bBI\bIN\bND\bDD\bDN\bN _\bD_\bN
The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous
access.
- B\bBI\bIN\bND\bDP\bPW\bW secret
+ B\bBI\bIN\bND\bDP\bPW\bW _\bs_\be_\bc_\br_\be_\bt
The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
B\bBI\bIN\bND\bDD\bDN\bN parameter.
- R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
+ R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN _\bD_\bN
The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs queries. The password corresponding to
the identity should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not
specified, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
- L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN number
+ L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN _\bn_\bu_\bm_\bb_\be_\br
The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3.
- S\bSS\bSL\bL on/true/yes/off/false/no
+ S\bSS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636
(ldaps).
- S\bSS\bSL\bL start_tls
+ S\bSS\bSL\bL _\bs_\bt_\ba_\br_\bt_\b__\bt_\bl_\bs
If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the
- start_tls extension, such as the OpenLDAP server.
+ _\bs_\bt_\ba_\br_\bt_\b__\bt_\bl_\bs extension, such as the OpenLDAP and Tivoli Directory
+ servers.
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
the check creates an opportunity for man-in-the-middle attacks
since the server's identity will not be authenticated. If
possible, the CA's certificate should be installed locally so it
- can be verified.
+ can be verified. This option is not supported by the Tivoli
+ Directory Server LDAP libraries.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
libraries use the same certificate database for CA and client
certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
_\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
OpenLDAP libraries.
- T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT file name
+ T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to a file containing the client certificate which can be
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
OpenLDAP:
- tls_cert /etc/ssl/client_cert.pem
+ tls_cert /etc/ssl/client_cert.pem
Netscape-derived:
- tls_cert /var/ldap/cert7.db
+ tls_cert /var/ldap/cert7.db
- When using Netscape-derived libraries, this file may also contain
- Certificate Authority certificates.
+ Tivoli Directory Server:
+ Unused, the key database specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY contains both
+ keys and certificates.
- T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
+ When using Netscape-derived libraries, this file may also
+ contain Certificate Authority certificates.
+
+ T\bTL\bLS\bS_\b_K\bKE\bEY\bY _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to a file containing the private key which matches the
certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
OpenLDAP:
- tls_key /etc/ssl/client_key.pem
+ tls_key /etc/ssl/client_key.pem
Netscape-derived:
- tls_key /var/ldap/key3.db
-
- T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
+ tls_key /var/ldap/key3.db
+
+ Tivoli Directory Server:
+ tls_cert /usr/ldap/ldapkey.kdb
+ When using Tivoli LDAP libraries, this file may also contain
+ Certificate Authority and client certificates and may be encrypted.
+
+ T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW _\bs_\be_\bc_\br_\be_\bt
+ The T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW contains the password used to decrypt the key
+ database on clients using the Tivoli Directory Server LDAP library.
+ If no T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW is specified, a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be will be used if it
+ exists. The _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be must have the same path as the file
+ specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY, but use a .sth file extension instead of
+ .kdb, e.g. ldapkey.sth. The default ldapkey.kdb that ships with
+ Tivoli Directory Server is encrypted with the password
+ ssl_password. This option is only supported by the Tivoli LDAP
+ libraries.
+
+ T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd. This option is only supported by
the OpenLDAP libraries.
- T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS cipher list
+ T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS _\bc_\bi_\bp_\bh_\be_\br _\bl_\bi_\bs_\bt
The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
- the OpenSSL manual for a list of valid ciphers. This option is
- only supported by the OpenLDAP libraries.
+ the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ ciphers. This option is not supported by Netscape-derived
+ libraries.
- U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
- S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD _\bi_\bd_\be_\bn_\bt_\bi_\bt_\by
The SASL user name to use when connecting to the LDAP server. By
default, s\bsu\bud\bdo\bo will use an anonymous connection.
- R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
- R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD _\bi_\bd_\be_\bn_\bt_\bi_\bt_\by
The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
- S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
+ S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS _\bn_\bo_\bn_\be_\b/_\bp_\br_\bo_\bp_\be_\br_\bt_\bi_\be_\bs
SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
programmer's manual for details.
- K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
+ K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
- D\bDE\bER\bRE\bEF\bF never/searching/finding/always
+ D\bDE\bER\bRE\bEF\bF _\bn_\be_\bv_\be_\br_\b/_\bs_\be_\ba_\br_\bc_\bh_\bi_\bn_\bg_\b/_\bf_\bi_\bn_\bd_\bi_\bn_\bg_\b/_\ba_\bl_\bw_\ba_\by_\bs
How alias dereferencing is to be performed when searching. See the
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual for a full description of this option.
+ ldap.conf(1m) manual for a full description of this option.
- See the ldap.conf entry in the EXAMPLES section.
+ See the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf entry in the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
- Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
- Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
- Sudo looks for a line beginning with sudoers: and uses this to
- determine the search order. Note that s\bsu\bud\bdo\bo does not stop searching
- after the first match and later matches take precedence over earlier
- ones.
+ Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
+ Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
+ Sudo looks for a line beginning with sudoers: and uses this to determine
+ the search order. Note that s\bsu\bud\bdo\bo does not stop searching after the first
+ match and later matches take precedence over earlier ones. The following
+ sources are recognized:
- The following sources are recognized:
+ files read sudoers from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
+ ldap read sudoers from LDAP
- files read sudoers from F</etc/sudoers>
- ldap read sudoers from LDAP
+ In addition, the entry [NOTFOUND=return] will short-circuit the search if
+ the user was not found in the preceding source.
- In addition, the entry [NOTFOUND=return] will short-circuit the search
- if the user was not found in the preceding source.
+ To consult LDAP first followed by the local sudoers file (if it exists),
+ use:
- To consult LDAP first followed by the local sudoers file (if it
- exists), use:
+ sudoers: ldap files
- sudoers: ldap files
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+ sudoers: ldap
- sudoers: ldap
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
+ line, the following default is assumed:
- If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
- line, the following default is assumed:
+ sudoers: files
- sudoers: files
-
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
- operating system does not use an nsswitch.conf file.
+ Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
+ operating system does not use an nsswitch.conf file, except on AIX (see
+ below).
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
- On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
- _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
- file format itself still applies.
+ On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
+ _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the file
+ format itself still applies.
- To consult LDAP first followed by the local sudoers file (if it
- exists), use:
+ To consult LDAP first followed by the local sudoers file (if it exists),
+ use:
- sudoers = ldap, files
+ sudoers = ldap, files
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
- sudoers = ldap
+ sudoers = ldap
- To treat LDAP as authoratative and only use the local sudoers file if
- the user is not present in LDAP, use:
+ To treat LDAP as authoratative and only use the local sudoers file if the
+ user is not present in LDAP, use:
- sudoers = ldap = auth, files
+ sudoers = ldap = auth, files
- Note that in the above example, the auth qualfier only affects user
- lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
+ Note that in the above example, the auth qualfier only affects user
+ lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
- If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
- line, the following default is assumed:
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers line,
+ the following default is assumed:
- sudoers = files
+ sudoers = files
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- # Either specify one or more URIs or one or more host:port pairs.
- # If neither is specified sudo will default to localhost, port 389.
- #
- #host ldapserver
- #host ldapserver1 ldapserver2:390
- #
- # Default port if host is specified without one, defaults to 389.
- #port 389
- #
- # URI will override the host and port settings.
- uri ldap://ldapserver
- #uri ldaps://secureldapserver
- #uri ldaps://secureldapserver ldap://ldapserver
- #
- # The amount of time, in seconds, to wait while trying to connect to
- # an LDAP server.
- bind_timelimit 30
- #
- # The amount of time, in seconds, to wait while performing an LDAP query.
- timelimit 30
- #
- # Must be set or sudo will ignore LDAP; may be specified multiple times.
- sudoers_base ou=SUDOers,dc=example,dc=com
- #
- # verbose sudoers matching from ldap
- #sudoers_debug 2
- #
- # Enable support for time-based entries in sudoers.
- #sudoers_timed yes
- #
- # optional proxy credentials
- #binddn <who to search as>
- #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
- #
- # LDAP protocol version, defaults to 3
- #ldap_version 3
- #
- # Define if you want to use an encrypted LDAP connection.
- # Typically, you must also set the port to 636 (ldaps).
- #ssl on
- #
- # Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent.
- # Only supported by LDAP servers that support the start_tls
- # extension such as OpenLDAP.
- #ssl start_tls
- #
- # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection.
- #
- #tls_checkpeer yes # verify server SSL certificate
- #tls_checkpeer no # ignore server SSL certificate
- #
- # If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir. Only supported when using OpenLDAP.
- #
- #tls_cacertfile /etc/certs/trusted_signers.pem
- #tls_cacertdir /etc/certs
- #
- # For systems that don't have /dev/random
- # use this along with PRNGD or EGD.pl to seed the
- # random number pool to generate cryptographic session keys.
- # Only supported when using OpenLDAP.
- #
- #tls_randfile /etc/egd-pool
- #
- # You may restrict which ciphers are used. Consult your SSL
- # documentation for which options go here.
- # Only supported when using OpenLDAP.
- #
- #tls_ciphers <cipher-list>
- #
- # Sudo can provide a client certificate when communicating to
- # the LDAP server.
- # Tips:
- # * Enable both lines at the same time.
- # * Do not password protect the key file.
- # * Ensure the keyfile is only readable by root.
- #
- # For OpenLDAP:
- #tls_cert /etc/certs/client_cert.pem
- #tls_key /etc/certs/client_key.pem
- #
- # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
- # a directory, in which case the files in the directory must have the
- # default names (e.g. cert8.db and key4.db), or the path to the cert
- # and key files themselves. However, a bug in version 5.0 of the LDAP
- # SDK will prevent specific file names from working. For this reason
- # it is suggested that tls_cert and tls_key be set to a directory,
- # not a file name.
- #
- # The certificate database specified by tls_cert may contain CA certs
- # and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
- # For backward compatibility, "sslpath" may be used in place of tls_cert.
- #tls_cert /var/ldap
- #tls_key /var/ldap
- #
- # If using SASL authentication for LDAP (OpenSSL)
- # use_sasl yes
- # sasl_auth_id <SASL user name>
- # rootuse_sasl yes
- # rootsasl_auth_id <SASL user name for root access>
- # sasl_secprops none
- # krb5_ccname /etc/.ldapcache
+ # Either specify one or more URIs or one or more host:port pairs.
+ # If neither is specified sudo will default to localhost, port 389.
+ #
+ #host ldapserver
+ #host ldapserver1 ldapserver2:390
+ #
+ # Default port if host is specified without one, defaults to 389.
+ #port 389
+ #
+ # URI will override the host and port settings.
+ uri ldap://ldapserver
+ #uri ldaps://secureldapserver
+ #uri ldaps://secureldapserver ldap://ldapserver
+ #
+ # The amount of time, in seconds, to wait while trying to connect to
+ # an LDAP server.
+ bind_timelimit 30
+ #
+ # The amount of time, in seconds, to wait while performing an LDAP query.
+ timelimit 30
+ #
+ # Must be set or sudo will ignore LDAP; may be specified multiple times.
+ sudoers_base ou=SUDOers,dc=example,dc=com
+ #
+ # verbose sudoers matching from ldap
+ #sudoers_debug 2
+ #
+ # Enable support for time-based entries in sudoers.
+ #sudoers_timed yes
+ #
+ # optional proxy credentials
+ #binddn <who to search as>
+ #bindpw <password>
+ #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
+ #
+ # LDAP protocol version, defaults to 3
+ #ldap_version 3
+ #
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
+ # Define if you want to use port 389 and switch to
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
+ #ssl start_tls
+ #
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection.
+ #
+ #tls_checkpeer yes # verify server SSL certificate
+ #tls_checkpeer no # ignore server SSL certificate
+ #
+ # If you enable tls_checkpeer, specify either tls_cacertfile
+ # or tls_cacertdir. Only supported when using OpenLDAP.
+ #
+ #tls_cacertfile /etc/certs/trusted_signers.pem
+ #tls_cacertdir /etc/certs
+ #
+ # For systems that don't have /dev/random
+ # use this along with PRNGD or EGD.pl to seed the
+ # random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_randfile /etc/egd-pool
+ #
+ # You may restrict which ciphers are used. Consult your SSL
+ # documentation for which options go here.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_ciphers <cipher-list>
+ #
+ # Sudo can provide a client certificate when communicating to
+ # the LDAP server.
+ # Tips:
+ # * Enable both lines at the same time.
+ # * Do not password protect the key file.
+ # * Ensure the keyfile is only readable by root.
+ #
+ # For OpenLDAP:
+ #tls_cert /etc/certs/client_cert.pem
+ #tls_key /etc/certs/client_key.pem
+ #
+ # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+ # a directory, in which case the files in the directory must have the
+ # default names (e.g. cert8.db and key4.db), or the path to the cert
+ # and key files themselves. However, a bug in version 5.0 of the LDAP
+ # SDK will prevent specific file names from working. For this reason
+ # it is suggested that tls_cert and tls_key be set to a directory,
+ # not a file name.
+ #
+ # The certificate database specified by tls_cert may contain CA certs
+ # and/or the client's cert. If the client's cert is included, tls_key
+ # should be specified as well.
+ # For backward compatibility, "sslpath" may be used in place of tls_cert.
+ #tls_cert /var/ldap
+ #tls_key /var/ldap
+ #
+ # If using SASL authentication for LDAP (OpenSSL)
+ # use_sasl yes
+ # sasl_auth_id <SASL user name>
+ # rootuse_sasl yes
+ # rootsasl_auth_id <SASL user name for root access>
+ # sasl_secprops none
+ # krb5_ccname /etc/.ldapcache
S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
- The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
- and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
- schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
- line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
- DESC 'Start of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.9
- NAME 'sudoNotAfter'
- DESC 'End of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
- NAME 'sudoOrder'
- DESC 'an integer to order the sudoRole entries'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
- sudoOrder $ description )
- )
+ The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
+ and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
+ schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include line
+ in _\bs_\bl_\ba_\bp_\bd_\b._\bc_\bo_\bn_\bf and restart s\bsl\bla\bap\bpd\bd.
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
+ ldap.conf(1m), sudoers(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
- parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between
- LDAP and non-LDAP sudoers" section for more information.
+ Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
+ parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the _\bD_\bi_\bf_\bf_\be_\br_\be_\bn_\bc_\be_\bs _\bb_\be_\bt_\bw_\be_\be_\bn _\bL_\bD_\bA_\bP
+ _\ba_\bn_\bd _\bn_\bo_\bn_\b-_\bL_\bD_\bA_\bP _\bs_\bu_\bd_\bo_\be_\br_\bs section for more information.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.8.5 March 14, 2012 SUDOERS.LDAP(4)
+Sudo 1.8.6 July 12, 2012 Sudo 1.8.6
-.\" Copyright (c) 2003-2011
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
+.\"
+.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDOERS.LDAP" "8" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudoers.ldap \- sudo LDAP configuration
+\fBsudoers.ldap\fR
+\- sudo LDAP configuration
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
-via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
+In addition to the standard
+\fIsudoers\fR
+file,
+\fBsudo\fR
+may be configured
+via LDAP.
+This can be especially useful for synchronizing
+\fIsudoers\fR
in a large, distributed environment.
.PP
-Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
-.IP "\(bu" 4
-\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When
-\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
-This makes it especially fast and particularly usable in \s-1LDAP\s0
-environments.
-.IP "\(bu" 4
-\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
-It is not possible to load \s-1LDAP\s0 data into the server that does
+Using LDAP for
+\fIsudoers\fR
+has several benefits:
+.TP 4n
+\fBo\fR
+\fBsudo\fR
+no longer needs to read
+\fIsudoers\fR
+in its entirety.
+When LDAP is used, there are only two or three LDAP queries per invocation.
+This makes it especially fast and particularly usable in LDAP environments.
+.TP 4n
+\fBo\fR
+\fBsudo\fR
+no longer exits if there is a typo in
+\fIsudoers\fR.
+It is not possible to load LDAP data into the server that does
not conform to the sudoers schema, so proper syntax is guaranteed.
It is still possible to have typos in a user or host name, but
-this will not prevent \fBsudo\fR from running.
-.IP "\(bu" 4
+this will not prevent
+\fBsudo\fR
+from running.
+.TP 4n
+\fBo\fR
It is possible to specify per-entry options that override the global
-default options. \fI@sysconfdir@/sudoers\fR only supports default options and
-limited options associated with user/host/commands/aliases. The
-syntax is complicated and can be difficult for users to understand.
+default options.
+\fI@sysconfdir@/sudoers\fR
+only supports default options and limited options associated with
+user/host/commands/aliases.
+The syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
-.IP "\(bu" 4
-The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
-locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
-Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
-Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
+.TP 4n
+\fBo\fR
+The
+\fBvisudo\fR
+program is no longer needed.
+\fBvisudo\fR
+provides locking and syntax checking of the
+\fI@sysconfdir@/sudoers\fR
+file.
+Since LDAP updates are atomic, locking is no longer necessary.
+Because syntax is checked when the data is inserted into LDAP, there
is no need for a specialized tool to check syntax.
.PP
-Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
-is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
+Another major difference between LDAP and file-based
+\fIsudoers\fR
+is that in LDAP,
+\fBsudo\fR-specific
+Aliases are not supported.
.PP
-For the most part, there is really no need for \fBsudo\fR\-specific
-Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and Runas_Aliases. Host netgroups can be used in place
-of Host_Aliases. Since Unix groups and netgroups can also be stored
-in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
+For the most part, there is really no need for
+\fBsudo\fR-specific
+Aliases.
+Unix groups or user netgroups can be used in place of User_Aliases and
+Runas_Aliases.
+Host netgroups can be used in place of Host_Aliases.
+Since Unix groups and netgroups can also be stored in LDAP there is no
+real need for
+\fBsudo\fR-specific
+aliases.
.PP
Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining
-a Cmnd_Alias that is referenced by multiple users, one can create
-a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
-to it.
-.SS "SUDOers \s-1LDAP\s0 container"
-.IX Subsection "SUDOers LDAP container"
-The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
-container.
-.PP
-Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
-If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
-same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
-the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
-in the environment for all users.
+to have multiple users listed in a
+\fRsudoRole\fR.
+Instead of defining a Cmnd_Alias that is referenced by multiple users,
+one can create a
+\fRsudoRole\fR
+that contains the commands and assign multiple users to it.
+.SS "SUDOers LDAP container"
+The
+\fIsudoers\fR
+configuration is contained in the
+\fRou=SUDOers\fR
+LDAP container.
.PP
-.Vb 6
-\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com
-\& objectClass: top
-\& objectClass: sudoRole
-\& cn: defaults
-\& description: Default sudoOption\*(Aqs go here
-\& sudoOption: env_keep+=SSH_AUTH_SOCK
-.Ve
+Sudo first looks for the
+\fRcn=default\fR
+entry in the SUDOers container.
+If found, the multi-valued
+\fRsudoOption\fR
+attribute is parsed in the same manner as a global
+\fRDefaults\fR
+line in
+\fI@sysconfdir@/sudoers\fR.
+In the following example, the
+\fRSSH_AUTH_SOCK\fR
+variable will be preserved in the environment for all users.
+.nf
+.sp
+.RS 4n
+dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: env_keep+=SSH_AUTH_SOCK
+.RE
+.fi
.PP
-The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
-the following attributes:
-.IP "\fBsudoUser\fR" 4
-.IX Item "sudoUser"
-A user name, user \s-1ID\s0 (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
-\&\f(CW\*(Aq%\*(Aq\fR), Unix group \s-1ID\s0 (prefixed with \f(CW\*(Aq%#\*(Aq\fR), or user netgroup
-(prefixed with \f(CW\*(Aq+\*(Aq\fR).
-.IP "\fBsudoHost\fR" 4
-.IX Item "sudoHost"
-A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
-with a \f(CW\*(Aq+\*(Aq\fR).
-The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
-.IP "\fBsudoCommand\fR" 4
-.IX Item "sudoCommand"
+The equivalent of a sudoer in LDAP is a
+\fRsudoRole\fR.
+It consists of the following attributes:
+.TP 6n
+\fBsudoUser\fR
+A user name, user ID (prefixed with
+`#'),
+Unix group (prefixed with
+`%'),
+Unix group ID (prefixed with
+`%#'),
+or user netgroup (prefixed with
+`+').
+.TP 6n
+\fBsudoHost\fR
+A host name, IP address, IP network, or host netgroup (prefixed with a
+`+').
+The special value
+\fRALL\fR
+will match any host.
+.TP 6n
+\fBsudoCommand\fR
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards).
-The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
-If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
-user will be prohibited from running that command.
-.IP "\fBsudoOption\fR" 4
-.IX Item "sudoOption"
+The special value
+\fRALL\fR
+will match any command.
+If a command is prefixed with an exclamation point
+`\&!',
+the user will be prohibited from running that command.
+.TP 6n
+\fBsudoOption\fR
Identical in function to the global options described above, but
-specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
-.IP "\fBsudoRunAsUser\fR" 4
-.IX Item "sudoRunAsUser"
-A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
-as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
-with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
-run as.
-The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
-.Sp
-The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
+specific to the
+\fRsudoRole\fR
+in which it resides.
+.TP 6n
+\fBsudoRunAsUser\fR
+A user name or uid (prefixed with
+`#')
+that commands may be run as or a Unix group (prefixed with a
+`%')
+or user netgroup (prefixed with a
+`+')
+that contains a list of users that commands may be run as.
+The special value
+\fRALL\fR
+will match any user.
+.sp
+The
+\fRsudoRunAsUser\fR
+attribute is only available in
+\fBsudo\fR
+versions
+1.7.0 and higher.
+Older versions of
+\fBsudo\fR
+use the
+\fRsudoRunAs\fR
attribute instead.
-.IP "\fBsudoRunAsGroup\fR" 4
-.IX Item "sudoRunAsGroup"
-A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
-The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
-.Sp
-The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
+.TP 6n
+\fBsudoRunAsGroup\fR
+A Unix group or gid (prefixed with
+`#')
+that commands may be run as.
+The special value
+\fRALL\fR
+will match any group.
+.sp
+The
+\fRsudoRunAsGroup\fR
+attribute is only available in
+\fBsudo\fR
+versions
1.7.0 and higher.
-.IP "\fBsudoNotBefore\fR" 4
-.IX Item "sudoNotBefore"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
-a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
-multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
-Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone. The minute and seconds portions are optional,
-but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
-.Sp
-The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
-option in \fI@ldap_conf@\fR.
-.IP "\fBsudoNotAfter\fR" 4
-.IX Item "sudoNotAfter"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
-date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
-multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
-Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone. The minute and seconds portions are optional,
-but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
-.Sp
-The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
-option in \fI@ldap_conf@\fR.
-.IP "\fBsudoOrder\fR" 4
-.IX Item "sudoOrder"
-The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
-inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
-floating point value for \s-1LDAP\s0 servers that support it) that is used
-to sort the matching entries. This allows LDAP-based sudoers entries
-to more closely mimic the behaviour of the sudoers file, where the
-of the entries influences the result. If multiple entries match,
-the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This
-corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
-the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
-.Sp
-The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.5 and higher.
+.TP 6n
+\fBsudoNotBefore\fR
+A timestamp in the form
+\fRyyyymmddHHMMSSZ\fR
+that can be used to provide a start date/time for when the
+\fRsudoRole\fR
+will be valid.
+If multiple
+\fRsudoNotBefore\fR
+entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.sp
+The
+\fRsudoNotBefore\fR
+attribute is only available in
+\fBsudo\fR
+versions 1.7.5 and higher and must be explicitly enabled via the
+\fBSUDOERS_TIMED\fR
+option in
+\fI@ldap_conf@\fR.
+.TP 6n
+\fBsudoNotAfter\fR
+A timestamp in the form
+\fRyyyymmddHHMMSSZ\fR
+that indicates an expiration date/time, after which the
+\fRsudoRole\fR
+will no longer be valid.
+If multiple
+\fRsudoNotBefore\fR
+entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.sp
+The
+\fRsudoNotAfter\fR
+attribute is only available in
+\fBsudo\fR
+versions
+1.7.5 and higher and must be explicitly enabled via the
+\fBSUDOERS_TIMED\fR
+option in
+\fI@ldap_conf@\fR.
+.TP 6n
+\fBsudoOrder\fR
+The
+\fRsudoRole\fR
+entries retrieved from the LDAP directory have no inherent order.
+The
+\fRsudoOrder\fR
+attribute is an integer (or floating point value for LDAP servers
+that support it) that is used to sort the matching entries.
+This allows LDAP-based sudoers entries to more closely mimic the behaviour
+of the sudoers file, where the of the entries influences the result.
+If multiple entries match, the entry with the highest
+\fRsudoOrder\fR
+attribute is chosen.
+This corresponds to the
+``last match''
+behavior of the sudoers file.
+If the
+\fRsudoOrder\fR
+attribute is not present, a value of 0 is assumed.
+.sp
+The
+\fRsudoOrder\fR
+attribute is only available in
+\fBsudo\fR
+versions 1.7.5 and higher.
.PP
Each attribute listed above should contain a single value, but there
-may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must
-contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
+may be multiple instances of each attribute type.
+A
+\fRsudoRole\fR
+must contain at least one
+\fRsudoUser\fR,
+\fRsudoHost\fR
+and
+\fRsudoCommand\fR.
.PP
The following example allows users in group wheel to run any command
-on any host via \fBsudo\fR:
-.PP
-.Vb 7
-\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
-\& objectClass: top
-\& objectClass: sudoRole
-\& cn: %wheel
-\& sudoUser: %wheel
-\& sudoHost: ALL
-\& sudoCommand: ALL
-.Ve
-.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
-.IX Subsection "Anatomy of LDAP sudoers lookup"
-When looking up a sudoer using \s-1LDAP\s0 there are only two or three
-\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
-options. The second is to match against the user's name and the
-groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
-in this query too.) If no match is returned for the user's name
-and groups, a third query returns all entries containing user
-netgroups and checks to see if the user belongs to any of them.
+on any host via
+\fBsudo\fR:
+.nf
+.sp
+.RS 4n
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL
+.RE
+.fi
+.SS "Anatomy of LDAP sudoers lookup"
+When looking up a sudoer using LDAP there are only two or three
+LDAP queries per invocation.
+The first query is to parse the global options.
+The second is to match against the user's name and the groups that
+the user belongs to.
+(The special
+\fRALL\fR
+tag is matched in this query too.)
+If no match is returned for the user's name and groups, a third
+query returns all entries containing user netgroups and checks
+to see if the user belongs to any of them.
.PP
-If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
-directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
-to entries that satisfy the time constraints, if any.
-.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
-.IX Subsection "Differences between LDAP and non-LDAP sudoers"
+If timed entries are enabled with the
+\fBSUDOERS_TIMED\fR
+configuration directive, the LDAP queries include a subfilter that
+limits retrieval to entries that satisfy the time constraints, if any.
+.SS "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
-once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
-\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
-and Entries are returned in any specific order.
+once in LDAP.
+Probably the biggest is that according to the RFC, LDAP ordering
+is arbitrary and you cannot expect that Attributes and Entries are
+returned in any specific order.
.PP
The order in which different entries are applied can be controlled
-using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
-the order of attributes within a specific entry. If there are
-conflicting command rules in an entry, the negative takes precedence.
+using the
+\fRsudoOrder\fR
+attribute, but there is no way to guarantee the order of attributes
+within a specific entry.
+If there are conflicting command rules in an entry, the negative
+takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
.PP
Here is an example:
-.PP
-.Vb 5
-\& # /etc/sudoers:
-\& # Allow all commands except shell
-\& johnny ALL=(root) ALL,!/bin/sh
-\& # Always allows all commands because ALL is matched last
-\& puddles ALL=(root) !/bin/sh,ALL
-\&
-\& # LDAP equivalent of johnny
-\& # Allows all commands except shell
-\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
-\& objectClass: sudoRole
-\& objectClass: top
-\& cn: role1
-\& sudoUser: johnny
-\& sudoHost: ALL
-\& sudoCommand: ALL
-\& sudoCommand: !/bin/sh
-\&
-\& # LDAP equivalent of puddles
-\& # Notice that even though ALL comes last, it still behaves like
-\& # role1 since the LDAP code assumes the more paranoid configuration
-\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
-\& objectClass: sudoRole
-\& objectClass: top
-\& cn: role2
-\& sudoUser: puddles
-\& sudoHost: ALL
-\& sudoCommand: !/bin/sh
-\& sudoCommand: ALL
-.Ve
+.nf
+.sp
+.RS 4n
+# /etc/sudoers:
+# Allow all commands except shell
+johnny ALL=(root) ALL,!/bin/sh
+# Always allows all commands because ALL is matched last
+puddles ALL=(root) !/bin/sh,ALL
+
+# LDAP equivalent of johnny
+# Allows all commands except shell
+dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role1
+sudoUser: johnny
+sudoHost: ALL
+sudoCommand: ALL
+sudoCommand: !/bin/sh
+
+# LDAP equivalent of puddles
+# Notice that even though ALL comes last, it still behaves like
+# role1 since the LDAP code assumes the more paranoid configuration
+dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role2
+sudoUser: puddles
+sudoHost: ALL
+sudoCommand: !/bin/sh
+sudoCommand: ALL
+.RE
+.fi
.PP
Another difference is that negations on the Host, User or Runas are
-currently ignored. For example, the following attributes do not
-behave the way one might expect.
-.PP
-.Vb 3
-\& # does not match all but joe
-\& # rather, does not match anyone
-\& sudoUser: !joe
-\&
-\& # does not match all but joe
-\& # rather, matches everyone including Joe
-\& sudoUser: ALL
-\& sudoUser: !joe
-\&
-\& # does not match all but web01
-\& # rather, matches all hosts including web01
-\& sudoHost: ALL
-\& sudoHost: !web01
-.Ve
-.SS "Sudoers Schema"
-.IX Subsection "Sudoers Schema"
-In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
-installed on your \s-1LDAP\s0 server. In addition, be sure to index the
-\&'sudoUser' attribute.
+currently ignored.
+For example, the following attributes do not behave the way one might expect.
+.nf
+.sp
+.RS 4n
+# does not match all but joe
+# rather, does not match anyone
+sudoUser: !joe
+
+# does not match all but joe
+# rather, matches everyone including Joe
+sudoUser: ALL
+sudoUser: !joe
+
+# does not match all but web01
+# rather, matches all hosts including web01
+sudoHost: ALL
+sudoHost: !web01
+.RE
+.fi
+.SS "Sudoers schema"
+In order to use
+\fBsudo\fR's
+LDAP support, the
+\fBsudo\fR
+schema must be
+installed on your LDAP server.
+In addition, be sure to index the
+\fRsudoUser\fR
+attribute.
.PP
-Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
-one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
-Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
-be found in the \fBsudo\fR distribution.
+Three versions of the schema: one for OpenLDAP servers
+(\fIschema.OpenLDAP\fR),
+one for Netscape-derived servers
+(\fIschema.iPlanet\fR),
+and one for Microsoft Active Directory
+(\fIschema.ActiveDirectory\fR)
+may be found in the
+\fBsudo\fR
+distribution.
.PP
-The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
+The schema for
+\fBsudo\fR
+in OpenLDAP form is also included in the
+\fIEXAMPLES\fR
section.
.SS "Configuring ldap.conf"
-.IX Subsection "Configuring ldap.conf"
-Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
+Sudo reads the
+\fI@ldap_conf@\fR
+file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
-As such, most of the settings are not \fBsudo\fR\-specific. Note that
-\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
-that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
+As such, most of the settings are not
+\fBsudo\fR-specific.
+Note that
+\fBsudo\fR
+parses
+\fI@ldap_conf@\fR
+itself and may support options that differ from those described in the
+system's
+ldap.conf(@mansectsu@)
+manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
-values specified in \fI/etc/openldap/ldap.conf\fR or the user's
-\&\fI.ldaprc\fR files are not used.
+values specified in
+\fI/etc/openldap/ldap.conf\fR
+or the user's
+\fI.ldaprc\fR
+files are not used.
.PP
-Only those options explicitly listed in \fI@ldap_conf@\fR as being
-supported by \fBsudo\fR are honored. Configuration options are listed
-below in upper case but are parsed in a case-independent manner.
-.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
-.IX Item "URI ldap[s]://[hostname[:port]] ..."
+Only those options explicitly listed in
+\fI@ldap_conf@\fR
+as being supported by
+\fBsudo\fR
+are honored.
+Configuration options are listed below in upper case but are parsed
+in a case-independent manner.
+.TP 6n
+\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
Specifies a whitespace-delimited list of one or more URIs describing
-the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
-\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
-(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
-389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
-is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
-lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
-entries. Only systems using the OpenSSL libraries support the
-mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. The Netscape-derived
-libraries used on most commercial versions of Unix are only capable
-of supporting one or the other.
-.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
-.IX Item "HOST name[:port] ..."
-If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
-whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
-may include an optional \fIport\fR separated by a colon (':'). The
-\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
-and is included for backwards compatibility.
-.IP "\fB\s-1PORT\s0\fR port_number" 4
-.IX Item "PORT port_number"
-If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
-default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
-does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
-the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
-(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
+the LDAP server(s) to connect to.
+The
+\fIprotocol\fR
+may be either
+\fIldap\fR
+\fIldaps\fR,
+the latter being for servers that support TLS (SSL) encryption.
+If no
+\fIport\fR
+is specified, the default is port 389 for
+\fRldap://\fR
+or port 636 for
+\fRldaps://\fR.
+If no
+\fIhostname\fR
+is specified,
+\fBsudo\fR
+will connect to
+\fIlocalhost\fR.
+Multiple
+\fBURI\fR
+lines are treated identically to a
+\fBURI\fR
+line containing multiple entries.
+Only systems using the OpenSSL libraries support the mixing of
+\fRldap://\fR
+and
+\fRldaps://\fR
+URIs.
+Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
+versions of Unix are only capable of supporting one or the other.
+.TP 6n
+\fBHOST\fR \fIname[:port] ...\fR
+If no
+\fBURI\fR
+is specified, the
+\fBHOST\fR
+parameter specifies a whitespace-delimited list of LDAP servers to connect to.
+Each host may include an optional
+\fIport\fR
+separated by a colon
+(`:\&').
+The
+\fBHOST\fR
+parameter is deprecated in favor of the
+\fBURI\fR
specification and is included for backwards compatibility.
-.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
-.IX Item "BIND_TIMELIMIT seconds"
-The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
-to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
-\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
+.TP 6n
+\fBPORT\fR \fIport_number\fR
+If no
+\fBURI\fR
+is specified, the
+\fBPORT\fR
+parameter specifies the default port to connect to on the LDAP server if a
+\fBHOST\fR
+parameter does not specify the port itself.
+If no
+\fBPORT\fR
+parameter is used, the default is port 389 for LDAP and port 636 for LDAP
+over TLS (SSL).
+The
+\fBPORT\fR
+parameter is deprecated in favor of the
+\fBURI\fR
+specification and is included for backwards compatibility.
+.TP 6n
+\fBBIND_TIMELIMIT\fR \fIseconds\fR
+The
+\fBBIND_TIMELIMIT\fR
+parameter specifies the amount of time, in seconds, to wait while trying
+to connect to an LDAP server.
+If multiple
+\fBURI\fRs
+or
+\fBHOST\fRs
+are specified, this is the amount of time to wait before trying
the next one in the list.
-.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
-.IX Item "NETWORK_TIMEOUT seconds"
-An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
-.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
-.IX Item "TIMELIMIT seconds"
-The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
-to wait for a response to an \s-1LDAP\s0 query.
-.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
-.IX Item "TIMEOUT seconds"
-The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
-to wait for a response from the various \s-1LDAP\s0 APIs.
-.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
-.IX Item "SUDOERS_BASE base"
-The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
-this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
-\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
-in which case they are queried in the order specified.
-.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
-.IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
-An \s-1LDAP\s0 filter which is used to restrict the set of records returned
-when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the
-form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
-.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
-.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
-Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
+.TP 6n
+\fBNETWORK_TIMEOUT\fR \fIseconds\fR
+An alias for
+\fBBIND_TIMELIMIT\fR
+for OpenLDAP compatibility.
+.TP 6n
+\fBTIMELIMIT\fR \fIseconds\fR
+The
+\fBTIMELIMIT\fR
+parameter specifies the amount of time, in seconds, to wait for a
+response to an LDAP query.
+.TP 6n
+\fBTIMEOUT\fR \fIseconds\fR
+The
+\fBTIMEOUT\fR
+parameter specifies the amount of time, in seconds, to wait for a
+response from the various LDAP APIs.
+.TP 6n
+\fBSUDOERS_BASE\fR \fIbase\fR
+The base DN to use when performing
+\fBsudo\fR
+LDAP queries.
+Typically this is of the form
+\fRou=SUDOers,dc=example,dc=com\fR
+for the domain
+\fRexample.com\fR.
+Multiple
+\fBSUDOERS_BASE\fR
+lines may be specified, in which case they are queried in the order specified.
+.TP 6n
+\fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
+An LDAP filter which is used to restrict the set of records returned
+when performing a
+\fBsudo\fR
+LDAP query.
+Typically, this is of the
+form
+\fRattribute=value\fR
+or
+\fR(&(attribute=value)(attribute2=value2))\fR.
+.TP 6n
+\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
+Whether or not to evaluate the
+\fRsudoNotBefore\fR
+and
+\fRsudoNotAfter\fR
attributes that implement time-dependent sudoers entries.
-.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
-.IX Item "SUDOERS_DEBUG debug_level"
-This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
-information is printed to the standard error. A value of 1 results
-in a moderate amount of debugging information. A value of 2 shows
-the results of the matches themselves. This parameter should not
-be set in a production environment as the extra information is
-likely to confuse users.
-.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
-.IX Item "BINDDN DN"
-The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
-Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
-If not specified, \s-1LDAP\s0 operations are performed with an anonymous
-identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
-.IP "\fB\s-1BINDPW\s0\fR secret" 4
-.IX Item "BINDPW secret"
-The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
-\&\s-1LDAP\s0 operations. This is typically used in conjunction with the
-\&\fB\s-1BINDDN\s0\fR parameter.
-.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
-.IX Item "ROOTBINDDN DN"
-The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
-a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
-operations, such as \fIsudoers\fR queries. The password corresponding
-to the identity should be stored in \fI@ldap_secret@\fR.
-If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
-.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
-.IX Item "LDAP_VERSION number"
-The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
+.TP 6n
+\fBSUDOERS_DEBUG\fR \fIdebug_level\fR
+This sets the debug level for
+\fBsudo\fR
+LDAP queries.
+Debugging information is printed to the standard error.
+A value of 1 results in a moderate amount of debugging information.
+A value of 2 shows the results of the matches themselves.
+This parameter should not be set in a production environment as the
+extra information is likely to confuse users.
+.TP 6n
+\fBBINDDN\fR \fIDN\fR
+The
+\fBBINDDN\fR
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing LDAP operations.
+If not specified, LDAP operations are performed with an anonymous identity.
+By default, most LDAP servers will allow anonymous access.
+.TP 6n
+\fBBINDPW\fR \fIsecret\fR
+The
+\fBBINDPW\fR
+parameter specifies the password to use when performing LDAP operations.
+This is typically used in conjunction with the
+\fBBINDDN\fR
+parameter.
+.TP 6n
+\fBROOTBINDDN\fR \fIDN\fR
+The
+\fBROOTBINDDN\fR
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing privileged LDAP operations, such as
+\fIsudoers\fR
+queries.
+The password corresponding
+to the identity should be stored in
+\fI@ldap_secret@\fR.
+If not specified, the
+\fBBINDDN\fR
+identity is used (if any).
+.TP 6n
+\fBLDAP_VERSION\fR \fInumber\fR
+The version of the LDAP protocol to use when connecting to the server.
The default value is protocol version 3.
-.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
-.IX Item "SSL on/true/yes/off/false/no"
-If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
-(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
-server. Typically, this involves connecting to the server on port
-636 (ldaps).
-.IP "\fB\s-1SSL\s0\fR start_tls" 4
-.IX Item "SSL start_tls"
-If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
-connection is initiated normally and \s-1TLS\s0 encryption is begun before
-the bind credentials are sent. This has the advantage of not
-requiring a dedicated port for encrypted communications. This
-parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
-extension, such as the OpenLDAP server.
-.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
-.IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
-If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
-certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
-be verified (usually because it is signed by an unknown certificate
-authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
-is disabled, no check is made. Note that disabling the check creates
-an opportunity for man-in-the-middle attacks since the server's
-identity will not be authenticated. If possible, the \s-1CA\s0's certificate
-should be installed locally so it can be verified.
-.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
-.IX Item "TLS_CACERT file name"
-An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
-.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
-.IX Item "TLS_CACERTFILE file name"
+.TP 6n
+\fBSSL\fR \fIon/true/yes/off/false/no\fR
+If the
+\fBSSL\fR
+parameter is set to
+\fRon\fR,
+\fRtrue\fR
+\fRor\fR
+\fRyes\fR,
+TLS (SSL) encryption is always used when communicating with the LDAP server.
+Typically, this involves connecting to the server on port 636 (ldaps).
+.TP 6n
+\fBSSL\fR \fIstart_tls\fR
+If the
+\fBSSL\fR
+parameter is set to
+\fRstart_tls\fR,
+the LDAP server connection is initiated normally and TLS encryption is
+begun before the bind credentials are sent.
+This has the advantage of not requiring a dedicated port for encrypted
+communications.
+This parameter is only supported by LDAP servers that honor the
+\fIstart_tls\fR
+extension, such as the OpenLDAP and Tivoli Directory servers.
+.TP 6n
+\fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
+If enabled,
+\fBTLS_CHECKPEER\fR
+will cause the LDAP server's TLS certificated to be verified.
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+\fBsudo\fR
+will be unable to connect to it.
+If
+\fBTLS_CHECKPEER\fR
+is disabled, no check is made.
+Note that disabling the check creates an opportunity for man-in-the-middle
+attacks since the server's identity will not be authenticated.
+If possible, the CA's certificate should be installed locally so it can
+be verified.
+This option is not supported by the Tivoli Directory Server LDAP libraries.
+.TP 6n
+\fBTLS_CACERT\fR \fIfile name\fR
+An alias for
+\fBTLS_CACERTFILE\fR
+for OpenLDAP compatibility.
+.TP 6n
+\fBTLS_CACERTFILE\fR \fIfile name\fR
The path to a certificate authority bundle which contains the certificates
-for all the Certificate Authorities the client knows to be valid,
-e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
+for all the Certificate Authorities the client knows to be valid, e.g.\&
+\fI/etc/ssl/ca-bundle.pem\fR.
This option is only supported by the OpenLDAP libraries.
-Netscape-derived \s-1LDAP\s0 libraries use the same certificate
-database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
-.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
-.IX Item "TLS_CACERTDIR directory"
-Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
-directory containing individual Certificate Authority certificates,
-e.g. \fI/etc/ssl/certs\fR.
-The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
-\&\fB\s-1TLS_CACERTFILE\s0\fR.
+Netscape-derived LDAP libraries use the same certificate
+database for CA and client certificates (see
+\fBTLS_CERT\fR).
+.TP 6n
+\fBTLS_CACERTDIR\fR \fIdirectory\fR
+Similar to
+\fBTLS_CACERTFILE\fR
+but instead of a file, it is a directory containing individual
+Certificate Authority certificates, e.g.\&
+\fI/etc/ssl/certs\fR.
+The directory specified by
+\fBTLS_CACERTDIR\fR
+is checked after
+\fBTLS_CACERTFILE\fR.
This option is only supported by the OpenLDAP libraries.
-.IP "\fB\s-1TLS_CERT\s0\fR file name" 4
-.IX Item "TLS_CERT file name"
+.TP 6n
+\fBTLS_CERT\fR \fIfile name\fR
The path to a file containing the client certificate which can
-be used to authenticate the client to the \s-1LDAP\s0 server.
-The certificate type depends on the \s-1LDAP\s0 libraries used.
-.Sp
+be used to authenticate the client to the LDAP server.
+The certificate type depends on the LDAP libraries used.
+.RS
+.TP 6n
OpenLDAP:
- \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
-.Sp
+\fRtls_cert /etc/ssl/client_cert.pem\fR
+.TP 6n
Netscape-derived:
- \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
-.Sp
+\fRtls_cert /var/ldap/cert7.db\fR
+.TP 6n
+Tivoli Directory Server:
+Unused, the key database specified by
+\fBTLS_KEY\fR
+contains both keys and certificates.
+.sp
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
-.IP "\fB\s-1TLS_KEY\s0\fR file name" 4
-.IX Item "TLS_KEY file name"
+.PP
+.RE
+.PD 0
+.TP 6n
+\fBTLS_KEY\fR \fIfile name\fR
The path to a file containing the private key which matches the
-certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
-password-protected. The key type depends on the \s-1LDAP\s0 libraries
-used.
-.Sp
+certificate specified by
+\fBTLS_CERT\fR.
+The private key must not be password-protected.
+The key type depends on the LDAP libraries used.
+.RS
+.PD
+.TP 6n
OpenLDAP:
- \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
-.Sp
+\fRtls_key /etc/ssl/client_key.pem\fR
+.TP 6n
Netscape-derived:
- \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
-.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
-.IX Item "TLS_RANDFILE file name"
-The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
-source for systems that lack a random device. It is generally used
-in conjunction with \fIprngd\fR or \fIegd\fR.
-This option is only supported by the OpenLDAP libraries.
-.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
-.IX Item "TLS_CIPHERS cipher list"
-The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict
-which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
-See the OpenSSL manual for a list of valid ciphers.
+\fRtls_key /var/ldap/key3.db\fR
+.TP 6n
+Tivoli Directory Server:
+\fRtls_cert /usr/ldap/ldapkey.kdb\fR
+.PD 0
+.PP
+.PD
+When using Tivoli LDAP libraries, this file may also contain
+Certificate Authority and client certificates and may be encrypted.
+.PP
+.RE
+.PD 0
+.TP 6n
+\fBTLS_KEYPW\fR \fIsecret\fR
+The
+\fBTLS_KEYPW\fR
+contains the password used to decrypt the key database on clients
+using the Tivoli Directory Server LDAP library.
+If no
+\fBTLS_KEYPW\fR
+is specified, a
+\fIstash file\fR
+will be used if it exists.
+The
+\fIstash file\fR
+must have the same path as the file specified by
+\fBTLS_KEY\fR,
+but use a
+\fR.sth\fR
+file extension instead of
+\fR.kdb\fR,
+e.g.\&
+\fRldapkey.sth\fR.
+The default
+\fRldapkey.kdb\fR
+that ships with Tivoli Directory Server is encrypted with the password
+\fRssl_password\fR.
+This option is only supported by the Tivoli LDAP libraries.
+.PD
+.TP 6n
+\fBTLS_RANDFILE\fR \fIfile name\fR
+The
+\fBTLS_RANDFILE\fR
+parameter specifies the path to an entropy source for systems that lack
+a random device.
+It is generally used in conjunction with
+\fIprngd\fR
+or
+\fIegd\fR.
This option is only supported by the OpenLDAP libraries.
-.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
-.IX Item "USE_SASL on/true/yes/off/false/no"
-Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
-.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
-.IX Item "SASL_AUTH_ID identity"
-The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
-By default, \fBsudo\fR will use an anonymous connection.
-.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
-.IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
-Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
-to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
-.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
-.IX Item "ROOTSASL_AUTH_ID identity"
-The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
-.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
-.IX Item "SASL_SECPROPS none/properties"
-\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the
-\&\s-1SASL\s0 programmer's manual for details.
-.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
-.IX Item "KRB5_CCNAME file name"
+.TP 6n
+\fBTLS_CIPHERS\fR \fIcipher list\fR
+The
+\fBTLS_CIPHERS\fR
+parameter allows the administer to restrict which encryption algorithms
+may be used for TLS (SSL) connections.
+See the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ciphers.
+This option is not supported by Netscape-derived libraries.
+.TP 6n
+\fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
+Enable
+\fBUSE_SASL\fR
+for LDAP servers that support SASL authentication.
+.TP 6n
+\fBSASL_AUTH_ID\fR \fIidentity\fR
+The SASL user name to use when connecting to the LDAP server.
+By default,
+\fBsudo\fR
+will use an anonymous connection.
+.TP 6n
+\fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
+Enable
+\fBROOTUSE_SASL\fR
+to enable SASL authentication when connecting
+to an LDAP server from a privileged process, such as
+\fBsudo\fR.
+.TP 6n
+\fBROOTSASL_AUTH_ID\fR \fIidentity\fR
+The SASL user name to use when
+\fBROOTUSE_SASL\fR
+is enabled.
+.TP 6n
+\fBSASL_SECPROPS\fR \fInone/properties\fR
+SASL security properties or
+\fInone\fR
+for no properties.
+See the SASL programmer's manual for details.
+.TP 6n
+\fBKRB5_CCNAME\fR \fIfile name\fR
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
-.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
-.IX Item "DEREF never/searching/finding/always"
-How alias dereferencing is to be performed when searching. See the
-\&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
+.TP 6n
+\fBDEREF\fR \fInever/searching/finding/always\fR
+How alias dereferencing is to be performed when searching.
+See the
+ldap.conf(@mansectsu@)
+manual for a full description of this option.
.PP
-See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
+See the
+\fIldap.conf\fR
+entry in the
+\fIEXAMPLES\fR
+section.
.SS "Configuring nsswitch.conf"
-.IX Subsection "Configuring nsswitch.conf"
-Unless it is disabled at build time, \fBsudo\fR consults the Name
-Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
-search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
-uses this to determine the search order. Note that \fBsudo\fR does
+Unless it is disabled at build time,
+\fBsudo\fR
+consults the Name Service Switch file,
+\fI@nsswitch_conf@\fR,
+to specify the
+\fIsudoers\fR
+search order.
+Sudo looks for a line beginning with
+\fRsudoers\fR:
+and uses this to determine the search order.
+Note that
+\fBsudo\fR
+does
not stop searching after the first match and later matches take
precedence over earlier ones.
-.PP
The following sources are recognized:
+.TP 10n
+files
+read sudoers from
+\fI@sysconfdir@/sudoers\fR
+.PD 0
+.TP 10n
+ldap
+read sudoers from LDAP
+.PD
.PP
-.Vb 2
-\& files read sudoers from F<@sysconfdir@/sudoers>
-\& ldap read sudoers from LDAP
-.Ve
+In addition, the entry
+\fR[NOTFOUND=return]\fR
+will short-circuit the search if the user was not found in the
+preceding source.
.PP
-In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
-search if the user was not found in the preceding source.
-.PP
-To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+To consult LDAP first followed by the local sudoers file (if it
exists), use:
+.nf
+.sp
+.RS 4n
+sudoers: ldap files
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers: ldap files
-.Ve
-.PP
-The local \fIsudoers\fR file can be ignored completely by using:
-.PP
-.Vb 1
-\& sudoers: ldap
-.Ve
-.PP
-If the \fI@nsswitch_conf@\fR file is not present or there is no
-sudoers line, the following default is assumed:
+The local
+\fIsudoers\fR
+file can be ignored completely by using:
+.nf
+.sp
+.RS 4n
+sudoers: ldap
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers: files
-.Ve
+If the
+\fI@nsswitch_conf@\fR
+file is not present or there is no sudoers line, the following
+default is assumed:
+.nf
+.sp
+.RS 4n
+sudoers: files
+.RE
+.fi
.PP
-Note that \fI@nsswitch_conf@\fR is supported even when the underlying
-operating system does not use an nsswitch.conf file.
+Note that
+\fI@nsswitch_conf@\fR
+is supported even when the underlying operating system does not use
+an nsswitch.conf file, except on AIX (see below).
.SS "Configuring netsvc.conf"
-.IX Subsection "Configuring netsvc.conf"
-On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
-\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
-variant of \fInsswitch.conf\fR; information in the previous section
-unrelated to the file format itself still applies.
+On AIX systems, the
+\fI@netsvc_conf@\fR
+file is consulted instead of
+\fI@nsswitch_conf@\fR.
+\fBsudo\fR
+simply treats
+\fInetsvc.conf\fR
+as a variant of
+\fInsswitch.conf\fR;
+information in the previous section unrelated to the file format
+itself still applies.
.PP
-To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+To consult LDAP first followed by the local sudoers file (if it
exists), use:
+.nf
+.sp
+.RS 4n
+sudoers = ldap, files
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers = ldap, files
-.Ve
-.PP
-The local \fIsudoers\fR file can be ignored completely by using:
-.PP
-.Vb 1
-\& sudoers = ldap
-.Ve
-.PP
-To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file
-if the user is not present in \s-1LDAP\s0, use:
+The local
+\fIsudoers\fR
+file can be ignored completely by using:
+.nf
+.sp
+.RS 4n
+sudoers = ldap
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers = ldap = auth, files
-.Ve
+To treat LDAP as authoratative and only use the local sudoers file
+if the user is not present in LDAP, use:
+.nf
+.sp
+.RS 4n
+sudoers = ldap = auth, files
+.RE
+.fi
.PP
-Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects
-user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
+Note that in the above example, the
+\fRauth\fR
+qualfier only affects user lookups; both LDAP and
+\fIsudoers\fR
+will be queried for
+\fRDefaults\fR
entries.
.PP
-If the \fI@netsvc_conf@\fR file is not present or there is no
-sudoers line, the following default is assumed:
-.PP
-.Vb 1
-\& sudoers = files
-.Ve
+If the
+\fI@netsvc_conf@\fR
+file is not present or there is no sudoers line, the following
+default is assumed:
+.nf
+.sp
+.RS 4n
+sudoers = files
+.RE
+.fi
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@ldap_conf@\fR" 24
-.el .IP "\fI@ldap_conf@\fR" 24
-.IX Item "@ldap_conf@"
-\&\s-1LDAP\s0 configuration file
-.ie n .IP "\fI@nsswitch_conf@\fR" 24
-.el .IP "\fI@nsswitch_conf@\fR" 24
-.IX Item "@nsswitch_conf@"
+.TP 26n
+\fI@ldap_conf@\fR
+LDAP configuration file
+.TP 26n
+\fI@nsswitch_conf@\fR
determines sudoers source order
-.ie n .IP "\fI@netsvc_conf@\fR" 24
-.el .IP "\fI@netsvc_conf@\fR" 24
-.IX Item "@netsvc_conf@"
-determines sudoers source order on \s-1AIX\s0
+.TP 26n
+\fI@netsvc_conf@\fR
+determines sudoers source order on AIX
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
.SS "Example ldap.conf"
-.IX Subsection "Example ldap.conf"
-.Vb 10
-\& # Either specify one or more URIs or one or more host:port pairs.
-\& # If neither is specified sudo will default to localhost, port 389.
-\& #
-\& #host ldapserver
-\& #host ldapserver1 ldapserver2:390
-\& #
-\& # Default port if host is specified without one, defaults to 389.
-\& #port 389
-\& #
-\& # URI will override the host and port settings.
-\& uri ldap://ldapserver
-\& #uri ldaps://secureldapserver
-\& #uri ldaps://secureldapserver ldap://ldapserver
-\& #
-\& # The amount of time, in seconds, to wait while trying to connect to
-\& # an LDAP server.
-\& bind_timelimit 30
-\& #
-\& # The amount of time, in seconds, to wait while performing an LDAP query.
-\& timelimit 30
-\& #
-\& # Must be set or sudo will ignore LDAP; may be specified multiple times.
-\& sudoers_base ou=SUDOers,dc=example,dc=com
-\& #
-\& # verbose sudoers matching from ldap
-\& #sudoers_debug 2
-\& #
-\& # Enable support for time\-based entries in sudoers.
-\& #sudoers_timed yes
-\& #
-\& # optional proxy credentials
-\& #binddn <who to search as>
-\& #bindpw <password>
-\& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
-\& #
-\& # LDAP protocol version, defaults to 3
-\& #ldap_version 3
-\& #
-\& # Define if you want to use an encrypted LDAP connection.
-\& # Typically, you must also set the port to 636 (ldaps).
-\& #ssl on
-\& #
-\& # Define if you want to use port 389 and switch to
-\& # encryption before the bind credentials are sent.
-\& # Only supported by LDAP servers that support the start_tls
-\& # extension such as OpenLDAP.
-\& #ssl start_tls
-\& #
-\& # Additional TLS options follow that allow tweaking of the
-\& # SSL/TLS connection.
-\& #
-\& #tls_checkpeer yes # verify server SSL certificate
-\& #tls_checkpeer no # ignore server SSL certificate
-\& #
-\& # If you enable tls_checkpeer, specify either tls_cacertfile
-\& # or tls_cacertdir. Only supported when using OpenLDAP.
-\& #
-\& #tls_cacertfile /etc/certs/trusted_signers.pem
-\& #tls_cacertdir /etc/certs
-\& #
-\& # For systems that don\*(Aqt have /dev/random
-\& # use this along with PRNGD or EGD.pl to seed the
-\& # random number pool to generate cryptographic session keys.
-\& # Only supported when using OpenLDAP.
-\& #
-\& #tls_randfile /etc/egd\-pool
-\& #
-\& # You may restrict which ciphers are used. Consult your SSL
-\& # documentation for which options go here.
-\& # Only supported when using OpenLDAP.
-\& #
-\& #tls_ciphers <cipher\-list>
-\& #
-\& # Sudo can provide a client certificate when communicating to
-\& # the LDAP server.
-\& # Tips:
-\& # * Enable both lines at the same time.
-\& # * Do not password protect the key file.
-\& # * Ensure the keyfile is only readable by root.
-\& #
-\& # For OpenLDAP:
-\& #tls_cert /etc/certs/client_cert.pem
-\& #tls_key /etc/certs/client_key.pem
-\& #
-\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
-\& # a directory, in which case the files in the directory must have the
-\& # default names (e.g. cert8.db and key4.db), or the path to the cert
-\& # and key files themselves. However, a bug in version 5.0 of the LDAP
-\& # SDK will prevent specific file names from working. For this reason
-\& # it is suggested that tls_cert and tls_key be set to a directory,
-\& # not a file name.
-\& #
-\& # The certificate database specified by tls_cert may contain CA certs
-\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
-\& # should be specified as well.
-\& # For backward compatibility, "sslpath" may be used in place of tls_cert.
-\& #tls_cert /var/ldap
-\& #tls_key /var/ldap
-\& #
-\& # If using SASL authentication for LDAP (OpenSSL)
-\& # use_sasl yes
-\& # sasl_auth_id <SASL user name>
-\& # rootuse_sasl yes
-\& # rootsasl_auth_id <SASL user name for root access>
-\& # sasl_secprops none
-\& # krb5_ccname /etc/.ldapcache
-.Ve
+.nf
+.RS 2n
+# Either specify one or more URIs or one or more host:port pairs.
+# If neither is specified sudo will default to localhost, port 389.
+#
+#host ldapserver
+#host ldapserver1 ldapserver2:390
+#
+# Default port if host is specified without one, defaults to 389.
+#port 389
+#
+# URI will override the host and port settings.
+uri ldap://ldapserver
+#uri ldaps://secureldapserver
+#uri ldaps://secureldapserver ldap://ldapserver
+#
+# The amount of time, in seconds, to wait while trying to connect to
+# an LDAP server.
+bind_timelimit 30
+#
+# The amount of time, in seconds, to wait while performing an LDAP query.
+timelimit 30
+#
+# Must be set or sudo will ignore LDAP; may be specified multiple times.
+sudoers_base ou=SUDOers,dc=example,dc=com
+#
+# verbose sudoers matching from ldap
+#sudoers_debug 2
+#
+# Enable support for time-based entries in sudoers.
+#sudoers_timed yes
+#
+# optional proxy credentials
+#binddn <who to search as>
+#bindpw <password>
+#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
+#
+# LDAP protocol version, defaults to 3
+#ldap_version 3
+#
+# Define if you want to use an encrypted LDAP connection.
+# Typically, you must also set the port to 636 (ldaps).
+#ssl on
+#
+# Define if you want to use port 389 and switch to
+# encryption before the bind credentials are sent.
+# Only supported by LDAP servers that support the start_tls
+# extension such as OpenLDAP.
+#ssl start_tls
+#
+# Additional TLS options follow that allow tweaking of the
+# SSL/TLS connection.
+#
+#tls_checkpeer yes # verify server SSL certificate
+#tls_checkpeer no # ignore server SSL certificate
+#
+# If you enable tls_checkpeer, specify either tls_cacertfile
+# or tls_cacertdir. Only supported when using OpenLDAP.
+#
+#tls_cacertfile /etc/certs/trusted_signers.pem
+#tls_cacertdir /etc/certs
+#
+# For systems that don't have /dev/random
+# use this along with PRNGD or EGD.pl to seed the
+# random number pool to generate cryptographic session keys.
+# Only supported when using OpenLDAP.
+#
+#tls_randfile /etc/egd-pool
+#
+# You may restrict which ciphers are used. Consult your SSL
+# documentation for which options go here.
+# Only supported when using OpenLDAP.
+#
+#tls_ciphers <cipher-list>
+#
+# Sudo can provide a client certificate when communicating to
+# the LDAP server.
+# Tips:
+# * Enable both lines at the same time.
+# * Do not password protect the key file.
+# * Ensure the keyfile is only readable by root.
+#
+# For OpenLDAP:
+#tls_cert /etc/certs/client_cert.pem
+#tls_key /etc/certs/client_key.pem
+#
+# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+# a directory, in which case the files in the directory must have the
+# default names (e.g. cert8.db and key4.db), or the path to the cert
+# and key files themselves. However, a bug in version 5.0 of the LDAP
+# SDK will prevent specific file names from working. For this reason
+# it is suggested that tls_cert and tls_key be set to a directory,
+# not a file name.
+#
+# The certificate database specified by tls_cert may contain CA certs
+# and/or the client's cert. If the client's cert is included, tls_key
+# should be specified as well.
+# For backward compatibility, "sslpath" may be used in place of tls_cert.
+#tls_cert /var/ldap
+#tls_key /var/ldap
+#
+# If using SASL authentication for LDAP (OpenSSL)
+# use_sasl yes
+# sasl_auth_id <SASL user name>
+# rootuse_sasl yes
+# rootsasl_auth_id <SASL user name for root access>
+# sasl_secprops none
+# krb5_ccname /etc/.ldapcache
+.RE
+.fi
.SS "Sudo schema for OpenLDAP"
-.IX Subsection "Sudo schema for OpenLDAP"
-The following schema, in OpenLDAP format, is included with \fBsudo\fR
-source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy
-it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
-proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
-.PP
-.Vb 6
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
-\& NAME \*(AqsudoUser\*(Aq
-\& DESC \*(AqUser(s) who may run sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SUBSTR caseExactIA5SubstringsMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
-\& NAME \*(AqsudoHost\*(Aq
-\& DESC \*(AqHost(s) who may run sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SUBSTR caseExactIA5SubstringsMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
-\& NAME \*(AqsudoCommand\*(Aq
-\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
-\& NAME \*(AqsudoRunAs\*(Aq
-\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
-\& NAME \*(AqsudoOption\*(Aq
-\& DESC \*(AqOptions(s) followed by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
-\& NAME \*(AqsudoRunAsUser\*(Aq
-\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
-\& NAME \*(AqsudoRunAsGroup\*(Aq
-\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.8
-\& NAME \*(AqsudoNotBefore\*(Aq
-\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
-\& EQUALITY generalizedTimeMatch
-\& ORDERING generalizedTimeOrderingMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.9
-\& NAME \*(AqsudoNotAfter\*(Aq
-\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
-\& EQUALITY generalizedTimeMatch
-\& ORDERING generalizedTimeOrderingMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-\&
-\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
-\& NAME \*(AqsudoOrder\*(Aq
-\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq
-\& EQUALITY integerMatch
-\& ORDERING integerOrderingMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-\&
-\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
-\& DESC \*(AqSudoer Entries\*(Aq
-\& MUST ( cn )
-\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
-\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
-\& sudoOrder $ description )
-\& )
-.Ve
+The following schema, in OpenLDAP format, is included with
+\fBsudo\fR
+source and binary distributions as
+\fIschema.OpenLDAP\fR.
+Simply copy
+it to the schema directory (e.g.\&
+\fI/etc/openldap/schema\fR),
+add the proper
+\fRinclude\fR
+line in
+\fIslapd.conf\fR
+and restart
+\fBslapd\fR.
+.nf
+.sp
+.RS 2n
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
+.RE
+.fi
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(@mansectform@)
+ldap.conf(@mansectsu@),
+sudoers(@mansectsu@)
.SH "CAVEATS"
-.IX Header "CAVEATS"
-Note that there are differences in the way that LDAP-based \fIsudoers\fR
-is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences
-between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
+Note that there are differences in the way that LDAP-based
+\fIsudoers\fR
+is parsed compared to file-based
+\fIsudoers\fR.
+See the
+\fIDifferences between LDAP and non-LDAP sudoers\fR
+section for more information.
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 12, 2012
+.Dt SUDOERS.LDAP @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudoers.ldap
+.Nd sudo LDAP configuration
+.Sh DESCRIPTION
+In addition to the standard
+.Em sudoers
+file,
+.Nm sudo
+may be configured
+via LDAP.
+This can be especially useful for synchronizing
+.Em sudoers
+in a large, distributed environment.
+.Pp
+Using LDAP for
+.Em sudoers
+has several benefits:
+.Bl -bullet
+.It
+.Nm sudo
+no longer needs to read
+.Em sudoers
+in its entirety.
+When LDAP is used, there are only two or three LDAP queries per invocation.
+This makes it especially fast and particularly usable in LDAP environments.
+.It
+.Nm sudo
+no longer exits if there is a typo in
+.Em sudoers .
+It is not possible to load LDAP data into the server that does
+not conform to the sudoers schema, so proper syntax is guaranteed.
+It is still possible to have typos in a user or host name, but
+this will not prevent
+.Nm sudo
+from running.
+.It
+It is possible to specify per-entry options that override the global
+default options.
+.Pa @sysconfdir@/sudoers
+only supports default options and limited options associated with
+user/host/commands/aliases.
+The syntax is complicated and can be difficult for users to understand.
+Placing the options directly in the entry is more natural.
+.It
+The
+.Nm visudo
+program is no longer needed.
+.Nm visudo
+provides locking and syntax checking of the
+.Pa @sysconfdir@/sudoers
+file.
+Since LDAP updates are atomic, locking is no longer necessary.
+Because syntax is checked when the data is inserted into LDAP, there
+is no need for a specialized tool to check syntax.
+.El
+.Pp
+Another major difference between LDAP and file-based
+.Em sudoers
+is that in LDAP,
+.Nm sudo Ns No -specific
+Aliases are not supported.
+.Pp
+For the most part, there is really no need for
+.Nm sudo Ns No -specific
+Aliases.
+Unix groups or user netgroups can be used in place of User_Aliases and
+Runas_Aliases.
+Host netgroups can be used in place of Host_Aliases.
+Since Unix groups and netgroups can also be stored in LDAP there is no
+real need for
+.Nm sudo Ns No -specific
+aliases.
+.Pp
+Cmnd_Aliases are not really required either since it is possible
+to have multiple users listed in a
+.Li sudoRole .
+Instead of defining a Cmnd_Alias that is referenced by multiple users,
+one can create a
+.Li sudoRole
+that contains the commands and assign multiple users to it.
+.Ss SUDOers LDAP container
+The
+.Em sudoers
+configuration is contained in the
+.Li ou=SUDOers
+LDAP container.
+.Pp
+Sudo first looks for the
+.Li cn=default
+entry in the SUDOers container.
+If found, the multi-valued
+.Li sudoOption
+attribute is parsed in the same manner as a global
+.Li Defaults
+line in
+.Pa @sysconfdir@/sudoers .
+In the following example, the
+.Ev SSH_AUTH_SOCK
+variable will be preserved in the environment for all users.
+.Bd -literal -offset 4n
+dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: env_keep+=SSH_AUTH_SOCK
+.Ed
+.Pp
+The equivalent of a sudoer in LDAP is a
+.Li sudoRole .
+It consists of the following attributes:
+.Bl -tag -width 4n
+.It Sy sudoUser
+A user name, user ID (prefixed with
+.Ql # ) ,
+Unix group (prefixed with
+.Ql % ) ,
+Unix group ID (prefixed with
+.Ql %# ) ,
+or user netgroup (prefixed with
+.Ql + ) .
+.It Sy sudoHost
+A host name, IP address, IP network, or host netgroup (prefixed with a
+.Ql + ) .
+The special value
+.Li ALL
+will match any host.
+.It Sy sudoCommand
+A Unix command with optional command line arguments, potentially
+including globbing characters (aka wild cards).
+The special value
+.Li ALL
+will match any command.
+If a command is prefixed with an exclamation point
+.Ql \&! ,
+the user will be prohibited from running that command.
+.It Sy sudoOption
+Identical in function to the global options described above, but
+specific to the
+.Li sudoRole
+in which it resides.
+.It Sy sudoRunAsUser
+A user name or uid (prefixed with
+.Ql # )
+that commands may be run as or a Unix group (prefixed with a
+.Ql % )
+or user netgroup (prefixed with a
+.Ql + )
+that contains a list of users that commands may be run as.
+The special value
+.Li ALL
+will match any user.
+.Pp
+The
+.Li sudoRunAsUser
+attribute is only available in
+.Nm sudo
+versions
+1.7.0 and higher.
+Older versions of
+.Nm sudo
+use the
+.Li sudoRunAs
+attribute instead.
+.It Sy sudoRunAsGroup
+A Unix group or gid (prefixed with
+.Ql # )
+that commands may be run as.
+The special value
+.Li ALL
+will match any group.
+.Pp
+The
+.Li sudoRunAsGroup
+attribute is only available in
+.Nm sudo
+versions
+1.7.0 and higher.
+.It Sy sudoNotBefore
+A timestamp in the form
+.Li yyyymmddHHMMSSZ
+that can be used to provide a start date/time for when the
+.Li sudoRole
+will be valid.
+If multiple
+.Li sudoNotBefore
+entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.Pp
+The
+.Li sudoNotBefore
+attribute is only available in
+.Nm sudo
+versions 1.7.5 and higher and must be explicitly enabled via the
+.Sy SUDOERS_TIMED
+option in
+.Pa @ldap_conf@ .
+.It Sy sudoNotAfter
+A timestamp in the form
+.Li yyyymmddHHMMSSZ
+that indicates an expiration date/time, after which the
+.Li sudoRole
+will no longer be valid.
+If multiple
+.Li sudoNotBefore
+entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.Pp
+The
+.Li sudoNotAfter
+attribute is only available in
+.Nm sudo
+versions
+1.7.5 and higher and must be explicitly enabled via the
+.Sy SUDOERS_TIMED
+option in
+.Pa @ldap_conf@ .
+.It Sy sudoOrder
+The
+.Li sudoRole
+entries retrieved from the LDAP directory have no inherent order.
+The
+.Li sudoOrder
+attribute is an integer (or floating point value for LDAP servers
+that support it) that is used to sort the matching entries.
+This allows LDAP-based sudoers entries to more closely mimic the behaviour
+of the sudoers file, where the of the entries influences the result.
+If multiple entries match, the entry with the highest
+.Li sudoOrder
+attribute is chosen.
+This corresponds to the
+.Dq last match
+behavior of the sudoers file.
+If the
+.Li sudoOrder
+attribute is not present, a value of 0 is assumed.
+.Pp
+The
+.Li sudoOrder
+attribute is only available in
+.Nm sudo
+versions 1.7.5 and higher.
+.El
+.Pp
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type.
+A
+.Li sudoRole
+must contain at least one
+.Li sudoUser ,
+.Li sudoHost
+and
+.Li sudoCommand .
+.Pp
+The following example allows users in group wheel to run any command
+on any host via
+.Nm sudo :
+.Bd -literal -offset 4n
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL
+.Ed
+.Ss Anatomy of LDAP sudoers lookup
+When looking up a sudoer using LDAP there are only two or three
+LDAP queries per invocation.
+The first query is to parse the global options.
+The second is to match against the user's name and the groups that
+the user belongs to.
+(The special
+.Li ALL
+tag is matched in this query too.)
+If no match is returned for the user's name and groups, a third
+query returns all entries containing user netgroups and checks
+to see if the user belongs to any of them.
+.Pp
+If timed entries are enabled with the
+.Sy SUDOERS_TIMED
+configuration directive, the LDAP queries include a subfilter that
+limits retrieval to entries that satisfy the time constraints, if any.
+.Ss Differences between LDAP and non-LDAP sudoers
+There are some subtle differences in the way sudoers is handled
+once in LDAP.
+Probably the biggest is that according to the RFC, LDAP ordering
+is arbitrary and you cannot expect that Attributes and Entries are
+returned in any specific order.
+.Pp
+The order in which different entries are applied can be controlled
+using the
+.Li sudoOrder
+attribute, but there is no way to guarantee the order of attributes
+within a specific entry.
+If there are conflicting command rules in an entry, the negative
+takes precedence.
+This is called paranoid behavior (not necessarily the most specific
+match).
+.Pp
+Here is an example:
+.Bd -literal -offset 4n
+# /etc/sudoers:
+# Allow all commands except shell
+johnny ALL=(root) ALL,!/bin/sh
+# Always allows all commands because ALL is matched last
+puddles ALL=(root) !/bin/sh,ALL
+
+# LDAP equivalent of johnny
+# Allows all commands except shell
+dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role1
+sudoUser: johnny
+sudoHost: ALL
+sudoCommand: ALL
+sudoCommand: !/bin/sh
+
+# LDAP equivalent of puddles
+# Notice that even though ALL comes last, it still behaves like
+# role1 since the LDAP code assumes the more paranoid configuration
+dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role2
+sudoUser: puddles
+sudoHost: ALL
+sudoCommand: !/bin/sh
+sudoCommand: ALL
+.Ed
+.Pp
+Another difference is that negations on the Host, User or Runas are
+currently ignored.
+For example, the following attributes do not behave the way one might expect.
+.Bd -literal -offset 4n
+# does not match all but joe
+# rather, does not match anyone
+sudoUser: !joe
+
+# does not match all but joe
+# rather, matches everyone including Joe
+sudoUser: ALL
+sudoUser: !joe
+
+# does not match all but web01
+# rather, matches all hosts including web01
+sudoHost: ALL
+sudoHost: !web01
+.Ed
+.Ss Sudoers schema
+In order to use
+.Nm sudo Ns No 's
+LDAP support, the
+.Nm sudo
+schema must be
+installed on your LDAP server.
+In addition, be sure to index the
+.Li sudoUser
+attribute.
+.Pp
+Three versions of the schema: one for OpenLDAP servers
+.Pq Pa schema.OpenLDAP ,
+one for Netscape-derived servers
+.Pq Pa schema.iPlanet ,
+and one for Microsoft Active Directory
+.Pq Pa schema.ActiveDirectory
+may be found in the
+.Nm sudo
+distribution.
+.Pp
+The schema for
+.Nm sudo
+in OpenLDAP form is also included in the
+.Sx EXAMPLES
+section.
+.Ss Configuring ldap.conf
+Sudo reads the
+.Pa @ldap_conf@
+file for LDAP-specific configuration.
+Typically, this file is shared amongst different LDAP-aware clients.
+As such, most of the settings are not
+.Nm sudo Ns No -specific.
+Note that
+.Nm sudo
+parses
+.Pa @ldap_conf@
+itself and may support options that differ from those described in the
+system's
+.Xr ldap.conf @mansectsu@
+manual.
+.Pp
+Also note that on systems using the OpenLDAP libraries, default
+values specified in
+.Pa /etc/openldap/ldap.conf
+or the user's
+.Pa .ldaprc
+files are not used.
+.Pp
+Only those options explicitly listed in
+.Pa @ldap_conf@
+as being supported by
+.Nm sudo
+are honored.
+Configuration options are listed below in upper case but are parsed
+in a case-independent manner.
+.Bl -tag -width 4n
+.It Sy URI Ar ldap[s]://[hostname[:port]] ...
+Specifies a whitespace-delimited list of one or more URIs describing
+the LDAP server(s) to connect to.
+The
+.Em protocol
+may be either
+.Em ldap
+.Em ldaps ,
+the latter being for servers that support TLS (SSL) encryption.
+If no
+.Em port
+is specified, the default is port 389 for
+.Li ldap://
+or port 636 for
+.Li ldaps:// .
+If no
+.Em hostname
+is specified,
+.Nm sudo
+will connect to
+.Em localhost .
+Multiple
+.Sy URI
+lines are treated identically to a
+.Sy URI
+line containing multiple entries.
+Only systems using the OpenSSL libraries support the mixing of
+.Li ldap://
+and
+.Li ldaps://
+URIs.
+Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
+versions of Unix are only capable of supporting one or the other.
+.It Sy HOST Ar name[:port] ...
+If no
+.Sy URI
+is specified, the
+.Sy HOST
+parameter specifies a whitespace-delimited list of LDAP servers to connect to.
+Each host may include an optional
+.Em port
+separated by a colon
+.Pq Ql :\& .
+The
+.Sy HOST
+parameter is deprecated in favor of the
+.Sy URI
+specification and is included for backwards compatibility.
+.It Sy PORT Ar port_number
+If no
+.Sy URI
+is specified, the
+.Sy PORT
+parameter specifies the default port to connect to on the LDAP server if a
+.Sy HOST
+parameter does not specify the port itself.
+If no
+.Sy PORT
+parameter is used, the default is port 389 for LDAP and port 636 for LDAP
+over TLS (SSL).
+The
+.Sy PORT
+parameter is deprecated in favor of the
+.Sy URI
+specification and is included for backwards compatibility.
+.It Sy BIND_TIMELIMIT Ar seconds
+The
+.Sy BIND_TIMELIMIT
+parameter specifies the amount of time, in seconds, to wait while trying
+to connect to an LDAP server.
+If multiple
+.Sy URI Ns No s
+or
+.Sy HOST Ns No s
+are specified, this is the amount of time to wait before trying
+the next one in the list.
+.It Sy NETWORK_TIMEOUT Ar seconds
+An alias for
+.Sy BIND_TIMELIMIT
+for OpenLDAP compatibility.
+.It Sy TIMELIMIT Ar seconds
+The
+.Sy TIMELIMIT
+parameter specifies the amount of time, in seconds, to wait for a
+response to an LDAP query.
+.It Sy TIMEOUT Ar seconds
+The
+.Sy TIMEOUT
+parameter specifies the amount of time, in seconds, to wait for a
+response from the various LDAP APIs.
+.It Sy SUDOERS_BASE Ar base
+The base DN to use when performing
+.Nm sudo
+LDAP queries.
+Typically this is of the form
+.Li ou=SUDOers,dc=example,dc=com
+for the domain
+.Li example.com .
+Multiple
+.Sy SUDOERS_BASE
+lines may be specified, in which case they are queried in the order specified.
+.It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter
+An LDAP filter which is used to restrict the set of records returned
+when performing a
+.Nm sudo
+LDAP query.
+Typically, this is of the
+form
+.Li attribute=value
+or
+.Li (&(attribute=value)(attribute2=value2)) .
+.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
+Whether or not to evaluate the
+.Li sudoNotBefore
+and
+.Li sudoNotAfter
+attributes that implement time-dependent sudoers entries.
+.It Sy SUDOERS_DEBUG Ar debug_level
+This sets the debug level for
+.Nm sudo
+LDAP queries.
+Debugging information is printed to the standard error.
+A value of 1 results in a moderate amount of debugging information.
+A value of 2 shows the results of the matches themselves.
+This parameter should not be set in a production environment as the
+extra information is likely to confuse users.
+.It Sy BINDDN Ar DN
+The
+.Sy BINDDN
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing LDAP operations.
+If not specified, LDAP operations are performed with an anonymous identity.
+By default, most LDAP servers will allow anonymous access.
+.It Sy BINDPW Ar secret
+The
+.Sy BINDPW
+parameter specifies the password to use when performing LDAP operations.
+This is typically used in conjunction with the
+.Sy BINDDN
+parameter.
+.It Sy ROOTBINDDN Ar DN
+The
+.Sy ROOTBINDDN
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing privileged LDAP operations, such as
+.Em sudoers
+queries.
+The password corresponding
+to the identity should be stored in
+.Pa @ldap_secret@ .
+If not specified, the
+.Sy BINDDN
+identity is used (if any).
+.It Sy LDAP_VERSION Ar number
+The version of the LDAP protocol to use when connecting to the server.
+The default value is protocol version 3.
+.It Sy SSL Ar on/true/yes/off/false/no
+If the
+.Sy SSL
+parameter is set to
+.Li on ,
+.Li true
+.Li or
+.Li yes ,
+TLS (SSL) encryption is always used when communicating with the LDAP server.
+Typically, this involves connecting to the server on port 636 (ldaps).
+.It Sy SSL Ar start_tls
+If the
+.Sy SSL
+parameter is set to
+.Li start_tls ,
+the LDAP server connection is initiated normally and TLS encryption is
+begun before the bind credentials are sent.
+This has the advantage of not requiring a dedicated port for encrypted
+communications.
+This parameter is only supported by LDAP servers that honor the
+.Em start_tls
+extension, such as the OpenLDAP and Tivoli Directory servers.
+.It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
+If enabled,
+.Sy TLS_CHECKPEER
+will cause the LDAP server's TLS certificated to be verified.
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+.Nm sudo
+will be unable to connect to it.
+If
+.Sy TLS_CHECKPEER
+is disabled, no check is made.
+Note that disabling the check creates an opportunity for man-in-the-middle
+attacks since the server's identity will not be authenticated.
+If possible, the CA's certificate should be installed locally so it can
+be verified.
+This option is not supported by the Tivoli Directory Server LDAP libraries.
+.It Sy TLS_CACERT Ar file name
+An alias for
+.Sy TLS_CACERTFILE
+for OpenLDAP compatibility.
+.It Sy TLS_CACERTFILE Ar file name
+The path to a certificate authority bundle which contains the certificates
+for all the Certificate Authorities the client knows to be valid, e.g.\&
+.Pa /etc/ssl/ca-bundle.pem .
+This option is only supported by the OpenLDAP libraries.
+Netscape-derived LDAP libraries use the same certificate
+database for CA and client certificates (see
+.Sy TLS_CERT ) .
+.It Sy TLS_CACERTDIR Ar directory
+Similar to
+.Sy TLS_CACERTFILE
+but instead of a file, it is a directory containing individual
+Certificate Authority certificates, e.g.\&
+.Pa /etc/ssl/certs .
+The directory specified by
+.Sy TLS_CACERTDIR
+is checked after
+.Sy TLS_CACERTFILE .
+This option is only supported by the OpenLDAP libraries.
+.It Sy TLS_CERT Ar file name
+The path to a file containing the client certificate which can
+be used to authenticate the client to the LDAP server.
+The certificate type depends on the LDAP libraries used.
+.Bl -tag -width 4n
+.It OpenLDAP:
+.Li tls_cert /etc/ssl/client_cert.pem
+.It Netscape-derived:
+.Li tls_cert /var/ldap/cert7.db
+.It Tivoli Directory Server:
+Unused, the key database specified by
+.Sy TLS_KEY
+contains both keys and certificates.
+.Pp
+When using Netscape-derived libraries, this file may also contain
+Certificate Authority certificates.
+.El
+.It Sy TLS_KEY Ar file name
+The path to a file containing the private key which matches the
+certificate specified by
+.Sy TLS_CERT .
+The private key must not be password-protected.
+The key type depends on the LDAP libraries used.
+.Bl -tag -width 4n
+.It OpenLDAP:
+.Li tls_key /etc/ssl/client_key.pem
+.It Netscape-derived:
+.Li tls_key /var/ldap/key3.db
+.It Tivoli Directory Server:
+.Li tls_cert /usr/ldap/ldapkey.kdb
+.El
+When using Tivoli LDAP libraries, this file may also contain
+Certificate Authority and client certificates and may be encrypted.
+.It Sy TLS_KEYPW Ar secret
+The
+.Sy TLS_KEYPW
+contains the password used to decrypt the key database on clients
+using the Tivoli Directory Server LDAP library.
+If no
+.Sy TLS_KEYPW
+is specified, a
+.Em stash file
+will be used if it exists.
+The
+.Em stash file
+must have the same path as the file specified by
+.Sy TLS_KEY ,
+but use a
+.Li .sth
+file extension instead of
+.Li .kdb ,
+e.g.\&
+.Li ldapkey.sth .
+The default
+.Li ldapkey.kdb
+that ships with Tivoli Directory Server is encrypted with the password
+.Li ssl_password .
+This option is only supported by the Tivoli LDAP libraries.
+.It Sy TLS_RANDFILE Ar file name
+The
+.Sy TLS_RANDFILE
+parameter specifies the path to an entropy source for systems that lack
+a random device.
+It is generally used in conjunction with
+.Em prngd
+or
+.Em egd .
+This option is only supported by the OpenLDAP libraries.
+.It Sy TLS_CIPHERS Ar cipher list
+The
+.Sy TLS_CIPHERS
+parameter allows the administer to restrict which encryption algorithms
+may be used for TLS (SSL) connections.
+See the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ciphers.
+This option is not supported by Netscape-derived libraries.
+.It Sy USE_SASL Ar on/true/yes/off/false/no
+Enable
+.Sy USE_SASL
+for LDAP servers that support SASL authentication.
+.It Sy SASL_AUTH_ID Ar identity
+The SASL user name to use when connecting to the LDAP server.
+By default,
+.Nm sudo
+will use an anonymous connection.
+.It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
+Enable
+.Sy ROOTUSE_SASL
+to enable SASL authentication when connecting
+to an LDAP server from a privileged process, such as
+.Nm sudo .
+.It Sy ROOTSASL_AUTH_ID Ar identity
+The SASL user name to use when
+.Sy ROOTUSE_SASL
+is enabled.
+.It Sy SASL_SECPROPS Ar none/properties
+SASL security properties or
+.Em none
+for no properties.
+See the SASL programmer's manual for details.
+.It Sy KRB5_CCNAME Ar file name
+The path to the Kerberos 5 credential cache to use when authenticating
+with the remote server.
+.It Sy DEREF Ar never/searching/finding/always
+How alias dereferencing is to be performed when searching.
+See the
+.Xr ldap.conf @mansectsu@
+manual for a full description of this option.
+.El
+.Pp
+See the
+.Pa ldap.conf
+entry in the
+.Sx EXAMPLES
+section.
+.Ss Configuring nsswitch.conf
+Unless it is disabled at build time,
+.Nm sudo
+consults the Name Service Switch file,
+.Pa @nsswitch_conf@ ,
+to specify the
+.Em sudoers
+search order.
+Sudo looks for a line beginning with
+.Li sudoers :
+and uses this to determine the search order.
+Note that
+.Nm sudo
+does
+not stop searching after the first match and later matches take
+precedence over earlier ones.
+The following sources are recognized:
+.Pp
+.Bl -tag -width 8n -offset 4n -compact
+.It files
+read sudoers from
+.Pa @sysconfdir@/sudoers
+.It ldap
+read sudoers from LDAP
+.El
+.Pp
+In addition, the entry
+.Li [NOTFOUND=return]
+will short-circuit the search if the user was not found in the
+preceding source.
+.Pp
+To consult LDAP first followed by the local sudoers file (if it
+exists), use:
+.Bd -literal -offset 4n
+sudoers: ldap files
+.Ed
+.Pp
+The local
+.Em sudoers
+file can be ignored completely by using:
+.Bd -literal -offset 4n
+sudoers: ldap
+.Ed
+.Pp
+If the
+.Pa @nsswitch_conf@
+file is not present or there is no sudoers line, the following
+default is assumed:
+.Bd -literal -offset 4n
+sudoers: files
+.Ed
+.Pp
+Note that
+.Pa @nsswitch_conf@
+is supported even when the underlying operating system does not use
+an nsswitch.conf file, except on AIX (see below).
+.Ss Configuring netsvc.conf
+On AIX systems, the
+.Pa @netsvc_conf@
+file is consulted instead of
+.Pa @nsswitch_conf@ .
+.Nm sudo
+simply treats
+.Pa netsvc.conf
+as a variant of
+.Pa nsswitch.conf ;
+information in the previous section unrelated to the file format
+itself still applies.
+.Pp
+To consult LDAP first followed by the local sudoers file (if it
+exists), use:
+.Bd -literal -offset 4n
+sudoers = ldap, files
+.Ed
+.Pp
+The local
+.Em sudoers
+file can be ignored completely by using:
+.Bd -literal -offset 4n
+sudoers = ldap
+.Ed
+.Pp
+To treat LDAP as authoratative and only use the local sudoers file
+if the user is not present in LDAP, use:
+.Bd -literal -offset 4n
+sudoers = ldap = auth, files
+.Ed
+.Pp
+Note that in the above example, the
+.Li auth
+qualfier only affects user lookups; both LDAP and
+.Em sudoers
+will be queried for
+.Li Defaults
+entries.
+.Pp
+If the
+.Pa @netsvc_conf@
+file is not present or there is no sudoers line, the following
+default is assumed:
+.Bd -literal -offset 4n
+sudoers = files
+.Ed
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @ldap_conf@
+LDAP configuration file
+.It Pa @nsswitch_conf@
+determines sudoers source order
+.It Pa @netsvc_conf@
+determines sudoers source order on AIX
+.El
+.Sh EXAMPLES
+.Ss Example ldap.conf
+.Bd -literal -offset 2n
+# Either specify one or more URIs or one or more host:port pairs.
+# If neither is specified sudo will default to localhost, port 389.
+#
+#host ldapserver
+#host ldapserver1 ldapserver2:390
+#
+# Default port if host is specified without one, defaults to 389.
+#port 389
+#
+# URI will override the host and port settings.
+uri ldap://ldapserver
+#uri ldaps://secureldapserver
+#uri ldaps://secureldapserver ldap://ldapserver
+#
+# The amount of time, in seconds, to wait while trying to connect to
+# an LDAP server.
+bind_timelimit 30
+#
+# The amount of time, in seconds, to wait while performing an LDAP query.
+timelimit 30
+#
+# Must be set or sudo will ignore LDAP; may be specified multiple times.
+sudoers_base ou=SUDOers,dc=example,dc=com
+#
+# verbose sudoers matching from ldap
+#sudoers_debug 2
+#
+# Enable support for time-based entries in sudoers.
+#sudoers_timed yes
+#
+# optional proxy credentials
+#binddn <who to search as>
+#bindpw <password>
+#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
+#
+# LDAP protocol version, defaults to 3
+#ldap_version 3
+#
+# Define if you want to use an encrypted LDAP connection.
+# Typically, you must also set the port to 636 (ldaps).
+#ssl on
+#
+# Define if you want to use port 389 and switch to
+# encryption before the bind credentials are sent.
+# Only supported by LDAP servers that support the start_tls
+# extension such as OpenLDAP.
+#ssl start_tls
+#
+# Additional TLS options follow that allow tweaking of the
+# SSL/TLS connection.
+#
+#tls_checkpeer yes # verify server SSL certificate
+#tls_checkpeer no # ignore server SSL certificate
+#
+# If you enable tls_checkpeer, specify either tls_cacertfile
+# or tls_cacertdir. Only supported when using OpenLDAP.
+#
+#tls_cacertfile /etc/certs/trusted_signers.pem
+#tls_cacertdir /etc/certs
+#
+# For systems that don't have /dev/random
+# use this along with PRNGD or EGD.pl to seed the
+# random number pool to generate cryptographic session keys.
+# Only supported when using OpenLDAP.
+#
+#tls_randfile /etc/egd-pool
+#
+# You may restrict which ciphers are used. Consult your SSL
+# documentation for which options go here.
+# Only supported when using OpenLDAP.
+#
+#tls_ciphers <cipher-list>
+#
+# Sudo can provide a client certificate when communicating to
+# the LDAP server.
+# Tips:
+# * Enable both lines at the same time.
+# * Do not password protect the key file.
+# * Ensure the keyfile is only readable by root.
+#
+# For OpenLDAP:
+#tls_cert /etc/certs/client_cert.pem
+#tls_key /etc/certs/client_key.pem
+#
+# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+# a directory, in which case the files in the directory must have the
+# default names (e.g. cert8.db and key4.db), or the path to the cert
+# and key files themselves. However, a bug in version 5.0 of the LDAP
+# SDK will prevent specific file names from working. For this reason
+# it is suggested that tls_cert and tls_key be set to a directory,
+# not a file name.
+#
+# The certificate database specified by tls_cert may contain CA certs
+# and/or the client's cert. If the client's cert is included, tls_key
+# should be specified as well.
+# For backward compatibility, "sslpath" may be used in place of tls_cert.
+#tls_cert /var/ldap
+#tls_key /var/ldap
+#
+# If using SASL authentication for LDAP (OpenSSL)
+# use_sasl yes
+# sasl_auth_id <SASL user name>
+# rootuse_sasl yes
+# rootsasl_auth_id <SASL user name for root access>
+# sasl_secprops none
+# krb5_ccname /etc/.ldapcache
+.Ed
+.Ss Sudo schema for OpenLDAP
+The following schema, in OpenLDAP format, is included with
+.Nm sudo
+source and binary distributions as
+.Pa schema.OpenLDAP .
+Simply copy
+it to the schema directory (e.g.\&
+.Pa /etc/openldap/schema ) ,
+add the proper
+.Li include
+line in
+.Pa slapd.conf
+and restart
+.Nm slapd .
+.Bd -literal -offset 2n
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
+.Ed
+.Sh SEE ALSO
+.Xr ldap.conf @mansectsu@ ,
+.Xr sudoers @mansectsu@
+.Sh CAVEATS
+Note that there are differences in the way that LDAP-based
+.Em sudoers
+is parsed compared to file-based
+.Em sudoers .
+See the
+.Sx Differences between LDAP and non-LDAP sudoers
+section for more information.
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 2003-2011
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-=pod
-
-=head1 NAME
-
-sudoers.ldap - sudo LDAP configuration
-
-=head1 DESCRIPTION
-
-In addition to the standard I<sudoers> file, B<sudo> may be configured
-via LDAP. This can be especially useful for synchronizing I<sudoers>
-in a large, distributed environment.
-
-Using LDAP for I<sudoers> has several benefits:
-
-=over 4
-
-=item *
-
-B<sudo> no longer needs to read I<sudoers> in its entirety. When
-LDAP is used, there are only two or three LDAP queries per invocation.
-This makes it especially fast and particularly usable in LDAP
-environments.
-
-=item *
-
-B<sudo> no longer exits if there is a typo in I<sudoers>.
-It is not possible to load LDAP data into the server that does
-not conform to the sudoers schema, so proper syntax is guaranteed.
-It is still possible to have typos in a user or host name, but
-this will not prevent B<sudo> from running.
-
-=item *
-
-It is possible to specify per-entry options that override the global
-default options. F<@sysconfdir@/sudoers> only supports default options and
-limited options associated with user/host/commands/aliases. The
-syntax is complicated and can be difficult for users to understand.
-Placing the options directly in the entry is more natural.
-
-=item *
-
-The B<visudo> program is no longer needed. B<visudo> provides
-locking and syntax checking of the F<@sysconfdir@/sudoers> file.
-Since LDAP updates are atomic, locking is no longer necessary.
-Because syntax is checked when the data is inserted into LDAP, there
-is no need for a specialized tool to check syntax.
-
-=back
-
-Another major difference between LDAP and file-based I<sudoers>
-is that in LDAP, B<sudo>-specific Aliases are not supported.
-
-For the most part, there is really no need for B<sudo>-specific
-Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and Runas_Aliases. Host netgroups can be used in place
-of Host_Aliases. Since Unix groups and netgroups can also be stored
-in LDAP there is no real need for B<sudo>-specific aliases.
-
-Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a C<sudoRole>. Instead of defining
-a Cmnd_Alias that is referenced by multiple users, one can create
-a C<sudoRole> that contains the commands and assign multiple users
-to it.
-
-=head2 SUDOers LDAP container
-
-The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
-container.
-
-Sudo first looks for the C<cn=default> entry in the SUDOers container.
-If found, the multi-valued C<sudoOption> attribute is parsed in the
-same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>. In
-the following example, the C<SSH_AUTH_SOCK> variable will be preserved
-in the environment for all users.
-
- dn: cn=defaults,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: defaults
- description: Default sudoOption's go here
- sudoOption: env_keep+=SSH_AUTH_SOCK
-
-The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
-the following attributes:
-
-=over 4
-
-=item B<sudoUser>
-
-A user name, user ID (prefixed with C<'#'>), Unix group (prefixed with
-C<'%'>), Unix group ID (prefixed with C<'%#'>), or user netgroup
-(prefixed with C<'+'>).
-
-=item B<sudoHost>
-
-A host name, IP address, IP network, or host netgroup (prefixed
-with a C<'+'>).
-The special value C<ALL> will match any host.
-
-=item B<sudoCommand>
-
-A Unix command with optional command line arguments, potentially
-including globbing characters (aka wild cards).
-The special value C<ALL> will match any command.
-If a command is prefixed with an exclamation point C<'!'>, the
-user will be prohibited from running that command.
-
-=item B<sudoOption>
-
-Identical in function to the global options described above, but
-specific to the C<sudoRole> in which it resides.
-
-=item B<sudoRunAsUser>
-
-A user name or uid (prefixed with C<'#'>) that commands may be run
-as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
-with a C<'+'>) that contains a list of users that commands may be
-run as.
-The special value C<ALL> will match any user.
-
-The C<sudoRunAsUser> attribute is only available in B<sudo> versions
-1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
-attribute instead.
-
-=item B<sudoRunAsGroup>
-
-A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
-The special value C<ALL> will match any group.
-
-The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
-1.7.0 and higher.
-
-=item B<sudoNotBefore>
-
-A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
-a start date/time for when the C<sudoRole> will be valid. If
-multiple C<sudoNotBefore> entries are present, the earliest is used.
-Note that timestamps must be in Coordinated Universal Time (UTC),
-not the local timezone. The minute and seconds portions are optional,
-but some LDAP servers require that they be present (contrary to the RFC).
-
-The C<sudoNotBefore> attribute is only available in B<sudo> versions
-1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
-option in F<@ldap_conf@>.
-
-=item B<sudoNotAfter>
-
-A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
-date/time, after which the C<sudoRole> will no longer be valid. If
-multiple C<sudoNotBefore> entries are present, the last one is used.
-Note that timestamps must be in Coordinated Universal Time (UTC),
-not the local timezone. The minute and seconds portions are optional,
-but some LDAP servers require that they be present (contrary to the RFC).
-
-The C<sudoNotAfter> attribute is only available in B<sudo> versions
-1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
-option in F<@ldap_conf@>.
-
-=item B<sudoOrder>
-
-The C<sudoRole> entries retrieved from the LDAP directory have no
-inherent order. The C<sudoOrder> attribute is an integer (or
-floating point value for LDAP servers that support it) that is used
-to sort the matching entries. This allows LDAP-based sudoers entries
-to more closely mimic the behaviour of the sudoers file, where the
-of the entries influences the result. If multiple entries match,
-the entry with the highest C<sudoOrder> attribute is chosen. This
-corresponds to the "last match" behavior of the sudoers file. If
-the C<sudoOrder> attribute is not present, a value of 0 is assumed.
-
-The C<sudoOrder> attribute is only available in B<sudo> versions
-1.7.5 and higher.
-
-=back
-
-Each attribute listed above should contain a single value, but there
-may be multiple instances of each attribute type. A C<sudoRole> must
-contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
-
-The following example allows users in group wheel to run any command
-on any host via B<sudo>:
-
- dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: %wheel
- sudoUser: %wheel
- sudoHost: ALL
- sudoCommand: ALL
-
-=head2 Anatomy of LDAP sudoers lookup
-
-When looking up a sudoer using LDAP there are only two or three
-LDAP queries per invocation. The first query is to parse the global
-options. The second is to match against the user's name and the
-groups that the user belongs to. (The special ALL tag is matched
-in this query too.) If no match is returned for the user's name
-and groups, a third query returns all entries containing user
-netgroups and checks to see if the user belongs to any of them.
-
-If timed entries are enabled with the B<SUDOERS_TIMED> configuration
-directive, the LDAP queries include a subfilter that limits retrieval
-to entries that satisfy the time constraints, if any.
-
-=head2 Differences between LDAP and non-LDAP sudoers
-
-There are some subtle differences in the way sudoers is handled
-once in LDAP. Probably the biggest is that according to the RFC,
-LDAP ordering is arbitrary and you cannot expect that Attributes
-and Entries are returned in any specific order.
-
-The order in which different entries are applied can be controlled
-using the C<sudoOrder> attribute, but there is no way to guarantee
-the order of attributes within a specific entry. If there are
-conflicting command rules in an entry, the negative takes precedence.
-This is called paranoid behavior (not necessarily the most specific
-match).
-
-Here is an example:
-
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
-
- # LDAP equivalent of johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
-
- # LDAP equivalent of puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
- sudoCommand: ALL
-
-Another difference is that negations on the Host, User or Runas are
-currently ignored. For example, the following attributes do not
-behave the way one might expect.
-
- # does not match all but joe
- # rather, does not match anyone
- sudoUser: !joe
-
- # does not match all but joe
- # rather, matches everyone including Joe
- sudoUser: ALL
- sudoUser: !joe
-
- # does not match all but web01
- # rather, matches all hosts including web01
- sudoHost: ALL
- sudoHost: !web01
-
-=head2 Sudoers Schema
-
-In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
-installed on your LDAP server. In addition, be sure to index the
-'sudoUser' attribute.
-
-Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
-one for Netscape-derived servers (F<schema.iPlanet>), and one for
-Microsoft Active Directory (F<schema.ActiveDirectory>) may
-be found in the B<sudo> distribution.
-
-The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
-section.
-
-=head2 Configuring ldap.conf
-
-Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
-Typically, this file is shared amongst different LDAP-aware clients.
-As such, most of the settings are not B<sudo>-specific. Note that
-B<sudo> parses F<@ldap_conf@> itself and may support options
-that differ from those described in the L<ldap.conf(5)> manual.
-
-Also note that on systems using the OpenLDAP libraries, default
-values specified in F</etc/openldap/ldap.conf> or the user's
-F<.ldaprc> files are not used.
-
-Only those options explicitly listed in F<@ldap_conf@> as being
-supported by B<sudo> are honored. Configuration options are listed
-below in upper case but are parsed in a case-independent manner.
-
-=over 4
-
-=item B<URI> ldap[s]://[hostname[:port]] ...
-
-Specifies a whitespace-delimited list of one or more URIs describing
-the LDAP server(s) to connect to. The I<protocol> may be either
-B<ldap> or B<ldaps>, the latter being for servers that support TLS
-(SSL) encryption. If no I<port> is specified, the default is port
-389 for C<ldap://> or port 636 for C<ldaps://>. If no I<hostname>
-is specified, B<sudo> will connect to B<localhost>. Multiple B<URI>
-lines are treated identically to a B<URI> line containing multiple
-entries. Only systems using the OpenSSL libraries support the
-mixing of C<ldap://> and C<ldaps://> URIs. The Netscape-derived
-libraries used on most commercial versions of Unix are only capable
-of supporting one or the other.
-
-=item B<HOST> name[:port] ...
-
-If no B<URI> is specified, the B<HOST> parameter specifies a
-whitespace-delimited list of LDAP servers to connect to. Each host
-may include an optional I<port> separated by a colon (':'). The
-B<HOST> parameter is deprecated in favor of the B<URI> specification
-and is included for backwards compatibility.
-
-=item B<PORT> port_number
-
-If no B<URI> is specified, the B<PORT> parameter specifies the
-default port to connect to on the LDAP server if a B<HOST> parameter
-does not specify the port itself. If no B<PORT> parameter is used,
-the default is port 389 for LDAP and port 636 for LDAP over TLS
-(SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
-specification and is included for backwards compatibility.
-
-=item B<BIND_TIMELIMIT> seconds
-
-The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
-to wait while trying to connect to an LDAP server. If multiple B<URI>s or
-B<HOST>s are specified, this is the amount of time to wait before trying
-the next one in the list.
-
-=item B<NETWORK_TIMEOUT> seconds
-
-An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
-
-=item B<TIMELIMIT> seconds
-
-The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
-to wait for a response to an LDAP query.
-
-=item B<TIMEOUT> seconds
-
-The B<TIMEOUT> parameter specifies the amount of time, in seconds,
-to wait for a response from the various LDAP APIs.
-
-=item B<SUDOERS_BASE> base
-
-The base DN to use when performing B<sudo> LDAP queries. Typically
-this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
-C<example.com>. Multiple B<SUDOERS_BASE> lines may be specified,
-in which case they are queried in the order specified.
-
-=item B<SUDOERS_SEARCH_FILTER> ldap_filter
-
-An LDAP filter which is used to restrict the set of records returned
-when performing a B<sudo> LDAP query. Typically, this is of the
-form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
-
-=item B<SUDOERS_TIMED> on/true/yes/off/false/no
-
-Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
-attributes that implement time-dependent sudoers entries.
-
-=item B<SUDOERS_DEBUG> debug_level
-
-This sets the debug level for B<sudo> LDAP queries. Debugging
-information is printed to the standard error. A value of 1 results
-in a moderate amount of debugging information. A value of 2 shows
-the results of the matches themselves. This parameter should not
-be set in a production environment as the extra information is
-likely to confuse users.
-
-=item B<BINDDN> DN
-
-The B<BINDDN> parameter specifies the identity, in the form of a
-Distinguished Name (DN), to use when performing LDAP operations.
-If not specified, LDAP operations are performed with an anonymous
-identity. By default, most LDAP servers will allow anonymous access.
-
-=item B<BINDPW> secret
-
-The B<BINDPW> parameter specifies the password to use when performing
-LDAP operations. This is typically used in conjunction with the
-B<BINDDN> parameter.
-
-=item B<ROOTBINDDN> DN
-
-The B<ROOTBINDDN> parameter specifies the identity, in the form of
-a Distinguished Name (DN), to use when performing privileged LDAP
-operations, such as I<sudoers> queries. The password corresponding
-to the identity should be stored in F<@ldap_secret@>.
-If not specified, the B<BINDDN> identity is used (if any).
-
-=item B<LDAP_VERSION> number
-
-The version of the LDAP protocol to use when connecting to the server.
-The default value is protocol version 3.
-
-=item B<SSL> on/true/yes/off/false/no
-
-If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
-(SSL) encryption is always used when communicating with the LDAP
-server. Typically, this involves connecting to the server on port
-636 (ldaps).
-
-=item B<SSL> start_tls
-
-If the B<SSL> parameter is set to C<start_tls>, the LDAP server
-connection is initiated normally and TLS encryption is begun before
-the bind credentials are sent. This has the advantage of not
-requiring a dedicated port for encrypted communications. This
-parameter is only supported by LDAP servers that honor the C<start_tls>
-extension, such as the OpenLDAP server.
-
-=item B<TLS_CHECKPEER> on/true/yes/off/false/no
-
-If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
-certificated to be verified. If the server's TLS certificate cannot
-be verified (usually because it is signed by an unknown certificate
-authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
-is disabled, no check is made. Note that disabling the check creates
-an opportunity for man-in-the-middle attacks since the server's
-identity will not be authenticated. If possible, the CA's certificate
-should be installed locally so it can be verified.
-
-=item B<TLS_CACERT> file name
-
-An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
-
-=item B<TLS_CACERTFILE> file name
-
-The path to a certificate authority bundle which contains the certificates
-for all the Certificate Authorities the client knows to be valid,
-e.g. F</etc/ssl/ca-bundle.pem>.
-This option is only supported by the OpenLDAP libraries.
-Netscape-derived LDAP libraries use the same certificate
-database for CA and client certificates (see B<TLS_CERT>).
-
-=item B<TLS_CACERTDIR> directory
-
-Similar to B<TLS_CACERTFILE> but instead of a file, it is a
-directory containing individual Certificate Authority certificates,
-e.g. F</etc/ssl/certs>.
-The directory specified by B<TLS_CACERTDIR> is checked after
-B<TLS_CACERTFILE>.
-This option is only supported by the OpenLDAP libraries.
-
-=item B<TLS_CERT> file name
-
-The path to a file containing the client certificate which can
-be used to authenticate the client to the LDAP server.
-The certificate type depends on the LDAP libraries used.
-
-OpenLDAP:
- C<tls_cert /etc/ssl/client_cert.pem>
-
-Netscape-derived:
- C<tls_cert /var/ldap/cert7.db>
-
-When using Netscape-derived libraries, this file may also contain
-Certificate Authority certificates.
-
-=item B<TLS_KEY> file name
-
-The path to a file containing the private key which matches the
-certificate specified by B<TLS_CERT>. The private key must not be
-password-protected. The key type depends on the LDAP libraries
-used.
-
-OpenLDAP:
- C<tls_key /etc/ssl/client_key.pem>
-
-Netscape-derived:
- C<tls_key /var/ldap/key3.db>
-
-=item B<TLS_RANDFILE> file name
-
-The B<TLS_RANDFILE> parameter specifies the path to an entropy
-source for systems that lack a random device. It is generally used
-in conjunction with I<prngd> or I<egd>.
-This option is only supported by the OpenLDAP libraries.
-
-=item B<TLS_CIPHERS> cipher list
-
-The B<TLS_CIPHERS> parameter allows the administer to restrict
-which encryption algorithms may be used for TLS (SSL) connections.
-See the OpenSSL manual for a list of valid ciphers.
-This option is only supported by the OpenLDAP libraries.
-
-=item B<USE_SASL> on/true/yes/off/false/no
-
-Enable B<USE_SASL> for LDAP servers that support SASL authentication.
-
-=item B<SASL_AUTH_ID> identity
-
-The SASL user name to use when connecting to the LDAP server.
-By default, B<sudo> will use an anonymous connection.
-
-=item B<ROOTUSE_SASL> on/true/yes/off/false/no
-
-Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
-to an LDAP server from a privileged process, such as B<sudo>.
-
-=item B<ROOTSASL_AUTH_ID> identity
-
-The SASL user name to use when B<ROOTUSE_SASL> is enabled.
-
-=item B<SASL_SECPROPS> none/properties
-
-SASL security properties or I<none> for no properties. See the
-SASL programmer's manual for details.
-
-=item B<KRB5_CCNAME> file name
-
-The path to the Kerberos 5 credential cache to use when authenticating
-with the remote server.
-
-=item B<DEREF> never/searching/finding/always
-
-How alias dereferencing is to be performed when searching. See the
-L<ldap.conf(5)> manual for a full description of this option.
-
-=back
-
-See the C<ldap.conf> entry in the L<EXAMPLES> section.
-
-=head2 Configuring nsswitch.conf
-
-Unless it is disabled at build time, B<sudo> consults the Name
-Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
-search order. Sudo looks for a line beginning with C<sudoers>: and
-uses this to determine the search order. Note that B<sudo> does
-not stop searching after the first match and later matches take
-precedence over earlier ones.
-
-The following sources are recognized:
-
- files read sudoers from F<@sysconfdir@/sudoers>
- ldap read sudoers from LDAP
-
-In addition, the entry C<[NOTFOUND=return]> will short-circuit the
-search if the user was not found in the preceding source.
-
-To consult LDAP first followed by the local sudoers file (if it
-exists), use:
-
- sudoers: ldap files
-
-The local I<sudoers> file can be ignored completely by using:
-
- sudoers: ldap
-
-If the F<@nsswitch_conf@> file is not present or there is no
-sudoers line, the following default is assumed:
-
- sudoers: files
-
-Note that F<@nsswitch_conf@> is supported even when the underlying
-operating system does not use an nsswitch.conf file.
-
-=head2 Configuring netsvc.conf
-
-On AIX systems, the F<@netsvc_conf@> file is consulted instead of
-F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
-variant of I<nsswitch.conf>; information in the previous section
-unrelated to the file format itself still applies.
-
-To consult LDAP first followed by the local sudoers file (if it
-exists), use:
-
- sudoers = ldap, files
-
-The local I<sudoers> file can be ignored completely by using:
-
- sudoers = ldap
-
-To treat LDAP as authoratative and only use the local sudoers file
-if the user is not present in LDAP, use:
-
- sudoers = ldap = auth, files
-
-Note that in the above example, the C<auth> qualfier only affects
-user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
-entries.
-
-If the F<@netsvc_conf@> file is not present or there is no
-sudoers line, the following default is assumed:
-
- sudoers = files
-
-=head1 FILES
-
-=over 24
-
-=item F<@ldap_conf@>
-
-LDAP configuration file
-
-=item F<@nsswitch_conf@>
-
-determines sudoers source order
-
-=item F<@netsvc_conf@>
-
-determines sudoers source order on AIX
-
-=back
-
-=head1 EXAMPLES
-
-=head2 Example ldap.conf
-
- # Either specify one or more URIs or one or more host:port pairs.
- # If neither is specified sudo will default to localhost, port 389.
- #
- #host ldapserver
- #host ldapserver1 ldapserver2:390
- #
- # Default port if host is specified without one, defaults to 389.
- #port 389
- #
- # URI will override the host and port settings.
- uri ldap://ldapserver
- #uri ldaps://secureldapserver
- #uri ldaps://secureldapserver ldap://ldapserver
- #
- # The amount of time, in seconds, to wait while trying to connect to
- # an LDAP server.
- bind_timelimit 30
- #
- # The amount of time, in seconds, to wait while performing an LDAP query.
- timelimit 30
- #
- # Must be set or sudo will ignore LDAP; may be specified multiple times.
- sudoers_base ou=SUDOers,dc=example,dc=com
- #
- # verbose sudoers matching from ldap
- #sudoers_debug 2
- #
- # Enable support for time-based entries in sudoers.
- #sudoers_timed yes
- #
- # optional proxy credentials
- #binddn <who to search as>
- #bindpw <password>
- #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
- #
- # LDAP protocol version, defaults to 3
- #ldap_version 3
- #
- # Define if you want to use an encrypted LDAP connection.
- # Typically, you must also set the port to 636 (ldaps).
- #ssl on
- #
- # Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent.
- # Only supported by LDAP servers that support the start_tls
- # extension such as OpenLDAP.
- #ssl start_tls
- #
- # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection.
- #
- #tls_checkpeer yes # verify server SSL certificate
- #tls_checkpeer no # ignore server SSL certificate
- #
- # If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir. Only supported when using OpenLDAP.
- #
- #tls_cacertfile /etc/certs/trusted_signers.pem
- #tls_cacertdir /etc/certs
- #
- # For systems that don't have /dev/random
- # use this along with PRNGD or EGD.pl to seed the
- # random number pool to generate cryptographic session keys.
- # Only supported when using OpenLDAP.
- #
- #tls_randfile /etc/egd-pool
- #
- # You may restrict which ciphers are used. Consult your SSL
- # documentation for which options go here.
- # Only supported when using OpenLDAP.
- #
- #tls_ciphers <cipher-list>
- #
- # Sudo can provide a client certificate when communicating to
- # the LDAP server.
- # Tips:
- # * Enable both lines at the same time.
- # * Do not password protect the key file.
- # * Ensure the keyfile is only readable by root.
- #
- # For OpenLDAP:
- #tls_cert /etc/certs/client_cert.pem
- #tls_key /etc/certs/client_key.pem
- #
- # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
- # a directory, in which case the files in the directory must have the
- # default names (e.g. cert8.db and key4.db), or the path to the cert
- # and key files themselves. However, a bug in version 5.0 of the LDAP
- # SDK will prevent specific file names from working. For this reason
- # it is suggested that tls_cert and tls_key be set to a directory,
- # not a file name.
- #
- # The certificate database specified by tls_cert may contain CA certs
- # and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
- # For backward compatibility, "sslpath" may be used in place of tls_cert.
- #tls_cert /var/ldap
- #tls_key /var/ldap
- #
- # If using SASL authentication for LDAP (OpenSSL)
- # use_sasl yes
- # sasl_auth_id <SASL user name>
- # rootuse_sasl yes
- # rootsasl_auth_id <SASL user name for root access>
- # sasl_secprops none
- # krb5_ccname /etc/.ldapcache
-
-=head2 Sudo schema for OpenLDAP
-
-The following schema, in OpenLDAP format, is included with B<sudo>
-source and binary distributions as F<schema.OpenLDAP>. Simply copy
-it to the schema directory (e.g. F</etc/openldap/schema>), add the
-proper C<include> line in C<slapd.conf> and restart B<slapd>.
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
- DESC 'Start of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.9
- NAME 'sudoNotAfter'
- DESC 'End of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
- NAME 'sudoOrder'
- DESC 'an integer to order the sudoRole entries'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
- sudoOrder $ description )
- )
-
-=head1 SEE ALSO
-
-L<ldap.conf(5)>, L<sudoers(5)>
-
-=head1 CAVEATS
-
-Note that there are differences in the way that LDAP-based I<sudoers>
-is parsed compared to file-based I<sudoers>. See the L<Differences
-between LDAP and non-LDAP sudoers> section for more information.
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
+.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
-.\"
-.nr SL @SEMAN@
-.nr BA @BAMAN@
-.nr LC @LCMAN@
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "March 28, 2012" "1.8.5" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudoers \- default sudo security policy module
+\fBsudoers\fR
+\- default sudo security policy module
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fIsudoers\fR policy module determines a user's \fBsudo\fR privileges.
-It is the default \fBsudo\fR policy plugin. The policy is driven by
-the \fI@sysconfdir@/sudoers\fR file or, optionally in \s-1LDAP\s0. The policy
-format is described in detail in the \*(L"\s-1SUDOERS\s0 \s-1FILE\s0 \s-1FORMAT\s0\*(R"
-section. For information on storing \fIsudoers\fR policy information
-in \s-1LDAP\s0, please see \fIsudoers.ldap\fR\|(@mansectform@).
-.SS "Authentication and Logging"
-.IX Subsection "Authentication and Logging"
-The \fIsudoers\fR security policy requires that most users authenticate
-themselves before they can use \fBsudo\fR. A password is not required
+The
+\fIsudoers\fR
+policy module determines a user's
+\fBsudo\fR
+privileges.
+It is the default
+\fBsudo\fR
+policy plugin.
+The policy is driven by
+the
+\fI@sysconfdir@/sudoers\fR
+file or, optionally in LDAP.
+The policy format is described in detail in the
+\fISUDOERS FILE FORMAT\fR
+section.
+For information on storing
+\fIsudoers\fR
+policy information
+in LDAP, please see
+sudoers.ldap(@mansectform@).
+.SS "Authentication and logging"
+The
+\fIsudoers\fR
+security policy requires that most users authenticate
+themselves before they can use
+\fBsudo\fR.
+A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
-user or command. Unlike \fIsu\fR\|(1), when \fIsudoers\fR requires
+user or command.
+Unlike
+su(1),
+when
+\fIsudoers\fR
+requires
authentication, it validates the invoking user's credentials, not
-the target user's (or root's) credentials. This can be changed via
-the \fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags, described later.
+the target user's (or root's) credentials.
+This can be changed via
+the
+\fIrootpw\fR,
+\fItargetpw\fR
+and
+\fIrunaspw\fR
+flags, described later.
.PP
If a user who is not listed in the policy tries to run a command
-via \fBsudo\fR, mail is sent to the proper authorities. The address
-used for such mail is configurable via the \fImailto\fR Defaults entry
-(described later) and defaults to \f(CW\*(C`@mailto@\*(C'\fR.
+via
+\fBsudo\fR,
+mail is sent to the proper authorities.
+The address
+used for such mail is configurable via the
+\fImailto\fR
+Defaults entry
+(described later) and defaults to
+\fR@mailto@\fR.
.PP
Note that mail will not be sent if an unauthorized user tries to
-run \fBsudo\fR with the \fB\-l\fR or \fB\-v\fR option. This allows users to
+run
+\fBsudo\fR
+with the
+\fB\-l\fR
+or
+\fB\-v\fR
+option.
+This allows users to
determine for themselves whether or not they are allowed to use
-\&\fBsudo\fR.
-.PP
-If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
-is set, the \fIsudoers\fR policy will use this value to determine who
-the actual user is. This can be used by a user to log commands
-through sudo even when a root shell has been invoked. It also
-allows the \fB\-e\fR option to remain useful even when invoked via a
-sudo-run script or program. Note, however, that the \fIsudoers\fR
-lookup is still done for root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
-.PP
-\&\fIsudoers\fR uses time stamp files for credential caching. Once a
-user has been authenticated, a time stamp is updated and the user
+\fBsudo\fR.
+.PP
+If
+\fBsudo\fR
+is run by root and the
+\fRSUDO_USER\fR
+environment variable
+is set, the
+\fIsudoers\fR
+policy will use this value to determine who
+the actual user is.
+This can be used by a user to log commands
+through sudo even when a root shell has been invoked.
+It also
+allows the
+\fB\-e\fR
+option to remain useful even when invoked via a
+sudo-run script or program.
+Note, however, that the
+\fIsudoers\fR
+lookup is still done for root, not the user specified by
+\fRSUDO_USER\fR.
+.PP
+\fIsudoers\fR
+uses time stamp files for credential caching.
+Once a
+user has been authenticated, the time stamp is updated and the user
may then use sudo without a password for a short period of time
-(\f(CW\*(C`@timeout@\*(C'\fR minutes unless overridden by the \fItimeout\fR option.
-By default, \fIsudoers\fR uses a tty-based time stamp which means that
+(\fR@timeout@\fR
+minutes unless overridden by the
+\fItimeout\fR
+option)
+\&.
+By default,
+\fIsudoers\fR
+uses a tty-based time stamp which means that
there is a separate time stamp for each of a user's login sessions.
-The \fItty_tickets\fR option can be disabled to force the use of a
+The
+\fItty_tickets\fR
+option can be disabled to force the use of a
single time stamp for all of a user's sessions.
.PP
-\&\fIsudoers\fR can log both successful and unsuccessful attempts (as well
-as errors) to \fIsyslog\fR\|(3), a log file, or both. By default, \fIsudoers\fR
-will log via \fIsyslog\fR\|(3) but this is changeable via the \fIsyslog\fR
-and \fIlogfile\fR Defaults settings.
-.PP
-\&\fIsudoers\fR also supports logging a command's input and output
-streams. I/O logging is not on by default but can be enabled using
-the \fIlog_input\fR and \fIlog_output\fR Defaults flags as well as the
-\&\f(CW\*(C`LOG_INPUT\*(C'\fR and \f(CW\*(C`LOG_OUTPUT\*(C'\fR command tags.
-.SS "Command Environment"
-.IX Subsection "Command Environment"
-Since environment variables can influence program behavior, \fIsudoers\fR
+\fIsudoers\fR
+can log both successful and unsuccessful attempts (as well
+as errors) to
+syslog(3),
+a log file, or both.
+By default,
+\fIsudoers\fR
+will log via
+syslog(3)
+but this is changeable via the
+\fIsyslog\fR
+and
+\fIlogfile\fR
+Defaults settings.
+.PP
+\fIsudoers\fR
+also supports logging a command's input and output
+streams.
+I/O logging is not on by default but can be enabled using
+the
+\fIlog_input\fR
+and
+\fIlog_output\fR
+Defaults flags as well as the
+\fRLOG_INPUT\fR
+and
+\fRLOG_OUTPUT\fR
+command tags.
+.SS "Command environment"
+Since environment variables can influence program behavior,
+\fIsudoers\fR
provides a means to restrict which variables from the user's
-environment are inherited by the command to be run. There are two
-distinct ways \fIsudoers\fR can deal with environment variables.
-.PP
-By default, the \fIenv_reset\fR option is enabled. This causes commands
-to be executed with a new, minimal environment. On \s-1AIX\s0 (and Linux
-systems without \s-1PAM\s0), the environment is initialized with the
-contents of the \fI/etc/environment\fR file. On \s-1BSD\s0 systems, if the
-\&\fIuse_loginclass\fR option is enabled, the environment is initialized
-based on the \fIpath\fR and \fIsetenv\fR settings in \fI/etc/login.conf\fR.
-The new environment contains the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR,
-\&\f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables
+environment are inherited by the command to be run.
+There are two
+distinct ways
+\fIsudoers\fR
+can deal with environment variables.
+.PP
+By default, the
+\fIenv_reset\fR
+option is enabled.
+This causes commands
+to be executed with a new, minimal environment.
+On AIX (and Linux
+systems without PAM), the environment is initialized with the
+contents of the
+\fI/etc/environment\fR
+file.
+On BSD systems, if the
+\fIuse_loginclass\fR
+option is enabled, the environment is initialized
+based on the
+\fIpath\fR
+and
+\fIsetenv\fR
+settings in
+\fI/etc/login.conf\fR.
+The new environment contains the
+\fRTERM\fR,
+\fRPATH\fR,
+\fRHOME\fR,
+\fRMAIL\fR,
+\fRSHELL\fR,
+\fRLOGNAME\fR,
+\fRUSER\fR,
+\fRUSERNAME\fR
+and
+\fRSUDO_*\fR
+variables
in addition to variables from the invoking process permitted by the
-\&\fIenv_check\fR and \fIenv_keep\fR options. This is effectively a whitelist
+\fIenv_check\fR
+and
+\fIenv_keep\fR
+options.
+This is effectively a whitelist
for environment variables.
.PP
-If, however, the \fIenv_reset\fR option is disabled, any variables not
-explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR options are
-inherited from the invoking process. In this case, \fIenv_check\fR
-and \fIenv_delete\fR behave like a blacklist. Since it is not possible
+If, however, the
+\fIenv_reset\fR
+option is disabled, any variables not
+explicitly denied by the
+\fIenv_check\fR
+and
+\fIenv_delete\fR
+options are
+inherited from the invoking process.
+In this case,
+\fIenv_check\fR
+and
+\fIenv_delete\fR
+behave like a blacklist.
+Since it is not possible
to blacklist all potentially dangerous environment variables, use
-of the default \fIenv_reset\fR behavior is encouraged.
+of the default
+\fIenv_reset\fR
+behavior is encouraged.
.PP
In all cases, environment variables with a value beginning with
-\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
-The list of environment variables that \fBsudo\fR allows or denies is
-contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
+\fR()\fR
+are removed as they could be interpreted as
+\fBbash\fR
+functions.
+The list of environment variables that
+\fBsudo\fR
+allows or denies is
+contained in the output of
+``\fRsudo -V\fR''
+when run as root.
.PP
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
-setuid executables, including \fBsudo\fR. Depending on the operating
-system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
-\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
-removed from the environment before \fBsudo\fR even begins execution
-and, as such, it is not possible for \fBsudo\fR to preserve them.
-.PP
-As a special case, if \fBsudo\fR's \fB\-i\fR option (initial login) is
-specified, \fIsudoers\fR will initialize the environment regardless
-of the value of \fIenv_reset\fR. The \fI\s-1DISPLAY\s0\fR, \fI\s-1PATH\s0\fR and \fI\s-1TERM\s0\fR
-variables remain unchanged; \fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR,
-and \fI\s-1LOGNAME\s0\fR are set based on the target user. On \s-1AIX\s0 (and Linux
-systems without \s-1PAM\s0), the contents of \fI/etc/environment\fR are also
-included. On \s-1BSD\s0 systems, if the \fIuse_loginclass\fR option is
-enabled, the \fIpath\fR and \fIsetenv\fR variables in \fI/etc/login.conf\fR
-are also applied. All other environment variables are removed.
-.PP
-Finally, if the \fIenv_file\fR option is defined, any variables present
+setuid executables, including
+\fBsudo\fR.
+Depending on the operating
+system this may include
+\fR_RLD*\fR,
+\fRDYLD_*\fR,
+\fRLD_*\fR,
+\fRLDR_*\fR,
+\fRLIBPATH\fR,
+\fRSHLIB_PATH\fR,
+and others.
+These type of variables are
+removed from the environment before
+\fBsudo\fR
+even begins execution
+and, as such, it is not possible for
+\fBsudo\fR
+to preserve them.
+.PP
+As a special case, if
+\fBsudo\fR's
+\fB\-i\fR
+option (initial login) is
+specified,
+\fIsudoers\fR
+will initialize the environment regardless
+of the value of
+\fIenv_reset\fR.
+The
+\fRDISPLAY\fR,
+\fRPATH\fR
+and
+\fRTERM\fR
+variables remain unchanged;
+\fRHOME\fR,
+\fRMAIL\fR,
+\fRSHELL\fR,
+\fRUSER\fR,
+and
+\fRLOGNAME\fR
+are set based on the target user.
+On AIX (and Linux
+systems without PAM), the contents of
+\fI/etc/environment\fR
+are also
+included.
+On BSD systems, if the
+\fIuse_loginclass\fR
+option is
+enabled, the
+\fIpath\fR
+and
+\fIsetenv\fR
+variables in
+\fI/etc/login.conf\fR
+are also applied.
+All other environment variables are removed.
+.PP
+Finally, if the
+\fIenv_file\fR
+option is defined, any variables present
in that file will be set to their specified values as long as they
would not conflict with an existing environment variable.
.SH "SUDOERS FILE FORMAT"
-.IX Header "SUDOERS FILE FORMAT"
-The \fIsudoers\fR file is composed of two types of entries: aliases
+The
+\fIsudoers\fR
+file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
may run what).
.PP
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
.PP
-The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
-Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
-fairly simple, and the definitions below are annotated.
-.SS "Quick guide to \s-1EBNF\s0"
-.IX Subsection "Quick guide to EBNF"
-\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
-Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
-.PP
-.Vb 1
-\& symbol ::= definition | alternate1 | alternate2 ...
-.Ve
-.PP
-Each \fIproduction rule\fR references others and thus makes up a
-grammar for the language. \s-1EBNF\s0 also contains the following
+The
+\fIsudoers\fR
+grammar will be described below in Extended Backus-Naur
+Form (EBNF).
+Don't despair if you are unfamiliar with EBNF; it is fairly simple,
+and the definitions below are annotated.
+.SS "Quick guide to EBNF"
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of
+\fIproduction rules\fR.
+E.g.,
+.PP
+\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
+.PP
+Each
+\fIproduction rule\fR
+references others and thus makes up a
+grammar for the language.
+EBNF also contains the following
operators, which many readers will recognize from regular
-expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
+expressions.
+Do not, however, confuse them with
+``wildcard''
characters, which have different meanings.
-.ie n .IP "\*(C`?\*(C'" 4
-.el .IP "\f(CW\*(C`?\*(C'\fR" 4
-.IX Item "?"
+.TP 6n
+\fR\&?\fR
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
-.ie n .IP "\*(C`*\*(C'" 4
-.el .IP "\f(CW\*(C`*\*(C'\fR" 4
-.IX Item "*"
+.TP 6n
+\fR*\fR
Means that the preceding symbol (or group of symbols) may appear
zero or more times.
-.ie n .IP "\*(C`+\*(C'" 4
-.el .IP "\f(CW\*(C`+\*(C'\fR" 4
-.IX Item "+"
+.TP 6n
+\fR+\fR
Means that the preceding symbol (or group of symbols) may appear
one or more times.
.PP
-Parentheses may be used to group symbols together. For clarity,
-we will use single quotes ('') to designate what is a verbatim character
-string (as opposed to a symbol name).
+Parentheses may be used to group symbols together.
+For clarity,
+we will use single quotes
+('')
+to designate what is a verbatim character string (as opposed to a symbol name).
.SS "Aliases"
-.IX Subsection "Aliases"
-There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
-\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
-.PP
-.Vb 4
-\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
-\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
-\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
-\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
-\&
-\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
-\&
-\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
-\&
-\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
-\&
-\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
-\&
-\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
-.Ve
-.PP
-Each \fIalias\fR definition is of the form
-.PP
-.Vb 1
-\& Alias_Type NAME = item1, item2, ...
-.Ve
-.PP
-where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
-or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
-and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
-uppercase letter. It is possible to put several alias definitions
-of the same type on a single line, joined by a colon (':'). E.g.,
-.PP
-.Vb 1
-\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-.Ve
-.PP
-The definitions of what constitutes a valid \fIalias\fR member follow.
-.PP
-.Vb 2
-\& User_List ::= User |
-\& User \*(Aq,\*(Aq User_List
-\&
-\& User ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* #uid |
-\& \*(Aq!\*(Aq* %group |
-\& \*(Aq!\*(Aq* %#gid |
-\& \*(Aq!\*(Aq* +netgroup |
-\& \*(Aq!\*(Aq* %:nonunix_group |
-\& \*(Aq!\*(Aq* %:#nonunix_gid |
-\& \*(Aq!\*(Aq* User_Alias
-.Ve
-.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
-(prefixed with '#'), system group names and ids (prefixed with '%'
-and '%#' respectively), netgroups (prefixed with '+'), non-Unix
-group names and IDs (prefixed with '%:' and '%:#' respectively) and
-\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
-\&'!' operators. An odd number of '!' operators negate the value of
+There are four kinds of aliases:
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+\fRHost_Alias\fR
+and
+\fRCmnd_Alias\fR.
+.nf
+.sp
+.RS 0n
+Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+User_Alias ::= NAME '=' User_List
+
+Runas_Alias ::= NAME '=' Runas_List
+
+Host_Alias ::= NAME '=' Host_List
+
+Cmnd_Alias ::= NAME '=' Cmnd_List
+
+NAME ::= [A-Z]([A-Z][0-9]_)*
+.RE
+.fi
+.PP
+Each
+\fIalias\fR
+definition is of the form
+.nf
+.sp
+.RS 0n
+Alias_Type NAME = item1, item2, ...
+.RE
+.fi
+.PP
+where
+\fIAlias_Type\fR
+is one of
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+\fRHost_Alias\fR,
+or
+\fRCmnd_Alias\fR.
+A
+\fRNAME\fR
+is a string of uppercase letters, numbers,
+and underscore characters
+(`_').
+A
+\fRNAME\fR
+\fBmust\fR
+start with an
+uppercase letter.
+It is possible to put several alias definitions
+of the same type on a single line, joined by a colon
+(`:\&').
+E.g.,
+.nf
+.sp
+.RS 0n
+Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+.RE
+.fi
+.PP
+The definitions of what constitutes a valid
+\fIalias\fR
+member follow.
+.nf
+.sp
+.RS 0n
+User_List ::= User |
+ User ',' User_List
+
+User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+.RE
+.fi
+.PP
+A
+\fRUser_List\fR
+is made up of one or more user names, user ids
+(prefixed with
+`#'),
+system group names and ids (prefixed with
+`%'
+and
+`%#'
+respectively), netgroups (prefixed with
+`+'),
+non-Unix group names and IDs (prefixed with
+`%:'
+and
+`%:#'
+respectively) and
+\fRUser_Alias\fRes.
+Each list item may be prefixed with zero or more
+`\&!'
+operators.
+An odd number of
+`\&!'
+operators negate the value of
the item; an even number just cancel each other out.
.PP
-A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
-or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
-need for escaping special characters. Alternately, special characters
-may be specified in escaped hex mode, e.g. \ex20 for space. When
+A
+\fRuser name\fR,
+\fRuid\fR,
+\fRgroup\fR,
+\fRgid\fR,
+\fRnetgroup\fR,
+\fRnonunix_group\fR
+or
+\fRnonunix_gid\fR
+may be enclosed in double quotes to avoid the
+need for escaping special characters.
+Alternately, special characters
+may be specified in escaped hex mode, e.g.\& \ex20 for space.
+When
using double quotes, any prefix characters must be included inside
the quotes.
.PP
-The actual \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on
-the underlying group provider plugin (see the \fIgroup_plugin\fR
-description below). For instance, the \s-1QAS\s0 \s-1AD\s0 plugin supports the
-following formats:
-.IP "\(bu" 4
-Group in the same domain: \*(L"Group Name\*(R"
-.IP "\(bu" 4
-Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
-.IP "\(bu" 4
-Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
-.PP
-Note that quotes around group names are optional. Unquoted strings
-must use a backslash (\e) to escape spaces and special characters.
-See \*(L"Other special characters and reserved words\*(R" for a list of
+The actual
+\fRnonunix_group\fR
+and
+\fRnonunix_gid\fR
+syntax depends on
+the underlying group provider plugin (see the
+\fIgroup_plugin\fR
+description below).
+For instance, the QAS AD plugin supports the following formats:
+.TP 6n
+\fBo\fR
+Group in the same domain: "%:Group Name"
+.TP 6n
+\fBo\fR
+Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
+.TP 6n
+\fBo\fR
+Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+.PP
+Note that quotes around group names are optional.
+Unquoted strings must use a backslash
+(`\e')
+to escape spaces and special characters.
+See
+\fIOther special characters and reserved words\fR
+for a list of
characters that need to be escaped.
+.nf
+.sp
+.RS 0n
+Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+.RE
+.fi
.PP
-.Vb 2
-\& Runas_List ::= Runas_Member |
-\& Runas_Member \*(Aq,\*(Aq Runas_List
-\&
-\& Runas_Member ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* #uid |
-\& \*(Aq!\*(Aq* %group |
-\& \*(Aq!\*(Aq* %#gid |
-\& \*(Aq!\*(Aq* %:nonunix_group |
-\& \*(Aq!\*(Aq* %:#nonunix_gid |
-\& \*(Aq!\*(Aq* +netgroup |
-\& \*(Aq!\*(Aq* Runas_Alias
-.Ve
-.PP
-A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
-of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
-user names and groups are matched as strings. In other words, two
+A
+\fRRunas_List\fR
+is similar to a
+\fRUser_List\fR
+except that instead
+of
+\fRUser_Alias\fRes
+it can contain
+\fRRunas_Alias\fRes.
+Note that
+user names and groups are matched as strings.
+In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all user names with the same uid (e.g.\ root
-and toor), you can use a uid instead (#0 in the example given).
-.PP
-.Vb 2
-\& Host_List ::= Host |
-\& Host \*(Aq,\*(Aq Host_List
-\&
-\& Host ::= \*(Aq!\*(Aq* host name |
-\& \*(Aq!\*(Aq* ip_addr |
-\& \*(Aq!\*(Aq* network(/netmask)? |
-\& \*(Aq!\*(Aq* +netgroup |
-\& \*(Aq!\*(Aq* Host_Alias
-.Ve
-.PP
-A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
-network numbers, netgroups (prefixed with '+') and other aliases.
-Again, the value of an item may be negated with the '!' operator.
+If you wish to match all user names with the same uid (e.g.\&
+root and toor), you can use a uid instead (#0 in the example given).
+.nf
+.sp
+.RS 0n
+Host_List ::= Host |
+ Host ',' Host_List
+
+Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+.RE
+.fi
+.PP
+A
+\fRHost_List\fR
+is made up of one or more host names, IP addresses,
+network numbers, netgroups (prefixed with
+`+')
+and other aliases.
+Again, the value of an item may be negated with the
+`\&!'
+operator.
If you do not specify a netmask along with the network number,
-\&\fBsudo\fR will query each of the local host's network interfaces and,
+\fBsudo\fR
+will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used. The netmask
-may be specified either in standard \s-1IP\s0 address notation
-(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
-or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
-include shell-style wildcards (see the Wildcards section below),
-but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
-qualified host name, you'll need to use the \fIfqdn\fR option for
-wildcards to be useful. Note \fBsudo\fR only inspects actual network
-interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
-never match. Also, the host name \*(L"localhost\*(R" will only match if
-that is the actual host name, which is usually only the case for
-non-networked systems.
-.PP
-.Vb 2
-\& Cmnd_List ::= Cmnd |
-\& Cmnd \*(Aq,\*(Aq Cmnd_List
-\&
-\& commandname ::= file name |
-\& file name args |
-\& file name \*(Aq""\*(Aq
-\&
-\& Cmnd ::= \*(Aq!\*(Aq* commandname |
-\& \*(Aq!\*(Aq* directory |
-\& \*(Aq!\*(Aq* "sudoedit" |
-\& \*(Aq!\*(Aq* Cmnd_Alias
-.Ve
-.PP
-A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified file name which may include
-shell-style wildcards (see the Wildcards section below). A simple
-file name allows the user to run the command with any arguments he/she
-wishes. However, you may also specify command line arguments (including
-wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
-may only be run \fBwithout\fR command line arguments. A directory is a
-fully qualified path name ending in a '/'. When you specify a directory
-in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
-(but not in any subdirectories therein).
-.PP
-If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
-in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
-(or match the wildcards if there are any). Note that the following
-characters must be escaped with a '\e' if they are used in command
-arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
-is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
-as \fBsudoedit\fR). It may take command line arguments just as
-a normal command does.
+interfaces, the corresponding netmask will be used.
+The netmask
+may be specified either in standard IP address notation
+(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
+or CIDR notation (number of bits, e.g.\& 24 or 64).
+A host name may include shell-style wildcards (see the
+\fIWildcards\fR
+section below),
+but unless the
+\fRhost name\fR
+command on your machine returns the fully
+qualified host name, you'll need to use the
+\fIfqdn\fR
+option for wildcards to be useful.
+Note that
+\fBsudo\fR
+only inspects actual network interfaces; this means that IP address
+127.0.0.1 (localhost) will never match.
+Also, the host name
+``localhost''
+will only match if that is the actual host name, which is usually
+only the case for non-networked systems.
+.nf
+.sp
+.RS 0n
+Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+command name ::= file name |
+ file name args |
+ file name '""'
+
+Cmnd ::= '!'* command name |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+.RE
+.fi
+.PP
+A
+\fRCmnd_List\fR
+is a list of one or more command names, directories, and other aliases.
+A command name is a fully qualified file name which may include
+shell-style wildcards (see the
+\fIWildcards\fR
+section below).
+A simple file name allows the user to run the command with any
+arguments he/she wishes.
+However, you may also specify command line arguments (including
+wildcards).
+Alternately, you can specify
+\fR\&""\fR
+to indicate that the command
+may only be run
+\fBwithout\fR
+command line arguments.
+A directory is a
+fully qualified path name ending in a
+`/'.
+When you specify a directory in a
+\fRCmnd_List\fR,
+the user will be able to run any file within that directory
+(but not in any sub-directories therein).
+.PP
+If a
+\fRCmnd\fR
+has associated command line arguments, then the arguments
+in the
+\fRCmnd\fR
+must match exactly those given by the user on the command line
+(or match the wildcards if there are any).
+Note that the following characters must be escaped with a
+`\e'
+if they are used in command arguments:
+`,\&',
+`:\&',
+`=\&',
+`\e'.
+The special command
+``\fRsudoedit\fR''
+is used to permit a user to run
+\fBsudo\fR
+with the
+\fB\-e\fR
+option (or as
+\fBsudoedit\fR).
+It may take command line arguments just as a normal command does.
.SS "Defaults"
-.IX Subsection "Defaults"
Certain configuration options may be changed from their default
-values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
-may affect all users on any host, all users on a specific host, a
+values at run-time via one or more
+\fRDefault_Entry\fR
+lines.
+These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
-If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
+If you need to specify arguments, define a
+\fRCmnd_Alias\fR
+and reference
that instead.
+.nf
+.sp
+.RS 0n
+Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+Default_Entry ::= Default_Type Parameter_List
+
+Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+.RE
+.fi
.PP
-.Vb 5
-\& Default_Type ::= \*(AqDefaults\*(Aq |
-\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
-\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
-\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
-\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
-\&
-\& Default_Entry ::= Default_Type Parameter_List
-\&
-\& Parameter_List ::= Parameter |
-\& Parameter \*(Aq,\*(Aq Parameter_List
-\&
-\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
-\& Parameter \*(Aq+=\*(Aq Value |
-\& Parameter \*(Aq\-=\*(Aq Value |
-\& \*(Aq!\*(Aq* Parameter
-.Ve
-.PP
-Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
-Flags are implicitly boolean and can be turned off via the '!'
-operator. Some integer, string and list parameters may also be
-used in a boolean context to disable them. Values may be enclosed
-in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
-characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
-.PP
-Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
+Parameters may be
+\fBflags\fR,
+\fBinteger\fR
+values,
+\fBstrings\fR,
+or
+\fBlists\fR.
+Flags are implicitly boolean and can be turned off via the
+`\&!'
+operator.
+Some integer, string and list parameters may also be
+used in a boolean context to disable them.
+Values may be enclosed
+in double quotes
+(\&"")
+when they contain multiple words.
+Special characters may be escaped with a backslash
+(`\e').
+.PP
+Lists have two additional assignment operators,
+\fR+=\fR
+and
+\fR-=\fR.
These operators are used to add to and delete from a list respectively.
-It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
+It is not an error to use the
+\fR-=\fR
+operator to remove an element
that does not exist in a list.
.PP
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
defaults.
.PP
-See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
-.SS "User Specification"
-.IX Subsection "User Specification"
-.Vb 2
-\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
-\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
-\&
-\& Cmnd_Spec_List ::= Cmnd_Spec |
-\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
-\&
-.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
-.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
-\&
-\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
-\&
-.if \n(SL \{\
-\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
-\&
-\}
-\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
-\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
-\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
-.Ve
-.PP
-A \fBuser specification\fR determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as \fBroot\fR, but this can be changed on a per-command basis.
-.PP
-The basic structure of a user specification is `who where = (as_whom)
-what'. Let's break that down into its constituent parts:
+See
+\fISUDOERS OPTIONS\fR
+for a list of supported Defaults parameters.
+.SS "User specification"
+.nf
+.RS 0n
+User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
+
+Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
+Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+.RE
+.fi
+.PP
+A
+\fBuser specification\fR
+determines which commands a user may run
+(and as what user) on specified hosts.
+By default, commands are
+run as
+\fBroot\fR,
+but this can be changed on a per-command basis.
+.PP
+The basic structure of a user specification is
+``who where = (as_whom) what''.
+Let's break that down into its constituent parts:
.SS "Runas_Spec"
-.IX Subsection "Runas_Spec"
-A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
-may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
-\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
-enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
-which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
+A
+\fRRunas_Spec\fR
+determines the user and/or the group that a command
+may be run as.
+A fully-specified
+\fRRunas_Spec\fR
+consists of two
+\fRRunas_List\fRs
+(as defined above) separated by a colon
+(`:\&')
+and enclosed in a set of parentheses.
+The first
+\fRRunas_List\fR
+indicates
+which users the command may be run as via
+\fBsudo\fR's
+\fB\-u\fR
+option.
The second defines a list of groups that can be specified via
-\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
-command may be run with any combination of users and groups listed
-in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
-the command may be run as any user in the list but no \fB\-g\fR option
-may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
+\fBsudo\fR's
+\fB\-g\fR
+option.
+If both
+\fRRunas_List\fRs
+are specified, the command may be run with any combination of users
+and groups listed in their respective
+\fRRunas_List\fRs.
+If only the first is specified, the command may be run as any user
+in the list but no
+\fB\-g\fR
+option
+may be specified.
+If the first
+\fRRunas_List\fR
+is empty but the
second is specified, the command may be run as the invoking user
-with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
-\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
+with the group set to any listed in the
+\fRRunas_List\fR.
+If both
+\fRRunas_List\fRs
+are empty, the command may only be run as the invoking user.
+If no
+\fRRunas_Spec\fR
+is specified the command may be run as
+\fBroot\fR
+and
no group may be specified.
.PP
-A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
+A
+\fRRunas_Spec\fR
+sets the default for the commands that follow it.
What this means is that for the entry:
+.nf
+.sp
+.RS 0n
+dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+.RE
+.fi
.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
-\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
-.PP
-.Vb 1
-\& $ sudo \-u operator /bin/ls
-.Ve
-.PP
-It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
-entry. If we modify the entry like so:
-.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
-but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
+The user
+\fBdgb\fR
+may run
+\fI/bin/ls\fR,
+\fI/bin/kill\fR,
+and
+\fI/usr/bin/lprm\fR\(embut
+only as
+\fBoperator\fR.
+E.g.,
+.nf
+.sp
+.RS 0n
+$ sudo -u operator /bin/ls
+.RE
+.fi
.PP
-We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
-the user or group set to \fBoperator\fR:
+It is also possible to override a
+\fRRunas_Spec\fR
+later on in an entry.
+If we modify the entry like so:
+.nf
+.sp
+.RS 0n
+dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+.RE
+.fi
.PP
-.Vb 2
-\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
-\& /usr/bin/lprm
-.Ve
+Then user
+\fBdgb\fR
+is now allowed to run
+\fI/bin/ls\fR
+as
+\fBoperator\fR,
+but
+\fI/bin/kill\fR
+and
+\fI/usr/bin/lprm\fR
+as
+\fBroot\fR.
+.PP
+We can extend this to allow
+\fBdgb\fR
+to run
+\fR/bin/ls\fR
+with either
+the user or group set to
+\fBoperator\fR:
+.nf
+.sp
+.RS 0n
+dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
+ /usr/bin/lprm
+.RE
+.fi
.PP
-Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
+Note that while the group portion of the
+\fRRunas_Spec\fR
+permits the
user to run as command with that group, it does not force the user
-to do so. If no group is specified on the command line, the command
+to do so.
+If no group is specified on the command line, the command
will run with the group listed in the target user's password database
-entry. The following would all be permitted by the sudoers entry above:
-.PP
-.Vb 3
-\& $ sudo \-u operator /bin/ls
-\& $ sudo \-u operator \-g operator /bin/ls
-\& $ sudo \-g operator /bin/ls
-.Ve
+entry.
+The following would all be permitted by the sudoers entry above:
+.nf
+.sp
+.RS 0n
+$ sudo -u operator /bin/ls
+$ sudo -u operator -g operator /bin/ls
+$ sudo -g operator /bin/ls
+.RE
+.fi
.PP
-In the following example, user \fBtcm\fR may run commands that access
+In the following example, user
+\fBtcm\fR
+may run commands that access
a modem device file with the dialer group.
-.PP
-.Vb 2
-\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
-\& /usr/local/bin/minicom
-.Ve
+.nf
+.sp
+.RS 0n
+tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
+ /usr/local/bin/minicom
+.RE
+.fi
.PP
Note that in this example only the group will be set, the command
-still runs as user \fBtcm\fR. E.g.
-.PP
-.Vb 1
-\& $ sudo \-g dialer /usr/bin/cu
-.Ve
-.PP
-Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
-which case the user may select any combination of users and groups
-via the \fB\-u\fR and \fB\-g\fR options. In this example:
+still runs as user
+\fBtcm\fR.
+E.g.\&
+.nf
+.sp
+.RS 0n
+$ sudo -g dialer /usr/bin/cu
+.RE
+.fi
.PP
-.Vb 1
-\& alan ALL = (root, bin : operator, system) ALL
-.Ve
+Multiple users and groups may be present in a
+\fRRunas_Spec\fR,
+in which case the user may select any combination of users and groups via the
+\fB\-u\fR
+and
+\fB\-g\fR
+options.
+In this example:
+.nf
+.sp
+.RS 0n
+alan ALL = (root, bin : operator, system) ALL
+.RE
+.fi
.PP
-user \fBalan\fR may run any command as either user root or bin,
+user
+\fBalan\fR
+may run any command as either user root or bin,
optionally setting the group to operator or system.
-.if \n(SL \{\
.SS "SELinux_Spec"
-.IX Subsection "SELinux_Spec"
-On systems with SELinux support, \fIsudoers\fR entries may optionally have
-an SELinux role and/or type associated with a command. If a role or
+On systems with SELinux support,
+\fIsudoers\fR
+entries may optionally have an SELinux role and/or type associated
+with a command.
+If a role or
type is specified with the command it will override any default values
-specified in \fIsudoers\fR. A role or type specified on the command line,
-however, will supercede the values in \fIsudoers\fR.
-\}
-.SS "Tag_Spec"
-.IX Subsection "Tag_Spec"
-A command may have zero or more tags associated with it. There are
-eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
-\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
-\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
-subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
-it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
-\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
-.PP
-\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
-.IX Subsection "NOPASSWD and PASSWD"
-.PP
-By default, \fBsudo\fR requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
-a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
-Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
+specified in
+\fIsudoers\fR.
+A role or type specified on the command line,
+however, will supersede the values in
+\fIsudoers\fR.
+.SS "Solaris_Priv_Spec"
+On Solaris systems,
+\fIsudoers\fR
+entries may optionally specify Solaris privilege set and/or limit
+privilege set associated with a command.
+If privileges or limit privileges are specified with the command
+it will override any default values specified in
+\fIsudoers\fR.
+.PP
+A privilege set is a comma-separated list of privilege names.
+The
+ppriv(1)
+command can be used to list all privileges known to the system.
For example:
+.nf
+.sp
+.RS 0n
+$ ppriv -l
+.RE
+.fi
.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
-\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
-authenticating himself. If we only want \fBray\fR to be able to
-run \fI/bin/kill\fR without a password the entry would be:
-.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
-in the group specified by the \fIexempt_group\fR option.
-.PP
-By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
-\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-.PP
-\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
-.IX Subsection "NOEXEC and EXEC"
-.PP
-If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
-operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
-a dynamically-linked executable from running further commands itself.
-.PP
-In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
-and \fI/usr/bin/vi\fR but shell escapes will be disabled.
-.PP
-.Vb 1
-\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-.Ve
-.PP
-See the \*(L"Preventing Shell Escapes\*(R" section below for more details
-on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
-.PP
-\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
-.IX Subsection "SETENV and NOSETENV"
-.PP
-These tags override the value of the \fIsetenv\fR option on a per-command
-basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
-may disable the \fIenv_reset\fR option from the command line via the
-\&\fB\-E\fR option. Additionally, environment variables set on the command
-line are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
-be allowed to set variables in this manner. If the command matched
-is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
-default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
-.PP
-\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
-.IX Subsection "LOG_INPUT and NOLOG_INPUT"
+In addition, there are several
+``special''
+privilege strings:
+.TP 10n
+none
+the empty set
+.TP 10n
+all
+the set of all privileges
+.TP 10n
+zone
+the set of all privileges available in the current zone
+.TP 10n
+basic
+the default set of privileges normal users are granted at login time
+.PP
+Privileges can be excluded from a set by prefixing the privilege
+name with either an
+`\&!'
+or
+`\-'
+character.
+.SS "Tag_Spec"
+A command may have zero or more tags associated with it.
+There are
+ten possible tag values:
+\fRNOPASSWD\fR,
+\fRPASSWD\fR,
+\fRNOEXEC\fR,
+\fREXEC\fR,
+\fRSETENV\fR,
+\fRNOSETENV\fR,
+\fRLOG_INPUT\fR,
+\fRNOLOG_INPUT\fR,
+\fRLOG_OUTPUT\fR
+and
+\fRNOLOG_OUTPUT\fR.
+Once a tag is set on a
+\fRCmnd\fR,
+subsequent
+\fRCmnd\fRs
+in the
+\fRCmnd_Spec_List\fR,
+inherit the tag unless it is overridden by the opposite tag (in other words,
+\fRPASSWD\fR
+overrides
+\fRNOPASSWD\fR
+and
+\fRNOEXEC\fR
+overrides
+\fREXEC\fR).
+.PP
+\fINOPASSWD and PASSWD\fR
+.PP
+By default,
+\fBsudo\fR
+requires that a user authenticate him or herself
+before running a command.
+This behavior can be modified via the
+\fRNOPASSWD\fR
+tag.
+Like a
+\fRRunas_Spec\fR,
+the
+\fRNOPASSWD\fR
+tag sets
+a default for the commands that follow it in the
+\fRCmnd_Spec_List\fR.
+Conversely, the
+\fRPASSWD\fR
+tag can be used to reverse things.
+For example:
+.nf
+.sp
+.RS 0n
+ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+.RE
+.fi
.PP
-These tags override the value of the \fIlog_input\fR option on a
-per-command basis. For more information, see the description of
-\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+would allow the user
+\fBray\fR
+to run
+\fI/bin/kill\fR,
+\fI/bin/ls\fR,
+and
+\fI/usr/bin/lprm\fR
+as
+\fBroot\fR
+on the machine rushmore without authenticating himself.
+If we only want
+\fBray\fR
+to be able to
+run
+\fI/bin/kill\fR
+without a password the entry would be:
+.nf
+.sp
+.RS 0n
+ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+.RE
+.fi
.PP
-\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
-.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
+Note, however, that the
+\fRPASSWD\fR
+tag has no effect on users who are in the group specified by the
+\fIexempt_group\fR
+option.
+.PP
+By default, if the
+\fRNOPASSWD\fR
+tag is applied to any of the entries for a user on the current host,
+he or she will be able to run
+``\fRsudo -l\fR''
+without a password.
+Additionally, a user may only run
+``\fRsudo -v\fR''
+without a password if the
+\fRNOPASSWD\fR
+tag is present for all a user's entries that pertain to the current host.
+This behavior may be overridden via the
+\fIverifypw\fR
+and
+\fIlistpw\fR
+options.
+.PP
+\fINOEXEC and EXEC\fR
+.PP
+If
+\fBsudo\fR
+has been compiled with
+\fInoexec\fR
+support and the underlying operating system supports it, the
+\fRNOEXEC\fR
+tag can be used to prevent a dynamically-linked executable from
+running further commands itself.
+.PP
+In the following example, user
+\fBaaron\fR
+may run
+\fI/usr/bin/more\fR
+and
+\fI/usr/bin/vi\fR
+but shell escapes will be disabled.
+.nf
+.sp
+.RS 0n
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.RE
+.fi
.PP
-These tags override the value of the \fIlog_output\fR option on a
-per-command basis. For more information, see the description of
-\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+See the
+\fIPreventing shell escapes\fR
+section below for more details on how
+\fRNOEXEC\fR
+works and whether or not it will work on your system.
+.PP
+\fISETENV and NOSETENV\fR
+.PP
+These tags override the value of the
+\fIsetenv\fR
+option on a per-command basis.
+Note that if
+\fRSETENV\fR
+has been set for a command, the user may disable the
+\fIenv_reset\fR
+option from the command line via the
+\fB\-E\fR
+option.
+Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by
+\fIenv_check\fR,
+\fIenv_delete\fR,
+or
+\fIenv_keep\fR.
+As such, only trusted users should be allowed to set variables in this manner.
+If the command matched is
+\fBALL\fR,
+the
+\fRSETENV\fR
+tag is implied for that command; this default may be overridden by use of the
+\fRNOSETENV\fR
+tag.
+.PP
+\fILOG_INPUT and NOLOG_INPUT\fR
+.PP
+These tags override the value of the
+\fIlog_input\fR
+option on a per-command basis.
+For more information, see the description of
+\fIlog_input\fR
+in the
+\fISUDOERS OPTIONS\fR
+section below.
+.PP
+\fILOG_OUTPUT and NOLOG_OUTPUT\fR
+.PP
+These tags override the value of the
+\fIlog_output\fR
+option on a per-command basis.
+For more information, see the description of
+\fIlog_output\fR
+in the
+\fISUDOERS OPTIONS\fR
+section below.
.SS "Wildcards"
-.IX Subsection "Wildcards"
-\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in host names, path names and command line arguments in
-the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
-\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
+\fBsudo\fR
+allows shell-style
+\fIwildcards\fR
+(aka meta or glob characters)
+to be used in host names, path names and command line arguments in the
+\fIsudoers\fR
+file.
+Wildcard matching is done via the
+\fBPOSIX\fR
+glob(3)
+and
+fnmatch(3)
+routines.
+Note that these are
+\fInot\fR
regular expressions.
-.ie n .IP "\*(C`*\*(C'" 8
-.el .IP "\f(CW\*(C`*\*(C'\fR" 8
-.IX Item "*"
+.TP 10n
+\fR*\fR
Matches any set of zero or more characters.
-.ie n .IP "\*(C`?\*(C'" 8
-.el .IP "\f(CW\*(C`?\*(C'\fR" 8
-.IX Item "?"
+.TP 10n
+\fR\&?\fR
Matches any single character.
-.ie n .IP "\*(C`[...]\*(C'" 8
-.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
-.IX Item "[...]"
+.TP 10n
+\fR[...]\fR
Matches any character in the specified range.
-.ie n .IP "\*(C`[!...]\*(C'" 8
-.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
-.IX Item "[!...]"
-Matches any character \fBnot\fR in the specified range.
-.ie n .IP "\*(C`\ex\*(C'" 8
-.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
-.IX Item "x"
-For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
-escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
-.PP
-\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
-and \fIfnmatch\fR\|(3) functions support them. However, because the
-\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
-escaped. For example:
-.PP
-.Vb 1
-\& /bin/ls [[\e:alpha\e:]]*
-.Ve
+.TP 10n
+\fR[!...]\fR
+Matches any character
+\fBnot\fR
+in the specified range.
+.TP 10n
+\fR\ex\fR
+For any character
+`x',
+evaluates to
+`x'.
+This is used to escape special characters such as:
+`*',
+`\&?',
+`[\&',
+and
+`]\&'.
+.PP
+POSIX character classes may also be used if your system's
+glob(3)
+and
+fnmatch(3)
+functions support them.
+However, because the
+`:\&'
+character has special meaning in
+\fIsudoers\fR,
+it must be
+escaped.
+For example:
+.nf
+.sp
+.RS 4n
+/bin/ls [[\:alpha\:]]*
+.RE
+.fi
.PP
Would match any file name beginning with a letter.
.PP
-Note that a forward slash ('/') will \fBnot\fR be matched by
-wildcards used in the path name. When matching the command
-line arguments, however, a slash \fBdoes\fR get matched by
-wildcards. This is to make a path like:
+Note that a forward slash
+(`/')
+will
+\fBnot\fR
+be matched by
+wildcards used in the path name.
+This is to make a path like:
+.nf
+.sp
+.RS 4n
+/usr/bin/*
+.RE
+.fi
+.PP
+match
+\fI/usr/bin/who\fR
+but not
+\fI/usr/bin/X11/xterm\fR.
+.PP
+When matching the command line arguments, however, a slash
+\fBdoes\fR
+get matched by wildcards since command line arguments may contain
+arbitrary strings and not just path names.
+.PP
+Wildcards in command line arguments should be used with care.
+Because command line arguments are matched as a single, concatenated
+string, a wildcard such as
+`\&?'
+or
+`*'
+can match multiple words.
+For example, while a sudoers entry like:
+.nf
+.sp
+.RS 4n
+%operator ALL = /bin/cat /var/log/messages*
+.RE
+.fi
.PP
-.Vb 1
-\& /usr/bin/*
-.Ve
+will allow command like:
+.nf
+.sp
+.RS 4n
+$ sudo cat /var/log/messages.1
+.RE
+.fi
.PP
-match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
+It will also allow:
+.nf
+.sp
+.RS 4n
+$ sudo cat /var/log/messages /etc/shadow
+.RE
+.fi
+.PP
+which is probably not what was intended.
.SS "Exceptions to wildcard rules"
-.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
-.ie n .IP """""" 8
-.el .IP "\f(CW``''\fR" 8
-.IX Item """"""
-If the empty string \f(CW""\fR is the only command line argument in the
-\&\fIsudoers\fR entry it means that command is not allowed to be run
-with \fBany\fR arguments.
+.TP 10n
+\fR\&""\fR
+If the empty string
+\fR\&""\fR
+is the only command line argument in the
+\fIsudoers\fR
+entry it means that command is not allowed to be run with
+\fBany\fR
+arguments.
+.TP 10n
+sudoedit
+Command line arguments to the
+\fIsudoedit\fR
+built-in command should always be path names, so a forward slash
+(`/')
+will not be matched by a wildcard.
.SS "Including other files from within sudoers"
-.IX Subsection "Including other files from within sudoers"
-It is possible to include other \fIsudoers\fR files from within the
-\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
-\&\f(CW\*(C`#includedir\*(C'\fR directives.
-.PP
-This can be used, for example, to keep a site-wide \fIsudoers\fR file
-in addition to a local, per-machine file. For the sake of this
-example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
-per-machine one will be \fI/etc/sudoers.local\fR. To include
-\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
-following line in \fI/etc/sudoers\fR:
-.Sp
-.RS 4
-\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
-.RE
-.PP
-When \fBsudo\fR reaches this line it will suspend processing of the
-current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
-Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
-\&\fI/etc/sudoers\fR will be processed. Files that are included may
-themselves include other files. A hard limit of 128 nested include
-files is enforced to prevent include file loops.
+It is possible to include other
+\fIsudoers\fR
+files from within the
+\fIsudoers\fR
+file currently being parsed using the
+\fR#include\fR
+and
+\fR#includedir\fR
+directives.
+.PP
+This can be used, for example, to keep a site-wide
+\fIsudoers\fR
+file in addition to a local, per-machine file.
+For the sake of this example the site-wide
+\fIsudoers\fR
+will be
+\fI/etc/sudoers\fR
+and the per-machine one will be
+\fI/etc/sudoers.local\fR.
+To include
+\fI/etc/sudoers.local\fR
+from within
+\fI/etc/sudoers\fR
+we would use the
+following line in
+\fI/etc/sudoers\fR:
+.nf
+.sp
+.RS 4n
+#include /etc/sudoers.local
+.RE
+.fi
+.PP
+When
+\fBsudo\fR
+reaches this line it will suspend processing of the current file
+(\fI/etc/sudoers\fR)
+and switch to
+\fI/etc/sudoers.local\fR.
+Upon reaching the end of
+\fI/etc/sudoers.local\fR,
+the rest of
+\fI/etc/sudoers\fR
+will be processed.
+Files that are included may themselves include other files.
+A hard limit of 128 nested include files is enforced to prevent include
+file loops.
.PP
If the path to the include file is not fully-qualified (does not
-begin with a \fI/\fR), it must be located in the same directory as the
-sudoers file it was included from. For example, if \fI/etc/sudoers\fR
+begin with a
+`/',
+it must be located in the same directory as the sudoers file it was
+included from.
+For example, if
+\fI/etc/sudoers\fR
contains the line:
-.Sp
-.RS 4
-\&\f(CW\*(C`#include sudoers.local\*(C'\fR
+.nf
+.sp
+.RS 4n
+\fR#include sudoers.local\fR
.RE
+.fi
.PP
-the file that will be included is \fI/etc/sudoers.local\fR.
-.PP
-The file name may also include the \f(CW%h\fR escape, signifying the short form
-of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
-.PP
-\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
-.PP
-will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
-.PP
-The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
-directory that the system package manager can drop \fIsudoers\fR rules
-into as part of package installation. For example, given:
+the file that will be included is
+\fI/etc/sudoers.local\fR.
.PP
-\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
+The file name may also include the
+\fR%h\fR
+escape, signifying the short form of the host name.
+In other words, if the machine's host name is
+``xerxes'',
+then
+.nf
+.sp
+.RS 4n
+#include /etc/sudoers.%h
+.RE
+.fi
.PP
-\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
-names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
-problems with package manager or editor temporary/backup files.
-Files are parsed in sorted lexical order. That is,
-\&\fI/etc/sudoers.d/01_first\fR will be parsed before
-\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
-lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
-\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
-of leading zeroes in the file names can be used to avoid such
-problems.
+will cause
+\fBsudo\fR
+to include the file
+\fI/etc/sudoers.xerxes\fR.
+.PP
+The
+\fR#includedir\fR
+directive can be used to create a
+\fIsudo.d\fR
+directory that the system package manager can drop
+\fIsudoers\fR
+rules
+into as part of package installation.
+For example, given:
+.nf
+.sp
+.RS 4n
+#includedir /etc/sudoers.d
+.RE
+.fi
.PP
-Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
-edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
-contains a syntax error. It is still possible to run \fBvisudo\fR
-with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
+\fBsudo\fR
+will read each file in
+\fI/etc/sudoers.d\fR,
+skipping file names that end in
+`~'
+or contain a
+`.\&'
+character to avoid causing problems with package manager or editor
+temporary/backup files.
+Files are parsed in sorted lexical order.
+That is,
+\fI/etc/sudoers.d/01_first\fR
+will be parsed before
+\fI/etc/sudoers.d/10_second\fR.
+Be aware that because the sorting is lexical, not numeric,
+\fI/etc/sudoers.d/1_whoops\fR
+would be loaded
+\fBafter\fR
+\fI/etc/sudoers.d/10_second\fR.
+Using a consistent number of leading zeroes in the file names can be used
+to avoid such problems.
+.PP
+Note that unlike files included via
+\fR#include\fR,
+\fBvisudo\fR
+will not edit the files in a
+\fR#includedir\fR
+directory unless one of them contains a syntax error.
+It is still possible to run
+\fBvisudo\fR
+with the
+\fB\-f\fR
+flag to edit the files directly.
.SS "Other special characters and reserved words"
-.IX Subsection "Other special characters and reserved words"
-The pound sign ('#') is used to indicate a comment (unless it is
-part of a #include directive or unless it occurs in the context of
-a user name and is followed by one or more digits, in which case
-it is treated as a uid). Both the comment character and any text
-after it, up to the end of the line, are ignored.
-.PP
-The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
-You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
-built-in alias will be used in preference to your own. Please note
-that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
-allows the user to run \fBany\fR command on the system.
-.PP
-An exclamation point ('!') can be used as a logical \fInot\fR operator
-both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
-exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
-conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
-run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
-\&\s-1NOTES\s0 below).
-.PP
-Long lines can be continued with a backslash ('\e') as the last
-character on the line.
-.PP
-Whitespace between elements in a list as well as special syntactic
-characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
-.PP
-The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g.\ a user name or host name):
-\&'!', '=', ':', ',', '(', ')', '\e'.
+The pound sign
+(`#')
+is used to indicate a comment (unless it is part of a #include
+directive or unless it occurs in the context of a user name and is
+followed by one or more digits, in which case it is treated as a
+uid).
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
+.PP
+The reserved word
+\fBALL\fR
+is a built-in
+\fIalias\fR
+that always causes a match to succeed.
+It can be used wherever one might otherwise use a
+\fRCmnd_Alias\fR,
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+or
+\fRHost_Alias\fR.
+You should not try to define your own
+\fIalias\fR
+called
+\fBALL\fR
+as the built-in alias will be used in preference to your own.
+Please note that using
+\fBALL\fR
+can be dangerous since in a command context, it allows the user to run
+\fBany\fR
+command on the system.
+.PP
+An exclamation point
+(`\&!')
+can be used as a logical
+\fInot\fR
+operator both in an
+\fIalias\fR
+and in front of a
+\fRCmnd\fR.
+This allows one to exclude certain values.
+Note, however, that using a
+`\&!'
+in conjunction with the built-in
+\fBALL\fR
+alias to allow a user to run
+``all but a few''
+commands rarely works as intended (see
+\fISECURITY NOTES\fR
+below).
+.PP
+Long lines can be continued with a backslash
+(`\e')
+as the last character on the line.
+.PP
+White space between elements in a list as well as special syntactic
+characters in a
+\fIUser Specification\fR
+(`=\&',
+`:\&',
+`(\&',
+`)\&')
+is optional.
+.PP
+The following characters must be escaped with a backslash
+(`\e')
+when used as part of a word (e.g.\& a user name or host name):
+`\&!',
+`=\&',
+`:\&',
+`,\&',
+`(\&',
+`)\&',
+`\e'.
.SH "SUDOERS OPTIONS"
-.IX Header "SUDOERS OPTIONS"
-\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
-explained earlier. A list of all supported Defaults parameters,
-grouped by type, are listed below.
-.PP
-\&\fBBoolean Flags\fR:
-.IP "always_set_home" 16
-.IX Item "always_set_home"
-If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
-home directory of the target user (which is root unless the \fB\-u\fR
-option is used). This effectively means that the \fB\-H\fR option is
-always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
-\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
-effective for configurations where either \fIenv_reset\fR is disabled
-or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
-This flag is \fIoff\fR by default.
-.IP "authenticate" 16
-.IX Item "authenticate"
+\fBsudo\fR's
+behavior can be modified by
+\fRDefault_Entry\fR
+lines, as explained earlier.
+A list of all supported Defaults parameters, grouped by type, are listed below.
+.PP
+\fBBoolean Flags\fR:
+.TP 18n
+always_set_home
+If enabled,
+\fBsudo\fR
+will set the
+\fRHOME\fR
+environment variable to the home directory of the target user
+(which is root unless the
+\fB\-u\fR
+option is used).
+This effectively means that the
+\fB\-H\fR
+option is always implied.
+Note that
+\fRHOME\fR
+is already set when the the
+\fIenv_reset\fR
+option is enabled, so
+\fIalways_set_home\fR
+is only effective for configurations where either
+\fIenv_reset\fR
+is disabled or
+\fRHOME\fR
+is present in the
+\fIenv_keep\fR
+list.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+authenticate
If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
-This flag is \fIon\fR by default.
-.IP "closefrom_override" 16
-.IX Item "closefrom_override"
-If set, the user may use \fBsudo\fR's \fB\-C\fR option which
-overrides the default starting point at which \fBsudo\fR begins
-closing open file descriptors. This flag is \fIoff\fR by default.
-.IP "compress_io" 16
-.IX Item "compress_io"
-If set, and \fBsudo\fR is configured to log a command's input or output,
-the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
-by default when \fBsudo\fR is compiled with \fBzlib\fR support.
-.IP "env_editor" 16
-.IX Item "env_editor"
-If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
+means of authentication) before they may run commands.
+This default may be overridden via the
+\fRPASSWD\fR
+and
+\fRNOPASSWD\fR
+tags.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
+closefrom_override
+If set, the user may use
+\fBsudo\fR's
+\fB\-C\fR
+option which overrides the default starting point at which
+\fBsudo\fR
+begins closing open file descriptors.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+compress_io
+If set, and
+\fBsudo\fR
+is configured to log a command's input or output,
+the I/O logs will be compressed using
+\fBzlib\fR.
+This flag is
+\fIon\fR
+by default when
+\fBsudo\fR
+is compiled with
+\fBzlib\fR
+support.
+.TP 18n
+env_editor
+If set,
+\fBvisudo\fR
+will use the value of the
+\fREDITOR\fR
+or
+\fRVISUAL\fR
environment variables before falling back on the default editor list.
Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
-variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
-they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
+run any arbitrary command as root without logging.
+A safer alternative is to place a colon-separated list of editors
+in the
+\fReditor\fR
+variable.
+\fBvisudo\fR
+will then only use the
+\fREDITOR\fR
+or
+\fRVISUAL\fR
+if they match a value specified in
+\fReditor\fR.
+This flag is
+\fI@env_editor@\fR
+by
default.
-.IP "env_reset" 16
-.IX Item "env_reset"
-If set, \fBsudo\fR will run the command in a minimal environment
-containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR,
-\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
-variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
-and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
-present in the file specified by the \fIenv_file\fR option (if any).
-The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
-displayed when \fBsudo\fR is run by root with the \fI\-V\fR option. If
-the \fIsecure_path\fR option is set, its value will be used for the
-\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by
-default.
-.IP "fast_glob" 16
-.IX Item "fast_glob"
-Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
-globbing when matching path names. However, since it accesses the
-file system, \fIglob\fR\|(3) can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The \fIfast_glob\fR
-option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
-not access the file system to do its matching. The disadvantage
-of \fIfast_glob\fR is that it is unable to match relative path names
-such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
-when path names that include globbing characters are used with the
-negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
-As such, this option should not be used when \fIsudoers\fR contains rules
-that contain negated path names which include globbing characters.
-This flag is \fIoff\fR by default.
-.IP "fqdn" 16
-.IX Item "fqdn"
+.TP 18n
+env_reset
+If set,
+\fBsudo\fR
+will run the command in a minimal environment containing the
+\fRTERM\fR,
+\fRPATH\fR,
+\fRHOME\fR,
+\fRMAIL\fR,
+\fRSHELL\fR,
+\fRLOGNAME\fR,
+\fRUSER\fR,
+\fRUSERNAME\fR
+and
+\fRSUDO_*\fR
+variables.
+Any
+variables in the caller's environment that match the
+\fRenv_keep\fR
+and
+\fRenv_check\fR
+lists are then added, followed by any variables present in the file
+specified by the
+\fIenv_file\fR
+option (if any).
+The default contents of the
+\fRenv_keep\fR
+and
+\fRenv_check\fR
+lists are displayed when
+\fBsudo\fR
+is run by root with the
+\fB\-V\fR
+option.
+If the
+\fIsecure_path\fR
+option is set, its value will be used for the
+\fRPATH\fR
+environment variable.
+This flag is
+\fI@env_reset@\fR
+by default.
+.TP 18n
+fast_glob
+Normally,
+\fBsudo\fR
+uses the
+glob(3)
+function to do shell-style globbing when matching path names.
+However, since it accesses the file system,
+glob(3)
+can take a long time to complete for some patterns, especially
+when the pattern references a network file system that is mounted
+on demand (auto mounted).
+The
+\fIfast_glob\fR
+option causes
+\fBsudo\fR
+to use the
+fnmatch(3)
+function, which does not access the file system to do its matching.
+The disadvantage of
+\fIfast_glob\fR
+is that it is unable to match relative path names such as
+\fI./ls\fR
+or
+\fI../bin/ls\fR.
+This has security implications when path names that include globbing
+characters are used with the negation operator,
+`!\&',
+as such rules can be trivially bypassed.
+As such, this option should not be used when
+\fIsudoers\fR
+contains rules that contain negated path names which include globbing
+characters.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+fqdn
Set this flag if you want to put fully qualified host names in the
-\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
+\fIsudoers\fR
+file when the local host name (as returned by the
+\fRhostname\fR
+command) does not contain the domain name.
+In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
-Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
-which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
-if the machine is not plugged into the network). Also note that
-you must use the host's official name as \s-1DNS\s0 knows it. That is,
-you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
-issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
-command) is already fully qualified you shouldn't need to set
-\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
-.IP "ignore_dot" 16
-.IX Item "ignore_dot"
-If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
-environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
-flag is \fI@ignore_dot@\fR by default.
-.IP "ignore_local_sudoers" 16
-.IX Item "ignore_local_sudoers"
-If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
+This option is only effective when the
+``canonical''
+host name, as returned by the
+\fBgetaddrinfo\fR()
+or
+\fBgethostbyname\fR()
+function, is a fully-qualified domain name.
+This is usually the case when the system is configured to use DNS
+for host name resolution.
+.sp
+If the system is configured to use the
+\fI/etc/hosts\fR
+file in preference to DNS, the
+``canonical''
+host name may not be fully-qualified.
+The order that sources are queried for hosts name resolution
+is usually specified in the
+\fI@nsswitch_conf@\fR,
+\fI@netsvc_conf@\fR,
+\fI/etc/host.conf\fR,
+or, in some cases,
+\fI/etc/resolv.conf\fR
+file.
+In the
+\fI/etc/hosts\fR
+file, the first host name of the entry is considered to be the
+``canonical''
+name; subsequent names are aliases that are not used by
+\fBsudoers\fR.
+For example, the following hosts file line for the machine
+``xyzzy''
+has the fully-qualified domain name as the
+``canonical''
+host name, and the short version as an alias.
+.sp
+.RS 6n
+192.168.1.1 xyzzy.sudo.ws xyzzy
+.RE
+.sp
+If the machine's hosts file entry is not formatted properly, the
+\fIfqdn\fR
+option will not be effective if it is queried before DNS.
+.sp
+Beware that when using DNS for host name resolution, turning on
+\fIfqdn\fR
+requires
+\fBsudoers\fR
+to make DNS lookups which renders
+\fBsudo\fR
+unusable if DNS stops working (for example if the machine is disconnected
+from the network).
+Also note that just like with the hosts file, you must use the
+``canonical''
+name as DNS knows it.
+That is, you may not use a host alias
+(\fRCNAME\fR
+entry)
+due to performance issues and the fact that there is no way to get all
+aliases from DNS.
+.sp
+This flag is
+\fI@fqdn@\fR
+by default.
+.TP 18n
+ignore_dot
+If set,
+\fBsudo\fR
+will ignore "." or "" (both denoting current directory) in the
+\fRPATH\fR
+environment variable; the
+\fRPATH\fR
+itself is not modified.
+This flag is
+\fI@ignore_dot@\fR
+by default.
+.TP 18n
+ignore_local_sudoers
+If set via LDAP, parsing of
+\fI@sysconfdir@/sudoers\fR
+will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
-When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
-exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
-entries have been matched, this sudoOption is only meaningful for the
-\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
-.IP "insults" 16
-.IX Item "insults"
-If set, \fBsudo\fR will insult users when they enter an incorrect
-password. This flag is \fI@insults@\fR by default.
-.IP "log_host" 16
-.IX Item "log_host"
-If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "log_input" 16
-.IX Item "log_input"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-user input.
+sudoers files so that only LDAP is used.
+This thwarts the efforts of rogue operators who would attempt to add roles to
+\fI@sysconfdir@/sudoers\fR.
+When this option is present,
+\fI@sysconfdir@/sudoers\fR
+does not even need to exist.
+Since this option tells
+\fBsudo\fR
+how to behave when no specific LDAP entries have been matched, this
+sudoOption is only meaningful for the
+\fRcn=defaults\fR
+section.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+insults
+If set,
+\fBsudo\fR
+will insult users when they enter an incorrect password.
+This flag is
+\fI@insults@\fR
+by default.
+.TP 18n
+log_host
+If set, the host name will be logged in the (non-syslog)
+\fBsudo\fR
+log file.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+log_input
+If set,
+\fBsudo\fR
+will run the command in a
+\fIpseudo tty\fR
+and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
-.Sp
-Input is logged to the directory specified by the \fIiolog_dir\fR
-option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
-is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
-The \fIiolog_file\fR option may be used to control the format of the
-session \s-1ID\s0.
-.Sp
+.sp
+Input is logged to the directory specified by the
+\fIiolog_dir\fR
+option
+(\fI@iolog_dir@\fR
+by default)
+using a unique session ID that is included in the normal
+\fBsudo\fR
+log line, prefixed with
+``\fRTSID=\fR''.
+The
+\fIiolog_file\fR
+option may be used to control the format of the session ID.
+.sp
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
-be stored in the log file unencrypted. In most cases, logging the
-command output via \fIlog_output\fR is all that is required.
-.IP "log_output" 16
-.IX Item "log_output"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+be stored in the log file unencrypted.
+In most cases, logging the command output via
+\fIlog_output\fR
+is all that is required.
+.TP 18n
+log_output
+If set,
+\fBsudo\fR
+will run the command in a
+\fIpseudo tty\fR
+and log all output that is sent to the screen, similar to the
+script(1)
+command.
If the standard output or standard error is not connected to the
user's tty, due to I/O redirection or because the command is part
of a pipeline, that output is also captured and stored in separate
log files.
-.Sp
-Output is logged to the directory specified by the \fIiolog_dir\fR
-option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
-is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
-The \fIiolog_file\fR option may be used to control the format of the
-session \s-1ID\s0.
-.Sp
-Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
-can also be used to list or search the available logs.
-.IP "log_year" 16
-.IX Item "log_year"
-If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "long_otp_prompt" 16
-.IX Item "long_otp_prompt"
-When validating with a One Time Password (\s-1OTP\s0) scheme such as
-\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
-to cut and paste the challenge to a local window. It's not as
-pretty as the default but some people find it more convenient. This
-flag is \fI@long_otp_prompt@\fR by default.
-.IP "mail_always" 16
-.IX Item "mail_always"
-Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
-This flag is \fIoff\fR by default.
-.IP "mail_badpass" 16
-.IX Item "mail_badpass"
-Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
-enter the correct password. This flag is \fIoff\fR by default.
-.IP "mail_no_host" 16
-.IX Item "mail_no_host"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user exists in the \fIsudoers\fR file, but is not allowed to run
-commands on the current host. This flag is \fI@mail_no_host@\fR by default.
-.IP "mail_no_perms" 16
-.IX Item "mail_no_perms"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is allowed to use \fBsudo\fR but the command they are trying is not
-listed in their \fIsudoers\fR file entry or is explicitly denied.
-This flag is \fI@mail_no_perms@\fR by default.
-.IP "mail_no_user" 16
-.IX Item "mail_no_user"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
+.sp
+Output is logged to the directory specified by the
+\fIiolog_dir\fR
+option
+(\fI@iolog_dir@\fR
+by default)
+using a unique session ID that is included in the normal
+\fBsudo\fR
+log line, prefixed with
+``\fRTSID=\fR''.
+The
+\fIiolog_file\fR
+option may be used to control the format of the session ID.
+.sp
+Output logs may be viewed with the
+sudoreplay(@mansectsu@)
+utility, which can also be used to list or search the available logs.
+.TP 18n
+log_year
+If set, the four-digit year will be logged in the (non-syslog)
+\fBsudo\fR
+log file.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+long_otp_prompt
+When validating with a One Time Password (OTP) scheme such as
+\fBS/Key\fR
+or
+\fBOPIE\fR,
+a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.
+It's not as pretty as the default but some people find it more convenient.
+This flag is
+\fI@long_otp_prompt@\fR
+by default.
+.TP 18n
+mail_always
+Send mail to the
+\fImailto\fR
+user every time a users runs
+\fBsudo\fR.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+mail_badpass
+Send mail to the
+\fImailto\fR
+user if the user running
+\fBsudo\fR
+does not enter the correct password.
+If the command the user is attempting to run is not permitted by
+\fIsudoers\fR
+and one of the
+\fImail_always\fR,
+\fImail_no_host\fR,
+\fImail_no_perms\fR
+or
+\fImail_no_user\fR
+flags are set, this flag will have no effect.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+mail_no_host
+If set, mail will be sent to the
+\fImailto\fR
+user if the invoking user exists in the
+\fIsudoers\fR
+file, but is not allowed to run commands on the current host.
+This flag is
+\fI@mail_no_host@\fR
+by default.
+.TP 18n
+mail_no_perms
+If set, mail will be sent to the
+\fImailto\fR
+user if the invoking user is allowed to use
+\fBsudo\fR
+but the command they are trying is not listed in their
+\fIsudoers\fR
+file entry or is explicitly denied.
+This flag is
+\fI@mail_no_perms@\fR
+by default.
+.TP 18n
+mail_no_user
+If set, mail will be sent to the
+\fImailto\fR
+user if the invoking user is not in the
+\fIsudoers\fR
+file.
+This flag is
+\fI@mail_no_user@\fR
+by default.
+.TP 18n
+noexec
+If set, all commands run via
+\fBsudo\fR
+will behave as if the
+\fRNOEXEC\fR
+tag has been set, unless overridden by a
+\fREXEC\fR
+tag.
+See the description of
+\fINOEXEC and EXEC\fR
+below as well as the
+\fIPreventing shell escapes\fR
+section at the end of this manual.
+This flag is
+\fIoff\fR
by default.
-.IP "noexec" 16
-.IX Item "noexec"
-If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
-tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"Preventing Shell
-Escapes\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
-.IP "path_info" 16
-.IX Item "path_info"
-Normally, \fBsudo\fR will tell the user when a command could not be
-found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
-to disable this as it could be used to gather information on the
-location of executables that the normal user does not have access
-to. The disadvantage is that if the executable is simply not in
-the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
-allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
+.TP 18n
+path_info
+Normally,
+\fBsudo\fR
+will tell the user when a command could not be
+found in their
+\fRPATH\fR
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+\fRPATH\fR,
+\fBsudo\fR
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+\fI@path_info@\fR
by default.
-.IP "passprompt_override" 16
-.IX Item "passprompt_override"
-The password prompt specified by \fIpassprompt\fR will normally only
-be used if the password prompt provided by systems such as \s-1PAM\s0 matches
-the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
-will always be used. This flag is \fIoff\fR by default.
-.IP "preserve_groups" 16
-.IX Item "preserve_groups"
-By default, \fBsudo\fR will initialize the group vector to the list of
-groups the target user is in. When \fIpreserve_groups\fR is set, the
-user's existing group vector is left unaltered. The real and
-effective group IDs, however, are still set to match the target
-user. This flag is \fIoff\fR by default.
-.IP "pwfeedback" 16
-.IX Item "pwfeedback"
-By default, \fBsudo\fR reads the password like most other Unix programs,
+.TP 18n
+passprompt_override
+The password prompt specified by
+\fIpassprompt\fR
+will normally only be used if the password prompt provided by systems
+such as PAM matches the string
+``Password:''.
+If
+\fIpassprompt_override\fR
+is set,
+\fIpassprompt\fR
+will always be used.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+preserve_groups
+By default,
+\fBsudo\fR
+will initialize the group vector to the list of groups the target user is in.
+When
+\fIpreserve_groups\fR
+is set, the user's existing group vector is left unaltered.
+The real and effective group IDs, however, are still set to match the
+target user.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+pwfeedback
+By default,
+\fBsudo\fR
+reads the password like most other Unix programs,
by turning off echo until the user hits the return (or enter) key.
-Some users become confused by this as it appears to them that \fBsudo\fR
-has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
-provide visual feedback when the user presses a key. Note that
-this does have a security impact as an onlooker may be able to
+Some users become confused by this as it appears to them that
+\fBsudo\fR
+has hung at this point.
+When
+\fIpwfeedback\fR
+is set,
+\fBsudo\fR
+will provide visual feedback when the user presses a key.
+Note that this does have a security impact as an onlooker may be able to
determine the length of the password being entered.
-This flag is \fIoff\fR by default.
-.IP "requiretty" 16
-.IX Item "requiretty"
-If set, \fBsudo\fR will only run when the user is logged in to a real
-tty. When this flag is set, \fBsudo\fR can only be run from a login
-session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
-This flag is \fIoff\fR by default.
-.IP "root_sudo" 16
-.IX Item "root_sudo"
-If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
-from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
-like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
-will also prevent root from running \fBsudoedit\fR.
-Disabling \fIroot_sudo\fR provides no real additional security; it
-exists purely for historical reasons.
-This flag is \fI@root_sudo@\fR by default.
-.IP "rootpw" 16
-.IX Item "rootpw"
-If set, \fBsudo\fR will prompt for the root password instead of the password
-of the invoking user. This flag is \fIoff\fR by default.
-.IP "runaspw" 16
-.IX Item "runaspw"
-If set, \fBsudo\fR will prompt for the password of the user defined by the
-\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
-password of the invoking user. This flag is \fIoff\fR by default.
-.IP "set_home" 16
-.IX Item "set_home"
-If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+requiretty
+If set,
+\fBsudo\fR
+will only run when the user is logged in to a real tty.
+When this flag is set,
+\fBsudo\fR
+can only be run from a login session and not via other means such as
+cron(@mansectsu@)
+or cgi-bin scripts.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+root_sudo
+If set, root is allowed to run
+\fBsudo\fR
+too.
+Disabling this prevents users from
+``chaining''
+\fBsudo\fR
+commands to get a root shell by doing something like
+``\fRsudo sudo /bin/sh\fR''.
+Note, however, that turning off
+\fIroot_sudo\fR
+will also prevent root from running
+\fBsudoedit\fR.
+Disabling
+\fIroot_sudo\fR
+provides no real additional security; it exists purely for historical reasons.
+This flag is
+\fI@root_sudo@\fR
+by default.
+.TP 18n
+rootpw
+If set,
+\fBsudo\fR
+will prompt for the root password instead of the password of the invoking user.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+runaspw
+If set,
+\fBsudo\fR
+will prompt for the password of the user defined by the
+\fIrunas_default\fR
+option (defaults to
+\fR@runas_default@\fR)
+instead of the password of the invoking user.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+set_home
+If enabled and
+\fBsudo\fR
+is invoked with the
+\fB\-s\fR
+option the
+\fRHOME\fR
environment variable will be set to the home directory of the target
-user (which is root unless the \fB\-u\fR option is used). This effectively
-makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
-set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
-only effective for configurations where either \fIenv_reset\fR is disabled
-or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
-This flag is \fIoff\fR by default.
-.IP "set_logname" 16
-.IX Item "set_logname"
-Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
-environment variables to the name of the target user (usually root
-unless the \fB\-u\fR option is given). However, since some programs
-(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
-determine the real identity of the user, it may be desirable to
-change this behavior. This can be done by negating the set_logname
-option. Note that if the \fIenv_reset\fR option has not been disabled,
-entries in the \fIenv_keep\fR list will override the value of
-\&\fIset_logname\fR. This flag is \fIon\fR by default.
-.IP "set_utmp" 16
-.IX Item "set_utmp"
-When enabled, \fBsudo\fR will create an entry in the utmp (or utmpx)
-file when a pseudo-tty is allocated. A pseudo-tty is allocated by
-\&\fBsudo\fR when the \fIlog_input\fR, \fIlog_output\fR or \fIuse_pty\fR flags
-are enabled. By default, the new entry will be a copy of the user's
-existing utmp entry (if any), with the tty, time, type and pid
-fields updated. This flag is \fIon\fR by default.
-.IP "setenv" 16
-.IX Item "setenv"
-Allow the user to disable the \fIenv_reset\fR option from the command
-line via the \fB\-E\fR option. Additionally, environment variables set
-via the command line are not subject to the restrictions imposed
-by \fIenv_check\fR, \fIenv_delete\fR, or \fIenv_keep\fR. As such, only
-trusted users should be allowed to set variables in this manner.
-This flag is \fIoff\fR by default.
-.IP "shell_noargs" 16
-.IX Item "shell_noargs"
-If set and \fBsudo\fR is invoked with no arguments it acts as if the
-\&\fB\-s\fR option had been given. That is, it runs a shell as root (the
-shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is \fIoff\fR by default.
-.IP "stay_setuid" 16
-.IX Item "stay_setuid"
-Normally, when \fBsudo\fR executes a command the real and effective
-UIDs are set to the target user (root by default). This option
-changes that behavior such that the real \s-1UID\s0 is left as the invoking
-user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
-wrapper. This can be useful on systems that disable some potentially
-dangerous functionality when a program is run setuid. This option
-is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
-function. This flag is \fIoff\fR by default.
-.IP "targetpw" 16
-.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified
-by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
-of the invoking user. In addition, the timestamp file name will
-include the target user's name. Note that this flag precludes the
-use of a uid not listed in the passwd database as an argument to
-the \fB\-u\fR option. This flag is \fIoff\fR by default.
-.IP "tty_tickets" 16
-.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis. With this flag
-enabled, \fBsudo\fR will use a file named for the tty the user is
-logged in on in the user's time stamp directory. If disabled, the
-time stamp of the directory is used instead. This flag is
-\&\fI@tty_tickets@\fR by default.
-.IP "umask_override" 16
-.IX Item "umask_override"
-If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
-modification. This makes it possible to specify a more permissive
-umask in \fIsudoers\fR than the user's own umask and matches historical
-behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
-umask to be the union of the user's umask and what is specified in
-\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
-.if \n(LC \{\
-.IP "use_loginclass" 16
-.IX Item "use_loginclass"
-If set, \fBsudo\fR will apply the defaults specified for the target user's
-login class if one exists. Only available if \fBsudo\fR is configured with
-the \-\-with\-logincap option. This flag is \fIoff\fR by default.
-\}
-.IP "use_pty" 16
-.IX Item "use_pty"
-If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
-logging is being gone. A malicious program run under \fBsudo\fR could
-conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing. Use
-of this option will make that impossible. This flag is \fIoff\fR by default.
-.IP "utmp_runas" 16
-.IX Item "utmp_runas"
-If set, \fBsudo\fR will store the name of the runas user when updating
-the utmp (or utmpx) file. By default, \fBsudo\fR stores the name of
-the invoking user. This flag is \fIoff\fR by default.
-.IP "visiblepw" 16
-.IX Item "visiblepw"
-By default, \fBsudo\fR will refuse to run if the user must enter a
-password but it is not possible to disable echo on the terminal.
-If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
-even when it would be visible on the screen. This makes it possible
-to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
-not allocate a tty. This flag is \fIoff\fR by default.
-.PP
-\&\fBIntegers\fR:
-.IP "closefrom" 16
-.IX Item "closefrom"
-Before it executes a command, \fBsudo\fR will close all open file
-descriptors other than standard input, standard output and standard
-error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
-to specify a different file descriptor at which to start closing.
-The default is \f(CW3\fR.
-.IP "passwd_tries" 16
-.IX Item "passwd_tries"
+user (which is root unless the
+\fB\-u\fR
+option is used).
+This effectively makes the
+\fB\-s\fR
+option imply
+\fB\-H\fR.
+Note that
+\fRHOME\fR
+is already set when the the
+\fIenv_reset\fR
+option is enabled, so
+\fIset_home\fR
+is only effective for configurations where either
+\fIenv_reset\fR
+is disabled
+or
+\fRHOME\fR
+is present in the
+\fIenv_keep\fR
+list.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+set_logname
+Normally,
+\fBsudo\fR
+will set the
+\fRLOGNAME\fR,
+\fRUSER\fR
+and
+\fRUSERNAME\fR
+environment variables to the name of the target user (usually root unless the
+\fB\-u\fR
+option is given).
+However, since some programs (including the RCS revision control system) use
+\fRLOGNAME\fR
+to determine the real identity of the user, it may be desirable to
+change this behavior.
+This can be done by negating the set_logname option.
+Note that if the
+\fIenv_reset\fR
+option has not been disabled, entries in the
+\fIenv_keep\fR
+list will override the value of
+\fIset_logname\fR.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
+set_utmp
+When enabled,
+\fBsudo\fR
+will create an entry in the utmp (or utmpx) file when a pseudo-tty
+is allocated.
+A pseudo-tty is allocated by
+\fBsudo\fR
+when the
+\fIlog_input\fR,
+\fIlog_output\fR
+or
+\fIuse_pty\fR
+flags are enabled.
+By default, the new entry will be a copy of the user's existing utmp
+entry (if any), with the tty, time, type and pid fields updated.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
+setenv
+Allow the user to disable the
+\fIenv_reset\fR
+option from the command line via the
+\fB\-E\fR
+option.
+Additionally, environment variables set via the command line are
+not subject to the restrictions imposed by
+\fIenv_check\fR,
+\fIenv_delete\fR,
+or
+\fIenv_keep\fR.
+As such, only trusted users should be allowed to set variables in this manner.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+shell_noargs
+If set and
+\fBsudo\fR
+is invoked with no arguments it acts as if the
+\fB\-s\fR
+option had been given.
+That is, it runs a shell as root (the shell is determined by the
+\fRSHELL\fR
+environment variable if it is set, falling back on the shell listed
+in the invoking user's /etc/passwd entry if not).
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+stay_setuid
+Normally, when
+\fBsudo\fR
+executes a command the real and effective UIDs are set to the target
+user (root by default).
+This option changes that behavior such that the real UID is left
+as the invoking user's UID.
+In other words, this makes
+\fBsudo\fR
+act as a setuid wrapper.
+This can be useful on systems that disable some potentially
+dangerous functionality when a program is run setuid.
+This option is only effective on systems that support either the
+setreuid(2)
+or
+setresuid(2)
+system call.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+targetpw
+If set,
+\fBsudo\fR
+will prompt for the password of the user specified
+by the
+\fB\-u\fR
+option (defaults to
+\fRroot\fR)
+instead of the password of the invoking user.
+In addition, the time stamp file name will include the target user's name.
+Note that this flag precludes the use of a uid not listed in the passwd
+database as an argument to the
+\fB\-u\fR
+option.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+tty_tickets
+If set, users must authenticate on a per-tty basis.
+With this flag enabled,
+\fBsudo\fR
+will use a file named for the tty the user is
+logged in on in the user's time stamp directory.
+If disabled, the time stamp of the directory is used instead.
+This flag is
+\fI@tty_tickets@\fR
+by default.
+.TP 18n
+umask_override
+If set,
+\fBsudo\fR
+will set the umask as specified by
+\fIsudoers\fR
+without modification.
+This makes it possible to specify a more permissive umask in
+\fIsudoers\fR
+than the user's own umask and matches historical behavior.
+If
+\fIumask_override\fR
+is not set,
+\fBsudo\fR
+will set the umask to be the union of the user's umask and what is specified in
+\fIsudoers\fR.
+This flag is
+\fI@umask_override@\fR
+by default.
+.TP 18n
+use_loginclass
+If set,
+\fBsudo\fR
+will apply the defaults specified for the target user's login class
+if one exists.
+Only available if
+\fBsudo\fR
+is configured with the
+\fR--with-logincap\fR
+option.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+use_pty
+If set,
+\fBsudo\fR
+will run the command in a pseudo-pty even if no I/O logging is being gone.
+A malicious program run under
+\fBsudo\fR
+could conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing.
+Use of this option will make that impossible.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+utmp_runas
+If set,
+\fBsudo\fR
+will store the name of the runas user when updating the utmp (or utmpx) file.
+By default,
+\fBsudo\fR
+stores the name of the invoking user.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+visiblepw
+By default,
+\fBsudo\fR
+will refuse to run if the user must enter a password but it is not
+possible to disable echo on the terminal.
+If the
+\fIvisiblepw\fR
+flag is set,
+\fBsudo\fR
+will prompt for a password even when it would be visible on the screen.
+This makes it possible to run things like
+``\fRssh somehost sudo ls\fR''
+since by default,
+ssh(1)
+does
+not allocate a tty when running a command.
+This flag is
+\fIoff\fR
+by default.
+.PP
+\fBIntegers\fR:
+.TP 18n
+closefrom
+Before it executes a command,
+\fBsudo\fR
+will close all open file descriptors other than standard input,
+standard output and standard error (ie: file descriptors 0-2).
+The
+\fIclosefrom\fR
+option can be used to specify a different file descriptor at which
+to start closing.
+The default is
+\fR3\fR.
+.TP 18n
+passwd_tries
The number of tries a user gets to enter his/her password before
-\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
-.PP
-\&\fBIntegers that can be used in a boolean context\fR:
-.IP "loglinelen" 16
-.IX Item "loglinelen"
-Number of characters per line for the file log. This value is used
-to decide when to wrap lines for nicer log files. This has no
-effect on the syslog log file, only the file log. The default is
-\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
-.IP "passwd_timeout" 16
-.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out, or
-\&\f(CW0\fR for no timeout. The timeout may include a fractional component
-if minute granularity is insufficient, for example \f(CW2.5\fR. The
-default is \f(CW\*(C`@password_timeout@\*(C'\fR.
-.IP "timestamp_timeout" 16
-.IX Item "timestamp_timeout"
-Number of minutes that can elapse before \fBsudo\fR will ask for a
-passwd again. The timeout may include a fractional component if
-minute granularity is insufficient, for example \f(CW2.5\fR. The default
-is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
-If set to a value less than \f(CW0\fR the user's timestamp will never
-expire. This can be used to allow users to create or delete their
-own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
-.IP "umask" 16
-.IX Item "umask"
-Umask to use when running the command. Negate this option or set
-it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and the value of the
-\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
-that \fBsudo\fR never lowers the umask when running a command. Note
-on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
-its own umask which will override the value set in \fIsudoers\fR.
-.PP
-\&\fBStrings\fR:
-.IP "badpass_message" 16
-.IX Item "badpass_message"
+\fBsudo\fR
+logs the failure and exits.
+The default is
+\fR@passwd_tries@\fR.
+.PP
+\fBIntegers that can be used in a boolean context\fR:
+.TP 18n
+loglinelen
+Number of characters per line for the file log.
+This value is used to decide when to wrap lines for nicer log files.
+This has no effect on the syslog log file, only the file log.
+The default is
+\fR@loglen@\fR
+(use 0 or negate the option to disable word wrap).
+.TP 18n
+passwd_timeout
+Number of minutes before the
+\fBsudo\fR
+password prompt times out, or
+\fR0\fR
+for no timeout.
+The timeout may include a fractional component
+if minute granularity is insufficient, for example
+\fR2.5\fR.
+The
+default is
+\fR@password_timeout@\fR.
+.TP 18n
+timestamp_timeout
+.br
+Number of minutes that can elapse before
+\fBsudo\fR
+will ask for a passwd again.
+The timeout may include a fractional component if
+minute granularity is insufficient, for example
+\fR2.5\fR.
+The default is
+\fR@timeout@\fR.
+Set this to
+\fR0\fR
+to always prompt for a password.
+If set to a value less than
+\fR0\fR
+the user's time stamp will never expire.
+This can be used to allow users to create or delete their own time stamps via
+``\fRsudo -v\fR''
+and
+``\fRsudo -k\fR''
+respectively.
+.TP 18n
+umask
+Umask to use when running the command.
+Negate this option or set it to 0777 to preserve the user's umask.
+The actual umask that is used will be the union of the user's umask
+and the value of the
+\fIumask\fR
+option, which defaults to
+\fR@sudo_umask@\fR.
+This guarantees
+that
+\fBsudo\fR
+never lowers the umask when running a command.
+Note: on systems that use PAM, the default PAM configuration may specify
+its own umask which will override the value set in
+\fIsudoers\fR.
+.PP
+\fBStrings\fR:
+.TP 18n
+badpass_message
Message that is displayed if a user enters an incorrect password.
-The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
-.IP "editor" 16
-.IX Item "editor"
-A colon (':') separated list of editors allowed to be used with
-\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
-\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable. The default is \f(CW"@editor@"\fR.
-.IP "iolog_dir" 16
-.IX Item "iolog_dir"
+The default is
+\fR@badpass_message@\fR
+unless insults are enabled.
+.TP 18n
+editor
+A colon
+(`:\&')
+separated list of editors allowed to be used with
+\fBvisudo\fR.
+\fBvisudo\fR
+will choose the editor that matches the user's
+\fREDITOR\fR
+environment variable if possible, or the first editor in the
+list that exists and is executable.
+The default is
+\fI@editor@\fR.
+.TP 18n
+iolog_dir
The top-level directory to use when constructing the path name for
-the input/output log directory. Only used if the \fIlog_input\fR or
-\&\fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
-\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command. The session sequence
-number, if any, is stored in the directory.
-The default is \f(CW"@iolog_dir@"\fR.
-.Sp
-The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
-.RS 16
-.ie n .IP "\*(C`%{seq}\*(C'" 4
-.el .IP "\f(CW\*(C`%{seq}\*(C'\fR" 4
-.IX Item "%{seq}"
-expanded to a monotonically increasing base\-36 sequence number, such as 0100A5,
-where every two digits are used to form a new directory, e.g. \fI01/00/A5\fR
-.ie n .IP "\*(C`%{user}\*(C'" 4
-.el .IP "\f(CW\*(C`%{user}\*(C'\fR" 4
-.IX Item "%{user}"
+the input/output log directory.
+Only used if the
+\fIlog_input\fR
+or
+\fIlog_output\fR
+options are enabled or when the
+\fRLOG_INPUT\fR
+or
+\fRLOG_OUTPUT\fR
+tags are present for a command.
+The session sequence number, if any, is stored in the directory.
+The default is
+\fI@iolog_dir@\fR.
+.sp
+The following percent
+(`%')
+escape sequences are supported:
+.RS
+.TP 6n
+\fR%{seq}\fR
+expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
+where every two digits are used to form a new directory, e.g.\&
+\fI01/00/A5\fR
+.TP 6n
+\fR%{user}\fR
expanded to the invoking user's login name
-.ie n .IP "\*(C`%{group}\*(C'" 4
-.el .IP "\f(CW\*(C`%{group}\*(C'\fR" 4
-.IX Item "%{group}"
-expanded to the name of the invoking user's real group \s-1ID\s0
-.ie n .IP "\*(C`%{runas_user}\*(C'" 4
-.el .IP "\f(CW\*(C`%{runas_user}\*(C'\fR" 4
-.IX Item "%{runas_user}"
+.TP 6n
+\fR%{group}\fR
+expanded to the name of the invoking user's real group ID
+.TP 6n
+\fR%{runas_user}\fR
expanded to the login name of the user the command will
-be run as (e.g. root)
-.ie n .IP "\*(C`%{runas_group}\*(C'" 4
-.el .IP "\f(CW\*(C`%{runas_group}\*(C'\fR" 4
-.IX Item "%{runas_group}"
+be run as (e.g.\& root)
+.TP 6n
+\fR%{runas_group}\fR
expanded to the group name of the user the command will
-be run as (e.g. wheel)
-.ie n .IP "\*(C`%{hostname}\*(C'" 4
-.el .IP "\f(CW\*(C`%{hostname}\*(C'\fR" 4
-.IX Item "%{hostname}"
+be run as (e.g.\& wheel)
+.TP 6n
+\fR%{hostname}\fR
expanded to the local host name without the domain name
-.ie n .IP "\*(C`%{command}\*(C'" 4
-.el .IP "\f(CW\*(C`%{command}\*(C'\fR" 4
-.IX Item "%{command}"
+.TP 6n
+\fR%{command}\fR
expanded to the base name of the command being run
-.RE
-.RS 16
-.Sp
-In addition, any escape sequences supported by the system's \fIstrftime()\fR
+.PP
+In addition, any escape sequences supported by the system's
+strftime(3)
function will be expanded.
-.Sp
-To include a literal `\f(CW\*(C`%\*(C'\fR' character, the string `\f(CW\*(C`%%\*(C'\fR' should
-be used.
-.RE
-.IP "iolog_file" 16
-.IX Item "iolog_file"
-The path name, relative to \fIiolog_dir\fR, in which to store input/output
-logs when the \fIlog_input\fR or \fIlog_output\fR options are enabled or
-when the \f(CW\*(C`LOG_INPUT\*(C'\fR or \f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
-Note that \fIiolog_file\fR may contain directory components.
-The default is \f(CW"%{seq}"\fR.
-.Sp
-See the \fIiolog_dir\fR option above for a list of supported percent
-(`\f(CW\*(C`%\*(C'\fR') escape sequences.
-.Sp
+.sp
+To include a literal
+`%'
+character, the string
+`%%'
+should be used.
+.PP
+.RE
+.PD 0
+.TP 18n
+iolog_file
+The path name, relative to
+\fIiolog_dir\fR,
+in which to store input/output logs when the
+\fIlog_input\fR
+or
+\fIlog_output\fR
+options are enabled or when the
+\fRLOG_INPUT\fR
+or
+\fRLOG_OUTPUT\fR
+tags are present for a command.
+Note that
+\fIiolog_file\fR
+may contain directory components.
+The default is
+``\fR%{seq}\fR''.
+.sp
+See the
+\fIiolog_dir\fR
+option above for a list of supported percent
+(`%')
+escape sequences.
+.sp
In addition to the escape sequences, path names that end in six or
-more \f(CW\*(C`X\*(C'\fRs will have the \f(CW\*(C`X\*(C'\fRs replaced with a unique combination
-of digits and letters, similar to the \fImktemp()\fR function.
-.IP "mailsub" 16
-.IX Item "mailsub"
-Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
+more
+\fRX\fRs
+will have the
+\fRX\fRs
+replaced with a unique combination of digits and letters, similar to the
+mktemp(3)
+function.
+.PD
+.TP 18n
+limitprivs
+The default Solaris limit privileges to use when constructing a new
+privilege set for a command.
+This bounds all privileges of the executing process.
+The default limit privileges may be overridden on a per-command basis in
+\fIsudoers\fR.
+This option is only available if
+\fBsudoers\fR
+is built on Solaris 10 or higher.
+.TP 18n
+mailsub
+Subject of the mail sent to the
+\fImailto\fR
+user.
+The escape
+\fR%h\fR
will expand to the host name of the machine.
-Default is \f(CW\*(C`@mailsub@\*(C'\fR.
-.IP "noexec_file" 16
-.IX Item "noexec_file"
-This option is no longer supported. The path to the noexec file
-should now be set in the \fI@sysconfdir@/sudo.conf\fR file.
-.IP "passprompt" 16
-.IX Item "passprompt"
-The default prompt to use when asking for a password; can be overridden
-via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
-The following percent (`\f(CW\*(C`%\*(C'\fR') escape sequences are supported:
-.RS 16
-.ie n .IP "%H" 4
-.el .IP "\f(CW%H\fR" 4
-.IX Item "%H"
+Default is
+``\fR@mailsub@\fR''.
+.TP 18n
+noexec_file
+This option is no longer supported.
+The path to the noexec file should now be set in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 18n
+passprompt
+The default prompt to use when asking for a password; can be overridden via the
+\fB\-p\fR
+option or the
+\fRSUDO_PROMPT\fR
+environment variable.
+The following percent
+(`%')
+escape sequences are supported:
+.RS
+.TP 6n
+\fR%H\fR
expanded to the local host name including the domain name
-(only if the machine's host name is fully qualified or the \fIfqdn\fR
+(only if the machine's host name is fully qualified or the
+\fIfqdn\fR
option is set)
-.ie n .IP "%h" 4
-.el .IP "\f(CW%h\fR" 4
-.IX Item "%h"
+.TP 6n
+\fR%h\fR
expanded to the local host name without the domain name
-.ie n .IP "%p" 4
-.el .IP "\f(CW%p\fR" 4
-.IX Item "%p"
-expanded to the user whose password is being asked for (respects the
-\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
-.ie n .IP "%U" 4
-.el .IP "\f(CW%U\fR" 4
-.IX Item "%U"
+.TP 6n
+\fR%p\fR
+expanded to the user whose password is being asked for (respects the
+\fIrootpw\fR,
+\fItargetpw\fR
+and
+\fIrunaspw\fR
+flags in
+\fIsudoers\fR)
+.TP 6n
+\fR\&%U\fR
expanded to the login name of the user the command will
be run as (defaults to root)
-.ie n .IP "%u" 4
-.el .IP "\f(CW%u\fR" 4
-.IX Item "%u"
+.TP 6n
+\fR%u\fR
expanded to the invoking user's login name
-.ie n .IP "\*(C`%%\*(C'" 4
-.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
-.IX Item "%%"
-two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
-.RE
-.RS 16
-.Sp
-The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
-.RE
-.if \n(SL \{\
-.IP "role" 16
-.IX Item "role"
+.TP 6n
+\fR%%\fR
+two consecutive
+\fR%\fR
+characters are collapsed into a single
+\fR%\fR
+character
+.PP
+The default value is
+``\fR@passprompt@\fR''.
+.PP
+.RE
+.PD 0
+.TP 18n
+privs
+The default Solaris privileges to use when constructing a new
+privilege set for a command.
+This is passed to the executing process via the inherited privilege set,
+but is bounded by the limit privileges.
+If the
+\fIprivs\fR
+option is specified but the
+\fIlimitprivs\fR
+option is not, the limit privileges of the executing process is set to
+\fIprivs\fR.
+The default privileges may be overridden on a per-command basis in
+\fIsudoers\fR.
+This option is only available if
+\fBsudoers\fR
+is built on Solaris 10 or higher.
+.PD
+.TP 18n
+role
The default SELinux role to use when constructing a new security
-context to run the command. The default role may be overridden on
-a per-command basis in \fIsudoers\fR or via command line options.
-This option is only available whe \fBsudo\fR is built with SELinux support.
-\}
-.IP "runas_default" 16
-.IX Item "runas_default"
-The default user to run commands as if the \fB\-u\fR option is not specified
-on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
-.IP "syslog_badpri" 16
-.IX Item "syslog_badpri"
+context to run the command.
+The default role may be overridden on a per-command basis in
+\fIsudoers\fR
+or via command line options.
+This option is only available when
+\fBsudo\fR
+is built with SELinux support.
+.TP 18n
+runas_default
+The default user to run commands as if the
+\fB\-u\fR
+option is not specified on the command line.
+This defaults to
+\fR@runas_default@\fR.
+.TP 18n
+syslog_badpri
Syslog priority to use when user authenticates unsuccessfully.
-Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
-.Sp
-The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
-\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
-.IP "syslog_goodpri" 16
-.IX Item "syslog_goodpri"
+Defaults to
+\fR@badpri@\fR.
+.sp
+The following syslog priorities are supported:
+\fBalert\fR,
+\fBcrit\fR,
+\fBdebug\fR,
+\fBemerg\fR,
+\fBerr\fR,
+\fBinfo\fR,
+\fBnotice\fR,
+and
+\fBwarning\fR.
+.TP 18n
+syslog_goodpri
Syslog priority to use when user authenticates successfully.
-Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
-.Sp
-See syslog_badpri for the list of supported syslog priorities.
-.IP "sudoers_locale" 16
-.IX Item "sudoers_locale"
+Defaults to
+\fR@goodpri@\fR.
+.sp
+See
+\fIsyslog_badpri\fR
+for the list of supported syslog priorities.
+.TP 18n
+sudoers_locale
Locale to use when parsing the sudoers file, logging commands, and
-sending email. Note that changing the locale may affect how sudoers
-is interpreted. Defaults to \f(CW"C"\fR.
-.IP "timestampdir" 16
-.IX Item "timestampdir"
-The directory in which \fBsudo\fR stores its timestamp files.
-The default is \fI@timedir@\fR.
-.IP "timestampowner" 16
-.IX Item "timestampowner"
-The owner of the timestamp directory and the timestamps stored therein.
-The default is \f(CW\*(C`root\*(C'\fR.
-.if \n(SL \{\
-.IP "type" 16
-.IX Item "type"
+sending email.
+Note that changing the locale may affect how sudoers is interpreted.
+Defaults to
+``\fRC\fR''.
+.TP 18n
+timestampdir
+The directory in which
+\fBsudo\fR
+stores its time stamp files.
+The default is
+\fI@timedir@\fR.
+.TP 18n
+timestampowner
+The owner of the time stamp directory and the time stamps stored therein.
+The default is
+\fRroot\fR.
+.TP 18n
+type
The default SELinux type to use when constructing a new security
-context to run the command. The default type may be overridden on
-a per-command basis in \fIsudoers\fR or via command line options.
-This option is only available whe \fBsudo\fR is built with SELinux support.
-\}
-.PP
-\&\fBStrings that can be used in a boolean context\fR:
-.IP "env_file" 12
-.IX Item "env_file"
-The \fIenv_file\fR option specifies the fully qualified path to a
-file containing variables to be set in the environment of the program
-being run. Entries in this file should either be of the form
-\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
-optionally be surrounded by single or double quotes. Variables in
-this file are subject to other \fBsudo\fR environment settings such
-as \fIenv_keep\fR and \fIenv_check\fR.
-.IP "exempt_group" 12
-.IX Item "exempt_group"
-Users in this group are exempt from password and \s-1PATH\s0 requirements.
-The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
+context to run the command.
+The default type may be overridden on a per-command basis in
+\fIsudoers\fR
+or via command line options.
+This option is only available when
+\fBsudo\fR
+is built with SELinux support.
+.PP
+\fBStrings that can be used in a boolean context\fR:
+.TP 14n
+env_file
+The
+\fIenv_file\fR
+option specifies the fully qualified path to a file containing variables
+to be set in the environment of the program being run.
+Entries in this file should either be of the form
+``\fRVARIABLE=value\fR''
+or
+``\fRexport VARIABLE=value\fR''.
+The value may optionally be surrounded by single or double quotes.
+Variables in this file are subject to other
+\fBsudo\fR
+environment settings such as
+\fIenv_keep\fR
+and
+\fIenv_check\fR.
+.TP 14n
+exempt_group
+Users in this group are exempt from password and PATH requirements.
+The group name specified should not include a
+\fR%\fR
+prefix.
This is not set by default.
-.IP "group_plugin" 12
-.IX Item "group_plugin"
-A string containing a \fIsudoers\fR group plugin with optional arguments.
-This can be used to implement support for the \f(CW\*(C`nonunix_group\*(C'\fR
-syntax described earlier. The string should consist of the plugin
-path, either fully-qualified or relative to the \fI@prefix@/libexec\fR
-directory, followed by any configuration arguments the plugin
-requires. These arguments (if any) will be passed to the plugin's
-initialization function. If arguments are present, the string must
-be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR).
-.Sp
-For example, given \fI/etc/sudo\-group\fR, a group file in Unix group
-format, the sample group plugin can be used:
-.Sp
-.Vb 1
-\& Defaults group_plugin="sample_group.so /etc/sudo\-group"
-.Ve
-.Sp
-For more information see \fIsudo_plugin\fR\|(@mansectform@).
-.IP "lecture" 12
-.IX Item "lecture"
+.TP 14n
+group_plugin
+A string containing a
+\fIsudoers\fR
+group plugin with optional arguments.
+This can be used to implement support for the
+\fRnonunix_group\fR
+syntax described earlier.
+The string should consist of the plugin
+path, either fully-qualified or relative to the
+\fI@prefix@/libexec\fR
+directory, followed by any configuration arguments the plugin requires.
+These arguments (if any) will be passed to the plugin's initialization function.
+If arguments are present, the string must be enclosed in double quotes
+(\&"").
+.sp
+For example, given
+\fI/etc/sudo-group\fR,
+a group file in Unix group format, the sample group plugin can be used:
+.RS
+.nf
+.sp
+.RS 0n
+Defaults group_plugin="sample_group.so /etc/sudo-group"
+.RE
+.fi
+.sp
+For more information see
+sudo_plugin(@mansectform@).
+.PP
+.RE
+.PD 0
+.TP 14n
+lecture
This option controls when a short lecture will be printed along with
-the password prompt. It has the following possible values:
-.RS 12
-.IP "always" 8
-.IX Item "always"
+the password prompt.
+It has the following possible values:
+.RS
+.PD
+.TP 8n
+always
Always lecture the user.
-.IP "never" 8
-.IX Item "never"
+.TP 8n
+never
Never lecture the user.
-.IP "once" 8
-.IX Item "once"
-Only lecture the user the first time they run \fBsudo\fR.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIonce\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fI@lecture@\fR.
-.RE
-.IP "lecture_file" 12
-.IX Item "lecture_file"
-Path to a file containing an alternate \fBsudo\fR lecture that will
-be used in place of the standard lecture if the named file exists.
-By default, \fBsudo\fR uses a built-in lecture.
-.IP "listpw" 12
-.IX Item "listpw"
-This option controls when a password will be required when a
-user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-l\fR option.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-l\fR option.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIany\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIany\fR.
-.RE
-.IP "logfile" 12
-.IX Item "logfile"
-Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
-By default, \fBsudo\fR logs via syslog.
-.IP "mailerflags" 12
-.IX Item "mailerflags"
-Flags to use when invoking mailer. Defaults to \fB\-t\fR.
-.IP "mailerpath" 12
-.IX Item "mailerpath"
+.TP 8n
+once
+Only lecture the user the first time they run
+\fBsudo\fR.
+.PP
+If no value is specified, a value of
+\fIonce\fR
+is implied.
+Negating the option results in a value of
+\fInever\fR
+being used.
+The default value is
+\fI@lecture@\fR.
+.PP
+.RE
+.PD 0
+.TP 14n
+lecture_file
+Path to a file containing an alternate
+\fBsudo\fR
+lecture that will be used in place of the standard lecture if the named
+file exists.
+By default,
+\fBsudo\fR
+uses a built-in lecture.
+.PD
+.TP 14n
+listpw
+This option controls when a password will be required when a user runs
+\fBsudo\fR
+with the
+\fB\-l\fR
+option.
+It has the following possible values:
+.RS
+.TP 10n
+all
+All the user's
+\fIsudoers\fR
+entries for the current host must have
+the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 10n
+always
+The user must always enter a password to use the
+\fB\-l\fR
+option.
+.TP 10n
+any
+At least one of the user's
+\fIsudoers\fR
+entries for the current host
+must have the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 10n
+never
+The user need never enter a password to use the
+\fB\-l\fR
+option.
+.PP
+If no value is specified, a value of
+\fIany\fR
+is implied.
+Negating the option results in a value of
+\fInever\fR
+being used.
+The default value is
+\fIany\fR.
+.PP
+.RE
+.PD 0
+.TP 14n
+logfile
+Path to the
+\fBsudo\fR
+log file (not the syslog log file).
+Setting a path turns on logging to a file;
+negating this option turns it off.
+By default,
+\fBsudo\fR
+logs via syslog.
+.PD
+.TP 14n
+mailerflags
+Flags to use when invoking mailer. Defaults to
+\fB\-t\fR.
+.TP 14n
+mailerpath
Path to mail program used to send warning mail.
Defaults to the path to sendmail found at configure time.
-.IP "mailfrom" 12
-.IX Item "mailfrom"
-Address to use for the \*(L"from\*(R" address when sending warning and error
-mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
-protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
-the name of the user running \fBsudo\fR.
-.IP "mailto" 12
-.IX Item "mailto"
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
-interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
-.IP "secure_path" 12
-.IX Item "secure_path"
-Path used for every command run from \fBsudo\fR. If you don't trust the
-people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
-want to use this. Another use is if you want to have the \*(L"root path\*(R"
-be separate from the \*(L"user path.\*(R" Users in the group specified by the
-\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
+.TP 14n
+mailfrom
+Address to use for the
+``from''
+address when sending warning and error mail.
+The address should be enclosed in double quotes
+(\&"")
+to protect against
+\fBsudo\fR
+interpreting the
+\fR@\fR
+sign.
+Defaults to the name of the user running
+\fBsudo\fR.
+.TP 14n
+mailto
+Address to send warning and error mail to.
+The address should be enclosed in double quotes
+(\&"")
+to protect against
+\fBsudo\fR
+interpreting the
+\fR@\fR
+sign.
+Defaults to
+\fR@mailto@\fR.
+.TP 14n
+secure_path
+Path used for every command run from
+\fBsudo\fR.
+If you don't trust the
+people running
+\fBsudo\fR
+to have a sane
+\fRPATH\fR
+environment variable you may want to use this.
+Another use is if you want to have the
+``root path''
+be separate from the
+``user path''.
+Users in the group specified by the
+\fIexempt_group\fR
+option are not affected by
+\fIsecure_path\fR.
This option is @secure_path@ by default.
-.IP "syslog" 12
-.IX Item "syslog"
+.TP 14n
+syslog
Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
-.Sp
-The following syslog facilities are supported: \fBauthpriv\fR (if your
-\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
-\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
-.IP "verifypw" 12
-.IX Item "verifypw"
+disable syslog logging).
+Defaults to
+\fR@logfac@\fR.
+.sp
+The following syslog facilities are supported:
+\fBauthpriv\fR
+(if your
+OS supports it),
+\fBauth\fR,
+\fBdaemon\fR,
+\fBuser\fR,
+\fBlocal0\fR,
+\fBlocal1\fR,
+\fBlocal2\fR,
+\fBlocal3\fR,
+\fBlocal4\fR,
+\fBlocal5\fR,
+\fBlocal6\fR,
+and
+\fBlocal7\fR.
+.TP 14n
+verifypw
This option controls when a password will be required when a user runs
-\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-v\fR option.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-v\fR option.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIall\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIall\fR.
-.RE
-.PP
-\&\fBLists that can be used in a boolean context\fR:
-.IP "env_check" 16
-.IX Item "env_check"
+\fBsudo\fR
+with the
+\fB\-v\fR
+option.
+It has the following possible values:
+.RS
+.TP 8n
+all
+All the user's
+\fIsudoers\fR
+entries for the current host must have the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 8n
+always
+The user must always enter a password to use the
+\fB\-v\fR
+option.
+.TP 8n
+any
+At least one of the user's
+\fIsudoers\fR
+entries for the current host must have the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 8n
+never
+The user need never enter a password to use the
+\fB\-v\fR
+option.
+.PP
+If no value is specified, a value of
+\fIall\fR
+is implied.
+Negating the option results in a value of
+\fInever\fR
+being used.
+The default value is
+\fIall\fR.
+.RE
+.PP
+\fBLists that can be used in a boolean context\fR:
+.TP 18n
+env_check
Environment variables to be removed from the user's environment if
-the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
-be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double-quoted,
-space-separated list or a single value without double-quotes. The
-list can be replaced, added to, deleted from, or disabled by using
-the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
-of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
-specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
-they pass the aforementioned check. The default list of environment
-variables to check is displayed when \fBsudo\fR is run by root with
-the \fI\-V\fR option.
-.IP "env_delete" 16
-.IX Item "env_delete"
-Environment variables to be removed from the user's environment
-when the \fIenv_reset\fR option is not in effect. The argument may
-be a double-quoted, space-separated list or a single value without
-double-quotes. The list can be replaced, added to, deleted from,
-or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
-respectively. The default list of environment variables to remove
-is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+the variable's value contains
+`%'
+or
+`/'
+characters.
+This can be used to guard against printf-style format vulnerabilities
+in poorly-written programs.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using
+the
+\fR=\fR,
+\fR+=\fR,
+\fR-=\fR,
+and
+\fR\&!\fR
+operators respectively.
+Regardless of whether the
+\fRenv_reset\fR
+option is enabled or disabled, variables specified by
+\fRenv_check\fR
+will be preserved in the environment if they pass the aforementioned check.
+The default list of environment variables to check is displayed when
+\fBsudo\fR
+is run by root with
+the
+\fB\-V\fR
+option.
+.TP 18n
+env_delete
+Environment variables to be removed from the user's environment when the
+\fIenv_reset\fR
+option is not in effect.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+\fR=\fR,
+\fR+=\fR,
+\fR-=\fR,
+and
+\fR\&!\fR
+operators respectively.
+The default list of environment variables to remove is displayed when
+\fBsudo\fR
+is run by root with the
+\fB\-V\fR
+option.
Note that many operating systems will remove potentially dangerous
variables from the environment of any setuid process (such as
-\&\fBsudo\fR).
-.IP "env_keep" 16
-.IX Item "env_keep"
-Environment variables to be preserved in the user's environment
-when the \fIenv_reset\fR option is in effect. This allows fine-grained
-control over the environment \fBsudo\fR\-spawned processes will receive.
+\fBsudo\fR).
+.TP 18n
+env_keep
+Environment variables to be preserved in the user's environment when the
+\fIenv_reset\fR
+option is in effect.
+This allows fine-grained control over the environment
+\fBsudo\fR-spawned
+processes will receive.
The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
-\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
-is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+\fR=\fR,
+\fR+=\fR,
+\fR-=\fR,
+and
+\fR\&!\fR
+operators respectively.
+The default list of variables to keep
+is displayed when
+\fBsudo\fR
+is run by root with the
+\fB\-V\fR
+option.
+.SH "LOG FORMAT"
+\fBsudoers\fR
+can log events using either
+syslog(3)
+or a simple log file.
+In each case the log format is almost identical.
+.SS "Accepted command log entries"
+Commands that sudo runs are logged using the following format (split
+into multiple lines for readability):
+.nf
+.sp
+.RS 4n
+date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
+ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
+ ENV=env_vars COMMAND=command
+.RE
+.fi
+.PP
+Where the fields are as follows:
+.TP 14n
+date
+The date the command was run.
+Typically, this is in the format
+``MMM, DD, HH:MM:SS''.
+If logging via
+syslog(3),
+the actual date format is controlled by the syslog daemon.
+If logging to a file and the
+\fIlog_year\fR
+option is enabled,
+the date will also include the year.
+.TP 14n
+hostname
+The name of the host
+\fBsudo\fR
+was run on.
+This field is only present when logging via
+syslog(3).
+.TP 14n
+progname
+The name of the program, usually
+\fIsudo\fR
+or
+\fIsudoedit\fR.
+This field is only present when logging via
+syslog(3).
+.TP 14n
+username
+The login name of the user who ran
+\fBsudo\fR.
+.TP 14n
+ttyname
+The short name of the terminal (e.g.\&
+``console'',
+``tty01'',
+or
+``pts/0'')
+\fBsudo\fR
+was run on, or
+``unknown''
+if there was no terminal present.
+.TP 14n
+cwd
+The current working directory that
+\fBsudo\fR
+was run in.
+.TP 14n
+runasuser
+The user the command was run as.
+.TP 14n
+runasgroup
+The group the command was run as if one was specified on the command line.
+.TP 14n
+logid
+An I/O log identifier that can be used to replay the command's output.
+This is only present when the
+\fIlog_input\fR
+or
+\fIlog_output\fR
+option is enabled.
+.TP 14n
+env_vars
+A list of environment variables specified on the command line,
+if specified.
+.TP 14n
+command
+The actual command that was executed.
+.PP
+Messages are logged using the locale specified by
+\fIsudoers_locale\fR,
+which defaults to the
+``\fRC\fR''
+locale.
+.SS "Denied command log entries"
+If the user is not allowed to run the command, the reason for the denial
+will follow the user name.
+Possible reasons include:
+.TP 3n
+user NOT in sudoers
+The user is not listed in the
+\fIsudoers\fR
+file.
+.TP 3n
+user NOT authorized on host
+The user is listed in the
+\fIsudoers\fR
+file but is not allowed to run commands on the host.
+.TP 3n
+command not allowed
+The user is listed in the
+\fIsudoers\fR
+file for the host but they are not allowed to run the specified command.
+.TP 3n
+3 incorrect password attempts
+The user failed to enter their password after 3 tries.
+The actual number of tries will vary based on the number of
+failed attempts and the value of the
+\fIpasswd_tries\fR
+option.
+.TP 3n
+a password is required
+\fBsudo\fR's
+\fB\-n\fR
+option was specified but a password was required.
+.TP 3n
+sorry, you are not allowed to set the following environment variables
+The user specified environment variables on the command line that
+were not allowed by
+\fIsudoers\fR.
+.SS "Error log entries"
+If an error occurs,
+\fBsudoers\fR
+will log a message and, in most cases, send a message to the
+administrator via email.
+Possible errors include:
+.TP 3n
+parse error in @sysconfdir@/sudoers near line N
+\fBsudoers\fR
+encountered an error when parsing the specified file.
+In some cases, the actual error may be one line above or below the
+line number listed, depending on the type of error.
+.TP 3n
+problem with defaults entries
+The
+\fIsudoers\fR
+file contains one or more unknown Defaults settings.
+This does not prevent
+\fBsudo\fR
+from running, but the
+\fIsudoers\fR
+file should be checked using
+\fBvisudo\fR.
+.TP 3n
+timestamp owner (username): \&No such user
+The time stamp directory owner, as specified by the
+\fItimestampowner\fR
+setting, could not be found in the password database.
+.TP 3n
+unable to open/read @sysconfdir@/sudoers
+The
+\fIsudoers\fR
+file could not be opened for reading.
+This can happen when the
+\fIsudoers\fR
+file is located on a remote file system that maps user ID 0 to
+a different value.
+Normally,
+\fBsudoers\fR
+tries to open
+\fIsudoers\fR
+using group permissions to avoid this problem.
+Consider changing the ownership of
+\fI@sysconfdir@/sudoers\fR
+by adding an option like
+``sudoers_uid=N''
+(where
+`N'
+is the user ID that owns the
+\fIsudoers\fR
+file) to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+unable to stat @sysconfdir@/sudoers
+The
+\fI@sysconfdir@/sudoers\fR
+file is missing.
+.TP 3n
+@sysconfdir@/sudoers is not a regular file
+The
+\fI@sysconfdir@/sudoers\fR
+file exists but is not a regular file or symbolic link.
+.TP 3n
+@sysconfdir@/sudoers is owned by uid N, should be 0
+The
+\fIsudoers\fR
+file has the wrong owner.
+If you wish to change the
+\fIsudoers\fR
+file owner, please add
+``sudoers_uid=N''
+(where
+`N'
+is the user ID that owns the
+\fIsudoers\fR
+file) to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+@sysconfdir@/sudoers is world writable
+The permissions on the
+\fIsudoers\fR
+file allow all users to write to it.
+The
+\fIsudoers\fR
+file must not be world-writable, the default file mode
+is 0440 (readable by owner and group, writable by none).
+The default mode may be changed via the
+``sudoers_mode''
+option to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+@sysconfdir@/sudoers is owned by gid N, should be 1
+The
+\fIsudoers\fR
+file has the wrong group ownership.
+If you wish to change the
+\fIsudoers\fR
+file group ownership, please add
+``sudoers_gid=N''
+(where
+`N'
+is the group ID that owns the
+\fIsudoers\fR
+file) to the
+\fBsudoers\fR
+plugin line in the
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.TP 3n
+unable to open @timedir@/username/ttyname
+\fIsudoers\fR
+was unable to read or create the user's time stamp file.
+.TP 3n
+unable to write to @timedir@/username/ttyname
+\fIsudoers\fR
+was unable to write to the user's time stamp file.
+.TP 3n
+unable to mkdir to @timedir@/username
+\fIsudoers\fR
+was unable to create the user's time stamp directory.
+.SS "Notes on logging via syslog"
+By default,
+\fIsudoers\fR
+logs messages via
+syslog(3).
+The
+\fIdate\fR,
+\fIhostname\fR,
+and
+\fIprogname\fR
+fields are added by the syslog daemon, not
+\fIsudoers\fR
+itself.
+As such, they may vary in format on different systems.
+.PP
+On most systems,
+syslog(3)
+has a relatively small log buffer.
+To prevent the command line arguments from being truncated,
+\fBsudoers\fR
+will split up log messages that are larger than 960 characters
+(not including the date, hostname, and the string
+``sudo'').
+When a message is split, additional parts will include the string
+``(command continued)''
+after the user name and before the continued command line arguments.
+.SS "Notes on logging to a file"
+If the
+\fIlogfile\fR
+option is set,
+\fIsudoers\fR
+will log to a local file, such as
+\fI/var/log/sudo\fR.
+When logging to a file,
+\fIsudoers\fR
+uses a format similar to
+syslog(3),
+with a few important differences:
+.TP 5n
+1.
+The
+\fIprogname\fR
+and
+\fIhostname\fR
+fields are not present.
+.TP 5n
+2.
+If the
+\fIlog_year\fR
+option is enabled,
+the date will also include the year.
+.TP 5n
+3.
+Lines that are longer than
+\fIloglinelen\fR
+characters (80 by default) are word-wrapped and continued on the
+next line with a four character indent.
+This makes entries easier to read for a human being, but makes it
+more difficult to use
+grep(1)
+on the log files.
+If the
+\fIloglinelen\fR
+option is set to 0 (or negated with a
+`\&!'),
+word wrap will be disabled.
.SH "SUDO.CONF"
-.IX Header "SUDO.CONF"
-The \fI@sysconfdir@/sudo.conf\fR file determines which plugins the
-\&\fBsudo\fR front end will load. If no \fI@sysconfdir@/sudo.conf\fR file
-is present, or it contains no \f(CW\*(C`Plugin\*(C'\fR lines, \fBsudo\fR will use the
-\&\fIsudoers\fR security policy and I/O logging, which corresponds to
-the following \fI@sysconfdir@/sudo.conf\fR file.
-.PP
-.Vb 10
-\& #
-\& # Default @sysconfdir@/sudo.conf file
-\& #
-\& # Format:
-\& # Plugin plugin_name plugin_path plugin_options ...
-\& # Path askpass /path/to/askpass
-\& # Path noexec /path/to/sudo_noexec.so
-\& # Debug sudo /var/log/sudo_debug all@warn
-\& # Set disable_coredump true
-\& #
-\& # The plugin_path is relative to @prefix@/libexec unless
-\& # fully qualified.
-\& # The plugin_name corresponds to a global symbol in the plugin
-\& # that contains the plugin interface structure.
-\& # The plugin_options are optional.
-\& #
-\& Plugin policy_plugin sudoers.so
-\& Plugin io_plugin sudoers.so
-.Ve
-.SS "\s-1PLUGIN\s0 \s-1OPTIONS\s0"
-.IX Subsection "PLUGIN OPTIONS"
-Starting with \fBsudo\fR 1.8.5 it is possible to pass options to the
-\&\fIsudoers\fR plugin. Options may be listed after the path to the
-plugin (i.e. after \fIsudoers.so\fR); multiple options should be
-space-separated. For example:
-.PP
-.Vb 1
-\& Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-.Ve
+The
+\fI@sysconfdir@/sudo.conf\fR
+file determines which plugins the
+\fBsudo\fR
+front end will load.
+If no
+\fI@sysconfdir@/sudo.conf\fR
+file
+is present, or it contains no
+\fRPlugin\fR
+lines,
+\fBsudo\fR
+will use the
+\fIsudoers\fR
+security policy and I/O logging, which corresponds to the following
+\fI@sysconfdir@/sudo.conf\fR
+file.
+.nf
+.sp
+.RS 0n
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @prefix@/libexec unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.RE
+.fi
+.SS "Plugin options"
+Starting with
+\fBsudo\fR
+1.8.5, it is possible to pass options to the
+\fIsudoers\fR
+plugin.
+Options may be listed after the path to the plugin (i.e.\& after
+\fIsudoers.so\fR);
+multiple options should be space-separated.
+For example:
+.nf
+.sp
+.RS 0n
+Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+.RE
+.fi
.PP
The following plugin options are supported:
-.IP "sudoers_file=pathname" 10
-.IX Item "sudoers_file=pathname"
-The \fIsudoers_file\fR option can be used to override the default path
-to the \fIsudoers\fR file.
-.IP "sudoers_uid=uid" 10
-.IX Item "sudoers_uid=uid"
-The \fIsudoers_uid\fR option can be used to override the default owner
-of the sudoers file. It should be specified as a numeric user \s-1ID\s0.
-.IP "sudoers_gid=gid" 10
-.IX Item "sudoers_gid=gid"
-The \fIsudoers_gid\fR option can be used to override the default group
-of the sudoers file. It should be specified as a numeric group \s-1ID\s0.
-.IP "sudoers_mode=mode" 10
-.IX Item "sudoers_mode=mode"
-The \fIsudoers_mode\fR option can be used to override the default file
-mode for the sudoers file. It should be specified as an octal value.
-.SS "\s-1DEBUG\s0 \s-1FLAGS\s0"
-.IX Subsection "DEBUG FLAGS"
-Versions 1.8.4 and higher of the \fIsudoers\fR plugin supports a
-debugging framework that can help track down what the plugin is
-doing internally if there is a problem. This can be configured in
-the \fI@sysconfdir@/sudo.conf\fR file as described in \fIsudo\fR\|(@mansectsu@).
-.PP
-The \fIsudoers\fR plugin uses the same debug flag format as \fBsudo\fR
-itself: \fIsubsystem\fR@\fIpriority\fR.
-.PP
-The priorities used by \fIsudoers\fR, in order of decreasing severity,
-are: \fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
-and \fIdebug\fR. Each priority, when specified, also includes all
-priorities higher than it. For example, a priority of \fInotice\fR
-would include debug messages logged at \fInotice\fR and higher.
-.PP
-The following subsystems are used by \fIsudoers\fR:
-.IP "\fIalias\fR" 10
-.IX Item "alias"
-\&\f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR processing
-.IP "\fIall\fR" 10
-.IX Item "all"
+.TP 10n
+sudoers_file=pathname
+The
+\fIsudoers_file\fR
+option can be used to override the default path
+to the
+\fIsudoers\fR
+file.
+.TP 10n
+sudoers_uid=uid
+The
+\fIsudoers_uid\fR
+option can be used to override the default owner of the sudoers file.
+It should be specified as a numeric user ID.
+.TP 10n
+sudoers_gid=gid
+The
+\fIsudoers_gid\fR
+option can be used to override the default group of the sudoers file.
+It should be specified as a numeric group ID.
+.TP 10n
+sudoers_mode=mode
+The
+\fIsudoers_mode\fR
+option can be used to override the default file mode for the sudoers file.
+It should be specified as an octal value.
+.SS "Debug flags"
+Versions 1.8.4 and higher of the
+\fIsudoers\fR
+plugin supports a debugging framework that can help track down what the
+plugin is doing internally if there is a problem.
+This can be configured in the
+\fI@sysconfdir@/sudo.conf\fR
+file as described in
+sudo(@mansectsu@).
+.PP
+The
+\fIsudoers\fR
+plugin uses the same debug flag format as the
+\fBsudo\fR
+front-end:
+\fIsubsystem\fR@\fIpriority\fR.
+.PP
+The priorities used by
+\fIsudoers\fR,
+in order of decreasing severity,
+are:
+\fIcrit\fR,
+\fIerr\fR,
+\fIwarn\fR,
+\fInotice\fR,
+\fIdiag\fR,
+\fIinfo\fR,
+\fItrace\fR
+and
+\fIdebug\fR.
+Each priority, when specified, also includes all priorities higher than it.
+For example, a priority of
+\fInotice\fR
+would include debug messages logged at
+\fInotice\fR
+and higher.
+.PP
+The following subsystems are used by
+\fIsudoers\fR:
+.TP 10n
+\fIalias\fR
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+\fRHost_Alias\fR
+and
+\fRCmnd_Alias\fR
+processing
+.TP 10n
+\fIall\fR
matches every subsystem
-.IP "\fIaudit\fR" 10
-.IX Item "audit"
-\&\s-1BSM\s0 and Linux audit code
-.IP "\fIauth\fR" 10
-.IX Item "auth"
+.TP 10n
+\fIaudit\fR
+BSM and Linux audit code
+.TP 10n
+\fIauth\fR
user authentication
-.IP "\fIdefaults\fR" 10
-.IX Item "defaults"
-\&\fIsudoers\fR \fIDefaults\fR settings
-.IP "\fIenv\fR" 10
-.IX Item "env"
+.TP 10n
+\fIdefaults\fR
+\fIsudoers\fR
+\fIDefaults\fR
+settings
+.TP 10n
+\fIenv\fR
environment handling
-.IP "\fIldap\fR" 10
-.IX Item "ldap"
+.TP 10n
+\fIldap\fR
LDAP-based sudoers
-.IP "\fIlogging\fR" 10
-.IX Item "logging"
+.TP 10n
+\fIlogging\fR
logging support
-.IP "\fImatch\fR" 10
-.IX Item "match"
-matching of users, groups, hosts and netgroups in \fIsudoers\fR
-.IP "\fInetif\fR" 10
-.IX Item "netif"
+.TP 10n
+\fImatch\fR
+matching of users, groups, hosts and netgroups in
+\fIsudoers\fR
+.TP 10n
+\fInetif\fR
network interface handling
-.IP "\fInss\fR" 10
-.IX Item "nss"
-network service switch handling in \fIsudoers\fR
-.IP "\fIparser\fR" 10
-.IX Item "parser"
-\&\fIsudoers\fR file parsing
-.IP "\fIperms\fR" 10
-.IX Item "perms"
+.TP 10n
+\fInss\fR
+network service switch handling in
+\fIsudoers\fR
+.TP 10n
+\fIparser\fR
+\fIsudoers\fR
+file parsing
+.TP 10n
+\fIperms\fR
permission setting
-.IP "\fIplugin\fR" 10
-.IX Item "plugin"
-The equivalent of \fImain\fR for the plugin.
-.IP "\fIpty\fR" 10
-.IX Item "pty"
+.TP 10n
+\fIplugin\fR
+The equivalent of
+\fImain\fR
+for the plugin.
+.TP 10n
+\fIpty\fR
pseudo-tty related code
-.IP "\fIrbtree\fR" 10
-.IX Item "rbtree"
+.TP 10n
+\fIrbtree\fR
redblack tree internals
-.IP "\fIutil\fR" 10
-.IX Item "util"
+.TP 10n
+\fIutil\fR
utility functions
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudo.conf\fR" 24
-.el .IP "\fI@sysconfdir@/sudo.conf\fR" 24
-.IX Item "@sysconfdir@/sudo.conf"
+.TP 26n
+\fI@sysconfdir@/sudo.conf\fR
Sudo front end configuration
-.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers\fR" 24
-.IX Item "@sysconfdir@/sudoers"
+.TP 26n
+\fI@sysconfdir@/sudoers\fR
List of who can run what
-.IP "\fI/etc/group\fR" 24
-.IX Item "/etc/group"
+.TP 26n
+\fI/etc/group\fR
Local groups file
-.IP "\fI/etc/netgroup\fR" 24
-.IX Item "/etc/netgroup"
+.TP 26n
+\fI/etc/netgroup\fR
List of network groups
-.ie n .IP "\fI@iolog_dir@\fR" 24
-.el .IP "\fI@iolog_dir@\fR" 24
-.IX Item "@iolog_dir@"
+.TP 26n
+\fI@iolog_dir@\fR
I/O log files
-.ie n .IP "\fI@timedir@\fR" 24
-.el .IP "\fI@timedir@\fR" 24
-.IX Item "@timedir@"
-Directory containing time stamps for the \fIsudoers\fR security policy
-.IP "\fI/etc/environment\fR" 24
-.IX Item "/etc/environment"
-Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems
+.TP 26n
+\fI@timedir@\fR
+Directory containing time stamps for the
+\fIsudoers\fR
+security policy
+.TP 26n
+\fI/etc/environment\fR
+Initial environment for
+\fB\-i\fR
+mode on AIX and Linux systems
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Below are example \fIsudoers\fR entries. Admittedly, some of
-these are a bit contrived. First, we allow a few environment
-variables to pass and then define our \fIaliases\fR:
-.PP
-.Vb 4
-\& # Run X applications through sudo; HOME is used to find the
-\& # .Xauthority file. Note that other programs use HOME to find
-\& # configuration files and this may lead to privilege escalation!
-\& Defaults env_keep += "DISPLAY HOME"
-\&
-\& # User alias specification
-\& User_Alias FULLTIMERS = millert, mikef, dowdy
-\& User_Alias PARTTIMERS = bostley, jwfox, crawl
-\& User_Alias WEBMASTERS = will, wendy, wim
-\&
-\& # Runas alias specification
-\& Runas_Alias OP = root, operator
-\& Runas_Alias DB = oracle, sybase
-\& Runas_Alias ADMINGRP = adm, oper
-\&
-\& # Host alias specification
-\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
-\& SGI = grolsch, dandelion, black :\e
-\& ALPHA = widget, thalamus, foobar :\e
-\& HPPA = boa, nag, python
-\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
-\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
-\& Host_Alias SERVERS = master, mail, www, ns
-\& Host_Alias CDROM = orion, perseus, hercules
-\&
-\& # Cmnd alias specification
-\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-\& /usr/sbin/restore, /usr/sbin/rrestore
-\& Cmnd_Alias KILL = /usr/bin/kill
-\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
-\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
-\& Cmnd_Alias HALT = /usr/sbin/halt
-\& Cmnd_Alias REBOOT = /usr/sbin/reboot
-\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
-\& /usr/local/bin/tcsh, /usr/bin/rsh, \e
-\& /usr/local/bin/zsh
-\& Cmnd_Alias SU = /usr/bin/su
-\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-.Ve
-.PP
-Here we override some of the compiled in default values. We want
-\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
-cases. We don't want to subject the full time staff to the \fBsudo\fR
-lecture, user \fBmillert\fR need not give a password, and we don't
-want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
-variables when running commands as root. Additionally, on the
-machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years. Lastly, we
-disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
-(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
-.PP
-.Vb 7
-\& # Override built\-in defaults
-\& Defaults syslog=auth
-\& Defaults>root !set_logname
-\& Defaults:FULLTIMERS !lecture
-\& Defaults:millert !authenticate
-\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
-\& Defaults!PAGERS noexec
-.Ve
-.PP
-The \fIUser specification\fR is the part that actually determines who may
-run what.
-.PP
-.Vb 2
-\& root ALL = (ALL) ALL
-\& %wheel ALL = (ALL) ALL
-.Ve
-.PP
-We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
-host as any user.
-.PP
-.Vb 1
-\& FULLTIMERS ALL = NOPASSWD: ALL
-.Ve
-.PP
-Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
-command on any host without authenticating themselves.
-.PP
-.Vb 1
-\& PARTTIMERS ALL = ALL
-.Ve
-.PP
-Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
-command on any host but they must authenticate themselves first
-(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
-.PP
-.Vb 1
-\& jack CSNETS = ALL
-.Ve
-.PP
-The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
-(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
-Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
-\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
-networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
-during matching.
-.PP
-.Vb 1
-\& lisa CUNETS = ALL
-.Ve
-.PP
-The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
-(the class B network \f(CW128.138.0.0\fR).
-.PP
-.Vb 2
-\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
-\& sudoedit /etc/printcap, /usr/oper/bin/
-.Ve
-.PP
-The \fBoperator\fR user may run commands limited to simple maintenance.
-Here, those are commands related to backups, killing processes, the
-printing system, shutting down the system, and any commands in the
-directory \fI/usr/oper/bin/\fR.
-.PP
-.Vb 1
-\& joe ALL = /usr/bin/su operator
-.Ve
-.PP
-The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
+Below are example
+\fIsudoers\fR
+entries.
+Admittedly, some of these are a bit contrived.
+First, we allow a few environment variables to pass and then define our
+\fIaliases\fR:
+.nf
+.sp
+.RS 0n
+# Run X applications through sudo; HOME is used to find the
+# .Xauthority file. Note that other programs use HOME to find
+# configuration files and this may lead to privilege escalation!
+Defaults env_keep += "DISPLAY HOME"
+
+# User alias specification
+User_Alias FULLTIMERS = millert, mikef, dowdy
+User_Alias PARTTIMERS = bostley, jwfox, crawl
+User_Alias WEBMASTERS = will, wendy, wim
+
+# Runas alias specification
+Runas_Alias OP = root, operator
+Runas_Alias DB = oracle, sybase
+Runas_Alias ADMINGRP = adm, oper
+
+# Host alias specification
+Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
+ SGI = grolsch, dandelion, black :\e
+ ALPHA = widget, thalamus, foobar :\e
+ HPPA = boa, nag, python
+Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+Host_Alias SERVERS = master, mail, www, ns
+Host_Alias CDROM = orion, perseus, hercules
+
+# Cmnd alias specification
+Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
+ /usr/sbin/restore, /usr/sbin/rrestore
+Cmnd_Alias KILL = /usr/bin/kill
+Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+Cmnd_Alias HALT = /usr/sbin/halt
+Cmnd_Alias REBOOT = /usr/sbin/reboot
+Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
+ /usr/local/bin/tcsh, /usr/bin/rsh,\e
+ /usr/local/bin/zsh
+Cmnd_Alias SU = /usr/bin/su
+Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+.RE
+.fi
.PP
-.Vb 1
-\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
-\&
-\& %opers ALL = (: ADMINGRP) /usr/sbin/
-.Ve
+Here we override some of the compiled in default values.
+We want
+\fBsudo\fR
+to log via
+syslog(3)
+using the
+\fIauth\fR
+facility in all cases.
+We don't want to subject the full time staff to the
+\fBsudo\fR
+lecture, user
+\fBmillert\fR
+need not give a password, and we don't want to reset the
+\fRLOGNAME\fR,
+\fRUSER\fR
+or
+\fRUSERNAME\fR
+environment variables when running commands as root.
+Additionally, on the machines in the
+\fISERVERS\fR
+\fRHost_Alias\fR,
+we keep an additional local log file and make sure we log the year
+in each log line since the log entries will be kept around for several years.
+Lastly, we disable shell escapes for the commands in the PAGERS
+\fRCmnd_Alias\fR
+(\fI/usr/bin/more\fR,
+\fI/usr/bin/pg\fR
+and
+\fI/usr/bin/less\fR)
+\&.
+.nf
+.sp
+.RS 0n
+# Override built-in defaults
+Defaults syslog=auth
+Defaults>root !set_logname
+Defaults:FULLTIMERS !lecture
+Defaults:millert !authenticate
+Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+Defaults!PAGERS noexec
+.RE
+.fi
.PP
-Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
-with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
-groups).
+The
+\fIUser specification\fR
+is the part that actually determines who may run what.
+.nf
+.sp
+.RS 0n
+root ALL = (ALL) ALL
+%wheel ALL = (ALL) ALL
+.RE
+.fi
.PP
-The user \fBpete\fR is allowed to change anyone's password except for
-root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
-does not take multiple user names on the command line.
+We let
+\fBroot\fR
+and any user in group
+\fBwheel\fR
+run any command on any host as any user.
+.nf
+.sp
+.RS 0n
+FULLTIMERS ALL = NOPASSWD: ALL
+.RE
+.fi
.PP
-.Vb 1
-\& bob SPARC = (OP) ALL : SGI = (OP) ALL
-.Ve
+Full time sysadmins
+(\fBmillert\fR,
+\fBmikef\fR,
+and
+\fBdowdy\fR)
+may run any command on any host without authenticating themselves.
+.nf
+.sp
+.RS 0n
+PARTTIMERS ALL = ALL
+.RE
+.fi
.PP
-The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
-as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
+Part time sysadmins
+\fBbostley\fR,
+\fBjwfox\fR,
+and
+\fBcrawl\fR)
+may run any command on any host but they must authenticate themselves
+first (since the entry lacks the
+\fRNOPASSWD\fR
+tag).
+.nf
+.sp
+.RS 0n
+jack CSNETS = ALL
+.RE
+.fi
.PP
-.Vb 1
-\& jim +biglab = ALL
-.Ve
+The user
+\fBjack\fR
+may run any command on the machines in the
+\fICSNETS\fR
+alias (the networks
+\fR128.138.243.0\fR,
+\fR128.138.204.0\fR,
+and
+\fR128.138.242.0\fR).
+Of those networks, only
+\fR128.138.204.0\fR
+has an explicit netmask (in CIDR notation) indicating it is a class C network.
+For the other networks in
+\fICSNETS\fR,
+the local machine's netmask will be used during matching.
+.nf
+.sp
+.RS 0n
+lisa CUNETS = ALL
+.RE
+.fi
.PP
-The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
-\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
+The user
+\fBlisa\fR
+may run any command on any host in the
+\fICUNETS\fR
+alias (the class B network
+\fR128.138.0.0\fR).
+.nf
+.sp
+.RS 0n
+operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
+ sudoedit /etc/printcap, /usr/oper/bin/
+.RE
+.fi
.PP
-.Vb 1
-\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-.Ve
+The
+\fBoperator\fR
+user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory
+\fI/usr/oper/bin/\fR.
+.nf
+.sp
+.RS 0n
+joe ALL = /usr/bin/su operator
+.RE
+.fi
.PP
-Users in the \fBsecretaries\fR netgroup need to help manage the printers
-as well as add and remove users, so they are allowed to run those
-commands on all machines.
+The user
+\fBjoe\fR
+may only
+su(1)
+to operator.
+.nf
+.sp
+.RS 0n
+pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+%opers ALL = (: ADMINGRP) /usr/sbin/
+.RE
+.fi
.PP
-.Vb 1
-\& fred ALL = (DB) NOPASSWD: ALL
-.Ve
+Users in the
+\fBopers\fR
+group may run commands in
+\fI/usr/sbin/\fR
+as themselves
+with any group in the
+\fIADMINGRP\fR
+\fRRunas_Alias\fR
+(the
+\fBadm\fR
+and
+\fBoper\fR
+groups).
.PP
-The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
-(\fBoracle\fR or \fBsybase\fR) without giving a password.
+The user
+\fBpete\fR
+is allowed to change anyone's password except for
+root on the
+\fIHPPA\fR
+machines.
+Note that this assumes
+passwd(1)
+does not take multiple user names on the command line.
+.nf
+.sp
+.RS 0n
+bob SPARC = (OP) ALL : SGI = (OP) ALL
+.RE
+.fi
.PP
-.Vb 1
-\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
-.Ve
+The user
+\fBbob\fR
+may run anything on the
+\fISPARC\fR
+and
+\fISGI\fR
+machines as any user listed in the
+\fIOP\fR
+\fRRunas_Alias\fR
+(\fBroot\fR
+and
+\fBoperator\fR.)
+.nf
+.sp
+.RS 0n
+jim +biglab = ALL
+.RE
+.fi
.PP
-On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
-but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
+The user
+\fBjim\fR
+may run any command on machines in the
+\fIbiglab\fR
+netgroup.
+\fBsudo\fR
+knows that
+``biglab''
+is a netgroup due to the
+`+'
+prefix.
+.nf
+.sp
+.RS 0n
++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+.RE
+.fi
.PP
-.Vb 1
-\& jen ALL, !SERVERS = ALL
-.Ve
+Users in the
+\fBsecretaries\fR
+netgroup need to help manage the printers as well as add and remove users,
+so they are allowed to run those commands on all machines.
+.nf
+.sp
+.RS 0n
+fred ALL = (DB) NOPASSWD: ALL
+.RE
+.fi
.PP
-The user \fBjen\fR may run any command on any machine except for those
-in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
+The user
+\fBfred\fR
+can run commands as any user in the
+\fIDB\fR
+\fRRunas_Alias\fR
+(\fBoracle\fR
+or
+\fBsybase\fR)
+without giving a password.
+.nf
+.sp
+.RS 0n
+john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+.RE
+.fi
.PP
-.Vb 1
-\& jill SERVERS = /usr/bin/, !SU, !SHELLS
-.Ve
+On the
+\fIALPHA\fR
+machines, user
+\fBjohn\fR
+may su to anyone except root but he is not allowed to specify any options
+to the
+su(1)
+command.
+.nf
+.sp
+.RS 0n
+jen ALL, !SERVERS = ALL
+.RE
+.fi
.PP
-For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
-any commands in the directory \fI/usr/bin/\fR except for those commands
-belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
+The user
+\fBjen\fR
+may run any command on any machine except for those in the
+\fISERVERS\fR
+\fRHost_Alias\fR
+(master, mail, www and ns).
+.nf
+.sp
+.RS 0n
+jill SERVERS = /usr/bin/, !SU, !SHELLS
+.RE
+.fi
.PP
-.Vb 1
-\& steve CSNETS = (operator) /usr/local/op_commands/
-.Ve
+For any machine in the
+\fISERVERS\fR
+\fRHost_Alias\fR,
+\fBjill\fR
+may run
+any commands in the directory
+\fI/usr/bin/\fR
+except for those commands
+belonging to the
+\fISU\fR
+and
+\fISHELLS\fR
+\fRCmnd_Aliases\fR.
+.nf
+.sp
+.RS 0n
+steve CSNETS = (operator) /usr/local/op_commands/
+.RE
+.fi
.PP
-The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
+The user
+\fBsteve\fR
+may run any command in the directory /usr/local/op_commands/
but only as user operator.
+.nf
+.sp
+.RS 0n
+matt valkyrie = KILL
+.RE
+.fi
.PP
-.Vb 1
-\& matt valkyrie = KILL
-.Ve
-.PP
-On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
-kill hung processes.
-.PP
-.Vb 1
-\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-.Ve
-.PP
-On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
-wendy, and wim), may run any command as user www (which owns the
-web pages) or simply \fIsu\fR\|(1) to www.
+On his personal workstation, valkyrie,
+\fBmatt\fR
+needs to be able to kill hung processes.
+.nf
+.sp
+.RS 0n
+WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+.RE
+.fi
.PP
-.Vb 2
-\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
-\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
-.Ve
+On the host www, any user in the
+\fIWEBMASTERS\fR
+\fRUser_Alias\fR
+(will, wendy, and wim), may run any command as user www (which owns the
+web pages) or simply
+su(1)
+to www.
+.nf
+.sp
+.RS 0n
+ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+.RE
+.fi
.PP
-Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
-\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+\fRHost_Alias\fR
+(orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
.SH "SECURITY NOTES"
-.IX Header "SECURITY NOTES"
-.SS "Limitations of the '!' operator"
-.IX Subsection "Limitations of the '!' operator"
-It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
-using the '!' operator. A user can trivially circumvent this
-by copying the desired command to a different name and then
-executing that. For example:
-.PP
-.Vb 1
-\& bill ALL = ALL, !SU, !SHELLS
-.Ve
-.PP
-Doesn't really prevent \fBbill\fR from running the commands listed in
-\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
-different name, or use a shell escape from an editor or other
-program. Therefore, these kind of restrictions should be considered
+.SS "Limitations of the `!\&' operator"
+It is generally not effective to
+``subtract''
+commands from
+\fBALL\fR
+using the
+`!\&'
+operator.
+A user can trivially circumvent this by copying the desired command
+to a different name and then executing that.
+For example:
+.nf
+.sp
+.RS 0n
+bill ALL = ALL, !SU, !SHELLS
+.RE
+.fi
+.PP
+Doesn't really prevent
+\fBbill\fR
+from running the commands listed in
+\fISU\fR
+or
+\fISHELLS\fR
+since he can simply copy those commands to a different name, or use
+a shell escape from an editor or other program.
+Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
.PP
-In general, if a user has sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent
-them from creating their own program that gives them a root shell
-(or making their own copy of a shell) regardless of any '!' elements
-in the user specification.
-.SS "Security implications of \fIfast_glob\fP"
-.IX Subsection "Security implications of fast_glob"
-If the \fIfast_glob\fR option is in use, it is not possible
-to reliably negate commands where the path name includes globbing
-(aka wildcard) characters. This is because the C library's
-\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
-is typically only an inconvenience for rules that grant privileges,
-it can result in a security issue for rules that subtract or revoke
-privileges.
+In general, if a user has sudo
+\fBALL\fR
+there is nothing to prevent them from creating their own program that gives
+them a root shell (or making their own copy of a shell) regardless of any
+`!\&'
+elements in the user specification.
+.SS "Security implications of \fIfast_glob\fR"
+If the
+\fIfast_glob\fR
+option is in use, it is not possible to reliably negate commands where the
+path name includes globbing (aka wildcard) characters.
+This is because the C library's
+fnmatch(3)
+function cannot resolve relative paths.
+While this is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke privileges.
+.PP
+For example, given the following
+\fIsudoers\fR
+entry:
+.nf
+.sp
+.RS 0n
+john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+.RE
+.fi
.PP
-For example, given the following \fIsudoers\fR entry:
-.PP
-.Vb 2
-\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
-\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
-.Ve
-.PP
-User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
-enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
-.SS "Preventing Shell Escapes"
-.IX Subsection "Preventing Shell Escapes"
-Once \fBsudo\fR executes a program, that program is free to do whatever
-it pleases, including run other programs. This can be a security
-issue since it is not uncommon for a program to allow shell escapes,
-which lets a user bypass \fBsudo\fR's access control and logging.
+User
+\fBjohn\fR
+can still run
+\fR/usr/bin/passwd root\fR
+if
+\fIfast_glob\fR
+is enabled by changing to
+\fI/usr/bin\fR
+and running
+\fR./passwd root\fR
+instead.
+.SS "Preventing shell escapes"
+Once
+\fBsudo\fR
+executes a program, that program is free to do whatever
+it pleases, including run other programs.
+This can be a security issue since it is not uncommon for a program to
+allow shell escapes, which lets a user bypass
+\fBsudo\fR's
+access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
.PP
There are two basic approaches to this problem:
-.IP "restrict" 10
-.IX Item "restrict"
+.TP 10n
+restrict
Avoid giving users access to commands that allow the user to run
-arbitrary commands. Many editors have a restricted mode where shell
-escapes are disabled, though \fBsudoedit\fR is a better solution to
-running editors via \fBsudo\fR. Due to the large number of programs that
+arbitrary commands.
+Many editors have a restricted mode where shell
+escapes are disabled, though
+\fBsudoedit\fR
+is a better solution to
+running editors via
+\fBsudo\fR.
+Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
-.IP "noexec" 10
-.IX Item "noexec"
+.TP 10n
+noexec
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
-variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
-On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
-prevent a program run by \fBsudo\fR from executing any other programs.
+variable (usually
+\fRLD_PRELOAD\fR)
+to an alternate shared library.
+On such systems,
+\fBsudo\fR's
+\fInoexec\fR
+functionality can be used to prevent a program run by
+\fBsudo\fR
+from executing any other programs.
Note, however, that this applies only to native dynamically-linked
-executables. Statically-linked executables and foreign executables
+executables.
+Statically-linked executables and foreign executables
running under binary emulation are not affected.
-.Sp
-The \fInoexec\fR feature is known to work on SunOS, Solaris, *BSD,
-Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, HP-UX 11.x and \s-1AIX\s0 5.3 and above.
+.sp
+The
+\fInoexec\fR
+feature is known to work on SunOS, Solaris, *BSD,
+Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
It should be supported on most operating systems that support the
-\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
-manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
-dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
-.Sp
-On Solaris 10 and higher, \fInoexec\fR uses Solaris privileges instead
-of the \f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.
-.Sp
-To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
-in the User Specification section above. Here is that example again:
-.Sp
-.Vb 1
-\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-.Ve
-.Sp
-This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
-with \fInoexec\fR enabled. This will prevent those two commands from
-executing other commands (such as a shell). If you are unsure
-whether or not your system is capable of supporting \fInoexec\fR you
-can always just try it out and check whether shell escapes work
-when \fInoexec\fR is enabled.
-.PP
-Note that restricting shell escapes is not a panacea. Programs
-running as root are still capable of many potentially hazardous
+\fRLD_PRELOAD\fR
+environment variable.
+Check your operating system's manual pages for the dynamic linker
+(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
+\fRLD_PRELOAD\fR
+is supported.
+.sp
+On Solaris 10 and higher,
+\fInoexec\fR
+uses Solaris privileges instead of the
+\fRLD_PRELOAD\fR
+environment variable.
+.sp
+To enable
+\fInoexec\fR
+for a command, use the
+\fRNOEXEC\fR
+tag as documented
+in the User Specification section above.
+Here is that example again:
+.RS
+.nf
+.sp
+.RS 0n
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.RE
+.fi
+.sp
+This allows user
+\fBaaron\fR
+to run
+\fI/usr/bin/more\fR
+and
+\fI/usr/bin/vi\fR
+with
+\fInoexec\fR
+enabled.
+This will prevent those two commands from
+executing other commands (such as a shell).
+If you are unsure whether or not your system is capable of supporting
+\fInoexec\fR
+you can always just try it out and check whether shell escapes work when
+\fInoexec\fR
+is enabled.
+.RE
+.PP
+Note that restricting shell escapes is not a panacea.
+Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
-to unintended privilege escalation. In the specific case of an
-editor, a safer approach is to give the user permission to run
-\&\fBsudoedit\fR.
+to unintended privilege escalation.
+In the specific case of an editor, a safer approach is to give the
+user permission to run
+\fBsudoedit\fR.
.SS "Time stamp file checks"
-.IX Subsection "Time stamp file checks"
-\&\fIsudoers\fR will check the ownership of its time stamp directory
-(\fI@timedir@\fR by default) and ignore the directory's contents if
-it is not owned by root or if it is writable by a user other than
-root. On systems that allow non-root users to give away files via
-\&\fIchown\fR\|(2), if the time stamp directory is located in a world-writable
-directory (e.g., \fI/tmp\fR), it is possible for a user to create the
-time stamp directory before \fBsudo\fR is run. However, because
-\&\fIsudoers\fR checks the ownership and mode of the directory and its
-contents, the only damage that can be done is to \*(L"hide\*(R" files by
-putting them in the time stamp dir. This is unlikely to happen
-since once the time stamp dir is owned by root and inaccessible by
-any other user, the user placing files there would be unable to get
-them back out.
-.PP
-\&\fIsudoers\fR will not honor time stamps set far in the future. Time
-stamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR will
-be ignored and sudo will log and complain. This is done to keep a
-user from creating his/her own time stamp with a bogus date on
-systems that allow users to give away files if the time stamp directory
-is located in a world-writable directory.
-.PP
-On systems where the boot time is available, \fIsudoers\fR will ignore
-time stamps that date from before the machine booted.
+\fIsudoers\fR
+will check the ownership of its time stamp directory
+(\fI@timedir@\fR
+by default)
+and ignore the directory's contents if it is not owned by root or
+if it is writable by a user other than root.
+On systems that allow non-root users to give away files via
+chown(2),
+if the time stamp directory is located in a world-writable
+directory (e.g.\&,
+\fI/tmp\fR),
+it is possible for a user to create the time stamp directory before
+\fBsudo\fR
+is run.
+However, because
+\fIsudoers\fR
+checks the ownership and mode of the directory and its
+contents, the only damage that can be done is to
+``hide''
+files by putting them in the time stamp dir.
+This is unlikely to happen since once the time stamp dir is owned by root
+and inaccessible by any other user, the user placing files there would be
+unable to get them back out.
+.PP
+\fIsudoers\fR
+will not honor time stamps set far in the future.
+Time stamps with a date greater than current_time + 2 *
+\fRTIMEOUT\fR
+will be ignored and sudo will log and complain.
+This is done to keep a user from creating his/her own time stamp with a
+bogus date on systems that allow users to give away files if the time
+stamp directory is located in a world-writable directory.
+.PP
+On systems where the boot time is available,
+\fIsudoers\fR
+will ignore time stamps that date from before the machine booted.
.PP
Since time stamp files live in the file system, they can outlive a
-user's login session. As a result, a user may be able to login,
-run a command with \fBsudo\fR after authenticating, logout, login
-again, and run \fBsudo\fR without authenticating so long as the time
-stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
-whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
+user's login session.
+As a result, a user may be able to login, run a command with
+\fBsudo\fR
+after authenticating, logout, login again, and run
+\fBsudo\fR
+without authenticating so long as the time stamp file's modification
+time is within
+\fR@timeout@\fR
+minutes (or whatever the timeout is set to in
+\fIsudoers\fR).
+When the
+\fItty_tickets\fR
option is enabled, the time stamp has per-tty granularity but still
-may outlive the user's session. On Linux systems where the devpts
-filesystem is used, Solaris systems with the devices filesystem,
-as well as other systems that utilize a devfs filesystem that
-monotonically increase the inode number of devices as they are
-created (such as Mac \s-1OS\s0 X), \fIsudoers\fR is able to determine when a
-tty-based time stamp file is stale and will ignore it. Administrators
-should not rely on this feature as it is not universally available.
+may outlive the user's session.
+On Linux systems where the devpts filesystem is used, Solaris systems
+with the devices filesystem, as well as other systems that utilize a
+devfs filesystem that monotonically increase the inode number of devices
+as they are created (such as Mac OS X),
+\fIsudoers\fR
+is able to determine when a tty-based time stamp file is stale and will
+ignore it.
+Administrators should not rely on this feature as it is not universally
+available.
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fImktemp\fR\|(3), \fIstrftime\fR\|(3),
-\&\fIsudoers.ldap\fR\|(@mansectform@), \fIsudo_plugin\fR\|(@mansectsu@), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
+ssh(1),
+su(1),
+fnmatch(3),
+glob(3),
+mktemp(3),
+strftime(3),
+sudoers.ldap(@mansectform@),
+sudo_plugin(@mansectsu@),
+sudo(@mansectsu@),
+visudo(@mansectsu@)
.SH "CAVEATS"
-.IX Header "CAVEATS"
-The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
-command which locks the file and does grammatical checking. It is
-imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
-will not run with a syntactically incorrect \fIsudoers\fR file.
+The
+\fIsudoers\fR
+file should
+\fBalways\fR
+be edited by the
+\fBvisudo\fR
+command which locks the file and does grammatical checking.
+It is
+imperative that
+\fIsudoers\fR
+be free of syntax errors since
+\fBsudo\fR
+will not run with a syntactically incorrect
+\fIsudoers\fR
+file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified host name in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
-as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
-\&\fIsudoers\fR.
+as returned by the
+\fRhostname\fR
+command or use the
+\fIfqdn\fR
+option in
+\fIsudoers\fR.
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-#!/usr/bin/perl -p
-
-BEGIN {
- $cond = -1;
-}
-
-# Initialize the numeric register we use for conditionals
-if ($cond == -1) {
- $_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_";
- $cond = 0;
-}
-
-# Make SELinux_Spec conditional
-if (/(.*)SELinux_Spec\? (.*)$/) {
- $_ = ".ie \\n(SL $_.el $1$2\n";
-} elsif (/^(.*SELinux_Spec ::=)/) {
- $_ = ".if \\n(SL \\{\\\n$_";
-} elsif (/^(.*Tag_Spec ::=)/) {
- $_ = "\\}\n$_";
-}
-
-if (/^\.S[Sh] "SELinux_Spec"/) {
- $_ = ".if \\n(SL \\{\\\n$_";
- $cond = 1;
-} elsif (/^\.IP "(role|type)"/) {
- $_ = ".if \\n(SL \\{\\\n$_";
- $cond = 1;
-} elsif (/^\.IP "use_loginclass"/) {
- $_ = ".if \\n(LC \\{\\\n$_";
- $cond = 1;
-} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
- $_ = "\\}\n$_";
- $cond = 0;
-}
-
-# Fix up broken pod2man formatting of F<@foo@/bar>
-s/\\fI\\f(\(C)?I\@([^\@]*)\\fI\@/\\fI\@$2\@/g;
-s/\\f\(\CW\@([^\@]*)\\fR\@/\@$1\@/g;
-#\f(CW@secure_path\fR@
--- /dev/null
+.\"
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\"
+.Dd July 16, 2012
+.Dt SUDOERS @mansectform@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudoers
+.Nd default sudo security policy module
+.Sh DESCRIPTION
+The
+.Em sudoers
+policy module determines a user's
+.Nm sudo
+privileges.
+It is the default
+.Nm sudo
+policy plugin.
+The policy is driven by
+the
+.Pa @sysconfdir@/sudoers
+file or, optionally in LDAP.
+The policy format is described in detail in the
+.Sx SUDOERS FILE FORMAT
+section.
+For information on storing
+.Em sudoers
+policy information
+in LDAP, please see
+.Xr sudoers.ldap @mansectform@ .
+.Ss Authentication and logging
+The
+.Em sudoers
+security policy requires that most users authenticate
+themselves before they can use
+.Nm sudo .
+A password is not required
+if the invoking user is root, if the target user is the same as the
+invoking user, or if the policy has disabled authentication for the
+user or command.
+Unlike
+.Xr su 1 ,
+when
+.Em sudoers
+requires
+authentication, it validates the invoking user's credentials, not
+the target user's (or root's) credentials.
+This can be changed via
+the
+.Em rootpw ,
+.Em targetpw
+and
+.Em runaspw
+flags, described later.
+.Pp
+If a user who is not listed in the policy tries to run a command
+via
+.Nm sudo ,
+mail is sent to the proper authorities.
+The address
+used for such mail is configurable via the
+.Em mailto
+Defaults entry
+(described later) and defaults to
+.Li @mailto@ .
+.Pp
+Note that mail will not be sent if an unauthorized user tries to
+run
+.Nm sudo
+with the
+.Fl l
+or
+.Fl v
+option.
+This allows users to
+determine for themselves whether or not they are allowed to use
+.Nm sudo .
+.Pp
+If
+.Nm sudo
+is run by root and the
+.Ev SUDO_USER
+environment variable
+is set, the
+.Em sudoers
+policy will use this value to determine who
+the actual user is.
+This can be used by a user to log commands
+through sudo even when a root shell has been invoked.
+It also
+allows the
+.Fl e
+option to remain useful even when invoked via a
+sudo-run script or program.
+Note, however, that the
+.Em sudoers
+lookup is still done for root, not the user specified by
+.Ev SUDO_USER .
+.Pp
+.Em sudoers
+uses time stamp files for credential caching.
+Once a
+user has been authenticated, the time stamp is updated and the user
+may then use sudo without a password for a short period of time
+.Po
+.Li @timeout@
+minutes unless overridden by the
+.Em timeout
+option
+.Pc .
+By default,
+.Em sudoers
+uses a tty-based time stamp which means that
+there is a separate time stamp for each of a user's login sessions.
+The
+.Em tty_tickets
+option can be disabled to force the use of a
+single time stamp for all of a user's sessions.
+.Pp
+.Em sudoers
+can log both successful and unsuccessful attempts (as well
+as errors) to
+.Xr syslog 3 ,
+a log file, or both.
+By default,
+.Em sudoers
+will log via
+.Xr syslog 3
+but this is changeable via the
+.Em syslog
+and
+.Em logfile
+Defaults settings.
+.Pp
+.Em sudoers
+also supports logging a command's input and output
+streams.
+I/O logging is not on by default but can be enabled using
+the
+.Em log_input
+and
+.Em log_output
+Defaults flags as well as the
+.Li LOG_INPUT
+and
+.Li LOG_OUTPUT
+command tags.
+.Ss Command environment
+Since environment variables can influence program behavior,
+.Em sudoers
+provides a means to restrict which variables from the user's
+environment are inherited by the command to be run.
+There are two
+distinct ways
+.Em sudoers
+can deal with environment variables.
+.Pp
+By default, the
+.Em env_reset
+option is enabled.
+This causes commands
+to be executed with a new, minimal environment.
+On AIX (and Linux
+systems without PAM), the environment is initialized with the
+contents of the
+.Pa /etc/environment
+file.
+On BSD systems, if the
+.Em use_loginclass
+option is enabled, the environment is initialized
+based on the
+.Em path
+and
+.Em setenv
+settings in
+.Pa /etc/login.conf .
+The new environment contains the
+.Ev TERM ,
+.Ev PATH ,
+.Ev HOME ,
+.Ev MAIL ,
+.Ev SHELL ,
+.Ev LOGNAME ,
+.Ev USER ,
+.Ev USERNAME
+and
+.Ev SUDO_*
+variables
+in addition to variables from the invoking process permitted by the
+.Em env_check
+and
+.Em env_keep
+options.
+This is effectively a whitelist
+for environment variables.
+.Pp
+If, however, the
+.Em env_reset
+option is disabled, any variables not
+explicitly denied by the
+.Em env_check
+and
+.Em env_delete
+options are
+inherited from the invoking process.
+In this case,
+.Em env_check
+and
+.Em env_delete
+behave like a blacklist.
+Since it is not possible
+to blacklist all potentially dangerous environment variables, use
+of the default
+.Em env_reset
+behavior is encouraged.
+.Pp
+In all cases, environment variables with a value beginning with
+.Li ()
+are removed as they could be interpreted as
+.Sy bash
+functions.
+The list of environment variables that
+.Nm sudo
+allows or denies is
+contained in the output of
+.Dq Li sudo -V
+when run as root.
+.Pp
+Note that the dynamic linker on most operating systems will remove
+variables that can control dynamic linking from the environment of
+setuid executables, including
+.Nm sudo .
+Depending on the operating
+system this may include
+.Ev _RLD* ,
+.Ev DYLD_* ,
+.Ev LD_* ,
+.Ev LDR_* ,
+.Ev LIBPATH ,
+.Ev SHLIB_PATH ,
+and others.
+These type of variables are
+removed from the environment before
+.Nm sudo
+even begins execution
+and, as such, it is not possible for
+.Nm sudo
+to preserve them.
+.Pp
+As a special case, if
+.Nm sudo Ns No 's
+.Fl i
+option (initial login) is
+specified,
+.Em sudoers
+will initialize the environment regardless
+of the value of
+.Em env_reset .
+The
+.Ev DISPLAY ,
+.Ev PATH
+and
+.Ev TERM
+variables remain unchanged;
+.Ev HOME ,
+.Ev MAIL ,
+.Ev SHELL ,
+.Ev USER ,
+and
+.Ev LOGNAME
+are set based on the target user.
+On AIX (and Linux
+systems without PAM), the contents of
+.Pa /etc/environment
+are also
+included.
+On BSD systems, if the
+.Em use_loginclass
+option is
+enabled, the
+.Em path
+and
+.Em setenv
+variables in
+.Pa /etc/login.conf
+are also applied.
+All other environment variables are removed.
+.Pp
+Finally, if the
+.Em env_file
+option is defined, any variables present
+in that file will be set to their specified values as long as they
+would not conflict with an existing environment variable.
+.Sh SUDOERS FILE FORMAT
+The
+.Em sudoers
+file is composed of two types of entries: aliases
+(basically variables) and user specifications (which specify who
+may run what).
+.Pp
+When multiple entries match for a user, they are applied in order.
+Where there are multiple matches, the last match is used (which is
+not necessarily the most specific match).
+.Pp
+The
+.Em sudoers
+grammar will be described below in Extended Backus-Naur
+Form (EBNF).
+Don't despair if you are unfamiliar with EBNF; it is fairly simple,
+and the definitions below are annotated.
+.Ss Quick guide to EBNF
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of
+.Em production rules .
+E.g.,
+.Pp
+.Li symbol ::= definition | alternate1 | alternate2 ...
+.Pp
+Each
+.Em production rule
+references others and thus makes up a
+grammar for the language.
+EBNF also contains the following
+operators, which many readers will recognize from regular
+expressions.
+Do not, however, confuse them with
+.Dq wildcard
+characters, which have different meanings.
+.Bl -tag -width 4n
+.It Li \&?
+Means that the preceding symbol (or group of symbols) is optional.
+That is, it may appear once or not at all.
+.It Li *
+Means that the preceding symbol (or group of symbols) may appear
+zero or more times.
+.It Li +
+Means that the preceding symbol (or group of symbols) may appear
+one or more times.
+.El
+.Pp
+Parentheses may be used to group symbols together.
+For clarity,
+we will use single quotes
+.Pq ''
+to designate what is a verbatim character string (as opposed to a symbol name).
+.Ss Aliases
+There are four kinds of aliases:
+.Li User_Alias ,
+.Li Runas_Alias ,
+.Li Host_Alias
+and
+.Li Cmnd_Alias .
+.Bd -literal
+Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+User_Alias ::= NAME '=' User_List
+
+Runas_Alias ::= NAME '=' Runas_List
+
+Host_Alias ::= NAME '=' Host_List
+
+Cmnd_Alias ::= NAME '=' Cmnd_List
+
+NAME ::= [A-Z]([A-Z][0-9]_)*
+.Ed
+.Pp
+Each
+.Em alias
+definition is of the form
+.Bd -literal
+Alias_Type NAME = item1, item2, ...
+.Ed
+.Pp
+where
+.Em Alias_Type
+is one of
+.Li User_Alias ,
+.Li Runas_Alias ,
+.Li Host_Alias ,
+or
+.Li Cmnd_Alias .
+A
+.Li NAME
+is a string of uppercase letters, numbers,
+and underscore characters
+.Pq Ql _ .
+A
+.Li NAME
+.Sy must
+start with an
+uppercase letter.
+It is possible to put several alias definitions
+of the same type on a single line, joined by a colon
+.Pq Ql :\& .
+E.g.,
+.Bd -literal
+Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+.Ed
+.Pp
+The definitions of what constitutes a valid
+.Em alias
+member follow.
+.Bd -literal
+User_List ::= User |
+ User ',' User_List
+
+User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+.Ed
+.Pp
+A
+.Li User_List
+is made up of one or more user names, user ids
+(prefixed with
+.Ql # ) ,
+system group names and ids (prefixed with
+.Ql %
+and
+.Ql %#
+respectively), netgroups (prefixed with
+.Ql + ) ,
+non-Unix group names and IDs (prefixed with
+.Ql %:
+and
+.Ql %:#
+respectively) and
+.Li User_Alias Ns No es.
+Each list item may be prefixed with zero or more
+.Ql \&!
+operators.
+An odd number of
+.Ql \&!
+operators negate the value of
+the item; an even number just cancel each other out.
+.Pp
+A
+.Li user name ,
+.Li uid ,
+.Li group ,
+.Li gid ,
+.Li netgroup ,
+.Li nonunix_group
+or
+.Li nonunix_gid
+may be enclosed in double quotes to avoid the
+need for escaping special characters.
+Alternately, special characters
+may be specified in escaped hex mode, e.g.\& \ex20 for space.
+When
+using double quotes, any prefix characters must be included inside
+the quotes.
+.Pp
+The actual
+.Li nonunix_group
+and
+.Li nonunix_gid
+syntax depends on
+the underlying group provider plugin (see the
+.Em group_plugin
+description below).
+For instance, the QAS AD plugin supports the following formats:
+.Bl -bullet -width 4n
+.It
+Group in the same domain: "%:Group Name"
+.It
+Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
+.It
+Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+.El
+.Pp
+Note that quotes around group names are optional.
+Unquoted strings must use a backslash
+.Pq Ql \e
+to escape spaces and special characters.
+See
+.Sx Other special characters and reserved words
+for a list of
+characters that need to be escaped.
+.Bd -literal
+Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+.Ed
+.Pp
+A
+.Li Runas_List
+is similar to a
+.Li User_List
+except that instead
+of
+.Li User_Alias Ns No es
+it can contain
+.Li Runas_Alias Ns No es .
+Note that
+user names and groups are matched as strings.
+In other words, two
+users (groups) with the same uid (gid) are considered to be distinct.
+If you wish to match all user names with the same uid (e.g.\&
+root and toor), you can use a uid instead (#0 in the example given).
+.Bd -literal
+Host_List ::= Host |
+ Host ',' Host_List
+
+Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+.Ed
+.Pp
+A
+.Li Host_List
+is made up of one or more host names, IP addresses,
+network numbers, netgroups (prefixed with
+.Ql + )
+and other aliases.
+Again, the value of an item may be negated with the
+.Ql \&!
+operator.
+If you do not specify a netmask along with the network number,
+.Nm sudo
+will query each of the local host's network interfaces and,
+if the network number corresponds to one of the hosts's network
+interfaces, the corresponding netmask will be used.
+The netmask
+may be specified either in standard IP address notation
+(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
+or CIDR notation (number of bits, e.g.\& 24 or 64).
+A host name may include shell-style wildcards (see the
+.Sx Wildcards
+section below),
+but unless the
+.Li host name
+command on your machine returns the fully
+qualified host name, you'll need to use the
+.Em fqdn
+option for wildcards to be useful.
+Note that
+.Nm sudo
+only inspects actual network interfaces; this means that IP address
+127.0.0.1 (localhost) will never match.
+Also, the host name
+.Dq localhost
+will only match if that is the actual host name, which is usually
+only the case for non-networked systems.
+.Bd -literal
+Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+command name ::= file name |
+ file name args |
+ file name '""'
+
+Cmnd ::= '!'* command name |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+.Ed
+.Pp
+A
+.Li Cmnd_List
+is a list of one or more command names, directories, and other aliases.
+A command name is a fully qualified file name which may include
+shell-style wildcards (see the
+.Sx Wildcards
+section below).
+A simple file name allows the user to run the command with any
+arguments he/she wishes.
+However, you may also specify command line arguments (including
+wildcards).
+Alternately, you can specify
+.Li \&""
+to indicate that the command
+may only be run
+.Sy without
+command line arguments.
+A directory is a
+fully qualified path name ending in a
+.Ql / .
+When you specify a directory in a
+.Li Cmnd_List ,
+the user will be able to run any file within that directory
+(but not in any sub-directories therein).
+.Pp
+If a
+.Li Cmnd
+has associated command line arguments, then the arguments
+in the
+.Li Cmnd
+must match exactly those given by the user on the command line
+(or match the wildcards if there are any).
+Note that the following characters must be escaped with a
+.Ql \e
+if they are used in command arguments:
+.Ql ,\& ,
+.Ql :\& ,
+.Ql =\& ,
+.Ql \e .
+The special command
+.Dq Li sudoedit
+is used to permit a user to run
+.Nm sudo
+with the
+.Fl e
+option (or as
+.Nm sudoedit ) .
+It may take command line arguments just as a normal command does.
+.Ss Defaults
+Certain configuration options may be changed from their default
+values at run-time via one or more
+.Li Default_Entry
+lines.
+These may affect all users on any host, all users on a specific host, a
+specific user, a specific command, or commands being run as a specific user.
+Note that per-command entries may not include command line arguments.
+If you need to specify arguments, define a
+.Li Cmnd_Alias
+and reference
+that instead.
+.Bd -literal
+Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+Default_Entry ::= Default_Type Parameter_List
+
+Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+.Ed
+.Pp
+Parameters may be
+.Sy flags ,
+.Sy integer
+values,
+.Sy strings ,
+or
+.Sy lists .
+Flags are implicitly boolean and can be turned off via the
+.Ql \&!
+operator.
+Some integer, string and list parameters may also be
+used in a boolean context to disable them.
+Values may be enclosed
+in double quotes
+.Pq \&""
+when they contain multiple words.
+Special characters may be escaped with a backslash
+.Pq Ql \e .
+.Pp
+Lists have two additional assignment operators,
+.Li +=
+and
+.Li -= .
+These operators are used to add to and delete from a list respectively.
+It is not an error to use the
+.Li -=
+operator to remove an element
+that does not exist in a list.
+.Pp
+Defaults entries are parsed in the following order: generic, host
+and user Defaults first, then runas Defaults and finally command
+defaults.
+.Pp
+See
+.Sx SUDOERS OPTIONS
+for a list of supported Defaults parameters.
+.Ss User specification
+.Bd -literal
+User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
+
+Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
+Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+.Ed
+.Pp
+A
+.Sy user specification
+determines which commands a user may run
+(and as what user) on specified hosts.
+By default, commands are
+run as
+.Sy root ,
+but this can be changed on a per-command basis.
+.Pp
+The basic structure of a user specification is
+.Dq who where = (as_whom) what .
+Let's break that down into its constituent parts:
+.Ss Runas_Spec
+A
+.Li Runas_Spec
+determines the user and/or the group that a command
+may be run as.
+A fully-specified
+.Li Runas_Spec
+consists of two
+.Li Runas_List Ns No s
+(as defined above) separated by a colon
+.Pq Ql :\&
+and enclosed in a set of parentheses.
+The first
+.Li Runas_List
+indicates
+which users the command may be run as via
+.Nm sudo Ns No 's
+.Fl u
+option.
+The second defines a list of groups that can be specified via
+.Nm sudo Ns No 's
+.Fl g
+option.
+If both
+.Li Runas_List Ns No s
+are specified, the command may be run with any combination of users
+and groups listed in their respective
+.Li Runas_List Ns No s.
+If only the first is specified, the command may be run as any user
+in the list but no
+.Fl g
+option
+may be specified.
+If the first
+.Li Runas_List
+is empty but the
+second is specified, the command may be run as the invoking user
+with the group set to any listed in the
+.Li Runas_List .
+If both
+.Li Runas_List Ns No s
+are empty, the command may only be run as the invoking user.
+If no
+.Li Runas_Spec
+is specified the command may be run as
+.Sy root
+and
+no group may be specified.
+.Pp
+A
+.Li Runas_Spec
+sets the default for the commands that follow it.
+What this means is that for the entry:
+.Bd -literal
+dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+.Ed
+.Pp
+The user
+.Sy dgb
+may run
+.Pa /bin/ls ,
+.Pa /bin/kill ,
+and
+.Pa /usr/bin/lprm Ns No \(em Ns but
+only as
+.Sy operator .
+E.g.,
+.Bd -literal
+$ sudo -u operator /bin/ls
+.Ed
+.Pp
+It is also possible to override a
+.Li Runas_Spec
+later on in an entry.
+If we modify the entry like so:
+.Bd -literal
+dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+.Ed
+.Pp
+Then user
+.Sy dgb
+is now allowed to run
+.Pa /bin/ls
+as
+.Sy operator ,
+but
+.Pa /bin/kill
+and
+.Pa /usr/bin/lprm
+as
+.Sy root .
+.Pp
+We can extend this to allow
+.Sy dgb
+to run
+.Li /bin/ls
+with either
+the user or group set to
+.Sy operator :
+.Bd -literal
+dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
+ /usr/bin/lprm
+.Ed
+.Pp
+Note that while the group portion of the
+.Li Runas_Spec
+permits the
+user to run as command with that group, it does not force the user
+to do so.
+If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry.
+The following would all be permitted by the sudoers entry above:
+.Bd -literal
+$ sudo -u operator /bin/ls
+$ sudo -u operator -g operator /bin/ls
+$ sudo -g operator /bin/ls
+.Ed
+.Pp
+In the following example, user
+.Sy tcm
+may run commands that access
+a modem device file with the dialer group.
+.Bd -literal
+tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
+ /usr/local/bin/minicom
+.Ed
+.Pp
+Note that in this example only the group will be set, the command
+still runs as user
+.Sy tcm .
+E.g.\&
+.Bd -literal
+$ sudo -g dialer /usr/bin/cu
+.Ed
+.Pp
+Multiple users and groups may be present in a
+.Li Runas_Spec ,
+in which case the user may select any combination of users and groups via the
+.Fl u
+and
+.Fl g
+options.
+In this example:
+.Bd -literal
+alan ALL = (root, bin : operator, system) ALL
+.Ed
+.Pp
+user
+.Sy alan
+may run any command as either user root or bin,
+optionally setting the group to operator or system.
+.Ss SELinux_Spec
+On systems with SELinux support,
+.Em sudoers
+entries may optionally have an SELinux role and/or type associated
+with a command.
+If a role or
+type is specified with the command it will override any default values
+specified in
+.Em sudoers .
+A role or type specified on the command line,
+however, will supersede the values in
+.Em sudoers .
+.Ss Solaris_Priv_Spec
+On Solaris systems,
+.Em sudoers
+entries may optionally specify Solaris privilege set and/or limit
+privilege set associated with a command.
+If privileges or limit privileges are specified with the command
+it will override any default values specified in
+.Em sudoers .
+.Pp
+A privilege set is a comma-separated list of privilege names.
+The
+.Xr ppriv 1
+command can be used to list all privileges known to the system.
+For example:
+.Bd -literal
+$ ppriv -l
+.Ed
+.Pp
+In addition, there are several
+.Dq special
+privilege strings:
+.Bl -tag -width 8n
+.It none
+the empty set
+.It all
+the set of all privileges
+.It zone
+the set of all privileges available in the current zone
+.It basic
+the default set of privileges normal users are granted at login time
+.El
+.Pp
+Privileges can be excluded from a set by prefixing the privilege
+name with either an
+.Ql \&!
+or
+.Ql \-
+character.
+.Ss Tag_Spec
+A command may have zero or more tags associated with it.
+There are
+ten possible tag values:
+.Li NOPASSWD ,
+.Li PASSWD ,
+.Li NOEXEC ,
+.Li EXEC ,
+.Li SETENV ,
+.Li NOSETENV ,
+.Li LOG_INPUT ,
+.Li NOLOG_INPUT ,
+.Li LOG_OUTPUT
+and
+.Li NOLOG_OUTPUT .
+Once a tag is set on a
+.Li Cmnd ,
+subsequent
+.Li Cmnd Ns No s
+in the
+.Li Cmnd_Spec_List ,
+inherit the tag unless it is overridden by the opposite tag (in other words,
+.Li PASSWD
+overrides
+.Li NOPASSWD
+and
+.Li NOEXEC
+overrides
+.Li EXEC ) .
+.Pp
+.Em NOPASSWD and PASSWD
+.Pp
+By default,
+.Nm sudo
+requires that a user authenticate him or herself
+before running a command.
+This behavior can be modified via the
+.Li NOPASSWD
+tag.
+Like a
+.Li Runas_Spec ,
+the
+.Li NOPASSWD
+tag sets
+a default for the commands that follow it in the
+.Li Cmnd_Spec_List .
+Conversely, the
+.Li PASSWD
+tag can be used to reverse things.
+For example:
+.Bd -literal
+ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+.Ed
+.Pp
+would allow the user
+.Sy ray
+to run
+.Pa /bin/kill ,
+.Pa /bin/ls ,
+and
+.Pa /usr/bin/lprm
+as
+.Sy root
+on the machine rushmore without authenticating himself.
+If we only want
+.Sy ray
+to be able to
+run
+.Pa /bin/kill
+without a password the entry would be:
+.Bd -literal
+ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+.Ed
+.Pp
+Note, however, that the
+.Li PASSWD
+tag has no effect on users who are in the group specified by the
+.Em exempt_group
+option.
+.Pp
+By default, if the
+.Li NOPASSWD
+tag is applied to any of the entries for a user on the current host,
+he or she will be able to run
+.Dq Li sudo -l
+without a password.
+Additionally, a user may only run
+.Dq Li sudo -v
+without a password if the
+.Li NOPASSWD
+tag is present for all a user's entries that pertain to the current host.
+This behavior may be overridden via the
+.Em verifypw
+and
+.Em listpw
+options.
+.Pp
+.Em NOEXEC and EXEC
+.Pp
+If
+.Nm sudo
+has been compiled with
+.Em noexec
+support and the underlying operating system supports it, the
+.Li NOEXEC
+tag can be used to prevent a dynamically-linked executable from
+running further commands itself.
+.Pp
+In the following example, user
+.Sy aaron
+may run
+.Pa /usr/bin/more
+and
+.Pa /usr/bin/vi
+but shell escapes will be disabled.
+.Bd -literal
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ed
+.Pp
+See the
+.Sx Preventing shell escapes
+section below for more details on how
+.Li NOEXEC
+works and whether or not it will work on your system.
+.Pp
+.Em SETENV and NOSETENV
+.Pp
+These tags override the value of the
+.Em setenv
+option on a per-command basis.
+Note that if
+.Li SETENV
+has been set for a command, the user may disable the
+.Em env_reset
+option from the command line via the
+.Fl E
+option.
+Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by
+.Em env_check ,
+.Em env_delete ,
+or
+.Em env_keep .
+As such, only trusted users should be allowed to set variables in this manner.
+If the command matched is
+.Sy ALL ,
+the
+.Li SETENV
+tag is implied for that command; this default may be overridden by use of the
+.Li NOSETENV
+tag.
+.Pp
+.Em LOG_INPUT and NOLOG_INPUT
+.Pp
+These tags override the value of the
+.Em log_input
+option on a per-command basis.
+For more information, see the description of
+.Em log_input
+in the
+.Sx SUDOERS OPTIONS
+section below.
+.Pp
+.Em LOG_OUTPUT and NOLOG_OUTPUT
+.Pp
+These tags override the value of the
+.Em log_output
+option on a per-command basis.
+For more information, see the description of
+.Em log_output
+in the
+.Sx SUDOERS OPTIONS
+section below.
+.Ss Wildcards
+.Nm sudo
+allows shell-style
+.Em wildcards
+(aka meta or glob characters)
+to be used in host names, path names and command line arguments in the
+.Em sudoers
+file.
+Wildcard matching is done via the
+.Sy POSIX
+.Xr glob 3
+and
+.Xr fnmatch 3
+routines.
+Note that these are
+.Em not
+regular expressions.
+.Bl -tag -width 8n
+.It Li *
+Matches any set of zero or more characters.
+.It Li \&?
+Matches any single character.
+.It Li [...]
+Matches any character in the specified range.
+.It Li [!...]
+Matches any character
+.Sy not
+in the specified range.
+.It Li \ex
+For any character
+.Sq x ,
+evaluates to
+.Sq x .
+This is used to escape special characters such as:
+.Ql * ,
+.Ql \&? ,
+.Ql [\& ,
+and
+.Ql ]\& .
+.El
+.Pp
+POSIX character classes may also be used if your system's
+.Xr glob 3
+and
+.Xr fnmatch 3
+functions support them.
+However, because the
+.Ql :\&
+character has special meaning in
+.Em sudoers ,
+it must be
+escaped.
+For example:
+.Bd -literal -offset 4n
+/bin/ls [[\:alpha\:]]*
+.Ed
+.Pp
+Would match any file name beginning with a letter.
+.Pp
+Note that a forward slash
+.Pq Ql /
+will
+.Sy not
+be matched by
+wildcards used in the path name.
+This is to make a path like:
+.Bd -literal -offset 4n
+/usr/bin/*
+.Ed
+.Pp
+match
+.Pa /usr/bin/who
+but not
+.Pa /usr/bin/X11/xterm .
+.Pp
+When matching the command line arguments, however, a slash
+.Sy does
+get matched by wildcards since command line arguments may contain
+arbitrary strings and not just path names.
+.Pp
+Wildcards in command line arguments should be used with care.
+Because command line arguments are matched as a single, concatenated
+string, a wildcard such as
+.Ql \&?
+or
+.Ql *
+can match multiple words.
+For example, while a sudoers entry like:
+.Bd -literal -offset 4n
+%operator ALL = /bin/cat /var/log/messages*
+.Ed
+.Pp
+will allow command like:
+.Bd -literal -offset 4n
+$ sudo cat /var/log/messages.1
+.Ed
+.Pp
+It will also allow:
+.Bd -literal -offset 4n
+$ sudo cat /var/log/messages /etc/shadow
+.Ed
+.Pp
+which is probably not what was intended.
+.Ss Exceptions to wildcard rules
+The following exceptions apply to the above rules:
+.Bl -tag -width 8n
+.It Li \&""
+If the empty string
+.Li \&""
+is the only command line argument in the
+.Em sudoers
+entry it means that command is not allowed to be run with
+.Sy any
+arguments.
+.It sudoedit
+Command line arguments to the
+.Em sudoedit
+built-in command should always be path names, so a forward slash
+.Pq Ql /
+will not be matched by a wildcard.
+.El
+.Ss Including other files from within sudoers
+It is possible to include other
+.Em sudoers
+files from within the
+.Em sudoers
+file currently being parsed using the
+.Li #include
+and
+.Li #includedir
+directives.
+.Pp
+This can be used, for example, to keep a site-wide
+.Em sudoers
+file in addition to a local, per-machine file.
+For the sake of this example the site-wide
+.Em sudoers
+will be
+.Pa /etc/sudoers
+and the per-machine one will be
+.Pa /etc/sudoers.local .
+To include
+.Pa /etc/sudoers.local
+from within
+.Pa /etc/sudoers
+we would use the
+following line in
+.Pa /etc/sudoers :
+.Bd -literal -offset 4n
+#include /etc/sudoers.local
+.Ed
+.Pp
+When
+.Nm sudo
+reaches this line it will suspend processing of the current file
+.Pq Pa /etc/sudoers
+and switch to
+.Pa /etc/sudoers.local .
+Upon reaching the end of
+.Pa /etc/sudoers.local ,
+the rest of
+.Pa /etc/sudoers
+will be processed.
+Files that are included may themselves include other files.
+A hard limit of 128 nested include files is enforced to prevent include
+file loops.
+.Pp
+If the path to the include file is not fully-qualified (does not
+begin with a
+.Ql / ,
+it must be located in the same directory as the sudoers file it was
+included from.
+For example, if
+.Pa /etc/sudoers
+contains the line:
+.Bd -literal -offset 4n
+.Li #include sudoers.local
+.Ed
+.Pp
+the file that will be included is
+.Pa /etc/sudoers.local .
+.Pp
+The file name may also include the
+.Li %h
+escape, signifying the short form of the host name.
+In other words, if the machine's host name is
+.Dq xerxes ,
+then
+.Bd -literal -offset 4n
+#include /etc/sudoers.%h
+.Ed
+.Pp
+will cause
+.Nm sudo
+to include the file
+.Pa /etc/sudoers.xerxes .
+.Pp
+The
+.Li #includedir
+directive can be used to create a
+.Pa sudo.d
+directory that the system package manager can drop
+.Em sudoers
+rules
+into as part of package installation.
+For example, given:
+.Bd -literal -offset 4n
+#includedir /etc/sudoers.d
+.Ed
+.Pp
+.Nm sudo
+will read each file in
+.Pa /etc/sudoers.d ,
+skipping file names that end in
+.Ql ~
+or contain a
+.Ql .\&
+character to avoid causing problems with package manager or editor
+temporary/backup files.
+Files are parsed in sorted lexical order.
+That is,
+.Pa /etc/sudoers.d/01_first
+will be parsed before
+.Pa /etc/sudoers.d/10_second .
+Be aware that because the sorting is lexical, not numeric,
+.Pa /etc/sudoers.d/1_whoops
+would be loaded
+.Sy after
+.Pa /etc/sudoers.d/10_second .
+Using a consistent number of leading zeroes in the file names can be used
+to avoid such problems.
+.Pp
+Note that unlike files included via
+.Li #include ,
+.Nm visudo
+will not edit the files in a
+.Li #includedir
+directory unless one of them contains a syntax error.
+It is still possible to run
+.Nm visudo
+with the
+.Fl f
+flag to edit the files directly.
+.Ss Other special characters and reserved words
+The pound sign
+.Pq Ql #
+is used to indicate a comment (unless it is part of a #include
+directive or unless it occurs in the context of a user name and is
+followed by one or more digits, in which case it is treated as a
+uid).
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
+.Pp
+The reserved word
+.Sy ALL
+is a built-in
+.Em alias
+that always causes a match to succeed.
+It can be used wherever one might otherwise use a
+.Li Cmnd_Alias ,
+.Li User_Alias ,
+.Li Runas_Alias ,
+or
+.Li Host_Alias .
+You should not try to define your own
+.Em alias
+called
+.Sy ALL
+as the built-in alias will be used in preference to your own.
+Please note that using
+.Sy ALL
+can be dangerous since in a command context, it allows the user to run
+.Sy any
+command on the system.
+.Pp
+An exclamation point
+.Pq Ql \&!
+can be used as a logical
+.Em not
+operator both in an
+.Em alias
+and in front of a
+.Li Cmnd .
+This allows one to exclude certain values.
+Note, however, that using a
+.Ql \&!
+in conjunction with the built-in
+.Sy ALL
+alias to allow a user to run
+.Dq all but a few
+commands rarely works as intended (see
+.Sx SECURITY NOTES
+below).
+.Pp
+Long lines can be continued with a backslash
+.Pq Ql \e
+as the last character on the line.
+.Pp
+White space between elements in a list as well as special syntactic
+characters in a
+.Em User Specification
+.Po
+.Ql =\& ,
+.Ql :\& ,
+.Ql (\& ,
+.Ql )\&
+.Pc
+is optional.
+.Pp
+The following characters must be escaped with a backslash
+.Pq Ql \e
+when used as part of a word (e.g.\& a user name or host name):
+.Ql \&! ,
+.Ql =\& ,
+.Ql :\& ,
+.Ql ,\& ,
+.Ql (\& ,
+.Ql )\& ,
+.Ql \e .
+.Sh SUDOERS OPTIONS
+.Nm sudo Ns No 's
+behavior can be modified by
+.Li Default_Entry
+lines, as explained earlier.
+A list of all supported Defaults parameters, grouped by type, are listed below.
+.Pp
+.Sy Boolean Flags :
+.Bl -tag -width 16n
+.It always_set_home
+If enabled,
+.Nm sudo
+will set the
+.Ev HOME
+environment variable to the home directory of the target user
+(which is root unless the
+.Fl u
+option is used).
+This effectively means that the
+.Fl H
+option is always implied.
+Note that
+.Ev HOME
+is already set when the the
+.Em env_reset
+option is enabled, so
+.Em always_set_home
+is only effective for configurations where either
+.Em env_reset
+is disabled or
+.Ev HOME
+is present in the
+.Em env_keep
+list.
+This flag is
+.Em off
+by default.
+.It authenticate
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands.
+This default may be overridden via the
+.Li PASSWD
+and
+.Li NOPASSWD
+tags.
+This flag is
+.Em on
+by default.
+.It closefrom_override
+If set, the user may use
+.Nm sudo Ns No 's
+.Fl C
+option which overrides the default starting point at which
+.Nm sudo
+begins closing open file descriptors.
+This flag is
+.Em off
+by default.
+.It compress_io
+If set, and
+.Nm sudo
+is configured to log a command's input or output,
+the I/O logs will be compressed using
+.Sy zlib .
+This flag is
+.Em on
+by default when
+.Nm sudo
+is compiled with
+.Sy zlib
+support.
+.It env_editor
+If set,
+.Nm visudo
+will use the value of the
+.Ev EDITOR
+or
+.Ev VISUAL
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging.
+A safer alternative is to place a colon-separated list of editors
+in the
+.Li editor
+variable.
+.Nm visudo
+will then only use the
+.Ev EDITOR
+or
+.Ev VISUAL
+if they match a value specified in
+.Li editor .
+This flag is
+.Em @env_editor@
+by
+default.
+.It env_reset
+If set,
+.Nm sudo
+will run the command in a minimal environment containing the
+.Ev TERM ,
+.Ev PATH ,
+.Ev HOME ,
+.Ev MAIL ,
+.Ev SHELL ,
+.Ev LOGNAME ,
+.Ev USER ,
+.Ev USERNAME
+and
+.Ev SUDO_*
+variables.
+Any
+variables in the caller's environment that match the
+.Li env_keep
+and
+.Li env_check
+lists are then added, followed by any variables present in the file
+specified by the
+.Em env_file
+option (if any).
+The default contents of the
+.Li env_keep
+and
+.Li env_check
+lists are displayed when
+.Nm sudo
+is run by root with the
+.Fl V
+option.
+If the
+.Em secure_path
+option is set, its value will be used for the
+.Ev PATH
+environment variable.
+This flag is
+.Em @env_reset@
+by default.
+.It fast_glob
+Normally,
+.Nm sudo
+uses the
+.Xr glob 3
+function to do shell-style globbing when matching path names.
+However, since it accesses the file system,
+.Xr glob 3
+can take a long time to complete for some patterns, especially
+when the pattern references a network file system that is mounted
+on demand (auto mounted).
+The
+.Em fast_glob
+option causes
+.Nm sudo
+to use the
+.Xr fnmatch 3
+function, which does not access the file system to do its matching.
+The disadvantage of
+.Em fast_glob
+is that it is unable to match relative path names such as
+.Pa ./ls
+or
+.Pa ../bin/ls .
+This has security implications when path names that include globbing
+characters are used with the negation operator,
+.Ql !\& ,
+as such rules can be trivially bypassed.
+As such, this option should not be used when
+.Em sudoers
+contains rules that contain negated path names which include globbing
+characters.
+This flag is
+.Em off
+by default.
+.It fqdn
+Set this flag if you want to put fully qualified host names in the
+.Em sudoers
+file when the local host name (as returned by the
+.Li hostname
+command) does not contain the domain name.
+In other words, instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+This option is only effective when the
+.Dq canonical
+host name, as returned by the
+.Fn getaddrinfo
+or
+.Fn gethostbyname
+function, is a fully-qualified domain name.
+This is usually the case when the system is configured to use DNS
+for host name resolution.
+.Pp
+If the system is configured to use the
+.Pa /etc/hosts
+file in preference to DNS, the
+.Dq canonical
+host name may not be fully-qualified.
+The order that sources are queried for hosts name resolution
+is usually specified in the
+.Pa @nsswitch_conf@ ,
+.Pa @netsvc_conf@ ,
+.Pa /etc/host.conf ,
+or, in some cases,
+.Pa /etc/resolv.conf
+file.
+In the
+.Pa /etc/hosts
+file, the first host name of the entry is considered to be the
+.Dq canonical
+name; subsequent names are aliases that are not used by
+.Nm sudoers .
+For example, the following hosts file line for the machine
+.Dq xyzzy
+has the fully-qualified domain name as the
+.Dq canonical
+host name, and the short version as an alias.
+.sp
+.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
+.sp
+If the machine's hosts file entry is not formatted properly, the
+.Em fqdn
+option will not be effective if it is queried before DNS.
+.Pp
+Beware that when using DNS for host name resolution, turning on
+.Em fqdn
+requires
+.Nm sudoers
+to make DNS lookups which renders
+.Nm sudo
+unusable if DNS stops working (for example if the machine is disconnected
+from the network).
+Also note that just like with the hosts file, you must use the
+.Dq canonical
+name as DNS knows it.
+That is, you may not use a host alias
+.Po
+.Li CNAME
+entry
+.Pc
+due to performance issues and the fact that there is no way to get all
+aliases from DNS.
+.Pp
+This flag is
+.Em @fqdn@
+by default.
+.It ignore_dot
+If set,
+.Nm sudo
+will ignore "." or "" (both denoting current directory) in the
+.Ev PATH
+environment variable; the
+.Ev PATH
+itself is not modified.
+This flag is
+.Em @ignore_dot@
+by default.
+.It ignore_local_sudoers
+If set via LDAP, parsing of
+.Pa @sysconfdir@/sudoers
+will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only LDAP is used.
+This thwarts the efforts of rogue operators who would attempt to add roles to
+.Pa @sysconfdir@/sudoers .
+When this option is present,
+.Pa @sysconfdir@/sudoers
+does not even need to exist.
+Since this option tells
+.Nm sudo
+how to behave when no specific LDAP entries have been matched, this
+sudoOption is only meaningful for the
+.Li cn=defaults
+section.
+This flag is
+.Em off
+by default.
+.It insults
+If set,
+.Nm sudo
+will insult users when they enter an incorrect password.
+This flag is
+.Em @insults@
+by default.
+.It log_host
+If set, the host name will be logged in the (non-syslog)
+.Nm sudo
+log file.
+This flag is
+.Em off
+by default.
+.It log_input
+If set,
+.Nm sudo
+will run the command in a
+.Em pseudo tty
+and log all user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Pp
+Input is logged to the directory specified by the
+.Em iolog_dir
+option
+.Po
+.Pa @iolog_dir@
+by default
+.Pc
+using a unique session ID that is included in the normal
+.Nm sudo
+log line, prefixed with
+.Dq Li TSID= .
+The
+.Em iolog_file
+option may be used to control the format of the session ID.
+.Pp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted.
+In most cases, logging the command output via
+.Em log_output
+is all that is required.
+.It log_output
+If set,
+.Nm sudo
+will run the command in a
+.Em pseudo tty
+and log all output that is sent to the screen, similar to the
+.Xr script 1
+command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Pp
+Output is logged to the directory specified by the
+.Em iolog_dir
+option
+.Po
+.Pa @iolog_dir@
+by default
+.Pc
+using a unique session ID that is included in the normal
+.Nm sudo
+log line, prefixed with
+.Dq Li TSID= .
+The
+.Em iolog_file
+option may be used to control the format of the session ID.
+.Pp
+Output logs may be viewed with the
+.Xr sudoreplay @mansectsu@
+utility, which can also be used to list or search the available logs.
+.It log_year
+If set, the four-digit year will be logged in the (non-syslog)
+.Nm sudo
+log file.
+This flag is
+.Em off
+by default.
+.It long_otp_prompt
+When validating with a One Time Password (OTP) scheme such as
+.Sy S/Key
+or
+.Sy OPIE ,
+a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.
+It's not as pretty as the default but some people find it more convenient.
+This flag is
+.Em @long_otp_prompt@
+by default.
+.It mail_always
+Send mail to the
+.Em mailto
+user every time a users runs
+.Nm sudo .
+This flag is
+.Em off
+by default.
+.It mail_badpass
+Send mail to the
+.Em mailto
+user if the user running
+.Nm sudo
+does not enter the correct password.
+If the command the user is attempting to run is not permitted by
+.Em sudoers
+and one of the
+.Em mail_always ,
+.Em mail_no_host ,
+.Em mail_no_perms
+or
+.Em mail_no_user
+flags are set, this flag will have no effect.
+This flag is
+.Em off
+by default.
+.It mail_no_host
+If set, mail will be sent to the
+.Em mailto
+user if the invoking user exists in the
+.Em sudoers
+file, but is not allowed to run commands on the current host.
+This flag is
+.Em @mail_no_host@
+by default.
+.It mail_no_perms
+If set, mail will be sent to the
+.Em mailto
+user if the invoking user is allowed to use
+.Nm sudo
+but the command they are trying is not listed in their
+.Em sudoers
+file entry or is explicitly denied.
+This flag is
+.Em @mail_no_perms@
+by default.
+.It mail_no_user
+If set, mail will be sent to the
+.Em mailto
+user if the invoking user is not in the
+.Em sudoers
+file.
+This flag is
+.Em @mail_no_user@
+by default.
+.It noexec
+If set, all commands run via
+.Nm sudo
+will behave as if the
+.Li NOEXEC
+tag has been set, unless overridden by a
+.Li EXEC
+tag.
+See the description of
+.Em NOEXEC and EXEC
+below as well as the
+.Sx Preventing shell escapes
+section at the end of this manual.
+This flag is
+.Em off
+by default.
+.It path_info
+Normally,
+.Nm sudo
+will tell the user when a command could not be
+found in their
+.Ev PATH
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+.Ev PATH ,
+.Nm sudo
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+.Em @path_info@
+by default.
+.It passprompt_override
+The password prompt specified by
+.Em passprompt
+will normally only be used if the password prompt provided by systems
+such as PAM matches the string
+.Dq Password: .
+If
+.Em passprompt_override
+is set,
+.Em passprompt
+will always be used.
+This flag is
+.Em off
+by default.
+.It preserve_groups
+By default,
+.Nm sudo
+will initialize the group vector to the list of groups the target user is in.
+When
+.Em preserve_groups
+is set, the user's existing group vector is left unaltered.
+The real and effective group IDs, however, are still set to match the
+target user.
+This flag is
+.Em off
+by default.
+.It pwfeedback
+By default,
+.Nm sudo
+reads the password like most other Unix programs,
+by turning off echo until the user hits the return (or enter) key.
+Some users become confused by this as it appears to them that
+.Nm sudo
+has hung at this point.
+When
+.Em pwfeedback
+is set,
+.Nm sudo
+will provide visual feedback when the user presses a key.
+Note that this does have a security impact as an onlooker may be able to
+determine the length of the password being entered.
+This flag is
+.Em off
+by default.
+.It requiretty
+If set,
+.Nm sudo
+will only run when the user is logged in to a real tty.
+When this flag is set,
+.Nm sudo
+can only be run from a login session and not via other means such as
+.Xr cron @mansectsu@
+or cgi-bin scripts.
+This flag is
+.Em off
+by default.
+.It root_sudo
+If set, root is allowed to run
+.Nm sudo
+too.
+Disabling this prevents users from
+.Dq chaining
+.Nm sudo
+commands to get a root shell by doing something like
+.Dq Li sudo sudo /bin/sh .
+Note, however, that turning off
+.Em root_sudo
+will also prevent root from running
+.Nm sudoedit .
+Disabling
+.Em root_sudo
+provides no real additional security; it exists purely for historical reasons.
+This flag is
+.Em @root_sudo@
+by default.
+.It rootpw
+If set,
+.Nm sudo
+will prompt for the root password instead of the password of the invoking user.
+This flag is
+.Em off
+by default.
+.It runaspw
+If set,
+.Nm sudo
+will prompt for the password of the user defined by the
+.Em runas_default
+option (defaults to
+.Li @runas_default@ )
+instead of the password of the invoking user.
+This flag is
+.Em off
+by default.
+.It set_home
+If enabled and
+.Nm sudo
+is invoked with the
+.Fl s
+option the
+.Ev HOME
+environment variable will be set to the home directory of the target
+user (which is root unless the
+.Fl u
+option is used).
+This effectively makes the
+.Fl s
+option imply
+.Fl H .
+Note that
+.Ev HOME
+is already set when the the
+.Em env_reset
+option is enabled, so
+.Em set_home
+is only effective for configurations where either
+.Em env_reset
+is disabled
+or
+.Ev HOME
+is present in the
+.Em env_keep
+list.
+This flag is
+.Em off
+by default.
+.It set_logname
+Normally,
+.Nm sudo
+will set the
+.Ev LOGNAME ,
+.Ev USER
+and
+.Ev USERNAME
+environment variables to the name of the target user (usually root unless the
+.Fl u
+option is given).
+However, since some programs (including the RCS revision control system) use
+.Ev LOGNAME
+to determine the real identity of the user, it may be desirable to
+change this behavior.
+This can be done by negating the set_logname option.
+Note that if the
+.Em env_reset
+option has not been disabled, entries in the
+.Em env_keep
+list will override the value of
+.Em set_logname .
+This flag is
+.Em on
+by default.
+.It set_utmp
+When enabled,
+.Nm sudo
+will create an entry in the utmp (or utmpx) file when a pseudo-tty
+is allocated.
+A pseudo-tty is allocated by
+.Nm sudo
+when the
+.Em log_input ,
+.Em log_output
+or
+.Em use_pty
+flags are enabled.
+By default, the new entry will be a copy of the user's existing utmp
+entry (if any), with the tty, time, type and pid fields updated.
+This flag is
+.Em on
+by default.
+.It setenv
+Allow the user to disable the
+.Em env_reset
+option from the command line via the
+.Fl E
+option.
+Additionally, environment variables set via the command line are
+not subject to the restrictions imposed by
+.Em env_check ,
+.Em env_delete ,
+or
+.Em env_keep .
+As such, only trusted users should be allowed to set variables in this manner.
+This flag is
+.Em off
+by default.
+.It shell_noargs
+If set and
+.Nm sudo
+is invoked with no arguments it acts as if the
+.Fl s
+option had been given.
+That is, it runs a shell as root (the shell is determined by the
+.Ev SHELL
+environment variable if it is set, falling back on the shell listed
+in the invoking user's /etc/passwd entry if not).
+This flag is
+.Em off
+by default.
+.It stay_setuid
+Normally, when
+.Nm sudo
+executes a command the real and effective UIDs are set to the target
+user (root by default).
+This option changes that behavior such that the real UID is left
+as the invoking user's UID.
+In other words, this makes
+.Nm sudo
+act as a setuid wrapper.
+This can be useful on systems that disable some potentially
+dangerous functionality when a program is run setuid.
+This option is only effective on systems that support either the
+.Xr setreuid 2
+or
+.Xr setresuid 2
+system call.
+This flag is
+.Em off
+by default.
+.It targetpw
+If set,
+.Nm sudo
+will prompt for the password of the user specified
+by the
+.Fl u
+option (defaults to
+.Li root )
+instead of the password of the invoking user.
+In addition, the time stamp file name will include the target user's name.
+Note that this flag precludes the use of a uid not listed in the passwd
+database as an argument to the
+.Fl u
+option.
+This flag is
+.Em off
+by default.
+.It tty_tickets
+If set, users must authenticate on a per-tty basis.
+With this flag enabled,
+.Nm sudo
+will use a file named for the tty the user is
+logged in on in the user's time stamp directory.
+If disabled, the time stamp of the directory is used instead.
+This flag is
+.Em @tty_tickets@
+by default.
+.It umask_override
+If set,
+.Nm sudo
+will set the umask as specified by
+.Em sudoers
+without modification.
+This makes it possible to specify a more permissive umask in
+.Em sudoers
+than the user's own umask and matches historical behavior.
+If
+.Em umask_override
+is not set,
+.Nm sudo
+will set the umask to be the union of the user's umask and what is specified in
+.Em sudoers .
+This flag is
+.Em @umask_override@
+by default.
+.It use_loginclass
+If set,
+.Nm sudo
+will apply the defaults specified for the target user's login class
+if one exists.
+Only available if
+.Nm sudo
+is configured with the
+.Li --with-logincap
+option.
+This flag is
+.Em off
+by default.
+.It use_pty
+If set,
+.Nm sudo
+will run the command in a pseudo-pty even if no I/O logging is being gone.
+A malicious program run under
+.Nm sudo
+could conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing.
+Use of this option will make that impossible.
+This flag is
+.Em off
+by default.
+.It utmp_runas
+If set,
+.Nm sudo
+will store the name of the runas user when updating the utmp (or utmpx) file.
+By default,
+.Nm sudo
+stores the name of the invoking user.
+This flag is
+.Em off
+by default.
+.It visiblepw
+By default,
+.Nm sudo
+will refuse to run if the user must enter a password but it is not
+possible to disable echo on the terminal.
+If the
+.Em visiblepw
+flag is set,
+.Nm sudo
+will prompt for a password even when it would be visible on the screen.
+This makes it possible to run things like
+.Dq Li ssh somehost sudo ls
+since by default,
+.Xr ssh 1
+does
+not allocate a tty when running a command.
+This flag is
+.Em off
+by default.
+.El
+.Pp
+.Sy Integers :
+.Bl -tag -width 16n
+.It closefrom
+Before it executes a command,
+.Nm sudo
+will close all open file descriptors other than standard input,
+standard output and standard error (ie: file descriptors 0-2).
+The
+.Em closefrom
+option can be used to specify a different file descriptor at which
+to start closing.
+The default is
+.Li 3 .
+.It passwd_tries
+The number of tries a user gets to enter his/her password before
+.Nm sudo
+logs the failure and exits.
+The default is
+.Li @passwd_tries@ .
+.El
+.Pp
+.Sy Integers that can be used in a boolean context :
+.Bl -tag -width 16n
+.It loglinelen
+Number of characters per line for the file log.
+This value is used to decide when to wrap lines for nicer log files.
+This has no effect on the syslog log file, only the file log.
+The default is
+.Li @loglen@
+(use 0 or negate the option to disable word wrap).
+.It passwd_timeout
+Number of minutes before the
+.Nm sudo
+password prompt times out, or
+.Li 0
+for no timeout.
+The timeout may include a fractional component
+if minute granularity is insufficient, for example
+.Li 2.5 .
+The
+default is
+.Li @password_timeout@ .
+.It timestamp_timeout
+Number of minutes that can elapse before
+.Nm sudo
+will ask for a passwd again.
+The timeout may include a fractional component if
+minute granularity is insufficient, for example
+.Li 2.5 .
+The default is
+.Li @timeout@ .
+Set this to
+.Li 0
+to always prompt for a password.
+If set to a value less than
+.Li 0
+the user's time stamp will never expire.
+This can be used to allow users to create or delete their own time stamps via
+.Dq Li sudo -v
+and
+.Dq Li sudo -k
+respectively.
+.It umask
+Umask to use when running the command.
+Negate this option or set it to 0777 to preserve the user's umask.
+The actual umask that is used will be the union of the user's umask
+and the value of the
+.Em umask
+option, which defaults to
+.Li @sudo_umask@ .
+This guarantees
+that
+.Nm sudo
+never lowers the umask when running a command.
+Note: on systems that use PAM, the default PAM configuration may specify
+its own umask which will override the value set in
+.Em sudoers .
+.El
+.Pp
+.Sy Strings :
+.Bl -tag -width 16n
+.It badpass_message
+Message that is displayed if a user enters an incorrect password.
+The default is
+.Li @badpass_message@
+unless insults are enabled.
+.It editor
+A colon
+.Pq Ql :\&
+separated list of editors allowed to be used with
+.Nm visudo .
+.Nm visudo
+will choose the editor that matches the user's
+.Ev EDITOR
+environment variable if possible, or the first editor in the
+list that exists and is executable.
+The default is
+.Pa @editor@ .
+.It iolog_dir
+The top-level directory to use when constructing the path name for
+the input/output log directory.
+Only used if the
+.Em log_input
+or
+.Em log_output
+options are enabled or when the
+.Li LOG_INPUT
+or
+.Li LOG_OUTPUT
+tags are present for a command.
+The session sequence number, if any, is stored in the directory.
+The default is
+.Pa @iolog_dir@ .
+.Pp
+The following percent
+.Pq Ql %
+escape sequences are supported:
+.Bl -tag -width 4n
+.It Li %{seq}
+expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
+where every two digits are used to form a new directory, e.g.\&
+.Pa 01/00/A5
+.It Li %{user}
+expanded to the invoking user's login name
+.It Li %{group}
+expanded to the name of the invoking user's real group ID
+.It Li %{runas_user}
+expanded to the login name of the user the command will
+be run as (e.g.\& root)
+.It Li %{runas_group}
+expanded to the group name of the user the command will
+be run as (e.g.\& wheel)
+.It Li %{hostname}
+expanded to the local host name without the domain name
+.It Li %{command}
+expanded to the base name of the command being run
+.El
+.Pp
+In addition, any escape sequences supported by the system's
+.Xr strftime 3
+function will be expanded.
+.Pp
+To include a literal
+.Ql %
+character, the string
+.Ql %%
+should be used.
+.It iolog_file
+The path name, relative to
+.Em iolog_dir ,
+in which to store input/output logs when the
+.Em log_input
+or
+.Em log_output
+options are enabled or when the
+.Li LOG_INPUT
+or
+.Li LOG_OUTPUT
+tags are present for a command.
+Note that
+.Em iolog_file
+may contain directory components.
+The default is
+.Dq Li %{seq} .
+.Pp
+See the
+.Em iolog_dir
+option above for a list of supported percent
+.Pq Ql %
+escape sequences.
+.Pp
+In addition to the escape sequences, path names that end in six or
+more
+.Li X Ns No s
+will have the
+.Li X Ns No s
+replaced with a unique combination of digits and letters, similar to the
+.Xr mktemp 3
+function.
+.It limitprivs
+The default Solaris limit privileges to use when constructing a new
+privilege set for a command.
+This bounds all privileges of the executing process.
+The default limit privileges may be overridden on a per-command basis in
+.Em sudoers .
+This option is only available if
+.Nm
+is built on Solaris 10 or higher.
+.It mailsub
+Subject of the mail sent to the
+.Em mailto
+user.
+The escape
+.Li %h
+will expand to the host name of the machine.
+Default is
+.Dq Li @mailsub@ .
+.It noexec_file
+This option is no longer supported.
+The path to the noexec file should now be set in the
+.Pa @sysconfdir@/sudo.conf
+file.
+.It passprompt
+The default prompt to use when asking for a password; can be overridden via the
+.Fl p
+option or the
+.Ev SUDO_PROMPT
+environment variable.
+The following percent
+.Pq Ql %
+escape sequences are supported:
+.Bl -tag -width 4n
+.It Li %H
+expanded to the local host name including the domain name
+(only if the machine's host name is fully qualified or the
+.Em fqdn
+option is set)
+.It Li %h
+expanded to the local host name without the domain name
+.It Li %p
+expanded to the user whose password is being asked for (respects the
+.Em rootpw ,
+.Em targetpw
+and
+.Em runaspw
+flags in
+.Em sudoers )
+.It Li \&%U
+expanded to the login name of the user the command will
+be run as (defaults to root)
+.It Li %u
+expanded to the invoking user's login name
+.It Li %%
+two consecutive
+.Li %
+characters are collapsed into a single
+.Li %
+character
+.El
+.Pp
+The default value is
+.Dq Li @passprompt@ .
+.It privs
+The default Solaris privileges to use when constructing a new
+privilege set for a command.
+This is passed to the executing process via the inherited privilege set,
+but is bounded by the limit privileges.
+If the
+.Em privs
+option is specified but the
+.Em limitprivs
+option is not, the limit privileges of the executing process is set to
+.Em privs .
+The default privileges may be overridden on a per-command basis in
+.Em sudoers .
+This option is only available if
+.Nm
+is built on Solaris 10 or higher.
+.It role
+The default SELinux role to use when constructing a new security
+context to run the command.
+The default role may be overridden on a per-command basis in
+.Em sudoers
+or via command line options.
+This option is only available when
+.Nm sudo
+is built with SELinux support.
+.It runas_default
+The default user to run commands as if the
+.Fl u
+option is not specified on the command line.
+This defaults to
+.Li @runas_default@ .
+.It syslog_badpri
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to
+.Li @badpri@ .
+.Pp
+The following syslog priorities are supported:
+.Sy alert ,
+.Sy crit ,
+.Sy debug ,
+.Sy emerg ,
+.Sy err ,
+.Sy info ,
+.Sy notice ,
+and
+.Sy warning .
+.It syslog_goodpri
+Syslog priority to use when user authenticates successfully.
+Defaults to
+.Li @goodpri@ .
+.Pp
+See
+.Sx syslog_badpri
+for the list of supported syslog priorities.
+.It sudoers_locale
+Locale to use when parsing the sudoers file, logging commands, and
+sending email.
+Note that changing the locale may affect how sudoers is interpreted.
+Defaults to
+.Dq Li C .
+.It timestampdir
+The directory in which
+.Nm sudo
+stores its time stamp files.
+The default is
+.Pa @timedir@ .
+.It timestampowner
+The owner of the time stamp directory and the time stamps stored therein.
+The default is
+.Li root .
+.It type
+The default SELinux type to use when constructing a new security
+context to run the command.
+The default type may be overridden on a per-command basis in
+.Em sudoers
+or via command line options.
+This option is only available when
+.Nm sudo
+is built with SELinux support.
+.El
+.Pp
+.Sy Strings that can be used in a boolean context :
+.Bl -tag -width 12n
+.It env_file
+The
+.Em env_file
+option specifies the fully qualified path to a file containing variables
+to be set in the environment of the program being run.
+Entries in this file should either be of the form
+.Dq Li VARIABLE=value
+or
+.Dq Li export VARIABLE=value .
+The value may optionally be surrounded by single or double quotes.
+Variables in this file are subject to other
+.Nm sudo
+environment settings such as
+.Em env_keep
+and
+.Em env_check .
+.It exempt_group
+Users in this group are exempt from password and PATH requirements.
+The group name specified should not include a
+.Li %
+prefix.
+This is not set by default.
+.It group_plugin
+A string containing a
+.Em sudoers
+group plugin with optional arguments.
+This can be used to implement support for the
+.Li nonunix_group
+syntax described earlier.
+The string should consist of the plugin
+path, either fully-qualified or relative to the
+.Pa @prefix@/libexec
+directory, followed by any configuration arguments the plugin requires.
+These arguments (if any) will be passed to the plugin's initialization function.
+If arguments are present, the string must be enclosed in double quotes
+.Pq \&"" .
+.Pp
+For example, given
+.Pa /etc/sudo-group ,
+a group file in Unix group format, the sample group plugin can be used:
+.Bd -literal
+Defaults group_plugin="sample_group.so /etc/sudo-group"
+.Ed
+.Pp
+For more information see
+.Xr sudo_plugin @mansectform@ .
+.It lecture
+This option controls when a short lecture will be printed along with
+the password prompt.
+It has the following possible values:
+.Bl -tag -width 6n
+.It always
+Always lecture the user.
+.It never
+Never lecture the user.
+.It once
+Only lecture the user the first time they run
+.Nm sudo .
+.El
+.Pp
+If no value is specified, a value of
+.Em once
+is implied.
+Negating the option results in a value of
+.Em never
+being used.
+The default value is
+.Em @lecture@ .
+.It lecture_file
+Path to a file containing an alternate
+.Nm sudo
+lecture that will be used in place of the standard lecture if the named
+file exists.
+By default,
+.Nm sudo
+uses a built-in lecture.
+.It listpw
+This option controls when a password will be required when a user runs
+.Nm sudo
+with the
+.Fl l
+option.
+It has the following possible values:
+.Bl -tag -width 8n
+.It all
+All the user's
+.Em sudoers
+entries for the current host must have
+the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It always
+The user must always enter a password to use the
+.Fl l
+option.
+.It any
+At least one of the user's
+.Em sudoers
+entries for the current host
+must have the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It never
+The user need never enter a password to use the
+.Fl l
+option.
+.El
+.Pp
+If no value is specified, a value of
+.Em any
+is implied.
+Negating the option results in a value of
+.Em never
+being used.
+The default value is
+.Em any .
+.It logfile
+Path to the
+.Nm sudo
+log file (not the syslog log file).
+Setting a path turns on logging to a file;
+negating this option turns it off.
+By default,
+.Nm sudo
+logs via syslog.
+.It mailerflags
+Flags to use when invoking mailer. Defaults to
+.Fl t .
+.It mailerpath
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
+.It mailfrom
+Address to use for the
+.Dq from
+address when sending warning and error mail.
+The address should be enclosed in double quotes
+.Pq \&""
+to protect against
+.Nm sudo
+interpreting the
+.Li @
+sign.
+Defaults to the name of the user running
+.Nm sudo .
+.It mailto
+Address to send warning and error mail to.
+The address should be enclosed in double quotes
+.Pq \&""
+to protect against
+.Nm sudo
+interpreting the
+.Li @
+sign.
+Defaults to
+.Li @mailto@ .
+.It secure_path
+Path used for every command run from
+.Nm sudo .
+If you don't trust the
+people running
+.Nm sudo
+to have a sane
+.Ev PATH
+environment variable you may want to use this.
+Another use is if you want to have the
+.Dq root path
+be separate from the
+.Dq user path .
+Users in the group specified by the
+.Em exempt_group
+option are not affected by
+.Em secure_path .
+This option is @secure_path@ by default.
+.It syslog
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging).
+Defaults to
+.Li @logfac@ .
+.Pp
+The following syslog facilities are supported:
+.Sy authpriv
+(if your
+OS supports it),
+.Sy auth ,
+.Sy daemon ,
+.Sy user ,
+.Sy local0 ,
+.Sy local1 ,
+.Sy local2 ,
+.Sy local3 ,
+.Sy local4 ,
+.Sy local5 ,
+.Sy local6 ,
+and
+.Sy local7 .
+.It verifypw
+This option controls when a password will be required when a user runs
+.Nm sudo
+with the
+.Fl v
+option.
+It has the following possible values:
+.Bl -tag -width 6n
+.It all
+All the user's
+.Em sudoers
+entries for the current host must have the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It always
+The user must always enter a password to use the
+.Fl v
+option.
+.It any
+At least one of the user's
+.Em sudoers
+entries for the current host must have the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It never
+The user need never enter a password to use the
+.Fl v
+option.
+.El
+.Pp
+If no value is specified, a value of
+.Em all
+is implied.
+Negating the option results in a value of
+.Em never
+being used.
+The default value is
+.Em all .
+.El
+.Pp
+.Sy Lists that can be used in a boolean context :
+.Bl -tag -width 16n
+.It env_check
+Environment variables to be removed from the user's environment if
+the variable's value contains
+.Ql %
+or
+.Ql /
+characters.
+This can be used to guard against printf-style format vulnerabilities
+in poorly-written programs.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using
+the
+.Li = ,
+.Li += ,
+.Li -= ,
+and
+.Li \&!
+operators respectively.
+Regardless of whether the
+.Li env_reset
+option is enabled or disabled, variables specified by
+.Li env_check
+will be preserved in the environment if they pass the aforementioned check.
+The default list of environment variables to check is displayed when
+.Nm sudo
+is run by root with
+the
+.Fl V
+option.
+.It env_delete
+Environment variables to be removed from the user's environment when the
+.Em env_reset
+option is not in effect.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+.Li = ,
+.Li += ,
+.Li -= ,
+and
+.Li \&!
+operators respectively.
+The default list of environment variables to remove is displayed when
+.Nm sudo
+is run by root with the
+.Fl V
+option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+.Nm sudo ) .
+.It env_keep
+Environment variables to be preserved in the user's environment when the
+.Em env_reset
+option is in effect.
+This allows fine-grained control over the environment
+.Nm sudo Ns No -spawned
+processes will receive.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+.Li = ,
+.Li += ,
+.Li -= ,
+and
+.Li \&!
+operators respectively.
+The default list of variables to keep
+is displayed when
+.Nm sudo
+is run by root with the
+.Fl V
+option.
+.El
+.Sh LOG FORMAT
+.Nm sudoers
+can log events using either
+.Xr syslog 3
+or a simple log file.
+In each case the log format is almost identical.
+.Ss Accepted command log entries
+Commands that sudo runs are logged using the following format (split
+into multiple lines for readability):
+.Bd -literal -offset 4n
+date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
+ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
+ ENV=env_vars COMMAND=command
+.Ed
+.Pp
+Where the fields are as follows:
+.Bl -tag -width 12n
+.It date
+The date the command was run.
+Typically, this is in the format
+.Dq MMM, DD, HH:MM:SS .
+If logging via
+.Xr syslog 3 ,
+the actual date format is controlled by the syslog daemon.
+If logging to a file and the
+.Em log_year
+option is enabled,
+the date will also include the year.
+.It hostname
+The name of the host
+.Nm sudo
+was run on.
+This field is only present when logging via
+.Xr syslog 3 .
+.It progname
+The name of the program, usually
+.Em sudo
+or
+.Em sudoedit .
+This field is only present when logging via
+.Xr syslog 3 .
+.It username
+The login name of the user who ran
+.Nm sudo .
+.It ttyname
+The short name of the terminal (e.g.\&
+.Dq console ,
+.Dq tty01 ,
+or
+.Dq pts/0 )
+.Nm sudo
+was run on, or
+.Dq unknown
+if there was no terminal present.
+.It cwd
+The current working directory that
+.Nm sudo
+was run in.
+.It runasuser
+The user the command was run as.
+.It runasgroup
+The group the command was run as if one was specified on the command line.
+.It logid
+An I/O log identifier that can be used to replay the command's output.
+This is only present when the
+.Em log_input
+or
+.Em log_output
+option is enabled.
+.It env_vars
+A list of environment variables specified on the command line,
+if specified.
+.It command
+The actual command that was executed.
+.El
+.Pp
+Messages are logged using the locale specified by
+.Em sudoers_locale ,
+which defaults to the
+.Dq Li C
+locale.
+.Ss Denied command log entries
+If the user is not allowed to run the command, the reason for the denial
+will follow the user name.
+Possible reasons include:
+.Bl -tag -width 4
+.It user NOT in sudoers
+The user is not listed in the
+.Em sudoers
+file.
+.It user NOT authorized on host
+The user is listed in the
+.Em sudoers
+file but is not allowed to run commands on the host.
+.It command not allowed
+The user is listed in the
+.Em sudoers
+file for the host but they are not allowed to run the specified command.
+.It 3 incorrect password attempts
+The user failed to enter their password after 3 tries.
+The actual number of tries will vary based on the number of
+failed attempts and the value of the
+.Em passwd_tries
+option.
+.It a password is required
+.Nm sudo Ns No 's
+.Fl n
+option was specified but a password was required.
+.It sorry, you are not allowed to set the following environment variables
+The user specified environment variables on the command line that
+were not allowed by
+.Em sudoers .
+.El
+.Ss Error log entries
+If an error occurs,
+.Nm sudoers
+will log a message and, in most cases, send a message to the
+administrator via email.
+Possible errors include:
+.Bl -tag -width 4
+.It parse error in @sysconfdir@/sudoers near line N
+.Nm sudoers
+encountered an error when parsing the specified file.
+In some cases, the actual error may be one line above or below the
+line number listed, depending on the type of error.
+.It problem with defaults entries
+The
+.Em sudoers
+file contains one or more unknown Defaults settings.
+This does not prevent
+.Nm sudo
+from running, but the
+.Em sudoers
+file should be checked using
+.Nm visudo .
+.It timestamp owner (username): \&No such user
+The time stamp directory owner, as specified by the
+.Em timestampowner
+setting, could not be found in the password database.
+.It unable to open/read @sysconfdir@/sudoers
+The
+.Em sudoers
+file could not be opened for reading.
+This can happen when the
+.Em sudoers
+file is located on a remote file system that maps user ID 0 to
+a different value.
+Normally,
+.Nm sudoers
+tries to open
+.Em sudoers
+using group permissions to avoid this problem.
+Consider changing the ownership of
+.Pa @sysconfdir@/sudoers
+by adding an option like
+.Dq sudoers_uid=N
+(where
+.Sq N
+is the user ID that owns the
+.Em sudoers
+file) to the
+.Nm sudoers
+plugin line in the
+.Pa @sysconfdir@/sudo.conf
+file.
+.It unable to stat @sysconfdir@/sudoers
+The
+.Pa @sysconfdir@/sudoers
+file is missing.
+.It @sysconfdir@/sudoers is not a regular file
+The
+.Pa @sysconfdir@/sudoers
+file exists but is not a regular file or symbolic link.
+.It @sysconfdir@/sudoers is owned by uid N, should be 0
+The
+.Em sudoers
+file has the wrong owner.
+If you wish to change the
+.Em sudoers
+file owner, please add
+.Dq sudoers_uid=N
+(where
+.Sq N
+is the user ID that owns the
+.Em sudoers
+file) to the
+.Nm sudoers
+plugin line in the
+.Pa @sysconfdir@/sudo.conf
+file.
+.It @sysconfdir@/sudoers is world writable
+The permissions on the
+.Em sudoers
+file allow all users to write to it.
+The
+.Em sudoers
+file must not be world-writable, the default file mode
+is 0440 (readable by owner and group, writable by none).
+The default mode may be changed via the
+.Dq sudoers_mode
+option to the
+.Nm sudoers
+plugin line in the
+.Pa @sysconfdir@/sudo.conf
+file.
+.It @sysconfdir@/sudoers is owned by gid N, should be 1
+The
+.Em sudoers
+file has the wrong group ownership.
+If you wish to change the
+.Em sudoers
+file group ownership, please add
+.Dq sudoers_gid=N
+(where
+.Sq N
+is the group ID that owns the
+.Em sudoers
+file) to the
+.Nm sudoers
+plugin line in the
+.Pa @sysconfdir@/sudo.conf
+file.
+.It unable to open @timedir@/username/ttyname
+.Em sudoers
+was unable to read or create the user's time stamp file.
+.It unable to write to @timedir@/username/ttyname
+.Em sudoers
+was unable to write to the user's time stamp file.
+.It unable to mkdir to @timedir@/username
+.Em sudoers
+was unable to create the user's time stamp directory.
+.El
+.Ss Notes on logging via syslog
+By default,
+.Em sudoers
+logs messages via
+.Xr syslog 3 .
+The
+.Em date ,
+.Em hostname ,
+and
+.Em progname
+fields are added by the syslog daemon, not
+.Em sudoers
+itself.
+As such, they may vary in format on different systems.
+.Pp
+On most systems,
+.Xr syslog 3
+has a relatively small log buffer.
+To prevent the command line arguments from being truncated,
+.Nm sudoers
+will split up log messages that are larger than 960 characters
+(not including the date, hostname, and the string
+.Dq sudo ) .
+When a message is split, additional parts will include the string
+.Dq Pq command continued
+after the user name and before the continued command line arguments.
+.Ss Notes on logging to a file
+If the
+.Em logfile
+option is set,
+.Em sudoers
+will log to a local file, such as
+.Pa /var/log/sudo .
+When logging to a file,
+.Em sudoers
+uses a format similar to
+.Xr syslog 3 ,
+with a few important differences:
+.Bl -enum
+.It
+The
+.Em progname
+and
+.Em hostname
+fields are not present.
+.It
+If the
+.Em log_year
+option is enabled,
+the date will also include the year.
+.It
+Lines that are longer than
+.Em loglinelen
+characters (80 by default) are word-wrapped and continued on the
+next line with a four character indent.
+This makes entries easier to read for a human being, but makes it
+more difficult to use
+.Xr grep 1
+on the log files.
+If the
+.Em loglinelen
+option is set to 0 (or negated with a
+.Ql \&! ) ,
+word wrap will be disabled.
+.El
+.Sh SUDO.CONF
+The
+.Pa @sysconfdir@/sudo.conf
+file determines which plugins the
+.Nm sudo
+front end will load.
+If no
+.Pa @sysconfdir@/sudo.conf
+file
+is present, or it contains no
+.Li Plugin
+lines,
+.Nm sudo
+will use the
+.Em sudoers
+security policy and I/O logging, which corresponds to the following
+.Pa @sysconfdir@/sudo.conf
+file.
+.Bd -literal
+#
+# Default @sysconfdir@/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# The plugin_path is relative to @prefix@/libexec unless
+# fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+Plugin policy_plugin sudoers.so
+Plugin io_plugin sudoers.so
+.Ed
+.Ss Plugin options
+Starting with
+.Nm sudo
+1.8.5, it is possible to pass options to the
+.Em sudoers
+plugin.
+Options may be listed after the path to the plugin (i.e.\& after
+.Pa sudoers.so ) ;
+multiple options should be space-separated.
+For example:
+.Bd -literal
+Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+.Ed
+.Pp
+The following plugin options are supported:
+.Bl -tag -width 8n
+.It sudoers_file=pathname
+The
+.Em sudoers_file
+option can be used to override the default path
+to the
+.Em sudoers
+file.
+.It sudoers_uid=uid
+The
+.Em sudoers_uid
+option can be used to override the default owner of the sudoers file.
+It should be specified as a numeric user ID.
+.It sudoers_gid=gid
+The
+.Em sudoers_gid
+option can be used to override the default group of the sudoers file.
+It should be specified as a numeric group ID.
+.It sudoers_mode=mode
+The
+.Em sudoers_mode
+option can be used to override the default file mode for the sudoers file.
+It should be specified as an octal value.
+.El
+.Ss Debug flags
+Versions 1.8.4 and higher of the
+.Em sudoers
+plugin supports a debugging framework that can help track down what the
+plugin is doing internally if there is a problem.
+This can be configured in the
+.Pa @sysconfdir@/sudo.conf
+file as described in
+.Xr sudo @mansectsu@ .
+.Pp
+The
+.Em sudoers
+plugin uses the same debug flag format as the
+.Nm sudo
+front-end:
+.Em subsystem Ns No @ Ns Em priority .
+.Pp
+The priorities used by
+.Em sudoers ,
+in order of decreasing severity,
+are:
+.Em crit ,
+.Em err ,
+.Em warn ,
+.Em notice ,
+.Em diag ,
+.Em info ,
+.Em trace
+and
+.Em debug .
+Each priority, when specified, also includes all priorities higher than it.
+For example, a priority of
+.Em notice
+would include debug messages logged at
+.Em notice
+and higher.
+.Pp
+The following subsystems are used by
+.Em sudoers :
+.Bl -tag -width 8n
+.It Em alias
+.Li User_Alias ,
+.Li Runas_Alias ,
+.Li Host_Alias
+and
+.Li Cmnd_Alias
+processing
+.It Em all
+matches every subsystem
+.It Em audit
+BSM and Linux audit code
+.It Em auth
+user authentication
+.It Em defaults
+.Em sudoers
+.Em Defaults
+settings
+.It Em env
+environment handling
+.It Em ldap
+LDAP-based sudoers
+.It Em logging
+logging support
+.It Em match
+matching of users, groups, hosts and netgroups in
+.Em sudoers
+.It Em netif
+network interface handling
+.It Em nss
+network service switch handling in
+.Em sudoers
+.It Em parser
+.Em sudoers
+file parsing
+.It Em perms
+permission setting
+.It Em plugin
+The equivalent of
+.Em main
+for the plugin.
+.It Em pty
+pseudo-tty related code
+.It Em rbtree
+redblack tree internals
+.It Em util
+utility functions
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudo.conf
+Sudo front end configuration
+.It Pa @sysconfdir@/sudoers
+List of who can run what
+.It Pa /etc/group
+Local groups file
+.It Pa /etc/netgroup
+List of network groups
+.It Pa @iolog_dir@
+I/O log files
+.It Pa @timedir@
+Directory containing time stamps for the
+.Em sudoers
+security policy
+.It Pa /etc/environment
+Initial environment for
+.Fl i
+mode on AIX and Linux systems
+.El
+.Sh EXAMPLES
+Below are example
+.Em sudoers
+entries.
+Admittedly, some of these are a bit contrived.
+First, we allow a few environment variables to pass and then define our
+.Em aliases :
+.Bd -literal
+# Run X applications through sudo; HOME is used to find the
+# .Xauthority file. Note that other programs use HOME to find
+# configuration files and this may lead to privilege escalation!
+Defaults env_keep += "DISPLAY HOME"
+
+# User alias specification
+User_Alias FULLTIMERS = millert, mikef, dowdy
+User_Alias PARTTIMERS = bostley, jwfox, crawl
+User_Alias WEBMASTERS = will, wendy, wim
+
+# Runas alias specification
+Runas_Alias OP = root, operator
+Runas_Alias DB = oracle, sybase
+Runas_Alias ADMINGRP = adm, oper
+
+# Host alias specification
+Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
+ SGI = grolsch, dandelion, black :\e
+ ALPHA = widget, thalamus, foobar :\e
+ HPPA = boa, nag, python
+Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+Host_Alias SERVERS = master, mail, www, ns
+Host_Alias CDROM = orion, perseus, hercules
+
+# Cmnd alias specification
+Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
+ /usr/sbin/restore, /usr/sbin/rrestore
+Cmnd_Alias KILL = /usr/bin/kill
+Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+Cmnd_Alias HALT = /usr/sbin/halt
+Cmnd_Alias REBOOT = /usr/sbin/reboot
+Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
+ /usr/local/bin/tcsh, /usr/bin/rsh,\e
+ /usr/local/bin/zsh
+Cmnd_Alias SU = /usr/bin/su
+Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+.Ed
+.Pp
+Here we override some of the compiled in default values.
+We want
+.Nm sudo
+to log via
+.Xr syslog 3
+using the
+.Em auth
+facility in all cases.
+We don't want to subject the full time staff to the
+.Nm sudo
+lecture, user
+.Sy millert
+need not give a password, and we don't want to reset the
+.Ev LOGNAME ,
+.Ev USER
+or
+.Ev USERNAME
+environment variables when running commands as root.
+Additionally, on the machines in the
+.Em SERVERS
+.Li Host_Alias ,
+we keep an additional local log file and make sure we log the year
+in each log line since the log entries will be kept around for several years.
+Lastly, we disable shell escapes for the commands in the PAGERS
+.Li Cmnd_Alias
+.Po
+.Pa /usr/bin/more ,
+.Pa /usr/bin/pg
+and
+.Pa /usr/bin/less
+.Pc .
+.Bd -literal
+# Override built-in defaults
+Defaults syslog=auth
+Defaults>root !set_logname
+Defaults:FULLTIMERS !lecture
+Defaults:millert !authenticate
+Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+Defaults!PAGERS noexec
+.Ed
+.Pp
+The
+.Em User specification
+is the part that actually determines who may run what.
+.Bd -literal
+root ALL = (ALL) ALL
+%wheel ALL = (ALL) ALL
+.Ed
+.Pp
+We let
+.Sy root
+and any user in group
+.Sy wheel
+run any command on any host as any user.
+.Bd -literal
+FULLTIMERS ALL = NOPASSWD: ALL
+.Ed
+.Pp
+Full time sysadmins
+.Po
+.Sy millert ,
+.Sy mikef ,
+and
+.Sy dowdy
+.Pc
+may run any command on any host without authenticating themselves.
+.Bd -literal
+PARTTIMERS ALL = ALL
+.Ed
+.Pp
+Part time sysadmins
+.Sy bostley ,
+.Sy jwfox ,
+and
+.Sy crawl )
+may run any command on any host but they must authenticate themselves
+first (since the entry lacks the
+.Li NOPASSWD
+tag).
+.Bd -literal
+jack CSNETS = ALL
+.Ed
+.Pp
+The user
+.Sy jack
+may run any command on the machines in the
+.Em CSNETS
+alias (the networks
+.Li 128.138.243.0 ,
+.Li 128.138.204.0 ,
+and
+.Li 128.138.242.0 ) .
+Of those networks, only
+.Li 128.138.204.0
+has an explicit netmask (in CIDR notation) indicating it is a class C network.
+For the other networks in
+.Em CSNETS ,
+the local machine's netmask will be used during matching.
+.Bd -literal
+lisa CUNETS = ALL
+.Ed
+.Pp
+The user
+.Sy lisa
+may run any command on any host in the
+.Em CUNETS
+alias (the class B network
+.Li 128.138.0.0 ) .
+.Bd -literal
+operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
+ sudoedit /etc/printcap, /usr/oper/bin/
+.Ed
+.Pp
+The
+.Sy operator
+user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory
+.Pa /usr/oper/bin/ .
+.Bd -literal
+joe ALL = /usr/bin/su operator
+.Ed
+.Pp
+The user
+.Sy joe
+may only
+.Xr su 1
+to operator.
+.Bd -literal
+pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+%opers ALL = (: ADMINGRP) /usr/sbin/
+.Ed
+.Pp
+Users in the
+.Sy opers
+group may run commands in
+.Pa /usr/sbin/
+as themselves
+with any group in the
+.Em ADMINGRP
+.Li Runas_Alias
+(the
+.Sy adm
+and
+.Sy oper
+groups).
+.Pp
+The user
+.Sy pete
+is allowed to change anyone's password except for
+root on the
+.Em HPPA
+machines.
+Note that this assumes
+.Xr passwd 1
+does not take multiple user names on the command line.
+.Bd -literal
+bob SPARC = (OP) ALL : SGI = (OP) ALL
+.Ed
+.Pp
+The user
+.Sy bob
+may run anything on the
+.Em SPARC
+and
+.Em SGI
+machines as any user listed in the
+.Em OP
+.Li Runas_Alias
+.Po
+.Sy root
+and
+.Sy operator .
+.Pc
+.Bd -literal
+jim +biglab = ALL
+.Ed
+.Pp
+The user
+.Sy jim
+may run any command on machines in the
+.Em biglab
+netgroup.
+.Nm sudo
+knows that
+.Dq biglab
+is a netgroup due to the
+.Ql +
+prefix.
+.Bd -literal
++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+.Ed
+.Pp
+Users in the
+.Sy secretaries
+netgroup need to help manage the printers as well as add and remove users,
+so they are allowed to run those commands on all machines.
+.Bd -literal
+fred ALL = (DB) NOPASSWD: ALL
+.Ed
+.Pp
+The user
+.Sy fred
+can run commands as any user in the
+.Em DB
+.Li Runas_Alias
+.Po
+.Sy oracle
+or
+.Sy sybase
+.Pc
+without giving a password.
+.Bd -literal
+john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+.Ed
+.Pp
+On the
+.Em ALPHA
+machines, user
+.Sy john
+may su to anyone except root but he is not allowed to specify any options
+to the
+.Xr su 1
+command.
+.Bd -literal
+jen ALL, !SERVERS = ALL
+.Ed
+.Pp
+The user
+.Sy jen
+may run any command on any machine except for those in the
+.Em SERVERS
+.Li Host_Alias
+(master, mail, www and ns).
+.Bd -literal
+jill SERVERS = /usr/bin/, !SU, !SHELLS
+.Ed
+.Pp
+For any machine in the
+.Em SERVERS
+.Li Host_Alias ,
+.Sy jill
+may run
+any commands in the directory
+.Pa /usr/bin/
+except for those commands
+belonging to the
+.Em SU
+and
+.Em SHELLS
+.Li Cmnd_Aliases .
+.Bd -literal
+steve CSNETS = (operator) /usr/local/op_commands/
+.Ed
+.Pp
+The user
+.Sy steve
+may run any command in the directory /usr/local/op_commands/
+but only as user operator.
+.Bd -literal
+matt valkyrie = KILL
+.Ed
+.Pp
+On his personal workstation, valkyrie,
+.Sy matt
+needs to be able to kill hung processes.
+.Bd -literal
+WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+.Ed
+.Pp
+On the host www, any user in the
+.Em WEBMASTERS
+.Li User_Alias
+(will, wendy, and wim), may run any command as user www (which owns the
+web pages) or simply
+.Xr su 1
+to www.
+.Bd -literal
+ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+.Ed
+.Pp
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+.Li Host_Alias
+(orion, perseus, hercules) without entering a password.
+This is a bit tedious for users to type, so it is a prime candidate
+for encapsulating in a shell script.
+.Sh SECURITY NOTES
+.Ss Limitations of the So !\& Sc operator
+It is generally not effective to
+.Dq subtract
+commands from
+.Sy ALL
+using the
+.Ql !\&
+operator.
+A user can trivially circumvent this by copying the desired command
+to a different name and then executing that.
+For example:
+.Bd -literal
+bill ALL = ALL, !SU, !SHELLS
+.Ed
+.Pp
+Doesn't really prevent
+.Sy bill
+from running the commands listed in
+.Em SU
+or
+.Em SHELLS
+since he can simply copy those commands to a different name, or use
+a shell escape from an editor or other program.
+Therefore, these kind of restrictions should be considered
+advisory at best (and reinforced by policy).
+.Pp
+In general, if a user has sudo
+.Sy ALL
+there is nothing to prevent them from creating their own program that gives
+them a root shell (or making their own copy of a shell) regardless of any
+.Ql !\&
+elements in the user specification.
+.Ss Security implications of Em fast_glob
+If the
+.Em fast_glob
+option is in use, it is not possible to reliably negate commands where the
+path name includes globbing (aka wildcard) characters.
+This is because the C library's
+.Xr fnmatch 3
+function cannot resolve relative paths.
+While this is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke privileges.
+.Pp
+For example, given the following
+.Em sudoers
+entry:
+.Bd -literal
+john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+.Ed
+.Pp
+User
+.Sy john
+can still run
+.Li /usr/bin/passwd root
+if
+.Em fast_glob
+is enabled by changing to
+.Pa /usr/bin
+and running
+.Li ./passwd root
+instead.
+.Ss Preventing shell escapes
+Once
+.Nm sudo
+executes a program, that program is free to do whatever
+it pleases, including run other programs.
+This can be a security issue since it is not uncommon for a program to
+allow shell escapes, which lets a user bypass
+.Nm sudo Ns No 's
+access control and logging.
+Common programs that permit shell escapes include shells (obviously),
+editors, paginators, mail and terminal programs.
+.Pp
+There are two basic approaches to this problem:
+.Bl -tag -width 8n
+.It restrict
+Avoid giving users access to commands that allow the user to run
+arbitrary commands.
+Many editors have a restricted mode where shell
+escapes are disabled, though
+.Nm sudoedit
+is a better solution to
+running editors via
+.Nm sudo .
+Due to the large number of programs that
+offer shell escapes, restricting users to the set of programs that
+do not is often unworkable.
+.It noexec
+Many systems that support shared libraries have the ability to
+override default library functions by pointing an environment
+variable (usually
+.Ev LD_PRELOAD )
+to an alternate shared library.
+On such systems,
+.Nm sudo Ns No 's
+.Em noexec
+functionality can be used to prevent a program run by
+.Nm sudo
+from executing any other programs.
+Note, however, that this applies only to native dynamically-linked
+executables.
+Statically-linked executables and foreign executables
+running under binary emulation are not affected.
+.Pp
+The
+.Em noexec
+feature is known to work on SunOS, Solaris, *BSD,
+Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
+It should be supported on most operating systems that support the
+.Ev LD_PRELOAD
+environment variable.
+Check your operating system's manual pages for the dynamic linker
+(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
+.Ev LD_PRELOAD
+is supported.
+.Pp
+On Solaris 10 and higher,
+.Em noexec
+uses Solaris privileges instead of the
+.Ev LD_PRELOAD
+environment variable.
+.Pp
+To enable
+.Em noexec
+for a command, use the
+.Li NOEXEC
+tag as documented
+in the User Specification section above.
+Here is that example again:
+.Bd -literal
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ed
+.Pp
+This allows user
+.Sy aaron
+to run
+.Pa /usr/bin/more
+and
+.Pa /usr/bin/vi
+with
+.Em noexec
+enabled.
+This will prevent those two commands from
+executing other commands (such as a shell).
+If you are unsure whether or not your system is capable of supporting
+.Em noexec
+you can always just try it out and check whether shell escapes work when
+.Em noexec
+is enabled.
+.El
+.Pp
+Note that restricting shell escapes is not a panacea.
+Programs running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead
+to unintended privilege escalation.
+In the specific case of an editor, a safer approach is to give the
+user permission to run
+.Nm sudoedit .
+.Ss Time stamp file checks
+.Em sudoers
+will check the ownership of its time stamp directory
+.Po
+.Pa @timedir@
+by default
+.Pc
+and ignore the directory's contents if it is not owned by root or
+if it is writable by a user other than root.
+On systems that allow non-root users to give away files via
+.Xr chown 2 ,
+if the time stamp directory is located in a world-writable
+directory (e.g.\&,
+.Pa /tmp ) ,
+it is possible for a user to create the time stamp directory before
+.Nm sudo
+is run.
+However, because
+.Em sudoers
+checks the ownership and mode of the directory and its
+contents, the only damage that can be done is to
+.Dq hide
+files by putting them in the time stamp dir.
+This is unlikely to happen since once the time stamp dir is owned by root
+and inaccessible by any other user, the user placing files there would be
+unable to get them back out.
+.Pp
+.Em sudoers
+will not honor time stamps set far in the future.
+Time stamps with a date greater than current_time + 2 *
+.Li TIMEOUT
+will be ignored and sudo will log and complain.
+This is done to keep a user from creating his/her own time stamp with a
+bogus date on systems that allow users to give away files if the time
+stamp directory is located in a world-writable directory.
+.Pp
+On systems where the boot time is available,
+.Em sudoers
+will ignore time stamps that date from before the machine booted.
+.Pp
+Since time stamp files live in the file system, they can outlive a
+user's login session.
+As a result, a user may be able to login, run a command with
+.Nm sudo
+after authenticating, logout, login again, and run
+.Nm sudo
+without authenticating so long as the time stamp file's modification
+time is within
+.Li @timeout@
+minutes (or whatever the timeout is set to in
+.Em sudoers ) .
+When the
+.Em tty_tickets
+option is enabled, the time stamp has per-tty granularity but still
+may outlive the user's session.
+On Linux systems where the devpts filesystem is used, Solaris systems
+with the devices filesystem, as well as other systems that utilize a
+devfs filesystem that monotonically increase the inode number of devices
+as they are created (such as Mac OS X),
+.Em sudoers
+is able to determine when a tty-based time stamp file is stale and will
+ignore it.
+Administrators should not rely on this feature as it is not universally
+available.
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr su 1 ,
+.Xr fnmatch 3 ,
+.Xr glob 3 ,
+.Xr mktemp 3 ,
+.Xr strftime 3 ,
+.Xr sudoers.ldap @mansectform@ ,
+.Xr sudo_plugin @mansectsu@ ,
+.Xr sudo @mansectsu@ ,
+.Xr visudo @mansectsu@
+.Sh CAVEATS
+The
+.Em sudoers
+file should
+.Sy always
+be edited by the
+.Nm visudo
+command which locks the file and does grammatical checking.
+It is
+imperative that
+.Em sudoers
+be free of syntax errors since
+.Nm sudo
+will not run with a syntactically incorrect
+.Em sudoers
+file.
+.Pp
+When using netgroups of machines (as opposed to users), if you
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
+as returned by the
+.Li hostname
+command or use the
+.Em fqdn
+option in
+.Em sudoers .
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 1994-1996, 1998-2005, 2007-2012
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Sponsored in part by the Defense Advanced Research Projects
-Agency (DARPA) and Air Force Research Laboratory, Air Force
-Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=pod
-
-=head1 NAME
-
-sudoers - default sudo security policy module
-
-=head1 DESCRIPTION
-
-The I<sudoers> policy module determines a user's B<sudo> privileges.
-It is the default B<sudo> policy plugin. The policy is driven by
-the F<@sysconfdir@/sudoers> file or, optionally in LDAP. The policy
-format is described in detail in the L<"SUDOERS FILE FORMAT">
-section. For information on storing I<sudoers> policy information
-in LDAP, please see L<sudoers.ldap(5)>.
-
-=head2 Authentication and Logging
-
-The I<sudoers> security policy requires that most users authenticate
-themselves before they can use B<sudo>. A password is not required
-if the invoking user is root, if the target user is the same as the
-invoking user, or if the policy has disabled authentication for the
-user or command. Unlike L<su(1)>, when I<sudoers> requires
-authentication, it validates the invoking user's credentials, not
-the target user's (or root's) credentials. This can be changed via
-the I<rootpw>, I<targetpw> and I<runaspw> flags, described later.
-
-If a user who is not listed in the policy tries to run a command
-via B<sudo>, mail is sent to the proper authorities. The address
-used for such mail is configurable via the I<mailto> Defaults entry
-(described later) and defaults to C<@mailto@>.
-
-Note that mail will not be sent if an unauthorized user tries to
-run B<sudo> with the B<-l> or B<-v> option. This allows users to
-determine for themselves whether or not they are allowed to use
-B<sudo>.
-
-If B<sudo> is run by root and the C<SUDO_USER> environment variable
-is set, the I<sudoers> policy will use this value to determine who
-the actual user is. This can be used by a user to log commands
-through sudo even when a root shell has been invoked. It also
-allows the B<-e> option to remain useful even when invoked via a
-sudo-run script or program. Note, however, that the I<sudoers>
-lookup is still done for root, not the user specified by C<SUDO_USER>.
-
-I<sudoers> uses time stamp files for credential caching. Once a
-user has been authenticated, a time stamp is updated and the user
-may then use sudo without a password for a short period of time
-(C<@timeout@> minutes unless overridden by the I<timeout> option.
-By default, I<sudoers> uses a tty-based time stamp which means that
-there is a separate time stamp for each of a user's login sessions.
-The I<tty_tickets> option can be disabled to force the use of a
-single time stamp for all of a user's sessions.
-
-I<sudoers> can log both successful and unsuccessful attempts (as well
-as errors) to syslog(3), a log file, or both. By default, I<sudoers>
-will log via syslog(3) but this is changeable via the I<syslog>
-and I<logfile> Defaults settings.
-
-I<sudoers> also supports logging a command's input and output
-streams. I/O logging is not on by default but can be enabled using
-the I<log_input> and I<log_output> Defaults flags as well as the
-C<LOG_INPUT> and C<LOG_OUTPUT> command tags.
-
-=head2 Command Environment
-
-Since environment variables can influence program behavior, I<sudoers>
-provides a means to restrict which variables from the user's
-environment are inherited by the command to be run. There are two
-distinct ways I<sudoers> can deal with environment variables.
-
-By default, the I<env_reset> option is enabled. This causes commands
-to be executed with a new, minimal environment. On AIX (and Linux
-systems without PAM), the environment is initialized with the
-contents of the F</etc/environment> file. On BSD systems, if the
-I<use_loginclass> option is enabled, the environment is initialized
-based on the I<path> and I<setenv> settings in F</etc/login.conf>.
-The new environment contains the C<TERM>, C<PATH>, C<HOME>, C<MAIL>,
-C<SHELL>, C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables
-in addition to variables from the invoking process permitted by the
-I<env_check> and I<env_keep> options. This is effectively a whitelist
-for environment variables.
-
-If, however, the I<env_reset> option is disabled, any variables not
-explicitly denied by the I<env_check> and I<env_delete> options are
-inherited from the invoking process. In this case, I<env_check>
-and I<env_delete> behave like a blacklist. Since it is not possible
-to blacklist all potentially dangerous environment variables, use
-of the default I<env_reset> behavior is encouraged.
-
-In all cases, environment variables with a value beginning with
-C<()> are removed as they could be interpreted as B<bash> functions.
-The list of environment variables that B<sudo> allows or denies is
-contained in the output of C<sudo -V> when run as root.
-
-Note that the dynamic linker on most operating systems will remove
-variables that can control dynamic linking from the environment of
-setuid executables, including B<sudo>. Depending on the operating
-system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
-C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
-removed from the environment before B<sudo> even begins execution
-and, as such, it is not possible for B<sudo> to preserve them.
-
-As a special case, if B<sudo>'s B<-i> option (initial login) is
-specified, I<sudoers> will initialize the environment regardless
-of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM>
-variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>,
-and I<LOGNAME> are set based on the target user. On AIX (and Linux
-systems without PAM), the contents of F</etc/environment> are also
-included. On BSD systems, if the I<use_loginclass> option is
-enabled, the I<path> and I<setenv> variables in F</etc/login.conf>
-are also applied. All other environment variables are removed.
-
-Finally, if the I<env_file> option is defined, any variables present
-in that file will be set to their specified values as long as they
-would not conflict with an existing environment variable.
-
-=head1 SUDOERS FILE FORMAT
-
-The I<sudoers> file is composed of two types of entries: aliases
-(basically variables) and user specifications (which specify who
-may run what).
-
-When multiple entries match for a user, they are applied in order.
-Where there are multiple matches, the last match is used (which is
-not necessarily the most specific match).
-
-The I<sudoers> grammar will be described below in Extended Backus-Naur
-Form (EBNF). Don't despair if you don't know what EBNF is; it is
-fairly simple, and the definitions below are annotated.
-
-=head2 Quick guide to EBNF
-
-EBNF is a concise and exact way of describing the grammar of a language.
-Each EBNF definition is made up of I<production rules>. E.g.,
-
- symbol ::= definition | alternate1 | alternate2 ...
-
-Each I<production rule> references others and thus makes up a
-grammar for the language. EBNF also contains the following
-operators, which many readers will recognize from regular
-expressions. Do not, however, confuse them with "wildcard"
-characters, which have different meanings.
-
-=over 4
-
-=item C<?>
-
-Means that the preceding symbol (or group of symbols) is optional.
-That is, it may appear once or not at all.
-
-=item C<*>
-
-Means that the preceding symbol (or group of symbols) may appear
-zero or more times.
-
-=item C<+>
-
-Means that the preceding symbol (or group of symbols) may appear
-one or more times.
-
-=back
-
-Parentheses may be used to group symbols together. For clarity,
-we will use single quotes ('') to designate what is a verbatim character
-string (as opposed to a symbol name).
-
-=head2 Aliases
-
-There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
-C<Host_Alias> and C<Cmnd_Alias>.
-
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
-
- Cmnd_Alias ::= NAME '=' Cmnd_List
-
- NAME ::= [A-Z]([A-Z][0-9]_)*
-
-Each I<alias> definition is of the form
-
- Alias_Type NAME = item1, item2, ...
-
-where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
-or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
-and underscore characters ('_'). A C<NAME> B<must> start with an
-uppercase letter. It is possible to put several alias definitions
-of the same type on a single line, joined by a colon (':'). E.g.,
-
- Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
-The definitions of what constitutes a valid I<alias> member follow.
-
- User_List ::= User |
- User ',' User_List
-
- User ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* +netgroup |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* User_Alias
-
-A C<User_List> is made up of one or more user names, user ids
-(prefixed with '#'), system group names and ids (prefixed with '%'
-and '%#' respectively), netgroups (prefixed with '+'), non-Unix
-group names and IDs (prefixed with '%:' and '%:#' respectively) and
-C<User_Alias>es. Each list item may be prefixed with zero or more
-'!' operators. An odd number of '!' operators negate the value of
-the item; an even number just cancel each other out.
-
-A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
-or C<nonunix_gid> may be enclosed in double quotes to avoid the
-need for escaping special characters. Alternately, special characters
-may be specified in escaped hex mode, e.g. \x20 for space. When
-using double quotes, any prefix characters must be included inside
-the quotes.
-
-The actual C<nonunix_group> and C<nonunix_gid> syntax depends on
-the underlying group provider plugin (see the I<group_plugin>
-description below). For instance, the QAS AD plugin supports the
-following formats:
-
-=over 4
-
-=item *
-
-Group in the same domain: "Group Name"
-
-=item *
-
-Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
-
-=item *
-
-Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
-
-=back
-
-Note that quotes around group names are optional. Unquoted strings
-must use a backslash (\) to escape spaces and special characters.
-See L<"Other special characters and reserved words"> for a list of
-characters that need to be escaped.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
- Runas_Member ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* +netgroup |
- '!'* Runas_Alias
-
-A C<Runas_List> is similar to a C<User_List> except that instead
-of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
-user names and groups are matched as strings. In other words, two
-users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all user names with the same uid (e.g.E<nbsp>root
-and toor), you can use a uid instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
- Host ::= '!'* host name |
- '!'* ip_addr |
- '!'* network(/netmask)? |
- '!'* +netgroup |
- '!'* Host_Alias
-
-A C<Host_List> is made up of one or more host names, IP addresses,
-network numbers, netgroups (prefixed with '+') and other aliases.
-Again, the value of an item may be negated with the '!' operator.
-If you do not specify a netmask along with the network number,
-B<sudo> will query each of the local host's network interfaces and,
-if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used. The netmask
-may be specified either in standard IP address notation
-(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
-or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
-include shell-style wildcards (see the L<Wildcards> section below),
-but unless the C<host name> command on your machine returns the fully
-qualified host name, you'll need to use the I<fqdn> option for
-wildcards to be useful. Note B<sudo> only inspects actual network
-interfaces; this means that IP address 127.0.0.1 (localhost) will
-never match. Also, the host name "localhost" will only match if
-that is the actual host name, which is usually only the case for
-non-networked systems.
-
- Cmnd_List ::= Cmnd |
- Cmnd ',' Cmnd_List
-
- commandname ::= file name |
- file name args |
- file name '""'
-
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
-
-A C<Cmnd_List> is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified file name which may include
-shell-style wildcards (see the L<Wildcards> section below). A simple
-file name allows the user to run the command with any arguments he/she
-wishes. However, you may also specify command line arguments (including
-wildcards). Alternately, you can specify C<""> to indicate that the command
-may only be run B<without> command line arguments. A directory is a
-fully qualified path name ending in a '/'. When you specify a directory
-in a C<Cmnd_List>, the user will be able to run any file within that directory
-(but not in any subdirectories therein).
-
-If a C<Cmnd> has associated command line arguments, then the arguments
-in the C<Cmnd> must match exactly those given by the user on the command line
-(or match the wildcards if there are any). Note that the following
-characters must be escaped with a '\' if they are used in command
-arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
-is used to permit a user to run B<sudo> with the B<-e> option (or
-as B<sudoedit>). It may take command line arguments just as
-a normal command does.
-
-=head2 Defaults
-
-Certain configuration options may be changed from their default
-values at runtime via one or more C<Default_Entry> lines. These
-may affect all users on any host, all users on a specific host, a
-specific user, a specific command, or commands being run as a specific user.
-Note that per-command entries may not include command line arguments.
-If you need to specify arguments, define a C<Cmnd_Alias> and reference
-that instead.
-
- Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host_List |
- 'Defaults' ':' User_List |
- 'Defaults' '!' Cmnd_List |
- 'Defaults' '>' Runas_List
-
- Default_Entry ::= Default_Type Parameter_List
-
- Parameter_List ::= Parameter |
- Parameter ',' Parameter_List
-
- Parameter ::= Parameter '=' Value |
- Parameter '+=' Value |
- Parameter '-=' Value |
- '!'* Parameter
-
-Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
-Flags are implicitly boolean and can be turned off via the '!'
-operator. Some integer, string and list parameters may also be
-used in a boolean context to disable them. Values may be enclosed
-in double quotes (C<">) when they contain multiple words. Special
-characters may be escaped with a backslash (C<\>).
-
-Lists have two additional assignment operators, C<+=> and C<-=>.
-These operators are used to add to and delete from a list respectively.
-It is not an error to use the C<-=> operator to remove an element
-that does not exist in a list.
-
-Defaults entries are parsed in the following order: generic, host
-and user Defaults first, then runas Defaults and finally command
-defaults.
-
-See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
-
-=head2 User Specification
-
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
-
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
-
- Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
-
- Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
-
- SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
-
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
- 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
-
-A B<user specification> determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as B<root>, but this can be changed on a per-command basis.
-
-The basic structure of a user specification is `who where = (as_whom)
-what'. Let's break that down into its constituent parts:
-
-=head2 Runas_Spec
-
-A C<Runas_Spec> determines the user and/or the group that a command
-may be run as. A fully-specified C<Runas_Spec> consists of two
-C<Runas_List>s (as defined above) separated by a colon (':') and
-enclosed in a set of parentheses. The first C<Runas_List> indicates
-which users the command may be run as via B<sudo>'s B<-u> option.
-The second defines a list of groups that can be specified via
-B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
-command may be run with any combination of users and groups listed
-in their respective C<Runas_List>s. If only the first is specified,
-the command may be run as any user in the list but no B<-g> option
-may be specified. If the first C<Runas_List> is empty but the
-second is specified, the command may be run as the invoking user
-with the group set to any listed in the C<Runas_List>. If no
-C<Runas_Spec> is specified the command may be run as B<root> and
-no group may be specified.
-
-A C<Runas_Spec> sets the default for the commands that follow it.
-What this means is that for the entry:
-
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-
-The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
-F</usr/bin/lprm> -- but only as B<operator>. E.g.,
-
- $ sudo -u operator /bin/ls
-
-It is also possible to override a C<Runas_Spec> later on in an
-entry. If we modify the entry like so:
-
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-
-Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
-but F</bin/kill> and F</usr/bin/lprm> as B<root>.
-
-We can extend this to allow B<dgb> to run C</bin/ls> with either
-the user or group set to B<operator>:
-
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
- /usr/bin/lprm
-
-Note that while the group portion of the C<Runas_Spec> permits the
-user to run as command with that group, it does not force the user
-to do so. If no group is specified on the command line, the command
-will run with the group listed in the target user's password database
-entry. The following would all be permitted by the sudoers entry above:
-
- $ sudo -u operator /bin/ls
- $ sudo -u operator -g operator /bin/ls
- $ sudo -g operator /bin/ls
-
-In the following example, user B<tcm> may run commands that access
-a modem device file with the dialer group.
-
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
- /usr/local/bin/minicom
-
-Note that in this example only the group will be set, the command
-still runs as user B<tcm>. E.g.
-
- $ sudo -g dialer /usr/bin/cu
-
-Multiple users and groups may be present in a C<Runas_Spec>, in
-which case the user may select any combination of users and groups
-via the B<-u> and B<-g> options. In this example:
-
- alan ALL = (root, bin : operator, system) ALL
-
-user B<alan> may run any command as either user root or bin,
-optionally setting the group to operator or system.
-
-=head2 SELinux_Spec
-
-On systems with SELinux support, I<sudoers> entries may optionally have
-an SELinux role and/or type associated with a command. If a role or
-type is specified with the command it will override any default values
-specified in I<sudoers>. A role or type specified on the command line,
-however, will supercede the values in I<sudoers>.
-
-=head2 Tag_Spec
-
-A command may have zero or more tags associated with it. There are
-eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
-C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
-C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
-subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
-it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
-C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
-
-=head3 NOPASSWD and PASSWD
-
-By default, B<sudo> requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
-a default for the commands that follow it in the C<Cmnd_Spec_List>.
-Conversely, the C<PASSWD> tag can be used to reverse things.
-For example:
-
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-
-would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
-F</usr/bin/lprm> as B<root> on the machine rushmore without
-authenticating himself. If we only want B<ray> to be able to
-run F</bin/kill> without a password the entry would be:
-
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-
-Note, however, that the C<PASSWD> tag has no effect on users who are
-in the group specified by the I<exempt_group> option.
-
-By default, if the C<NOPASSWD> tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-C<sudo -l> without a password. Additionally, a user may only run
-C<sudo -v> without a password if the C<NOPASSWD> tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-
-=head3 NOEXEC and EXEC
-
-If B<sudo> has been compiled with I<noexec> support and the underlying
-operating system supports it, the C<NOEXEC> tag can be used to prevent
-a dynamically-linked executable from running further commands itself.
-
-In the following example, user B<aaron> may run F</usr/bin/more>
-and F</usr/bin/vi> but shell escapes will be disabled.
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
-See the L<Preventing Shell Escapes> section below for more details
-on how C<NOEXEC> works and whether or not it will work on your system.
-
-=head3 SETENV and NOSETENV
-
-These tags override the value of the I<setenv> option on a per-command
-basis. Note that if C<SETENV> has been set for a command, the user
-may disable the I<env_reset> option from the command line via the
-B<-E> option. Additionally, environment variables set on the command
-line are not subject to the restrictions imposed by I<env_check>,
-I<env_delete>, or I<env_keep>. As such, only trusted users should
-be allowed to set variables in this manner. If the command matched
-is B<ALL>, the C<SETENV> tag is implied for that command; this
-default may be overridden by use of the C<NOSETENV> tag.
-
-=head3 LOG_INPUT and NOLOG_INPUT
-
-These tags override the value of the I<log_input> option on a
-per-command basis. For more information, see the description of
-I<log_input> in the L<"SUDOERS OPTIONS"> section below.
-
-=head3 LOG_OUTPUT and NOLOG_OUTPUT
-
-These tags override the value of the I<log_output> option on a
-per-command basis. For more information, see the description of
-I<log_output> in the L<"SUDOERS OPTIONS"> section below.
-
-=head2 Wildcards
-
-B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
-to be used in host names, path names and command line arguments in
-the I<sudoers> file. Wildcard matching is done via the B<POSIX>
-L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
-regular expressions.
-
-=over 8
-
-=item C<*>
-
-Matches any set of zero or more characters.
-
-=item C<?>
-
-Matches any single character.
-
-=item C<[...]>
-
-Matches any character in the specified range.
-
-=item C<[!...]>
-
-Matches any character B<not> in the specified range.
-
-=item C<\x>
-
-For any character "x", evaluates to "x". This is used to
-escape special characters such as: "*", "?", "[", and "}".
-
-=back
-
-POSIX character classes may also be used if your system's L<glob(3)>
-and L<fnmatch(3)> functions support them. However, because the
-C<':'> character has special meaning in I<sudoers>, it must be
-escaped. For example:
-
- /bin/ls [[\:alpha\:]]*
-
-Would match any file name beginning with a letter.
-
-Note that a forward slash ('/') will B<not> be matched by
-wildcards used in the path name. When matching the command
-line arguments, however, a slash B<does> get matched by
-wildcards. This is to make a path like:
-
- /usr/bin/*
-
-match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
-
-=head2 Exceptions to wildcard rules
-
-The following exceptions apply to the above rules:
-
-=over 8
-
-=item C<"">
-
-If the empty string C<""> is the only command line argument in the
-I<sudoers> entry it means that command is not allowed to be run
-with B<any> arguments.
-
-=back
-
-=head2 Including other files from within sudoers
-
-It is possible to include other I<sudoers> files from within the
-I<sudoers> file currently being parsed using the C<#include> and
-C<#includedir> directives.
-
-This can be used, for example, to keep a site-wide I<sudoers> file
-in addition to a local, per-machine file. For the sake of this
-example the site-wide I<sudoers> will be F</etc/sudoers> and the
-per-machine one will be F</etc/sudoers.local>. To include
-F</etc/sudoers.local> from within F</etc/sudoers> we would use the
-following line in F</etc/sudoers>:
-
-=over 4
-
-C<#include /etc/sudoers.local>
-
-=back
-
-When B<sudo> reaches this line it will suspend processing of the
-current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
-Upon reaching the end of F</etc/sudoers.local>, the rest of
-F</etc/sudoers> will be processed. Files that are included may
-themselves include other files. A hard limit of 128 nested include
-files is enforced to prevent include file loops.
-
-If the path to the include file is not fully-qualified (does not
-begin with a F</>), it must be located in the same directory as the
-sudoers file it was included from. For example, if F</etc/sudoers>
-contains the line:
-
-=over 4
-
-C<#include sudoers.local>
-
-=back
-
-the file that will be included is F</etc/sudoers.local>.
-
-The file name may also include the C<%h> escape, signifying the short form
-of the host name. I.e., if the machine's host name is "xerxes", then
-
-C<#include /etc/sudoers.%h>
-
-will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
-
-The C<#includedir> directive can be used to create a F<sudo.d>
-directory that the system package manager can drop I<sudoers> rules
-into as part of package installation. For example, given:
-
-C<#includedir /etc/sudoers.d>
-
-B<sudo> will read each file in F</etc/sudoers.d>, skipping file
-names that end in C<~> or contain a C<.> character to avoid causing
-problems with package manager or editor temporary/backup files.
-Files are parsed in sorted lexical order. That is,
-F</etc/sudoers.d/01_first> will be parsed before
-F</etc/sudoers.d/10_second>. Be aware that because the sorting is
-lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
-B<after> F</etc/sudoers.d/10_second>. Using a consistent number
-of leading zeroes in the file names can be used to avoid such
-problems.
-
-Note that unlike files included via C<#include>, B<visudo> will not
-edit the files in a C<#includedir> directory unless one of them
-contains a syntax error. It is still possible to run B<visudo>
-with the C<-f> flag to edit the files directly.
-
-=head2 Other special characters and reserved words
-
-The pound sign ('#') is used to indicate a comment (unless it is
-part of a #include directive or unless it occurs in the context of
-a user name and is followed by one or more digits, in which case
-it is treated as a uid). Both the comment character and any text
-after it, up to the end of the line, are ignored.
-
-The reserved word B<ALL> is a built-in I<alias> that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
-You should not try to define your own I<alias> called B<ALL> as the
-built-in alias will be used in preference to your own. Please note
-that using B<ALL> can be dangerous since in a command context, it
-allows the user to run B<any> command on the system.
-
-An exclamation point ('!') can be used as a logical I<not> operator
-both in an I<alias> and in front of a C<Cmnd>. This allows one to
-exclude certain values. Note, however, that using a C<!> in
-conjunction with the built-in C<ALL> alias to allow a user to
-run "all but a few" commands rarely works as intended (see SECURITY
-NOTES below).
-
-Long lines can be continued with a backslash ('\') as the last
-character on the line.
-
-Whitespace between elements in a list as well as special syntactic
-characters in a I<User Specification> ('=', ':', '(', ')') is optional.
-
-The following characters must be escaped with a backslash ('\') when
-used as part of a word (e.g.E<nbsp>a user name or host name):
-'!', '=', ':', ',', '(', ')', '\'.
-
-=head1 SUDOERS OPTIONS
-
-B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
-explained earlier. A list of all supported Defaults parameters,
-grouped by type, are listed below.
-
-B<Boolean Flags>:
-
-=over 16
-
-=item always_set_home
-
-If enabled, B<sudo> will set the C<HOME> environment variable to the
-home directory of the target user (which is root unless the B<-u>
-option is used). This effectively means that the B<-H> option is
-always implied. Note that C<HOME> is already set when the the
-I<env_reset> option is enabled, so I<always_set_home> is only
-effective for configurations where either I<env_reset> is disabled
-or C<HOME> is present in the I<env_keep> list.
-This flag is I<off> by default.
-
-=item authenticate
-
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
-This flag is I<on> by default.
-
-=item closefrom_override
-
-If set, the user may use B<sudo>'s B<-C> option which
-overrides the default starting point at which B<sudo> begins
-closing open file descriptors. This flag is I<off> by default.
-
-=item compress_io
-
-If set, and B<sudo> is configured to log a command's input or output,
-the I/O logs will be compressed using B<zlib>. This flag is I<on>
-by default when B<sudo> is compiled with B<zlib> support.
-
-=item env_editor
-
-If set, B<visudo> will use the value of the EDITOR or VISUAL
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the C<editor>
-variable. B<visudo> will then only use the EDITOR or VISUAL if
-they match a value specified in C<editor>. This flag is I<@env_editor@> by
-default.
-
-=item env_reset
-
-If set, B<sudo> will run the command in a minimal environment
-containing the C<TERM>, C<PATH>, C<HOME>, C<MAIL>, C<SHELL>,
-C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables. Any
-variables in the caller's environment that match the C<env_keep>
-and C<env_check> lists are then added, followed by any variables
-present in the file specified by the I<env_file> option (if any).
-The default contents of the C<env_keep> and C<env_check> lists are
-displayed when B<sudo> is run by root with the I<-V> option. If
-the I<secure_path> option is set, its value will be used for the
-C<PATH> environment variable. This flag is I<@env_reset@> by
-default.
-
-=item fast_glob
-
-Normally, B<sudo> uses the L<glob(3)> function to do shell-style
-globbing when matching path names. However, since it accesses the
-file system, L<glob(3)> can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The I<fast_glob>
-option causes B<sudo> to use the L<fnmatch(3)> function, which does
-not access the file system to do its matching. The disadvantage
-of I<fast_glob> is that it is unable to match relative path names
-such as F<./ls> or F<../bin/ls>. This has security implications
-when path names that include globbing characters are used with the
-negation operator, C<'!'>, as such rules can be trivially bypassed.
-As such, this option should not be used when I<sudoers> contains rules
-that contain negated path names which include globbing characters.
-This flag is I<off> by default.
-
-=item fqdn
-
-Set this flag if you want to put fully qualified host names in the
-I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
-You may still use the short form if you wish (and even mix the two).
-Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
-which may make B<sudo> unusable if DNS stops working (for example
-if the machine is not plugged into the network). Also note that
-you must use the host's official name as DNS knows it. That is,
-you may not use a host alias (C<CNAME> entry) due to performance
-issues and the fact that there is no way to get all aliases from
-DNS. If your machine's host name (as returned by the C<hostname>
-command) is already fully qualified you shouldn't need to set
-I<fqdn>. This flag is I<@fqdn@> by default.
-
-=item ignore_dot
-
-If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
-environment variable; the C<PATH> itself is not modified. This
-flag is I<@ignore_dot@> by default.
-
-=item ignore_local_sudoers
-
-If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
-This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only LDAP is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
-When this option is present, F<@sysconfdir@/sudoers> does not even need to
-exist. Since this option tells B<sudo> how to behave when no specific LDAP
-entries have been matched, this sudoOption is only meaningful for the
-C<cn=defaults> section. This flag is I<off> by default.
-
-=item insults
-
-If set, B<sudo> will insult users when they enter an incorrect
-password. This flag is I<@insults@> by default.
-
-=item log_host
-
-If set, the host name will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item log_input
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-
-Input is logged to the directory specified by the I<iolog_dir>
-option (F<@iolog_dir@> by default) using a unique session ID that
-is included in the normal B<sudo> log line, prefixed with I<TSID=>.
-The I<iolog_file> option may be used to control the format of the
-session ID.
-
-Note that user input may contain sensitive information such as
-passwords (even if they are not echoed to the screen), which will
-be stored in the log file unencrypted. In most cases, logging the
-command output via I<log_output> is all that is required.
-
-=item log_output
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-output that is sent to the screen, similar to the script(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-
-Output is logged to the directory specified by the I<iolog_dir>
-option (F<@iolog_dir@> by default) using a unique session ID that
-is included in the normal B<sudo> log line, prefixed with I<TSID=>.
-The I<iolog_file> option may be used to control the format of the
-session ID.
-
-Output logs may be viewed with the L<sudoreplay(8)> utility, which
-can also be used to list or search the available logs.
-
-=item log_year
-
-If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item long_otp_prompt
-
-When validating with a One Time Password (OTP) scheme such as
-B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
-to cut and paste the challenge to a local window. It's not as
-pretty as the default but some people find it more convenient. This
-flag is I<@long_otp_prompt@> by default.
-
-=item mail_always
-
-Send mail to the I<mailto> user every time a users runs B<sudo>.
-This flag is I<off> by default.
-
-=item mail_badpass
-
-Send mail to the I<mailto> user if the user running B<sudo> does not
-enter the correct password. This flag is I<off> by default.
-
-=item mail_no_host
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user exists in the I<sudoers> file, but is not allowed to run
-commands on the current host. This flag is I<@mail_no_host@> by default.
-
-=item mail_no_perms
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user is allowed to use B<sudo> but the command they are trying is not
-listed in their I<sudoers> file entry or is explicitly denied.
-This flag is I<@mail_no_perms@> by default.
-
-=item mail_no_user
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
-by default.
-
-=item noexec
-
-If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
-tag has been set, unless overridden by a C<EXEC> tag. See the
-description of I<NOEXEC and EXEC> below as well as the L<Preventing Shell
-Escapes> section at the end of this manual. This flag is I<off> by default.
-
-=item path_info
-
-Normally, B<sudo> will tell the user when a command could not be
-found in their C<PATH> environment variable. Some sites may wish
-to disable this as it could be used to gather information on the
-location of executables that the normal user does not have access
-to. The disadvantage is that if the executable is simply not in
-the user's C<PATH>, B<sudo> will tell the user that they are not
-allowed to run it, which can be confusing. This flag is I<@path_info@>
-by default.
-
-=item passprompt_override
-
-The password prompt specified by I<passprompt> will normally only
-be used if the password prompt provided by systems such as PAM matches
-the string "Password:". If I<passprompt_override> is set, I<passprompt>
-will always be used. This flag is I<off> by default.
-
-=item preserve_groups
-
-By default, B<sudo> will initialize the group vector to the list of
-groups the target user is in. When I<preserve_groups> is set, the
-user's existing group vector is left unaltered. The real and
-effective group IDs, however, are still set to match the target
-user. This flag is I<off> by default.
-
-=item pwfeedback
-
-By default, B<sudo> reads the password like most other Unix programs,
-by turning off echo until the user hits the return (or enter) key.
-Some users become confused by this as it appears to them that B<sudo>
-has hung at this point. When I<pwfeedback> is set, B<sudo> will
-provide visual feedback when the user presses a key. Note that
-this does have a security impact as an onlooker may be able to
-determine the length of the password being entered.
-This flag is I<off> by default.
-
-=item requiretty
-
-If set, B<sudo> will only run when the user is logged in to a real
-tty. When this flag is set, B<sudo> can only be run from a login
-session and not via other means such as L<cron(8)> or cgi-bin scripts.
-This flag is I<off> by default.
-
-=item root_sudo
-
-If set, root is allowed to run B<sudo> too. Disabling this prevents users
-from "chaining" B<sudo> commands to get a root shell by doing something
-like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
-will also prevent root from running B<sudoedit>.
-Disabling I<root_sudo> provides no real additional security; it
-exists purely for historical reasons.
-This flag is I<@root_sudo@> by default.
-
-=item rootpw
-
-If set, B<sudo> will prompt for the root password instead of the password
-of the invoking user. This flag is I<off> by default.
-
-=item runaspw
-
-If set, B<sudo> will prompt for the password of the user defined by the
-I<runas_default> option (defaults to C<@runas_default@>) instead of the
-password of the invoking user. This flag is I<off> by default.
-
-=item set_home
-
-If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
-environment variable will be set to the home directory of the target
-user (which is root unless the B<-u> option is used). This effectively
-makes the B<-s> option imply B<-H>. Note that C<HOME> is already
-set when the the I<env_reset> option is enabled, so I<set_home> is
-only effective for configurations where either I<env_reset> is disabled
-or C<HOME> is present in the I<env_keep> list.
-This flag is I<off> by default.
-
-=item set_logname
-
-Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
-environment variables to the name of the target user (usually root
-unless the B<-u> option is given). However, since some programs
-(including the RCS revision control system) use C<LOGNAME> to
-determine the real identity of the user, it may be desirable to
-change this behavior. This can be done by negating the set_logname
-option. Note that if the I<env_reset> option has not been disabled,
-entries in the I<env_keep> list will override the value of
-I<set_logname>. This flag is I<on> by default.
-
-=item set_utmp
-
-When enabled, B<sudo> will create an entry in the utmp (or utmpx)
-file when a pseudo-tty is allocated. A pseudo-tty is allocated by
-B<sudo> when the I<log_input>, I<log_output> or I<use_pty> flags
-are enabled. By default, the new entry will be a copy of the user's
-existing utmp entry (if any), with the tty, time, type and pid
-fields updated. This flag is I<on> by default.
-
-=item setenv
-
-Allow the user to disable the I<env_reset> option from the command
-line via the B<-E> option. Additionally, environment variables set
-via the command line are not subject to the restrictions imposed
-by I<env_check>, I<env_delete>, or I<env_keep>. As such, only
-trusted users should be allowed to set variables in this manner.
-This flag is I<off> by default.
-
-=item shell_noargs
-
-If set and B<sudo> is invoked with no arguments it acts as if the
-B<-s> option had been given. That is, it runs a shell as root (the
-shell is determined by the C<SHELL> environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is I<off> by default.
-
-=item stay_setuid
-
-Normally, when B<sudo> executes a command the real and effective
-UIDs are set to the target user (root by default). This option
-changes that behavior such that the real UID is left as the invoking
-user's UID. In other words, this makes B<sudo> act as a setuid
-wrapper. This can be useful on systems that disable some potentially
-dangerous functionality when a program is run setuid. This option
-is only effective on systems with either the setreuid() or setresuid()
-function. This flag is I<off> by default.
-
-=item targetpw
-
-If set, B<sudo> will prompt for the password of the user specified
-by the B<-u> option (defaults to C<root>) instead of the password
-of the invoking user. In addition, the timestamp file name will
-include the target user's name. Note that this flag precludes the
-use of a uid not listed in the passwd database as an argument to
-the B<-u> option. This flag is I<off> by default.
-
-=item tty_tickets
-
-If set, users must authenticate on a per-tty basis. With this flag
-enabled, B<sudo> will use a file named for the tty the user is
-logged in on in the user's time stamp directory. If disabled, the
-time stamp of the directory is used instead. This flag is
-I<@tty_tickets@> by default.
-
-=item umask_override
-
-If set, B<sudo> will set the umask as specified by I<sudoers> without
-modification. This makes it possible to specify a more permissive
-umask in I<sudoers> than the user's own umask and matches historical
-behavior. If I<umask_override> is not set, B<sudo> will set the
-umask to be the union of the user's umask and what is specified in
-I<sudoers>. This flag is I<@umask_override@> by default.
-
-=item use_loginclass
-
-If set, B<sudo> will apply the defaults specified for the target user's
-login class if one exists. Only available if B<sudo> is configured with
-the --with-logincap option. This flag is I<off> by default.
-
-=item use_pty
-
-If set, B<sudo> will run the command in a pseudo-pty even if no I/O
-logging is being gone. A malicious program run under B<sudo> could
-conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing. Use
-of this option will make that impossible. This flag is I<off> by default.
-
-=item utmp_runas
-
-If set, B<sudo> will store the name of the runas user when updating
-the utmp (or utmpx) file. By default, B<sudo> stores the name of
-the invoking user. This flag is I<off> by default.
-
-=item visiblepw
-
-By default, B<sudo> will refuse to run if the user must enter a
-password but it is not possible to disable echo on the terminal.
-If the I<visiblepw> flag is set, B<sudo> will prompt for a password
-even when it would be visible on the screen. This makes it possible
-to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
-not allocate a tty. This flag is I<off> by default.
-
-=back
-
-B<Integers>:
-
-=over 16
-
-=item closefrom
-
-Before it executes a command, B<sudo> will close all open file
-descriptors other than standard input, standard output and standard
-error (ie: file descriptors 0-2). The I<closefrom> option can be used
-to specify a different file descriptor at which to start closing.
-The default is C<3>.
-
-=item passwd_tries
-
-The number of tries a user gets to enter his/her password before
-B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
-
-=back
-
-B<Integers that can be used in a boolean context>:
-
-=over 16
-
-=item loglinelen
-
-Number of characters per line for the file log. This value is used
-to decide when to wrap lines for nicer log files. This has no
-effect on the syslog log file, only the file log. The default is
-C<@loglen@> (use 0 or negate the option to disable word wrap).
-
-=item passwd_timeout
-
-Number of minutes before the B<sudo> password prompt times out, or
-C<0> for no timeout. The timeout may include a fractional component
-if minute granularity is insufficient, for example C<2.5>. The
-default is C<@password_timeout@>.
-
-=item timestamp_timeout
-
-Number of minutes that can elapse before B<sudo> will ask for a
-passwd again. The timeout may include a fractional component if
-minute granularity is insufficient, for example C<2.5>. The default
-is C<@timeout@>. Set this to C<0> to always prompt for a password.
-If set to a value less than C<0> the user's timestamp will never
-expire. This can be used to allow users to create or delete their
-own timestamps via C<sudo -v> and C<sudo -k> respectively.
-
-=item umask
-
-Umask to use when running the command. Negate this option or set
-it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and the value of the
-I<umask> option, which defaults to C<@sudo_umask@>. This guarantees
-that B<sudo> never lowers the umask when running a command. Note
-on systems that use PAM, the default PAM configuration may specify
-its own umask which will override the value set in I<sudoers>.
-
-=back
-
-B<Strings>:
-
-=over 16
-
-=item badpass_message
-
-Message that is displayed if a user enters an incorrect password.
-The default is C<@badpass_message@> unless insults are enabled.
-
-=item editor
-
-A colon (':') separated list of editors allowed to be used with
-B<visudo>. B<visudo> will choose the editor that matches the user's
-EDITOR environment variable if possible, or the first editor in the
-list that exists and is executable. The default is C<"@editor@">.
-
-=item iolog_dir
-
-The top-level directory to use when constructing the path name for
-the input/output log directory. Only used if the I<log_input> or
-I<log_output> options are enabled or when the C<LOG_INPUT> or
-C<LOG_OUTPUT> tags are present for a command. The session sequence
-number, if any, is stored in the directory.
-The default is C<"@iolog_dir@">.
-
-The following percent (`C<%>') escape sequences are supported:
-
-=over 4
-
-=item C<%{seq}>
-
-expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
-where every two digits are used to form a new directory, e.g. F<01/00/A5>
-
-=item C<%{user}>
-
-expanded to the invoking user's login name
-
-=item C<%{group}>
-
-expanded to the name of the invoking user's real group ID
-
-=item C<%{runas_user}>
-
-expanded to the login name of the user the command will
-be run as (e.g. root)
-
-=item C<%{runas_group}>
-
-expanded to the group name of the user the command will
-be run as (e.g. wheel)
-
-=item C<%{hostname}>
-
-expanded to the local host name without the domain name
-
-=item C<%{command}>
-
-expanded to the base name of the command being run
-
-=back
-
-In addition, any escape sequences supported by the system's strftime()
-function will be expanded.
-
-To include a literal `C<%>' character, the string `C<%%>' should
-be used.
-
-=item iolog_file
-
-The path name, relative to I<iolog_dir>, in which to store input/output
-logs when the I<log_input> or I<log_output> options are enabled or
-when the C<LOG_INPUT> or C<LOG_OUTPUT> tags are present for a command.
-Note that I<iolog_file> may contain directory components.
-The default is C<"%{seq}">.
-
-See the I<iolog_dir> option above for a list of supported percent
-(`C<%>') escape sequences.
-
-In addition to the escape sequences, path names that end in six or
-more C<X>s will have the C<X>s replaced with a unique combination
-of digits and letters, similar to the mktemp() function.
-
-=item mailsub
-
-Subject of the mail sent to the I<mailto> user. The escape C<%h>
-will expand to the host name of the machine.
-Default is C<@mailsub@>.
-
-=item noexec_file
-
-This option is no longer supported. The path to the noexec file
-should now be set in the F<@sysconfdir@/sudo.conf> file.
-
-=item passprompt
-
-The default prompt to use when asking for a password; can be overridden
-via the B<-p> option or the C<SUDO_PROMPT> environment variable.
-The following percent (`C<%>') escape sequences are supported:
-
-=over 4
-
-=item C<%H>
-
-expanded to the local host name including the domain name
-(only if the machine's host name is fully qualified or the I<fqdn>
-option is set)
-
-=item C<%h>
-
-expanded to the local host name without the domain name
-
-=item C<%p>
-
-expanded to the user whose password is being asked for (respects the
-I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
-
-=item C<%U>
-
-expanded to the login name of the user the command will
-be run as (defaults to root)
-
-=item C<%u>
-
-expanded to the invoking user's login name
-
-=item C<%%>
-
-two consecutive C<%> characters are collapsed into a single C<%> character
-
-=back
-
-The default value is C<@passprompt@>.
-
-=item role
-
-The default SELinux role to use when constructing a new security
-context to run the command. The default role may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
-=item runas_default
-
-The default user to run commands as if the B<-u> option is not specified
-on the command line. This defaults to C<@runas_default@>.
-
-=item syslog_badpri
-
-Syslog priority to use when user authenticates unsuccessfully.
-Defaults to C<@badpri@>.
-
-The following syslog priorities are supported: B<alert>, B<crit>,
-B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
-
-=item syslog_goodpri
-
-Syslog priority to use when user authenticates successfully.
-Defaults to C<@goodpri@>.
-
-See L<syslog_badpri> for the list of supported syslog priorities.
-
-=item sudoers_locale
-
-Locale to use when parsing the sudoers file, logging commands, and
-sending email. Note that changing the locale may affect how sudoers
-is interpreted. Defaults to C<"C">.
-
-=item timestampdir
-
-The directory in which B<sudo> stores its timestamp files.
-The default is F<@timedir@>.
-
-=item timestampowner
-
-The owner of the timestamp directory and the timestamps stored therein.
-The default is C<root>.
-
-=item type
-
-The default SELinux type to use when constructing a new security
-context to run the command. The default type may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
-=back
-
-B<Strings that can be used in a boolean context>:
-
-=over 12
-
-=item env_file
-
-The I<env_file> option specifies the fully qualified path to a
-file containing variables to be set in the environment of the program
-being run. Entries in this file should either be of the form
-C<VARIABLE=value> or C<export VARIABLE=value>. The value may
-optionally be surrounded by single or double quotes. Variables in
-this file are subject to other B<sudo> environment settings such
-as I<env_keep> and I<env_check>.
-
-=item exempt_group
-
-Users in this group are exempt from password and PATH requirements.
-The group name specified should not include a C<%> prefix.
-This is not set by default.
-
-=item group_plugin
-
-A string containing a I<sudoers> group plugin with optional arguments.
-This can be used to implement support for the C<nonunix_group>
-syntax described earlier. The string should consist of the plugin
-path, either fully-qualified or relative to the F<@prefix@/libexec>
-directory, followed by any configuration arguments the plugin
-requires. These arguments (if any) will be passed to the plugin's
-initialization function. If arguments are present, the string must
-be enclosed in double quotes (C<">).
-
-For example, given F</etc/sudo-group>, a group file in Unix group
-format, the sample group plugin can be used:
-
- Defaults group_plugin="sample_group.so /etc/sudo-group"
-
-For more information see L<sudo_plugin(5)>.
-
-=item lecture
-
-This option controls when a short lecture will be printed along with
-the password prompt. It has the following possible values:
-
-=over 8
-
-=item always
-
-Always lecture the user.
-
-=item never
-
-Never lecture the user.
-
-=item once
-
-Only lecture the user the first time they run B<sudo>.
-
-=back
-
-If no value is specified, a value of I<once> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<@lecture@>.
-
-=item lecture_file
-
-Path to a file containing an alternate B<sudo> lecture that will
-be used in place of the standard lecture if the named file exists.
-By default, B<sudo> uses a built-in lecture.
-
-=item listpw
-
-This option controls when a password will be required when a
-user runs B<sudo> with the B<-l> option. It has the following possible values:
-
-=over 8
-
-=item all
-
-All the user's I<sudoers> entries for the current host must have
-the C<NOPASSWD> flag set to avoid entering a password.
-
-=item always
-
-The user must always enter a password to use the B<-l> option.
-
-=item any
-
-At least one of the user's I<sudoers> entries for the current host
-must have the C<NOPASSWD> flag set to avoid entering a password.
-
-=item never
-
-The user need never enter a password to use the B<-l> option.
-
-=back
-
-If no value is specified, a value of I<any> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<any>.
-
-=item logfile
-
-Path to the B<sudo> log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
-By default, B<sudo> logs via syslog.
-
-=item mailerflags
-
-Flags to use when invoking mailer. Defaults to B<-t>.
-
-=item mailerpath
-
-Path to mail program used to send warning mail.
-Defaults to the path to sendmail found at configure time.
-
-=item mailfrom
-
-Address to use for the "from" address when sending warning and error
-mail. The address should be enclosed in double quotes (C<">) to
-protect against B<sudo> interpreting the C<@> sign. Defaults to
-the name of the user running B<sudo>.
-
-=item mailto
-
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (C<">) to protect against B<sudo>
-interpreting the C<@> sign. Defaults to C<@mailto@>.
-
-=item secure_path
-
-Path used for every command run from B<sudo>. If you don't trust the
-people running B<sudo> to have a sane C<PATH> environment variable you may
-want to use this. Another use is if you want to have the "root path"
-be separate from the "user path." Users in the group specified by the
-I<exempt_group> option are not affected by I<secure_path>.
-This option is @secure_path@ by default.
-
-=item syslog
-
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to C<@logfac@>.
-
-The following syslog facilities are supported: B<authpriv> (if your
-OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
-B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
-
-=item verifypw
-
-This option controls when a password will be required when a user runs
-B<sudo> with the B<-v> option. It has the following possible values:
-
-=over 8
-
-=item all
-
-All the user's I<sudoers> entries for the current host must have
-the C<NOPASSWD> flag set to avoid entering a password.
-
-=item always
-
-The user must always enter a password to use the B<-v> option.
-
-=item any
-
-At least one of the user's I<sudoers> entries for the current host
-must have the C<NOPASSWD> flag set to avoid entering a password.
-
-=item never
-
-The user need never enter a password to use the B<-v> option.
-
-=back
-
-If no value is specified, a value of I<all> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<all>.
-
-=back
-
-B<Lists that can be used in a boolean context>:
-
-=over 16
-
-=item env_check
-
-Environment variables to be removed from the user's environment if
-the variable's value contains C<%> or C</> characters. This can
-be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double-quoted,
-space-separated list or a single value without double-quotes. The
-list can be replaced, added to, deleted from, or disabled by using
-the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
-of whether the C<env_reset> option is enabled or disabled, variables
-specified by C<env_check> will be preserved in the environment if
-they pass the aforementioned check. The default list of environment
-variables to check is displayed when B<sudo> is run by root with
-the I<-V> option.
-
-=item env_delete
-
-Environment variables to be removed from the user's environment
-when the I<env_reset> option is not in effect. The argument may
-be a double-quoted, space-separated list or a single value without
-double-quotes. The list can be replaced, added to, deleted from,
-or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
-respectively. The default list of environment variables to remove
-is displayed when B<sudo> is run by root with the I<-V> option.
-Note that many operating systems will remove potentially dangerous
-variables from the environment of any setuid process (such as
-B<sudo>).
-
-=item env_keep
-
-Environment variables to be preserved in the user's environment
-when the I<env_reset> option is in effect. This allows fine-grained
-control over the environment B<sudo>-spawned processes will receive.
-The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
-C<!> operators respectively. The default list of variables to keep
-is displayed when B<sudo> is run by root with the I<-V> option.
-
-=back
-
-=head1 SUDO.CONF
-
-The F<@sysconfdir@/sudo.conf> file determines which plugins the
-B<sudo> front end will load. If no F<@sysconfdir@/sudo.conf> file
-is present, or it contains no C<Plugin> lines, B<sudo> will use the
-I<sudoers> security policy and I/O logging, which corresponds to
-the following F<@sysconfdir@/sudo.conf> file.
-
- #
- # Default @sysconfdir@/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to @prefix@/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
-
-=head2 PLUGIN OPTIONS
-
-Starting with B<sudo> 1.8.5 it is possible to pass options to the
-I<sudoers> plugin. Options may be listed after the path to the
-plugin (i.e. after F<sudoers.so>); multiple options should be
-space-separated. For example:
-
- Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-
-The following plugin options are supported:
-
-=over 10
-
-=item sudoers_file=pathname
-
-The I<sudoers_file> option can be used to override the default path
-to the I<sudoers> file.
-
-=item sudoers_uid=uid
-
-The I<sudoers_uid> option can be used to override the default owner
-of the sudoers file. It should be specified as a numeric user ID.
-
-=item sudoers_gid=gid
-
-The I<sudoers_gid> option can be used to override the default group
-of the sudoers file. It should be specified as a numeric group ID.
-
-=item sudoers_mode=mode
-
-The I<sudoers_mode> option can be used to override the default file
-mode for the sudoers file. It should be specified as an octal value.
-
-=back
-
-=head2 DEBUG FLAGS
-
-Versions 1.8.4 and higher of the I<sudoers> plugin supports a
-debugging framework that can help track down what the plugin is
-doing internally if there is a problem. This can be configured in
-the F<@sysconfdir@/sudo.conf> file as described in L<sudo(8)>.
-
-The I<sudoers> plugin uses the same debug flag format as B<sudo>
-itself: I<subsystem>@I<priority>.
-
-The priorities used by I<sudoers>, in order of decreasing severity,
-are: I<crit>, I<err>, I<warn>, I<notice>, I<diag>, I<info>, I<trace>
-and I<debug>. Each priority, when specified, also includes all
-priorities higher than it. For example, a priority of I<notice>
-would include debug messages logged at I<notice> and higher.
-
-The following subsystems are used by I<sudoers>:
-
-=over 10
-
-=item I<alias>
-
-C<User_Alias>, C<Runas_Alias>, C<Host_Alias> and C<Cmnd_Alias> processing
-
-=item I<all>
-
-matches every subsystem
-
-=item I<audit>
-
-BSM and Linux audit code
-
-=item I<auth>
-
-user authentication
-
-=item I<defaults>
-
-I<sudoers> I<Defaults> settings
-
-=item I<env>
-
-environment handling
-
-=item I<ldap>
-
-LDAP-based sudoers
-
-=item I<logging>
-
-logging support
-
-=item I<match>
-
-matching of users, groups, hosts and netgroups in I<sudoers>
-
-=item I<netif>
-
-network interface handling
-
-=item I<nss>
-
-network service switch handling in I<sudoers>
-
-=item I<parser>
-
-I<sudoers> file parsing
-
-=item I<perms>
-
-permission setting
-
-=item I<plugin>
-
-The equivalent of I<main> for the plugin.
-
-=item I<pty>
-
-pseudo-tty related code
-
-=item I<rbtree>
-
-redblack tree internals
-
-=item I<util>
-
-utility functions
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F<@sysconfdir@/sudo.conf>
-
-Sudo front end configuration
-
-=item F<@sysconfdir@/sudoers>
-
-List of who can run what
-
-=item F</etc/group>
-
-Local groups file
-
-=item F</etc/netgroup>
-
-List of network groups
-
-=item F<@iolog_dir@>
-
-I/O log files
-
-=item F<@timedir@>
-
-Directory containing time stamps for the I<sudoers> security policy
-
-=item F</etc/environment>
-
-Initial environment for B<-i> mode on AIX and Linux systems
-
-=back
-
-=head1 EXAMPLES
-
-Below are example I<sudoers> entries. Admittedly, some of
-these are a bit contrived. First, we allow a few environment
-variables to pass and then define our I<aliases>:
-
- # Run X applications through sudo; HOME is used to find the
- # .Xauthority file. Note that other programs use HOME to find
- # configuration files and this may lead to privilege escalation!
- Defaults env_keep += "DISPLAY HOME"
-
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
-
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
- Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt
- Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
- /usr/local/bin/zsh
- Cmnd_Alias SU = /usr/bin/su
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-
-Here we override some of the compiled in default values. We want
-B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
-cases. We don't want to subject the full time staff to the B<sudo>
-lecture, user B<millert> need not give a password, and we don't
-want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
-variables when running commands as root. Additionally, on the
-machines in the I<SERVERS> C<Host_Alias>, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years. Lastly, we
-disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
-(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
-
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- Defaults!PAGERS noexec
-
-The I<User specification> is the part that actually determines who may
-run what.
-
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-
-We let B<root> and any user in group B<wheel> run any command on any
-host as any user.
-
- FULLTIMERS ALL = NOPASSWD: ALL
-
-Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
-command on any host without authenticating themselves.
-
- PARTTIMERS ALL = ALL
-
-Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
-command on any host but they must authenticate themselves first
-(since the entry lacks the C<NOPASSWD> tag).
-
- jack CSNETS = ALL
-
-The user B<jack> may run any command on the machines in the I<CSNETS> alias
-(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
-Of those networks, only C<128.138.204.0> has an explicit netmask (in
-CIDR notation) indicating it is a class C network. For the other
-networks in I<CSNETS>, the local machine's netmask will be used
-during matching.
-
- lisa CUNETS = ALL
-
-The user B<lisa> may run any command on any host in the I<CUNETS> alias
-(the class B network C<128.138.0.0>).
-
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
-
-The B<operator> user may run commands limited to simple maintenance.
-Here, those are commands related to backups, killing processes, the
-printing system, shutting down the system, and any commands in the
-directory F</usr/oper/bin/>.
-
- joe ALL = /usr/bin/su operator
-
-The user B<joe> may only L<su(1)> to operator.
-
- pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
-
- %opers ALL = (: ADMINGRP) /usr/sbin/
-
-Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
-with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
-groups).
-
-The user B<pete> is allowed to change anyone's password except for
-root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
-does not take multiple user names on the command line.
-
- bob SPARC = (OP) ALL : SGI = (OP) ALL
-
-The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
-as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
-
- jim +biglab = ALL
-
-The user B<jim> may run any command on machines in the I<biglab> netgroup.
-B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
-
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-
-Users in the B<secretaries> netgroup need to help manage the printers
-as well as add and remove users, so they are allowed to run those
-commands on all machines.
-
- fred ALL = (DB) NOPASSWD: ALL
-
-The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
-(B<oracle> or B<sybase>) without giving a password.
-
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
-On the I<ALPHA> machines, user B<john> may su to anyone except root
-but he is not allowed to specify any options to the L<su(1)> command.
-
- jen ALL, !SERVERS = ALL
-
-The user B<jen> may run any command on any machine except for those
-in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
-
- jill SERVERS = /usr/bin/, !SU, !SHELLS
-
-For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
-any commands in the directory F</usr/bin/> except for those commands
-belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
-
- steve CSNETS = (operator) /usr/local/op_commands/
-
-The user B<steve> may run any command in the directory /usr/local/op_commands/
-but only as user operator.
-
- matt valkyrie = KILL
-
-On his personal workstation, valkyrie, B<matt> needs to be able to
-kill hung processes.
-
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-
-On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
-wendy, and wim), may run any command as user www (which owns the
-web pages) or simply L<su(1)> to www.
-
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
-Any user may mount or unmount a CD-ROM on the machines in the CDROM
-C<Host_Alias> (orion, perseus, hercules) without entering a password.
-This is a bit tedious for users to type, so it is a prime candidate
-for encapsulating in a shell script.
-
-=head1 SECURITY NOTES
-
-=head2 Limitations of the '!' operator
-
-It is generally not effective to "subtract" commands from C<ALL>
-using the '!' operator. A user can trivially circumvent this
-by copying the desired command to a different name and then
-executing that. For example:
-
- bill ALL = ALL, !SU, !SHELLS
-
-Doesn't really prevent B<bill> from running the commands listed in
-I<SU> or I<SHELLS> since he can simply copy those commands to a
-different name, or use a shell escape from an editor or other
-program. Therefore, these kind of restrictions should be considered
-advisory at best (and reinforced by policy).
-
-In general, if a user has sudo C<ALL> there is nothing to prevent
-them from creating their own program that gives them a root shell
-(or making their own copy of a shell) regardless of any '!' elements
-in the user specification.
-
-=head2 Security implications of I<fast_glob>
-
-If the I<fast_glob> option is in use, it is not possible
-to reliably negate commands where the path name includes globbing
-(aka wildcard) characters. This is because the C library's
-L<fnmatch(3)> function cannot resolve relative paths. While this
-is typically only an inconvenience for rules that grant privileges,
-it can result in a security issue for rules that subtract or revoke
-privileges.
-
-For example, given the following I<sudoers> entry:
-
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
- /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
-
-User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
-enabled by changing to F</usr/bin> and running C<./passwd root> instead.
-
-=head2 Preventing Shell Escapes
-
-Once B<sudo> executes a program, that program is free to do whatever
-it pleases, including run other programs. This can be a security
-issue since it is not uncommon for a program to allow shell escapes,
-which lets a user bypass B<sudo>'s access control and logging.
-Common programs that permit shell escapes include shells (obviously),
-editors, paginators, mail and terminal programs.
-
-There are two basic approaches to this problem:
-
-=over 10
-
-=item restrict
-
-Avoid giving users access to commands that allow the user to run
-arbitrary commands. Many editors have a restricted mode where shell
-escapes are disabled, though B<sudoedit> is a better solution to
-running editors via B<sudo>. Due to the large number of programs that
-offer shell escapes, restricting users to the set of programs that
-do not is often unworkable.
-
-=item noexec
-
-Many systems that support shared libraries have the ability to
-override default library functions by pointing an environment
-variable (usually C<LD_PRELOAD>) to an alternate shared library.
-On such systems, B<sudo>'s I<noexec> functionality can be used to
-prevent a program run by B<sudo> from executing any other programs.
-Note, however, that this applies only to native dynamically-linked
-executables. Statically-linked executables and foreign executables
-running under binary emulation are not affected.
-
-The I<noexec> feature is known to work on SunOS, Solaris, *BSD,
-Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
-It should be supported on most operating systems that support the
-C<LD_PRELOAD> environment variable. Check your operating system's
-manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
-dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
-
-On Solaris 10 and higher, I<noexec> uses Solaris privileges instead
-of the C<LD_PRELOAD> environment variable.
-
-To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
-in the User Specification section above. Here is that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
-This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
-with I<noexec> enabled. This will prevent those two commands from
-executing other commands (such as a shell). If you are unsure
-whether or not your system is capable of supporting I<noexec> you
-can always just try it out and check whether shell escapes work
-when I<noexec> is enabled.
-
-=back
-
-Note that restricting shell escapes is not a panacea. Programs
-running as root are still capable of many potentially hazardous
-operations (such as changing or overwriting files) that could lead
-to unintended privilege escalation. In the specific case of an
-editor, a safer approach is to give the user permission to run
-B<sudoedit>.
-
-=head2 Time stamp file checks
-
-I<sudoers> will check the ownership of its time stamp directory
-(F<@timedir@> by default) and ignore the directory's contents if
-it is not owned by root or if it is writable by a user other than
-root. On systems that allow non-root users to give away files via
-L<chown(2)>, if the time stamp directory is located in a world-writable
-directory (e.g., F</tmp>), it is possible for a user to create the
-time stamp directory before B<sudo> is run. However, because
-I<sudoers> checks the ownership and mode of the directory and its
-contents, the only damage that can be done is to "hide" files by
-putting them in the time stamp dir. This is unlikely to happen
-since once the time stamp dir is owned by root and inaccessible by
-any other user, the user placing files there would be unable to get
-them back out.
-
-I<sudoers> will not honor time stamps set far in the future. Time
-stamps with a date greater than current_time + 2 * C<TIMEOUT> will
-be ignored and sudo will log and complain. This is done to keep a
-user from creating his/her own time stamp with a bogus date on
-systems that allow users to give away files if the time stamp directory
-is located in a world-writable directory.
-
-On systems where the boot time is available, I<sudoers> will ignore
-time stamps that date from before the machine booted.
-
-Since time stamp files live in the file system, they can outlive a
-user's login session. As a result, a user may be able to login,
-run a command with B<sudo> after authenticating, logout, login
-again, and run B<sudo> without authenticating so long as the time
-stamp file's modification time is within C<@timeout@> minutes (or
-whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
-option is enabled, the time stamp has per-tty granularity but still
-may outlive the user's session. On Linux systems where the devpts
-filesystem is used, Solaris systems with the devices filesystem,
-as well as other systems that utilize a devfs filesystem that
-monotonically increase the inode number of devices as they are
-created (such as Mac OS X), I<sudoers> is able to determine when a
-tty-based time stamp file is stale and will ignore it. Administrators
-should not rely on this feature as it is not universally available.
-
-=head1 SEE ALSO
-
-L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<mktemp(3)>, L<strftime(3)>,
-L<sudoers.ldap(5)>, L<sudo_plugin(8)>, L<sudo(8)>, L<visudo(8)>
-
-=head1 CAVEATS
-
-The I<sudoers> file should B<always> be edited by the B<visudo>
-command which locks the file and does grammatical checking. It is
-imperative that I<sudoers> be free of syntax errors since B<sudo>
-will not run with a syntactically incorrect I<sudoers> file.
-
-When using netgroups of machines (as opposed to users), if you
-store fully qualified host name in the netgroup (as is usually the
-case), you either need to have the machine's host name be fully qualified
-as returned by the C<hostname> command or use the I<fqdn> option in
-I<sudoers>.
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
+SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m)
N\bNA\bAM\bME\bE
- sudoreplay - replay sudo session logs
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by - replay sudo session logs
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt] [-\b-s\bs
- _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt]
+ [-\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -l [search expression]
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -\b-l\bl [search expression]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the output logs created by s\bsu\bud\bdo\bo. When
- replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
- playback speed may be adjusted (faster or slower) based on the command
- line options.
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the output logs created by s\bsu\bud\bdo\bo. When
+ replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
+ playback speed may be adjusted (faster or slower) based on the command
+ line options.
- The _\bI_\bD should either be a six character sequence of digits and upper
- case letters, e.g. 0100A5, or a pattern matching the _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
- in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. When a command is run via s\bsu\bud\bdo\bo with _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
- enabled in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, a TSID=ID string is logged via syslog or
- to the s\bsu\bud\bdo\bo log file. The _\bI_\bD may also be determined using s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by's
- list mode.
+ The _\bI_\bD should either be a six character sequence of digits and upper case
+ letters, e.g. 0100A5, or a pattern matching the _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file. When a command is run via s\bsu\bud\bdo\bo with _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt enabled in
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file, a TSID=ID string is logged via syslog or to the s\bsu\bud\bdo\bo
+ log file. The _\bI_\bD may also be determined using s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by's list mode.
- In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based
- on a number of criteria such as the user, tty or command run.
+ In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based on
+ a number of criteria such as the user, tty or command run.
- In replay mode, if the standard output has not been redirected,
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will act on the following keys:
+ In replay mode, if the standard output has not been redirected,
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will act on the following keys:
- ' ' (space)
- Pause output; press any key to resume.
+ ` ' (space) Pause output; press any key to resume.
- '<' Reduce the playback speed by one half.
+ `<' Reduce the playback speed by one half.
- '>' Double the playback speed.
+ `>' Double the playback speed.
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by accepts the following command line options:
+ The options are as follows:
- -d _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
- Use _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by to for the session logs instead of the
+ -\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by Use _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by to for the session logs instead of the
default, _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
- -f _\bf_\bi_\bl_\bt_\be_\br By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will play back the command's
- standard output, standard error and tty output. The _\b-_\bf
+ -\b-f\bf _\bf_\bi_\bl_\bt_\be_\br By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will play back the command's
+ standard output, standard error and tty output. The -\b-f\bf
option can be used to select which of these to output. The
_\bf_\bi_\bl_\bt_\be_\br argument is a comma-separated list, consisting of
one or more of following: _\bs_\bt_\bd_\bo_\bu_\bt, _\bs_\bt_\bd_\be_\br_\br, and _\bt_\bt_\by_\bo_\bu_\bt.
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print a short
+ -\b-h\bh The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print a short
help message to the standard output and exit.
- -l [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
- Enable "list mode". In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
+ -\b-l\bl [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
+ Enable ``list mode''. In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
available sessions in a format similar to the s\bsu\bud\bdo\bo log file
format, sorted by file name (or sequence number). If a
_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is specified, it will be used to restrict
the IDs that are displayed. An expression is composed of
the following predicates:
- command _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn
+ command _\bp_\ba_\bt_\bt_\be_\br_\bn
Evaluates to true if the command run matches
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular
- expression support, the pattern may be an extended
- regular expression. On systems without POSIX
- regular expression support, a simple substring
- match is performed instead.
+ _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular expression
+ support, the pattern may be an extended regular
+ expression. On systems without POSIX regular
+ expression support, a simple substring match is
+ performed instead.
cwd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
Evaluates to true if the command was run with the
fromdate _\bd_\ba_\bt_\be
Evaluates to true if the command was run on or
- after _\bd_\ba_\bt_\be. See "Date and time format" for a
+ after _\bd_\ba_\bt_\be. See _\bD_\ba_\bt_\be _\ba_\bn_\bd _\bt_\bi_\bm_\be _\bf_\bo_\br_\bm_\ba_\bt for a
description of supported date and time formats.
group _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp
todate _\bd_\ba_\bt_\be
Evaluates to true if the command was run on or
- prior to _\bd_\ba_\bt_\be. See "Date and time format" for a
+ prior to _\bd_\ba_\bt_\be. See _\bD_\ba_\bt_\be _\ba_\bn_\bd _\bt_\bi_\bm_\be _\bf_\bo_\br_\bm_\ba_\bt for a
description of supported date and time formats.
- tty _\bt_\bt_\by Evaluates to true if the command was run on the
- specified terminal device. The _\bt_\bt_\by should be
- specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
+ tty _\bt_\bt_\by _\bn_\ba_\bm_\be
+ Evaluates to true if the command was run on the
+ specified terminal device. The _\bt_\bt_\by _\bn_\ba_\bm_\be should be
+ specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
instead of _\b/_\bd_\be_\bv_\b/_\bt_\bt_\by_\b0_\b1.
user _\bu_\bs_\be_\br _\bn_\ba_\bm_\be
character).
Predicates may be combined using _\ba_\bn_\bd, _\bo_\br and _\b! operators as
- well as '(' and ')' for grouping (note that parentheses
- must generally be escaped from the shell). The _\ba_\bn_\bd
- operator is optional, adjacent predicates have an implied
- _\ba_\bn_\bd unless separated by an _\bo_\br.
+ well as `(' and `)' grouping (note that parentheses must
+ generally be escaped from the shell). The _\ba_\bn_\bd operator is
+ optional, adjacent predicates have an implied _\ba_\bn_\bd unless
+ separated by an _\bo_\br.
- -m _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
- presses or output data. By default, s\bsu\bud\bdo\bo_\b_r\bre\bep\bpl\bla\bay\by will
+ -\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
+ presses or output data. By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
- session includes long pauses. When the _\b-_\bm option is
+ session includes long pauses. When the -\b-m\bm option is
specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will limit these pauses to at most
_\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt seconds. The value may be specified as a floating
- point number, .e.g. _\b2_\b._\b5.
+ point number, e.g. _\b2_\b._\b5.
- -s _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
+ -\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of
seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For
example, a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b2 would make the output twice as
- fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of <.5> would make the output
+ fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b._\b5 would make the output
twice as slow.
- -V The -\b-V\bV (version) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print its
+ -\b-V\bV The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print its
version number and exit.
D\bDa\bat\bte\be a\ban\bnd\bd t\bti\bim\bme\be f\bfo\bor\brm\bma\bat\bt
- The time and date may be specified multiple ways, common formats
- include:
+ The time and date may be specified multiple ways, common formats include:
- HH:MM:SS am MM/DD/CCYY timezone
- 24 hour time may be used in place of am/pm.
+ HH:MM:SS am MM/DD/CCYY timezone
+ 24 hour time may be used in place of am/pm.
- HH:MM:SS am Month, Day Year timezone
- 24 hour time may be used in place of am/pm, and month and day
- names may be abbreviated. Note that month and day of the week
- names must be specified in English.
+ HH:MM:SS am Month, Day Year timezone
+ 24 hour time may be used in place of am/pm, and month and day
+ names may be abbreviated. Note that month and day of the week
+ names must be specified in English.
- CCYY-MM-DD HH:MM:SS
- ISO time format
+ CCYY-MM-DD HH:MM:SS
+ ISO time format
- DD Month CCYY HH:MM:SS
- The month name may be abbreviated.
+ DD Month CCYY HH:MM:SS
+ The month name may be abbreviated.
- Either time or date may be omitted, the am/pm and timezone are
- optional. If no date is specified, the current day is assumed; if no
- time is specified, the first second of the specified date is used. The
- less significant parts of both time and date may also be omitted, in
- which case zero is assumed. For example, the following are all valid:
+ Either time or date may be omitted, the am/pm and timezone are optional.
+ If no date is specified, the current day is assumed; if no time is
+ specified, the first second of the specified date is used. The less
+ significant parts of both time and date may also be omitted, in which
+ case zero is assumed.
- The following are all valid time and date specifications:
+ The following are all valid time and date specifications:
- now The current time and date.
+ now The current time and date.
- tomorrow
- Exactly one day from now.
+ tomorrow
+ Exactly one day from now.
- yesterday
- 24 hours ago.
+ yesterday
+ 24 hours ago.
- 2 hours ago
- 2 hours ago.
+ 2 hours ago
+ 2 hours ago.
- next Friday
- The first second of the next Friday.
+ next Friday
+ The first second of the next Friday.
- this week
- The current time but the first day of the coming week.
+ this week
+ The current time but the first day of the coming week.
- a fortnight ago
- The current time but 14 days ago.
+ a fortnight ago
+ The current time but 14 days ago.
- 10:01 am 9/17/2009
- 10:01 am, September 17, 2009.
+ 10:01 am 9/17/2009
+ 10:01 am, September 17, 2009.
- 10:01 am
- 10:01 am on the current day.
+ 10:01 am
+ 10:01 am on the current day.
- 10 10:00 am on the current day.
+ 10 10:00 am on the current day.
- 9/17/2009
- 00:00 am, September 17, 2009.
+ 9/17/2009
+ 00:00 am, September 17, 2009.
- 10:01 am Sep 17, 2009
- 10:01 am, September 17, 2009.
+ 10:01 am Sep 17, 2009
+ 10:01 am, September 17, 2009.
F\bFI\bIL\bLE\bES\bS
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo The default I/O log directory.
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo The default I/O log directory.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bl_\bo_\bg
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bl_\bo_\bg
Example session log info.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bi_\bn
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bi_\bn
Example session standard input log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bo_\bu_\bt
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bo_\bu_\bt
Example session standard output log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\be_\br_\br
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\be_\br_\br
Example session standard error log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bi_\bn
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bi_\bn
Example session tty input file.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bo_\bu_\bt
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bo_\bu_\bt
Example session tty output file.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bi_\bm_\bi_\bn_\bg
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bi_\bm_\bi_\bn_\bg
Example session timing file.
- Note that the _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt and _\bs_\bt_\bd_\be_\br_\br files will be empty unless s\bsu\bud\bdo\bo
- was used as part of a pipeline for a particular command.
+ Note that the _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt and _\bs_\bt_\bd_\be_\br_\br files will be empty unless s\bsu\bud\bdo\bo
+ was used as part of a pipeline for a particular command.
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
+ List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
- sudoreplay -l user millert
+ # sudoreplay -l user millert
- List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
+ List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
- sudoreplay -l user bob command vi
+ # sudoreplay -l user bob command vi
- List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
+ List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
- sudoreplay -l user jeff command '/bin/[a-z]*sh'
+ # sudoreplay -l user jeff command '/bin/[a-z]*sh'
- List sessions run by jeff or bob on the console:
+ List sessions run by jeff or bob on the console:
- sudoreplay -l ( user jeff or user bob ) tty console
+ # sudoreplay -l ( user jeff or user bob ) tty console
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bs_\bu_\bd_\bo(1m), _\bs_\bc_\br_\bi_\bp_\bt(1)
+ sudo(1m), script(1)
-A\bAU\bUT\bTH\bHO\bOR\bR
- Todd C. Miller
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Todd C. Miller
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, please submit a bug
- report at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, please submit a bug
+ report at http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.8.5 April 16, 2012 SUDOREPLAY(1m)
+Sudo 1.8.6 July 12, 2012 Sudo 1.8.6
-.\" Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in
+.\"
+.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "April 16, 2012" "1.8.5" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDOREPLAY" "@mansectsu@" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudoreplay \- replay sudo session logs
+\fBsudoreplay\fR
+\- replay sudo session logs
.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] [\fB\-f\fR \fIfilter\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0
-.PP
-\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] \-l [search expression]
+.HP 11n
+\fBsudoreplay\fR
+[\fB\-h\fR]
+[\fB\-d\fR\ \fIdirectory\fR]
+[\fB\-f\fR\ \fIfilter\fR]
+[\fB\-m\fR\ \fImax_wait\fR]
+[\fB\-s\fR\ \fIspeed_factor\fR]
+ID
+.HP 11n
+\fBsudoreplay\fR
+[\fB\-h\fR]
+[\fB\-d\fR\ \fIdirectory\fR]
+\fB\-l\fR
+[search expression]
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fBsudoreplay\fR plays back or lists the output logs created by \fBsudo\fR.
-When replaying, \fBsudoreplay\fR can play the session back in real-time,
-or the playback speed may be adjusted (faster or slower) based on
-the command line options.
+\fBsudoreplay\fR
+plays back or lists the output logs created by
+\fBsudo\fR.
+When replaying,
+\fBsudoreplay\fR
+can play the session back in real-time, or the playback speed may be
+adjusted (faster or slower) based on the command line options.
.PP
-The \fI\s-1ID\s0\fR should either be a six character sequence of digits and
-upper case letters, e.g. \f(CW\*(C`0100A5\*(C'\fR, or a pattern matching the
-\&\fIiolog_file\fR option in the \fIsudoers\fR file. When a command is run
-via \fBsudo\fR with \fIlog_output\fR enabled in the \fIsudoers\fR file, a
-\&\f(CW\*(C`TSID=ID\*(C'\fR string is logged via syslog or to the \fBsudo\fR log file.
-The \fI\s-1ID\s0\fR may also be determined using \fBsudoreplay\fR's list mode.
+The
+\fIID\fR
+should either be a six character sequence of digits and
+upper case letters, e.g.\&
+\fR0100A5\fR,
+or a pattern matching the
+\fIiolog_file\fR
+option in the
+\fIsudoers\fR
+file.
+When a command is run via
+\fBsudo\fR
+with
+\fIlog_output\fR
+enabled in the
+\fIsudoers\fR
+file, a
+\fRTSID=ID\fR
+string is logged via syslog or to the
+\fBsudo\fR
+log file.
+The
+\fIID\fR
+may also be determined using
+\fBsudoreplay\fR's
+list mode.
.PP
-In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session
-based on a number of criteria such as the user, tty or command run.
+In list mode,
+\fBsudoreplay\fR
+can be used to find the ID of a session based on a number of criteria
+such as the user, tty or command run.
.PP
In replay mode, if the standard output has not been redirected,
-\&\fBsudoreplay\fR will act on the following keys:
-.IP "' ' (space)" 8
-.IX Item "' ' (space)"
+\fBsudoreplay\fR
+will act on the following keys:
+.TP 14n
+`\fR\ \fR' (space)
Pause output; press any key to resume.
-.IP "'<'" 8
+.TP 14n
+`<'
Reduce the playback speed by one half.
-.IP "'>'" 8
+.TP 14n
+`>'
Double the playback speed.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-\&\fBsudoreplay\fR accepts the following command line options:
-.IP "\-d \fIdirectory\fR" 12
-.IX Item "-d directory"
-Use \fIdirectory\fR to for the session logs instead of the default,
-\&\fI/var/log/sudo\-io\fR.
-.IP "\-f \fIfilter\fR" 12
-.IX Item "-f filter"
-By default, \fBsudoreplay\fR will play back the command's standard
-output, standard error and tty output. The \fI\-f\fR option can be
-used to select which of these to output. The \fIfilter\fR argument
-is a comma-separated list, consisting of one or more of following:
-\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR.
-.IP "\-h" 12
-.IX Item "-h"
-The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short
-help message to the standard output and exit.
-.IP "\-l [\fIsearch expression\fR]" 12
-.IX Item "-l [search expression]"
-Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available
-sessions in a format similar to the \fBsudo\fR log file format, sorted
-by file name (or sequence number). If a \fIsearch expression\fR is
-specified, it will be used to restrict the IDs that are displayed.
+.PP
+The options are as follows:
+.TP 14n
+\fB\-d\fR \fIdirectory\fR
+.br
+Use
+\fIdirectory\fR
+to for the session logs instead of the default,
+\fI@iolog_dir@\fR.
+.TP 14n
+\fB\-f\fR \fIfilter\fR
+By default,
+\fBsudoreplay\fR
+will play back the command's standard output, standard error and tty output.
+The
+\fB\-f\fR
+option can be used to select which of these to output.
+The
+\fIfilter\fR
+argument is a comma-separated list, consisting of one or more of following:
+\fIstdout\fR,
+\fIstderr\fR,
+and
+\fIttyout\fR.
+.TP 14n
+\fB\-h\fR
+The
+\fB\-h\fR (\fIhelp\fR)
+option causes
+\fBsudoreplay\fR
+to print a short help message to the standard output and exit.
+.TP 14n
+\fB\-l\fR [\fIsearch expression\fR]
+Enable
+``list mode''.
+In this mode,
+\fBsudoreplay\fR
+will list available sessions in a format similar to the
+\fBsudo\fR
+log file format, sorted by file name (or sequence number).
+If a
+\fIsearch expression\fR
+is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
-.RS 12
-.IP "command \fIcommand pattern\fR" 8
-.IX Item "command command pattern"
-Evaluates to true if the command run matches \fIcommand pattern\fR.
-On systems with \s-1POSIX\s0 regular expression support, the pattern may
-be an extended regular expression. On systems without \s-1POSIX\s0 regular
-expression support, a simple substring match is performed instead.
-.IP "cwd \fIdirectory\fR" 8
-.IX Item "cwd directory"
+.RS
+.TP 8n
+command \fIpattern\fR
+Evaluates to true if the command run matches
+\fIpattern\fR.
+On systems with POSIX regular expression support, the pattern may
+be an extended regular expression.
+On systems without POSIX regular expression support, a simple substring
+match is performed instead.
+.TP 8n
+cwd \fIdirectory\fR
Evaluates to true if the command was run with the specified current
working directory.
-.IP "fromdate \fIdate\fR" 8
-.IX Item "fromdate date"
-Evaluates to true if the command was run on or after \fIdate\fR.
-See \*(L"Date and time format\*(R" for a description of supported
-date and time formats.
-.IP "group \fIrunas_group\fR" 8
-.IX Item "group runas_group"
+.TP 8n
+fromdate \fIdate\fR
+Evaluates to true if the command was run on or after
+\fIdate\fR.
+See
+\fIDate and time format\fR
+for a description of supported date and time formats.
+.TP 8n
+group \fIrunas_group\fR
Evaluates to true if the command was run with the specified
-\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly
-specified when \fBsudo\fR was run this field will be empty in the log.
-.IP "runas \fIrunas_user\fR" 8
-.IX Item "runas runas_user"
-Evaluates to true if the command was run as the specified \fIrunas_user\fR.
-Note that \fBsudo\fR runs commands as user \fIroot\fR by default.
-.IP "todate \fIdate\fR" 8
-.IX Item "todate date"
-Evaluates to true if the command was run on or prior to \fIdate\fR.
-See \*(L"Date and time format\*(R" for a description of supported
-date and time formats.
-.IP "tty \fItty\fR" 8
-.IX Item "tty tty"
-Evaluates to true if the command was run on the specified terminal
-device. The \fItty\fR should be specified without the \fI/dev/\fR prefix,
-e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
-.IP "user \fIuser name\fR" 8
-.IX Item "user user name"
-Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
-.RE
-.RS 12
-.Sp
+\fIrunas_group\fR.
+Note that unless a
+\fIrunas_group\fR
+was explicitly specified when
+\fBsudo\fR
+was run this field will be empty in the log.
+.TP 8n
+runas \fIrunas_user\fR
+Evaluates to true if the command was run as the specified
+\fIrunas_user\fR.
+Note that
+\fBsudo\fR
+runs commands as user
+\fIroot\fR
+by default.
+.TP 8n
+todate \fIdate\fR
+Evaluates to true if the command was run on or prior to
+\fIdate\fR.
+See
+\fIDate and time format\fR
+for a description of supported date and time formats.
+.TP 8n
+tty \fItty name\fR
+Evaluates to true if the command was run on the specified terminal device.
+The
+\fItty name\fR
+should be specified without the
+\fI/dev/\fR
+prefix, e.g.\&
+\fItty01\fR
+instead of
+\fI/dev/tty01\fR.
+.TP 8n
+user \fIuser name\fR
+Evaluates to true if the ID matches a command run by
+\fIuser name\fR.
+.PP
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
-.Sp
-Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators
-as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses
-must generally be escaped from the shell). The \fIand\fR operator is
-optional, adjacent predicates have an implied \fIand\fR unless separated
-by an \fIor\fR.
+.sp
+Predicates may be combined using
+\fIand\fR,
+\fIor\fR
+and
+\fI\&!\fR
+operators as well as
+`\&('
+and
+`\&)'
+grouping (note that parentheses must generally be escaped from the shell).
+The
+\fIand\fR
+operator is optional, adjacent predicates have an implied
+\fIand\fR
+unless separated by an
+\fIor\fR.
+.PP
.RE
-.IP "\-m \fImax_wait\fR" 12
-.IX Item "-m max_wait"
-Specify an upper bound on how long to wait between key presses or
-output data. By default, \fBsudo_replay\fR will accurately reproduce
-the delays between key presses or program output. However, this
-can be tedious when the session includes long pauses. When the
-\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses
-to at most \fImax_wait\fR seconds. The value may be specified as a
-floating point number, .e.g. \fI2.5\fR.
-.IP "\-s \fIspeed_factor\fR" 12
-.IX Item "-s speed_factor"
-This option causes \fBsudoreplay\fR to adjust the number of seconds
-it will wait between key presses or program output. This can be
-used to slow down or speed up the display. For example, a
-\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas
-a \fIspeed_factor\fR of <.5> would make the output twice as slow.
-.IP "\-V" 12
-.IX Item "-V"
-The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number
+.PD 0
+.TP 14n
+\fB\-m\fR \fImax_wait\fR
+Specify an upper bound on how long to wait between key presses or output data.
+By default,
+\fBsudoreplay\fR
+will accurately reproduce the delays between key presses or program output.
+However, this can be tedious when the session includes long pauses.
+When the
+\fB\-m\fR
+option is specified,
+\fBsudoreplay\fR
+will limit these pauses to at most
+\fImax_wait\fR
+seconds.
+The value may be specified as a floating point number, e.g.\&
+\fI2.5\fR.
+.PD
+.TP 14n
+\fB\-s\fR \fIspeed_factor\fR
+This option causes
+\fBsudoreplay\fR
+to adjust the number of seconds it will wait between key presses or
+program output.
+This can be used to slow down or speed up the display.
+For example, a
+\fIspeed_factor\fR
+of
+\fI2\fR
+would make the output twice as fast whereas a
+\fIspeed_factor\fR
+of
+\fI.5\fR
+would make the output twice as slow.
+.TP 14n
+\fB\-V\fR
+The
+\fB\-V\fR (\fIversion\fR)
+option causes
+\fBsudoreplay\fR
+to print its version number
and exit.
.SS "Date and time format"
-.IX Subsection "Date and time format"
The time and date may be specified multiple ways, common formats include:
-.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8
-.IX Item "HH:MM:SS am MM/DD/CCYY timezone"
+.TP 8n
+HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
-.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8
-.IX Item "HH:MM:SS am Month, Day Year timezone"
+.TP 8n
+HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
-may be abbreviated. Note that month and day of the week names must
-be specified in English.
-.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8
-.IX Item "CCYY-MM-DD HH:MM:SS"
-\&\s-1ISO\s0 time format
-.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8
-.IX Item "DD Month CCYY HH:MM:SS"
+may be abbreviated.
+Note that month and day of the week names must be specified in English.
+.TP 8n
+CCYY-MM-DD HH:MM:SS
+ISO time format
+.TP 8n
+DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.PP
-Either time or date may be omitted, the am/pm and timezone are
-optional. If no date is specified, the current day is assumed; if
-no time is specified, the first second of the specified date is
-used. The less significant parts of both time and date may also
-be omitted, in which case zero is assumed. For example, the following
-are all valid:
+Either time or date may be omitted, the am/pm and timezone are optional.
+If no date is specified, the current day is assumed; if no time is
+specified, the first second of the specified date is used.
+The less significant parts of both time and date may also be omitted,
+in which case zero is assumed.
.PP
The following are all valid time and date specifications:
-.IP "now" 8
-.IX Item "now"
+.TP 8n
+now
The current time and date.
-.IP "tomorrow" 8
-.IX Item "tomorrow"
+.TP 8n
+tomorrow
Exactly one day from now.
-.IP "yesterday" 8
-.IX Item "yesterday"
+.TP 8n
+yesterday
24 hours ago.
-.IP "2 hours ago" 8
-.IX Item "2 hours ago"
+.TP 8n
+2 hours ago
2 hours ago.
-.IP "next Friday" 8
-.IX Item "next Friday"
+.TP 8n
+next Friday
The first second of the next Friday.
-.IP "this week" 8
-.IX Item "this week"
+.TP 8n
+this week
The current time but the first day of the coming week.
-.IP "a fortnight ago" 8
-.IX Item "a fortnight ago"
+.TP 8n
+a fortnight ago
The current time but 14 days ago.
-.IP "10:01 am 9/17/2009" 8
-.IX Item "10:01 am 9/17/2009"
+.TP 8n
+10:01 am 9/17/2009
10:01 am, September 17, 2009.
-.IP "10:01 am" 8
-.IX Item "10:01 am"
+.TP 8n
+10:01 am
10:01 am on the current day.
-.IP "10" 8
-.IX Item "10"
+.TP 8n
+10
10:00 am on the current day.
-.IP "9/17/2009" 8
-.IX Item "9/17/2009"
+.TP 8n
+9/17/2009
00:00 am, September 17, 2009.
-.IP "10:01 am Sep 17, 2009" 8
-.IX Item "10:01 am Sep 17, 2009"
+.TP 8n
+10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.SH "FILES"
-.IX Header "FILES"
-.IP "\fI/var/log/sudo\-io\fR" 24
-.IX Item "/var/log/sudo-io"
+.TP 26n
+\fI@iolog_dir@\fR
The default I/O log directory.
-.IP "\fI/var/log/sudo\-io/00/00/01/log\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/log"
+.TP 26n
+\fI@iolog_dir@/00/00/01/log\fR
Example session log info.
-.IP "\fI/var/log/sudo\-io/00/00/01/stdin\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/stdin"
+.TP 26n
+\fI@iolog_dir@/00/00/01/stdin\fR
Example session standard input log.
-.IP "\fI/var/log/sudo\-io/00/00/01/stdout\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/stdout"
+.TP 26n
+\fI@iolog_dir@/00/00/01/stdout\fR
Example session standard output log.
-.IP "\fI/var/log/sudo\-io/00/00/01/stderr\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/stderr"
+.TP 26n
+\fI@iolog_dir@/00/00/01/stderr\fR
Example session standard error log.
-.IP "\fI/var/log/sudo\-io/00/00/01/ttyin\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/ttyin"
+.TP 26n
+\fI@iolog_dir@/00/00/01/ttyin\fR
Example session tty input file.
-.IP "\fI/var/log/sudo\-io/00/00/01/ttyout\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/ttyout"
+.TP 26n
+\fI@iolog_dir@/00/00/01/ttyout\fR
Example session tty output file.
-.IP "\fI/var/log/sudo\-io/00/00/01/timing\fR" 24
-.IX Item "/var/log/sudo-io/00/00/01/timing"
+.TP 26n
+\fI@iolog_dir@/00/00/01/timing\fR
Example session timing file.
.PP
-Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty
-unless \fBsudo\fR was used as part of a pipeline for a particular
-command.
+Note that the
+\fIstdin\fR,
+\fIstdout\fR
+and
+\fIstderr\fR
+files will be empty unless
+\fBsudo\fR
+was used as part of a pipeline for a particular command.
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-List sessions run by user \fImillert\fR:
-.PP
-.Vb 1
-\& sudoreplay \-l user millert
-.Ve
-.PP
-List sessions run by user \fIbob\fR with a command containing the string vi:
-.PP
-.Vb 1
-\& sudoreplay \-l user bob command vi
-.Ve
+List sessions run by user
+\fImillert\fR:
+.nf
+.sp
+.RS 6n
+# sudoreplay -l user millert
+.RE
+.fi
.PP
-List sessions run by user \fIjeff\fR that match a regular expression:
+List sessions run by user
+\fIbob\fR
+with a command containing the string vi:
+.nf
+.sp
+.RS 6n
+# sudoreplay -l user bob command vi
+.RE
+.fi
.PP
-.Vb 1
-\& sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
-.Ve
+List sessions run by user
+\fIjeff\fR
+that match a regular expression:
+.nf
+.sp
+.RS 6n
+# sudoreplay -l user jeff command '/bin/[a-z]*sh'
+.RE
+.fi
.PP
List sessions run by jeff or bob on the console:
-.PP
-.Vb 1
-\& sudoreplay \-l ( user jeff or user bob ) tty console
-.Ve
+.nf
+.sp
+.RS 6n
+# sudoreplay -l ( user jeff or user bob ) tty console
+.RE
+.fi
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1)
-.SH "AUTHOR"
-.IX Header "AUTHOR"
+sudo(@mansectsu@),
+script(1)
+.SH "AUTHORS"
Todd C. Miller
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudoreplay\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudoreplay\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 12, 2012
+.Dt SUDOREPLAY @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudoreplay
+.Nd replay sudo session logs
+.Sh SYNOPSIS
+.Nm sudoreplay
+.Op Fl h
+.Bk -words
+.Op Fl d Ar directory
+.Ek
+.Bk -words
+.Op Fl f Ar filter
+.Ek
+.Bk -words
+.Op Fl m Ar max_wait
+.Ek
+.Bk -words
+.Op Fl s Ar speed_factor
+.Ek
+ID
+.Pp
+.Nm sudoreplay
+.Op Fl h
+.Bk -words
+.Op Fl d Ar directory
+.Ek
+.Fl l
+.Op search expression
+.Sh DESCRIPTION
+.Nm sudoreplay
+plays back or lists the output logs created by
+.Nm sudo .
+When replaying,
+.Nm sudoreplay
+can play the session back in real-time, or the playback speed may be
+adjusted (faster or slower) based on the command line options.
+.Pp
+The
+.Em ID
+should either be a six character sequence of digits and
+upper case letters, e.g.\&
+.Li 0100A5 ,
+or a pattern matching the
+.Em iolog_file
+option in the
+.Em sudoers
+file.
+When a command is run via
+.Nm sudo
+with
+.Em log_output
+enabled in the
+.Em sudoers
+file, a
+.Li TSID=ID
+string is logged via syslog or to the
+.Nm sudo
+log file.
+The
+.Em ID
+may also be determined using
+.Nm sudoreplay Ns No 's
+list mode.
+.Pp
+In list mode,
+.Nm sudoreplay
+can be used to find the ID of a session based on a number of criteria
+such as the user, tty or command run.
+.Pp
+In replay mode, if the standard output has not been redirected,
+.Nm sudoreplay
+will act on the following keys:
+.Bl -tag -width 12n
+.It So Li \ Sc No (space)
+Pause output; press any key to resume.
+.It Ql <
+Reduce the playback speed by one half.
+.It Ql >
+Double the playback speed.
+.El
+.Pp
+The options are as follows:
+.Bl -tag -width 12n
+.It Fl d Ar directory
+Use
+.Ar directory
+to for the session logs instead of the default,
+.Pa @iolog_dir@ .
+.It Fl f Ar filter
+By default,
+.Nm sudoreplay
+will play back the command's standard output, standard error and tty output.
+The
+.Fl f
+option can be used to select which of these to output.
+The
+.Ar filter
+argument is a comma-separated list, consisting of one or more of following:
+.Em stdout ,
+.Em stderr ,
+and
+.Em ttyout .
+.It Fl h
+The
+.Fl h No ( Em help Ns No )
+option causes
+.Nm sudoreplay
+to print a short help message to the standard output and exit.
+.It Fl l Op Ar search expression
+Enable
+.Dq list mode .
+In this mode,
+.Nm sudoreplay
+will list available sessions in a format similar to the
+.Nm sudo
+log file format, sorted by file name (or sequence number).
+If a
+.Ar search expression
+is specified, it will be used to restrict the IDs that are displayed.
+An expression is composed of the following predicates:
+.Bl -tag -width 6n
+.It command Ar pattern
+Evaluates to true if the command run matches
+.Ar pattern .
+On systems with POSIX regular expression support, the pattern may
+be an extended regular expression.
+On systems without POSIX regular expression support, a simple substring
+match is performed instead.
+.It cwd Ar directory
+Evaluates to true if the command was run with the specified current
+working directory.
+.It fromdate Ar date
+Evaluates to true if the command was run on or after
+.Ar date .
+See
+.Sx Date and time format
+for a description of supported date and time formats.
+.It group Ar runas_group
+Evaluates to true if the command was run with the specified
+.Ar runas_group .
+Note that unless a
+.Ar runas_group
+was explicitly specified when
+.Nm sudo
+was run this field will be empty in the log.
+.It runas Ar runas_user
+Evaluates to true if the command was run as the specified
+.Ar runas_user .
+Note that
+.Nm sudo
+runs commands as user
+.Em root
+by default.
+.It todate Ar date
+Evaluates to true if the command was run on or prior to
+.Ar date .
+See
+.Sx Date and time format
+for a description of supported date and time formats.
+.It tty Ar tty name
+Evaluates to true if the command was run on the specified terminal device.
+The
+.Ar tty name
+should be specified without the
+.Pa /dev/
+prefix, e.g.\&
+.Pa tty01
+instead of
+.Pa /dev/tty01 .
+.It user Ar user name
+Evaluates to true if the ID matches a command run by
+.Ar user name .
+.El
+.Pp
+Predicates may be abbreviated to the shortest unique string (currently
+all predicates may be shortened to a single character).
+.Pp
+Predicates may be combined using
+.Em and ,
+.Em or
+and
+.Em \&!
+operators as well as
+.Ql \&(
+and
+.Ql \&)
+grouping (note that parentheses must generally be escaped from the shell).
+The
+.Em and
+operator is optional, adjacent predicates have an implied
+.Em and
+unless separated by an
+.Em or .
+.It Fl m Ar max_wait
+Specify an upper bound on how long to wait between key presses or output data.
+By default,
+.Nm sudoreplay
+will accurately reproduce the delays between key presses or program output.
+However, this can be tedious when the session includes long pauses.
+When the
+.Fl m
+option is specified,
+.Nm sudoreplay
+will limit these pauses to at most
+.Em max_wait
+seconds.
+The value may be specified as a floating point number, e.g.\&
+.Em 2.5 .
+.It Fl s Ar speed_factor
+This option causes
+.Nm sudoreplay
+to adjust the number of seconds it will wait between key presses or
+program output.
+This can be used to slow down or speed up the display.
+For example, a
+.Ar speed_factor
+of
+.Em 2
+would make the output twice as fast whereas a
+.Ar speed_factor
+of
+.Em .5
+would make the output twice as slow.
+.It Fl V
+The
+.Fl V No ( Em version Ns No )
+option causes
+.Nm sudoreplay
+to print its version number
+and exit.
+.El
+.Ss Date and time format
+The time and date may be specified multiple ways, common formats include:
+.Bl -tag -width 6n
+.It HH:MM:SS am MM/DD/CCYY timezone
+24 hour time may be used in place of am/pm.
+.It HH:MM:SS am Month, Day Year timezone
+24 hour time may be used in place of am/pm, and month and day names
+may be abbreviated.
+Note that month and day of the week names must be specified in English.
+.It CCYY-MM-DD HH:MM:SS
+ISO time format
+.It DD Month CCYY HH:MM:SS
+The month name may be abbreviated.
+.El
+.Pp
+Either time or date may be omitted, the am/pm and timezone are optional.
+If no date is specified, the current day is assumed; if no time is
+specified, the first second of the specified date is used.
+The less significant parts of both time and date may also be omitted,
+in which case zero is assumed.
+.Pp
+The following are all valid time and date specifications:
+.Bl -tag -width 6n
+.It now
+The current time and date.
+.It tomorrow
+Exactly one day from now.
+.It yesterday
+24 hours ago.
+.It 2 hours ago
+2 hours ago.
+.It next Friday
+The first second of the next Friday.
+.It this week
+The current time but the first day of the coming week.
+.It a fortnight ago
+The current time but 14 days ago.
+.It 10:01 am 9/17/2009
+10:01 am, September 17, 2009.
+.It 10:01 am
+10:01 am on the current day.
+.It 10
+10:00 am on the current day.
+.It 9/17/2009
+00:00 am, September 17, 2009.
+.It 10:01 am Sep 17, 2009
+10:01 am, September 17, 2009.
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @iolog_dir@
+The default I/O log directory.
+.It Pa @iolog_dir@/00/00/01/log
+Example session log info.
+.It Pa @iolog_dir@/00/00/01/stdin
+Example session standard input log.
+.It Pa @iolog_dir@/00/00/01/stdout
+Example session standard output log.
+.It Pa @iolog_dir@/00/00/01/stderr
+Example session standard error log.
+.It Pa @iolog_dir@/00/00/01/ttyin
+Example session tty input file.
+.It Pa @iolog_dir@/00/00/01/ttyout
+Example session tty output file.
+.It Pa @iolog_dir@/00/00/01/timing
+Example session timing file.
+.El
+.Pp
+Note that the
+.Em stdin ,
+.Em stdout
+and
+.Em stderr
+files will be empty unless
+.Nm sudo
+was used as part of a pipeline for a particular command.
+.Sh EXAMPLES
+List sessions run by user
+.Em millert :
+.Bd -literal -offset indent
+# sudoreplay -l user millert
+.Ed
+.Pp
+List sessions run by user
+.Em bob
+with a command containing the string vi:
+.Bd -literal -offset indent
+# sudoreplay -l user bob command vi
+.Ed
+.Pp
+List sessions run by user
+.Em jeff
+that match a regular expression:
+.Bd -literal -offset indent
+# sudoreplay -l user jeff command '/bin/[a-z]*sh'
+.Ed
+.Pp
+List sessions run by jeff or bob on the console:
+.Bd -literal -offset indent
+# sudoreplay -l ( user jeff or user bob ) tty console
+.Ed
+.Sh SEE ALSO
+.Xr sudo @mansectsu@ ,
+.Xr script 1
+.Sh AUTHORS
+Todd C. Miller
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudoreplay ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudoreplay
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-=pod
-
-=head1 NAME
-
-sudoreplay - replay sudo session logs
-
-=head1 SYNOPSIS
-
-B<sudoreplay> [B<-h>] [B<-d> I<directory>] [B<-f> I<filter>] [B<-m> I<max_wait>] [B<-s> I<speed_factor>] ID
-
-B<sudoreplay> [B<-h>] [B<-d> I<directory>] -l [search expression]
-
-=head1 DESCRIPTION
-
-B<sudoreplay> plays back or lists the output logs created by B<sudo>.
-When replaying, B<sudoreplay> can play the session back in real-time,
-or the playback speed may be adjusted (faster or slower) based on
-the command line options.
-
-The I<ID> should either be a six character sequence of digits and
-upper case letters, e.g. C<0100A5>, or a pattern matching the
-I<iolog_file> option in the I<sudoers> file. When a command is run
-via B<sudo> with I<log_output> enabled in the I<sudoers> file, a
-C<TSID=ID> string is logged via syslog or to the B<sudo> log file.
-The I<ID> may also be determined using B<sudoreplay>'s list mode.
-
-In list mode, B<sudoreplay> can be used to find the ID of a session
-based on a number of criteria such as the user, tty or command run.
-
-In replay mode, if the standard output has not been redirected,
-B<sudoreplay> will act on the following keys:
-
-=over 8
-
-=item ' ' (space)
-
-Pause output; press any key to resume.
-
-=item '<'
-
-Reduce the playback speed by one half.
-
-=item '>'
-
-Double the playback speed.
-
-=back
-
-=head1 OPTIONS
-
-B<sudoreplay> accepts the following command line options:
-
-=over 12
-
-=item -d I<directory>
-
-Use I<directory> to for the session logs instead of the default,
-F</var/log/sudo-io>.
-
-=item -f I<filter>
-
-By default, B<sudoreplay> will play back the command's standard
-output, standard error and tty output. The I<-f> option can be
-used to select which of these to output. The I<filter> argument
-is a comma-separated list, consisting of one or more of following:
-I<stdout>, I<stderr>, and I<ttyout>.
-
-=item -h
-
-The B<-h> (I<help>) option causes B<sudoreplay> to print a short
-help message to the standard output and exit.
-
-=item -l [I<search expression>]
-
-Enable "list mode". In this mode, B<sudoreplay> will list available
-sessions in a format similar to the B<sudo> log file format, sorted
-by file name (or sequence number). If a I<search expression> is
-specified, it will be used to restrict the IDs that are displayed.
-An expression is composed of the following predicates:
-
-=over 8
-
-=item command I<command pattern>
-
-Evaluates to true if the command run matches I<command pattern>.
-On systems with POSIX regular expression support, the pattern may
-be an extended regular expression. On systems without POSIX regular
-expression support, a simple substring match is performed instead.
-
-=item cwd I<directory>
-
-Evaluates to true if the command was run with the specified current
-working directory.
-
-=item fromdate I<date>
-
-Evaluates to true if the command was run on or after I<date>.
-See L<"Date and time format"> for a description of supported
-date and time formats.
-
-=item group I<runas_group>
-
-Evaluates to true if the command was run with the specified
-I<runas_group>. Note that unless a I<runas_group> was explicitly
-specified when B<sudo> was run this field will be empty in the log.
-
-=item runas I<runas_user>
-
-Evaluates to true if the command was run as the specified I<runas_user>.
-Note that B<sudo> runs commands as user I<root> by default.
-
-=item todate I<date>
-
-Evaluates to true if the command was run on or prior to I<date>.
-See L<"Date and time format"> for a description of supported
-date and time formats.
-
-=item tty I<tty>
-
-Evaluates to true if the command was run on the specified terminal
-device. The I<tty> should be specified without the F</dev/> prefix,
-e.g. F<tty01> instead of F</dev/tty01>.
-
-=item user I<user name>
-
-Evaluates to true if the ID matches a command run by I<user name>.
-
-=back
-
-Predicates may be abbreviated to the shortest unique string (currently
-all predicates may be shortened to a single character).
-
-Predicates may be combined using I<and>, I<or> and I<!> operators
-as well as C<'('> and C<')'> for grouping (note that parentheses
-must generally be escaped from the shell). The I<and> operator is
-optional, adjacent predicates have an implied I<and> unless separated
-by an I<or>.
-
-=item -m I<max_wait>
-
-Specify an upper bound on how long to wait between key presses or
-output data. By default, B<sudo_replay> will accurately reproduce
-the delays between key presses or program output. However, this
-can be tedious when the session includes long pauses. When the
-I<-m> option is specified, B<sudoreplay> will limit these pauses
-to at most I<max_wait> seconds. The value may be specified as a
-floating point number, .e.g. I<2.5>.
-
-=item -s I<speed_factor>
-
-This option causes B<sudoreplay> to adjust the number of seconds
-it will wait between key presses or program output. This can be
-used to slow down or speed up the display. For example, a
-I<speed_factor> of I<2> would make the output twice as fast whereas
-a I<speed_factor> of <.5> would make the output twice as slow.
-
-=item -V
-
-The B<-V> (version) option causes B<sudoreplay> to print its version number
-and exit.
-
-=back
-
-=head2 Date and time format
-
-The time and date may be specified multiple ways, common formats include:
-
-=over 8
-
-=item HH:MM:SS am MM/DD/CCYY timezone
-
-24 hour time may be used in place of am/pm.
-
-=item HH:MM:SS am Month, Day Year timezone
-
-24 hour time may be used in place of am/pm, and month and day names
-may be abbreviated. Note that month and day of the week names must
-be specified in English.
-
-=item CCYY-MM-DD HH:MM:SS
-
-ISO time format
-
-=item DD Month CCYY HH:MM:SS
-
-The month name may be abbreviated.
-
-=back
-
-Either time or date may be omitted, the am/pm and timezone are
-optional. If no date is specified, the current day is assumed; if
-no time is specified, the first second of the specified date is
-used. The less significant parts of both time and date may also
-be omitted, in which case zero is assumed. For example, the following
-are all valid:
-
-The following are all valid time and date specifications:
-
-=over 8
-
-=item now
-
-The current time and date.
-
-=item tomorrow
-
-Exactly one day from now.
-
-=item yesterday
-
-24 hours ago.
-
-=item 2 hours ago
-
-2 hours ago.
-
-=item next Friday
-
-The first second of the next Friday.
-
-=item this week
-
-The current time but the first day of the coming week.
-
-=item a fortnight ago
-
-The current time but 14 days ago.
-
-=item 10:01 am 9/17/2009
-
-10:01 am, September 17, 2009.
-
-=item 10:01 am
-
-10:01 am on the current day.
-
-=item 10
-
-10:00 am on the current day.
-
-=item 9/17/2009
-
-00:00 am, September 17, 2009.
-
-=item 10:01 am Sep 17, 2009
-
-10:01 am, September 17, 2009.
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F</var/log/sudo-io>
-
-The default I/O log directory.
-
-=item F</var/log/sudo-io/00/00/01/log>
-
-Example session log info.
-
-=item F</var/log/sudo-io/00/00/01/stdin>
-
-Example session standard input log.
-
-=item F</var/log/sudo-io/00/00/01/stdout>
-
-Example session standard output log.
-
-=item F</var/log/sudo-io/00/00/01/stderr>
-
-Example session standard error log.
-
-=item F</var/log/sudo-io/00/00/01/ttyin>
-
-Example session tty input file.
-
-=item F</var/log/sudo-io/00/00/01/ttyout>
-
-Example session tty output file.
-
-=item F</var/log/sudo-io/00/00/01/timing>
-
-Example session timing file.
-
-=back
-
-Note that the I<stdin>, I<stdout> and I<stderr> files will be empty
-unless B<sudo> was used as part of a pipeline for a particular
-command.
-
-=head1 EXAMPLES
-
-List sessions run by user I<millert>:
-
- sudoreplay -l user millert
-
-List sessions run by user I<bob> with a command containing the string vi:
-
- sudoreplay -l user bob command vi
-
-List sessions run by user I<jeff> that match a regular expression:
-
- sudoreplay -l user jeff command '/bin/[a-z]*sh'
-
-List sessions run by jeff or bob on the console:
-
- sudoreplay -l ( user jeff or user bob ) tty console
-
-=head1 SEE ALSO
-
-L<sudo(8)>, L<script(1)>
-
-=head1 AUTHOR
-
-Todd C. Miller
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudoreplay>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudoreplay> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
-
+VISUDO(1m) System Manager's Manual VISUDO(1m)
N\bNA\bAM\bME\bE
- visudo - edit the sudoers file
+ v\bvi\bis\bsu\bud\bdo\bo - edit the sudoers file
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bch\bhq\bqs\bsV\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
+ v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bch\bhq\bqs\bsV\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(1m).
- v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
- provides basic sanity checks, and checks for parse errors. If the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being edited you will receive a message to
- try again later.
-
- There is a hard-coded list of one or more editors that v\bvi\bis\bsu\bud\bdo\bo will use
- set at compile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs
- Default variable. This list defaults to "vi". Normally, v\bvi\bis\bsu\bud\bdo\bo does
- not honor the VISUAL or EDITOR environment variables unless they
- contain an editor in the aforementioned editors list. However, if
- v\bvi\bis\bsu\bud\bdo\bo is configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\b-_\be_\bd_\bi_\bt_\bo_\br option or the
- _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default variable is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the
- editor defines by VISUAL or EDITOR. Note that this can be a security
- hole since it allows the user to execute any program they wish simply
- by setting VISUAL or EDITOR.
-
- v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not save the
- changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
- print a message stating the line number(s) where the error occurred and
- the user will receive the "What now?" prompt. At this point the user
- may enter "e" to re-edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file, "x" to exit without saving
- the changes, or "Q" to quit and save changes. The "Q" option should be
- used with extreme care because if v\bvi\bis\bsu\bud\bdo\bo believes there to be a parse
- error, so will s\bsu\bud\bdo\bo and no one will be able to s\bsu\bud\bdo\bo again until the
- error is fixed. If "e" is typed to edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file after a
- parse error has been detected, the cursor will be placed on the line
- where the error occurred (if the editor supports this feature).
-
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- v\bvi\bis\bsu\bud\bdo\bo accepts the following command line options:
-
- -c Enable c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file will be
- checked for syntax errors, owner and mode. A message will
- be printed to the standard output describing the status of
- _\bs_\bu_\bd_\bo_\be_\br_\bs unless the -\b-q\bq option was specified. If the check
- completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of 0.
- If an error is encountered, v\bvi\bis\bsu\bud\bdo\bo will exit with a value
- of 1.
-
- -f _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
- option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
- choice, instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock
- file used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp"
- appended to it. In c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode only, the argument to
- -\b-f\bf may be "-", indicating that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from
- the standard input.
-
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes v\bvi\bis\bsu\bud\bdo\bo to print a short help
- message to the standard output and exit.
-
- -q Enable q\bqu\bui\bie\bet\bt mode. In this mode details about syntax
- errors are not printed. This option is only useful when
- combined with the -\b-c\bc option.
-
- -s Enable s\bst\btr\bri\bic\bct\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
- used before it is defined, v\bvi\bis\bsu\bud\bdo\bo will consider this a
- parse error. Note that it is not possible to differentiate
- between an alias and a host name or user name that consists
- solely of uppercase letters, digits, and the underscore
- ('_') character.
-
- -V The -\b-V\bV (version) option causes v\bvi\bis\bsu\bud\bdo\bo to print its version
- number and exit.
+ v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to vipw(1m).
+ v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
+ provides basic sanity checks, and checks for parse errors. If the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being edited you will receive a message to try
+ again later.
+
+ There is a hard-coded list of one or more editors that v\bvi\bis\bsu\bud\bdo\bo will use
+ set at compile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs Default
+ variable. This list defaults to vi. Normally, v\bvi\bis\bsu\bud\bdo\bo does not honor the
+ VISUAL or EDITOR environment variables unless they contain an editor in
+ the aforementioned editors list. However, if v\bvi\bis\bsu\bud\bdo\bo is configured with
+ the --with-env-editor option or the _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default variable is set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the editor defines by VISUAL or EDITOR.
+ Note that this can be a security hole since it allows the user to execute
+ any program they wish simply by setting VISUAL or EDITOR.
+
+ v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not save the
+ changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
+ print a message stating the line number(s) where the error occurred and
+ the user will receive the ``What now?'' prompt. At this point the user
+ may enter `e' to re-edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file, `x' to exit without saving the
+ changes, or `Q' to quit and save changes. The `Q' option should be used
+ with extreme care because if v\bvi\bis\bsu\bud\bdo\bo believes there to be a parse error,
+ so will s\bsu\bud\bdo\bo and no one will be able to s\bsu\bud\bdo\bo again until the error is
+ fixed. If `e' is typed to edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file after a parse error has
+ been detected, the cursor will be placed on the line where the error
+ occurred (if the editor supports this feature).
+
+ The options are as follows:
+
+ -\b-c\bc Enable _\bc_\bh_\be_\bc_\bk_\b-_\bo_\bn_\bl_\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file will be
+ checked for syntax errors, owner and mode. A message will be
+ printed to the standard output describing the status of
+ _\bs_\bu_\bd_\bo_\be_\br_\bs unless the -\b-q\bq option was specified. If the check
+ completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of 0.
+ If an error is encountered, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of
+ 1.
+
+ -\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
+ option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
+ choice, instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock file
+ used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ``.tmp'' appended to
+ it. In _\bc_\bh_\be_\bc_\bk_\b-_\bo_\bn_\bl_\by mode only, the argument to -\b-f\bf may be `-',
+ indicating that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from the standard input.
+
+ -\b-h\bh The -\b-h\bh (_\bh_\be_\bl_\bp) option causes v\bvi\bis\bsu\bud\bdo\bo to print a short help
+ message to the standard output and exit.
+
+ -\b-q\bq Enable _\bq_\bu_\bi_\be_\bt mode. In this mode details about syntax errors
+ are not printed. This option is only useful when combined
+ with the -\b-c\bc option.
+
+ -\b-s\bs Enable _\bs_\bt_\br_\bi_\bc_\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
+ used before it is defined, v\bvi\bis\bsu\bud\bdo\bo will consider this a parse
+ error. Note that it is not possible to differentiate between
+ an alias and a host name or user name that consists solely of
+ uppercase letters, digits, and the underscore (`_')
+ character.
+
+ -\b-V\bV The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes v\bvi\bis\bsu\bud\bdo\bo to print its version
+ number and exit.
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- The following environment variables may be consulted depending on the
- value of the _\be_\bd_\bi_\bt_\bo_\br and _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variables:
+ The following environment variables may be consulted depending on the
+ value of the _\be_\bd_\bi_\bt_\bo_\br and _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs settings:
- VISUAL Invoked by visudo as the editor to use
+ VISUAL Invoked by v\bvi\bis\bsu\bud\bdo\bo as the editor to use
- EDITOR Used by visudo if VISUAL is not set
+ EDITOR Used by v\bvi\bis\bsu\bud\bdo\bo if VISUAL is not set
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
- sudoers file busy, try again later.
+ sudoers file busy, try again later.
Someone else is currently editing the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- /etc/sudoers.tmp: Permission denied
+ /etc/sudoers.tmp: Permission denied
You didn't run v\bvi\bis\bsu\bud\bdo\bo as root.
- Can't find you in the passwd database
- Your userid does not appear in the system passwd file.
+ Can't find you in the passwd database
+ Your user ID does not appear in the system passwd file.
- Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
- Either you are trying to use an undeclare
+ Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
+ Either you are trying to use an undeclared
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
- underscore ('_') character. In the latter case, you can ignore the
+ underscore (`_') character. In the latter case, you can ignore the
warnings (s\bsu\bud\bdo\bo will not complain). In -\b-s\bs (strict) mode these are
errors, not warnings.
- Warning: unused {User,Runas,Host,Cmnd}_Alias
+ Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
-\b-s\bs (strict) mode this is an error, not a warning.
- Warning: cycle in {User,Runas,Host,Cmnd}_Alias
+ Warning: cycle in {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
itself, either directly or through an alias it includes. This is
only a warning by default as s\bsu\bud\bdo\bo will ignore cycles when parsing
the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(1m)
+ vi(1), sudoers(4), sudo(1m), vipw(1m)
-A\bAU\bUT\bTH\bHO\bOR\bR
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
- was written by:
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
+ code written primarily by:
- Todd Miller
+ Todd C. Miller
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (http://www.sudo.ws/sudo/contributors.html) for a list of people who
- have contributed to s\bsu\bud\bdo\bo.
+ See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
+ people who have contributed to s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if the
- editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
+ There is no easy way to prevent a user from gaining a root shell if the
+ editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit a bug report
- at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- v\bvi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ v\bvi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.8.5 March 14, 2012 VISUDO(1m)
+Sudo 1.8.6 July 12, 2012 Sudo 1.8.6
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in
+.\"
.\" Copyright (c) 1996,1998-2005, 2007-2012
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "March 14, 2012" "1.8.5" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "VISUDO" "@mansectsu@" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-visudo \- edit the sudoers file
+\fBvisudo\fR
+\- edit the sudoers file
.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR]
+.HP 7n
+\fBvisudo\fR
+[\fB\-chqsV\fR]
+[\fB\-f\fR\ \fIsudoers\fR]
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to
-\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple
-simultaneous edits, provides basic sanity checks, and checks
-for parse errors. If the \fIsudoers\fR file is currently being
-edited you will receive a message to try again later.
+\fBvisudo\fR
+edits the
+\fIsudoers\fR
+file in a safe fashion, analogous to
+vipw(@mansectsu@).
+\fBvisudo\fR
+locks the
+\fIsudoers\fR
+file against multiple simultaneous edits, provides basic sanity checks,
+and checks for parse errors.
+If the
+\fIsudoers\fR
+file is currently being edited you will receive a message to try again later.
.PP
-There is a hard-coded list of one or more editors that \fBvisudo\fR will
-use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
-\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to \f(CW"@editor@"\fR. Normally,
-\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
-variables unless they contain an editor in the aforementioned editors
-list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR
-option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
-\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
+There is a hard-coded list of one or more editors that
+\fBvisudo\fR
+will use set at compile-time that may be overridden via the
+\fIeditor\fR
+\fIsudoers\fR
+\fRDefault\fR
+variable.
+This list defaults to
+\fR@editor@\fR.
+Normally,
+\fBvisudo\fR
+does not honor the
+\fRVISUAL\fR
+or
+\fREDITOR\fR
+environment variables unless they contain an editor in the aforementioned
+editors list.
+However, if
+\fBvisudo\fR
+is configured with the
+\fR--with-env-editor\fR
+option or the
+\fIenv_editor\fR
+\fRDefault\fR
+variable is set in
+\fIsudoers\fR,
+\fBvisudo\fR
+will use any the editor defines by
+\fRVISUAL\fR
+or
+\fREDITOR\fR.
Note that this can be a security hole since it allows the user to
-execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
+execute any program they wish simply by setting
+\fRVISUAL\fR
+or
+\fREDITOR\fR.
.PP
-\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will
-not save the changes if there is a syntax error. Upon finding
-an error, \fBvisudo\fR will print a message stating the line number(s)
+\fBvisudo\fR
+parses the
+\fIsudoers\fR
+file after the edit and will
+not save the changes if there is a syntax error.
+Upon finding an error,
+\fBvisudo\fR
+will print a message stating the line number(s)
where the error occurred and the user will receive the
-\&\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R"
-to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without
-saving the changes, or \*(L"Q\*(R" to quit and save changes. The
-\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR
-believes there to be a parse error, so will \fBsudo\fR and no one
-will be able to \fBsudo\fR again until the error is fixed.
-If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error
-has been detected, the cursor will be placed on the line where the
-error occurred (if the editor supports this feature).
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-\&\fBvisudo\fR accepts the following command line options:
-.IP "\-c" 12
-.IX Item "-c"
-Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be
-checked for syntax errors, owner and mode. A message will be printed
-to the standard output describing the status of \fIsudoers\fR unless
-the \fB\-q\fR option was specified. If the check completes successfully,
-\&\fBvisudo\fR will exit with a value of 0. If an error is encountered,
-\&\fBvisudo\fR will exit with a value of 1.
-.IP "\-f \fIsudoers\fR" 12
-.IX Item "-f sudoers"
-Specify and alternate \fIsudoers\fR file location. With this option
-\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
-instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used
-is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
-In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R",
-indicating that \fIsudoers\fR will be read from the standard input.
-.IP "\-h" 12
-.IX Item "-h"
-The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message
+``What now?''
+prompt.
+At this point the user may enter
+`e'
+to re-edit the
+\fIsudoers\fR
+file,
+`x'
+to exit without saving the changes, or
+`Q'
+to quit and save changes.
+The
+`Q'
+option should be used with extreme care because if
+\fBvisudo\fR
+believes there to be a parse error, so will
+\fBsudo\fR
+and no one
+will be able to
+\fBsudo\fR
+again until the error is fixed.
+If
+`e'
+is typed to edit the
+\fIsudoers\fR
+file after a parse error has been detected, the cursor will be placed on
+the line where the error occurred (if the editor supports this feature).
+.PP
+The options are as follows:
+.TP 12n
+\fB\-c\fR
+Enable
+\fIcheck-only\fR
+mode.
+The existing
+\fIsudoers\fR
+file will be
+checked for syntax errors, owner and mode.
+A message will be printed to the standard output describing the status of
+\fIsudoers\fR
+unless the
+\fB\-q\fR
+option was specified.
+If the check completes successfully,
+\fBvisudo\fR
+will exit with a value of 0.
+If an error is encountered,
+\fBvisudo\fR
+will exit with a value of 1.
+.TP 12n
+\fB\-f\fR \fIsudoers\fR
+.br
+Specify and alternate
+\fIsudoers\fR
+file location.
+With this option
+\fBvisudo\fR
+will edit (or check) the
+\fIsudoers\fR
+file of your choice,
+instead of the default,
+\fI@sysconfdir@/sudoers\fR.
+The lock file used is the specified
+\fIsudoers\fR
+file with
+``\.tmp''
+appended to it.
+In
+\fIcheck-only\fR
+mode only, the argument to
+\fB\-f\fR
+may be
+`-',
+indicating that
+\fIsudoers\fR
+will be read from the standard input.
+.TP 12n
+\fB\-h\fR
+The
+\fB\-h\fR (\fIhelp\fR)
+option causes
+\fBvisudo\fR
+to print a short help message
to the standard output and exit.
-.IP "\-q" 12
-.IX Item "-q"
-Enable \fBquiet\fR mode. In this mode details about syntax errors
-are not printed. This option is only useful when combined with
-the \fB\-c\fR option.
-.IP "\-s" 12
-.IX Item "-s"
-Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
-used before it is defined, \fBvisudo\fR will consider this a parse
-error. Note that it is not possible to differentiate between an
+.TP 12n
+\fB\-q\fR
+Enable
+\fIquiet\fR
+mode.
+In this mode details about syntax errors are not printed.
+This option is only useful when combined with
+the
+\fB\-c\fR
+option.
+.TP 12n
+\fB\-s\fR
+Enable
+\fIstrict\fR
+checking of the
+\fIsudoers\fR
+file.
+If an alias is used before it is defined,
+\fBvisudo\fR
+will consider this a parse error.
+Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
-letters, digits, and the underscore ('_') character.
-.IP "\-V" 12
-.IX Item "-V"
-The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
+letters, digits, and the underscore
+(`_')
+character.
+.TP 12n
+\fB\-V\fR
+The
+\fB\-V\fR (\fIversion\fR)
+option causes
+\fBvisudo\fR
+to print its version number
and exit.
.SH "ENVIRONMENT"
-.IX Header "ENVIRONMENT"
The following environment variables may be consulted depending on
-the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables:
-.ie n .IP "\*(C`VISUAL\*(C'" 16
-.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
-.IX Item "VISUAL"
-Invoked by visudo as the editor to use
-.ie n .IP "\*(C`EDITOR\*(C'" 16
-.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
-.IX Item "EDITOR"
-Used by visudo if \s-1VISUAL\s0 is not set
+the value of the
+\fIeditor\fR
+and
+\fIenv_editor\fR
+\fIsudoers\fR
+settings:
+.TP 17n
+\fRVISUAL\fR
+Invoked by
+\fBvisudo\fR
+as the editor to use
+.TP 17n
+\fREDITOR\fR
+Used by
+\fBvisudo\fR
+if
+\fRVISUAL\fR
+is not set
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers\fR" 24
-.IX Item "@sysconfdir@/sudoers"
+.TP 26n
+\fI@sysconfdir@/sudoers\fR
List of who can run what
-.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
-.IX Item "@sysconfdir@/sudoers.tmp"
+.TP 26n
+\fI@sysconfdir@/sudoers.tmp\fR
Lock file for visudo
.SH "DIAGNOSTICS"
-.IX Header "DIAGNOSTICS"
-.IP "sudoers file busy, try again later." 4
-.IX Item "sudoers file busy, try again later."
-Someone else is currently editing the \fIsudoers\fR file.
-.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4
-.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4
-.IX Item "@sysconfdir@/sudoers.tmp: Permission denied"
-You didn't run \fBvisudo\fR as root.
-.IP "Can't find you in the passwd database" 4
-.IX Item "Can't find you in the passwd database"
-Your userid does not appear in the system passwd file.
-.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
-.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
-Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
+.TP 6n
+\fRsudoers file busy, try again later.\fR
+Someone else is currently editing the
+\fIsudoers\fR
+file.
+.TP 6n
+\fR@sysconfdir@/sudoers.tmp: Permission denied\fR
+You didn't run
+\fBvisudo\fR
+as root.
+.TP 6n
+\fRCan't find you in the passwd database\fR
+Your user ID does not appear in the system passwd file.
+.TP 6n
+\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR
+Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
-uppercase letters, digits, and the underscore ('_') character. In
-the latter case, you can ignore the warnings (\fBsudo\fR will not
-complain). In \fB\-s\fR (strict) mode these are errors, not warnings.
-.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4
-.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias"
+uppercase letters, digits, and the underscore
+(`_')
+character.
+In the latter case, you can ignore the warnings
+(\fBsudo\fR
+will not complain)
+\&.
+In
+\fB\-s\fR
+(strict) mode these are errors, not warnings.
+.TP 6n
+\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
-used. You may wish to comment out or remove the unused alias. In
-\&\fB\-s\fR (strict) mode this is an error, not a warning.
-.IP "Warning: cycle in {User,Runas,Host,Cmnd}_Alias" 4
-.IX Item "Warning: cycle in {User,Runas,Host,Cmnd}_Alias"
+used.
+You may wish to comment out or remove the unused alias.
+In
+\fB\-s\fR
+(strict) mode this is an error, not a warning.
+.TP 6n
+\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
-itself, either directly or through an alias it includes. This is
-only a warning by default as \fBsudo\fR will ignore cycles when parsing
-the \fIsudoers\fR file.
+itself, either directly or through an alias it includes.
+This is only a warning by default as
+\fBsudo\fR
+will ignore cycles when parsing
+the
+\fIsudoers\fR
+file.
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(@mansectsu@)
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Many people have worked on \fBsudo\fR over the years; this version of
-\&\fBvisudo\fR was written by:
-.PP
-.Vb 1
-\& Todd Miller
-.Ve
+vi(1),
+sudoers(@mansectform@),
+sudo(@mansectsu@),
+vipw(@mansectsu@)
+.SH "AUTHORS"
+Many people have worked on
+\fBsudo\fR
+over the years; this version consists of code written primarily by:
+.sp
+.RS 6n
+Todd C. Miller
+.RE
.PP
-See the \s-1CONTRIBUTORS\s0 file in the \fBsudo\fR distribution
-(http://www.sudo.ws/sudo/contributors.html) for a list of people
-who have contributed to \fBsudo\fR.
+See the CONTRIBUTORS file in the
+\fBsudo\fR
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+\fBsudo\fR.
.SH "CAVEATS"
-.IX Header "CAVEATS"
-There is no easy way to prevent a user from gaining a root shell if
-the editor used by \fBvisudo\fR allows shell escapes.
+There is no easy way to prevent a user from gaining a root shell if
+the editor used by
+\fBvisudo\fR
+allows shell escapes.
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBvisudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBvisudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 1996,1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\"
+.Dd July 12, 2012
+.Dt VISUDO @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm visudo
+.Nd edit the sudoers file
+.Sh SYNOPSIS
+.Nm visudo
+.Op Fl chqsV
+.Bk -words
+.Op Fl f Ar sudoers
+.Ek
+.Sh DESCRIPTION
+.Nm visudo
+edits the
+.Em sudoers
+file in a safe fashion, analogous to
+.Xr vipw @mansectsu@ .
+.Nm visudo
+locks the
+.Em sudoers
+file against multiple simultaneous edits, provides basic sanity checks,
+and checks for parse errors.
+If the
+.Em sudoers
+file is currently being edited you will receive a message to try again later.
+.Pp
+There is a hard-coded list of one or more editors that
+.Nm visudo
+will use set at compile-time that may be overridden via the
+.Em editor
+.Em sudoers
+.Li Default
+variable.
+This list defaults to
+.Li "@editor@" .
+Normally,
+.Nm visudo
+does not honor the
+.Ev VISUAL
+or
+.Ev EDITOR
+environment variables unless they contain an editor in the aforementioned
+editors list.
+However, if
+.Nm visudo
+is configured with the
+.Li --with-env-editor
+option or the
+.Em env_editor
+.Li Default
+variable is set in
+.Em sudoers ,
+.Nm visudo
+will use any the editor defines by
+.Ev VISUAL
+or
+.Ev EDITOR .
+Note that this can be a security hole since it allows the user to
+execute any program they wish simply by setting
+.Ev VISUAL
+or
+.Ev EDITOR .
+.Pp
+.Nm visudo
+parses the
+.Em sudoers
+file after the edit and will
+not save the changes if there is a syntax error.
+Upon finding an error,
+.Nm visudo
+will print a message stating the line number(s)
+where the error occurred and the user will receive the
+.Dq What now?
+prompt.
+At this point the user may enter
+.Ql e
+to re-edit the
+.Em sudoers
+file,
+.Ql x
+to exit without saving the changes, or
+.Ql Q
+to quit and save changes.
+The
+.Ql Q
+option should be used with extreme care because if
+.Nm visudo
+believes there to be a parse error, so will
+.Nm sudo
+and no one
+will be able to
+.Nm sudo
+again until the error is fixed.
+If
+.Ql e
+is typed to edit the
+.Em sudoers
+file after a parse error has been detected, the cursor will be placed on
+the line where the error occurred (if the editor supports this feature).
+.Pp
+The options are as follows:
+.Bl -tag -width Fl
+.It Fl c
+Enable
+.Em check-only
+mode.
+The existing
+.Em sudoers
+file will be
+checked for syntax errors, owner and mode.
+A message will be printed to the standard output describing the status of
+.Em sudoers
+unless the
+.Fl q
+option was specified.
+If the check completes successfully,
+.Nm visudo
+will exit with a value of 0.
+If an error is encountered,
+.Nm visudo
+will exit with a value of 1.
+.It Fl f Ar sudoers
+Specify and alternate
+.Em sudoers
+file location.
+With this option
+.Nm visudo
+will edit (or check) the
+.Em sudoers
+file of your choice,
+instead of the default,
+.Pa @sysconfdir@/sudoers .
+The lock file used is the specified
+.Em sudoers
+file with
+.Dq \.tmp
+appended to it.
+In
+.Em check-only
+mode only, the argument to
+.Fl f
+may be
+.Ql - ,
+indicating that
+.Em sudoers
+will be read from the standard input.
+.It Fl h
+The
+.Fl h No ( Em help Ns No )
+option causes
+.Nm visudo
+to print a short help message
+to the standard output and exit.
+.It Fl q
+Enable
+.Em quiet
+mode.
+In this mode details about syntax errors are not printed.
+This option is only useful when combined with
+the
+.Fl c
+option.
+.It Fl s
+Enable
+.Em strict
+checking of the
+.Em sudoers
+file.
+If an alias is used before it is defined,
+.Nm visudo
+will consider this a parse error.
+Note that it is not possible to differentiate between an
+alias and a host name or user name that consists solely of uppercase
+letters, digits, and the underscore
+.Pq Ql _
+character.
+.It Fl V
+The
+.Fl V ( Em version Ns No )
+option causes
+.Nm visudo
+to print its version number
+and exit.
+.El
+.Sh ENVIRONMENT
+The following environment variables may be consulted depending on
+the value of the
+.Em editor
+and
+.Em env_editor
+.Em sudoers
+settings:
+.Bl -tag -width 15n
+.It Ev VISUAL
+Invoked by
+.Nm visudo
+as the editor to use
+.It Ev EDITOR
+Used by
+.Nm visudo
+if
+.Ev VISUAL
+is not set
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudoers
+List of who can run what
+.It Pa @sysconfdir@/sudoers.tmp
+Lock file for visudo
+.El
+.Sh DIAGNOSTICS
+.Bl -tag -width 4n
+.It Li sudoers file busy, try again later.
+Someone else is currently editing the
+.Em sudoers
+file.
+.It Li @sysconfdir@/sudoers.tmp: Permission denied
+You didn't run
+.Nm visudo
+as root.
+.It Li Can't find you in the passwd database
+Your user ID does not appear in the system passwd file.
+.It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
+Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
+or you have a user or host name listed that consists solely of
+uppercase letters, digits, and the underscore
+.Pq Ql _
+character.
+In the latter case, you can ignore the warnings
+.Po
+.Nm sudo
+will not complain
+.Pc .
+In
+.Fl s
+(strict) mode these are errors, not warnings.
+.It Li Warning: unused {User,Runas,Host,Cmnd}_Alias
+The specified {User,Runas,Host,Cmnd}_Alias was defined but never
+used.
+You may wish to comment out or remove the unused alias.
+In
+.Fl s
+(strict) mode this is an error, not a warning.
+.It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias
+The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+itself, either directly or through an alias it includes.
+This is only a warning by default as
+.Nm sudo
+will ignore cycles when parsing
+the
+.Em sudoers
+file.
+.El
+.Sh SEE ALSO
+.Xr vi 1 ,
+.Xr sudoers @mansectform@ ,
+.Xr sudo @mansectsu@ ,
+.Xr vipw @mansectsu@
+.Sh AUTHORS
+Many people have worked on
+.Nm sudo
+over the years; this version consists of code written primarily by:
+.Bd -ragged -offset indent
+Todd C. Miller
+.Ed
+.Pp
+See the CONTRIBUTORS file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+.Nm sudo .
+.Sh CAVEATS
+There is no easy way to prevent a user from gaining a root shell if
+the editor used by
+.Nm visudo
+allows shell escapes.
+.Sh BUGS
+If you feel you have found a bug in
+.Nm visudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm visudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 1996,1998-2005, 2007-2012
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Sponsored in part by the Defense Advanced Research Projects
-Agency (DARPA) and Air Force Research Laboratory, Air Force
-Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=pod
-
-=head1 NAME
-
-visudo - edit the sudoers file
-
-=head1 SYNOPSIS
-
-B<visudo> [B<-chqsV>] [B<-f> I<sudoers>]
-
-=head1 DESCRIPTION
-
-B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
-L<vipw(8)>. B<visudo> locks the I<sudoers> file against multiple
-simultaneous edits, provides basic sanity checks, and checks
-for parse errors. If the I<sudoers> file is currently being
-edited you will receive a message to try again later.
-
-There is a hard-coded list of one or more editors that B<visudo> will
-use set at compile-time that may be overridden via the I<editor> I<sudoers>
-C<Default> variable. This list defaults to C<"@editor@">. Normally,
-B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
-variables unless they contain an editor in the aforementioned editors
-list. However, if B<visudo> is configured with the I<--with-env-editor>
-option or the I<env_editor> C<Default> variable is set in I<sudoers>,
-B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>.
-Note that this can be a security hole since it allows the user to
-execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
-
-B<visudo> parses the I<sudoers> file after the edit and will
-not save the changes if there is a syntax error. Upon finding
-an error, B<visudo> will print a message stating the line number(s)
-where the error occurred and the user will receive the
-"What now?" prompt. At this point the user may enter "e"
-to re-edit the I<sudoers> file, "x" to exit without
-saving the changes, or "Q" to quit and save changes. The
-"Q" option should be used with extreme care because if B<visudo>
-believes there to be a parse error, so will B<sudo> and no one
-will be able to B<sudo> again until the error is fixed.
-If "e" is typed to edit the I<sudoers> file after a parse error
-has been detected, the cursor will be placed on the line where the
-error occurred (if the editor supports this feature).
-
-=head1 OPTIONS
-
-B<visudo> accepts the following command line options:
-
-=over 12
-
-=item -c
-
-Enable B<check-only> mode. The existing I<sudoers> file will be
-checked for syntax errors, owner and mode. A message will be printed
-to the standard output describing the status of I<sudoers> unless
-the B<-q> option was specified. If the check completes successfully,
-B<visudo> will exit with a value of 0. If an error is encountered,
-B<visudo> will exit with a value of 1.
-
-=item -f I<sudoers>
-
-Specify and alternate I<sudoers> file location. With this option
-B<visudo> will edit (or check) the I<sudoers> file of your choice,
-instead of the default, F<@sysconfdir@/sudoers>. The lock file used
-is the specified I<sudoers> file with ".tmp" appended to it.
-In B<check-only> mode only, the argument to B<-f> may be "-",
-indicating that I<sudoers> will be read from the standard input.
-
-=item -h
-
-The B<-h> (I<help>) option causes B<visudo> to print a short help message
-to the standard output and exit.
-
-=item -q
-
-Enable B<quiet> mode. In this mode details about syntax errors
-are not printed. This option is only useful when combined with
-the B<-c> option.
-
-=item -s
-
-Enable B<strict> checking of the I<sudoers> file. If an alias is
-used before it is defined, B<visudo> will consider this a parse
-error. Note that it is not possible to differentiate between an
-alias and a host name or user name that consists solely of uppercase
-letters, digits, and the underscore ('_') character.
-
-=item -V
-
-The B<-V> (version) option causes B<visudo> to print its version number
-and exit.
-
-=back
-
-=head1 ENVIRONMENT
-
-The following environment variables may be consulted depending on
-the value of the I<editor> and I<env_editor> I<sudoers> variables:
-
-=over 16
-
-=item C<VISUAL>
-
-Invoked by visudo as the editor to use
-
-=item C<EDITOR>
-
-Used by visudo if VISUAL is not set
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F<@sysconfdir@/sudoers>
-
-List of who can run what
-
-=item F<@sysconfdir@/sudoers.tmp>
-
-Lock file for visudo
-
-=back
-
-=head1 DIAGNOSTICS
-
-=over 4
-
-=item sudoers file busy, try again later.
-
-Someone else is currently editing the I<sudoers> file.
-
-=item @sysconfdir@/sudoers.tmp: Permission denied
-
-You didn't run B<visudo> as root.
-
-=item Can't find you in the passwd database
-
-Your userid does not appear in the system passwd file.
-
-=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
-
-Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
-or you have a user or host name listed that consists solely of
-uppercase letters, digits, and the underscore ('_') character. In
-the latter case, you can ignore the warnings (B<sudo> will not
-complain). In B<-s> (strict) mode these are errors, not warnings.
-
-=item Warning: unused {User,Runas,Host,Cmnd}_Alias
-
-The specified {User,Runas,Host,Cmnd}_Alias was defined but never
-used. You may wish to comment out or remove the unused alias. In
-B<-s> (strict) mode this is an error, not a warning.
-
-=item Warning: cycle in {User,Runas,Host,Cmnd}_Alias
-
-The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
-itself, either directly or through an alias it includes. This is
-only a warning by default as B<sudo> will ignore cycles when parsing
-the I<sudoers> file.
-
-=back
-
-=head1 SEE ALSO
-
-L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
-
-=head1 AUTHOR
-
-Many people have worked on B<sudo> over the years; this version of
-B<visudo> was written by:
-
- Todd Miller
-
-See the CONTRIBUTORS file in the B<sudo> distribution
-(http://www.sudo.ws/sudo/contributors.html) for a list of people
-who have contributed to B<sudo>.
-
-=head1 CAVEATS
-
-There is no easy way to prevent a user from gaining a root shell if
-the editor used by B<visudo> allows shell escapes.
-
-=head1 BUGS
-
-If you feel you have found a bug in B<visudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<visudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
includedir = @includedir@
+cross_compiling = @CROSS_COMPILING@
# Our install program supports extra flags...
INSTALL = $(SHELL) $(top_srcdir)/install-sh -c
install-doc:
install-includes: install-dirs
- $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0444 $(srcdir)/sudo_plugin.h $(DESTDIR)$(includedir)
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -m 0644 $(srcdir)/sudo_plugin.h $(DESTDIR)$(includedir)
install-plugin:
*/
#if defined(SUDO_ERROR_WRAP) && SUDO_ERROR_WRAP == 0
# if defined(__GNUC__) && __GNUC__ == 2
-# define error(rval, fmt...) error2((rval), (fmt))
-# define errorx(rval, fmt...) errorx2((rval), (fmt))
-# define warning(fmt...) warning2((fmt))
-# define warningx(fmt...) warningx2((fmt))
+# define error(rval, fmt...) error2((rval), fmt)
+# define errorx(rval, fmt...) errorx2((rval), fmt)
+# define warning(fmt...) warning2(fmt)
+# define warningx(fmt...) warningx2(fmt)
# else
# define error(rval, ...) error2((rval), __VA_ARGS__)
# define errorx(rval, ...) errorx2((rval), __VA_ARGS__)
# define error(rval, fmt...) do { \
sudo_debug_printf2(__func__, __FILE__, __LINE__, \
SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO|sudo_debug_subsys, \
- (fmt)); \
- error2((rval), (fmt)); \
+ fmt); \
+ error2((rval), fmt); \
} while (0)
# define errorx(rval, fmt...) do { \
sudo_debug_printf2(__func__, __FILE__, __LINE__, \
- SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|sudo_debug_subsys, (fmt)); \
- errorx2((rval), (fmt)); \
+ SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|sudo_debug_subsys, fmt); \
+ errorx2((rval), fmt); \
} while (0)
# define warning(fmt...) do { \
sudo_debug_printf2(__func__, __FILE__, __LINE__, \
SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO|sudo_debug_subsys, \
- (fmt)); \
- warning2((fmt)); \
+ fmt); \
+ warning2(fmt); \
} while (0)
# define warningx(fmt...) do { \
sudo_debug_printf2(__func__, __FILE__, __LINE__, \
- SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|sudo_debug_subsys, (fmt)); \
- warningx2((fmt)); \
+ SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|sudo_debug_subsys, fmt); \
+ warningx2(fmt); \
} while (0)
# else
# define error(rval, ...) do { \
* Solaris locale.h includes libintl.h which causes problems when we
* redefine the gettext functions. We include it first to avoid this.
*/
-#if defined(HAVE_LOCALE_H) && defined(__sun__) && defined(__svr4__)
+#if defined(HAVE_SETLOCALE) && defined(__sun__) && defined(__svr4__)
# include <locale.h>
#endif
dngettext(DEFAULT_TEXT_DOMAIN, String, String_Plural, N)
# endif
+/*
+ * Older versions of Solaris lack ngettext() so we have to kludge it.
+ */
+# ifndef HAVE_NGETTEXT
+# undef ngettext
+# define ngettext(String, String_Plural, N) \
+ ((N) == 1 ? gettext(String) : gettext(String_Plural))
+# endif
+
/* Gettext convenience macros */
# define _(String) gettext(String)
# define gettext_noop(String) String
* Macros and functions that may be missing on some operating systems.
*/
+#ifndef __GNUC_PREREQ__
+# ifdef __GNUC__
+# define __GNUC_PREREQ__(ma, mi) \
+ ((__GNUC__ > (ma)) || (__GNUC__ == (ma) && __GNUC_MINOR__ >= (mi)))
+# else
+# define __GNUC_PREREQ__(ma, mi) 0
+# endif
+#endif
+
/* Define away __attribute__ for non-gcc or old gcc */
-#if !defined(__GNUC__) || __GNUC__ < 2 || __GNUC__ == 2 && __GNUC_MINOR__ < 5
+#if !defined(__attribute__) && !__GNUC_PREREQ__(2, 5)
# define __attribute__(x)
#endif
/* For catching format string mismatches */
#ifndef __printflike
-# if defined(__GNUC__) && (__GNUC__ > 2 || __GNUC__ == 2 && __GNUC_MINOR__ >= 7)
+# if __GNUC_PREREQ__(2, 7)
# define __printflike(f, v) __attribute__((__format__ (__printf__, f, v)))
# else
# define __printflike(f, v)
# endif
#endif
+#ifndef __dso_public
+# ifdef HAVE_DSO_VISIBILITY
+# if defined(__GNUC__)
+# define __dso_public __attribute__((__visibility__("default")))
+# define __dso_hidden __attribute__((__visibility__("hidden")))
+# elif defined(__SUNPRO_C)
+# define __dso_public __global
+# define __dso_hidden __hidden
+# else
+# define __dso_public __declspec(dllexport)
+# define __dso_hidden
+# endif
+# else
+# define __dso_public
+# define __dso_hidden
+# endif
+#endif
+
/*
* Some systems lack full limit definitions.
*/
# endif
#endif
+/* For sig2str() */
+#ifndef SIG2STR_MAX
+# define SIG2STR_MAX 32
+#endif
+
#ifndef WCOREDUMP
# define WCOREDUMP(x) ((x) & 0x80)
#endif
#ifndef HAVE_STRSIGNAL
char *strsignal(int);
#endif
+#ifndef HAVE_SIG2STR
+int sig2str(int, char *);
+#endif
#endif /* _SUDO_MISSING_H */
#define SUDO_DEBUG_PERMS (23<<6) /* uid/gid swapping functions */
#define SUDO_DEBUG_PLUGIN (24<<6) /* main plugin functions */
#define SUDO_DEBUG_HOOKS (25<<6) /* hook functions */
+#define SUDO_DEBUG_SSSD (26<<6) /* sudoers SSSD */
#define SUDO_DEBUG_ALL 0xfff0 /* all subsystems */
/* Flag to include string version of errno in debug info. */
#if defined(__GNUC__) && __GNUC__ == 2
# define sudo_debug_printf(pri, fmt...) \
sudo_debug_printf2(__func__, __FILE__, __LINE__, (pri)|sudo_debug_subsys, \
- (fmt))
+ fmt)
#else
# define sudo_debug_printf(pri, ...) \
sudo_debug_printf2(__func__, __FILE__, __LINE__, (pri)|sudo_debug_subsys, \
--- /dev/null
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the current language's compiler
+# or gives an error. (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the current language's default
+# flags (e.g. CFLAGS) when the check is done. The check is thus made with
+# the flags: "CFLAGS EXTRA-FLAGS FLAG". This can for example be used to
+# force the compiler to issue an error when a bad flag is given.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+ ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+ _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM()],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS
--- /dev/null
+# ===========================================================================
+# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS])
+#
+# DESCRIPTION
+#
+# Check whether the given FLAG works with the linker or gives an error.
+# (Warnings, however, are ignored)
+#
+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+# success/failure.
+#
+# If EXTRA-FLAGS is defined, it is added to the linker's default flags
+# when the check is done. The check is thus made with the flags: "LDFLAGS
+# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
+# issue an error when a bad flag is given.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 3 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# As a special exception, the respective Autoconf Macro's copyright owner
+# gives unlimited permission to copy, distribute and modify the configure
+# scripts that are the output of Autoconf when processing the Macro. You
+# need not follow the terms of the GNU General Public License when using
+# or distributing such scripts, even though portions of the text of the
+# Macro appear in them. The GNU General Public License (GPL) does govern
+# all other use of the material that constitutes the Autoconf Macro.
+#
+# This special exception to the GPL applies to versions of the Autoconf
+# Macro released by the Autoconf Archive. When you make and distribute a
+# modified version of the Autoconf Macro, you may extend this special
+# exception to the GPL to apply to your modified version as well.
+
+#serial 2
+
+AC_DEFUN([AX_CHECK_LINK_FLAG],
+[AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
+ ax_check_save_flags=$LDFLAGS
+ LDFLAGS="$LDFLAGS $4 $1"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM()],
+ [AS_VAR_SET(CACHEVAR,[yes])],
+ [AS_VAR_SET(CACHEVAR,[no])])
+ LDFLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+ [m4_default([$2], :)],
+ [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_LINK_FLAGS
$makefile =~ s:\@DEV\@::g;
$makefile =~ s:\@COMMON_OBJS\@:aix.lo:;
$makefile =~ s:\@SUDO_OBJS\@:preload.o selinux.o sesh.o sudo_noexec.lo:;
- $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo:;
+ $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo sssd.lo:;
# XXX - fill in AUTH_OBJS from contents of the auth dir instead
$makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
- $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo dlopen.lo fnmatch.lo getcwd.lo getgrouplist.lo getline.lo getprogname.lo glob.lo isblank.lo memrchr.lo mksiglist.lo mktemp.lo nanosleep.lo pw_dup.lo siglist.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo utimes.lo globtest.o fnm_test.o:;
+ $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo dlopen.lo fnmatch.lo getcwd.lo getgrouplist.lo getline.lo getprogname.lo glob.lo isblank.lo memrchr.lo mksiglist.lo mksigname.lo mktemp.lo nanosleep.lo pw_dup.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo utimes.lo globtest.o fnm_test.o:;
# Parse OBJS lines
my %objs;
test -n "$osversion" || exit 1
osrelease=`echo "$osversion" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
-# Default paths
-prefix=/usr/local
-
-# Linux distros may build binaries as pie files.
-# This is really something libtool should figure out, but it does not.
-case "$osversion" in
- *-s390*|*-sparc*|*-alpha*)
- F_PIE=-fPIE
- ;;
- *)
- F_PIE=-fpie
- ;;
-esac
-
# Choose compiler options by osversion if not cross-compiling.
if [ "$crossbuild" = "false" ]; then
case "$osversion" in
# We use the same configure options as vendor packages when possible.
case "$osversion" in
centos*|rhel*)
- prefix=/usr
if [ $osrelease -ge 40 ]; then
# RHEL 4 and up support SELinux
configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux"
fi
if [ $osrelease -ge 50 ]; then
- # RHEL 5 and up build pies, have audit support and use a
- # separate PAM config file for "sudo -i".
- export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie"
+ # RHEL 5 and up has audit support and uses a separate PAM
+ # config file for "sudo -i".
configure_opts="${configure_opts}${configure_opts+$tab}--with-linux-audit"
configure_opts="${configure_opts}${configure_opts+$tab}--with-pam-login"
PPVARS="${PPVARS}${PPVARS+$space}linux_audit=1.4.0"
fi
# Note, must indent with tabs, not spaces due to IFS trickery
- configure_opts="--prefix=$prefix
+ configure_opts="--prefix=/usr
--with-logging=syslog
--with-logfac=authpriv
--with-pam
$configure_opts"
;;
sles*)
- prefix=/usr
if [ $osrelease -ge 10 ]; then
- # SLES 10 and higher build pies
- export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie"
+ # SLES 11 and higher has SELinux
if [ $osrelease -ge 11 ]; then
- # SLES 11 and higher has SELinux
configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux"
fi
fi
esac
# Note, must indent with tabs, not spaces due to IFS trickery
# XXX - SuSE uses secure path but only for env_reset
- configure_opts="--prefix=$prefix
- --libexecdir=$prefix/$libexec/sudo
+ configure_opts="--prefix=/usr
+ --libexecdir=/usr/$libexec/sudo
--with-logging=syslog
--with-logfac=auth
--with-all-insults
make_opts='docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)'
;;
deb*|ubu*)
- prefix=/usr
+ # Man pages should be compressed in .deb files
+ export MANCOMPRESS='gzip -9'
+ export MANCOMPRESSEXT='.gz'
# If Ubuntu, add --enable-admin-flag
case "$osversion" in
ubu*)
configure_opts="${configure_opts}${configure_opts+$tab}--enable-admin-flag${tab}--without-lecture"
- if [ $osrelease -ge 1004 ]; then
- export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie"
- fi
- ;;
- deb*)
- if [ $osrelease -ge 600 ]; then
- export CFLAGS="-O2 -g $F_PIE" LDFLAGS="-pie"
- fi
;;
esac
# Note, must indent with tabs, not spaces due to IFS trickery
configure_opts="${configure_opts}${configure_opts+$tab}--with-ldap
--with-ldap-conf-file=/etc/sudo-ldap.conf"
fi
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux"
configure_opts="--prefix=/usr
--with-all-insults
--with-pam
fi
export CFLAGS="-O2 -g $ARCH_FLAGS $SDK_FLAGS"
export LDFLAGS="$ARCH_FLAGS $SDK_FLAGS"
- if [ $osrelease -ge 105 ]; then
- CFLAGS="$CFLAGS $F_PIE"
- LDFLAGS="$LDFLAGS -Wl,-pie"
- fi
# Note, must indent with tabs, not spaces due to IFS trickery
- configure_opts="--prefix=$prefix
- --with-pam
+ configure_opts="--with-pam
--without-tty-tickets
--enable-zlib=system
--with-ldap
--with-env-editor
$configure_opts"
;;
+ aix*)
+ # Note, must indent with tabs, not spaces due to IFS trickery
+ # Note: we include our own zlib instead of relying on the
+ # AIX freeware version being installed.
+ configure_opts="
+ --prefix=/opt/freeware
+ --mandir=/opt/freeware/man
+ --with-insults=disabled
+ --with-logging=syslog
+ --with-logfac=auth
+ --with-editor=/usr/bin/vi
+ --with-env-editor
+ --enable-zlib=builtin
+ --disable-nls
+ $configure_opts"
+ PPVARS="${PPVARS}${PPVARS+$space}aix_freeware=true"
+ ;;
*)
# For Solaris, add project support and use let configure choose zlib.
# For all others, use the builtin zlib and disable NLS support.
case "$osversion" in
- sol*) configure_opts="${configure_opts}${configure_opts+$tab}--with-project";;
+ sol*) configure_opts="${configure_opts}${configure_opts+$tab}--with-project${tab}--disable-pie";;
*) configure_opts="${configure_opts}${configure_opts+$tab}--enable-zlib=builtin${tab}--disable-nls";;
esac
if test "$flavor" = "ldap"; then
configure_opts="${configure_opts}${configure_opts+$tab}--with-ldap"
fi
# Note, must indent with tabs, not spaces due to IFS trickery
- configure_opts="--prefix=$prefix
+ configure_opts="
--with-insults=disabled
--with-logging=syslog
--with-logfac=auth
#undef _PATH_LDAP_SECRET
#endif /* _PATH_LDAP_SECRET */
+#ifndef _PATH_SSSD_LIB
+#undef _PATH_SSSD_LIB
+#endif /* _PATH_SSSD_LIB */
+
#ifndef _PATH_NSSWITCH_CONF
#undef _PATH_NSSWITCH_CONF
#endif /* _PATH_NSSWITCH_CONF */
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
incdir = $(top_srcdir)/include
+cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
# Flags to pass to the link stage
LDFLAGS = @LDFLAGS@
-LTLDFLAGS = @LTLDFLAGS@
+LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@
+
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
# Where to install things...
prefix = @prefix@
datarootdir = @datarootdir@
localstatedir = @localstatedir@
plugindir = @PLUGINDIR@
+
+# File extension, mode and map file to use for shared libraries/objects
soext = @SOEXT@
+shlib_mode = @SHLIB_MODE@
+shlib_exp = $(srcdir)/sample_plugin.exp
+shlib_map = sample_plugin.map
+shlib_opt = sample_plugin.opt
# OS dependent defines
DEFS = @OSDEFS@
.SUFFIXES: .o .c .h .lo
.c.lo:
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
+
+$(shlib_map): $(shlib_exp)
+ @awk 'BEGIN { print "{\n\tglobal:" } { print "\t\t"$$0";" } END { print "\tlocal:\n\t\t*;\n};" }' $(shlib_exp) > $@
+
+$(shlib_opt): $(shlib_exp)
+ @sed 's/^/+e /' $(shlib_exp) > $@
-sample_plugin.la: $(OBJS)
- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ $(OBJS) $(LIBS) -module -export-symbols $(srcdir)/sample_plugin.sym -avoid-version -rpath $(plugindir)
+sample_plugin.la: $(OBJS) @LT_LDDEP@
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version -rpath $(plugindir)
pre-install:
install-doc:
install-plugin: install-dirs sample_plugin.la
- $(INSTALL) -b~ -m 0755 .libs/sample_plugin$(soext) $(DESTDIR)$(plugindir)
+ $(INSTALL) -b~ -m $(shlib_mode) .libs/sample_plugin$(soext) $(DESTDIR)$(plugindir)
uninstall:
-rm -f $(DESTDIR)$(plugindir)/sample_plugin$(soext)
sample_plugin.lo: $(srcdir)/sample_plugin.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/sudo_plugin.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sample_plugin.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sample_plugin.c
}
static char **
-build_command_info(char *command)
+build_command_info(const char *command)
{
static char **command_info;
int i = 0;
(editor_path = find_in_path(editor, plugin_state.envp)) == NULL) {
return NULL;
}
+ if (editor_path != editor)
+ free(editor);
nargv = (char **) malloc((nargc + 1 + nfiles + 1) * sizeof(char *));
if (nargv == NULL) {
sudo_log(SUDO_CONV_ERROR_MSG, "unable to allocate memory\n");
+ free(editor_path);
return NULL;
}
for (ac = 0; cp != NULL && ac < nargc; ac++) {
if (use_sudoedit) {
/* Rebuild argv using editor */
+ free(command);
command = find_editor(argc - 1, argv + 1, argv_out);
if (command == NULL) {
sudo_log(SUDO_CONV_ERROR_MSG, "unable to find valid editor\n");
/* Setup command info. */
*command_info_out = build_command_info(command);
+ free(command);
if (*command_info_out == NULL) {
sudo_log(SUDO_CONV_ERROR_MSG, "out of memory\n");
return -1;
--- /dev/null
+sample_policy
+sample_io
+++ /dev/null
-sample_policy
-sample_io
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
incdir = $(top_srcdir)/include
+cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
# Flags to pass to the link stage
LDFLAGS = @LDFLAGS@
-LTLDFLAGS = @LTLDFLAGS@
+LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@
+
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
# Where to install things...
prefix = @prefix@
datarootdir = @datarootdir@
localstatedir = @localstatedir@
plugindir = @PLUGINDIR@
+
+# File extension, mode and map file to use for shared libraries/objects
soext = @SOEXT@
+shlib_mode = @SHLIB_MODE@
+shlib_exp = $(srcdir)/sample_group.exp
+shlib_map = sample_group.map
+shlib_opt = sample_group.opt
# OS dependent defines
DEFS = @OSDEFS@
.SUFFIXES: .o .c .h .lo
.c.lo:
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
+
+$(shlib_map): $(shlib_exp)
+ @awk 'BEGIN { print "{\n\tglobal:" } { print "\t\t"$$0";" } END { print "\tlocal:\n\t\t*;\n};" }' $(shlib_exp) > $@
+
+$(shlib_opt): $(shlib_exp)
+ @sed 's/^/+e /' $(shlib_exp) > $@
-sample_group.la: $(OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ $(OBJS) $(LIBS) -module -export-symbols $(srcdir)/sample_group.sym -avoid-version -rpath $(plugindir)
+sample_group.la: $(OBJS) $(LT_LIBS) @LT_LDDEP@
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version -rpath $(plugindir)
pre-install:
install-doc:
install-plugin: install-dirs sample_group.la
- $(INSTALL) -b~ -m 0755 .libs/sample_group$(soext) $(DESTDIR)$(plugindir)
+ $(INSTALL) -b~ -m $(shlib_mode) .libs/sample_group$(soext) $(DESTDIR)$(plugindir)
uninstall:
-rm -f $(DESTDIR)$(plugindir)/sample_group$(soext)
# Autogenerated dependencies, do not modify
getgrent.lo: $(srcdir)/getgrent.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/getgrent.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getgrent.c
sample_group.lo: $(srcdir)/sample_group.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(incdir)/sudo_plugin.h \
$(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sample_group.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sample_group.c
--- /dev/null
+group_plugin
+++ /dev/null
-group_plugin
incdir = $(top_srcdir)/include
docdir = @docdir@
timedir = @timedir@
+libdir = @libdir@
+cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@
# C preprocessor flags
-CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) @CPPFLAGS@
+CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) -DLIBDIR=\"$(libdir)\" @CPPFLAGS@
# Usually -O and/or -g
CFLAGS = @CFLAGS@
# Flags to pass to the link stage
LDFLAGS = @LDFLAGS@
-SUDOERS_LDFLAGS = $(LDFLAGS) @SUDOERS_LDFLAGS@
-LTLDFLAGS = @LTLDFLAGS@
+LT_LDFLAGS = @SUDOERS_LDFLAGS@ @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@
+
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
# Where to install things...
prefix = @prefix@
localedir = @localedir@
localstatedir = @localstatedir@
-# File extension for shared objects
+# File extension, mode and map file to use for shared libraries/objects
soext = @SOEXT@
+shlib_mode = @SHLIB_MODE@
+shlib_exp = $(srcdir)/sudoers.exp
+shlib_map = sudoers.map
+shlib_opt = sudoers.opt
# Directory in which to install the sudoers plugin
plugindir = @PLUGINDIR@
PROGS = sudoers.la visudo sudoreplay testsudoers
-TEST_PROGS = check_iolog_path check_fill check_wrap check_addr
+TEST_PROGS = check_iolog_path check_fill check_wrap check_addr check_symbols
AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
CHECK_IOLOG_PATH_OBJS = check_iolog_path.o error.o iolog_path.o pwutil.o \
redblack.o
+CHECK_SYMBOLS_OBJS = check_symbols.o error.o
+
CHECK_WRAP_OBJS = check_wrap.o logwrap.o error.o
LIBOBJDIR = $(top_builddir)/@ac_config_libobj_dir@/
.SUFFIXES: .o .c .h .l .y .lo
.c.o:
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
.c.lo:
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
+
+$(shlib_map): $(shlib_exp)
+ @awk 'BEGIN { print "{\n\tglobal:" } { print "\t\t"$$0";" } END { print "\tlocal:\n\t\t*;\n};" }' $(shlib_exp) > $@
+
+$(shlib_opt): $(shlib_exp)
+ @sed 's/^/+e /' $(shlib_exp) > $@
# Prevent default rules from building .c files from .l and .y files
.l.c:
libparsesudoers.la: $(LIBPARSESUDOERS_OBJS)
$(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
-sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la
- $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(SUDOERS_LDFLAGS) $(LTLDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -export-symbols $(srcdir)/sudoers.sym -avoid-version -rpath $(plugindir)
+sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la @LT_LDDEP@
+ $(LIBTOOL) @LT_STATIC@ --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(SUDOERS_OBJS) libparsesudoers.la $(SUDOERS_LIBS) -module -avoid-version -rpath $(plugindir)
visudo: libparsesudoers.la $(VISUDO_OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(VISUDO_OBJS) $(LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(VISUDO_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS)
sudoreplay: timestr.lo $(REPLAY_OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(REPLAY_OBJS) $(LDFLAGS) timestr.lo $(REPLAY_LIBS) $(LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(REPLAY_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) timestr.lo $(REPLAY_LIBS) $(LIBS)
testsudoers: libparsesudoers.la $(TEST_OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS) @LIBDL@
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) libparsesudoers.la $(LIBS) $(NET_LIBS) @LIBDL@
check_addr: $(CHECK_ADDR_OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_ADDR_OBJS) $(LDFLAGS) $(LIBS) $(NET_LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_ADDR_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) $(NET_LIBS)
check_iolog_path: $(CHECK_IOLOG_PATH_OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_IOLOG_PATH_OBJS) $(LDFLAGS) $(LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_IOLOG_PATH_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
check_fill: $(CHECK_FILL_OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_FILL_OBJS) $(LDFLAGS) $(LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_FILL_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
+
+check_symbols: $(CHECK_SYMBOLS_OBJS) $(LT_LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_SYMBOLS_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) @SUDO_LIBS@
check_wrap: $(CHECK_WRAP_OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_WRAP_OBJS) $(LDFLAGS) $(LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(CHECK_WRAP_OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
GENERATED = gram.h gram.c toke.c def_data.c def_data.h getdate.c
else \
toke_l="$(srcdir)/toke.l"; \
fi; \
- cmd='$(FLEX) '"$$toke_l"'; echo "#include <config.h>" > $(devdir)/toke.c; cat lex.yy.c >> $(devdir)/toke.c'; \
+ cmd='$(FLEX) '"$$toke_l"'; echo "#include <config.h>" > $(devdir)/toke.c; cat lex.yy.c >> $(devdir)/toke.c; rm -f lex.yy.c'; \
echo "$$cmd"; eval $$cmd; \
fi
-# Uncomment the lines before -@true if you intend to modify getdate.y
$(devdir)/getdate.c: $(srcdir)/getdate.y
@if [ -n "$(DEVEL)" ]; then \
echo "expect 10 shift/reduce conflicts"; \
echo "$$cmd"; eval $$cmd; \
fi
-# Uncomment the following if you intend to modify def_data.in
$(devdir)/def_data.c $(devdir)/def_data.h: $(srcdir)/def_data.in
@if [ -n "$(DEVEL)" ]; then \
cmd='$(PERL) $(srcdir)/mkdefaults -o $(devdir)/def_data $(srcdir)/def_data.in'; \
(cd $(top_builddir) && $(SHELL) config.status --file=plugins/sudoers/$@)
pre-install:
- @if test -r $(DESTDIR)$(sudoersdir)/sudoers; then \
+ @if test X"$(cross_compiling)" != X"yes" -a -r $(DESTDIR)$(sudoersdir)/sudoers; then \
echo "Checking existing sudoers file for syntax errors."; \
./visudo -c -f $(DESTDIR)$(sudoersdir)/sudoers; \
fi
$(INSTALL) -d -O $(install_uid) -G $(install_gid) -m 0700 $(DESTDIR)$(timedir)
install-binaries: visudo sudoreplay install-dirs
- $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -M 0111 sudoreplay $(DESTDIR)$(replaydir)/sudoreplay
- $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -M 0111 visudo $(DESTDIR)$(visudodir)/visudo
+ $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 0755 sudoreplay $(DESTDIR)$(replaydir)/sudoreplay
+ $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 0755 visudo $(DESTDIR)$(visudodir)/visudo
install-includes:
install-doc: install-dirs
- @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0555 $(srcdir)/sudoers2ldif $(DESTDIR)$(docdir)
+ @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -m 0755 $(srcdir)/sudoers2ldif $(DESTDIR)$(docdir)
install-plugin: sudoers.la install-dirs
if [ X"$(soext)" != X"" ]; then \
- $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 0755 .libs/sudoers$(soext) $(DESTDIR)$(plugindir); \
+ test X"$$SUDO_PREINSTALL_CMD" != X"" && \
+ $$SUDO_PREINSTALL_CMD .libs/sudoers$(soext); \
+ $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m $(shlib_mode) .libs/sudoers$(soext) $(DESTDIR)$(plugindir); \
fi
install-sudoers: install-dirs
rm -f $(DESTDIR)$(sudoersdir)/sudoers
check: $(TEST_PROGS) visudo testsudoers
- @-rval=0; \
- ./check_addr $(srcdir)/regress/parser/check_addr.in; \
- rval=`expr $$rval + $$?`; \
- ./check_fill; \
- rval=`expr $$rval + $$?`; \
- ./check_iolog_path $(srcdir)/regress/iolog_path/data; \
- rval=`expr $$rval + $$?`; \
- ./check_wrap $(srcdir)/regress/logging/check_wrap.in > check_wrap.out; \
- diff check_wrap.out $(srcdir)/regress/logging/check_wrap.out.ok; \
- rval=`expr $$rval + $$?`; \
- passed=0; failed=0; total=0; \
- for t in $(srcdir)/regress/sudoers/*.in; do \
- dir=`dirname $$t`; \
- dirbase=`basename $$dir`; \
+ @-if test X"$(cross_compiling)" != X"yes"; then \
+ rval=0; \
+ PWD=`pwd`; \
+ ./check_addr $(srcdir)/regress/parser/check_addr.in; \
+ rval=`expr $$rval + $$?`; \
+ ./check_fill; \
+ rval=`expr $$rval + $$?`; \
+ ./check_iolog_path $(srcdir)/regress/iolog_path/data; \
+ rval=`expr $$rval + $$?`; \
+ if [ X"$(soext)" != X"" ]; then \
+ ./check_symbols .libs/sudoers$(soext) $(shlib_exp); \
+ rval=`expr $$rval + $$?`; \
+ fi; \
+ ./check_wrap $(srcdir)/regress/logging/check_wrap.in > check_wrap.out; \
+ diff check_wrap.out $(srcdir)/regress/logging/check_wrap.out.ok; \
+ rval=`expr $$rval + $$?`; \
+ passed=0; failed=0; total=0; \
+ mkdir -p regress/sudoers; \
+ dir=sudoers; \
+ for t in $(srcdir)/regress/$$dir/*.in; do \
base=`basename $$t .in`; \
- out="$${base}.out"; \
- toke="$${base}.toke"; \
+ out="regress/sudoers/$${base}.out"; \
+ toke="regress/sudoers/$${base}.toke"; \
./testsudoers -dt <$$t >$$out 2>$$toke; \
- if cmp $$out $$dir/$$out.ok >/dev/null; then \
+ if cmp $$out $(srcdir)/$$out.ok >/dev/null; then \
passed=`expr $$passed + 1`; \
- echo "$$dirbase/$$base (parse): OK"; \
+ echo "$$dir/$$base (parse): OK"; \
else \
failed=`expr $$failed + 1`; \
- echo "$$dirbase/$$base: FAIL"; \
- diff $$out $$dir/$$out.ok; \
+ echo "$$dir/$$base: FAIL"; \
+ diff $$out $(srcdir)/$$out.ok; \
fi; \
total=`expr $$total + 1`; \
- if cmp $$toke $$dir/$$toke.ok >/dev/null; then \
+ if cmp $$toke $(srcdir)/$$toke.ok >/dev/null; then \
passed=`expr $$passed + 1`; \
- echo "$$dirbase/$$base (toke): OK"; \
+ echo "$$dir/$$base (toke): OK"; \
else \
failed=`expr $$failed + 1`; \
- echo "$$dirbase/$$base (toke): FAIL"; \
- diff $$out $$dir/$$out.ok; \
+ echo "$$dir/$$base (toke): FAIL"; \
+ diff $$out $(srcdir)/$$out.ok; \
fi; \
total=`expr $$total + 1`; \
done; \
- echo "$$dirbase: $$passed/$$total tests passed; $$failed/$$total tests failed"; \
- rval=`expr $$rval + $$failed`; \
- passed=0; failed=0; total=0; \
- for t in $(srcdir)/regress/*/*.sh; do \
- dir=`dirname $$t`; \
- dirbase=`basename $$dir`; \
- base=`basename $$t .sh`; \
- out="$${base}.out"; \
- err="$${base}.err"; \
- $(SHELL) $$t >$$out 2>$$err; \
- if cmp $$out $$dir/$$out.ok >/dev/null; then \
- passed=`expr $$passed + 1`; \
- echo "$$dirbase/$$base: OK"; \
- else \
- failed=`expr $$failed + 1`; \
- echo "$$dirbase/$$base: FAIL"; \
- diff $$out $$dir/$$out.ok; \
- fi; \
- total=`expr $$total + 1`; \
- if test -s $$dir/$$err.ok; then \
- if cmp $$err $$dir/$$err.ok >/dev/null; then \
+ echo "$$dir: $$passed/$$total tests passed; $$failed/$$total tests failed"; \
+ rval=`expr $$rval + $$failed`; \
+ for dir in testsudoers visudo; do \
+ mkdir -p regress/$$dir; \
+ passed=0; failed=0; total=0; \
+ for t in $(srcdir)/regress/$$dir/*.sh; do \
+ base=`basename $$t .sh`; \
+ out="regress/$$dir/$${base}.out"; \
+ err="regress/$$dir/$${base}.err"; \
+ TESTDIR=$$PWD/$(srcdir)/regress/$$dir \
+ $(SHELL) $$t >$$out 2>$$err; \
+ if cmp $$out $(srcdir)/$$out.ok >/dev/null; then \
passed=`expr $$passed + 1`; \
- echo "$$dirbase/$$base (stderr): OK"; \
+ echo "$$dir/$$base: OK"; \
else \
failed=`expr $$failed + 1`; \
- echo "$$dirbase/$$base (stderr): FAIL"; \
- diff $$out $$dir/$$out.ok; \
+ echo "$$dir/$$base: FAIL"; \
+ diff $$out $(srcdir)/$$out.ok; \
fi; \
total=`expr $$total + 1`; \
- elif test -s $$err; then \
- cat $$err 1>&2; \
- fi; \
+ if test -s $(srcdir)/$$err.ok; then \
+ if cmp $$err $(srcdir)/$$err.ok >/dev/null; then \
+ passed=`expr $$passed + 1`; \
+ echo "$$dir/$$base (stderr): OK"; \
+ else \
+ failed=`expr $$failed + 1`; \
+ echo "$$dir/$$base (stderr): FAIL"; \
+ diff $$out $(srcdir)/$$out.ok; \
+ fi; \
+ total=`expr $$total + 1`; \
+ elif test -s $$err; then \
+ cat $$err 1>&2; \
+ fi; \
+ done; \
+ echo "$$dir: $$passed/$$total tests passed; $$failed/$$total tests failed"; \
+ rval=`expr $$rval + $$failed`; \
done; \
- echo "$$dirbase: $$passed/$$total tests passed; $$failed/$$total tests failed"; \
- rval=`expr $$rval + $$failed`; exit $$rval
+ exit $$rval; \
+ fi
clean:
- -$(LIBTOOL) --mode=clean rm -f $(PROGS) $(TEST_PROGS) *.lo *.o *.la *.a stamp-* core *.core core.* *.out *.toke *.err
+ -$(LIBTOOL) --mode=clean rm -f $(PROGS) $(TEST_PROGS) *.lo *.o *.la *.a stamp-* core *.core core.* *.out *.toke *.err *.inc
mostlyclean: clean
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/afs.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/afs.c
aix_auth.lo: $(authdir)/aix_auth.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \
$(srcdir)/defaults.h $(devdir)/def_data.h $(srcdir)/logging.h \
$(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/aix_auth.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/aix_auth.c
alias.lo: $(srcdir)/alias.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/parse.h $(srcdir)/redblack.h $(devdir)/gram.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/alias.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/alias.c
audit.lo: $(srcdir)/audit.c $(top_builddir)/config.h $(incdir)/missing.h \
$(srcdir)/logging.h $(incdir)/sudo_debug.h $(srcdir)/bsm_audit.h \
$(srcdir)/linux_audit.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/audit.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/audit.c
boottime.lo: $(srcdir)/boottime.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/sudo_debug.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/boottime.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/boottime.c
bsdauth.lo: $(authdir)/bsdauth.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/bsdauth.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/bsdauth.c
bsm_audit.lo: $(srcdir)/bsm_audit.c $(top_builddir)/config.h \
$(incdir)/gettext.h $(incdir)/error.h $(incdir)/sudo_debug.h \
$(srcdir)/bsm_audit.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/bsm_audit.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/bsm_audit.c
check.lo: $(srcdir)/check.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/check.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/check.c
check_addr.o: $(srcdir)/regress/parser/check_addr.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h $(srcdir)/parse.h \
$(srcdir)/interfaces.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_addr.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_addr.c
check_fill.o: $(srcdir)/regress/parser/check_fill.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(incdir)/list.h \
$(srcdir)/parse.h $(srcdir)/toke.h $(incdir)/sudo_plugin.h \
$(devdir)/gram.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_fill.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/parser/check_fill.c
check_iolog_path.o: $(srcdir)/regress/iolog_path/check_iolog_path.c \
$(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(devdir)/def_data.c
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/regress/iolog_path/check_iolog_path.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/iolog_path/check_iolog_path.c
+check_symbols.o: $(srcdir)/regress/check_symbols/check_symbols.c \
+ $(top_builddir)/config.h $(top_srcdir)/compat/dlfcn.h \
+ $(incdir)/missing.h $(incdir)/error.h
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/check_symbols/check_symbols.c
check_wrap.o: $(srcdir)/regress/logging/check_wrap.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/sudo_plugin.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/regress/logging/check_wrap.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/regress/logging/check_wrap.c
dce.lo: $(authdir)/dce.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/dce.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/dce.c
defaults.lo: $(srcdir)/defaults.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h $(srcdir)/parse.h $(devdir)/gram.h \
$(devdir)/def_data.c
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/defaults.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/defaults.c
env.lo: $(srcdir)/env.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/env.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/env.c
error.o: $(top_srcdir)/src/error.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(top_srcdir)/src/error.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(top_srcdir)/src/error.c
find_path.lo: $(srcdir)/find_path.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(incdir)/fileops.h $(srcdir)/defaults.h $(devdir)/def_data.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/find_path.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/find_path.c
find_path.o: find_path.lo
fwtk.lo: $(authdir)/fwtk.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/fwtk.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/fwtk.c
getdate.o: $(devdir)/getdate.c $(top_builddir)/config.h \
$(top_builddir)/config.h $(incdir)/missing.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(devdir)/getdate.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(devdir)/getdate.c
getspwuid.lo: $(srcdir)/getspwuid.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(incdir)/fileops.h $(srcdir)/defaults.h $(devdir)/def_data.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/getspwuid.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getspwuid.c
goodpath.lo: $(srcdir)/goodpath.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/goodpath.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/goodpath.c
goodpath.o: goodpath.lo
gram.lo: $(devdir)/gram.c $(top_builddir)/config.h $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(srcdir)/defaults.h $(devdir)/def_data.h $(srcdir)/logging.h \
$(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h $(srcdir)/parse.h $(srcdir)/toke.h $(devdir)/gram.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(devdir)/gram.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(devdir)/gram.c
group_plugin.lo: $(srcdir)/group_plugin.c $(top_builddir)/config.h \
$(top_srcdir)/compat/dlfcn.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/group_plugin.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/group_plugin.c
group_plugin.o: group_plugin.lo
interfaces.lo: $(srcdir)/interfaces.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h $(srcdir)/interfaces.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/interfaces.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/interfaces.c
interfaces.o: interfaces.lo
iolog.lo: $(srcdir)/iolog.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/iolog.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/iolog.c
iolog_path.lo: $(srcdir)/iolog_path.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/iolog_path.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/iolog_path.c
iolog_path.o: iolog_path.lo
kerb5.lo: $(authdir)/kerb5.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/kerb5.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/kerb5.c
ldap.lo: $(srcdir)/ldap.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/parse.h $(incdir)/lbuf.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/ldap.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/ldap.c
linux_audit.lo: $(srcdir)/linux_audit.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/gettext.h $(incdir)/sudo_debug.h \
$(srcdir)/linux_audit.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/linux_audit.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/linux_audit.c
logging.lo: $(srcdir)/logging.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/logging.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/logging.c
logwrap.lo: $(srcdir)/logwrap.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/logwrap.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/logwrap.c
logwrap.o: logwrap.lo
match.lo: $(srcdir)/match.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/parse.h $(devdir)/gram.h $(top_srcdir)/compat/fnmatch.h \
$(top_srcdir)/compat/glob.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/match.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/match.c
match_addr.lo: $(srcdir)/match_addr.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h $(srcdir)/interfaces.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/match_addr.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/match_addr.c
match_addr.o: match_addr.lo
net_ifs.o: $(top_srcdir)/src/net_ifs.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(top_srcdir)/src/net_ifs.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(top_srcdir)/src/net_ifs.c
pam.lo: $(authdir)/pam.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/pam.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/pam.c
parse.lo: $(srcdir)/parse.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/parse.h $(incdir)/lbuf.h $(devdir)/gram.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/parse.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/parse.c
passwd.lo: $(authdir)/passwd.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/passwd.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/passwd.c
plugin_error.lo: $(srcdir)/plugin_error.c $(top_builddir)/config.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/sudo_plugin.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/plugin_error.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/plugin_error.c
pwutil.lo: $(srcdir)/pwutil.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/redblack.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/pwutil.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/pwutil.c
pwutil.o: pwutil.lo
redblack.lo: $(srcdir)/redblack.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/sudo_debug.h $(srcdir)/redblack.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/redblack.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/redblack.c
redblack.o: redblack.lo
rfc1938.lo: $(authdir)/rfc1938.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/rfc1938.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/rfc1938.c
secureware.lo: $(authdir)/secureware.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/secureware.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/secureware.c
securid5.lo: $(authdir)/securid5.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \
$(srcdir)/defaults.h $(devdir)/def_data.h $(srcdir)/logging.h \
$(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/securid5.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/securid5.c
set_perms.lo: $(srcdir)/set_perms.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(incdir)/fileops.h $(srcdir)/defaults.h $(devdir)/def_data.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/set_perms.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/set_perms.c
sia.lo: $(authdir)/sia.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/sia.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sia.c
+sssd.lo: $(srcdir)/sssd.c $(top_builddir)/config.h \
+ $(top_srcdir)/compat/dlfcn.h $(srcdir)/sudoers.h \
+ $(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
+ $(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
+ $(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
+ $(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
+ $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
+ $(srcdir)/parse.h $(incdir)/lbuf.h $(incdir)/sudo_debug.h
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sssd.c
sudo_auth.lo: $(authdir)/sudo_auth.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h $(srcdir)/insults.h \
$(srcdir)/ins_2001.h $(srcdir)/ins_goons.h \
$(srcdir)/ins_classic.h $(srcdir)/ins_csops.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(authdir)/sudo_auth.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(authdir)/sudo_auth.c
sudo_nss.lo: $(srcdir)/sudo_nss.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h $(incdir)/lbuf.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudo_nss.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudo_nss.c
sudoers.lo: $(srcdir)/sudoers.c $(top_builddir)/config.h \
$(top_srcdir)/compat/getaddrinfo.h $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h $(srcdir)/interfaces.h \
$(srcdir)/sudoers_version.h $(srcdir)/auth/sudo_auth.h \
$(incdir)/secure_path.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudoers.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudoers.c
sudoreplay.o: $(srcdir)/sudoreplay.c $(top_builddir)/config.h \
$(top_srcdir)/compat/timespec.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/gettext.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_conf.h $(incdir)/list.h \
$(incdir)/sudo_debug.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudoreplay.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudoreplay.c
testsudoers.o: $(srcdir)/testsudoers.c $(top_builddir)/config.h \
$(top_srcdir)/compat/fnmatch.h $(srcdir)/tsgetgrpw.h \
$(top_builddir)/config.h $(srcdir)/sudoers.h \
$(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
$(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h $(srcdir)/interfaces.h $(srcdir)/parse.h \
- $(incdir)/sudo_conf.h $(incdir)/list.h $(devdir)/gram.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/testsudoers.c
+ $(incdir)/sudo_conf.h $(incdir)/list.h $(incdir)/secure_path.h \
+ $(devdir)/gram.h
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/testsudoers.c
timestr.lo: $(srcdir)/timestr.c $(top_builddir)/config.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/timestr.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/timestr.c
toke.lo: $(devdir)/toke.c $(top_builddir)/config.h $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h $(incdir)/error.h \
$(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h $(srcdir)/parse.h $(srcdir)/toke.h \
$(devdir)/gram.h $(incdir)/lbuf.h $(incdir)/secure_path.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(devdir)/toke.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(devdir)/toke.c
toke_util.lo: $(srcdir)/toke_util.c $(top_builddir)/config.h \
$(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
$(top_builddir)/pathnames.h $(incdir)/missing.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h $(srcdir)/parse.h \
$(srcdir)/toke.h $(devdir)/gram.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/toke_util.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/toke_util.c
toke_util.o: toke_util.lo
tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(top_builddir)/config.h \
$(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \
$(srcdir)/defaults.h $(devdir)/def_data.h $(srcdir)/logging.h \
$(srcdir)/sudo_nss.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/tsgetgrpw.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/tsgetgrpw.c
visudo.o: $(srcdir)/visudo.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
$(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
$(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
$(srcdir)/interfaces.h $(srcdir)/parse.h $(srcdir)/redblack.h \
$(incdir)/gettext.h $(srcdir)/sudoers_version.h \
$(incdir)/sudo_conf.h $(incdir)/list.h $(devdir)/gram.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/visudo.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/visudo.c
# include <stdlib.h>
# endif
#endif /* STDC_HEADERS */
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include "compat/stdbool.h"
+#endif /* HAVE_STDBOOL_H */
#include <stdarg.h>
#include "missing.h"
char sav, *epass;
char *pw_epasswd = auth->data;
size_t pw_len;
- int error;
+ int matched = 0;
debug_decl(sudo_passwd_verify, SUDO_DEBUG_AUTH)
pw_len = strlen(pw_epasswd);
#ifdef HAVE_GETAUTHUID
/* Ultrix shadow passwords may use crypt16() */
- error = strcmp(pw_epasswd, (char *) crypt16(pass, pw_epasswd));
- if (!error)
+ epass = (char *) crypt16(pass, pw_epasswd);
+ if (epass != NULL && strcmp(pw_epasswd, epass) == 0)
debug_return_int(AUTH_SUCCESS);
#endif /* HAVE_GETAUTHUID */
*/
epass = (char *) crypt(pass, pw_epasswd);
pass[8] = sav;
- if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
- error = strncmp(pw_epasswd, epass, DESLEN);
- else
- error = strcmp(pw_epasswd, epass);
+ if (epass != NULL) {
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ matched = !strncmp(pw_epasswd, epass, DESLEN);
+ else
+ matched = !strcmp(pw_epasswd, epass);
+ }
- debug_return_int(error ? AUTH_FAILURE : AUTH_SUCCESS);
+ debug_return_int(matched ? AUTH_SUCCESS : AUTH_FAILURE);
}
int
sudo_secureware_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
char *pw_epasswd = auth->data;
+ char *epass = NULL;
debug_decl(sudo_secureware_verify, SUDO_DEBUG_AUTH)
#ifdef __alpha
{
extern int crypt_type;
-# ifdef HAVE_DISPCRYPT
- if (strcmp(pw_epasswd, dispcrypt(pass, pw_epasswd, crypt_type)) == 0)
- debug_return_int(AUTH_SUCCESS);
-# else
- if (crypt_type == AUTH_CRYPT_BIGCRYPT) {
- if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
- debug_return_int(AUTH_SUCCESS);
- } else if (crypt_type == AUTH_CRYPT_CRYPT16) {
- if (strcmp(pw_epasswd, crypt(pass, pw_epasswd)) == 0)
- debug_return_int(AUTH_SUCCESS);
- }
+# ifdef HAVE_DISPCRYPT
+ epass = dispcrypt(pass, pw_epasswd, crypt_type);
+# else
+ if (crypt_type == AUTH_CRYPT_BIGCRYPT)
+ epass = bigcrypt(pass, pw_epasswd);
+ else if (crypt_type == AUTH_CRYPT_CRYPT16)
+ epass = crypt(pass, pw_epasswd);
}
-# endif /* HAVE_DISPCRYPT */
+# endif /* HAVE_DISPCRYPT */
#elif defined(HAVE_BIGCRYPT)
- if (strcmp(pw_epasswd, bigcrypt(pass, pw_epasswd)) == 0)
- debug_return_int(AUTH_SUCCESS);
+ epass = bigcrypt(pass, pw_epasswd);
#endif /* __alpha */
- debug_return_int(AUTH_FAILURE);
+ if (epass != NULL && strcmp(pw_epasswd, epass) == 0)
+ debug_return_int(AUTH_SUCCESS);
+ debug_return_int(AUTH_FAILURE);
}
int
static void pass_warn(void);
+/*
+ * Initialize sudoers authentication method(s).
+ * Returns 0 on success and -1 on error.
+ */
int
sudo_auth_init(struct passwd *pw)
{
debug_decl(sudo_auth_init, SUDO_DEBUG_AUTH)
if (auth_switch[0].name == NULL)
- debug_return_int(true);
+ debug_return_int(0);
/* Make sure we haven't mixed standalone and shared auth methods. */
standalone = IS_STANDALONE(&auth_switch[0]);
if (NEEDS_USER(auth))
restore_perms();
+ /* Disable if it failed to init unless there was a fatal error. */
if (status == AUTH_FAILURE)
SET(auth->flags, FLAG_DISABLED);
- else if (status == AUTH_FATAL) {
- /* XXX log */
- audit_failure(NewArgv, "authentication failure");
+ else if (status == AUTH_FATAL)
break; /* assume error msg already printed */
- }
}
}
- debug_return_int(status == AUTH_FATAL ? -1 : true);
+ debug_return_int(status == AUTH_FATAL ? -1 : 0);
}
+/*
+ * Cleanup all authentication methods.
+ * Returns 0 on success and -1 on error.
+ */
int
sudo_auth_cleanup(struct passwd *pw)
{
if (NEEDS_USER(auth))
restore_perms();
- if (status == AUTH_FATAL) {
- /* XXX log */
- audit_failure(NewArgv, "authentication failure");
+ if (status == AUTH_FATAL)
break; /* assume error msg already printed */
- }
}
}
- debug_return_int(status == AUTH_FATAL ? -1 : true);
+ debug_return_int(status == AUTH_FATAL ? -1 : 0);
}
+/*
+ * Verify the specified user.
+ * Returns true if verified, false if not or -1 on error.
+ */
int
-verify_user(struct passwd *pw, char *prompt)
+verify_user(struct passwd *pw, char *prompt, int validated)
{
int counter = def_passwd_tries + 1;
int success = AUTH_FAILURE;
- int flags, status, rval;
+ int status, rval;
char *p;
sudo_auth *auth;
sigaction_t sa, osa;
/* XXX - check FLAG_DISABLED too */
if (auth_switch[0].name == NULL) {
audit_failure(NewArgv, "no authentication methods");
- log_fatal(0,
+ log_error(0,
_("There are no authentication methods compiled into sudo! "
"If you want to turn off authentication, use the "
"--disable-authentication configure option."));
if (status == AUTH_FAILURE)
SET(auth->flags, FLAG_DISABLED);
- else if (status == AUTH_FATAL) {
- /* XXX log */
- audit_failure(NewArgv, "authentication failure");
- debug_return_int(-1);/* assume error msg already printed */
- }
+ else if (status == AUTH_FATAL)
+ goto done; /* assume error msg already printed */
}
}
break;
case AUTH_INTR:
case AUTH_FAILURE:
- if (counter != def_passwd_tries) {
- if (def_mail_badpass || def_mail_always)
- flags = 0;
- else
- flags = NO_MAIL;
- log_fatal(flags, ngettext("%d incorrect password attempt",
- "%d incorrect password attempts",
- def_passwd_tries - counter), def_passwd_tries - counter);
- }
- audit_failure(NewArgv, "authentication failure");
+ if (counter != def_passwd_tries)
+ validated |= FLAG_BAD_PASSWORD;
+ log_auth_failure(validated, def_passwd_tries - counter);
rval = false;
break;
case AUTH_FATAL:
default:
- audit_failure(NewArgv, "authentication failure");
+ log_auth_failure(validated | FLAG_AUTH_ERROR, 0);
rval = -1;
break;
}
debug_return_int(rval);
}
+/*
+ * Call authentication method begin session hooks.
+ * Returns 1 on success and -1 on error.
+ */
int
sudo_auth_begin_session(struct passwd *pw, char **user_env[])
{
sudo_auth *auth;
- int status;
+ int status = AUTH_SUCCESS;
debug_decl(auth_begin_session, SUDO_DEBUG_AUTH)
for (auth = auth_switch; auth->name; auth++) {
if (auth->begin_session && !IS_DISABLED(auth)) {
status = (auth->begin_session)(pw, user_env, auth);
- if (status == AUTH_FATAL) {
- /* XXX log */
- audit_failure(NewArgv, "authentication failure");
- debug_return_bool(-1); /* assume error msg already printed */
- }
+ if (status == AUTH_FATAL)
+ break; /* assume error msg already printed */
}
}
- debug_return_bool(true);
+ debug_return_int(status == AUTH_FATAL ? -1 : 1);
}
+/*
+ * Call authentication method end session hooks.
+ * Returns 1 on success and -1 on error.
+ */
int
sudo_auth_end_session(struct passwd *pw)
{
sudo_auth *auth;
- int status;
+ int status = AUTH_SUCCESS;
debug_decl(auth_end_session, SUDO_DEBUG_AUTH)
for (auth = auth_switch; auth->name; auth++) {
if (auth->end_session && !IS_DISABLED(auth)) {
status = (auth->end_session)(pw, auth);
- if (status == AUTH_FATAL) {
- /* XXX log */
- debug_return_bool(-1); /* assume error msg already printed */
- }
+ if (status == AUTH_FATAL)
+ break; /* assume error msg already printed */
}
}
- debug_return_bool(true);
+ debug_return_int(status == AUTH_FATAL ? -1 : 1);
}
static void
dev_t rdev; /* tty device ID */
ino_t ino; /* tty inode number */
struct timeval ctime; /* tty inode change time */
+ pid_t sid; /* ID of session with controlling tty */
} tty_info;
static int build_timestamp(char **, char **);
static struct passwd *get_authpw(void);
/*
- * Returns true if the user successfully authenticates, else false.
+ * Returns true if the user successfully authenticates, false if not
+ * or -1 on error.
*/
int
check_user(int validated, int mode)
char *prompt;
struct stat sb;
int status, rval = true;
- bool need_pass = def_authenticate;
debug_decl(check_user, SUDO_DEBUG_AUTH)
/*
goto done;
}
- if (need_pass) {
- /* Always need a password when -k was specified with the command. */
- if (ISSET(mode, MODE_IGNORE_TICKET)) {
- SET(validated, FLAG_CHECK_USER);
- } else {
- /*
- * Don't prompt for the root passwd or if the user is exempt.
- * If the user is not changing uid/gid, no need for a password.
- */
- if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
- (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
- || user_is_exempt())
- need_pass = false;
- }
- }
- if (!need_pass)
+ /*
+ * Don't prompt for the root passwd or if the user is exempt.
+ * If the user is not changing uid/gid, no need for a password.
+ */
+ if (!def_authenticate || user_uid == 0 || user_is_exempt())
goto done;
+ if (user_uid == runas_pw->pw_uid &&
+ (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) {
+#ifdef HAVE_SELINUX
+ if (user_role == NULL && user_type == NULL)
+#endif
+#ifdef HAVE_PRIV_SET
+ if (runas_privs == NULL && runas_limitprivs == NULL)
+#endif
+ goto done;
+ }
- /* Stash the tty's ctime for tty ticket comparison. */
+ /* Always need a password when -k was specified with the command. */
+ if (ISSET(mode, MODE_IGNORE_TICKET))
+ SET(validated, FLAG_CHECK_USER);
+
+ /* Stash the tty's device, session ID and ctime for ticket comparison. */
if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
tty_info.dev = sb.st_dev;
tty_info.ino = sb.st_ino;
tty_info.rdev = sb.st_rdev;
if (tty_is_devpts(user_ttypath))
ctim_get(&sb, &tty_info.ctime);
+ tty_info.sid = user_sid;
}
if (build_timestamp(×tampdir, ×tampfile) == -1) {
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
/* Bail out if we are non-interactive and a password is required */
if (ISSET(mode, MODE_NONINTERACTIVE)) {
- warningx(_("sorry, a password is required to run %s"), getprogname());
+ validated |= FLAG_NON_INTERACTIVE;
+ log_auth_failure(validated, 0);
rval = -1;
goto done;
}
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
user_name, user_shost);
- rval = verify_user(auth_pw, prompt);
+ rval = verify_user(auth_pw, prompt, validated);
}
/* Only update timestamp if user was validated. */
if (rval == true && ISSET(validated, VALIDATE_OK) &&
done:
sudo_auth_cleanup(auth_pw);
- pw_delref(auth_pw);
+ sudo_pw_delref(auth_pw);
debug_return_bool(rval);
}
oflow:
/* We pre-allocate enough space, so this should never happen. */
- errorx(1, _("internal error, expand_prompt() overflow"));
+ errorx(1, _("internal error, %s overflow"), "expand_prompt()");
}
/*
debug_decl(build_timestamp, SUDO_DEBUG_AUTH)
dirparent = def_timestampdir;
+ *timestampfile = NULL;
len = easprintf(timestampdir, "%s/%s", dirparent, user_name);
if (len >= PATH_MAX)
goto bad;
debug_return_int(len);
bad:
- log_fatal(0, _("timestamp path too long: %s"), *timestampfile);
+ log_fatal(0, _("timestamp path too long: %s"),
+ *timestampfile ? *timestampfile : *timestampdir);
+ /* NOTREACHED */
debug_return_int(-1);
}
*/
if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
mtim_get(&sb, &mtime);
- /* Negative timeouts only expire manually (sudo -k). */
- if (def_timestamp_timeout < 0 && mtime.tv_sec != 0)
- status = TS_CURRENT;
- else {
- now = time(NULL);
- if (def_timestamp_timeout &&
- now - mtime.tv_sec < 60 * def_timestamp_timeout) {
- /*
- * Check for bogus time on the stampfile. The clock may
- * have been set back or someone could be trying to spoof us.
- */
- if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
- time_t tv_sec = (time_t)mtime.tv_sec;
- log_error(0,
- _("timestamp too far in the future: %20.20s"),
- 4 + ctime(&tv_sec));
- if (timestampfile)
- (void) unlink(timestampfile);
- else
- (void) rmdir(timestampdir);
- status = TS_MISSING;
- } else if (get_boottime(&boottime) && timevalcmp(&mtime, &boottime, <)) {
- status = TS_OLD;
- } else {
- status = TS_CURRENT;
+ if (timevalisset(&mtime)) {
+ /* Negative timeouts only expire manually (sudo -k). */
+ if (def_timestamp_timeout < 0) {
+ status = TS_CURRENT;
+ } else {
+ now = time(NULL);
+ if (def_timestamp_timeout &&
+ now - mtime.tv_sec < 60 * def_timestamp_timeout) {
+ /*
+ * Check for bogus time on the stampfile. The clock may
+ * have been set back or user could be trying to spoof us.
+ */
+ if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
+ time_t tv_sec = (time_t)mtime.tv_sec;
+ log_error(0,
+ _("timestamp too far in the future: %20.20s"),
+ 4 + ctime(&tv_sec));
+ if (timestampfile)
+ (void) unlink(timestampfile);
+ else
+ (void) rmdir(timestampdir);
+ status = TS_MISSING;
+ } else if (get_boottime(&boottime) &&
+ timevalcmp(&mtime, &boottime, <)) {
+ status = TS_OLD;
+ } else {
+ status = TS_CURRENT;
+ }
}
}
}
if (runas_pw->pw_name == NULL)
log_fatal(NO_MAIL|MSG_ONLY, _("unknown uid: %u"),
(unsigned int) runas_pw->pw_uid);
- pw_addref(runas_pw);
+ sudo_pw_addref(runas_pw);
pw = runas_pw;
} else {
- pw_addref(sudo_user.pw);
+ sudo_pw_addref(sudo_user.pw);
pw = sudo_user.pw;
}
"utmp_runas", T_FLAG,
N_("Set the user in utmp to the runas user, not the invoking user"),
NULL,
+ }, {
+ "privs", T_STR,
+ N_("Set of permitted privileges"),
+ NULL,
+ }, {
+ "limitprivs", T_STR,
+ N_("Set of limit privileges"),
+ NULL,
}, {
NULL, 0, NULL
}
#define I_SET_UTMP 78
#define def_utmp_runas (sudo_defs_table[79].sd_un.flag)
#define I_UTMP_RUNAS 79
+#define def_privs (sudo_defs_table[80].sd_un.str)
+#define I_PRIVS 80
+#define def_limitprivs (sudo_defs_table[81].sd_un.str)
+#define I_LIMITPRIVS 81
enum def_tuple {
never,
utmp_runas
T_FLAG
"Set the user in utmp to the runas user, not the invoking user"
+privs
+ T_STR
+ "Set of permitted privileges"
+limitprivs
+ T_STR
+ "Set of limit privileges"
* Update the defaults based on what was set by sudoers.
* Pass in an OR'd list of which default types to update.
*/
-int
+bool
update_defaults(int what)
{
struct defaults *def;
break;
case DEFAULTS_RUNAS:
if (ISSET(what, SETDEF_RUNAS) &&
- runaslist_matches(&def->binding, NULL) == ALLOW &&
+ runaslist_matches(&def->binding, NULL, NULL, NULL) == ALLOW &&
!set_default(def->var, def->val, def->op))
rc = false;
break;
debug_return_bool(rc);
}
+/*
+ * Check the defaults entries without actually setting them.
+ * Pass in an OR'd list of which default types to check.
+ */
+bool
+check_defaults(int what, bool quiet)
+{
+ struct sudo_defs_types *cur;
+ struct defaults *def;
+ bool rc = true;
+ debug_decl(check_defaults, SUDO_DEBUG_DEFAULTS)
+
+ tq_foreach_fwd(&defaults, def) {
+ switch (def->type) {
+ case DEFAULTS:
+ if (!ISSET(what, SETDEF_GENERIC))
+ continue;
+ break;
+ case DEFAULTS_USER:
+ if (!ISSET(what, SETDEF_USER))
+ continue;
+ break;
+ case DEFAULTS_RUNAS:
+ if (!ISSET(what, SETDEF_RUNAS))
+ continue;
+ break;
+ case DEFAULTS_HOST:
+ if (!ISSET(what, SETDEF_HOST))
+ continue;
+ break;
+ case DEFAULTS_CMND:
+ if (!ISSET(what, SETDEF_CMND))
+ continue;
+ break;
+ }
+ for (cur = sudo_defs_table; cur->name != NULL; cur++) {
+ if (strcmp(def->var, cur->name) == 0)
+ break;
+ }
+ if (cur->name == NULL) {
+ if (!quiet)
+ warningx(_("unknown defaults entry `%s'"), def->var);
+ rc = false;
+ }
+ }
+ debug_return_bool(rc);
+}
+
static bool
store_int(char *val, struct sudo_defs_types *def, int op)
{
#define T_PATH 0x200
/*
- * Argument to update_defaults()
+ * Argument to update_defaults() and check_defaults()
*/
#define SETDEF_GENERIC 0x01
#define SETDEF_HOST 0x02
*/
void dump_default(void);
void init_defaults(void);
-bool set_default(char *, char *, int);
-int update_defaults(int);
+bool set_default(char *var, char *val, int op);
+bool update_defaults(int what);
+bool check_defaults(int what, bool quiet);
extern struct sudo_defs_types sudo_defs_table[];
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
# ifndef LOGIN_SETENV
#endif /* HAVE_LOGIN_CAP_H */
#include <ctype.h>
#include <errno.h>
+#include <limits.h>
#include <pwd.h>
#include "sudoers.h"
+/*
+ * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
+ * could be signed (as it is on SunOS 4.x). This just means that
+ * emalloc2() and erealloc3() cannot allocate huge amounts on such a
+ * platform but that is OK since sudo doesn't need to do so anyway.
+ */
+#ifndef SIZE_MAX
+# ifdef SIZE_T_MAX
+# define SIZE_MAX SIZE_T_MAX
+# else
+# define SIZE_MAX INT_MAX
+# endif /* SIZE_T_MAX */
+#endif /* SIZE_MAX */
+
/*
* Flags used in rebuild_env()
*/
memset(env.envp, 0, env.env_size * sizeof(char *));
#endif
memcpy(env.envp, envp, len * sizeof(char *));
- env.envp[len] = '\0';
+ env.envp[len] = NULL;
/* Free the old envp we allocated, if any. */
if (env.old_envp != NULL)
bool found = false;
/* Make sure there is room for the new entry plus a NULL. */
- if (env.env_len + 2 > env.env_size) {
+ if (env.env_size > 2 && env.env_len > env.env_size - 2) {
char **nenvp;
- size_t nsize = env.env_size + 128;
- nenvp = env.envp ? realloc(env.envp, nsize * sizeof(char *)) :
- malloc(nsize * sizeof(char *));
+ size_t nsize;
+
+ if (env.env_size > SIZE_MAX - 128) {
+ errorx2(1, _("internal error, %s overflow"),
+ "sudo_putenv_nodebug()");
+ }
+ nsize = env.env_size + 128;
+ if (nsize > SIZE_MAX / sizeof(char *)) {
+ errorx2(1, _("internal error, %s overflow"),
+ "sudo_putenv_nodebug()");
+ }
+ nenvp = realloc(env.envp, nsize * sizeof(char *));
if (nenvp == NULL) {
errno = ENOMEM;
return -1;
if (dupcheck) {
len = (strchr(str, '=') - str) + 1;
- for (ep = env.envp; !found && *ep != NULL; ep++) {
+ for (ep = env.envp; *ep != NULL; ep++) {
if (strncmp(str, *ep, len) == 0) {
if (overwrite)
*ep = str;
found = true;
+ break;
}
}
- /* Prune out duplicate variables. */
+ /* Prune out extra instances of the variable we just overwrote. */
if (found && overwrite) {
- while (*ep != NULL) {
+ while (*++ep != NULL) {
if (strncmp(str, *ep, len) == 0) {
char **cur = ep;
while ((*cur = *(cur + 1)) != NULL)
cur++;
- } else {
- ep++;
+ ep--;
}
}
env.env_len = ep - env.envp;
int rval;
debug_decl(sudo_putenv, SUDO_DEBUG_ENV)
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_putenv: %s", str);
+
rval = sudo_putenv_nodebug(str, dupcheck, overwrite);
if (rval == -1) {
#ifdef ENV_DEBUG
{
char *estring;
size_t esize;
+ int rval;
debug_decl(sudo_setenv2, SUDO_DEBUG_ENV)
esize = strlen(var) + 1 + strlen(val) + 1;
strlcat(estring, "=", esize) >= esize ||
strlcat(estring, val, esize) >= esize) {
- errorx(1, _("internal error, sudo_setenv2() overflow"));
+ errorx(1, _("internal error, %s overflow"), "sudo_setenv2()");
}
- debug_return_int(sudo_putenv(estring, dupcheck, overwrite));
+ rval = sudo_putenv(estring, dupcheck, overwrite);
+ if (rval == -1)
+ efree(estring);
+ debug_return_int(rval);
}
/*
{
char *estring;
size_t esize;
+ int rval = -1;
esize = strlen(var) + 1 + strlen(val) + 1;
if ((estring = malloc(esize)) == NULL) {
errno = ENOMEM;
- return -1;
+ goto done;
}
/* Build environment string and insert it. */
strlcat(estring, val, esize) >= esize) {
errno = EINVAL;
- return -1;
+ goto done;
}
- return sudo_putenv_nodebug(estring, true, overwrite);
+ rval = sudo_putenv_nodebug(estring, true, overwrite);
+done:
+ if (rval == -1)
+ efree(estring);
+ return rval;
}
/*
rval = sudo_setenv_nodebug(var, val, overwrite);
if (rval == -1) {
if (errno == EINVAL)
- errorx(1, _("internal error, sudo_setenv() overflow"));
+ errorx(1, _("internal error, %s overflow"), "sudo_setenv()");
errorx(1, _("unable to allocate memory"));
}
debug_return_int(rval);
int rval;
debug_decl(sudo_unsetenv, SUDO_DEBUG_ENV)
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_unsetenv: %s", name);
+
rval = sudo_unsetenv_nodebug(name);
debug_return_int(rval);
char *val;
debug_decl(sudo_getenv, SUDO_DEBUG_ENV)
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sudo_getenv: %s", name);
+
val = sudo_getenv_nodebug(name);
debug_return_str(val);
delete_it = matches_env_delete(var);
if (!delete_it)
delete_it = matches_env_check(var) == false;
+
+ sudo_debug_printf(SUDO_DEBUG_INFO, "delete %s: %s",
+ var, delete_it ? "YES" : "NO");
debug_return_bool(delete_it);
}
if (keepit == -1)
keepit = matches_env_keep(var);
+ sudo_debug_printf(SUDO_DEBUG_INFO, "keep %s: %s",
+ var, keepit ? "YES" : "NO");
debug_return_bool(keepit == true);
}
rebuild_env(void)
{
char **old_envp, **ep, *cp, *ps1;
- char idbuf[MAX_UID_T_LEN];
+ char idbuf[MAX_UID_T_LEN + 1];
unsigned int didvar;
bool reset_home = false;
} else {
if (!ISSET(didvar, DID_SHELL))
sudo_setenv2("SHELL", sudo_user.pw->pw_shell, false, true);
- if (!ISSET(didvar, DID_LOGNAME))
- sudo_setenv2("LOGNAME", user_name, false, true);
- if (!ISSET(didvar, DID_USER))
- sudo_setenv2("USER", user_name, false, true);
- if (!ISSET(didvar, DID_USERNAME))
- sudo_setenv2("USERNAME", user_name, false, true);
+ /* We will set LOGNAME later in the !def_set_logname case. */
+ if (!def_set_logname) {
+ if (!ISSET(didvar, DID_LOGNAME))
+ sudo_setenv2("LOGNAME", user_name, false, true);
+ if (!ISSET(didvar, DID_USER))
+ sudo_setenv2("USER", user_name, false, true);
+ if (!ISSET(didvar, DID_USERNAME))
+ sudo_setenv2("USERNAME", user_name, false, true);
+ }
}
/* If we didn't keep HOME, reset it based on target user. */
/*
* Set $USER, $LOGNAME and $USERNAME to target if "set_logname" is not
* disabled. We skip this if we are running a login shell (because
- * they have already been set them) or sudoedit (because we want the
- * editor to find the user's startup files).
+ * they have already been set) or sudoedit (because we want the editor
+ * to find the invoking user's startup files).
*/
if (def_set_logname && !ISSET(sudo_mode, MODE_LOGIN_SHELL|MODE_EDIT)) {
if (!ISSET(didvar, KEPT_LOGNAME))
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
#if defined(YYBISON) && defined(HAVE_ALLOCA_H) && !defined(__GNUC__)
# include <alloca.h>
#endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */
errorlineno = sudolineno;
errorfile = estrdup(sudoers);
}
- if (trace_print != NULL) {
+ if (sudoers_warnings && s != NULL) {
LEXTRACE("<*> ");
- } else if (sudoers_warnings && s != NULL) {
- warningx(_(">>> %s: %s near line %d <<<"), sudoers, s, sudolineno);
+#ifndef TRACELEXER
+ if (trace_print == NULL || trace_print == sudoers_trace_print)
+ warningx(_(">>> %s: %s near line %d <<<"), sudoers, s, sudolineno);
+#endif
}
parse_error = true;
debug_return;
}
-#line 117 "gram.y"
+#line 122 "gram.y"
#ifndef YYSTYPE_DEFINED
#define YYSTYPE_DEFINED
typedef union {
struct sudo_command command;
struct cmndtag tag;
struct selinux_info seinfo;
+ struct solaris_privs_info privinfo;
char *string;
int tok;
} YYSTYPE;
#endif /* YYSTYPE_DEFINED */
-#line 143 "gram.c"
+#line 149 "gram.c"
#define COMMAND 257
#define ALIAS 258
#define DEFVAR 259
#define ERROR 285
#define TYPE 286
#define ROLE 287
+#define PRIVS 288
+#define LIMITPRIVS 289
+#define MYSELF 290
#define YYERRCODE 256
#if defined(__cplusplus) || defined(__STDC__)
const short yylhs[] =
short yylhs[] =
#endif
{ -1,
- 0, 0, 25, 25, 26, 26, 26, 26, 26, 26,
- 26, 26, 26, 26, 26, 26, 4, 4, 3, 3,
+ 0, 0, 28, 28, 29, 29, 29, 29, 29, 29,
+ 29, 29, 29, 29, 29, 29, 4, 4, 3, 3,
3, 3, 3, 20, 20, 19, 10, 10, 8, 8,
8, 8, 8, 2, 2, 1, 6, 6, 23, 24,
- 22, 22, 22, 22, 22, 17, 17, 18, 18, 18,
+ 22, 22, 22, 22, 22, 26, 27, 25, 25, 25,
+ 25, 25, 17, 17, 18, 18, 18, 18, 18, 21,
21, 21, 21, 21, 21, 21, 21, 21, 21, 21,
- 21, 5, 5, 5, 28, 28, 31, 9, 9, 29,
- 29, 32, 7, 7, 30, 30, 33, 27, 27, 34,
- 13, 13, 11, 11, 12, 12, 12, 12, 12, 16,
- 16, 14, 14, 15, 15, 15,
+ 5, 5, 5, 31, 31, 34, 9, 9, 32, 32,
+ 35, 7, 7, 33, 33, 36, 30, 30, 37, 13,
+ 13, 11, 11, 12, 12, 12, 12, 12, 16, 16,
+ 14, 14, 15, 15, 15,
};
#if defined(__cplusplus) || defined(__STDC__)
const short yylen[] =
0, 1, 1, 2, 1, 2, 2, 2, 2, 2,
2, 2, 3, 3, 3, 3, 1, 3, 1, 2,
3, 3, 3, 1, 3, 3, 1, 2, 1, 1,
- 1, 1, 1, 1, 3, 4, 1, 2, 3, 3,
- 0, 1, 1, 2, 2, 0, 3, 1, 3, 2,
- 0, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 1, 1, 1, 1, 3, 3, 1, 3, 1,
- 3, 3, 1, 3, 1, 3, 3, 1, 3, 3,
- 1, 3, 1, 2, 1, 1, 1, 1, 1, 1,
- 3, 1, 2, 1, 1, 1,
+ 1, 1, 1, 1, 3, 5, 1, 2, 3, 3,
+ 0, 1, 1, 2, 2, 3, 3, 0, 1, 1,
+ 2, 2, 0, 3, 0, 1, 3, 2, 1, 0,
+ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
+ 1, 1, 1, 1, 3, 3, 1, 3, 1, 3,
+ 3, 1, 3, 1, 3, 3, 1, 3, 3, 1,
+ 3, 1, 2, 1, 1, 1, 1, 1, 1, 3,
+ 1, 2, 1, 1, 1,
};
#if defined(__cplusplus) || defined(__STDC__)
const short yydefred[] =
short yydefred[] =
#endif
{ 0,
- 0, 85, 87, 88, 89, 0, 0, 0, 0, 0,
- 86, 5, 0, 0, 0, 0, 0, 0, 81, 83,
+ 0, 94, 96, 97, 98, 0, 0, 0, 0, 0,
+ 95, 5, 0, 0, 0, 0, 0, 0, 90, 92,
0, 0, 3, 6, 0, 0, 17, 0, 29, 32,
- 31, 33, 30, 0, 27, 0, 68, 0, 0, 64,
- 63, 62, 0, 37, 73, 0, 0, 0, 65, 0,
- 0, 70, 0, 0, 78, 0, 0, 75, 84, 0,
+ 31, 33, 30, 0, 27, 0, 77, 0, 0, 73,
+ 72, 71, 0, 37, 82, 0, 0, 0, 74, 0,
+ 0, 79, 0, 0, 87, 0, 0, 84, 93, 0,
0, 24, 0, 4, 0, 0, 0, 20, 0, 28,
0, 0, 0, 0, 38, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 82, 0, 0, 21, 22,
- 23, 18, 69, 74, 0, 66, 0, 71, 0, 79,
- 0, 76, 0, 34, 0, 0, 25, 0, 0, 0,
- 0, 0, 0, 51, 0, 0, 94, 96, 95, 0,
- 90, 92, 0, 0, 47, 35, 0, 0, 0, 44,
- 45, 93, 0, 0, 40, 39, 52, 53, 54, 55,
- 56, 57, 58, 59, 60, 61, 36, 91,
+ 0, 0, 0, 0, 0, 91, 0, 0, 21, 22,
+ 23, 18, 78, 83, 0, 75, 0, 80, 0, 88,
+ 0, 85, 0, 34, 0, 0, 25, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 103, 105, 104, 0,
+ 99, 101, 0, 0, 54, 35, 0, 0, 0, 0,
+ 60, 0, 0, 44, 45, 102, 0, 0, 40, 39,
+ 0, 0, 0, 51, 52, 100, 46, 47, 61, 62,
+ 63, 64, 65, 66, 67, 68, 69, 70, 36,
};
#if defined(__cplusplus) || defined(__STDC__)
const short yydgoto[] =
{ 18,
104, 105, 27, 28, 44, 45, 46, 35, 61, 37,
19, 20, 21, 121, 122, 123, 106, 110, 62, 63,
- 129, 114, 115, 116, 22, 23, 54, 48, 51, 57,
- 49, 52, 58, 55,
+ 143, 114, 115, 116, 131, 132, 133, 22, 23, 54,
+ 48, 51, 57, 49, 52, 58, 55,
};
#if defined(__cplusplus) || defined(__STDC__)
const short yysindex[] =
#else
short yysindex[] =
#endif
- { 475,
- -270, 0, 0, 0, 0, -29, 567, 594, 594, -2,
- 0, 0, -240, -222, -216, -212, -241, 0, 0, 0,
- -25, 475, 0, 0, -10, -207, 0, 9, 0, 0,
- 0, 0, 0, -235, 0, -33, 0, -31, -31, 0,
- 0, 0, -242, 0, 0, -30, -7, 3, 0, -6,
- 4, 0, -5, 6, 0, -1, 8, 0, 0, 594,
- -20, 0, 10, 0, -205, -196, -194, 0, -29, 0,
- 567, 9, 9, 9, 0, -2, 9, 567, -240, -2,
- -222, 594, -216, 594, -212, 0, 31, 567, 0, 0,
- 0, 0, 0, 0, 26, 0, 28, 0, 29, 0,
- 29, 0, 541, 0, 32, -247, 0, 86, -15, 33,
- 31, 14, 16, 0, -208, -204, 0, 0, 0, -231,
- 0, 0, 38, 86, 0, 0, -179, -178, 491, 0,
- 0, 0, 86, 38, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,};
+ { 541,
+ -270, 0, 0, 0, 0, -21, -5, 553, 553, 20,
+ 0, 0, -242, -229, -216, -214, -240, 0, 0, 0,
+ -27, 541, 0, 0, -18, -227, 0, 2, 0, 0,
+ 0, 0, 0, -223, 0, -33, 0, -31, -31, 0,
+ 0, 0, -243, 0, 0, -24, -12, -6, 0, 3,
+ 4, 0, 5, 7, 0, 6, 10, 0, 0, 553,
+ -20, 0, 11, 0, -206, -193, -191, 0, -21, 0,
+ -5, 2, 2, 2, 0, 20, 2, -5, -242, 20,
+ -229, 553, -216, 553, -214, 0, 33, -5, 0, 0,
+ 0, 0, 0, 0, 31, 0, 32, 0, 34, 0,
+ 34, 0, 513, 0, 35, -226, 0, 86, -25, 36,
+ 33, 19, 21, -234, -202, -201, 0, 0, 0, -232,
+ 0, 0, 41, 86, 0, 0, -176, -173, 37, 38,
+ 0, -198, -195, 0, 0, 0, 86, 41, 0, 0,
+ -169, -168, 569, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0,};
#if defined(__cplusplus) || defined(__STDC__)
const short yyrindex[] =
#else
short yyrindex[] =
#endif
- { 87,
+ { 96,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 90, 0, 0, 1, 0, 0, 177, 0, 0,
+ 0, 97, 0, 0, 1, 0, 0, 177, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 207, 0, 0,
237, 0, 0, 271, 0, 0, 300, 0, 0, 0,
0, 0, 329, 0, 0, 0, 0, 0, 0, 0,
0, 358, 387, 417, 0, 0, 446, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, -26, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 463, 0, 0, 0,
0, 0, 0, 0, 30, 0, 59, 0, 89, 0,
- 118, 0, 0, 0, 148, 514, 0, 0, 45, 0,
- -26, 0, 0, 0, 537, 565, 0, 0, 0, 0,
- 0, 0, 50, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 52, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0,};
+ 118, 0, 60, 0, 148, -28, 0, 62, 63, 0,
+ 463, 0, 0, 594, 489, 512, 0, 0, 0, 0,
+ 0, 0, 64, 0, 0, 0, 0, 0, 0, 0,
+ 0, 623, 653, 0, 0, 0, 0, 65, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0,};
#if defined(__cplusplus) || defined(__STDC__)
const short yygindex[] =
#else
short yygindex[] =
#endif
{ 0,
- -17, 0, 27, 11, 54, -64, 15, 64, 2, 34,
- 39, 84, -3, -27, -18, -21, 0, 0, 19, 0,
- 0, 0, -12, -4, 0, 88, 0, 0, 0, 0,
- 35, 40, 23, 37,
+ -11, 0, 39, 12, 66, -72, 27, 76, -4, 40,
+ 52, 98, -1, -23, -7, -8, 0, 0, 42, 0,
+ 0, 0, 8, 13, 0, -13, -9, 0, 99, 0,
+ 0, 0, 0, 46, 45, 44, 48,
};
-#define YYTABLESIZE 873
+#define YYTABLESIZE 932
#if defined(__cplusplus) || defined(__STDC__)
const short yytable[] =
#else
short yytable[] =
#endif
{ 26,
- 19, 26, 26, 26, 38, 39, 46, 34, 36, 24,
- 71, 94, 60, 76, 40, 41, 2, 47, 60, 3,
- 4, 5, 29, 71, 30, 31, 117, 32, 60, 67,
- 43, 118, 66, 19, 67, 50, 42, 11, 112, 113,
- 87, 53, 124, 33, 19, 56, 72, 119, 73, 74,
- 65, 68, 69, 78, 80, 82, 77, 89, 72, 84,
- 79, 81, 67, 83, 147, 85, 90, 88, 91, 71,
- 103, 76, 60, 125, 127, 111, 128, 112, 99, 95,
- 101, 133, 113, 135, 136, 48, 1, 67, 80, 2,
- 50, 72, 49, 126, 97, 92, 75, 70, 86, 109,
- 59, 132, 134, 131, 93, 148, 107, 102, 0, 64,
- 130, 0, 0, 96, 0, 0, 72, 77, 120, 100,
- 98, 80, 0, 0, 0, 0, 0, 0, 0, 0,
+ 19, 26, 36, 94, 41, 34, 38, 39, 26, 24,
+ 71, 26, 60, 40, 41, 47, 60, 2, 60, 76,
+ 3, 4, 5, 71, 66, 117, 67, 34, 50, 76,
+ 118, 68, 124, 19, 29, 42, 30, 31, 11, 32,
+ 87, 53, 65, 56, 19, 69, 119, 72, 78, 73,
+ 74, 79, 43, 129, 130, 33, 89, 77, 81, 112,
+ 113, 81, 76, 80, 83, 82, 84, 85, 88, 90,
+ 159, 91, 103, 95, 71, 76, 125, 60, 111, 127,
+ 99, 128, 101, 112, 137, 113, 139, 76, 89, 140,
+ 130, 81, 129, 147, 148, 1, 2, 141, 142, 126,
+ 55, 109, 59, 56, 58, 57, 97, 92, 75, 70,
+ 93, 86, 136, 146, 59, 138, 81, 86, 120, 145,
+ 64, 89, 144, 135, 96, 98, 0, 134, 102, 107,
+ 100, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 89, 26, 0, 0,
+ 86, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 80, 26, 0, 0,
- 77, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 77, 12, 0, 0, 0,
+ 0, 0, 0, 0, 0, 86, 12, 0, 0, 0,
26, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 26, 9, 0, 0, 12,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 25, 0, 25, 25, 25,
- 46, 46, 29, 0, 30, 31, 10, 32, 0, 9,
- 0, 0, 46, 46, 46, 46, 46, 46, 46, 46,
- 46, 46, 46, 33, 40, 41, 19, 0, 19, 46,
- 46, 19, 19, 19, 19, 19, 19, 19, 19, 10,
- 8, 0, 0, 0, 0, 0, 42, 0, 0, 19,
- 19, 19, 19, 19, 19, 67, 0, 67, 0, 0,
- 67, 67, 67, 67, 67, 67, 67, 67, 0, 11,
- 0, 0, 0, 8, 0, 0, 0, 0, 67, 67,
- 67, 67, 67, 67, 72, 0, 72, 0, 0, 72,
- 72, 72, 72, 72, 72, 72, 72, 0, 7, 0,
- 0, 0, 11, 0, 0, 0, 0, 72, 72, 72,
- 72, 72, 72, 117, 80, 0, 80, 0, 118, 80,
- 80, 80, 80, 80, 80, 80, 80, 15, 0, 0,
- 0, 7, 0, 0, 119, 0, 0, 80, 80, 80,
- 80, 80, 80, 77, 0, 77, 0, 0, 77, 77,
- 77, 77, 77, 77, 77, 77, 13, 0, 0, 0,
- 15, 0, 0, 0, 0, 0, 77, 77, 77, 77,
- 77, 77, 0, 26, 0, 26, 0, 0, 26, 26,
+ 0, 0, 0, 0, 0, 25, 0, 25, 41, 41,
+ 29, 0, 30, 31, 25, 32, 10, 25, 0, 9,
+ 41, 41, 41, 41, 41, 41, 41, 41, 41, 41,
+ 41, 33, 29, 0, 30, 31, 19, 32, 19, 41,
+ 41, 19, 19, 19, 19, 19, 19, 19, 19, 10,
+ 8, 0, 0, 33, 0, 0, 40, 41, 0, 19,
+ 19, 19, 19, 19, 19, 76, 0, 76, 0, 0,
+ 76, 76, 76, 76, 76, 76, 76, 76, 42, 11,
+ 0, 0, 0, 8, 0, 0, 0, 0, 76, 76,
+ 76, 76, 76, 76, 81, 0, 81, 0, 0, 81,
+ 81, 81, 81, 81, 81, 81, 81, 0, 7, 0,
+ 0, 0, 11, 0, 0, 0, 0, 81, 81, 81,
+ 81, 81, 81, 117, 89, 0, 89, 0, 118, 89,
+ 89, 89, 89, 89, 89, 89, 89, 15, 0, 0,
+ 0, 7, 0, 0, 119, 0, 0, 89, 89, 89,
+ 89, 89, 89, 86, 0, 86, 0, 0, 86, 86,
+ 86, 86, 86, 86, 86, 86, 13, 0, 0, 0,
+ 15, 0, 0, 0, 0, 0, 86, 86, 86, 86,
+ 86, 86, 0, 26, 0, 26, 0, 0, 26, 26,
26, 26, 26, 26, 26, 26, 14, 0, 0, 13,
0, 0, 0, 0, 0, 0, 26, 26, 26, 26,
26, 26, 12, 0, 12, 0, 0, 12, 12, 12,
12, 0, 9, 0, 9, 0, 0, 9, 9, 9,
9, 9, 9, 9, 9, 0, 0, 0, 16, 0,
0, 0, 0, 0, 0, 9, 9, 9, 9, 9,
- 9, 0, 10, 0, 10, 0, 0, 10, 10, 10,
- 10, 10, 10, 10, 10, 0, 0, 17, 0, 0,
+ 9, 0, 10, 0, 10, 53, 0, 10, 10, 10,
+ 10, 10, 10, 10, 10, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 10, 10, 10, 10, 10,
- 10, 0, 0, 43, 0, 0, 8, 0, 8, 0,
+ 10, 42, 0, 0, 0, 0, 8, 0, 8, 0,
0, 8, 8, 8, 8, 8, 8, 8, 8, 0,
- 0, 0, 0, 0, 0, 0, 41, 0, 0, 8,
+ 0, 0, 0, 0, 43, 17, 0, 0, 0, 8,
8, 8, 8, 8, 8, 11, 0, 11, 0, 0,
- 11, 11, 11, 11, 11, 11, 11, 11, 0, 42,
- 0, 0, 0, 17, 0, 0, 0, 0, 11, 11,
- 11, 11, 11, 11, 7, 0, 7, 0, 0, 7,
- 7, 7, 7, 7, 7, 7, 7, 43, 108, 34,
- 0, 0, 0, 0, 0, 0, 0, 7, 7, 7,
+ 11, 11, 11, 11, 11, 11, 11, 11, 0, 0,
+ 108, 0, 0, 17, 0, 0, 0, 0, 11, 11,
+ 11, 11, 11, 11, 7, 17, 7, 0, 0, 7,
+ 7, 7, 7, 7, 7, 7, 7, 0, 0, 0,
+ 0, 43, 0, 0, 0, 0, 0, 7, 7, 7,
7, 7, 7, 15, 0, 15, 0, 0, 15, 15,
- 15, 15, 15, 15, 15, 15, 17, 0, 0, 0,
+ 15, 15, 15, 15, 15, 15, 48, 0, 0, 0,
0, 0, 0, 0, 0, 0, 15, 15, 15, 15,
15, 15, 13, 0, 13, 0, 0, 13, 13, 13,
- 13, 13, 13, 13, 13, 0, 0, 0, 0, 0,
+ 13, 13, 13, 13, 13, 49, 0, 0, 0, 0,
0, 0, 0, 0, 0, 13, 13, 13, 13, 13,
13, 0, 14, 0, 14, 0, 0, 14, 14, 14,
- 14, 14, 14, 14, 14, 0, 0, 0, 0, 0,
+ 14, 14, 14, 14, 14, 50, 0, 0, 0, 0,
0, 0, 0, 0, 0, 14, 14, 14, 14, 14,
14, 16, 0, 16, 0, 0, 16, 16, 16, 16,
- 16, 16, 16, 16, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 16, 16, 16, 16, 16, 16,
- 1, 0, 2, 0, 0, 3, 4, 5, 6, 7,
- 8, 9, 10, 0, 0, 0, 0, 40, 41, 0,
- 0, 0, 0, 11, 12, 13, 14, 15, 16, 137,
- 138, 139, 140, 141, 142, 143, 144, 145, 146, 42,
- 41, 41, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 41, 41, 41, 41, 41, 41, 41, 41,
- 41, 41, 41, 42, 42, 0, 0, 0, 2, 0,
- 0, 3, 4, 5, 0, 42, 42, 42, 42, 42,
- 42, 42, 42, 42, 42, 42, 0, 0, 0, 11,
- 0, 43, 43, 0, 29, 0, 30, 31, 0, 32,
- 0, 0, 0, 43, 43, 43, 43, 43, 43, 43,
- 43, 43, 43, 43, 0, 33, 0, 0, 0, 0,
- 0, 2, 0, 0, 3, 4, 5, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 11,
+ 16, 16, 16, 16, 0, 0, 0, 0, 0, 53,
+ 53, 0, 0, 0, 16, 16, 16, 16, 16, 16,
+ 0, 53, 53, 53, 53, 53, 53, 53, 53, 53,
+ 53, 53, 0, 0, 0, 42, 42, 0, 53, 53,
+ 53, 53, 0, 0, 0, 0, 0, 42, 42, 42,
+ 42, 42, 42, 42, 42, 42, 42, 42, 43, 43,
+ 2, 0, 0, 3, 4, 5, 42, 42, 0, 0,
+ 43, 43, 43, 43, 43, 43, 43, 43, 43, 43,
+ 43, 11, 0, 0, 0, 0, 1, 0, 2, 43,
+ 43, 3, 4, 5, 6, 7, 8, 9, 10, 0,
+ 2, 0, 0, 3, 4, 5, 0, 0, 0, 11,
+ 12, 13, 14, 15, 16, 40, 41, 0, 0, 0,
+ 0, 11, 0, 0, 0, 0, 0, 149, 150, 151,
+ 152, 153, 154, 155, 156, 157, 158, 42, 0, 0,
+ 48, 48, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 48, 48, 48, 48, 48, 48, 48, 48,
+ 48, 48, 48, 0, 0, 0, 0, 0, 0, 49,
+ 49, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 49, 49, 49, 49, 49, 49, 49, 49, 49,
+ 49, 49, 0, 0, 0, 0, 0, 0, 0, 50,
+ 50, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 50, 50, 50, 50, 50, 50, 50, 50, 50,
+ 50, 50,
};
#if defined(__cplusplus) || defined(__STDC__)
const short yycheck[] =
short yycheck[] =
#endif
{ 33,
- 0, 33, 33, 33, 8, 9, 33, 33, 7, 280,
- 44, 76, 44, 44, 257, 258, 258, 258, 44, 261,
- 262, 263, 258, 44, 260, 261, 258, 263, 44, 0,
- 33, 263, 43, 33, 45, 258, 279, 279, 286, 287,
- 61, 258, 58, 279, 44, 258, 36, 279, 38, 39,
- 61, 259, 44, 61, 61, 61, 46, 263, 0, 61,
- 58, 58, 33, 58, 129, 58, 263, 58, 263, 44,
- 40, 44, 44, 41, 61, 44, 61, 286, 82, 78,
- 84, 44, 287, 263, 263, 41, 0, 58, 0, 0,
- 41, 33, 41, 111, 80, 69, 43, 34, 60, 103,
- 17, 120, 124, 116, 71, 133, 88, 85, -1, 22,
- 115, -1, -1, 79, -1, -1, 58, 0, 33, 83,
- 81, 33, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ 0, 33, 7, 76, 33, 33, 8, 9, 33, 280,
+ 44, 33, 44, 257, 258, 258, 44, 258, 44, 44,
+ 261, 262, 263, 44, 43, 258, 45, 33, 258, 0,
+ 263, 259, 58, 33, 258, 279, 260, 261, 279, 263,
+ 61, 258, 61, 258, 44, 44, 279, 36, 61, 38,
+ 39, 58, 33, 288, 289, 279, 263, 46, 0, 286,
+ 287, 58, 33, 61, 58, 61, 61, 58, 58, 263,
+ 143, 263, 40, 78, 44, 44, 41, 44, 44, 61,
+ 82, 61, 84, 286, 44, 287, 263, 58, 0, 263,
+ 289, 33, 288, 263, 263, 0, 0, 61, 61, 111,
+ 41, 103, 41, 41, 41, 41, 80, 69, 43, 34,
+ 71, 60, 120, 137, 17, 124, 58, 0, 33, 133,
+ 22, 33, 132, 116, 79, 81, -1, 115, 85, 88,
+ 83, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, 58, 0, -1, -1,
33, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, 58, 0, -1, -1, 33,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, 259, -1, 259, 259, 259,
- 257, 258, 258, -1, 260, 261, 0, 263, -1, 33,
- -1, -1, 269, 270, 271, 272, 273, 274, 275, 276,
- 277, 278, 279, 279, 257, 258, 256, -1, 258, 286,
- 287, 261, 262, 263, 264, 265, 266, 267, 268, 33,
- 0, -1, -1, -1, -1, -1, 279, -1, -1, 279,
+ -1, -1, -1, -1, -1, 259, -1, 259, 257, 258,
+ 258, -1, 260, 261, 259, 263, 0, 259, -1, 33,
+ 269, 270, 271, 272, 273, 274, 275, 276, 277, 278,
+ 279, 279, 258, -1, 260, 261, 256, 263, 258, 288,
+ 289, 261, 262, 263, 264, 265, 266, 267, 268, 33,
+ 0, -1, -1, 279, -1, -1, 257, 258, -1, 279,
280, 281, 282, 283, 284, 256, -1, 258, -1, -1,
- 261, 262, 263, 264, 265, 266, 267, 268, -1, 0,
+ 261, 262, 263, 264, 265, 266, 267, 268, 279, 0,
-1, -1, -1, 33, -1, -1, -1, -1, 279, 280,
281, 282, 283, 284, 256, -1, 258, -1, -1, 261,
262, 263, 264, 265, 266, 267, 268, -1, 0, -1,
284, -1, 256, -1, 258, -1, -1, 261, 262, 263,
264, 265, 266, 267, 268, -1, -1, -1, 33, -1,
-1, -1, -1, -1, -1, 279, 280, 281, 282, 283,
- 284, -1, 256, -1, 258, -1, -1, 261, 262, 263,
- 264, 265, 266, 267, 268, -1, -1, 33, -1, -1,
+ 284, -1, 256, -1, 258, 33, -1, 261, 262, 263,
+ 264, 265, 266, 267, 268, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, 279, 280, 281, 282, 283,
- 284, -1, -1, 33, -1, -1, 256, -1, 258, -1,
+ 284, 33, -1, -1, -1, -1, 256, -1, 258, -1,
-1, 261, 262, 263, 264, 265, 266, 267, 268, -1,
- -1, -1, -1, -1, -1, -1, 33, -1, -1, 279,
+ -1, -1, -1, -1, 33, 33, -1, -1, -1, 279,
280, 281, 282, 283, 284, 256, -1, 258, -1, -1,
- 261, 262, 263, 264, 265, 266, 267, 268, -1, 33,
- -1, -1, -1, 33, -1, -1, -1, -1, 279, 280,
- 281, 282, 283, 284, 256, -1, 258, -1, -1, 261,
- 262, 263, 264, 265, 266, 267, 268, 33, 58, 33,
- -1, -1, -1, -1, -1, -1, -1, 279, 280, 281,
+ 261, 262, 263, 264, 265, 266, 267, 268, -1, -1,
+ 58, -1, -1, 33, -1, -1, -1, -1, 279, 280,
+ 281, 282, 283, 284, 256, 33, 258, -1, -1, 261,
+ 262, 263, 264, 265, 266, 267, 268, -1, -1, -1,
+ -1, 33, -1, -1, -1, -1, -1, 279, 280, 281,
282, 283, 284, 256, -1, 258, -1, -1, 261, 262,
263, 264, 265, 266, 267, 268, 33, -1, -1, -1,
-1, -1, -1, -1, -1, -1, 279, 280, 281, 282,
283, 284, 256, -1, 258, -1, -1, 261, 262, 263,
- 264, 265, 266, 267, 268, -1, -1, -1, -1, -1,
+ 264, 265, 266, 267, 268, 33, -1, -1, -1, -1,
-1, -1, -1, -1, -1, 279, 280, 281, 282, 283,
284, -1, 256, -1, 258, -1, -1, 261, 262, 263,
- 264, 265, 266, 267, 268, -1, -1, -1, -1, -1,
+ 264, 265, 266, 267, 268, 33, -1, -1, -1, -1,
-1, -1, -1, -1, -1, 279, 280, 281, 282, 283,
284, 256, -1, 258, -1, -1, 261, 262, 263, 264,
- 265, 266, 267, 268, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, 279, 280, 281, 282, 283, 284,
- 256, -1, 258, -1, -1, 261, 262, 263, 264, 265,
- 266, 267, 268, -1, -1, -1, -1, 257, 258, -1,
- -1, -1, -1, 279, 280, 281, 282, 283, 284, 269,
- 270, 271, 272, 273, 274, 275, 276, 277, 278, 279,
+ 265, 266, 267, 268, -1, -1, -1, -1, -1, 257,
+ 258, -1, -1, -1, 279, 280, 281, 282, 283, 284,
+ -1, 269, 270, 271, 272, 273, 274, 275, 276, 277,
+ 278, 279, -1, -1, -1, 257, 258, -1, 286, 287,
+ 288, 289, -1, -1, -1, -1, -1, 269, 270, 271,
+ 272, 273, 274, 275, 276, 277, 278, 279, 257, 258,
+ 258, -1, -1, 261, 262, 263, 288, 289, -1, -1,
+ 269, 270, 271, 272, 273, 274, 275, 276, 277, 278,
+ 279, 279, -1, -1, -1, -1, 256, -1, 258, 288,
+ 289, 261, 262, 263, 264, 265, 266, 267, 268, -1,
+ 258, -1, -1, 261, 262, 263, -1, -1, -1, 279,
+ 280, 281, 282, 283, 284, 257, 258, -1, -1, -1,
+ -1, 279, -1, -1, -1, -1, -1, 269, 270, 271,
+ 272, 273, 274, 275, 276, 277, 278, 279, -1, -1,
257, 258, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, 269, 270, 271, 272, 273, 274, 275, 276,
- 277, 278, 279, 257, 258, -1, -1, -1, 258, -1,
- -1, 261, 262, 263, -1, 269, 270, 271, 272, 273,
- 274, 275, 276, 277, 278, 279, -1, -1, -1, 279,
- -1, 257, 258, -1, 258, -1, 260, 261, -1, 263,
- -1, -1, -1, 269, 270, 271, 272, 273, 274, 275,
- 276, 277, 278, 279, -1, 279, -1, -1, -1, -1,
- -1, 258, -1, -1, 261, 262, 263, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, 279,
+ 277, 278, 279, -1, -1, -1, -1, -1, -1, 257,
+ 258, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, 269, 270, 271, 272, 273, 274, 275, 276, 277,
+ 278, 279, -1, -1, -1, -1, -1, -1, -1, 257,
+ 258, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, 269, 270, 271, 272, 273, 274, 275, 276, 277,
+ 278, 279,
};
#define YYFINAL 18
#ifndef YYDEBUG
#define YYDEBUG 0
#endif
-#define YYMAXTOKEN 287
+#define YYMAXTOKEN 290
#if YYDEBUG
#if defined(__cplusplus) || defined(__STDC__)
const char * const yyname[] =
"DEFAULTS_HOST","DEFAULTS_USER","DEFAULTS_RUNAS","DEFAULTS_CMND","NOPASSWD",
"PASSWD","NOEXEC","EXEC","SETENV","NOSETENV","LOG_INPUT","NOLOG_INPUT",
"LOG_OUTPUT","NOLOG_OUTPUT","ALL","COMMENT","HOSTALIAS","CMNDALIAS","USERALIAS",
-"RUNASALIAS","ERROR","TYPE","ROLE",
+"RUNASALIAS","ERROR","TYPE","ROLE","PRIVS","LIMITPRIVS","MYSELF",
};
#if defined(__cplusplus) || defined(__STDC__)
const char * const yyrule[] =
"host : WORD",
"cmndspeclist : cmndspec",
"cmndspeclist : cmndspeclist ',' cmndspec",
-"cmndspec : runasspec selinux cmndtag opcmnd",
+"cmndspec : runasspec selinux solarisprivs cmndtag opcmnd",
"opcmnd : cmnd",
"opcmnd : '!' cmnd",
"rolespec : ROLE '=' WORD",
"selinux : typespec",
"selinux : rolespec typespec",
"selinux : typespec rolespec",
+"privsspec : PRIVS '=' WORD",
+"limitprivsspec : LIMITPRIVS '=' WORD",
+"solarisprivs :",
+"solarisprivs : privsspec",
+"solarisprivs : limitprivsspec",
+"solarisprivs : privsspec limitprivsspec",
+"solarisprivs : limitprivsspec privsspec",
"runasspec :",
"runasspec : '(' runaslist ')'",
+"runaslist :",
"runaslist : userlist",
"runaslist : userlist ':' grouplist",
"runaslist : ':' grouplist",
+"runaslist : ':'",
"cmndtag :",
"cmndtag : cmndtag NOPASSWD",
"cmndtag : cmndtag PASSWD",
short *yysslim;
YYSTYPE *yyvs;
int yystacksize;
-#line 611 "gram.y"
+#line 674 "gram.y"
static struct defaults *
new_default(char *var, char *val, int op)
{
* the current sudoers file to path.
*/
void
-init_parser(const char *path, int quiet)
+init_parser(const char *path, bool quiet)
{
struct defaults *d;
struct member *m, *binding;
#ifdef HAVE_SELINUX
char *role = NULL, *type = NULL;
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ char *privs = NULL, *limitprivs = NULL;
+#endif /* HAVE_PRIV_SET */
while ((m = tq_pop(&priv->hostlist)) != NULL) {
efree(m->name);
efree(cs->type);
}
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* Only free the first instance of privs/limitprivs. */
+ if (cs->privs != privs) {
+ privs = cs->privs;
+ efree(cs->privs);
+ }
+ if (cs->limitprivs != limitprivs) {
+ limitprivs = cs->limitprivs;
+ efree(cs->limitprivs);
+ }
+#endif /* HAVE_PRIV_SET */
if (tq_last(&cs->runasuserlist) != runasuser) {
runasuser = tq_last(&cs->runasuserlist);
while ((m = tq_pop(&cs->runasuserlist)) != NULL) {
debug_return;
}
-#line 778 "gram.c"
+#line 827 "gram.c"
/* allocate initial stack or double stack size, up to YYMAXDEPTH */
#if defined(__cplusplus) || defined(__STDC__)
static int yygrowstack(void)
short *newss;
YYSTYPE *newvs;
- if ((newsize = yystacksize) == 0)
- newsize = YYINITSTACKSIZE;
- else if (newsize >= YYMAXDEPTH)
+ newsize = yystacksize ? yystacksize : YYINITSTACKSIZE;
+ if (newsize >= YYMAXDEPTH)
return -1;
else if ((newsize *= 2) > YYMAXDEPTH)
newsize = YYMAXDEPTH;
- i = yyssp - yyss;
#ifdef SIZE_MAX
#define YY_SIZE_MAX SIZE_MAX
#else
#define YY_SIZE_MAX 0x7fffffff
#endif
- if (!newsize || YY_SIZE_MAX / newsize < sizeof *newss)
+ if (YY_SIZE_MAX / newsize < sizeof *newss)
goto bail;
+ i = yyssp - yyss;
newss = yyss ? (short *)realloc(yyss, newsize * sizeof *newss) :
(short *)malloc(newsize * sizeof *newss); /* overflow check above */
if (newss == NULL)
goto bail;
yyss = newss;
yyssp = newss + i;
- if (!newsize || YY_SIZE_MAX / newsize < sizeof *newvs)
- goto bail;
newvs = yyvs ? (YYSTYPE *)realloc(yyvs, newsize * sizeof *newvs) :
(YYSTYPE *)malloc(newsize * sizeof *newvs); /* overflow check above */
if (newvs == NULL)
switch (yyn)
{
case 1:
-#line 192 "gram.y"
+#line 204 "gram.y"
{ ; }
break;
case 5:
-#line 200 "gram.y"
+#line 212 "gram.y"
{
;
}
break;
case 6:
-#line 203 "gram.y"
+#line 215 "gram.y"
{
yyerrok;
}
break;
case 7:
-#line 206 "gram.y"
+#line 218 "gram.y"
{
add_userspec(yyvsp[-1].member, yyvsp[0].privilege);
}
break;
case 8:
-#line 209 "gram.y"
+#line 221 "gram.y"
{
;
}
break;
case 9:
-#line 212 "gram.y"
+#line 224 "gram.y"
{
;
}
break;
case 10:
-#line 215 "gram.y"
+#line 227 "gram.y"
{
;
}
break;
case 11:
-#line 218 "gram.y"
+#line 230 "gram.y"
{
;
}
break;
case 12:
-#line 221 "gram.y"
+#line 233 "gram.y"
{
add_defaults(DEFAULTS, NULL, yyvsp[0].defaults);
}
break;
case 13:
-#line 224 "gram.y"
+#line 236 "gram.y"
{
add_defaults(DEFAULTS_USER, yyvsp[-1].member, yyvsp[0].defaults);
}
break;
case 14:
-#line 227 "gram.y"
+#line 239 "gram.y"
{
add_defaults(DEFAULTS_RUNAS, yyvsp[-1].member, yyvsp[0].defaults);
}
break;
case 15:
-#line 230 "gram.y"
+#line 242 "gram.y"
{
add_defaults(DEFAULTS_HOST, yyvsp[-1].member, yyvsp[0].defaults);
}
break;
case 16:
-#line 233 "gram.y"
+#line 245 "gram.y"
{
add_defaults(DEFAULTS_CMND, yyvsp[-1].member, yyvsp[0].defaults);
}
break;
case 18:
-#line 239 "gram.y"
+#line 251 "gram.y"
{
list_append(yyvsp[-2].defaults, yyvsp[0].defaults);
yyval.defaults = yyvsp[-2].defaults;
}
break;
case 19:
-#line 245 "gram.y"
+#line 257 "gram.y"
{
yyval.defaults = new_default(yyvsp[0].string, NULL, true);
}
break;
case 20:
-#line 248 "gram.y"
+#line 260 "gram.y"
{
yyval.defaults = new_default(yyvsp[0].string, NULL, false);
}
break;
case 21:
-#line 251 "gram.y"
+#line 263 "gram.y"
{
yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, true);
}
break;
case 22:
-#line 254 "gram.y"
+#line 266 "gram.y"
{
yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '+');
}
break;
case 23:
-#line 257 "gram.y"
+#line 269 "gram.y"
{
yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '-');
}
break;
case 25:
-#line 263 "gram.y"
+#line 275 "gram.y"
{
list_append(yyvsp[-2].privilege, yyvsp[0].privilege);
yyval.privilege = yyvsp[-2].privilege;
}
break;
case 26:
-#line 269 "gram.y"
+#line 281 "gram.y"
{
struct privilege *p = ecalloc(1, sizeof(*p));
list2tq(&p->hostlist, yyvsp[-2].member);
}
break;
case 27:
-#line 279 "gram.y"
+#line 291 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = false;
}
break;
case 28:
-#line 283 "gram.y"
+#line 295 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = true;
}
break;
case 29:
-#line 289 "gram.y"
+#line 301 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, ALIAS);
}
break;
case 30:
-#line 292 "gram.y"
+#line 304 "gram.y"
{
yyval.member = new_member(NULL, ALL);
}
break;
case 31:
-#line 295 "gram.y"
+#line 307 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, NETGROUP);
}
break;
case 32:
-#line 298 "gram.y"
+#line 310 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, NTWKADDR);
}
break;
case 33:
-#line 301 "gram.y"
+#line 313 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, WORD);
}
break;
case 35:
-#line 307 "gram.y"
+#line 319 "gram.y"
{
list_append(yyvsp[-2].cmndspec, yyvsp[0].cmndspec);
#ifdef HAVE_SELINUX
if (yyvsp[0].cmndspec->type == NULL)
yyvsp[0].cmndspec->type = yyvsp[0].cmndspec->prev->type;
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* propagate privs & limitprivs */
+ if (yyvsp[0].cmndspec->privs == NULL)
+ yyvsp[0].cmndspec->privs = yyvsp[0].cmndspec->prev->privs;
+ if (yyvsp[0].cmndspec->limitprivs == NULL)
+ yyvsp[0].cmndspec->limitprivs = yyvsp[0].cmndspec->prev->limitprivs;
+#endif /* HAVE_PRIV_SET */
/* propagate tags and runas list */
if (yyvsp[0].cmndspec->tags.nopasswd == UNSPEC)
yyvsp[0].cmndspec->tags.nopasswd = yyvsp[0].cmndspec->prev->tags.nopasswd;
}
break;
case 36:
-#line 339 "gram.y"
+#line 358 "gram.y"
{
struct cmndspec *cs = ecalloc(1, sizeof(*cs));
- if (yyvsp[-3].runas != NULL) {
- list2tq(&cs->runasuserlist, yyvsp[-3].runas->runasusers);
- list2tq(&cs->runasgrouplist, yyvsp[-3].runas->runasgroups);
- efree(yyvsp[-3].runas);
+ if (yyvsp[-4].runas != NULL) {
+ list2tq(&cs->runasuserlist, yyvsp[-4].runas->runasusers);
+ list2tq(&cs->runasgrouplist, yyvsp[-4].runas->runasgroups);
+ efree(yyvsp[-4].runas);
} else {
tq_init(&cs->runasuserlist);
tq_init(&cs->runasgrouplist);
}
#ifdef HAVE_SELINUX
- cs->role = yyvsp[-2].seinfo.role;
- cs->type = yyvsp[-2].seinfo.type;
+ cs->role = yyvsp[-3].seinfo.role;
+ cs->type = yyvsp[-3].seinfo.type;
+#endif
+#ifdef HAVE_PRIV_SET
+ cs->privs = yyvsp[-2].privinfo.privs;
+ cs->limitprivs = yyvsp[-2].privinfo.limitprivs;
#endif
cs->tags = yyvsp[-1].tag;
cs->cmnd = yyvsp[0].member;
}
break;
case 37:
-#line 365 "gram.y"
+#line 388 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = false;
}
break;
case 38:
-#line 369 "gram.y"
+#line 392 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = true;
}
break;
case 39:
-#line 375 "gram.y"
+#line 398 "gram.y"
{
yyval.string = yyvsp[0].string;
}
break;
case 40:
-#line 380 "gram.y"
+#line 403 "gram.y"
{
yyval.string = yyvsp[0].string;
}
break;
case 41:
-#line 385 "gram.y"
+#line 408 "gram.y"
{
yyval.seinfo.role = NULL;
yyval.seinfo.type = NULL;
}
break;
case 42:
-#line 389 "gram.y"
+#line 412 "gram.y"
{
yyval.seinfo.role = yyvsp[0].string;
yyval.seinfo.type = NULL;
}
break;
case 43:
-#line 393 "gram.y"
+#line 416 "gram.y"
{
yyval.seinfo.type = yyvsp[0].string;
yyval.seinfo.role = NULL;
}
break;
case 44:
-#line 397 "gram.y"
+#line 420 "gram.y"
{
yyval.seinfo.role = yyvsp[-1].string;
yyval.seinfo.type = yyvsp[0].string;
}
break;
case 45:
-#line 401 "gram.y"
+#line 424 "gram.y"
{
yyval.seinfo.type = yyvsp[-1].string;
yyval.seinfo.role = yyvsp[0].string;
}
break;
case 46:
-#line 407 "gram.y"
+#line 430 "gram.y"
{
- yyval.runas = NULL;
+ yyval.string = yyvsp[0].string;
}
break;
case 47:
-#line 410 "gram.y"
+#line 434 "gram.y"
{
- yyval.runas = yyvsp[-1].runas;
+ yyval.string = yyvsp[0].string;
}
break;
case 48:
-#line 415 "gram.y"
+#line 439 "gram.y"
+{
+ yyval.privinfo.privs = NULL;
+ yyval.privinfo.limitprivs = NULL;
+ }
+break;
+case 49:
+#line 443 "gram.y"
+{
+ yyval.privinfo.privs = yyvsp[0].string;
+ yyval.privinfo.limitprivs = NULL;
+ }
+break;
+case 50:
+#line 447 "gram.y"
+{
+ yyval.privinfo.privs = NULL;
+ yyval.privinfo.limitprivs = yyvsp[0].string;
+ }
+break;
+case 51:
+#line 451 "gram.y"
+{
+ yyval.privinfo.privs = yyvsp[-1].string;
+ yyval.privinfo.limitprivs = yyvsp[0].string;
+ }
+break;
+case 52:
+#line 455 "gram.y"
+{
+ yyval.privinfo.limitprivs = yyvsp[-1].string;
+ yyval.privinfo.privs = yyvsp[0].string;
+ }
+break;
+case 53:
+#line 460 "gram.y"
+{
+ yyval.runas = NULL;
+ }
+break;
+case 54:
+#line 463 "gram.y"
+{
+ yyval.runas = yyvsp[-1].runas;
+ }
+break;
+case 55:
+#line 468 "gram.y"
+{
+ yyval.runas = ecalloc(1, sizeof(struct runascontainer));
+ yyval.runas->runasusers = new_member(NULL, MYSELF);
+ /* $$->runasgroups = NULL; */
+ }
+break;
+case 56:
+#line 473 "gram.y"
{
yyval.runas = ecalloc(1, sizeof(struct runascontainer));
yyval.runas->runasusers = yyvsp[0].member;
/* $$->runasgroups = NULL; */
}
break;
-case 49:
-#line 420 "gram.y"
+case 57:
+#line 478 "gram.y"
{
yyval.runas = ecalloc(1, sizeof(struct runascontainer));
yyval.runas->runasusers = yyvsp[-2].member;
yyval.runas->runasgroups = yyvsp[0].member;
}
break;
-case 50:
-#line 425 "gram.y"
+case 58:
+#line 483 "gram.y"
{
yyval.runas = ecalloc(1, sizeof(struct runascontainer));
/* $$->runasusers = NULL; */
yyval.runas->runasgroups = yyvsp[0].member;
}
break;
-case 51:
-#line 432 "gram.y"
+case 59:
+#line 488 "gram.y"
+{
+ yyval.runas = ecalloc(1, sizeof(struct runascontainer));
+ yyval.runas->runasusers = new_member(NULL, MYSELF);
+ /* $$->runasgroups = NULL; */
+ }
+break;
+case 60:
+#line 495 "gram.y"
{
yyval.tag.nopasswd = yyval.tag.noexec = yyval.tag.setenv =
yyval.tag.log_input = yyval.tag.log_output = UNSPEC;
}
break;
-case 52:
-#line 436 "gram.y"
+case 61:
+#line 499 "gram.y"
{
yyval.tag.nopasswd = true;
}
break;
-case 53:
-#line 439 "gram.y"
+case 62:
+#line 502 "gram.y"
{
yyval.tag.nopasswd = false;
}
break;
-case 54:
-#line 442 "gram.y"
+case 63:
+#line 505 "gram.y"
{
yyval.tag.noexec = true;
}
break;
-case 55:
-#line 445 "gram.y"
+case 64:
+#line 508 "gram.y"
{
yyval.tag.noexec = false;
}
break;
-case 56:
-#line 448 "gram.y"
+case 65:
+#line 511 "gram.y"
{
yyval.tag.setenv = true;
}
break;
-case 57:
-#line 451 "gram.y"
+case 66:
+#line 514 "gram.y"
{
yyval.tag.setenv = false;
}
break;
-case 58:
-#line 454 "gram.y"
+case 67:
+#line 517 "gram.y"
{
yyval.tag.log_input = true;
}
break;
-case 59:
-#line 457 "gram.y"
+case 68:
+#line 520 "gram.y"
{
yyval.tag.log_input = false;
}
break;
-case 60:
-#line 460 "gram.y"
+case 69:
+#line 523 "gram.y"
{
yyval.tag.log_output = true;
}
break;
-case 61:
-#line 463 "gram.y"
+case 70:
+#line 526 "gram.y"
{
yyval.tag.log_output = false;
}
break;
-case 62:
-#line 468 "gram.y"
+case 71:
+#line 531 "gram.y"
{
yyval.member = new_member(NULL, ALL);
}
break;
-case 63:
-#line 471 "gram.y"
+case 72:
+#line 534 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, ALIAS);
}
break;
-case 64:
-#line 474 "gram.y"
+case 73:
+#line 537 "gram.y"
{
struct sudo_command *c = ecalloc(1, sizeof(*c));
c->cmnd = yyvsp[0].command.cmnd;
yyval.member = new_member((char *)c, COMMAND);
}
break;
-case 67:
-#line 486 "gram.y"
+case 76:
+#line 549 "gram.y"
{
char *s;
if ((s = alias_add(yyvsp[-2].string, HOSTALIAS, yyvsp[0].member)) != NULL) {
}
}
break;
-case 69:
-#line 496 "gram.y"
+case 78:
+#line 559 "gram.y"
{
list_append(yyvsp[-2].member, yyvsp[0].member);
yyval.member = yyvsp[-2].member;
}
break;
-case 72:
-#line 506 "gram.y"
+case 81:
+#line 569 "gram.y"
{
char *s;
if ((s = alias_add(yyvsp[-2].string, CMNDALIAS, yyvsp[0].member)) != NULL) {
}
}
break;
-case 74:
-#line 516 "gram.y"
+case 83:
+#line 579 "gram.y"
{
list_append(yyvsp[-2].member, yyvsp[0].member);
yyval.member = yyvsp[-2].member;
}
break;
-case 77:
-#line 526 "gram.y"
+case 86:
+#line 589 "gram.y"
{
char *s;
if ((s = alias_add(yyvsp[-2].string, RUNASALIAS, yyvsp[0].member)) != NULL) {
}
}
break;
-case 80:
-#line 539 "gram.y"
+case 89:
+#line 602 "gram.y"
{
char *s;
if ((s = alias_add(yyvsp[-2].string, USERALIAS, yyvsp[0].member)) != NULL) {
}
}
break;
-case 82:
-#line 549 "gram.y"
+case 91:
+#line 612 "gram.y"
{
list_append(yyvsp[-2].member, yyvsp[0].member);
yyval.member = yyvsp[-2].member;
}
break;
-case 83:
-#line 555 "gram.y"
+case 92:
+#line 618 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = false;
}
break;
-case 84:
-#line 559 "gram.y"
+case 93:
+#line 622 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = true;
}
break;
-case 85:
-#line 565 "gram.y"
+case 94:
+#line 628 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, ALIAS);
}
break;
-case 86:
-#line 568 "gram.y"
+case 95:
+#line 631 "gram.y"
{
yyval.member = new_member(NULL, ALL);
}
break;
-case 87:
-#line 571 "gram.y"
+case 96:
+#line 634 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, NETGROUP);
}
break;
-case 88:
-#line 574 "gram.y"
+case 97:
+#line 637 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, USERGROUP);
}
break;
-case 89:
-#line 577 "gram.y"
+case 98:
+#line 640 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, WORD);
}
break;
-case 91:
-#line 583 "gram.y"
+case 100:
+#line 646 "gram.y"
{
list_append(yyvsp[-2].member, yyvsp[0].member);
yyval.member = yyvsp[-2].member;
}
break;
-case 92:
-#line 589 "gram.y"
+case 101:
+#line 652 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = false;
}
break;
-case 93:
-#line 593 "gram.y"
+case 102:
+#line 656 "gram.y"
{
yyval.member = yyvsp[0].member;
yyval.member->negated = true;
}
break;
-case 94:
-#line 599 "gram.y"
+case 103:
+#line 662 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, ALIAS);
}
break;
-case 95:
-#line 602 "gram.y"
+case 104:
+#line 665 "gram.y"
{
yyval.member = new_member(NULL, ALL);
}
break;
-case 96:
-#line 605 "gram.y"
+case 105:
+#line 668 "gram.y"
{
yyval.member = new_member(yyvsp[0].string, WORD);
}
break;
-#line 1547 "gram.c"
+#line 1667 "gram.c"
}
yyssp -= yym;
yystate = *yyssp;
#define ERROR 285
#define TYPE 286
#define ROLE 287
+#define PRIVS 288
+#define LIMITPRIVS 289
+#define MYSELF 290
#ifndef YYSTYPE_DEFINED
#define YYSTYPE_DEFINED
typedef union {
struct sudo_command command;
struct cmndtag tag;
struct selinux_info seinfo;
+ struct solaris_privs_info privinfo;
char *string;
int tok;
} YYSTYPE;
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
#if defined(YYBISON) && defined(HAVE_ALLOCA_H) && !defined(__GNUC__)
# include <alloca.h>
#endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */
errorlineno = sudolineno;
errorfile = estrdup(sudoers);
}
- if (trace_print != NULL) {
+ if (sudoers_warnings && s != NULL) {
LEXTRACE("<*> ");
- } else if (sudoers_warnings && s != NULL) {
- warningx(_(">>> %s: %s near line %d <<<"), sudoers, s, sudolineno);
+#ifndef TRACELEXER
+ if (trace_print == NULL || trace_print == sudoers_trace_print)
+ warningx(_(">>> %s: %s near line %d <<<"), sudoers, s, sudolineno);
+#endif
}
parse_error = true;
debug_return;
struct sudo_command command;
struct cmndtag tag;
struct selinux_info seinfo;
+ struct solaris_privs_info privinfo;
char *string;
int tok;
}
%token <tok> ERROR
%token <tok> TYPE /* SELinux type */
%token <tok> ROLE /* SELinux role */
+%token <tok> PRIVS /* Solaris privileges */
+%token <tok> LIMITPRIVS /* Solaris limit privileges */
+%token <tok> MYSELF /* run as myself, not another user */
%type <cmndspec> cmndspec
%type <cmndspec> cmndspeclist
%type <seinfo> selinux
%type <string> rolespec
%type <string> typespec
+%type <privinfo> solarisprivs
+%type <string> privsspec
+%type <string> limitprivsspec
%%
if ($3->type == NULL)
$3->type = $3->prev->type;
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* propagate privs & limitprivs */
+ if ($3->privs == NULL)
+ $3->privs = $3->prev->privs;
+ if ($3->limitprivs == NULL)
+ $3->limitprivs = $3->prev->limitprivs;
+#endif /* HAVE_PRIV_SET */
/* propagate tags and runas list */
if ($3->tags.nopasswd == UNSPEC)
$3->tags.nopasswd = $3->prev->tags.nopasswd;
}
;
-cmndspec : runasspec selinux cmndtag opcmnd {
+cmndspec : runasspec selinux solarisprivs cmndtag opcmnd {
struct cmndspec *cs = ecalloc(1, sizeof(*cs));
if ($1 != NULL) {
list2tq(&cs->runasuserlist, $1->runasusers);
cs->role = $2.role;
cs->type = $2.type;
#endif
- cs->tags = $3;
- cs->cmnd = $4;
+#ifdef HAVE_PRIV_SET
+ cs->privs = $3.privs;
+ cs->limitprivs = $3.limitprivs;
+#endif
+ cs->tags = $4;
+ cs->cmnd = $5;
cs->prev = cs;
cs->next = NULL;
/* sudo "ALL" implies the SETENV tag */
}
;
+privsspec : PRIVS '=' WORD {
+ $$ = $3;
+ }
+ ;
+limitprivsspec : LIMITPRIVS '=' WORD {
+ $$ = $3;
+ }
+ ;
+
+solarisprivs : /* empty */ {
+ $$.privs = NULL;
+ $$.limitprivs = NULL;
+ }
+ | privsspec {
+ $$.privs = $1;
+ $$.limitprivs = NULL;
+ }
+ | limitprivsspec {
+ $$.privs = NULL;
+ $$.limitprivs = $1;
+ }
+ | privsspec limitprivsspec {
+ $$.privs = $1;
+ $$.limitprivs = $2;
+ }
+ | limitprivsspec privsspec {
+ $$.limitprivs = $1;
+ $$.privs = $2;
+ }
+
runasspec : /* empty */ {
$$ = NULL;
}
}
;
-runaslist : userlist {
+runaslist : /* empty */ {
+ $$ = ecalloc(1, sizeof(struct runascontainer));
+ $$->runasusers = new_member(NULL, MYSELF);
+ /* $$->runasgroups = NULL; */
+ }
+ | userlist {
$$ = ecalloc(1, sizeof(struct runascontainer));
$$->runasusers = $1;
/* $$->runasgroups = NULL; */
/* $$->runasusers = NULL; */
$$->runasgroups = $2;
}
+ | ':' {
+ $$ = ecalloc(1, sizeof(struct runascontainer));
+ $$->runasusers = new_member(NULL, MYSELF);
+ /* $$->runasgroups = NULL; */
+ }
;
cmndtag : /* empty */ {
* the current sudoers file to path.
*/
void
-init_parser(const char *path, int quiet)
+init_parser(const char *path, bool quiet)
{
struct defaults *d;
struct member *m, *binding;
#ifdef HAVE_SELINUX
char *role = NULL, *type = NULL;
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ char *privs = NULL, *limitprivs = NULL;
+#endif /* HAVE_PRIV_SET */
while ((m = tq_pop(&priv->hostlist)) != NULL) {
efree(m->name);
efree(cs->type);
}
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* Only free the first instance of privs/limitprivs. */
+ if (cs->privs != privs) {
+ privs = cs->privs;
+ efree(cs->privs);
+ }
+ if (cs->limitprivs != limitprivs) {
+ limitprivs = cs->limitprivs;
+ efree(cs->limitprivs);
+ }
+#endif /* HAVE_PRIV_SET */
if (tq_last(&cs->runasuserlist) != runasuser) {
runasuser = tq_last(&cs->runasuserlist);
while ((m = tq_pop(&cs->runasuserlist)) != NULL) {
static int iolog_compress;
static struct timeval last_time;
static union io_fd io_fds[IOFD_MAX];
-extern struct io_plugin sudoers_io;
+extern __dso_public struct io_plugin sudoers_io;
/*
* Create parent directories for path as needed, but not path itself.
* Uses file locking to avoid sequence number collisions.
*/
void
-io_nextid(char *iolog_dir, char sessid[7])
+io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7])
{
struct stat sb;
char buf[32], *ep;
log_fatal(USE_ERRNO, _("unable to open %s"), pathbuf);
lock_file(fd, SUDO_LOCK);
- /* Read seq number (base 36). */
- nread = read(fd, buf, sizeof(buf));
- if (nread != 0) {
- if (nread == -1)
- log_fatal(USE_ERRNO, _("unable to read %s"), pathbuf);
- id = strtoul(buf, &ep, 36);
- if (buf == ep || id >= SESSID_MAX)
- log_fatal(0, _("invalid sequence number %s"), pathbuf);
+ /*
+ * If there is no seq file in iolog_dir and a fallback dir was
+ * specified, look for seq in the fallback dir. This is to work
+ * around a bug in sudo 1.8.5 and older where iolog_dir was not
+ * expanded before the sequence number was updated.
+ */
+ if (iolog_dir_fallback != NULL && fstat(fd, &sb) == 0 && sb.st_size == 0) {
+ char fallback[PATH_MAX];
+
+ len = snprintf(fallback, sizeof(fallback), "%s/seq",
+ iolog_dir_fallback);
+ if (len > 0 && len < sizeof(fallback)) {
+ int fd2 = open(fallback, O_RDWR|O_CREAT, S_IRUSR|S_IWUSR);
+ if (fd2 != -1) {
+ nread = read(fd2, buf, sizeof(buf));
+ if (nread > 0) {
+ id = strtoul(buf, &ep, 36);
+ if (buf == ep || id >= SESSID_MAX)
+ id = 0;
+ }
+ close(fd2);
+ }
+ }
+ }
+
+ /* Read current seq number (base 36). */
+ if (id == 0) {
+ nread = read(fd, buf, sizeof(buf));
+ if (nread != 0) {
+ if (nread == -1)
+ log_fatal(USE_ERRNO, _("unable to read %s"), pathbuf);
+ id = strtoul(buf, &ep, 36);
+ if (buf == ep || id >= SESSID_MAX)
+ log_fatal(0, _("invalid sequence number %s"), pathbuf);
+ }
}
id++;
sessid[6] = '\0';
/* Rewind and overwrite old seq file. */
- if (lseek(fd, 0, SEEK_SET) == (off_t)-1 || write(fd, buf, 7) != 7)
+ if (lseek(fd, (off_t)0, SEEK_SET) == (off_t)-1 || write(fd, buf, 7) != 7)
log_fatal(USE_ERRNO, _("unable to write to %s"), pathbuf);
close(fd);
/* Get next session ID and convert it into a path. */
tofree = emalloc(sizeof(_PATH_SUDO_IO_LOGDIR) + sizeof(sessid) + 2);
memcpy(tofree, _PATH_SUDO_IO_LOGDIR, sizeof(_PATH_SUDO_IO_LOGDIR));
- io_nextid(tofree, sessid);
+ io_nextid(tofree, NULL, sessid);
snprintf(tofree + sizeof(_PATH_SUDO_IO_LOGDIR), sizeof(sessid) + 2,
"%c%c/%c%c/%c%c", sessid[0], sessid[1], sessid[2], sessid[3],
sessid[4], sessid[5]);
done:
efree(tofree);
if (details.runas_pw)
- pw_delref(details.runas_pw);
+ sudo_pw_delref(details.runas_pw);
sudo_endpwent();
if (details.runas_gr)
- gr_delref(details.runas_gr);
+ sudo_gr_delref(details.runas_gr);
sudo_endgrent();
debug_return_bool(rval);
return sudoers_io_log(buf, len, IOFD_STDERR);
}
-struct io_plugin sudoers_io = {
+__dso_public struct io_plugin sudoers_io = {
SUDO_IO_PLUGIN,
SUDO_API_VERSION,
sudoers_io_open,
struct path_escape {
const char *name;
- size_t (*copy_fn)(char *, size_t);
+ size_t (*copy_fn)(char *, size_t, char *);
};
-static size_t fill_seq(char *, size_t);
-static size_t fill_user(char *, size_t);
-static size_t fill_group(char *, size_t);
-static size_t fill_runas_user(char *, size_t);
-static size_t fill_runas_group(char *, size_t);
-static size_t fill_hostname(char *, size_t);
-static size_t fill_command(char *, size_t);
+static size_t fill_seq(char *, size_t, char *);
+static size_t fill_user(char *, size_t, char *);
+static size_t fill_group(char *, size_t, char *);
+static size_t fill_runas_user(char *, size_t, char *);
+static size_t fill_runas_group(char *, size_t, char *);
+static size_t fill_hostname(char *, size_t, char *);
+static size_t fill_command(char *, size_t, char *);
-static struct path_escape escapes[] = {
+/* Note: "seq" must be first in the list. */
+static struct path_escape io_path_escapes[] = {
{ "seq", fill_seq },
{ "user", fill_user },
{ "group", fill_group },
};
static size_t
-fill_seq(char *str, size_t strsize)
+fill_seq(char *str, size_t strsize, char *logdir)
{
static char sessid[7];
int len;
debug_decl(sudoers_io_version, SUDO_DEBUG_UTIL)
if (sessid[0] == '\0')
- io_nextid(def_iolog_dir, sessid);
+ io_nextid(logdir, def_iolog_dir, sessid);
/* Path is of the form /var/log/sudo-io/00/00/01. */
len = snprintf(str, strsize, "%c%c/%c%c/%c%c", sessid[0],
}
static size_t
-fill_user(char *str, size_t strsize)
+fill_user(char *str, size_t strsize, char *unused)
{
debug_decl(fill_user, SUDO_DEBUG_UTIL)
debug_return_size_t(strlcpy(str, user_name, strsize));
}
static size_t
-fill_group(char *str, size_t strsize)
+fill_group(char *str, size_t strsize, char *unused)
{
struct group *grp;
size_t len;
if ((grp = sudo_getgrgid(user_gid)) != NULL) {
len = strlcpy(str, grp->gr_name, strsize);
- gr_delref(grp);
+ sudo_gr_delref(grp);
} else {
len = strlen(str);
len = snprintf(str + len, strsize - len, "#%u",
}
static size_t
-fill_runas_user(char *str, size_t strsize)
+fill_runas_user(char *str, size_t strsize, char *unused)
{
debug_decl(fill_runas_user, SUDO_DEBUG_UTIL)
debug_return_size_t(strlcpy(str, runas_pw->pw_name, strsize));
}
static size_t
-fill_runas_group(char *str, size_t strsize)
+fill_runas_group(char *str, size_t strsize, char *unused)
{
struct group *grp;
size_t len;
} else {
if ((grp = sudo_getgrgid(runas_pw->pw_gid)) != NULL) {
len = strlcpy(str, grp->gr_name, strsize);
- gr_delref(grp);
+ sudo_gr_delref(grp);
} else {
len = strlen(str);
len = snprintf(str + len, strsize - len, "#%u",
}
static size_t
-fill_hostname(char *str, size_t strsize)
+fill_hostname(char *str, size_t strsize, char *unused)
{
debug_decl(fill_hostname, SUDO_DEBUG_UTIL)
debug_return_size_t(strlcpy(str, user_shost, strsize));
}
static size_t
-fill_command(char *str, size_t strsize)
+fill_command(char *str, size_t strsize, char *unused)
{
debug_decl(fill_command, SUDO_DEBUG_UTIL)
debug_return_size_t(strlcpy(str, user_base, strsize));
{
size_t len, prelen = 0;
char *dst, *dst0, *path, *pathend, tmpbuf[PATH_MAX];
+ char *slash = NULL;
const char *endbrace, *src = dir;
+ static struct path_escape *escapes;
int pass;
bool strfit;
debug_decl(expand_iolog_path, SUDO_DEBUG_UTIL)
switch (pass) {
case 0:
src = dir;
+ escapes = io_path_escapes + 1; /* skip "${seq}" */
break;
case 1:
/* Trim trailing slashes from dir component. */
while (dst - path - 1 > prelen && dst[-1] == '/')
dst--;
- if (slashp)
- *slashp = dst;
- src = "/";
- break;
+ /* The NUL will be replaced with a '/' at the end. */
+ if (dst + 1 >= pathend)
+ goto bad;
+ slash = dst++;
+ continue;
case 2:
src = file;
+ escapes = io_path_escapes;
break;
}
dst0 = dst;
break;
}
if (esc->name != NULL) {
- len = esc->copy_fn(dst, (size_t)(pathend - dst));
+ len = esc->copy_fn(dst, (size_t)(pathend - dst),
+ path + prelen);
if (len >= (size_t)(pathend - dst))
goto bad;
dst += len;
*dst = '\0';
}
}
+ if (slashp)
+ *slashp = slash;
+ *slash = '/';
debug_return_str(path);
bad:
extern int ldapssl_set_strength(LDAP *ldap, int strength);
#endif
+#if !defined(LDAP_OPT_NETWORK_TIMEOUT) && defined(LDAP_OPT_CONNECT_TIMEOUT)
+# define LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_CONNECT_TIMEOUT
+#endif
+
#ifndef LDAP_OPT_SUCCESS
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
#endif
#define SUDO_LDAP_SSL 1
#define SUDO_LDAP_STARTTLS 2
-/* The TIMEFILTER_LENGTH includes the filter itself plus the global AND
- wrapped around the user filter and the time filter when timed entries
+/* The TIMEFILTER_LENGTH is the length of the filter when timed entries
are used. The length is computed as follows:
- 85 for the filter
- + 2 * 13 for the now timestamp
- + 3 for the global AND
+ 81 for the filter itself
+ + 2 * 17 for the now timestamp
*/
-#define TIMEFILTER_LENGTH 114
+#define TIMEFILTER_LENGTH 115
/*
* The ldap_search structure implements a linked list of ldap and
char *tls_cipher_suite;
char *tls_certfile;
char *tls_keyfile;
+ char *tls_keypw;
char *sasl_auth_id;
char *rootsasl_auth_id;
char *sasl_secprops;
#ifdef LDAP_OPT_X_TLS_CIPHER_SUITE
{ "tls_ciphers", CONF_STR, LDAP_OPT_X_TLS_CIPHER_SUITE,
&ldap_conf.tls_cipher_suite },
+#elif defined(LDAP_OPT_SSL_CIPHER)
+ { "tls_ciphers", CONF_STR, LDAP_OPT_SSL_CIPHER,
+ &ldap_conf.tls_cipher_suite },
#endif
#ifdef LDAP_OPT_X_TLS_CERTFILE
{ "tls_cert", CONF_STR, LDAP_OPT_X_TLS_CERTFILE,
&ldap_conf.tls_keyfile },
#else
{ "tls_key", CONF_STR, -1, &ldap_conf.tls_keyfile },
+#endif
+#ifdef HAVE_LDAP_SSL_CLIENT_INIT
+ { "tls_keypw", CONF_STR, -1, &ldap_conf.tls_keypw },
#endif
{ "binddn", CONF_STR, -1, &ldap_conf.binddn },
{ "bindpw", CONF_STR, -1, &ldap_conf.bindpw },
if ((ld = ldapssl_init(host, port, defsecure)) != NULL)
rc = LDAP_SUCCESS;
} else
+#elif defined(HAVE_LDAP_SSL_INIT) && defined(HAVE_LDAP_SSL_CLIENT_INIT)
+ if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
+ if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
+ warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
+ debug_return_int(-1);
+ }
+ DPRINTF(("ldap_ssl_init(%s, %d, NULL)", host, port), 2);
+ if ((ld = ldap_ssl_init((char *)host, port, NULL)) != NULL)
+ rc = LDAP_SUCCESS;
+ } else
#endif
{
#ifdef HAVE_LDAP_CREATE
rc = ldap_set_option(ld, LDAP_OPT_HOST_NAME, host);
#else
DPRINTF(("ldap_init(%s, %d)", host, port), 2);
- if ((ld = ldap_init(host, port)) != NULL)
+ if ((ld = ldap_init((char *)host, port)) != NULL)
rc = LDAP_SUCCESS;
#endif
}
{
struct tm *tp;
time_t now;
- char timebuffer[16];
+ char timebuffer[sizeof("20120727121554.0Z")];
int bytes = 0;
debug_decl(sudo_ldap_timefilter, SUDO_DEBUG_LDAP)
}
/* Format the timestamp according to the RFC. */
- if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%SZ", tp) == 0) {
- warning(_("unable to format timestamp"));
+ if (strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", tp) == 0) {
+ warningx(_("unable to format timestamp"));
goto done;
}
sudo_ldap_build_pass1(struct passwd *pw)
{
struct group *grp;
- char *buf, timebuffer[TIMEFILTER_LENGTH], gidbuf[MAX_UID_T_LEN];
+ char *buf, timebuffer[TIMEFILTER_LENGTH + 1], gidbuf[MAX_UID_T_LEN + 1];
struct group_list *grlist;
size_t sz = 0;
int i;
debug_decl(sudo_ldap_build_pass1, SUDO_DEBUG_LDAP)
- /* Start with LDAP search filter length + 3 */
+ /* If there is a filter, allocate space for the global AND. */
+ if (ldap_conf.timed || ldap_conf.search_filter)
+ sz += 3;
+
+ /* Add LDAP search filter if present. */
if (ldap_conf.search_filter)
- sz += strlen(ldap_conf.search_filter) + 3;
+ sz += strlen(ldap_conf.search_filter);
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
sz += 29 + sudo_ldap_value_len(pw->pw_name);
sz += 12 + sudo_ldap_value_len(grp->gr_name);
}
sz += 13 + MAX_UID_T_LEN;
- if ((grlist = get_group_list(pw)) != NULL) {
+ if ((grlist = sudo_get_grlist(pw)) != NULL) {
for (i = 0; i < grlist->ngroups; i++) {
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
continue;
/* Done with groups. */
if (grlist != NULL)
- grlist_delref(grlist);
+ sudo_grlist_delref(grlist);
if (grp != NULL)
- gr_delref(grp);
+ sudo_gr_delref(grp);
/* Add ALL to list and end the global OR */
if (strlcat(buf, "(sudoUser=ALL)", sz) >= sz)
static char *
sudo_ldap_build_pass2(void)
{
- char *filt, timebuffer[TIMEFILTER_LENGTH];
+ char *filt, timebuffer[TIMEFILTER_LENGTH + 1];
debug_decl(sudo_ldap_build_pass2, SUDO_DEBUG_LDAP)
if (ldap_conf.timed)
sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table)
{
struct ldap_config_table *cur;
- int ival, rc;
+ int ival, rc, errors = 0;
char *sval;
debug_decl(sudo_ldap_set_options_table, SUDO_DEBUG_LDAP)
case CONF_INT:
ival = *(int *)(cur->valp);
if (ival >= 0) {
+ DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1);
rc = ldap_set_option(ld, cur->opt_val, &ival);
if (rc != LDAP_OPT_SUCCESS) {
warningx("ldap_set_option: %s -> %d: %s",
cur->conf_str, ival, ldap_err2string(rc));
- debug_return_int(-1);
+ errors++;
}
- DPRINTF(("ldap_set_option: %s -> %d", cur->conf_str, ival), 1);
}
break;
case CONF_STR:
sval = *(char **)(cur->valp);
if (sval != NULL) {
+ DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1);
rc = ldap_set_option(ld, cur->opt_val, sval);
if (rc != LDAP_OPT_SUCCESS) {
warningx("ldap_set_option: %s -> %s: %s",
cur->conf_str, sval, ldap_err2string(rc));
- debug_return_int(-1);
+ errors++;
}
- DPRINTF(("ldap_set_option: %s -> %s", cur->conf_str, sval), 1);
}
break;
}
}
- debug_return_int(0);
+ debug_return_int(errors ? -1 : 0);
}
/*
struct timeval tv;
tv.tv_sec = ldap_conf.timeout;
tv.tv_usec = 0;
+ DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)",
+ (long)tv.tv_sec), 1);
rc = ldap_set_option(ld, LDAP_OPT_TIMEOUT, &tv);
if (rc != LDAP_OPT_SUCCESS) {
warningx("ldap_set_option(TIMEOUT, %ld): %s",
(long)tv.tv_sec, ldap_err2string(rc));
- debug_return_int(-1);
}
- DPRINTF(("ldap_set_option(LDAP_OPT_TIMEOUT, %ld)",
- (long)tv.tv_sec), 1);
}
#endif
#ifdef LDAP_OPT_NETWORK_TIMEOUT
struct timeval tv;
tv.tv_sec = ldap_conf.bind_timelimit / 1000;
tv.tv_usec = 0;
+ DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)",
+ (long)tv.tv_sec), 1);
rc = ldap_set_option(ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+# if !defined(LDAP_OPT_CONNECT_TIMEOUT) || LDAP_VENDOR_VERSION != 510
+ /* Tivoli Directory Server 6.3 libs always return a (bogus) error. */
if (rc != LDAP_OPT_SUCCESS) {
warningx("ldap_set_option(NETWORK_TIMEOUT, %ld): %s",
(long)tv.tv_sec, ldap_err2string(rc));
- debug_return_int(-1);
}
- DPRINTF(("ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, %ld)",
- (long)tv.tv_sec), 1);
+# endif
}
#endif
#if defined(LDAP_OPT_X_TLS) && !defined(HAVE_LDAPSSL_INIT)
if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
int val = LDAP_OPT_X_TLS_HARD;
+ DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1);
rc = ldap_set_option(ld, LDAP_OPT_X_TLS, &val);
if (rc != LDAP_SUCCESS) {
warningx("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD): %s",
ldap_err2string(rc));
debug_return_int(-1);
}
- DPRINTF(("ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)"), 1);
}
#endif
debug_return_int(0);
}
DPRINTF(("ldap_start_tls_s() ok"), 1);
#elif defined(HAVE_LDAP_SSL_CLIENT_INIT) && defined(HAVE_LDAP_START_TLS_S_NP)
- if (ldap_ssl_client_init(NULL, NULL, 0, &rc) != LDAP_SUCCESS) {
+ if (ldap_ssl_client_init(ldap_conf.tls_keyfile, ldap_conf.tls_keypw, 0, &rc) != LDAP_SUCCESS) {
warningx("ldap_ssl_client_init(): %s", ldap_err2string(rc));
debug_return_int(-1);
}
command = cp = emalloc(size);
for (av = argv; *av != NULL; av++) {
n = strlcpy(cp, *av, size - (cp - command));
- if (n >= size - (cp - command))
- errorx(1, _("internal error, linux_audit_command() overflow"));
+ if (n >= size - (cp - command)) {
+ errorx(1, _("internal error, %s overflow"),
+ "linux_audit_command()");
+ }
cp += n;
*cp++ = ' ';
}
extern sigjmp_buf error_jmp;
+extern char **NewArgv; /* XXX - for auditing */
+
#define MAXSYSLOGTRIES 16 /* num of retries for broken syslogs */
/*
size_t len, maxlen;
char *p, *tmp, save;
const char *fmt;
+#ifdef HAVE_SETLOCALE
+ const char *old_locale = estrdup(setlocale(LC_ALL, NULL));
+#endif
debug_decl(do_syslog, SUDO_DEBUG_LOGGING)
#ifdef HAVE_SETLOCALE
- const char *old_locale = estrdup(setlocale(LC_ALL, NULL));
if (!setlocale(LC_ALL, def_sudoers_locale))
setlocale(LC_ALL, "C");
#endif /* HAVE_SETLOCALE */
}
/*
- * Log and mail the denial message, optionally informing the user.
+ * Log, audit and mail the denial message, optionally informing the user.
*/
void
-log_denial(int status, int inform_user)
+log_denial(int status, bool inform_user)
{
char *logline, *message;
debug_decl(log_denial, SUDO_DEBUG_LOGGING)
+ /* Handle auditing first. */
+ if (ISSET(status, FLAG_NO_USER | FLAG_NO_HOST))
+ audit_failure(NewArgv, _("No user or host"));
+ else
+ audit_failure(NewArgv, _("validation failure"));
+
/* Set error message. */
if (ISSET(status, FLAG_NO_USER))
message = _("user NOT in sudoers");
debug_return;
}
+/*
+ * Log and audit that user was not allowed to run the command.
+ */
+void
+log_failure(int status, int flags)
+{
+ debug_decl(log_failure, SUDO_DEBUG_LOGGING)
+ bool inform_user = true;
+
+ /* The user doesn't always get to see the log message (path info). */
+ if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && def_path_info &&
+ (flags == NOT_FOUND_DOT || flags == NOT_FOUND))
+ inform_user = false;
+ log_denial(status, inform_user);
+
+ if (!inform_user) {
+ /*
+ * We'd like to not leak path info at all here, but that can
+ * *really* confuse the users. To really close the leak we'd
+ * have to say "not allowed to run foo" even when the problem
+ * is just "no foo in path" since the user can trivially set
+ * their path to just contain a single dir.
+ */
+ if (flags == NOT_FOUND)
+ warningx(_("%s: command not found"), user_cmnd);
+ else if (flags == NOT_FOUND_DOT)
+ warningx(_("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run."), user_cmnd, user_cmnd, user_cmnd);
+ }
+
+ debug_return;
+}
+
+/*
+ * Log and audit that user was not able to authenticate themselves.
+ */
+void
+log_auth_failure(int status, int tries)
+{
+ int flags = NO_MAIL;
+ debug_decl(log_auth_failure, SUDO_DEBUG_LOGGING)
+
+ /* Handle auditing first. */
+ audit_failure(NewArgv, _("authentication failure"));
+
+ /*
+ * Do we need to send mail?
+ * We want to avoid sending multiple messages for the same command
+ * so if we are going to send an email about the denial, that takes
+ * precedence.
+ */
+ if (ISSET(status, VALIDATE_OK)) {
+ /* Command allowed, auth failed; do we need to send mail? */
+ if (def_mail_badpass || def_mail_always)
+ flags = 0;
+ } else {
+ /* Command denied, auth failed; make sure we don't send mail twice. */
+ if (def_mail_badpass && !should_mail(status))
+ flags = 0;
+ /* Don't log the bad password message, we'll log a denial instead. */
+ flags |= NO_LOG;
+ }
+
+ /*
+ * If sudoers denied the command we'll log that separately.
+ */
+ if (ISSET(status, FLAG_BAD_PASSWORD)) {
+ log_error(flags, ngettext("%d incorrect password attempt",
+ "%d incorrect password attempts", tries), tries);
+ } else if (ISSET(status, FLAG_NON_INTERACTIVE)) {
+ log_error(flags, _("a password is required"));
+ }
+
+ debug_return;
+}
+
/*
* Log and potentially mail the allowed command.
*/
/*
* Log to syslog and/or a file.
*/
- if (def_syslog)
- do_syslog(def_syslog_badpri, logline);
- if (def_logfile)
- do_logfile(logline);
+ if (!ISSET(flags, NO_LOG)) {
+ if (def_syslog)
+ do_syslog(def_syslog_badpri, logline);
+ if (def_logfile)
+ do_logfile(logline);
+ }
efree(logline);
#define USE_ERRNO 0x02
#define NO_MAIL 0x04
#define NO_STDERR 0x08
+#define NO_LOG 0x10
/*
* Maximum number of characters to log per entry. The syslogger
*/
#define LOG_INDENT " "
-void audit_success(char *[]);
-void audit_failure(char *[], char const * const, ...);
-void log_allowed(int);
-void log_denial(int, int);
+void audit_success(char *exec_args[]);
+void audit_failure(char *exec_args[], char const *const fmt, ...);
+void log_allowed(int status);
+void log_auth_failure(int status, int tries);
+void log_denial(int status, bool inform_user);
+void log_failure(int status, int flags);
void log_error(int flags, const char *fmt, ...) __printflike(2, 3);
void log_fatal(int flags, const char *fmt, ...) __printflike(2, 3) __attribute__((__noreturn__));
-void reapchild(int);
void writeln_wrap(FILE *fp, char *line, size_t len, size_t maxlen);
#endif /* _LOGGING_H */
* Returns ALLOW, DENY or UNSPEC.
*/
static int
-_runaslist_matches(struct member_list *user_list, struct member_list *group_list)
+_runaslist_matches(struct member_list *user_list,
+ struct member_list *group_list, struct member **matching_user,
+ struct member **matching_group)
{
struct member *m;
struct alias *a;
break;
case ALIAS:
if ((a = alias_find(m->name, RUNASALIAS)) != NULL) {
- rval = _runaslist_matches(&a->members, &empty);
+ rval = _runaslist_matches(&a->members, &empty,
+ matching_user, NULL);
if (rval != UNSPEC)
user_matched = m->negated ? !rval : rval;
break;
if (userpw_matches(m->name, runas_pw->pw_name, runas_pw))
user_matched = !m->negated;
break;
+ case MYSELF:
+ if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) ||
+ strcmp(user_name, runas_pw->pw_name) == 0)
+ user_matched = !m->negated;
+ break;
}
- if (user_matched != UNSPEC)
+ if (user_matched != UNSPEC) {
+ if (matching_user != NULL && m->type != ALIAS)
+ *matching_user = m;
break;
+ }
}
}
break;
case ALIAS:
if ((a = alias_find(m->name, RUNASALIAS)) != NULL) {
- rval = _runaslist_matches(&empty, &a->members);
+ rval = _runaslist_matches(&empty, &a->members,
+ NULL, matching_group);
if (rval != UNSPEC)
group_matched = m->negated ? !rval : rval;
break;
group_matched = !m->negated;
break;
}
- if (group_matched != UNSPEC)
+ if (group_matched != UNSPEC) {
+ if (matching_group != NULL && m->type != ALIAS)
+ *matching_group = m;
break;
+ }
}
if (group_matched == UNSPEC) {
if (runas_pw != NULL && runas_pw->pw_gid == runas_gr->gr_gid)
}
int
-runaslist_matches(struct member_list *user_list, struct member_list *group_list)
+runaslist_matches(struct member_list *user_list,
+ struct member_list *group_list, struct member **matching_user,
+ struct member **matching_group)
{
alias_seqno++;
return _runaslist_matches(user_list ? user_list : &empty,
- group_list ? group_list : &empty);
+ group_list ? group_list : &empty, matching_user, matching_group);
}
/*
done:
if (pw0 != NULL)
- pw_delref(pw0);
+ sudo_pw_delref(pw0);
debug_return_bool(matched);
}
debug_decl(sudo_file_close, SUDO_DEBUG_NSS)
/* Free parser data structures and close sudoers file. */
- init_parser(NULL, 0);
+ init_parser(NULL, false);
if (nss->handle != NULL) {
fclose(nss->handle);
nss->handle = NULL;
if (nss->handle == NULL)
debug_return_int(-1);
- init_parser(sudoers_file, 0);
+ init_parser(sudoers_file, false);
yyin = nss->handle;
if (yyparse() != 0 || parse_error) {
if (errorlineno != -1) {
struct cmndtag *tags = NULL;
struct privilege *priv;
struct userspec *us;
+ struct member *matching_user;
debug_decl(sudo_file_lookup, SUDO_DEBUG_NSS)
if (nss->handle == NULL)
else
continue;
tq_foreach_rev(&priv->cmndlist, cs) {
+ matching_user = NULL;
runas_match = runaslist_matches(&cs->runasuserlist,
- &cs->runasgrouplist);
+ &cs->runasgrouplist, &matching_user, NULL);
if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(cs->cmnd);
if (cmnd_match != UNSPEC) {
if (user_type == NULL)
user_type = cs->type ? estrdup(cs->type) : def_type;
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* Set Solaris privilege sets */
+ if (runas_privs == NULL)
+ runas_privs = cs->privs ? estrdup(cs->privs) : def_privs;
+ if (runas_limitprivs == NULL)
+ runas_limitprivs = cs->limitprivs ? estrdup(cs->limitprivs) : def_limitprivs;
+#endif /* HAVE_PRIV_SET */
+ /*
+ * If user is running command as himself,
+ * set runas_pw = sudo_user.pw.
+ * XXX - hack, want more general solution
+ */
+ if (matching_user && matching_user->type == MYSELF) {
+ sudo_pw_delref(runas_pw);
+ sudo_pw_addref(sudo_user.pw);
+ runas_pw = sudo_user.pw;
+ }
goto matched2;
}
}
struct member *m;
debug_decl(sudo_file_append_cmnd, SUDO_DEBUG_NSS)
+#ifdef HAVE_PRIV_SET
+ if (cs->privs)
+ lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs);
+ if (cs->limitprivs)
+ lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs);
+#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role)
lbuf_append(lbuf, "ROLE=%s ", cs->role);
continue;
tq_foreach_rev(&priv->cmndlist, cs) {
runas_match = runaslist_matches(&cs->runasuserlist,
- &cs->runasgrouplist);
+ &cs->runasgrouplist, NULL, NULL);
if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(cs->cmnd);
if (cmnd_match != UNSPEC) {
case ALL:
lbuf_append(lbuf, "%sALL", negated ? "!" : "");
break;
+ case MYSELF:
+ lbuf_append(lbuf, "%s%s", negated ? "!" : "", user_name);
+ break;
case COMMAND:
c = (struct sudo_command *) name;
if (negated)
};
/*
- * The parses sudoers file is stored as a collection of linked lists,
+ * Solaris privileges container struct
+ * Currently just contains permitted and limit privileges.
+ * It could have PFEXEC and PRIV_AWARE flags added in the future.
+ */
+struct solaris_privs_info {
+ char *privs;
+ char *limitprivs;
+};
+
+/*
+ * The parsed sudoers file is stored as a collection of linked lists,
* modelled after the yacc grammar.
*
* Other than the alias struct, which is stored in a red-black tree,
#ifdef HAVE_SELINUX
char *role, *type; /* SELinux role and type */
#endif
+#ifdef HAVE_PRIV_SET
+ char *privs, *limitprivs; /* Solaris privilege sets */
+#endif
};
/*
bool hostname_matches(char *, char *, char *);
bool netgr_matches(char *, char *, char *, char *);
bool no_aliases(void);
-int runaslist_matches(struct member_list *, struct member_list *);
+int runaslist_matches(struct member_list *, struct member_list *, struct member **, struct member **);
int userlist_matches(struct passwd *, struct member_list *);
bool usergr_matches(char *, char *, struct passwd *);
bool userpw_matches(char *, char *, struct passwd *);
void alias_apply(int (*)(void *, void *), void *);
void init_aliases(void);
void init_lexer(void);
-void init_parser(const char *, int);
+void init_parser(const char *, bool);
int alias_compare(const void *, const void *);
#endif /* _SUDO_PARSE_H */
#
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc1\n"
+"Project-Id-Version: sudoers 1.8.6b3\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-13 16:21-0400\n"
-"PO-Revision-Date: 2012-04-18 23:06+0100\n"
+"POT-Creation-Date: 2012-07-11 16:27-0400\n"
+"PO-Revision-Date: 2012-08-10 23:06+0100\n"
"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
"Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
"Language: da\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+#: gram.y:110
+#, c-format
+msgid ">>> %s: %s near line %d <<<"
+msgstr ">>> %s: %s nær linje %d <<<"
+
#: plugins/sudoers/alias.c:125
#, c-format
msgid "Alias `%s' already defined"
msgstr "Alias »%s« er allerede defineret"
+#: plugins/sudoers/auth/bsdauth.c:78
+#, c-format
+msgid "unable to get login class for user %s"
+msgstr "kan ikke hente logindklasse for bruger %s"
+
+#: plugins/sudoers/auth/bsdauth.c:84
+msgid "unable to begin bsd authentication"
+msgstr "kan ikke starte bsd-godkendelse"
+
+#: plugins/sudoers/auth/bsdauth.c:92
+msgid "invalid authentication type"
+msgstr "ugyldig godkendelsestype"
+
+#: plugins/sudoers/auth/bsdauth.c:101
+msgid "unable to setup authentication"
+msgstr "kan ikke opsætte godkendelse"
+
+#: plugins/sudoers/auth/fwtk.c:60
+#, c-format
+msgid "unable to read fwtk config"
+msgstr "kan ikke læse fwtk-konfiguration"
+
+#: plugins/sudoers/auth/fwtk.c:65
+#, c-format
+msgid "unable to connect to authentication server"
+msgstr "kan ikke forbinde til godkendelsesserver"
+
+#: plugins/sudoers/auth/fwtk.c:71 plugins/sudoers/auth/fwtk.c:95
+#: plugins/sudoers/auth/fwtk.c:128
+#, c-format
+msgid "lost connection to authentication server"
+msgstr "mistede forbindelsen til godkendelseserveren"
+
+#: plugins/sudoers/auth/fwtk.c:75
+#, c-format
+msgid ""
+"authentication server error:\n"
+"%s"
+msgstr ""
+"godkendelsesserverfejl:\n"
+"%s"
+
+#: plugins/sudoers/auth/kerb5.c:117
+#, c-format
+msgid "%s: unable to unparse princ ('%s'): %s"
+msgstr "%s: Kan ikke fjerne fortolkning af princ (»%s«): %s"
+
+#: plugins/sudoers/auth/kerb5.c:160
+#, c-format
+msgid "%s: unable to parse '%s': %s"
+msgstr "%s: Kan ikke fortolke »%s«: %s"
+
+#: plugins/sudoers/auth/kerb5.c:170
+#, c-format
+msgid "%s: unable to resolve ccache: %s"
+msgstr "%s: Kan ikke løse ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:218
+#, c-format
+msgid "%s: unable to allocate options: %s"
+msgstr "%s: Kan ikke allokere tilvalg: %s"
+
+#: plugins/sudoers/auth/kerb5.c:234
+#, c-format
+msgid "%s: unable to get credentials: %s"
+msgstr "%s: Kan ikke indhente akkreditiver: %s"
+
+#: plugins/sudoers/auth/kerb5.c:247
+#, c-format
+msgid "%s: unable to initialize ccache: %s"
+msgstr "%s: Kan ikke initialisere ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:251
+#, c-format
+msgid "%s: unable to store cred in ccache: %s"
+msgstr "%s: Kan ikke gemme cred i ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:316
+#, c-format
+msgid "%s: unable to get host principal: %s"
+msgstr "%s: Kan ikke indhente værtshovedstol: %s"
+
+#: plugins/sudoers/auth/kerb5.c:331
+#, c-format
+msgid "%s: Cannot verify TGT! Possible attack!: %s"
+msgstr "%s: Kan ikke verifiere TGT! Muligt angreb!: %s"
+
+#: plugins/sudoers/auth/pam.c:100
+msgid "unable to initialize PAM"
+msgstr "kan ikke initialisere PAM"
+
+#: plugins/sudoers/auth/pam.c:144
+msgid "account validation failure, is your account locked?"
+msgstr "valideringsfejl for konto, er din konto låst?"
+
+#: plugins/sudoers/auth/pam.c:148
+msgid "Account or password is expired, reset your password and try again"
+msgstr "Konto eller adgangskoder er udløbet, nulstil din adgangskode og forsøg igen"
+
+#: plugins/sudoers/auth/pam.c:155
+#, c-format
+msgid "pam_chauthtok: %s"
+msgstr "pam_chauthtok: %s"
+
+#: plugins/sudoers/auth/pam.c:159
+msgid "Password expired, contact your system administrator"
+msgstr "Adgangskode udløbet, kontakt din systemadministrator"
+
+#: plugins/sudoers/auth/pam.c:163
+msgid "Account expired or PAM config lacks an \"account\" section for sudo, contact your system administrator"
+msgstr "Konto udløbet eller PAM-konfiguration mangler et »kontoafsnit« for sudo. Kontakt din systemadministrator"
+
+#: plugins/sudoers/auth/pam.c:180
+#, c-format
+msgid "pam_authenticate: %s"
+msgstr "pam_authenticate: %s"
+
+#: plugins/sudoers/auth/pam.c:332
+msgid "Password: "
+msgstr "Adgangskode: "
+
+#: plugins/sudoers/auth/pam.c:333
+msgid "Password:"
+msgstr "Adgangskode:"
+
+#: plugins/sudoers/auth/rfc1938.c:104 plugins/sudoers/visudo.c:220
+#, c-format
+msgid "you do not exist in the %s database"
+msgstr "du findes ikke i %s-databasen"
+
+#: plugins/sudoers/auth/securid5.c:81
+#, c-format
+msgid "failed to initialise the ACE API library"
+msgstr "kunne ikke initialisere ACE API-biblioteket"
+
+#: plugins/sudoers/auth/securid5.c:107
+#, c-format
+msgid "unable to contact the SecurID server"
+msgstr "kan ikke kontakte SecurID-serveren"
+
+#: plugins/sudoers/auth/securid5.c:116
+#, c-format
+msgid "User ID locked for SecurID Authentication"
+msgstr "Bruger-ID låst for SecurID-godkendelse"
+
+#: plugins/sudoers/auth/securid5.c:120 plugins/sudoers/auth/securid5.c:171
+#, c-format
+msgid "invalid username length for SecurID"
+msgstr "ugyldigt brugernavnslængde for SecurID"
+
+#: plugins/sudoers/auth/securid5.c:124 plugins/sudoers/auth/securid5.c:176
+#, c-format
+msgid "invalid Authentication Handle for SecurID"
+msgstr "ugyldigt godkendelseshåndtag for SecurID"
+
+#: plugins/sudoers/auth/securid5.c:128
+#, c-format
+msgid "SecurID communication failed"
+msgstr "SecurID-kommunikation fejlede"
+
+#: plugins/sudoers/auth/securid5.c:132 plugins/sudoers/auth/securid5.c:215
+#, c-format
+msgid "unknown SecurID error"
+msgstr "ukendt SecurID-fejl"
+
+#: plugins/sudoers/auth/securid5.c:166
+#, c-format
+msgid "invalid passcode length for SecurID"
+msgstr "ugyldig adgangskodelængde for SecurID"
+
+#: plugins/sudoers/auth/sia.c:109
+msgid "unable to initialize SIA session"
+msgstr "kan ikke initialisere SIA-session"
+
+#: plugins/sudoers/auth/sudo_auth.c:121
+msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
+msgstr "Ugyldige godkendelsesmetoder kompileret ind i sudo! Du kan blande alenestående og ikkealenestående godkendelse."
+
+#: plugins/sudoers/auth/sudo_auth.c:206
+msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
+msgstr "Der er ingen godkendelsesmetoder kompileret ind i sudo! Hvis du ønsker at fravælge godkendelse så brug konfigurationstilvalget --disable-authentication."
+
+#: plugins/sudoers/auth/sudo_auth.c:374
+msgid "Authentication methods:"
+msgstr "Godkendelsesmetoder:"
+
#: plugins/sudoers/bsm_audit.c:60 plugins/sudoers/bsm_audit.c:63
#: plugins/sudoers/bsm_audit.c:112 plugins/sudoers/bsm_audit.c:116
#: plugins/sudoers/bsm_audit.c:168 plugins/sudoers/bsm_audit.c:172
msgid "au_to_text: failed"
msgstr "au_to_text: fejlede"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "beklager men en adgangskode er krævet for at køre %s"
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
+#: plugins/sudoers/check.c:244 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:978 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
#: plugins/sudoers/visudo.c:815
#, c-format
msgid "unable to open %s"
msgstr "kan ikke åbne %s"
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:248 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "kan ikke skrive til %s"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:256 plugins/sudoers/check.c:501
+#: plugins/sudoers/check.c:551 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "kan ikke mkdir %s"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:391
#, c-format
msgid "internal error, expand_prompt() overflow"
msgstr "intern fejl, expand_prompt()-overløb"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:451
#, c-format
msgid "timestamp path too long: %s"
msgstr "tidsstempelsti er for lang: %s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:480 plugins/sudoers/check.c:524
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s findes men er ikke en mappe (0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:483 plugins/sudoers/check.c:527
+#: plugins/sudoers/check.c:572
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "%s ejet af uid %u, bør være uid %u"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "%s er skrivbar for ikkeejer (0%o), bør være tilstand 0700"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
+#: plugins/sudoers/check.c:496 plugins/sudoers/check.c:540
+#: plugins/sudoers/check.c:608 plugins/sudoers/sudoers.c:993
#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
#, c-format
msgid "unable to stat %s"
msgstr "kan ikke stat %s"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:566
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s findes men er ikke en regulær fil (0%o)"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:578
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "%s skrivbar af ikkeejer (0%o), bør være tilstand 0600"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:632
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "tidsstempel for langt ude i fremtiden: %20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:679
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "kan ikke fjerne %s (%s), vil nulstille til epoken"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:687
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "kan ikke nulstille %s til epoken"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:747 plugins/sudoers/check.c:753
+#: plugins/sudoers/sudoers.c:841 plugins/sudoers/sudoers.c:845
#, c-format
msgid "unknown uid: %u"
msgstr "ukendt uid: %u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:750 plugins/sudoers/sudoers.c:782
+#: plugins/sudoers/sudoers.c:1110 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "ukendt bruger: %s"
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr "sudo_putenv: ødelagt envp, forskellig længde"
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411 toke.l:682 toke.l:812
-#: toke.l:870 toke.l:966 plugins/sudoers/toke_util.c:113
-#: plugins/sudoers/toke_util.c:167 plugins/sudoers/toke_util.c:207
+#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
+#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
+#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:872 toke.l:968
#, c-format
msgid "unable to allocate memory"
msgstr "kan ikke allokere hukommelse"
msgstr "beklager, du har ikke tilladelse til at angive de følgende miljøvariabler: %s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
-#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125 toke.l:678
-#: toke.l:866 plugins/sudoers/sudoers.c:950
+#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
+#: plugins/sudoers/sudoers.c:935 toke.l:678 toke.l:868
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: gram.y:110
-#, c-format
-msgid ">>> %s: %s near line %d <<<"
-msgstr ">>> %s: %s nær linje %d <<<"
-
#: plugins/sudoers/group_plugin.c:91
#, c-format
msgid "%s%s: %s"
msgid "Local IP address and netmask pairs:\n"
msgstr "Lokal IP-adresse og netmaskepar:\n"
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:981
#, c-format
msgid "unable to read %s"
msgstr "kan ikke læse %s"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "ugyldig sekvenstal %s"
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "kan ikke oprette %s"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:378
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "kan ikke angive sprog til »%s«, bruger »C«"
-#: plugins/sudoers/ldap.c:374
+#: plugins/sudoers/ldap.c:389
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports: port for stor"
-#: plugins/sudoers/ldap.c:397
+#: plugins/sudoers/ldap.c:412
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports: stigende mellemlager for vært (hostbuf) har ikke nok plads"
-#: plugins/sudoers/ldap.c:427
+#: plugins/sudoers/ldap.c:442
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "ikkeunderstøttet LDAP uri-type: %s"
-#: plugins/sudoers/ldap.c:456
+#: plugins/sudoers/ldap.c:471
#, c-format
msgid "invalid uri: %s"
msgstr "ugyldig uri: %s"
-#: plugins/sudoers/ldap.c:462
+#: plugins/sudoers/ldap.c:477
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "kan ikke blande ldap og ldaps URI'er"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:481
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "kan ikke blande ldaps og starttls"
-#: plugins/sudoers/ldap.c:485
+#: plugins/sudoers/ldap.c:500
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri: opbyggende mellemlager for vært (hostbuf) har ikke nok plads"
-#: plugins/sudoers/ldap.c:550
+#: plugins/sudoers/ldap.c:574
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "kan ikke initialisere SSL-cert og key db: %s"
-#: plugins/sudoers/ldap.c:958
+#: plugins/sudoers/ldap.c:577
+#, c-format
+msgid "you must set TLS_CERT in %s to use SSL"
+msgstr "du skal angive at TLS_CERT i %s skal bruge SSL"
+
+#: plugins/sudoers/ldap.c:994
#, c-format
msgid "unable to get GMT time"
msgstr "kan ikke indhente GMT-tid"
-#: plugins/sudoers/ldap.c:964
+#: plugins/sudoers/ldap.c:1000
#, c-format
msgid "unable to format timestamp"
msgstr "kan ikke formatere tidsstempel"
-#: plugins/sudoers/ldap.c:972
+#: plugins/sudoers/ldap.c:1008
#, c-format
msgid "unable to build time filter"
msgstr "kan ikke bygge tidsfilter"
-#: plugins/sudoers/ldap.c:1187
+#: plugins/sudoers/ldap.c:1223
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "sudo_ldap_build_pass1 forskellige allokeringer"
-#: plugins/sudoers/ldap.c:1707
+#: plugins/sudoers/ldap.c:1759
#, c-format
msgid ""
"\n"
"\n"
"LDAP-rolle: %s\n"
-#: plugins/sudoers/ldap.c:1709
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"LDAP-rolle: UKENDT\n"
-#: plugins/sudoers/ldap.c:1756
+#: plugins/sudoers/ldap.c:1808
#, c-format
msgid " Order: %s\n"
msgstr " Rækkefølge: %s\n"
-#: plugins/sudoers/ldap.c:1764
+#: plugins/sudoers/ldap.c:1816
#, c-format
msgid " Commands:\n"
msgstr " Kommandoer:\n"
-#: plugins/sudoers/ldap.c:2156
+#: plugins/sudoers/ldap.c:2238
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "kan ikke initialisere LDAP: %s"
-#: plugins/sudoers/ldap.c:2187
+#: plugins/sudoers/ldap.c:2272
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "start_tls angivet men LDAP libs understøtter ikke ldap_start_tls_s() eller ldap_start_tls_s_np()"
-#: plugins/sudoers/ldap.c:2423
+#: plugins/sudoers/ldap.c:2508
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "ugyldig sudoOrder-attribut: %s"
-#: toke.l:805
-msgid "too many levels of includes"
-msgstr "for mange niveauer af includes (inkluderinger)"
-
-#: toke.l:829 plugins/sudoers/sudoers.c:1004
-#, c-format
-msgid "%s is owned by uid %u, should be %u"
-msgstr "%s er ejet af uid %u, bør være %u"
-
-#: toke.l:836 plugins/sudoers/sudoers.c:1008
-#, c-format
-msgid "%s is world writable"
-msgstr "%s er skrivbar for alle"
-
-#: toke.l:841 plugins/sudoers/sudoers.c:1011
-#, c-format
-msgid "%s is owned by gid %u, should be %u"
-msgstr "%s er eget af gid %u, bør være %u"
-
#: plugins/sudoers/linux_audit.c:57
#, c-format
msgid "unable to open audit system"
msgid "unable to send audit message"
msgstr "kan ikke sende overvågningsbesked"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "kan ikke åbne logfil: %s: %s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "kan ikke låse logfil: %s: %s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "bruger IKKE i sudoers"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "bruger IKKE autoriseret på vært"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "kommando ikke tilladt"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "%s er ikke sudoersfilen. Denne handling vil blive rapporteret.\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "%s har ikke tilladelse til at køre sudo på %s. Denne handling vil blive rapporteret.\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "Beklager. Bruger %s må ikke køre sudo på %s.\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "Beklager. Bruger %s har ikke tilladelse til at køre »%s%s%s« som %s%s%s på %s.\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Ingen bruger eller vært"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "valideringsfejl"
+
+#: plugins/sudoers/logging.c:334 plugins/sudoers/sudoers.c:498
+#: plugins/sudoers/sudoers.c:499 plugins/sudoers/sudoers.c:1517
+#: plugins/sudoers/sudoers.c:1518
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: Kommando ikke fundet"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:495
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"ignorerer »%s« fundet i ».«\n"
+"Brug »sudo ./%s« hvis dette er »%s«, du ønsker at køre."
+
+#: plugins/sudoers/logging.c:350
+msgid "authentication failure"
+msgstr "godkendelsesfejl"
+
+#: plugins/sudoers/logging.c:374
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d ukorrekt adgangskodeforsøg"
+msgstr[1] "%d ukorrekte adgangskodeforsøg"
+
+#: plugins/sudoers/logging.c:377
+msgid "a password is required"
+msgstr "der kræves en adgangskode"
+
+#: plugins/sudoers/logging.c:528
#, c-format
msgid "unable to fork"
msgstr "kan ikke forgrene"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:535 plugins/sudoers/logging.c:597
#, c-format
msgid "unable to fork: %m"
msgstr "kan ikke forgrene: %m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:587
#, c-format
msgid "unable to open pipe: %m"
msgstr "kan ikke åbne datakanal: %m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:612
#, c-format
msgid "unable to dup stdin: %m"
msgstr "kan ikke dup stdin: %m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:648
#, c-format
msgid "unable to execute %s: %m"
msgstr "kan ikke køre %s: %m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:863
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "intern fejl: utilstrækkelig plads for loglinje"
msgid ": "
msgstr ": "
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "kan ikke cache uid %u (%s), findes allerede"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "kan ikke cache uid %u, findes allerede"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "kan ikke cache bruger %s, findes allerede"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "kan ikke cache gid %u (%s), findes allerede"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "kan ikke cache gid %u, findes allerede"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "kan ikke cache gruppe %s, findes allerede"
msgid "User %s may run the following commands on this host:\n"
msgstr "Bruger %s må ikke køre de følgende kommandoer på denne vært:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:278
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "Bruger %s har ikke tilladelse til at køre sudo på %s.\n"
#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:943
msgid "problem with defaults entries"
msgstr "problem med standardpunkter"
msgid "unable to execute %s: %s"
msgstr "kan ikke udføre %s: %s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:331
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "sudoers angiver at administrator (root) ikke har tilladelse til sudo"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:338
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "du har ikke tilladelse til at bruge tilvalget -C"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:427
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "tidsstempelejer (%s): Ingen sådan bruger"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:443
msgid "no tty"
msgstr "ingen tty"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:444
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "beklager, du skal bruge en tty for at køre sudo"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "Ingen bruger eller vært"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s: Kommando ikke fundet"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"ignorerer »%s« fundet i ».«\n"
-"Brug »sudo ./%s« hvis dette er »%s«, du ønsker at køre."
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "valideringsfejl"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:494
msgid "command in current directory"
msgstr "kommando i aktuel mappe"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:506
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "beklager men du har ikke tilladelse til at bevare miljøet"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
+#: plugins/sudoers/sudoers.c:666 plugins/sudoers/sudoers.c:673
#, c-format
msgid "internal error, runas_groups overflow"
msgstr "intern fejl, runas_groups-overløb"
-#: plugins/sudoers/sudoers.c:941
+#: plugins/sudoers/sudoers.c:926
#, c-format
msgid "internal error, set_cmnd() overflow"
msgstr "intern fejl, set_cmnd()-overløb"
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:996
#, c-format
msgid "%s is not a regular file"
msgstr "%s er ikke en regulær fil"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:999 toke.l:831
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "%s er ejet af uid %u, bør være %u"
+
+#: plugins/sudoers/sudoers.c:1003 toke.l:838
+#, c-format
+msgid "%s is world writable"
+msgstr "%s er skrivbar for alle"
+
+#: plugins/sudoers/sudoers.c:1006 toke.l:843
+#, c-format
+msgid "%s is owned by gid %u, should be %u"
+msgstr "%s er eget af gid %u, bør være %u"
+
+#: plugins/sudoers/sudoers.c:1033
#, c-format
msgid "only root can use `-c %s'"
msgstr "kun administrator (root) kan bruge »-c %s«"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1050 plugins/sudoers/sudoers.c:1052
#, c-format
msgid "unknown login class: %s"
msgstr "ukendt logindklasse: %s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1079
#, c-format
msgid "unable to resolve host %s"
msgstr "kan ikke slå vært %s op"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1131 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "ukendt gruppe: %s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1180
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "Udvidelsesmodulversion %s for sudoerspolitik\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1182
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "Grammatikversion %d for sudoersfil\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1186
#, c-format
msgid ""
"\n"
"\n"
"Sudoers-sti: %s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1189
#, c-format
msgid "nsswitch path: %s\n"
msgstr "nsswitch-sti: %s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1191
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "ldap.conf-sti: %s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "ldap.secret-sti: %s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "ugyldigt filtertilvalg: %s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "ugyldig maks ventetid: %s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "ugyldig hastighedsfaktor: %s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s version %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s/timing: %s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/timing: %s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "Genafspiller sudosession: %s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "Advarsel: Din terminal er for lille til korrekt at afspille loggen.\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "Loggeometri er %d x %d, din terminals geometri er %d x %d."
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "kan ikke angive tty til rå (raw) tilstand"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "ugyldig timingfillinje: %s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "skriver til standarduddata"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "tvetydigt udtryk »%s«"
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "for mange udtryk i parentes, maks %d"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "manglende »)« i udtryk"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "ukendt søgeterm »%s«"
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s kræver et argument"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "ugyldigt regulært udtryk: %s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "kunne ikke fortolke dato »%s«"
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "mangler »(« i udtryk"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "ugyldig kæde »or« (eller)"
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "ugyldig kæde »!«"
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "ugyldigt regulært udtryk: %s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "brug: %s [-h] [-d mappe] [-m maks_ventetid] [-s hastighedsfaktor] ID\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "brug: %s [-h] [-d mappe] -l [søgeudtryk]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s - genafspil sudosessionslogge\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s hastighedsfaktor øg eller sænk uddata\n"
" -V vis versionsinformation og afslut"
-#: plugins/sudoers/testsudoers.c:246
+#: plugins/sudoers/testsudoers.c:253
#, c-format
msgid "internal error, init_vars() overflow"
msgstr "intern fejl, init_vars()-overløb"
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\thost matchede ikke"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"Kommando tilladt"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"Kommando nægtet"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr "%s grammatikversion %d\n"
-#: plugins/sudoers/visudo.c:220 plugins/sudoers/auth/rfc1938.c:104
-#, c-format
-msgid "you do not exist in the %s database"
-msgstr "du findes ikke i %s-databasen"
-
#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
#, c-format
msgid "press return to edit %s: "
" -s streng syntakskontrol\n"
" -V vis information om version og afslut"
-#: plugins/sudoers/auth/bsdauth.c:78
-#, c-format
-msgid "unable to get login class for user %s"
-msgstr "kan ikke hente logindklasse for bruger %s"
-
-#: plugins/sudoers/auth/bsdauth.c:84
-msgid "unable to begin bsd authentication"
-msgstr "kan ikke starte bsd-godkendelse"
-
-#: plugins/sudoers/auth/bsdauth.c:92
-msgid "invalid authentication type"
-msgstr "ugyldig godkendelsestype"
-
-#: plugins/sudoers/auth/bsdauth.c:101
-msgid "unable to setup authentication"
-msgstr "kan ikke opsætte godkendelse"
-
-#: plugins/sudoers/auth/fwtk.c:60
-#, c-format
-msgid "unable to read fwtk config"
-msgstr "kan ikke læse fwtk-konfiguration"
-
-#: plugins/sudoers/auth/fwtk.c:65
-#, c-format
-msgid "unable to connect to authentication server"
-msgstr "kan ikke forbinde til godkendelsesserver"
-
-#: plugins/sudoers/auth/fwtk.c:71 plugins/sudoers/auth/fwtk.c:95
-#: plugins/sudoers/auth/fwtk.c:128
-#, c-format
-msgid "lost connection to authentication server"
-msgstr "mistede forbindelsen til godkendelseserveren"
-
-#: plugins/sudoers/auth/fwtk.c:75
-#, c-format
-msgid ""
-"authentication server error:\n"
-"%s"
-msgstr ""
-"godkendelsesserverfejl:\n"
-"%s"
-
-#: plugins/sudoers/auth/kerb5.c:117
-#, c-format
-msgid "%s: unable to unparse princ ('%s'): %s"
-msgstr "%s: Kan ikke fjerne fortolkning af princ (»%s«): %s"
-
-#: plugins/sudoers/auth/kerb5.c:160
-#, c-format
-msgid "%s: unable to parse '%s': %s"
-msgstr "%s: Kan ikke fortolke »%s«: %s"
-
-#: plugins/sudoers/auth/kerb5.c:170
-#, c-format
-msgid "%s: unable to resolve ccache: %s"
-msgstr "%s: Kan ikke løse ccache: %s"
-
-#: plugins/sudoers/auth/kerb5.c:218
-#, c-format
-msgid "%s: unable to allocate options: %s"
-msgstr "%s: Kan ikke allokere tilvalg: %s"
-
-#: plugins/sudoers/auth/kerb5.c:234
-#, c-format
-msgid "%s: unable to get credentials: %s"
-msgstr "%s: Kan ikke indhente akkreditiver: %s"
-
-#: plugins/sudoers/auth/kerb5.c:247
-#, c-format
-msgid "%s: unable to initialize ccache: %s"
-msgstr "%s: Kan ikke initialisere ccache: %s"
-
-#: plugins/sudoers/auth/kerb5.c:251
-#, c-format
-msgid "%s: unable to store cred in ccache: %s"
-msgstr "%s: Kan ikke gemme cred i ccache: %s"
-
-#: plugins/sudoers/auth/kerb5.c:316
-#, c-format
-msgid "%s: unable to get host principal: %s"
-msgstr "%s: Kan ikke indhente værtshovedstol: %s"
-
-#: plugins/sudoers/auth/kerb5.c:331
-#, c-format
-msgid "%s: Cannot verify TGT! Possible attack!: %s"
-msgstr "%s: Kan ikke verifiere TGT! Muligt angreb!: %s"
-
-#: plugins/sudoers/auth/pam.c:100
-msgid "unable to initialize PAM"
-msgstr "kan ikke initialisere PAM"
-
-#: plugins/sudoers/auth/pam.c:144
-msgid "account validation failure, is your account locked?"
-msgstr "valideringsfejl for konto, er din konto låst?"
-
-#: plugins/sudoers/auth/pam.c:148
-msgid "Account or password is expired, reset your password and try again"
-msgstr "Konto eller adgangskoder er udløbet, nulstil din adgangskode og forsøg igen"
-
-#: plugins/sudoers/auth/pam.c:155
-#, c-format
-msgid "pam_chauthtok: %s"
-msgstr "pam_chauthtok: %s"
-
-#: plugins/sudoers/auth/pam.c:159
-msgid "Password expired, contact your system administrator"
-msgstr "Adgangskode udløbet, kontakt din systemadministrator"
-
-#: plugins/sudoers/auth/pam.c:163
-msgid "Account expired or PAM config lacks an \"account\" section for sudo, contact your system administrator"
-msgstr "Konto udløbet eller PAM-konfiguration mangler et »kontoafsnit« for sudo. Kontakt din systemadministrator"
-
-#: plugins/sudoers/auth/pam.c:180
-#, c-format
-msgid "pam_authenticate: %s"
-msgstr "pam_authenticate: %s"
-
-#: plugins/sudoers/auth/pam.c:330
-msgid "Password: "
-msgstr "Adgangskode: "
-
-#: plugins/sudoers/auth/pam.c:331
-msgid "Password:"
-msgstr "Adgangskode:"
-
-#: plugins/sudoers/auth/securid5.c:81
-#, c-format
-msgid "failed to initialise the ACE API library"
-msgstr "kunne ikke initialisere ACE API-biblioteket"
-
-#: plugins/sudoers/auth/securid5.c:107
-#, c-format
-msgid "unable to contact the SecurID server"
-msgstr "kan ikke kontakte SecurID-serveren"
-
-#: plugins/sudoers/auth/securid5.c:116
-#, c-format
-msgid "User ID locked for SecurID Authentication"
-msgstr "Bruger-ID låst for SecurID-godkendelse"
-
-#: plugins/sudoers/auth/securid5.c:120 plugins/sudoers/auth/securid5.c:171
-#, c-format
-msgid "invalid username length for SecurID"
-msgstr "ugyldigt brugernavnslængde for SecurID"
-
-#: plugins/sudoers/auth/securid5.c:124 plugins/sudoers/auth/securid5.c:176
-#, c-format
-msgid "invalid Authentication Handle for SecurID"
-msgstr "ugyldigt godkendelseshåndtag for SecurID"
-
-#: plugins/sudoers/auth/securid5.c:128
-#, c-format
-msgid "SecurID communication failed"
-msgstr "SecurID-kommunikation fejlede"
-
-#: plugins/sudoers/auth/securid5.c:132 plugins/sudoers/auth/securid5.c:215
-#, c-format
-msgid "unknown SecurID error"
-msgstr "ukendt SecurID-fejl"
-
-#: plugins/sudoers/auth/securid5.c:166
-#, c-format
-msgid "invalid passcode length for SecurID"
-msgstr "ugyldig adgangskodelængde for SecurID"
-
-#: plugins/sudoers/auth/sia.c:109
-msgid "unable to initialize SIA session"
-msgstr "kan ikke initialisere SIA-session"
-
-#: plugins/sudoers/auth/sudo_auth.c:117
-msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
-msgstr "Ugyldige godkendelsesmetoder kompileret ind i sudo! Du kan blande alenestående og ikkealenestående godkendelse."
-
-#: plugins/sudoers/auth/sudo_auth.c:199
-msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
-msgstr "Der er ingen godkendelsesmetoder kompileret ind i sudo! Hvis du ønsker at fravælge godkendelse så brug konfigurationstilvalget --disable-authentication."
-
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d ukorrekt adgangskodeforsøg"
-msgstr[1] "%d ukorrekte adgangskodeforsøg"
-
-#: plugins/sudoers/auth/sudo_auth.c:374
-msgid "Authentication methods:"
-msgstr "Godkendelsesmetoder:"
-
-#~ msgid "invalid log file %s"
-#~ msgstr "ugyldig logfil %s"
-
-#~ msgid "fixed mode on %s"
-#~ msgstr "fast tilstand på %s"
-
-#~ msgid "set group on %s"
-#~ msgstr "angiv gruppe på %s"
-
-#~ msgid "unable to set group on %s"
-#~ msgstr "kan ikke angive gruppe på %s"
-
-#~ msgid "unable to fix mode on %s"
-#~ msgstr "kan ikke rette tilstand på %s"
-
-#~ msgid "%s is mode 0%o, should be 0%o"
-#~ msgstr "%s er tilstand 0%o, bør være 0%o"
-
-#~ msgid "File containing dummy exec functions: %s"
-#~ msgstr "Fil der indeholder attrap-udførelsesfunktioner: %s"
-
-#~ msgid ""
-#~ "Available options in a sudoers ``Defaults'' line:\n"
-#~ "\n"
-#~ msgstr ""
-#~ "Tilgængelige indstillinger i en sudoers »standardlinje«:\n"
-#~ "\n"
-
-#~ msgid "%s: %s\n"
-#~ msgstr "%s: %s\n"
-
-#~ msgid "%s: %.*s\n"
-#~ msgstr "%s: %.*s\n"
+#: toke.l:805
+msgid "too many levels of includes"
+msgstr "for mange niveauer af includes (inkluderinger)"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc3\n"
+"Project-Id-Version: sudoers 1.8.6b3\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 19:01-0400\n"
+"POT-Creation-Date: 2012-07-11 16:27-0400\n"
+"PO-Revision-Date: 2012-07-31 01:59-0400\n"
"Last-Translator: Keith Bowes <zooplah@gmail.com>\n"
"Language-Team: Esperanto <translation-team-eo@lists.sourceforge.net>\n"
"Language: eo\n"
msgid "unable to initialize SIA session"
msgstr "ne eblas iniciati SIA-seascon"
-#: plugins/sudoers/auth/sudo_auth.c:117
+#: plugins/sudoers/auth/sudo_auth.c:121
msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
msgstr "Nevalidaj konstatantaj metodoj muntitaj en sudo! Vi rajtas miksi dependan kaj sendependan konstatadon."
-#: plugins/sudoers/auth/sudo_auth.c:199
+#: plugins/sudoers/auth/sudo_auth.c:206
msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
msgstr "Ekzistas neniaj konstatantaj metodoj muntitaj en sudo! Se vi volas malŝalti konstatadon, uzu la munta parametro --disable-authentication."
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d malĝusta pasvorta provo"
-msgstr[1] "%d malĝustaj pasvortaj provoj"
-
#: plugins/sudoers/auth/sudo_auth.c:374
msgid "Authentication methods:"
msgstr "Konstatantaj metodoj:"
msgid "au_to_text: failed"
msgstr "au_to_text: malsukcesis"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "bedaŭri pasvorto estas bezonata por plenumi: %s"
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
+#: plugins/sudoers/check.c:244 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:978 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
#: plugins/sudoers/visudo.c:815
#, c-format
msgid "unable to open %s"
msgstr "ne eblas malfermi: %s"
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:248 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "ne eblas skribi al %s"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:256 plugins/sudoers/check.c:501
+#: plugins/sudoers/check.c:551 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "ne eblas mkdir-i: %s"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:391
#, c-format
msgid "internal error, expand_prompt() overflow"
msgstr "ena eraro, superfluo en expand_prompt()"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:451
#, c-format
msgid "timestamp path too long: %s"
msgstr "tempo-indikila pado tro longa: %s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:480 plugins/sudoers/check.c:524
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s ekzistas sed ne dosierujo (0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:483 plugins/sudoers/check.c:527
+#: plugins/sudoers/check.c:572
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "%s estas estrita de uid %u, devas esti uid %u"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "%s skribebla de ne-estro (0%o), devas esti reĝimo 0700"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
+#: plugins/sudoers/check.c:496 plugins/sudoers/check.c:540
+#: plugins/sudoers/check.c:608 plugins/sudoers/sudoers.c:993
#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
#, c-format
msgid "unable to stat %s"
msgstr "ne eblas stat-i: %s"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:566
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s ekzistas sed ne estas normala dosiero (0%o)"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:578
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "%s skribebla de ne-estro (0%o), devas esti reĝimo 0600"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:632
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "tempo-indikilo tro estonte: %20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:679
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "ne eblas forigi: %s (%s); restarigos al la epoko"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:687
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "ne eblas restarigi al la epoko: %s"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:747 plugins/sudoers/check.c:753
+#: plugins/sudoers/sudoers.c:841 plugins/sudoers/sudoers.c:845
#, c-format
msgid "unknown uid: %u"
msgstr "nekonata uid: %u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:750 plugins/sudoers/sudoers.c:782
+#: plugins/sudoers/sudoers.c:1110 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "nekonata uzanto: %s"
#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
-#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:870 toke.l:966
+#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:872 toke.l:968
#, c-format
msgid "unable to allocate memory"
msgstr "ne eblas generi memoron"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
-#: plugins/sudoers/sudoers.c:950 toke.l:678 toke.l:866
+#: plugins/sudoers/sudoers.c:935 toke.l:678 toke.l:868
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
msgid "Local IP address and netmask pairs:\n"
msgstr "Loka IP-adresa kaj retmaska paroj:\n"
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:981
#, c-format
msgid "unable to read %s"
msgstr "ne eblas legi %s"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "nevalida sinsekva numero %s"
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "ne eblas krei: %s"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:378
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "ne eblas elekti lokaĵaron \"%s\", uzanta lokaĵaron \"C\""
-#: plugins/sudoers/ldap.c:378
+#: plugins/sudoers/ldap.c:389
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports: pordo tro granda"
-#: plugins/sudoers/ldap.c:401
+#: plugins/sudoers/ldap.c:412
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports: eluzis spacon etendanta la bufron"
-#: plugins/sudoers/ldap.c:431
+#: plugins/sudoers/ldap.c:442
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "nekonata retadresa tipo de LDAP: %s"
-#: plugins/sudoers/ldap.c:460
+#: plugins/sudoers/ldap.c:471
#, c-format
msgid "invalid uri: %s"
msgstr "nevalida retadreso: %s"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:477
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "ne eblas miksi sekurajn kaj nesekurajn retadresojn de LDAP"
-#: plugins/sudoers/ldap.c:470
+#: plugins/sudoers/ldap.c:481
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "ne eblas miksi protokolojn ldaps kaj starttls"
-#: plugins/sudoers/ldap.c:489
+#: plugins/sudoers/ldap.c:500
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri: eluzis spacon muntanta la bufron"
-#: plugins/sudoers/ldap.c:563
+#: plugins/sudoers/ldap.c:574
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "ne eblas iniciati SSL-asertilon kaj ŝlosilan datumbazon: %s"
-#: plugins/sudoers/ldap.c:566
+#: plugins/sudoers/ldap.c:577
#, c-format
msgid "you must set TLS_CERT in %s to use SSL"
msgstr "TLS_CERT devas havi valoron en %s antaŭ ol SSL uzeblos"
-#: plugins/sudoers/ldap.c:973
+#: plugins/sudoers/ldap.c:994
#, c-format
msgid "unable to get GMT time"
msgstr "ne eblas atingi GMT-tempon"
-#: plugins/sudoers/ldap.c:979
+#: plugins/sudoers/ldap.c:1000
#, c-format
msgid "unable to format timestamp"
msgstr "ne eblas aranĝi tempostampon"
-#: plugins/sudoers/ldap.c:987
+#: plugins/sudoers/ldap.c:1008
#, c-format
msgid "unable to build time filter"
msgstr "ne eblas munti tempan filtrilon"
-#: plugins/sudoers/ldap.c:1202
+#: plugins/sudoers/ldap.c:1223
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "sudo_ldap_build_pass1: genra malkongruaĵo"
-#: plugins/sudoers/ldap.c:1738
+#: plugins/sudoers/ldap.c:1759
#, c-format
msgid ""
"\n"
"\n"
"LDAP-rolo: %s\n"
-#: plugins/sudoers/ldap.c:1740
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"LDAP-rolo: NEKONATA\n"
-#: plugins/sudoers/ldap.c:1787
+#: plugins/sudoers/ldap.c:1808
#, c-format
msgid " Order: %s\n"
msgstr " Ordo: %s\n"
-#: plugins/sudoers/ldap.c:1795
+#: plugins/sudoers/ldap.c:1816
#, c-format
msgid " Commands:\n"
msgstr " Komandoj:\n"
-#: plugins/sudoers/ldap.c:2216
+#: plugins/sudoers/ldap.c:2238
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "ne eblas iniciati LDAP-on: %s"
-#: plugins/sudoers/ldap.c:2250
+#: plugins/sudoers/ldap.c:2272
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "start_tls specifita sed LDAP-bibliotekoj ne havas la funkciojn ldap_start_tls_s() kaj ldap_start_tls_s_np()"
-#: plugins/sudoers/ldap.c:2486
+#: plugins/sudoers/ldap.c:2508
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "nevalida atributo de sudoOrdo: %s"
msgid "unable to send audit message"
msgstr "ne eblas sendi revizian mesaĝon"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "ne eblas malfermi protokolon: %s: %s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "ne eblas ŝlosi protokolon: %s: %s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "uzanto NE estas en sudoers"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "uzanto NE permesata en gastiganto"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "komando ne permesata"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "%s ne estas en la dosiero sudoers. Ĉi tiu estos raportita.\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "%s estas ne permesata plenumigi sudo-on en %s. Ĉi tio estos raportita\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "Bedaŭre uzanto %s ne rajtas plenumigi sudo-on en %s.\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "Bedaŭre uzanto %s ne rajtas plenumigi '%s%s%s'-on kiel %s%s%s en %s.\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Neniu uzanto aŭ gastiganto"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "validiga malsukceso"
+
+#: plugins/sudoers/logging.c:334 plugins/sudoers/sudoers.c:498
+#: plugins/sudoers/sudoers.c:499 plugins/sudoers/sudoers.c:1517
+#: plugins/sudoers/sudoers.c:1518
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: komando ne trovita"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:495
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"Ignoranta '%s'-on trovita en '.'\n"
+"Uzu 'sudo ./%s'-on se tio estas la '%s', kiun vi volas plenumigi."
+
+#: plugins/sudoers/logging.c:350
+msgid "authentication failure"
+msgstr "aŭtentiga malsukceso"
+
+#: plugins/sudoers/logging.c:374
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d malĝusta pasvorta provo"
+msgstr[1] "%d malĝustaj pasvortaj provoj"
+
+#: plugins/sudoers/logging.c:377
+msgid "a password is required"
+msgstr "pasvorto estas bezonata"
+
+#: plugins/sudoers/logging.c:528
#, c-format
msgid "unable to fork"
msgstr "ne eblas forki"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:535 plugins/sudoers/logging.c:597
#, c-format
msgid "unable to fork: %m"
msgstr "ne eblas forki: %m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:587
#, c-format
msgid "unable to open pipe: %m"
msgstr "ne eblas malfermi tubon: %m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:612
#, c-format
msgid "unable to dup stdin: %m"
msgstr "ne eblas kopii enigon: %m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:648
#, c-format
msgid "unable to execute %s: %m"
msgstr "ne eblas plenumigi %s-on: %m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:863
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "ena eraro: nesufiĉa spaco por protokola linio"
msgid ": "
msgstr ": "
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "ne eblas konservi uid-on %u (%s), jam ekzistas"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "ne eblas konservi uid-on %u, jam ekzistas"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "ne eblas konservi uzanton %s, jam ekzistas"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "ne eblas konservi gid-on %u (%s), jam ekzistas"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "ne eblas konservi gid-on %u, jam ekzistas"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "ne eblas konservi grupon %s, jam ekzistas"
msgid "User %s may run the following commands on this host:\n"
msgstr "Uzanto %s rajtas plenumigi la jenajn komandojn en ĉi tiu gastiganto:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:278
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "Uzanto %s ne rajtas plenumigi sudo-on en %s.\n"
#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:943
msgid "problem with defaults entries"
msgstr "problemoj kun aŭtomataj eroj"
msgid "unable to execute %s: %s"
msgstr "ne eblas plenumigi %s-on: %s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:331
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "sudoers specifas, ke ĉefuzanto ne rajtas sudo-i"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:338
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "vi ne rajtas uzi la parametron -C"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:427
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "posedanto de tempindiko estas %s -- sed tiu uzanto ne ekzistas"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:443
msgid "no tty"
msgstr "neniu tty"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:444
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "bedaŭre vi devas havi tty-on por plenumigi sudo-on"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "Neniu uzanto aŭ gastiganto"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s: komando ne trovita"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"Ignoranta '%s'-on trovita en '.'\n"
-"Uzu 'sudo ./%s'-on se tio estas la '%s', kiun vi volas plenumigi."
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "validiga malsukceso"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:494
msgid "command in current directory"
msgstr "komando en nuna dosierujo"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:506
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "bedaŭre vi ne rajtas konservi la medion"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
+#: plugins/sudoers/sudoers.c:666 plugins/sudoers/sudoers.c:673
#, c-format
msgid "internal error, runas_groups overflow"
msgstr "ena eraro, runas_groups superfluo"
-#: plugins/sudoers/sudoers.c:941
+#: plugins/sudoers/sudoers.c:926
#, c-format
msgid "internal error, set_cmnd() overflow"
msgstr "ena eraro, superfluo en set_cmnd()"
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:996
#, c-format
msgid "%s is not a regular file"
msgstr "%s ne estas normala dosiero"
-#: plugins/sudoers/sudoers.c:1004 toke.l:829
+#: plugins/sudoers/sudoers.c:999 toke.l:831
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s estas estrita de uid %u, devas esti %u"
-#: plugins/sudoers/sudoers.c:1008 toke.l:836
+#: plugins/sudoers/sudoers.c:1003 toke.l:838
#, c-format
msgid "%s is world writable"
msgstr "%s estas skribebla de ĉiuj"
-#: plugins/sudoers/sudoers.c:1011 toke.l:841
+#: plugins/sudoers/sudoers.c:1006 toke.l:843
#, c-format
msgid "%s is owned by gid %u, should be %u"
msgstr "%s estas estrita de gid %u, devas esti %u"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1033
#, c-format
msgid "only root can use `-c %s'"
msgstr "nur ĉefuzanto rajtas uzi '-c %s'"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1050 plugins/sudoers/sudoers.c:1052
#, c-format
msgid "unknown login class: %s"
msgstr "nekonata ensaluta klaso: %s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1079
#, c-format
msgid "unable to resolve host %s"
msgstr "ne eblas trovi gastiganton %s"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1131 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "nekonata grupo: %s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1180
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "Eldono %s de la konduta kromprogramo\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1182
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "Eldono %d de la gramatikilo de sudoers\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1186
#, c-format
msgid ""
"\n"
"\n"
"Pado de sudoers: %s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1189
#, c-format
msgid "nsswitch path: %s\n"
msgstr "pado de nsswitch: %s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1191
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "pado de ldap.conf: %s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "pado de ldap.secret: %s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "nevalida filtrila elekto: %s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "nevalida maksimuma atendo: %s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "nevalida rapida faktoro: %s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s eldono %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s tempo-registrado: %s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/tempo-registrado: %s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "Refaranta sudo-seancon: %s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "Averto: via terminalo estas tro malgranda por konvene reskribi la protokolon.\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "Protokola grando estas %dx%d, sed via terminala grando estas %dx%d."
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "ne eblas elekti tty-on en nudan reĝimon"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "nevalida linio en la tempo-registran dosieron: %s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "skribanta al eligo"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "ambigua esprimo \"%s\""
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "tro da esprimoj en krampoj; maksimumo estas %d"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "esprimo kun ')' sen samnivela '('"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "nekonata serĉaĵo \"%s\""
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s bezonas parametron"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "nevalida regulesprimo: %s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "ne eblis analizi daton \"%s\""
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "esprimo kun '(' sen samnivela ')'"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "nevalida posta \"or\""
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "nevalida posta \"!\""
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "nevalida regulesprimo: %s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "uzado: %s [-h] [-d dosierujo] [-m maksimuma_atendo] [-s rapida_faktoro] identigilo\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "uzado: %s [-h] [-d dosierujo] -l [serĉaĵo]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s - refari sudo-seancajn protokolojn\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s [rapido] rapidigi aŭ malrapidigi eligon\n"
" -V eligi eldonan informon kaj eliri"
-#: plugins/sudoers/testsudoers.c:246
+#: plugins/sudoers/testsudoers.c:253
#, c-format
msgid "internal error, init_vars() overflow"
msgstr "ena eraro, superfluo en init_vars()"
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\thost sen egalo"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"Komando permesata"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"Komando rifuzata"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc3\n"
+"Project-Id-Version: sudoers 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 10:05+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-14 09:15+0200\n"
"Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
"Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
"Language: fi\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
-#: gram.y:110
+#: gram.y:112
#, c-format
msgid ">>> %s: %s near line %d <<<"
msgstr ">>> %s: %s lähellä riviä %d <<<"
msgid "unable to initialize SIA session"
msgstr "ei kyetä alustamaan SIA-istuntoa"
-#: plugins/sudoers/auth/sudo_auth.c:117
+#: plugins/sudoers/auth/sudo_auth.c:121
msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
msgstr "Virheellisiä todennusmenetelmiä käännetty sudo-ohjelmaan! Yksittäisiä ja ei-yksittäisiä todennuksia on ehkä sekoitettu keskenään."
-#: plugins/sudoers/auth/sudo_auth.c:199
+#: plugins/sudoers/auth/sudo_auth.c:206
msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
msgstr "Sudo-ohjelmaan ei ole käännetty todentamismenelmiä! Jos haluat kääntää pois todentamisen, käytä asetusvalitsinta --disable-authentication."
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d väärä salasana yritetty"
-msgstr[1] "%d väärää salasanaa yritetty"
-
#: plugins/sudoers/auth/sudo_auth.c:374
msgid "Authentication methods:"
msgstr "Todennusmenetelmät:"
msgid "au_to_text: failed"
msgstr "au_to_text: epäonnistui"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "kohteen %s suorittamiseen vaaditaan salasana"
-
# Avaamisen kohde voi olla timestamp file, sudoers file tai pathbuf
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
-#: plugins/sudoers/visudo.c:815
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
#, c-format
msgid "unable to open %s"
msgstr "ei kyetä avaamaan kohdetta %s"
# Kirjoittamisen kohde voi olla timestamp file tai pathbuf
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "ei kyetä kirjoittamaan kohteeseen %s"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "ei kyetä suorittamaan käskyä mkdir %s"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
#, c-format
-msgid "internal error, expand_prompt() overflow"
-msgstr "sisäinen virhe, expand_prompt()-ylivuoto"
+msgid "internal error, %s overflow"
+msgstr "sisäinen virhe, %s-ylivuoto"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:460
#, c-format
msgid "timestamp path too long: %s"
msgstr "aikaleimapolku on liian pitkä: %s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s on olemassa, mutta ei ole hakemisto (0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "%s on uid %u:n omistama, pitäisi olla uid %u:n omistama"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "%s on kirjoitettava ei-omistajalle (0%o), pitäisi olla tila 0700"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
-#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
#, c-format
msgid "unable to stat %s"
msgstr "ei kyetä kutsumaan funktiota stat %s"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:577
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s on olemassa, mutta ei ole tavallinen tiedosto (0%o)"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:589
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "%s on kirjoitettava ei-omistajalle (0%o), pitäisi olla tila 0600"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:643
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "aikaleima liian kaukana tulevaisuudessa: %20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:690
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "ei kyetä poistamaan %s (%s), nollataan aika"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:698
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "ei kyetä nollaamaan %s ajaksi"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
#, c-format
msgid "unknown uid: %u"
msgstr "tuntematon uid-käyttäjätunniste: %u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "tuntematon käyttäjä: %s"
msgid "Set the user in utmp to the runas user, not the invoking user"
msgstr "Aseta käyttäjäksi utmp-tiedostoon suorittava käyttäjä, ei kutsuva käyttäjä"
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "Sallittuja käyttöoikeuksia"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "Rajoitettuja käyttöoikeuksia"
+
#: plugins/sudoers/defaults.c:208
#, c-format
msgid "unknown defaults entry `%s'"
msgid "option `%s' does not take a value"
msgstr "valitsin ”%s” ei ota arvoa"
-#: plugins/sudoers/env.c:339
+#: plugins/sudoers/env.c:367
#, c-format
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr "sudo_putenv: rikkoutunut envp, pituus ei täsmää"
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
-#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:870 toke.l:966
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
#, c-format
msgid "unable to allocate memory"
msgstr "ei kyetä varaamaan muistia"
-#: plugins/sudoers/env.c:366
-#, c-format
-msgid "internal error, sudo_setenv2() overflow"
-msgstr "sisäinen virhe, sudo_setenv2()-ylivuoto"
-
-#: plugins/sudoers/env.c:410
-#, c-format
-msgid "internal error, sudo_setenv() overflow"
-msgstr "sisäinen virhe, sudo_setenv()-ylivuoto"
-
-#: plugins/sudoers/env.c:955
+#: plugins/sudoers/env.c:992
#, c-format
msgid "sorry, you are not allowed to set the following environment variables: %s"
msgstr "seuraavia ympäristömuuttujia ei ole lupa asettaa: %s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
-#: plugins/sudoers/sudoers.c:950 toke.l:678 toke.l:866
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
msgstr "Paikallinen ip-osoite ja verkkopeiteparit:\n"
# Parametrinä on sudoers-tiedosto tai pathbuf
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
#, c-format
msgid "unable to read %s"
msgstr "ei kyetä lukemaan kohdetta %s"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "virheellinen sarjanumero %s"
# Parametrina on pathbuf
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "ei kyetä luomaan hakemistopolkua %s"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "ei kyetä asettamaan locale-asetukseksi ”%s”, käytetään ”C”"
-#: plugins/sudoers/ldap.c:378
+#: plugins/sudoers/ldap.c:387
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports: portti on liian suuri"
-#: plugins/sudoers/ldap.c:401
+#: plugins/sudoers/ldap.c:410
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports: hostbuf-puskuritila loppui"
# URL on verkko-osoite, loogisesti URI on verkkoresurssi(osoite)
-#: plugins/sudoers/ldap.c:431
+#: plugins/sudoers/ldap.c:440
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "tukematon LDAP-verkkoresurssin tunnustyyppi: %s"
-#: plugins/sudoers/ldap.c:460
+#: plugins/sudoers/ldap.c:469
#, c-format
msgid "invalid uri: %s"
msgstr "virheellinen verkkoresurssin tunnus: %s"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:475
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "ei kyetä sekottamaan ldap:n ja ldap-kohteiden verkkoresurssitunnuksia"
-#: plugins/sudoers/ldap.c:470
+#: plugins/sudoers/ldap.c:479
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "ei kyetä sekoittamaan ldap- ja starttl-kohteita"
-#: plugins/sudoers/ldap.c:489
+#: plugins/sudoers/ldap.c:498
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri: hostbuf-puskuritila loppui"
-#: plugins/sudoers/ldap.c:563
+#: plugins/sudoers/ldap.c:572
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "ei kyetä alustamaan SSL-varmenne- ja -avaintietokantaa: %s"
-#: plugins/sudoers/ldap.c:566
+#: plugins/sudoers/ldap.c:575
#, c-format
msgid "you must set TLS_CERT in %s to use SSL"
msgstr "kohteessa %s TLS_CERT on asetettava käyttämään SSL:ää"
-#: plugins/sudoers/ldap.c:973
+#: plugins/sudoers/ldap.c:992
#, c-format
msgid "unable to get GMT time"
msgstr "ei kyetä saamaan GMT-aikaa"
-#: plugins/sudoers/ldap.c:979
+#: plugins/sudoers/ldap.c:998
#, c-format
msgid "unable to format timestamp"
msgstr "ei kyetä muotoilemaan aikaleimaa"
-#: plugins/sudoers/ldap.c:987
+#: plugins/sudoers/ldap.c:1006
#, c-format
msgid "unable to build time filter"
msgstr "ei kyetä rakentamaan aikasuodatinta"
-#: plugins/sudoers/ldap.c:1202
+#: plugins/sudoers/ldap.c:1225
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "sudo_ldap_build_pass1-varaustäsmäämättömyys"
-#: plugins/sudoers/ldap.c:1738
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"LDAP-rooli: %s\n"
-#: plugins/sudoers/ldap.c:1740
+#: plugins/sudoers/ldap.c:1763
#, c-format
msgid ""
"\n"
"\n"
"LDAP-rooli: TUNTEMATON\n"
-#: plugins/sudoers/ldap.c:1787
+#: plugins/sudoers/ldap.c:1810
#, c-format
msgid " Order: %s\n"
msgstr " Järjestys: %s\n"
-#: plugins/sudoers/ldap.c:1795
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
#, c-format
msgid " Commands:\n"
msgstr " Komennot:\n"
-#: plugins/sudoers/ldap.c:2216
+#: plugins/sudoers/ldap.c:2240
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "ei kyetä alustamaan kohdetta LDAP: %s"
-#: plugins/sudoers/ldap.c:2250
+#: plugins/sudoers/ldap.c:2274
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "start_tls määritelty mutta LDAP-kirjastot ei tue funktiota ldap_start_tls_s() tai funktiota ldap_start_tls_s_np()"
-#: plugins/sudoers/ldap.c:2486
+#: plugins/sudoers/ldap.c:2510
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "virheellinen sudoOrder-attribuutti: %s"
msgid "unable to open audit system"
msgstr "ei kyetä avaamaan audit-järjestelmää"
-#: plugins/sudoers/linux_audit.c:82
-#, c-format
-msgid "internal error, linux_audit_command() overflow"
-msgstr "sisäinen virhe, linux_audit_command()-ylivuoto"
-
-#: plugins/sudoers/linux_audit.c:91
+#: plugins/sudoers/linux_audit.c:93
#, c-format
msgid "unable to send audit message"
msgstr "ei kyetä lähettämään audit-viestiä"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "ei kyetä avaamaan lokitiedostoa: %s: %s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "ei kyetä lukitsemaan lokitiedostoa: %s: %s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "käyttäjä EI ole sudoers-tiedostossa"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "käyttäjä ei ole varmennettu tietokoneella"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "komento ei ole sallittu"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "käyttäjä %s ei ole sudoers-tiedostossa. Tästä tapahtumasta ilmoitetaan.\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "käyttäjä %s ei saa suorittaa komentoa sudo tietokoneella %s. Tästä tapahtumasta ilmoitetaan.\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "Käyttäjä %s ei voi suorittaa komentoa sudo tietokoneella %s.\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "Käyttäjän %s ei sallita suorittaa ’%s%s%s’ käyttäjänä %s%s%s tietokoneella %s.\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Ei käyttäjä eikä tietokone"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "kelpuutushäiriö"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: komentoa ei löytynyt"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"ohitetaan komento ”%s”, joka löytyi kohteesta ’.’\n"
+"Käytä ”sudo ./%s”, jos tämä on ”%s”-komento, joka halutaan suorittaa."
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "todentamishäiriö"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d väärä salasana yritetty"
+msgstr[1] "%d väärää salasanaa yritetty"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "vaaditaan salasana"
+
+#: plugins/sudoers/logging.c:530
#, c-format
msgid "unable to fork"
msgstr "ei kyetä kutsumaan fork-funktiota"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
#, c-format
msgid "unable to fork: %m"
msgstr "ei kyetä kutsumaan fork-funktiota: %m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:589
#, c-format
msgid "unable to open pipe: %m"
msgstr "ei kyetä avaamaan putkea: %m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:614
#, c-format
msgid "unable to dup stdin: %m"
msgstr "ei kyetä kutsumaan funktiota dup vakiosyötteellä: %m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:650
#, c-format
msgid "unable to execute %s: %m"
msgstr "ei kyetä suorittamaan %s: %m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:865
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "sisäinen virhe: riittämättömästi tilaa lokiriville"
msgid "parse error in %s"
msgstr "jäsentämisvirhe tiedostossa %s"
-#: plugins/sudoers/parse.c:389
+#: plugins/sudoers/parse.c:414
#, c-format
msgid ""
"\n"
"\n"
"Sudoers-rivi:\n"
-#: plugins/sudoers/parse.c:391
+#: plugins/sudoers/parse.c:416
#, c-format
msgid " RunAsUsers: "
msgstr " SuoritaKäyttäjänä: "
-#: plugins/sudoers/parse.c:406
+#: plugins/sudoers/parse.c:431
#, c-format
msgid " RunAsGroups: "
msgstr " SuoritaRyhmänä: "
-#: plugins/sudoers/parse.c:415
+#: plugins/sudoers/parse.c:440
#, c-format
msgid ""
" Commands:\n"
msgid ": "
msgstr ": "
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "ei kyetä laittamaan välimuistiin uid %u (%s) -käyttäjää, on jo siellä"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "ei kyetä laittamaan välimuistiin uid %u -käyttäjää, on jo siellä"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "ei kyetä laittamaan välimuistiin käyttäjää %s, on jo siellä"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "ei kyetä laittamaan välimuistiin gid %u (%s) -ryhmää, on jo siellä"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "ei kyetä laittamaan välimuistiin gid %u -ryhmää, on jo siellä"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "ei kyetä laittamaan välimuistiin ryhmää %s, on jo siellä"
msgid "unable to set runas group vector"
msgstr "ei kyetä asettaan runas-ryhmävektoria"
-#: plugins/sudoers/sudo_nss.c:243
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "Ei kyetä kutsumaan funktiota dlopen %s: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "Ei kyetä alustamaan SSS-lähdettä. Onko SSSD asennettu tietokoneeseesi?"
+
+# parametrina on path
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "ei kyetä löytämään symbolia ”%s” polusta %s"
+
+#: plugins/sudoers/sudo_nss.c:267
#, c-format
msgid "Matching Defaults entries for %s on this host:\n"
msgstr "Täsmäävät Defaults-rivit kohteelle %s tällä tietokoneella:\n"
-#: plugins/sudoers/sudo_nss.c:256
+#: plugins/sudoers/sudo_nss.c:280
#, c-format
msgid "Runas and Command-specific defaults for %s:\n"
msgstr "Runas- ja Command-kohtaiset oletukset kohteelle %s:\n"
-#: plugins/sudoers/sudo_nss.c:269
+#: plugins/sudoers/sudo_nss.c:293
#, c-format
msgid "User %s may run the following commands on this host:\n"
msgstr "Käyttäjä %s voi suorittaa seuraavat komennot tällä tietokoneella:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:302
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "Käyttäjä %s ei saa suorittaa komentoa sudo tietokoneella %s.\n"
-#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
msgid "problem with defaults entries"
msgstr "oletusrivien pulma"
-#: plugins/sudoers/sudoers.c:212
+#: plugins/sudoers/sudoers.c:216
#, c-format
msgid "no valid sudoers sources found, quitting"
msgstr "ei löytynyt kelvollisia sudoers-lähteitä, poistutaan"
-#: plugins/sudoers/sudoers.c:264
+#: plugins/sudoers/sudoers.c:268
#, c-format
msgid "unable to execute %s: %s"
msgstr "ei kyetä suorittamaan komentoa %s: %s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:335
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "sudoers määrittelee, että root ei saa suorittaa sudo-komentoa"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:342
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "ei käyttöoikeuksia valitsimelle -C"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:431
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "aikaleimaomistaja (%s): Tuntematon käyttäjä"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:447
msgid "no tty"
msgstr "ei tty:tä"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:448
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "sudo-komennon suorittamiseksi on oltava tty"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "Ei käyttäjä eikä tietokone"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s: komentoa ei löytynyt"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"ohitetaan komento ”%s”, joka löytyi kohteesta ’.’\n"
-"Käytä ”sudo ./%s”, jos tämä on ”%s”-komento, joka halutaan suorittaa."
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "kelpuutushäiriö"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:498
msgid "command in current directory"
msgstr "komento nykyisessä hakemistossa"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:510
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "ympäristöä ei ole lupa säilyttää"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
-#, c-format
-msgid "internal error, runas_groups overflow"
-msgstr "sisäinen virhe, runas_groups-ylivuoto"
-
-#: plugins/sudoers/sudoers.c:941
-#, c-format
-msgid "internal error, set_cmnd() overflow"
-msgstr "sisäinen virhe, set_cmnd()-ylivuoto"
-
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:1006
#, c-format
msgid "%s is not a regular file"
msgstr "%s ei ole tavallinen tiedosto"
-#: plugins/sudoers/sudoers.c:1004 toke.l:829
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s on uid %u -käyttäjän omistama, pitäisi olla %u"
-#: plugins/sudoers/sudoers.c:1008 toke.l:836
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
#, c-format
msgid "%s is world writable"
msgstr "%s on yleiskirjoitettava"
-#: plugins/sudoers/sudoers.c:1011 toke.l:841
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
#, c-format
msgid "%s is owned by gid %u, should be %u"
msgstr "%s on gid %u -ryhmän omistama, pitäisi olla %u"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1043
#, c-format
msgid "only root can use `-c %s'"
msgstr "vain root-käyttäjä voi käyttää valitsinta ”-c %s”"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
#, c-format
msgid "unknown login class: %s"
msgstr "tuntematon kirjautumisluokka: %s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1089
#, c-format
msgid "unable to resolve host %s"
msgstr "ei kyetä ratkaisemaan tietokonetta %s"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "tuntematon ryhmä: %s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1190
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "Sudoers-menettelytapalisäosaversio %s\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "Sudoers-tiedostokielioppiversio %d\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1196
#, c-format
msgid ""
"\n"
"\n"
"Sudoers-polku: %s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1199
#, c-format
msgid "nsswitch path: %s\n"
msgstr "nsswitch-polku: %s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1201
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "ldap.conf-polku: %s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1202
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "ldap.secret-polku: %s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "virheellinen suodatinvalitsin: %s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "virheellinen enimmäisodotusaika: %s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "virheellinen nopeustekijä: %s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s versio %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s/ajoitus: %s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/ajoitus: %s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "Toistetaan sudo-istunto: %s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "Varoitus: pääteikkunasi on liian pieni tämän lokin toistamiseksi oikein.\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "Lokigeometria on %d x %d, pääteikkunasi geometria on %d x %d."
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "ei kyetä asettamaa tty:ta raakatilaan"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "virheellinen ajoitustiedostorivi: %s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "kirjoitetaan vakiotulosteeseen"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "monimerkityksellinen lauseke ”%s”"
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "liian monta sulkumerkillistä lauseketta, enintään %d"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "täsmäämätön ’)’ lausekkeessa"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "tuntematon hakutermi ”%s”"
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s vaatii argumentin"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "virheellinen säännöllinen lauseke: %s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "ei voitu jäsentää päivämäärää ”%s”"
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "täsmäämätön ’(’ lausekkeessa"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "virheellinen jäljessä oleva ”or”"
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "virheellinen jäljessä oleva ”!”"
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "virheellinen säännöllinen lauseke: %s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "käyttö: %s [-h] [-d hakemisto] [-m enimmäisodotusaika] [-s nopeustekijä] ID-tunniste\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "käyttö: %s [-h] [-d hakemisto] -l [hakulauseke]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s - toista sudo-istuntolokit\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s nopeustekijä nopeuta tai hidasta tulostusta\n"
" -V näytä versiotiedot ja poistu"
-#: plugins/sudoers/testsudoers.c:246
-#, c-format
-msgid "internal error, init_vars() overflow"
-msgstr "sisäinen virhe, init_vars()-ylivuoto"
-
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\ttietokone täsmäämätön"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"Komento sallittu"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"Komento kielletty"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr "%s kielioppiversio %d\n"
-#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
#, c-format
msgid "press return to edit %s: "
msgstr "muokkaa %s painamalla enter-painiketta: "
msgid "%s unchanged"
msgstr "%s ennallaan"
-#: plugins/sudoers/visudo.c:483
+#: plugins/sudoers/visudo.c:486
#, c-format
msgid "unable to re-open temporary file (%s), %s unchanged."
msgstr "ei kyetä avaamaan uudelleen tilapäistä tiedostoa (%s), %s ennallaan."
-#: plugins/sudoers/visudo.c:493
+#: plugins/sudoers/visudo.c:496
#, c-format
msgid "unabled to parse temporary file (%s), unknown error"
msgstr "ei kyetä jäsentämään tilapäistä tiedostoa (%s), tuntematon virhe"
-#: plugins/sudoers/visudo.c:531
+#: plugins/sudoers/visudo.c:534
#, c-format
msgid "internal error, unable to find %s in list!"
msgstr "sisäinen virhe, ei kyetä löytämään %s luettelosta!"
-#: plugins/sudoers/visudo.c:583 plugins/sudoers/visudo.c:592
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
#, c-format
msgid "unable to set (uid, gid) of %s to (%u, %u)"
msgstr "ei kyetä asettamaan kohdetta %s (uid, gid) arvoihin (%u, %u)"
-#: plugins/sudoers/visudo.c:587 plugins/sudoers/visudo.c:597
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
#, c-format
msgid "unable to change mode of %s to 0%o"
msgstr "ei kyetä muuttamaan %s-tilaa arvoon 0%o"
-#: plugins/sudoers/visudo.c:614
+#: plugins/sudoers/visudo.c:617
#, c-format
msgid "%s and %s not on the same file system, using mv to rename"
msgstr "%s ja %s eivät ole samassa tiedostojärjestelmässä, käytetään komentoa mv uudelleennimeämiseen"
-#: plugins/sudoers/visudo.c:628
+#: plugins/sudoers/visudo.c:631
#, c-format
msgid "command failed: '%s %s %s', %s unchanged"
msgstr "komento epäonnistui: ’%s %s %s’, %s ennallaan"
-#: plugins/sudoers/visudo.c:638
+#: plugins/sudoers/visudo.c:641
#, c-format
msgid "error renaming %s, %s unchanged"
msgstr "virhe nimettäessä %s uudelleen, %s ennallaan"
-#: plugins/sudoers/visudo.c:701
+#: plugins/sudoers/visudo.c:704
msgid "What now? "
msgstr "Mitä nyt?"
-#: plugins/sudoers/visudo.c:715
+#: plugins/sudoers/visudo.c:718
msgid ""
"Options are:\n"
" (e)dit sudoers file again\n"
" (Q) poistu ja tallenna muutokset sudoers-tiedostoon (VAARA!)\n"
# Parametri on path, mutta saattaa sisältää suoritettavan ohjelman
-#: plugins/sudoers/visudo.c:756
+#: plugins/sudoers/visudo.c:759
#, c-format
msgid "unable to execute %s"
msgstr "ei kyetä suorittamaan kohdetta %s"
# Parametri on path, mutta saattaa sisältää suoritettavan ohjelman
-#: plugins/sudoers/visudo.c:763
+#: plugins/sudoers/visudo.c:766
#, c-format
msgid "unable to run %s"
msgstr "ei kyetä suorittamaan kohdetta %s"
-#: plugins/sudoers/visudo.c:789
+#: plugins/sudoers/visudo.c:792
#, c-format
msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
msgstr "%s: väärä omistaja (uid, gid), pitäisi olla (%u, %u)\n"
-#: plugins/sudoers/visudo.c:796
+#: plugins/sudoers/visudo.c:799
#, c-format
msgid "%s: bad permissions, should be mode 0%o\n"
msgstr "%s: väärät käyttöoikeudet, pitäisi olla tila 0%o\n"
-#: plugins/sudoers/visudo.c:821
+#: plugins/sudoers/visudo.c:824
#, c-format
msgid "failed to parse %s file, unknown error"
msgstr "tiedoston %s jäsentäminen epäonnistui, tuntematon virhe"
-#: plugins/sudoers/visudo.c:834
+#: plugins/sudoers/visudo.c:837
#, c-format
msgid "parse error in %s near line %d\n"
msgstr "jäsentämisvirhe tiedostossa %s lähellä riviä %d\n"
-#: plugins/sudoers/visudo.c:837
+#: plugins/sudoers/visudo.c:840
#, c-format
msgid "parse error in %s\n"
msgstr "jäsentämisvirhe tiedostossa %s\n"
-#: plugins/sudoers/visudo.c:844 plugins/sudoers/visudo.c:849
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
#, c-format
msgid "%s: parsed OK\n"
msgstr "%s: jäsentäminen valmis\n"
-#: plugins/sudoers/visudo.c:896
+#: plugins/sudoers/visudo.c:899
#, c-format
msgid "%s busy, try again later"
msgstr "%s varattu, yritä myöhemmin uudelleen"
-#: plugins/sudoers/visudo.c:940
+#: plugins/sudoers/visudo.c:943
#, c-format
msgid "specified editor (%s) doesn't exist"
msgstr "määritelty editori (%s) ei ole olemassa"
-#: plugins/sudoers/visudo.c:963
+#: plugins/sudoers/visudo.c:966
#, c-format
msgid "unable to stat editor (%s)"
msgstr "ei kyetä kutsumaan funktiota stat editori (%s)"
-#: plugins/sudoers/visudo.c:1011
+#: plugins/sudoers/visudo.c:1014
#, c-format
msgid "no editor found (editor path = %s)"
msgstr "editoria ei löytynyt (editoripolku = %s)"
-#: plugins/sudoers/visudo.c:1105
+#: plugins/sudoers/visudo.c:1108
#, c-format
msgid "Error: cycle in %s_Alias `%s'"
msgstr "Virhe: jakso kohteessa %s_Alias ”%s”"
-#: plugins/sudoers/visudo.c:1106
+#: plugins/sudoers/visudo.c:1109
#, c-format
msgid "Warning: cycle in %s_Alias `%s'"
msgstr "Varoitus: jakso kohteessa %s_Alias ”%s”"
-#: plugins/sudoers/visudo.c:1109
+#: plugins/sudoers/visudo.c:1112
#, c-format
msgid "Error: %s_Alias `%s' referenced but not defined"
msgstr "Virhe: %s_Alias ”%s” uudelleenviitattu, mutta ei määritelty"
-#: plugins/sudoers/visudo.c:1110
+#: plugins/sudoers/visudo.c:1113
#, c-format
msgid "Warning: %s_Alias `%s' referenced but not defined"
msgstr "Varoitus: %s_Alias ”%s” uudelleenviitattu, mutta ei määritelty"
-#: plugins/sudoers/visudo.c:1245
+#: plugins/sudoers/visudo.c:1248
#, c-format
msgid "%s: unused %s_Alias %s"
msgstr "%s: käyttämätön %s_Alias %s"
-#: plugins/sudoers/visudo.c:1301
+#: plugins/sudoers/visudo.c:1304
#, c-format
msgid ""
"%s - safely edit the sudoers file\n"
"%s - muokkaa sudoers-tiedostoa turvallisesti\n"
"\n"
-#: plugins/sudoers/visudo.c:1303
+#: plugins/sudoers/visudo.c:1306
msgid ""
"\n"
"Options:\n"
" -s tiukka syntaksitarkistus\n"
" -V näytä versiotiedot ja poistu"
-#: toke.l:805
+#: toke.l:820
msgid "too many levels of includes"
msgstr "liian monta include-tasoa"
+#~ msgid "internal error, expand_prompt() overflow"
+#~ msgstr "sisäinen virhe, expand_prompt()-ylivuoto"
+
+#~ msgid "internal error, sudo_setenv2() overflow"
+#~ msgstr "sisäinen virhe, sudo_setenv2()-ylivuoto"
+
+#~ msgid "internal error, sudo_setenv() overflow"
+#~ msgstr "sisäinen virhe, sudo_setenv()-ylivuoto"
+
+#~ msgid "internal error, linux_audit_command() overflow"
+#~ msgstr "sisäinen virhe, linux_audit_command()-ylivuoto"
+
+#~ msgid "internal error, runas_groups overflow"
+#~ msgstr "sisäinen virhe, runas_groups-ylivuoto"
+
+#~ msgid "internal error, init_vars() overflow"
+#~ msgstr "sisäinen virhe, init_vars()-ylivuoto"
+
#~ msgid "invalid log file %s"
#~ msgstr "virheellinen lokitiedosto %s"
# Translation of sudoers to Croatian.
# This file is put in the public domain.
-# Tomislav Krznar <tomislav.krznar@gmail.com>, 2012.
#
+# Tomislav Krznar <tomislav.krznar@gmail.com>, 2012.
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc1\n"
+"Project-Id-Version: sudoers 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-13 16:21-0400\n"
-"PO-Revision-Date: 2012-04-18 01:56+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-13 22:56+0200\n"
"Last-Translator: Tomislav Krznar <tomislav.krznar@gmail.com>\n"
"Language-Team: Croatian <lokalizacija@linux.hr>\n"
-"Language: \n"
+"Language: hr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2)\n"
+"X-Generator: Lokalize 1.4\n"
+
+#: gram.y:112
+#, c-format
+msgid ">>> %s: %s near line %d <<<"
+msgstr ">>> %s: %s kod retka %d <<<"
#: plugins/sudoers/alias.c:125
#, c-format
msgid "Alias `%s' already defined"
msgstr "Alias „%s” je već definiran"
+#: plugins/sudoers/auth/bsdauth.c:78
+#, c-format
+msgid "unable to get login class for user %s"
+msgstr "ne mogu dobiti razred prijave korisnika %s"
+
+#: plugins/sudoers/auth/bsdauth.c:84
+msgid "unable to begin bsd authentication"
+msgstr "ne mogu započeti bsd provjeru"
+
+#: plugins/sudoers/auth/bsdauth.c:92
+msgid "invalid authentication type"
+msgstr "neispravna vrsta provjere"
+
+#: plugins/sudoers/auth/bsdauth.c:101
+msgid "unable to setup authentication"
+msgstr "ne mogu postaviti provjeru"
+
+#: plugins/sudoers/auth/fwtk.c:60
+#, c-format
+msgid "unable to read fwtk config"
+msgstr "ne mogu čitati fwtk konfiguraciju"
+
+#: plugins/sudoers/auth/fwtk.c:65
+#, c-format
+msgid "unable to connect to authentication server"
+msgstr "ne mogu se spojiti na poslužitelj za provjeru"
+
+#: plugins/sudoers/auth/fwtk.c:71 plugins/sudoers/auth/fwtk.c:95
+#: plugins/sudoers/auth/fwtk.c:128
+#, c-format
+msgid "lost connection to authentication server"
+msgstr "izgubljena veza na poslužitelj za provjeru"
+
+#: plugins/sudoers/auth/fwtk.c:75
+#, c-format
+msgid ""
+"authentication server error:\n"
+"%s"
+msgstr ""
+"greška poslužitelja za provjeru:\n"
+"%s"
+
+#: plugins/sudoers/auth/kerb5.c:117
+#, c-format
+msgid "%s: unable to unparse princ ('%s'): %s"
+msgstr "%s: ne mogu ukloniti analizu upravitelja („%s”): %s"
+
+#: plugins/sudoers/auth/kerb5.c:160
+#, c-format
+msgid "%s: unable to parse '%s': %s"
+msgstr "%s: ne mogu analizirati „%s”: %s"
+
+#: plugins/sudoers/auth/kerb5.c:170
+#, c-format
+msgid "%s: unable to resolve ccache: %s"
+msgstr "%s: ne mogu pronaći ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:218
+#, c-format
+msgid "%s: unable to allocate options: %s"
+msgstr "%s: ne mogu alocirati opcije: %s"
+
+#: plugins/sudoers/auth/kerb5.c:234
+#, c-format
+msgid "%s: unable to get credentials: %s"
+msgstr "%s: ne mogu dobiti vjerodajnice: %s"
+
+#: plugins/sudoers/auth/kerb5.c:247
+#, c-format
+msgid "%s: unable to initialize ccache: %s"
+msgstr "%s: ne mogu inicijalizirati ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:251
+#, c-format
+msgid "%s: unable to store cred in ccache: %s"
+msgstr "%s: ne mogu spremiti vjerodajnicu u ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:316
+#, c-format
+msgid "%s: unable to get host principal: %s"
+msgstr "%s: ne mogu dobiti upravitelja računala: %s"
+
+#: plugins/sudoers/auth/kerb5.c:331
+#, c-format
+msgid "%s: Cannot verify TGT! Possible attack!: %s"
+msgstr "%s: Ne mogu provjeriti TGT! Moguć napad!: %s"
+
+#: plugins/sudoers/auth/pam.c:100
+msgid "unable to initialize PAM"
+msgstr "ne mogu inicijalizirati PAM"
+
+#: plugins/sudoers/auth/pam.c:144
+msgid "account validation failure, is your account locked?"
+msgstr "potvrđivanje računa nije uspjelo, je li vaš račun zaključan?"
+
+#: plugins/sudoers/auth/pam.c:148
+msgid "Account or password is expired, reset your password and try again"
+msgstr "Račun ili lozinka su istekli, vratite izvornu lozinku i pokušajte ponovo"
+
+#: plugins/sudoers/auth/pam.c:155
+#, c-format
+msgid "pam_chauthtok: %s"
+msgstr "pam_chauthtok: %s"
+
+#: plugins/sudoers/auth/pam.c:159
+msgid "Password expired, contact your system administrator"
+msgstr "Lozinka je istekla, javite vašem administratoru sustava"
+
+#: plugins/sudoers/auth/pam.c:163
+msgid "Account expired or PAM config lacks an \"account\" section for sudo, contact your system administrator"
+msgstr "Račun je istekao ili PAM konfiguracija nema odjeljak „account” za sudo, javite vašem administratoru sustava"
+
+#: plugins/sudoers/auth/pam.c:180
+#, c-format
+msgid "pam_authenticate: %s"
+msgstr "pam_authenticate: %s"
+
+#: plugins/sudoers/auth/pam.c:332
+msgid "Password: "
+msgstr "Lozinka: "
+
+#: plugins/sudoers/auth/pam.c:333
+msgid "Password:"
+msgstr "Lozinka:"
+
+#: plugins/sudoers/auth/rfc1938.c:104 plugins/sudoers/visudo.c:220
+#, c-format
+msgid "you do not exist in the %s database"
+msgstr "niste navedeni u %s bazi podataka"
+
+#: plugins/sudoers/auth/securid5.c:81
+#, c-format
+msgid "failed to initialise the ACE API library"
+msgstr "nisam uspio inicijalizirati ACE API biblioteku"
+
+#: plugins/sudoers/auth/securid5.c:107
+#, c-format
+msgid "unable to contact the SecurID server"
+msgstr "ne mogu uspostaviti vezu s SecurID poslužiteljem"
+
+#: plugins/sudoers/auth/securid5.c:116
+#, c-format
+msgid "User ID locked for SecurID Authentication"
+msgstr "Korisnički ID zaključan za SecurID provjeru"
+
+#: plugins/sudoers/auth/securid5.c:120 plugins/sudoers/auth/securid5.c:171
+#, c-format
+msgid "invalid username length for SecurID"
+msgstr "neispravna duljina korisničkog imena za SecurID"
+
+#: plugins/sudoers/auth/securid5.c:124 plugins/sudoers/auth/securid5.c:176
+#, c-format
+msgid "invalid Authentication Handle for SecurID"
+msgstr "neispravni postupak provjere za SecurID"
+
+#: plugins/sudoers/auth/securid5.c:128
+#, c-format
+msgid "SecurID communication failed"
+msgstr "SecurID komunikacija nije uspjela"
+
+#: plugins/sudoers/auth/securid5.c:132 plugins/sudoers/auth/securid5.c:215
+#, c-format
+msgid "unknown SecurID error"
+msgstr "nepoznata SecurID greška"
+
+#: plugins/sudoers/auth/securid5.c:166
+#, c-format
+msgid "invalid passcode length for SecurID"
+msgstr "neispravna duljina lozinke za SecurID"
+
+#: plugins/sudoers/auth/sia.c:109
+msgid "unable to initialize SIA session"
+msgstr "ne mogu inicijalizirati SIA sjednicu"
+
+#: plugins/sudoers/auth/sudo_auth.c:121
+msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
+msgstr "Neispravne metode provjere kompajlirane u sudo! Možete miješati samostalne i nesamostalne provjere."
+
+#: plugins/sudoers/auth/sudo_auth.c:206
+msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
+msgstr "Nema metoda provjere kompajliranih u sudo! Ako želite isključiti provjeru, koristite konfiguracijsku opciju --disable-authentication."
+
+#: plugins/sudoers/auth/sudo_auth.c:374
+msgid "Authentication methods:"
+msgstr "Metode provjere:"
+
#: plugins/sudoers/bsm_audit.c:60 plugins/sudoers/bsm_audit.c:63
#: plugins/sudoers/bsm_audit.c:112 plugins/sudoers/bsm_audit.c:116
#: plugins/sudoers/bsm_audit.c:168 plugins/sudoers/bsm_audit.c:172
msgid "au_to_text: failed"
msgstr "au_to_text: nije uspio"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "žao mi je, potrebna je lozinka za pokretanje %s"
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
-#: plugins/sudoers/visudo.c:815
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
#, c-format
msgid "unable to open %s"
msgstr "ne mogu otvoriti %s"
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "ne mogu pisati u %s"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "ne mogu napraviti direktorij %s"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
#, c-format
-msgid "internal error, expand_prompt() overflow"
-msgstr "interna greška, expand_prompt() preljev"
+msgid "internal error, %s overflow"
+msgstr "interna greška, %s preljev"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:460
#, c-format
msgid "timestamp path too long: %s"
msgstr "putanja vremenske oznake predugačka: %s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s postoji, ali nije direktorij (0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "vlasnik %s je uid %u, treba biti uid %u"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "nevlasnici imaju dozvolu za pisanje u %s (0%o), treba biti mod 0700"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
-#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
#, c-format
msgid "unable to stat %s"
msgstr "ne mogu izvršiti stat %s"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:577
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s postoji, ali nije obična datoteka (0%o)"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:589
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "nevlasnici imaju dozvolu za pisanje u %s (0%o), treba biti mod 0600"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:643
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "vremenska oznaka predaleko u budućnosti: %20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:690
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "ne mogu ukloniti %s (%s), vratit ću na početnu epohu"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:698
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "ne mogu vratiti %s na početnu epohu"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
#, c-format
msgid "unknown uid: %u"
msgstr "nepoznat uid: %u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "nepoznat korisnik: %s"
#: plugins/sudoers/def_data.c:31
#, c-format
msgid "Syslog priority to use when user authenticates successfully: %s"
-msgstr "Syslog prioritet koji se koristi pri uspješnoj autentifikaciji korisnika: %s"
+msgstr "Syslog prioritet koji se koristi pri uspješnoj provjeri korisnika: %s"
#: plugins/sudoers/def_data.c:35
#, c-format
msgid "Syslog priority to use when user authenticates unsuccessfully: %s"
-msgstr "Syslog prioritet koji se koristi pri neuspješnoj autentifikaciji korisnika: %s"
+msgstr "Syslog prioritet koji se koristi pri neuspješnoj provjeri korisnika: %s"
#: plugins/sudoers/def_data.c:39
msgid "Put OTP prompt on its own line"
#: plugins/sudoers/def_data.c:51
msgid "Send mail if user authentication fails"
-msgstr "Pošalji poštu ako autentifikacija korisnika nije uspjela"
+msgstr "Pošalji poštu ako provjera korisnika nije uspjela"
#: plugins/sudoers/def_data.c:55
msgid "Send mail if the user is not in sudoers"
#: plugins/sudoers/def_data.c:79
msgid "Require users to authenticate by default"
-msgstr "Uobičajeno traži autentifikaciju korisnika"
+msgstr "Uobičajeno traži provjeru korisnika"
#: plugins/sudoers/def_data.c:83
msgid "Root may run sudo"
#: plugins/sudoers/def_data.c:159
#, c-format
msgid "Authentication timestamp timeout: %.1f minutes"
-msgstr "Istek vremenske oznake autentifikacije: %.1f minuta"
+msgstr "Istek vremenske oznake provjere: %.1f minuta"
#: plugins/sudoers/def_data.c:163
#, c-format
#: plugins/sudoers/def_data.c:203
#, c-format
msgid "Path to authentication timestamp dir: %s"
-msgstr "Putanja do direktorija vremenske oznake autentifikacije: %s"
+msgstr "Putanja do direktorija vremenske oznake provjere: %s"
#: plugins/sudoers/def_data.c:207
#, c-format
msgid "Owner of the authentication timestamp dir: %s"
-msgstr "Vlasnik direktorija vremenske oznake autentifikacije: %s"
+msgstr "Vlasnik direktorija vremenske oznake provjere: %s"
#: plugins/sudoers/def_data.c:211
#, c-format
msgid "Set the user in utmp to the runas user, not the invoking user"
msgstr "Postavi korisnika u utmp u „pokreni kao” korisnika umjesto pozivatelja"
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "Skup dozvoljenih ovlasti"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "Skup ograničenih ovlasti"
+
#: plugins/sudoers/defaults.c:208
#, c-format
msgid "unknown defaults entry `%s'"
msgid "option `%s' does not take a value"
msgstr "opcija „%s” ne prihvaća vrijednost"
-#: plugins/sudoers/env.c:339
+#: plugins/sudoers/env.c:367
#, c-format
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr "sudo_putenv: oštećen envp, duljina ne odgovara"
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411 toke.l:682 toke.l:812
-#: toke.l:870 toke.l:966 plugins/sudoers/toke_util.c:113
-#: plugins/sudoers/toke_util.c:167 plugins/sudoers/toke_util.c:207
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
+#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
#, c-format
msgid "unable to allocate memory"
msgstr "ne mogu alocirati memoriju"
-#: plugins/sudoers/env.c:366
-#, c-format
-msgid "internal error, sudo_setenv2() overflow"
-msgstr "interna greška, sudo_setenv2() preljev"
-
-#: plugins/sudoers/env.c:410
-#, c-format
-msgid "internal error, sudo_setenv() overflow"
-msgstr "interna greška, sudo_setenv() preljev"
-
-#: plugins/sudoers/env.c:955
+#: plugins/sudoers/env.c:992
#, c-format
msgid "sorry, you are not allowed to set the following environment variables: %s"
msgstr "žao mi je, nemate dozvolu za postavljanje sljedećih varijabli okoline: %s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
-#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125 toke.l:678
-#: toke.l:866 plugins/sudoers/sudoers.c:950
+#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: gram.y:110
-#, c-format
-msgid ">>> %s: %s near line %d <<<"
-msgstr ">>> %s: %s kod retka %d <<<"
-
#: plugins/sudoers/group_plugin.c:91
#, c-format
msgid "%s%s: %s"
msgid "Local IP address and netmask pairs:\n"
msgstr "Parovi lokalnih IP adresa i mrežnih maski:\n"
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
#, c-format
msgid "unable to read %s"
msgstr "ne mogu čitati %s"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "neispravan broj niza %s"
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "ne mogu napraviti %s"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "ne mogu postaviti lokal u „%s”, koristim „C”"
-#: plugins/sudoers/ldap.c:374
+#: plugins/sudoers/ldap.c:387
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports: port je prevelik"
-#: plugins/sudoers/ldap.c:397
+#: plugins/sudoers/ldap.c:410
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports: nema dovoljno prostora za proširenje međuspremnika računala"
-#: plugins/sudoers/ldap.c:427
+#: plugins/sudoers/ldap.c:440
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "nepodržana vrsta LDAP uri-ja: %s"
-#: plugins/sudoers/ldap.c:456
+#: plugins/sudoers/ldap.c:469
#, c-format
msgid "invalid uri: %s"
msgstr "neispravan uri: %s"
-#: plugins/sudoers/ldap.c:462
+#: plugins/sudoers/ldap.c:475
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "ne mogu miješati ldap i ldaps URI-je"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:479
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "ne mogu miješati ldaps i starttls"
-#: plugins/sudoers/ldap.c:485
+#: plugins/sudoers/ldap.c:498
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri: nema dovoljno prostora za izgradnju međuspremnika računala"
-#: plugins/sudoers/ldap.c:550
+#: plugins/sudoers/ldap.c:572
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "ne mogu inicijalizirati SSL certifikat i bazu podataka ključeva: %s"
-#: plugins/sudoers/ldap.c:958
+#: plugins/sudoers/ldap.c:575
+#, c-format
+msgid "you must set TLS_CERT in %s to use SSL"
+msgstr "morate postaviti TLS_CERT u %s za korištenje SSL-a"
+
+#: plugins/sudoers/ldap.c:992
#, c-format
msgid "unable to get GMT time"
msgstr "ne mogu dohvatiti GMT vrijeme"
-#: plugins/sudoers/ldap.c:964
+#: plugins/sudoers/ldap.c:998
#, c-format
msgid "unable to format timestamp"
msgstr "ne mogu oblikovati vremensku oznaku"
-#: plugins/sudoers/ldap.c:972
+#: plugins/sudoers/ldap.c:1006
#, c-format
msgid "unable to build time filter"
msgstr "ne mogu izgraditi filtar vremena"
-#: plugins/sudoers/ldap.c:1187
+#: plugins/sudoers/ldap.c:1225
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "neodgovarajuća sudo_ldap_build_pass1 alokacija"
-#: plugins/sudoers/ldap.c:1707
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"LDAP uloga: %s\n"
-#: plugins/sudoers/ldap.c:1709
+#: plugins/sudoers/ldap.c:1763
#, c-format
msgid ""
"\n"
"\n"
"LDAP uloga: NEPOZNATA\n"
-#: plugins/sudoers/ldap.c:1756
+#: plugins/sudoers/ldap.c:1810
#, c-format
msgid " Order: %s\n"
msgstr " Redoslijed: %s\n"
-#: plugins/sudoers/ldap.c:1764
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
#, c-format
msgid " Commands:\n"
msgstr " Naredbe:\n"
-#: plugins/sudoers/ldap.c:2156
+#: plugins/sudoers/ldap.c:2240
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "ne mogu inicijalizirati LDAP: %s"
-#: plugins/sudoers/ldap.c:2187
+#: plugins/sudoers/ldap.c:2274
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "naveden je start_tls, ali LDAP biblioteke ne podržavaju ldap_start_tls_s() ili ldap_start_tls_s_np()"
-#: plugins/sudoers/ldap.c:2423
+#: plugins/sudoers/ldap.c:2510
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "neispravno sudoOrder svojstvo: %s"
-#: toke.l:805
-msgid "too many levels of includes"
-msgstr "previše razina uključivanja"
-
-#: toke.l:829 plugins/sudoers/sudoers.c:1004
-#, c-format
-msgid "%s is owned by uid %u, should be %u"
-msgstr "vlasnik %s je uid %u, treba biti %u"
-
-#: toke.l:836 plugins/sudoers/sudoers.c:1008
-#, c-format
-msgid "%s is world writable"
-msgstr "%s ima dozvole za pisanje svih korisnika"
-
-#: toke.l:841 plugins/sudoers/sudoers.c:1011
-#, c-format
-msgid "%s is owned by gid %u, should be %u"
-msgstr "vlasnik %s je gid %u, treba biti %u"
-
#: plugins/sudoers/linux_audit.c:57
#, c-format
msgid "unable to open audit system"
msgstr "ne mogu otvoriti sustav revizije"
-#: plugins/sudoers/linux_audit.c:82
-#, c-format
-msgid "internal error, linux_audit_command() overflow"
-msgstr "interna greška, linux_audit_command() preljev"
-
-#: plugins/sudoers/linux_audit.c:91
+#: plugins/sudoers/linux_audit.c:93
#, c-format
msgid "unable to send audit message"
msgstr "ne mogu poslati poruku revizije"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "ne mogu otvoriti dnevičku datoteku: %s: %s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "ne mogu zaključati dnevničku datoteku: %s: %s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "korisnik NIJE u sudoers"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "korisnik NIJE ovlašten na računalu"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "naredba nije dozvoljena"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "%s nije u datoteci sudoers. Ovaj će incident biti prijavljen.\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "Korisniku %s nije dozvoljeno pokrenuti sudo na %s. Ovaj će incident biti prijavljen.\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "Žao mi je, korisnik %s ne može pokrenuti sudo na %s.\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "Žao mi je, korisniku %s nije dozvoljeno izvršiti „%s%s%s” kao %s%s%s na %s.\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Nema korisnika ili računala"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "provjera nije uspjela"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: naredba nije pronađena"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"zanemarujem „%s” pronađen u „.”\n"
+"Koristite „sudo ./%s” ako je ovo „%s” koji želite pokrenuti."
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "provjera nije uspjela"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d netočan pokušaj unosa lozinke"
+msgstr[1] "%d netočna pokušaja unosa lozinke"
+msgstr[2] "%d netočnih pokušaja unosa lozinke"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "potrebna je lozinka"
+
+#: plugins/sudoers/logging.c:530
#, c-format
msgid "unable to fork"
msgstr "ne mogu razdvojiti"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
#, c-format
msgid "unable to fork: %m"
msgstr "ne mogu razdvojiti: %m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:589
#, c-format
msgid "unable to open pipe: %m"
msgstr "ne mogu otvoriti cjevovod: %m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:614
#, c-format
msgid "unable to dup stdin: %m"
msgstr "ne mogu izvršiti dup stdin: %m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:650
#, c-format
msgid "unable to execute %s: %m"
msgstr "ne mogu izvršiti %s: %m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:865
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "interna greška: nema dovoljno prostora za redak dnevnika"
msgid "parse error in %s"
msgstr "greška analize u %s"
-#: plugins/sudoers/parse.c:389
+#: plugins/sudoers/parse.c:414
#, c-format
msgid ""
"\n"
"\n"
"Sudoers stavka:\n"
-#: plugins/sudoers/parse.c:391
+#: plugins/sudoers/parse.c:416
#, c-format
msgid " RunAsUsers: "
msgstr " PokreniKaoKorisnici: "
-#: plugins/sudoers/parse.c:406
+#: plugins/sudoers/parse.c:431
#, c-format
msgid " RunAsGroups: "
msgstr " PokreniKaoGrupe: "
-#: plugins/sudoers/parse.c:415
+#: plugins/sudoers/parse.c:440
#, c-format
msgid ""
" Commands:\n"
msgid ": "
msgstr ": "
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "ne mogu staviti uid %u (%s) u spremnik, već postoji"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "ne mogu staviti uid %u u spremnik, već postoji"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "ne mogu staviti korisnika %s u spremnik, već postoji"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "ne mogu staviti gid %u (%s) u spremnik, već postoji"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "ne mogu staviti gid %u u spremnik, već postoji"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "ne mogu staviti grupu %s u spremnik, već postoji"
msgid "unable to set runas group vector"
msgstr "ne mogu postaviti „pokreni kao” grupni vektor"
-#: plugins/sudoers/sudo_nss.c:243
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "Ne mogu izvršiti dlopen %s: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "Ne mogu inicijalizirati SSS izvor. Je li SSSD instaliran na vašem stroju?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "ne mogu pronaći simbol „%s” u %s"
+
+#: plugins/sudoers/sudo_nss.c:267
#, c-format
msgid "Matching Defaults entries for %s on this host:\n"
msgstr "Spajam stavke zadanih vrijednosti za %s na ovom računalu:\n"
-#: plugins/sudoers/sudo_nss.c:256
+#: plugins/sudoers/sudo_nss.c:280
#, c-format
msgid "Runas and Command-specific defaults for %s:\n"
msgstr "Zadane vrijednosti „pokreni kao” i specifične za naredbe za %s:\n"
-#: plugins/sudoers/sudo_nss.c:269
+#: plugins/sudoers/sudo_nss.c:293
#, c-format
msgid "User %s may run the following commands on this host:\n"
msgstr "Korisnik %s može pokrenuti sljedeće naredbe na ovom računalu:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:302
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "Korisniku %s nije dozvoljeno pokrenuti sudo na %s.\n"
-#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
msgid "problem with defaults entries"
msgstr "problem sa stavkama zadanih vrijednosti"
-#: plugins/sudoers/sudoers.c:212
+#: plugins/sudoers/sudoers.c:216
#, c-format
msgid "no valid sudoers sources found, quitting"
msgstr "nisu pronađeni ispravni sudoers izvori, izlazim"
-#: plugins/sudoers/sudoers.c:264
+#: plugins/sudoers/sudoers.c:268
#, c-format
msgid "unable to execute %s: %s"
msgstr "ne mogu izvršiti %s: %s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:335
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "sudoers navodi da root ne može koristiti sudo"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:342
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "nemate dozvolu za korištenje opcije -C"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:431
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "vlasnik vremenske oznake (%s): Nema takvog korisnika"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:447
msgid "no tty"
msgstr "nema terminala"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:448
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "žao mi je, morate imati terminal za pokretanje sudo"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "Nema korisnika ili računala"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s: naredba nije pronađena"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"zanemarujem „%s” pronađen u „.”\n"
-"Koristite „sudo ./%s” ako je ovo „%s” koji želite pokrenuti."
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "provjera nije uspjela"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:498
msgid "command in current directory"
msgstr "naredba u trenutnom direktoriju"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:510
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "žao mi je, nemate dozvolu za očuvanje okoline"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
+#: plugins/sudoers/sudoers.c:1006
#, c-format
-msgid "internal error, runas_groups overflow"
-msgstr "interna greška, runas_groups preljev"
+msgid "%s is not a regular file"
+msgstr "%s nije obična datoteka"
-#: plugins/sudoers/sudoers.c:941
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
#, c-format
-msgid "internal error, set_cmnd() overflow"
-msgstr "interna greška, set_cmnd() preljev"
+msgid "%s is owned by uid %u, should be %u"
+msgstr "vlasnik %s je uid %u, treba biti %u"
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
#, c-format
-msgid "%s is not a regular file"
-msgstr "%s nije obična datoteka"
+msgid "%s is world writable"
+msgstr "%s ima dozvole za pisanje svih korisnika"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
+#, c-format
+msgid "%s is owned by gid %u, should be %u"
+msgstr "vlasnik %s je gid %u, treba biti %u"
+
+#: plugins/sudoers/sudoers.c:1043
#, c-format
msgid "only root can use `-c %s'"
msgstr "samo root smije koristiti „-c %s”"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
#, c-format
msgid "unknown login class: %s"
msgstr "nepoznat razred prijave: %s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1089
#, c-format
msgid "unable to resolve host %s"
msgstr "ne mogu pronaći računalo %s"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "nepoznata grupa: %s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1190
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "Inačica sudoers priključka police %s\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "Inačica sudoers gramatike datoteke %d\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1196
#, c-format
msgid ""
"\n"
"\n"
"Sudoers putanja: %s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1199
#, c-format
msgid "nsswitch path: %s\n"
msgstr "nsswitch putanja: %s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1201
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "ldap.conf putanja: %s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1202
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "ldap.secret putanja: %s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "neispravna opcija filtra: %s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "neispravno najveće čekanje: %s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "neispravni faktor brzine: %s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s inačica %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s/vrijeme: %s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/vrijeme: %s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "Prikazujem sudo sjednicu: %s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "Upozorenje: vaš terminal je premalen za ispravno prikazivanje dnevnika.\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "Veličina dnevnika je %d x %d, a veličina vašeg terminala %d x %d."
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "ne mogu postaviti terminal u sirovi način"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "neispravan redak datoteke mjerenja vremena: %s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "ispisujem na standardni izlaz"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "višeznačni izraz „%s”"
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "previše izraza u zagradama, najviše %d"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "nesparena „)” u izrazu"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "nepoznat pojam pretrage „%s”"
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s zahtijeva argument"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "neispravan regularni izraz: %s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "ne mogu analizirati datum „%s”"
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "nesparena „(” u izrazu"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "nedozvoljeni „or” na kraju"
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "nedozvoljeni „!” na kraju"
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "neispravni regularni izraz: %s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "uporaba: %s [-h] [-d direktorij] [-m max_čekanje] [-s faktor_brzine] ID\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "uporaba: %s [-h] [-d direktorij] -l [izraz pretrage]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s - prikaži dnevnike sudo sjednica\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s faktor_brzine ubrzaj ili uspori ispis\n"
" -V prikaži informacije o inačici i izađi"
-#: plugins/sudoers/testsudoers.c:246
-#, c-format
-msgid "internal error, init_vars() overflow"
-msgstr "interna greška, init_vars() preljev"
-
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\tračunalo nije pronađeno"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"Naredba dozvoljena"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"Naredba zabranjena"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr "%s inačica gramatike %d\n"
-#: plugins/sudoers/visudo.c:220 plugins/sudoers/auth/rfc1938.c:104
-#, c-format
-msgid "you do not exist in the %s database"
-msgstr "niste navedeni u %s bazi podataka"
-
-#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
#, c-format
msgid "press return to edit %s: "
msgstr "pritisnite return za uređivanje %s: "
msgid "%s unchanged"
msgstr "%s nepromijenjen"
-#: plugins/sudoers/visudo.c:483
+#: plugins/sudoers/visudo.c:486
#, c-format
msgid "unable to re-open temporary file (%s), %s unchanged."
msgstr "ne mogu ponovo otvoriti privremenu datoteku (%s), %s nepromijenjen."
-#: plugins/sudoers/visudo.c:493
+#: plugins/sudoers/visudo.c:496
#, c-format
msgid "unabled to parse temporary file (%s), unknown error"
msgstr "ne mogu analizirati privremenu datoteku (%s), nepoznata greška"
-#: plugins/sudoers/visudo.c:531
+#: plugins/sudoers/visudo.c:534
#, c-format
msgid "internal error, unable to find %s in list!"
msgstr "interna greška, ne mogu pronaći %s na popisu!"
-#: plugins/sudoers/visudo.c:583 plugins/sudoers/visudo.c:592
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
#, c-format
msgid "unable to set (uid, gid) of %s to (%u, %u)"
msgstr "na mogu postaviti (uid, gid) od %s na (%u, %u)"
-#: plugins/sudoers/visudo.c:587 plugins/sudoers/visudo.c:597
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
#, c-format
msgid "unable to change mode of %s to 0%o"
msgstr "ne mogu promijeniti mod od %s u 0%o"
-#: plugins/sudoers/visudo.c:614
+#: plugins/sudoers/visudo.c:617
#, c-format
msgid "%s and %s not on the same file system, using mv to rename"
msgstr "%s i %s nisu na istom datotečnom sustavu, koristim mv za preimenovanje"
-#: plugins/sudoers/visudo.c:628
+#: plugins/sudoers/visudo.c:631
#, c-format
msgid "command failed: '%s %s %s', %s unchanged"
msgstr "naredba nije uspjela: „%s %s %s”, %s nepromijenjen"
-#: plugins/sudoers/visudo.c:638
+#: plugins/sudoers/visudo.c:641
#, c-format
msgid "error renaming %s, %s unchanged"
msgstr "greška preimenovanja %s, %s nepromijenjen"
-#: plugins/sudoers/visudo.c:701
+#: plugins/sudoers/visudo.c:704
msgid "What now? "
msgstr "Što sada? "
-#: plugins/sudoers/visudo.c:715
+#: plugins/sudoers/visudo.c:718
msgid ""
"Options are:\n"
" (e)dit sudoers file again\n"
" (x) izađi bez spremanja promjena u datoteku sudoers\n"
" (Q) izađi i spremi promjene u datoteku sudoers (OPASNO!)\n"
-#: plugins/sudoers/visudo.c:756
+#: plugins/sudoers/visudo.c:759
#, c-format
msgid "unable to execute %s"
msgstr "ne mogu izvršiti %s"
-#: plugins/sudoers/visudo.c:763
+#: plugins/sudoers/visudo.c:766
#, c-format
msgid "unable to run %s"
msgstr "ne mogu pokrenuti %s"
-#: plugins/sudoers/visudo.c:789
+#: plugins/sudoers/visudo.c:792
#, c-format
msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
msgstr "%s: krivi vlasnički (uid, gid), treba biti (%u, %u)\n"
-#: plugins/sudoers/visudo.c:796
+#: plugins/sudoers/visudo.c:799
#, c-format
msgid "%s: bad permissions, should be mode 0%o\n"
msgstr "%s: neispravne dozvole, treba biti mod 0%o\n"
-#: plugins/sudoers/visudo.c:821
+#: plugins/sudoers/visudo.c:824
#, c-format
msgid "failed to parse %s file, unknown error"
msgstr "nisam uspio analizirati %s datoteku, nepoznata greška"
-#: plugins/sudoers/visudo.c:834
+#: plugins/sudoers/visudo.c:837
#, c-format
msgid "parse error in %s near line %d\n"
msgstr "greška analize u %s kod retka %d\n"
-#: plugins/sudoers/visudo.c:837
+#: plugins/sudoers/visudo.c:840
#, c-format
msgid "parse error in %s\n"
msgstr "greška analize u %s\n"
-#: plugins/sudoers/visudo.c:844 plugins/sudoers/visudo.c:849
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
#, c-format
msgid "%s: parsed OK\n"
msgstr "%s: analiza u redu\n"
-#: plugins/sudoers/visudo.c:896
+#: plugins/sudoers/visudo.c:899
#, c-format
msgid "%s busy, try again later"
msgstr "%s je zauzet, pokušajte ponovo kasnije"
-#: plugins/sudoers/visudo.c:940
+#: plugins/sudoers/visudo.c:943
#, c-format
msgid "specified editor (%s) doesn't exist"
msgstr "navedeni uređivač (%s) ne postoji"
-#: plugins/sudoers/visudo.c:963
+#: plugins/sudoers/visudo.c:966
#, c-format
msgid "unable to stat editor (%s)"
msgstr "ne mogu odrediti stanje uređivača (%s)"
-#: plugins/sudoers/visudo.c:1011
+#: plugins/sudoers/visudo.c:1014
#, c-format
msgid "no editor found (editor path = %s)"
msgstr "nije pronađen uređivač (putanja uređivača = %s)"
-#: plugins/sudoers/visudo.c:1105
+#: plugins/sudoers/visudo.c:1108
#, c-format
msgid "Error: cycle in %s_Alias `%s'"
msgstr "Greška: petlja u %s_Alias „%s”"
-#: plugins/sudoers/visudo.c:1106
+#: plugins/sudoers/visudo.c:1109
#, c-format
msgid "Warning: cycle in %s_Alias `%s'"
msgstr "Upozorenje: petlja u %s_Alias „%s”"
-#: plugins/sudoers/visudo.c:1109
+#: plugins/sudoers/visudo.c:1112
#, c-format
msgid "Error: %s_Alias `%s' referenced but not defined"
msgstr "Greška: %s_Alias „%s” je referenciran, ali nije definiran"
-#: plugins/sudoers/visudo.c:1110
+#: plugins/sudoers/visudo.c:1113
#, c-format
msgid "Warning: %s_Alias `%s' referenced but not defined"
msgstr "Upozorenje: %s_Alias „%s” je referenciran, ali nije definiran"
-#: plugins/sudoers/visudo.c:1245
+#: plugins/sudoers/visudo.c:1248
#, c-format
msgid "%s: unused %s_Alias %s"
msgstr "%s: nekorišteni %s_Alias %s"
-#: plugins/sudoers/visudo.c:1301
+#: plugins/sudoers/visudo.c:1304
#, c-format
msgid ""
"%s - safely edit the sudoers file\n"
"%s - sigurno uređivanje datoteke sudoers\n"
"\n"
-#: plugins/sudoers/visudo.c:1303
+#: plugins/sudoers/visudo.c:1306
msgid ""
"\n"
"Options:\n"
" -s strogo provjeravanje sintakse\n"
" -V prikaži informacije o inačici i izađi"
-#: plugins/sudoers/auth/bsdauth.c:78
-#, c-format
-msgid "unable to get login class for user %s"
-msgstr "ne mogu dobiti razred prijave korisnika %s"
-
-#: plugins/sudoers/auth/bsdauth.c:84
-msgid "unable to begin bsd authentication"
-msgstr "ne mogu započeti bsd autentifikaciju"
-
-#: plugins/sudoers/auth/bsdauth.c:92
-msgid "invalid authentication type"
-msgstr "neispravna vrsta autentifikacije"
-
-#: plugins/sudoers/auth/bsdauth.c:101
-msgid "unable to setup authentication"
-msgstr "ne mogu postaviti autentifikaciju"
-
-#: plugins/sudoers/auth/fwtk.c:60
-#, c-format
-msgid "unable to read fwtk config"
-msgstr "ne mogu čitati fwtk konfiguraciju"
-
-#: plugins/sudoers/auth/fwtk.c:65
-#, c-format
-msgid "unable to connect to authentication server"
-msgstr "ne mogu se spojiti na autentifikacijski poslužitelj"
-
-#: plugins/sudoers/auth/fwtk.c:71 plugins/sudoers/auth/fwtk.c:95
-#: plugins/sudoers/auth/fwtk.c:128
-#, c-format
-msgid "lost connection to authentication server"
-msgstr "izgubljena veza na autentifikacijski poslužitelj"
-
-#: plugins/sudoers/auth/fwtk.c:75
-#, c-format
-msgid ""
-"authentication server error:\n"
-"%s"
-msgstr ""
-"greška autentifikacijskog poslužitelja:\n"
-"%s"
-
-#: plugins/sudoers/auth/kerb5.c:117
-#, c-format
-msgid "%s: unable to unparse princ ('%s'): %s"
-msgstr "%s: ne mogu ukloniti analizu upravitelja („%s”): %s"
-
-#: plugins/sudoers/auth/kerb5.c:160
-#, c-format
-msgid "%s: unable to parse '%s': %s"
-msgstr "%s: ne mogu analizirati „%s”: %s"
-
-#: plugins/sudoers/auth/kerb5.c:170
-#, c-format
-msgid "%s: unable to resolve ccache: %s"
-msgstr "%s: ne mogu pronaći ccache: %s"
-
-#: plugins/sudoers/auth/kerb5.c:218
-#, c-format
-msgid "%s: unable to allocate options: %s"
-msgstr "%s: ne mogu alocirati opcije: %s"
-
-#: plugins/sudoers/auth/kerb5.c:234
-#, c-format
-msgid "%s: unable to get credentials: %s"
-msgstr "%s: ne mogu dobiti vjerodajnice: %s"
-
-#: plugins/sudoers/auth/kerb5.c:247
-#, c-format
-msgid "%s: unable to initialize ccache: %s"
-msgstr "%s: ne mogu inicijalizirati ccache: %s"
-
-#: plugins/sudoers/auth/kerb5.c:251
-#, c-format
-msgid "%s: unable to store cred in ccache: %s"
-msgstr "%s: ne mogu spremiti vjerodajnicu u ccache: %s"
-
-#: plugins/sudoers/auth/kerb5.c:316
-#, c-format
-msgid "%s: unable to get host principal: %s"
-msgstr "%s: ne mogu dobiti upravitelja računala: %s"
-
-#: plugins/sudoers/auth/kerb5.c:331
-#, c-format
-msgid "%s: Cannot verify TGT! Possible attack!: %s"
-msgstr "%s: Ne mogu provjeriti TGT! Moguć napad!: %s"
-
-#: plugins/sudoers/auth/pam.c:100
-msgid "unable to initialize PAM"
-msgstr "ne mogu inicijalizirati PAM"
-
-#: plugins/sudoers/auth/pam.c:144
-msgid "account validation failure, is your account locked?"
-msgstr "potvrđivanje računa nije uspjelo, je li vaš račun zaključan?"
-
-#: plugins/sudoers/auth/pam.c:148
-msgid "Account or password is expired, reset your password and try again"
-msgstr "Račun ili lozinka su istekli, vratite izvornu lozinku i pokušajte ponovo"
-
-#: plugins/sudoers/auth/pam.c:155
-#, c-format
-msgid "pam_chauthtok: %s"
-msgstr "pam_chauthtok: %s"
-
-#: plugins/sudoers/auth/pam.c:159
-msgid "Password expired, contact your system administrator"
-msgstr "Lozinka je istekla, javite vašem administratoru sustava"
-
-#: plugins/sudoers/auth/pam.c:163
-msgid "Account expired or PAM config lacks an \"account\" section for sudo, contact your system administrator"
-msgstr "Račun je istekao ili PAM konfiguracija nema odjeljak „account” za sudo, javite vašem administratoru sustava"
-
-#: plugins/sudoers/auth/pam.c:180
-#, c-format
-msgid "pam_authenticate: %s"
-msgstr "pam_authenticate: %s"
-
-#: plugins/sudoers/auth/pam.c:330
-msgid "Password: "
-msgstr "Lozinka: "
-
-#: plugins/sudoers/auth/pam.c:331
-msgid "Password:"
-msgstr "Lozinka:"
-
-#: plugins/sudoers/auth/securid5.c:81
-#, c-format
-msgid "failed to initialise the ACE API library"
-msgstr "nisam uspio inicijalizirati ACE API biblioteku"
-
-#: plugins/sudoers/auth/securid5.c:107
-#, c-format
-msgid "unable to contact the SecurID server"
-msgstr "ne mogu uspostaviti vezu s SecurID poslužiteljem"
-
-#: plugins/sudoers/auth/securid5.c:116
-#, c-format
-msgid "User ID locked for SecurID Authentication"
-msgstr "Korisnički ID zaključan za SecurID autentifikaciju"
-
-#: plugins/sudoers/auth/securid5.c:120 plugins/sudoers/auth/securid5.c:171
-#, c-format
-msgid "invalid username length for SecurID"
-msgstr "neispravna duljina korisničkog imena za SecurID"
-
-#: plugins/sudoers/auth/securid5.c:124 plugins/sudoers/auth/securid5.c:176
-#, c-format
-msgid "invalid Authentication Handle for SecurID"
-msgstr "neispravni postupak autentifikacije za SecurID"
-
-#: plugins/sudoers/auth/securid5.c:128
-#, c-format
-msgid "SecurID communication failed"
-msgstr "SecurID komunikacija nije uspjela"
-
-#: plugins/sudoers/auth/securid5.c:132 plugins/sudoers/auth/securid5.c:215
-#, c-format
-msgid "unknown SecurID error"
-msgstr "nepoznata SecurID greška"
+#: toke.l:820
+msgid "too many levels of includes"
+msgstr "previše razina uključivanja"
-#: plugins/sudoers/auth/securid5.c:166
-#, c-format
-msgid "invalid passcode length for SecurID"
-msgstr "neispravna duljina lozinke za SecurID"
+#~ msgid "internal error, expand_prompt() overflow"
+#~ msgstr "interna greška, expand_prompt() preljev"
-#: plugins/sudoers/auth/sia.c:109
-msgid "unable to initialize SIA session"
-msgstr "ne mogu inicijalizirati SIA sjednicu"
+#~ msgid "internal error, sudo_setenv2() overflow"
+#~ msgstr "interna greška, sudo_setenv2() preljev"
-#: plugins/sudoers/auth/sudo_auth.c:117
-msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
-msgstr "Neispravne autentifikacijske metode kompajlirane u sudo! Možete miješati samostalne i nesamostalne autentifikacije."
+#~ msgid "internal error, sudo_setenv() overflow"
+#~ msgstr "interna greška, sudo_setenv() preljev"
-#: plugins/sudoers/auth/sudo_auth.c:199
-msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
-msgstr "Nema autentifikacijskih metoda kompajliranih u sudo! Ako želite isključiti autentifikaciju, koristite konfiguracijsku opciju --disable-authentication."
+#~ msgid "internal error, linux_audit_command() overflow"
+#~ msgstr "interna greška, linux_audit_command() preljev"
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d netočan pokušaj unosa lozinke"
-msgstr[1] "%d netočna pokušaja unosa lozinke"
-msgstr[2] "%d netočnih pokušaja unosa lozinke"
+#~ msgid "internal error, runas_groups overflow"
+#~ msgstr "interna greška, runas_groups preljev"
-#: plugins/sudoers/auth/sudo_auth.c:374
-msgid "Authentication methods:"
-msgstr "Metode autentifikacije:"
+#~ msgid "internal error, init_vars() overflow"
+#~ msgstr "interna greška, init_vars() preljev"
--- /dev/null
+# Italian translations for sudoers package
+# Copyright (C) 2011, 2012 The Free Software Foundation
+# This file is distributed under the same license as the sudo package.
+#
+# Milo Casagrande <milo@casagrande.name>, 2011, 2012.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: sudoers-1.8.6b4\n"
+"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-15 18:27+0200\n"
+"Last-Translator: Milo Casagrande <milo@casagrande.name>\n"
+"Language-Team: Italian <tp@lists.linux.it>\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8-bit\n"
+"Plural-Forms: nplurals=2; plural=(n!=1);\n"
+
+#: gram.y:112
+#, c-format
+msgid ">>> %s: %s near line %d <<<"
+msgstr ">>> %s: %s vicino alla riga %d <<<"
+
+#: plugins/sudoers/alias.c:125
+#, c-format
+msgid "Alias `%s' already defined"
+msgstr "Alias \"%s\" già definito"
+
+#: plugins/sudoers/auth/bsdauth.c:78
+#, c-format
+msgid "unable to get login class for user %s"
+msgstr "impossibile ottenere la classe di login per l'utente %s"
+
+#: plugins/sudoers/auth/bsdauth.c:84
+msgid "unable to begin bsd authentication"
+msgstr "impossibile iniziare l'autenticazione bsd"
+
+#: plugins/sudoers/auth/bsdauth.c:92
+msgid "invalid authentication type"
+msgstr "tipo di autenticazione non valida"
+
+#: plugins/sudoers/auth/bsdauth.c:101
+msgid "unable to setup authentication"
+msgstr "impossibile impostare l'autenticazione"
+
+#: plugins/sudoers/auth/fwtk.c:60
+#, c-format
+msgid "unable to read fwtk config"
+msgstr "impossibile leggere la configurazione fwtk"
+
+#: plugins/sudoers/auth/fwtk.c:65
+#, c-format
+msgid "unable to connect to authentication server"
+msgstr "impossibile connettersi al server di autenticazione"
+
+#: plugins/sudoers/auth/fwtk.c:71 plugins/sudoers/auth/fwtk.c:95
+#: plugins/sudoers/auth/fwtk.c:128
+#, c-format
+msgid "lost connection to authentication server"
+msgstr "connessione al server di autenticazione persa"
+
+#: plugins/sudoers/auth/fwtk.c:75
+#, c-format
+msgid ""
+"authentication server error:\n"
+"%s"
+msgstr ""
+"errore del server di autenticazione:\n"
+"%s"
+
+#: plugins/sudoers/auth/kerb5.c:117
+#, c-format
+msgid "%s: unable to unparse princ ('%s'): %s"
+msgstr "%s: impossibile eseguire l'unparse di princ (\"%s\"): %s"
+
+#: plugins/sudoers/auth/kerb5.c:160
+#, c-format
+msgid "%s: unable to parse '%s': %s"
+msgstr "%s: impossibile analizzare \"%s\": %s"
+
+#: plugins/sudoers/auth/kerb5.c:170
+#, c-format
+msgid "%s: unable to resolve ccache: %s"
+msgstr "%s: impossibile risolvere la ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:218
+#, c-format
+msgid "%s: unable to allocate options: %s"
+msgstr "%s: impossibile allocare le opzioni: %s"
+
+#: plugins/sudoers/auth/kerb5.c:234
+#, c-format
+msgid "%s: unable to get credentials: %s"
+msgstr "%s: impossibile ottenere le credenziali: %s"
+
+#: plugins/sudoers/auth/kerb5.c:247
+#, c-format
+msgid "%s: unable to initialize ccache: %s"
+msgstr "%s: impossibile inizializzare la ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:251
+#, c-format
+msgid "%s: unable to store cred in ccache: %s"
+msgstr "%s: impossibile salvare le credenziali nella cchace: %s"
+
+#: plugins/sudoers/auth/kerb5.c:316
+#, c-format
+msgid "%s: unable to get host principal: %s"
+msgstr "%s: impossibile ottenere il principal dell'host: %s"
+
+#: plugins/sudoers/auth/kerb5.c:331
+#, c-format
+msgid "%s: Cannot verify TGT! Possible attack!: %s"
+msgstr "%s: impossibile verificare TGT. Possibile attacco in corso: %s"
+
+#: plugins/sudoers/auth/pam.c:100
+msgid "unable to initialize PAM"
+msgstr "impossibile inizializzare PAM"
+
+#: plugins/sudoers/auth/pam.c:144
+msgid "account validation failure, is your account locked?"
+msgstr "validazione dell'account non riuscita: forse è bloccato?"
+
+#: plugins/sudoers/auth/pam.c:148
+msgid "Account or password is expired, reset your password and try again"
+msgstr "Account o password scaduto: reimpostare la password e provare nuovamente"
+
+#: plugins/sudoers/auth/pam.c:155
+#, c-format
+msgid "pam_chauthtok: %s"
+msgstr "pam_chauthtok: %s"
+
+#: plugins/sudoers/auth/pam.c:159
+msgid "Password expired, contact your system administrator"
+msgstr "Password scaduta, contattare l'amministratore di sistema"
+
+#: plugins/sudoers/auth/pam.c:163
+msgid "Account expired or PAM config lacks an \"account\" section for sudo, contact your system administrator"
+msgstr "Account scaduto o alla configurazione PAM manca una sezione \"account\" per sudo: contattare l'amministratore di sistema"
+
+#: plugins/sudoers/auth/pam.c:180
+#, c-format
+msgid "pam_authenticate: %s"
+msgstr "pam_authenticate: %s"
+
+#: plugins/sudoers/auth/pam.c:332
+msgid "Password: "
+msgstr "Password: "
+
+#: plugins/sudoers/auth/pam.c:333
+msgid "Password:"
+msgstr "Password:"
+
+#: plugins/sudoers/auth/rfc1938.c:104 plugins/sudoers/visudo.c:220
+#, c-format
+msgid "you do not exist in the %s database"
+msgstr "l'utente attuale non esiste nel database %s"
+
+#: plugins/sudoers/auth/securid5.c:81
+#, c-format
+msgid "failed to initialise the ACE API library"
+msgstr "inizializzazione della libreria API ACE non riuscita"
+
+#: plugins/sudoers/auth/securid5.c:107
+#, c-format
+msgid "unable to contact the SecurID server"
+msgstr "impossibile contattare il server SecurID"
+
+#: plugins/sudoers/auth/securid5.c:116
+#, c-format
+msgid "User ID locked for SecurID Authentication"
+msgstr "ID utente bloccato per l'autenticazione SecurID"
+
+#: plugins/sudoers/auth/securid5.c:120 plugins/sudoers/auth/securid5.c:171
+#, c-format
+msgid "invalid username length for SecurID"
+msgstr "lunghezza del nome utente per SecurID non valida"
+
+#: plugins/sudoers/auth/securid5.c:124 plugins/sudoers/auth/securid5.c:176
+#, c-format
+msgid "invalid Authentication Handle for SecurID"
+msgstr "gestore di autenticazione per SecurID non valido"
+
+#: plugins/sudoers/auth/securid5.c:128
+#, c-format
+msgid "SecurID communication failed"
+msgstr "Comunicazione SecurID non riuscita"
+
+#: plugins/sudoers/auth/securid5.c:132 plugins/sudoers/auth/securid5.c:215
+#, c-format
+msgid "unknown SecurID error"
+msgstr "errore SecurID sconosciuto"
+
+#: plugins/sudoers/auth/securid5.c:166
+#, c-format
+msgid "invalid passcode length for SecurID"
+msgstr "lunghezza del passcode per SecurID errata"
+
+#: plugins/sudoers/auth/sia.c:109
+msgid "unable to initialize SIA session"
+msgstr "impossibile inizializzare la sessione SIA"
+
+#: plugins/sudoers/auth/sudo_auth.c:121
+msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
+msgstr "Metodi di autenticazione non validi compilati all'interno di sudo. È possibile usare assieme autenticazione standalone e non-standalone."
+
+#: plugins/sudoers/auth/sudo_auth.c:206
+msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
+msgstr "Non ci sono metodi di autenticazione compilati all'interno di sudo. Per disabilitare l'autenticazione, usare l'opzione di configurazione --disable-authentication."
+
+#: plugins/sudoers/auth/sudo_auth.c:374
+msgid "Authentication methods:"
+msgstr "Metodi di autenticazione:"
+
+#: plugins/sudoers/bsm_audit.c:60 plugins/sudoers/bsm_audit.c:63
+#: plugins/sudoers/bsm_audit.c:112 plugins/sudoers/bsm_audit.c:116
+#: plugins/sudoers/bsm_audit.c:168 plugins/sudoers/bsm_audit.c:172
+#, c-format
+msgid "getaudit: failed"
+msgstr "getaudit non riuscita"
+
+#: plugins/sudoers/bsm_audit.c:90 plugins/sudoers/bsm_audit.c:153
+#, c-format
+msgid "Could not determine audit condition"
+msgstr "Impossibile determinare la condizione di audit"
+
+#: plugins/sudoers/bsm_audit.c:101
+#, c-format
+msgid "getauid failed"
+msgstr "getauid non riuscita"
+
+#: plugins/sudoers/bsm_audit.c:103 plugins/sudoers/bsm_audit.c:162
+#, c-format
+msgid "au_open: failed"
+msgstr "au_open non riuscita"
+
+#: plugins/sudoers/bsm_audit.c:118 plugins/sudoers/bsm_audit.c:174
+#, c-format
+msgid "au_to_subject: failed"
+msgstr "au_to_subject non riuscita"
+
+#: plugins/sudoers/bsm_audit.c:122 plugins/sudoers/bsm_audit.c:178
+#, c-format
+msgid "au_to_exec_args: failed"
+msgstr "au_to_exec_args non riuscita"
+
+#: plugins/sudoers/bsm_audit.c:126 plugins/sudoers/bsm_audit.c:187
+#, c-format
+msgid "au_to_return32: failed"
+msgstr "au_to_return32 non riuscita"
+
+#: plugins/sudoers/bsm_audit.c:129 plugins/sudoers/bsm_audit.c:190
+#, c-format
+msgid "unable to commit audit record"
+msgstr "impossibile inviare il record di audit"
+
+#: plugins/sudoers/bsm_audit.c:160
+#, c-format
+msgid "getauid: failed"
+msgstr "getauid non riuscita"
+
+#: plugins/sudoers/bsm_audit.c:183
+#, c-format
+msgid "au_to_text: failed"
+msgstr "au_to_text non riuscita"
+
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
+#, c-format
+msgid "unable to open %s"
+msgstr "impossibile aprire %s"
+
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
+#, c-format
+msgid "unable to write to %s"
+msgstr "impossibile scrivere su %s"
+
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/iolog.c:156
+#, c-format
+msgid "unable to mkdir %s"
+msgstr "impossibile creare la directory %s"
+
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "errore interno, overflow di %s"
+
+#: plugins/sudoers/check.c:460
+#, c-format
+msgid "timestamp path too long: %s"
+msgstr "percorso marcatura temporale troppo lungo: %s"
+
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
+#: plugins/sudoers/iolog.c:158
+#, c-format
+msgid "%s exists but is not a directory (0%o)"
+msgstr "%s esiste, ma non è una directory (0%o)"
+
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
+#, c-format
+msgid "%s owned by uid %u, should be uid %u"
+msgstr "%s è di proprietà dell'uid %u, dovrebbe essere dell'uid %u"
+
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
+#, c-format
+msgid "%s writable by non-owner (0%o), should be mode 0700"
+msgstr "%s è accessibile in scrittura dal non-proprietario (0%o), dovrebbe avere modalità 0700"
+
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
+#, c-format
+msgid "unable to stat %s"
+msgstr "impossibile eseguire stat su %s"
+
+#: plugins/sudoers/check.c:577
+#, c-format
+msgid "%s exists but is not a regular file (0%o)"
+msgstr "%s esiste, ma non è un file regolare (0%o)"
+
+#: plugins/sudoers/check.c:589
+#, c-format
+msgid "%s writable by non-owner (0%o), should be mode 0600"
+msgstr "%s è accessibile in scrittura dal non-proprietario (0%o), dovrebbe avere modalità 0600"
+
+#: plugins/sudoers/check.c:643
+#, c-format
+msgid "timestamp too far in the future: %20.20s"
+msgstr "marcatura temporale troppo avanti nel tempo: %20.20s"
+
+#: plugins/sudoers/check.c:690
+#, c-format
+msgid "unable to remove %s (%s), will reset to the epoch"
+msgstr "impossibile rimuovere %s (%s), viene reimpostato al tempo epoch"
+
+#: plugins/sudoers/check.c:698
+#, c-format
+msgid "unable to reset %s to the epoch"
+msgstr "impossibile reimpostare %s al tempo epoch"
+
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
+#, c-format
+msgid "unknown uid: %u"
+msgstr "uid sconosciuto: %u"
+
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
+#, c-format
+msgid "unknown user: %s"
+msgstr "utente sconosciuto: %s"
+
+#: plugins/sudoers/def_data.c:27
+#, c-format
+msgid "Syslog facility if syslog is being used for logging: %s"
+msgstr "Infrastruttura syslog se syslog viene utilizzato per le registrazioni: %s"
+
+#: plugins/sudoers/def_data.c:31
+#, c-format
+msgid "Syslog priority to use when user authenticates successfully: %s"
+msgstr "Priorità di syslog se l'utente si identifica con successo: %s"
+
+#: plugins/sudoers/def_data.c:35
+#, c-format
+msgid "Syslog priority to use when user authenticates unsuccessfully: %s"
+msgstr "Priorità di syslog se l'utente non si identifica con successo: %s"
+
+#: plugins/sudoers/def_data.c:39
+msgid "Put OTP prompt on its own line"
+msgstr "Mette il prompt OTP su un'altra riga"
+
+#: plugins/sudoers/def_data.c:43
+msgid "Ignore '.' in $PATH"
+msgstr "Ignora \".\" in $PATH"
+
+#: plugins/sudoers/def_data.c:47
+msgid "Always send mail when sudo is run"
+msgstr "Invia sempre una email quando viene eseguito sudo"
+
+#: plugins/sudoers/def_data.c:51
+msgid "Send mail if user authentication fails"
+msgstr "Invia una email se l'autenticazione utente non riesce"
+
+#: plugins/sudoers/def_data.c:55
+msgid "Send mail if the user is not in sudoers"
+msgstr "Invia una email se l'utente non è tra i sudoers"
+
+#: plugins/sudoers/def_data.c:59
+msgid "Send mail if the user is not in sudoers for this host"
+msgstr "Invia una email se l'utente non è tra i sudoers per questo host"
+
+#: plugins/sudoers/def_data.c:63
+msgid "Send mail if the user is not allowed to run a command"
+msgstr "Invia una email se l'utente non è abilitato a eseguire un comando"
+
+#: plugins/sudoers/def_data.c:67
+msgid "Use a separate timestamp for each user/tty combo"
+msgstr "Usa una marcatura temporale diversa per ogni combinazione utente/tty"
+
+#: plugins/sudoers/def_data.c:71
+msgid "Lecture user the first time they run sudo"
+msgstr "Aiuta gli utenti alla prima esecuzione di sudo"
+
+#: plugins/sudoers/def_data.c:75
+#, c-format
+msgid "File containing the sudo lecture: %s"
+msgstr "File contenente la lezione su sudo: %s"
+
+#: plugins/sudoers/def_data.c:79
+msgid "Require users to authenticate by default"
+msgstr "Richiede in modo predefinito l'autenticazione degli utenti"
+
+#: plugins/sudoers/def_data.c:83
+msgid "Root may run sudo"
+msgstr "Root può eseguire sudo"
+
+#: plugins/sudoers/def_data.c:87
+msgid "Log the hostname in the (non-syslog) log file"
+msgstr "Registra il nome host nel file di registro (non-syslog)"
+
+#: plugins/sudoers/def_data.c:91
+msgid "Log the year in the (non-syslog) log file"
+msgstr "Registra l'anno nel file di registro (non-syslog)"
+
+#: plugins/sudoers/def_data.c:95
+msgid "If sudo is invoked with no arguments, start a shell"
+msgstr "Se sudo viene lanciato senza alcun argomento, avvia una shell"
+
+#: plugins/sudoers/def_data.c:99
+msgid "Set $HOME to the target user when starting a shell with -s"
+msgstr "Imposta $HOME all'utente definito quando viene avviata una shell con -s"
+
+#: plugins/sudoers/def_data.c:103
+msgid "Always set $HOME to the target user's home directory"
+msgstr "Imposta sempre $HOME alla directory home dell'utente definito"
+
+#: plugins/sudoers/def_data.c:107
+msgid "Allow some information gathering to give useful error messages"
+msgstr "Consente la raccolta di alcune informazioni per dare messaggi di errore utili"
+
+#: plugins/sudoers/def_data.c:111
+msgid "Require fully-qualified hostnames in the sudoers file"
+msgstr "Richiede nomi host completi nel file sudoers"
+
+#: plugins/sudoers/def_data.c:115
+msgid "Insult the user when they enter an incorrect password"
+msgstr "Apostrofa l'utente quando inserisce una password errata"
+
+#: plugins/sudoers/def_data.c:119
+msgid "Only allow the user to run sudo if they have a tty"
+msgstr "Consente all'utente di seguire sudo solo se dispone di un tty"
+
+#: plugins/sudoers/def_data.c:123
+msgid "Visudo will honor the EDITOR environment variable"
+msgstr "visudo utilizzerà il valore definito nella variabile EDITOR"
+
+#: plugins/sudoers/def_data.c:127
+msgid "Prompt for root's password, not the users's"
+msgstr "Chiede la password di root, non quella dell'utente"
+
+#: plugins/sudoers/def_data.c:131
+msgid "Prompt for the runas_default user's password, not the users's"
+msgstr "Chiede la password dell'utente runas_default, non quella dell'utente"
+
+#: plugins/sudoers/def_data.c:135
+msgid "Prompt for the target user's password, not the users's"
+msgstr "Chiede la password dell'utente definito, non quella dell'invocante"
+
+#: plugins/sudoers/def_data.c:139
+msgid "Apply defaults in the target user's login class if there is one"
+msgstr "Applica i Defaults nella classe di login dell'utente definito, se presente"
+
+#: plugins/sudoers/def_data.c:143
+msgid "Set the LOGNAME and USER environment variables"
+msgstr "Imposta le variabili d'ambiente LOGNAME e USER"
+
+#: plugins/sudoers/def_data.c:147
+msgid "Only set the effective uid to the target user, not the real uid"
+msgstr "Imposta lo uid effettivo all'utente definito, non lo uid reale"
+
+#: plugins/sudoers/def_data.c:151
+msgid "Don't initialize the group vector to that of the target user"
+msgstr "Non inizializza il vettore di gruppo con quello dell'utente definito"
+
+#: plugins/sudoers/def_data.c:155
+#, c-format
+msgid "Length at which to wrap log file lines (0 for no wrap): %d"
+msgstr "Lunghezza a cui andare a capo nei file di registro (0 per non andare a capo): %d"
+
+#: plugins/sudoers/def_data.c:159
+#, c-format
+msgid "Authentication timestamp timeout: %.1f minutes"
+msgstr "Timeout marcatura temporale di autenticazione: %.1f minuti"
+
+#: plugins/sudoers/def_data.c:163
+#, c-format
+msgid "Password prompt timeout: %.1f minutes"
+msgstr "Timeout per inserimento password: %.1f minuti"
+
+#: plugins/sudoers/def_data.c:167
+#, c-format
+msgid "Number of tries to enter a password: %d"
+msgstr "Numero di tentativi per l'inserimento della password: %d"
+
+#: plugins/sudoers/def_data.c:171
+#, c-format
+msgid "Umask to use or 0777 to use user's: 0%o"
+msgstr "umask da utilizzare o 0777 per utilizzare quella dell'utente: 0%o"
+
+#: plugins/sudoers/def_data.c:175
+#, c-format
+msgid "Path to log file: %s"
+msgstr "Percorso al file di registro: %s"
+
+#: plugins/sudoers/def_data.c:179
+#, c-format
+msgid "Path to mail program: %s"
+msgstr "Percorso al programma email: %s"
+
+#: plugins/sudoers/def_data.c:183
+#, c-format
+msgid "Flags for mail program: %s"
+msgstr "Flag per il programma email: %s"
+
+#: plugins/sudoers/def_data.c:187
+#, c-format
+msgid "Address to send mail to: %s"
+msgstr "Indirizzo a cui mandare l'email: %s"
+
+#: plugins/sudoers/def_data.c:191
+#, c-format
+msgid "Address to send mail from: %s"
+msgstr "Indirizzo da cui mandare l'email: %s"
+
+#: plugins/sudoers/def_data.c:195
+#, c-format
+msgid "Subject line for mail messages: %s"
+msgstr "Oggetto dell'email: %s"
+
+#: plugins/sudoers/def_data.c:199
+#, c-format
+msgid "Incorrect password message: %s"
+msgstr "Messaggio password errata: %s"
+
+#: plugins/sudoers/def_data.c:203
+#, c-format
+msgid "Path to authentication timestamp dir: %s"
+msgstr "Percorso directory con la marcatura temporale di autenticazione: %s"
+
+#: plugins/sudoers/def_data.c:207
+#, c-format
+msgid "Owner of the authentication timestamp dir: %s"
+msgstr "Proprietario directory con la marcatura temporale di autenticazione: %s"
+
+#: plugins/sudoers/def_data.c:211
+#, c-format
+msgid "Users in this group are exempt from password and PATH requirements: %s"
+msgstr "Agli utenti di questo gruppo non sono richiesti password e PATH: %s"
+
+#: plugins/sudoers/def_data.c:215
+#, c-format
+msgid "Default password prompt: %s"
+msgstr "Prompt predefinito per la password: %s"
+
+#: plugins/sudoers/def_data.c:219
+msgid "If set, passprompt will override system prompt in all cases."
+msgstr "Se impostato, passprompt scavalcherà sempre il prompt di sistema."
+
+#: plugins/sudoers/def_data.c:223
+#, c-format
+msgid "Default user to run commands as: %s"
+msgstr "Utente predefinito con cui eseguire i comandi: %s"
+
+#: plugins/sudoers/def_data.c:227
+#, c-format
+msgid "Value to override user's $PATH with: %s"
+msgstr "Valore con cui sovrascrivere la variabile $PATH dell'utente: %s"
+
+#: plugins/sudoers/def_data.c:231
+#, c-format
+msgid "Path to the editor for use by visudo: %s"
+msgstr "Percorso all'editor per visudo: %s"
+
+#: plugins/sudoers/def_data.c:235
+#, c-format
+msgid "When to require a password for 'list' pseudocommand: %s"
+msgstr "Quando richiedere una password per il pseudo-comando \"list\": %s"
+
+#: plugins/sudoers/def_data.c:239
+#, c-format
+msgid "When to require a password for 'verify' pseudocommand: %s"
+msgstr "Quando richiedere una password per il pseudo-comando \"verify\": %s"
+
+#: plugins/sudoers/def_data.c:243
+msgid "Preload the dummy exec functions contained in the sudo_noexec library"
+msgstr "Pre-carica le funzioni exec dummy contenute nella libreria sudo_noexec"
+
+#: plugins/sudoers/def_data.c:247
+msgid "If LDAP directory is up, do we ignore local sudoers file"
+msgstr "Se LDAP è funzionante, viene ignorato il file sudoers locale"
+
+#: plugins/sudoers/def_data.c:251
+#, c-format
+msgid "File descriptors >= %d will be closed before executing a command"
+msgstr "I descrittori di file >= %d verranno chiusi prima dell'esecuzione di un comando"
+
+#: plugins/sudoers/def_data.c:255
+msgid "If set, users may override the value of `closefrom' with the -C option"
+msgstr "Se impostata, gli utenti possono sovrascrivere il valore di \"closefrom\" con l'opzione -C"
+
+#: plugins/sudoers/def_data.c:259
+msgid "Allow users to set arbitrary environment variables"
+msgstr "Consente agli utenti di impostare variabili d'ambiente"
+
+#: plugins/sudoers/def_data.c:263
+msgid "Reset the environment to a default set of variables"
+msgstr "Reimposta l'ambiente con le variabile predefinite"
+
+#: plugins/sudoers/def_data.c:267
+msgid "Environment variables to check for sanity:"
+msgstr "Variabile d'ambiente da validare:"
+
+#: plugins/sudoers/def_data.c:271
+msgid "Environment variables to remove:"
+msgstr "Variabili d'ambiente da rimuovere:"
+
+#: plugins/sudoers/def_data.c:275
+msgid "Environment variables to preserve:"
+msgstr "Variabili d'ambiente da preservare:"
+
+#: plugins/sudoers/def_data.c:279
+#, c-format
+msgid "SELinux role to use in the new security context: %s"
+msgstr "Ruolo SELinux da usare nel nuovo contesto di sicurezza: %s"
+
+#: plugins/sudoers/def_data.c:283
+#, c-format
+msgid "SELinux type to use in the new security context: %s"
+msgstr "Tipologia di SELinux da usare nel nuovo contesto di sicurezza: %s"
+
+#: plugins/sudoers/def_data.c:287
+#, c-format
+msgid "Path to the sudo-specific environment file: %s"
+msgstr "Percorso al file d'ambiente specifico di sudo: %s"
+
+#: plugins/sudoers/def_data.c:291
+#, c-format
+msgid "Locale to use while parsing sudoers: %s"
+msgstr "Lingua da usare durante l'analisi del file sudoers: %s"
+
+#: plugins/sudoers/def_data.c:295
+msgid "Allow sudo to prompt for a password even if it would be visible"
+msgstr "Abilita sudo a chiedere una password anche se sarebbe visibile"
+
+#: plugins/sudoers/def_data.c:299
+msgid "Provide visual feedback at the password prompt when there is user input"
+msgstr "Fornisce riscontro visibile al prompt della password quando è presente input utente"
+
+#: plugins/sudoers/def_data.c:303
+msgid "Use faster globbing that is less accurate but does not access the filesystem"
+msgstr "Usa glob più veloce e meno preciso, ma non accede al file system"
+
+#: plugins/sudoers/def_data.c:307
+msgid "The umask specified in sudoers will override the user's, even if it is more permissive"
+msgstr "La umask definita in sudoers scavalca quella dell'utente, anche se è più permissiva"
+
+#: plugins/sudoers/def_data.c:311
+msgid "Log user's input for the command being run"
+msgstr "Registra l'input dell'utente per il comando in esecuzione"
+
+#: plugins/sudoers/def_data.c:315
+msgid "Log the output of the command being run"
+msgstr "Registra l'output del comando in esecuzione"
+
+#: plugins/sudoers/def_data.c:319
+msgid "Compress I/O logs using zlib"
+msgstr "Comprime i registri utilizzando zlib"
+
+#: plugins/sudoers/def_data.c:323
+msgid "Always run commands in a pseudo-tty"
+msgstr "Esegue sempre i comandi in uno pseudo-tty"
+
+#: plugins/sudoers/def_data.c:327
+#, c-format
+msgid "Plugin for non-Unix group support: %s"
+msgstr "Plugin per supporto ai gruppi non-Unix: %s"
+
+#: plugins/sudoers/def_data.c:331
+#, c-format
+msgid "Directory in which to store input/output logs: %s"
+msgstr "Directory in cui salvare i registri di I/O: %s"
+
+#: plugins/sudoers/def_data.c:335
+#, c-format
+msgid "File in which to store the input/output log: %s"
+msgstr "File in cui salvare il registro I/O: %s"
+
+#: plugins/sudoers/def_data.c:339
+msgid "Add an entry to the utmp/utmpx file when allocating a pty"
+msgstr "Aggiunge una voce al file utmp/utmpx quando viene allocato un pty"
+
+#: plugins/sudoers/def_data.c:343
+msgid "Set the user in utmp to the runas user, not the invoking user"
+msgstr "Imposta l'utente in utmp all'utente runas, non l'utente invocante"
+
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "Privilegi concessi"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "Privilegi non concessi"
+
+#: plugins/sudoers/defaults.c:208
+#, c-format
+msgid "unknown defaults entry `%s'"
+msgstr "voce Defaults \"%s\" sconosciuta"
+
+#: plugins/sudoers/defaults.c:216 plugins/sudoers/defaults.c:226
+#: plugins/sudoers/defaults.c:246 plugins/sudoers/defaults.c:259
+#: plugins/sudoers/defaults.c:272 plugins/sudoers/defaults.c:285
+#: plugins/sudoers/defaults.c:298 plugins/sudoers/defaults.c:318
+#: plugins/sudoers/defaults.c:328
+#, c-format
+msgid "value `%s' is invalid for option `%s'"
+msgstr "il valore \"%s\" non è valido per l'opzione \"%s\""
+
+#: plugins/sudoers/defaults.c:219 plugins/sudoers/defaults.c:229
+#: plugins/sudoers/defaults.c:237 plugins/sudoers/defaults.c:254
+#: plugins/sudoers/defaults.c:267 plugins/sudoers/defaults.c:280
+#: plugins/sudoers/defaults.c:293 plugins/sudoers/defaults.c:313
+#: plugins/sudoers/defaults.c:324
+#, c-format
+msgid "no value specified for `%s'"
+msgstr "nessun valore specificato per \"%s\""
+
+#: plugins/sudoers/defaults.c:242
+#, c-format
+msgid "values for `%s' must start with a '/'"
+msgstr "i valori per \"%s\" devono iniziare con un carattere \"/\""
+
+#: plugins/sudoers/defaults.c:304
+#, c-format
+msgid "option `%s' does not take a value"
+msgstr "l'opzione \"%s\" non accetta un valore"
+
+#: plugins/sudoers/env.c:367
+#, c-format
+msgid "sudo_putenv: corrupted envp, length mismatch"
+msgstr "sudo_putenv: envp danneggiato, non corrispondenza in lunghezza"
+
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
+#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
+#, c-format
+msgid "unable to allocate memory"
+msgstr "impossibile allocare memoria"
+
+#: plugins/sudoers/env.c:992
+#, c-format
+msgid "sorry, you are not allowed to set the following environment variables: %s"
+msgstr "permessi non sufficienti per impostare le seguenti variabili d'ambiente: %s"
+
+#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
+#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
+#, c-format
+msgid "%s: %s"
+msgstr "%s: %s"
+
+#: plugins/sudoers/group_plugin.c:91
+#, c-format
+msgid "%s%s: %s"
+msgstr "%s%s: %s"
+
+#: plugins/sudoers/group_plugin.c:103
+#, c-format
+msgid "%s must be owned by uid %d"
+msgstr "%s deve essere di proprietà dello uid %d"
+
+#: plugins/sudoers/group_plugin.c:107
+#, c-format
+msgid "%s must only be writable by owner"
+msgstr "%s deve essere scrivibile solo dal proprietario"
+
+#: plugins/sudoers/group_plugin.c:114
+#, c-format
+msgid "unable to dlopen %s: %s"
+msgstr "impossibile eseguire dlopen su %s: %s"
+
+#: plugins/sudoers/group_plugin.c:119
+#, c-format
+msgid "unable to find symbol \"group_plugin\" in %s"
+msgstr "impossibile trovare il simbolo \"group_plugin\" in %s"
+
+#: plugins/sudoers/group_plugin.c:124
+#, c-format
+msgid "%s: incompatible group plugin major version %d, expected %d"
+msgstr "%s: version major %d del plugin per il gruppo non compatibile, atteso %d"
+
+#: plugins/sudoers/interfaces.c:112
+msgid "Local IP address and netmask pairs:\n"
+msgstr "Coppia indirizzo IP locale e maschera di rete:\n"
+
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
+#, c-format
+msgid "unable to read %s"
+msgstr "impossibile leggere %s"
+
+#: plugins/sudoers/iolog.c:208
+#, c-format
+msgid "invalid sequence number %s"
+msgstr "numero di sequenze %s non valido"
+
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
+#, c-format
+msgid "unable to create %s"
+msgstr "impossibile creare %s"
+
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
+#, c-format
+msgid "unable to set locale to \"%s\", using \"C\""
+msgstr "impossibile impostare il locale a \"%s\", viene usato \"C\""
+
+#: plugins/sudoers/ldap.c:387
+#, c-format
+msgid "sudo_ldap_conf_add_ports: port too large"
+msgstr "sudo_ldap_conf_add_ports: porta troppo grande"
+
+#: plugins/sudoers/ldap.c:410
+#, c-format
+msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
+msgstr "sudo_ldap_conf_add_ports: spazio esaurito nell'espansione di hostbuf"
+
+#: plugins/sudoers/ldap.c:440
+#, c-format
+msgid "unsupported LDAP uri type: %s"
+msgstr "tipologia di uri LDAP non supportata: %s"
+
+#: plugins/sudoers/ldap.c:469
+#, c-format
+msgid "invalid uri: %s"
+msgstr "uri non valido: %s"
+
+#: plugins/sudoers/ldap.c:475
+#, c-format
+msgid "unable to mix ldap and ldaps URIs"
+msgstr "impossibile utilizzare URI ldap e ldaps assieme"
+
+#: plugins/sudoers/ldap.c:479
+#, c-format
+msgid "unable to mix ldaps and starttls"
+msgstr "impossibile utilizzare ldaps e starttls assieme"
+
+#: plugins/sudoers/ldap.c:498
+#, c-format
+msgid "sudo_ldap_parse_uri: out of space building hostbuf"
+msgstr "sudo_ldap_parse_uri: spazio esaurito nella generazione di hostbuf"
+
+#: plugins/sudoers/ldap.c:572
+#, c-format
+msgid "unable to initialize SSL cert and key db: %s"
+msgstr "impossibile inizializzare il certificato SSL e il database delle chiavi: %s"
+
+#: plugins/sudoers/ldap.c:575
+#, c-format
+msgid "you must set TLS_CERT in %s to use SSL"
+msgstr "è necessario selezionare TLS_CERT in %s per usare SSL"
+
+#: plugins/sudoers/ldap.c:992
+#, c-format
+msgid "unable to get GMT time"
+msgstr "impossibile ottenere orario GMT"
+
+#: plugins/sudoers/ldap.c:998
+#, c-format
+msgid "unable to format timestamp"
+msgstr "impossibile formattare la marcatura temporale"
+
+#: plugins/sudoers/ldap.c:1006
+#, c-format
+msgid "unable to build time filter"
+msgstr "impossibile creare filtro temporale"
+
+#: plugins/sudoers/ldap.c:1225
+#, c-format
+msgid "sudo_ldap_build_pass1 allocation mismatch"
+msgstr "non corrispondenza nell'allocazione sudo_ldap_build_pass1"
+
+#: plugins/sudoers/ldap.c:1761
+#, c-format
+msgid ""
+"\n"
+"LDAP Role: %s\n"
+msgstr ""
+"\n"
+"Ruolo LDAP: %s\n"
+
+#: plugins/sudoers/ldap.c:1763
+#, c-format
+msgid ""
+"\n"
+"LDAP Role: UNKNOWN\n"
+msgstr ""
+"\n"
+"Ruolo LDAP: sconosciuto\n"
+
+#: plugins/sudoers/ldap.c:1810
+#, c-format
+msgid " Order: %s\n"
+msgstr " Ordine: %s\n"
+
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
+#, c-format
+msgid " Commands:\n"
+msgstr " Comandi:\n"
+
+#: plugins/sudoers/ldap.c:2240
+#, c-format
+msgid "unable to initialize LDAP: %s"
+msgstr "impossibile inizializzare LDAP: %s"
+
+#: plugins/sudoers/ldap.c:2274
+#, c-format
+msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
+msgstr "specificato start_tls ma le librerie LDAP non supportano ldap_start_tls_s() o ldap_start_tls_s_np()"
+
+#: plugins/sudoers/ldap.c:2510
+#, c-format
+msgid "invalid sudoOrder attribute: %s"
+msgstr "attributo sudoOrder non valido: %s"
+
+#: plugins/sudoers/linux_audit.c:57
+#, c-format
+msgid "unable to open audit system"
+msgstr "impossibile aprire il sistema di audit"
+
+#: plugins/sudoers/linux_audit.c:93
+#, c-format
+msgid "unable to send audit message"
+msgstr "impossibile inviare il messaggio di audit"
+
+#: plugins/sudoers/logging.c:202
+#, c-format
+msgid "unable to open log file: %s: %s"
+msgstr "impossibile aprire il file di registro: %s: %s"
+
+#: plugins/sudoers/logging.c:205
+#, c-format
+msgid "unable to lock log file: %s: %s"
+msgstr "impossibile impostare il blocco sul file di registro: %s: %s"
+
+#: plugins/sudoers/logging.c:260
+msgid "user NOT in sudoers"
+msgstr "utente non tra i sudoers"
+
+#: plugins/sudoers/logging.c:262
+msgid "user NOT authorized on host"
+msgstr "utente non autorizzato sull'host"
+
+#: plugins/sudoers/logging.c:264
+msgid "command not allowed"
+msgstr "comando non consentito"
+
+#: plugins/sudoers/logging.c:274
+#, c-format
+msgid "%s is not in the sudoers file. This incident will be reported.\n"
+msgstr "%s non è nel file sudoers. Questo evento verrà segnalato.\n"
+
+#: plugins/sudoers/logging.c:277
+#, c-format
+msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
+msgstr "A %s non è consentito eseguire sudo su %s. Questo evento verrà segnalato.\n"
+
+#: plugins/sudoers/logging.c:281
+#, c-format
+msgid "Sorry, user %s may not run sudo on %s.\n"
+msgstr "L'utente %s non può eseguire sudo su %s.\n"
+
+#: plugins/sudoers/logging.c:284
+#, c-format
+msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
+msgstr "All'utente %s non è consentito eseguire \"%s%s%s\" come %s%s%s su %s.\n"
+
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Nessun utente o host"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "validazione non riuscita"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: comando non trovato"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"viene ignorato \"%s\" trovato in \".\"\n"
+"Usare \"sudo ./%s\" se \"%s\" è quello da eseguire."
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "autenticazione non riuscita"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d tentativo di immissione password non corretto"
+msgstr[1] "%d tentativi di immissione password non corretti"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "è necessaria una password"
+
+#: plugins/sudoers/logging.c:530
+#, c-format
+msgid "unable to fork"
+msgstr "impossibile eseguire fork"
+
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
+#, c-format
+msgid "unable to fork: %m"
+msgstr "impossibile eseguire fork: %m"
+
+#: plugins/sudoers/logging.c:589
+#, c-format
+msgid "unable to open pipe: %m"
+msgstr "impossibile aprire una pipe: %m"
+
+#: plugins/sudoers/logging.c:614
+#, c-format
+msgid "unable to dup stdin: %m"
+msgstr "impossibile eseguire dup sullo stdin: %m"
+
+#: plugins/sudoers/logging.c:650
+#, c-format
+msgid "unable to execute %s: %m"
+msgstr "impossibile eseguire %s: %m"
+
+#: plugins/sudoers/logging.c:865
+#, c-format
+msgid "internal error: insufficient space for log line"
+msgstr "errore interno: spazio insufficiente per la riga di registro"
+
+#: plugins/sudoers/parse.c:123
+#, c-format
+msgid "parse error in %s near line %d"
+msgstr "errore di analisi in %s vicino alla riga %d"
+
+#: plugins/sudoers/parse.c:126
+#, c-format
+msgid "parse error in %s"
+msgstr "errore di analisi in %s"
+
+#: plugins/sudoers/parse.c:414
+#, c-format
+msgid ""
+"\n"
+"Sudoers entry:\n"
+msgstr ""
+"\n"
+"Voce sudoers:\n"
+
+#: plugins/sudoers/parse.c:416
+#, c-format
+msgid " RunAsUsers: "
+msgstr " RunAsUsers: "
+
+#: plugins/sudoers/parse.c:431
+#, c-format
+msgid " RunAsGroups: "
+msgstr " RunAsGroups: "
+
+#: plugins/sudoers/parse.c:440
+#, c-format
+msgid ""
+" Commands:\n"
+"\t"
+msgstr ""
+" Comandi:\n"
+"\t"
+
+#: plugins/sudoers/plugin_error.c:100 plugins/sudoers/plugin_error.c:105
+msgid ": "
+msgstr ": "
+
+#: plugins/sudoers/pwutil.c:278
+#, c-format
+msgid "unable to cache uid %u (%s), already exists"
+msgstr "impossibile salvare in cache lo uid %u (%s), esiste già"
+
+#: plugins/sudoers/pwutil.c:286
+#, c-format
+msgid "unable to cache uid %u, already exists"
+msgstr "impossibile salvare in cache lo uid %u, esiste già"
+
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
+#, c-format
+msgid "unable to cache user %s, already exists"
+msgstr "impossibile salvare in cache l'utente %s, esiste già"
+
+#: plugins/sudoers/pwutil.c:668
+#, c-format
+msgid "unable to cache gid %u (%s), already exists"
+msgstr "impossibile salvare in cache il gid %u (%s), esiste già"
+
+#: plugins/sudoers/pwutil.c:676
+#, c-format
+msgid "unable to cache gid %u, already exists"
+msgstr "impossibile salvare in cache il gid %u, esiste già"
+
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
+#, c-format
+msgid "unable to cache group %s, already exists"
+msgstr "impossibile salvare in cache il gruppo %s, esiste già"
+
+#: plugins/sudoers/set_perms.c:122 plugins/sudoers/set_perms.c:436
+#: plugins/sudoers/set_perms.c:828 plugins/sudoers/set_perms.c:1114
+#: plugins/sudoers/set_perms.c:1396
+msgid "perm stack overflow"
+msgstr "overflow dello stack perm"
+
+#: plugins/sudoers/set_perms.c:130 plugins/sudoers/set_perms.c:444
+#: plugins/sudoers/set_perms.c:836 plugins/sudoers/set_perms.c:1122
+#: plugins/sudoers/set_perms.c:1404
+msgid "perm stack underflow"
+msgstr "underflow dello stack perm"
+
+#: plugins/sudoers/set_perms.c:270 plugins/sudoers/set_perms.c:580
+#: plugins/sudoers/set_perms.c:957 plugins/sudoers/set_perms.c:1243
+msgid "unable to change to runas gid"
+msgstr "impossibile passare al gid runas"
+
+#: plugins/sudoers/set_perms.c:282 plugins/sudoers/set_perms.c:592
+#: plugins/sudoers/set_perms.c:967 plugins/sudoers/set_perms.c:1253
+msgid "unable to change to runas uid"
+msgstr "impossibile passare allo uid runas"
+
+#: plugins/sudoers/set_perms.c:300 plugins/sudoers/set_perms.c:610
+#: plugins/sudoers/set_perms.c:983 plugins/sudoers/set_perms.c:1269
+msgid "unable to change to sudoers gid"
+msgstr "impossibile passare al gid sudoers"
+
+#: plugins/sudoers/set_perms.c:353 plugins/sudoers/set_perms.c:681
+#: plugins/sudoers/set_perms.c:1029 plugins/sudoers/set_perms.c:1315
+#: plugins/sudoers/set_perms.c:1474
+msgid "too many processes"
+msgstr "troppi processi"
+
+#: plugins/sudoers/set_perms.c:1542
+msgid "unable to set runas group vector"
+msgstr "impossibile impostare il vettore di gruppo per runas"
+
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "Impossibile eseguire dlopen su %s: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "Impossibile inizializzare la sorgente SSS. È stato installato SSSD?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "impossibile trovare il simbolo \"%s\" in \"%s\""
+
+#: plugins/sudoers/sudo_nss.c:267
+#, c-format
+msgid "Matching Defaults entries for %s on this host:\n"
+msgstr "Corrispondenza voci Defaults per %s su questo host:\n"
+
+#: plugins/sudoers/sudo_nss.c:280
+#, c-format
+msgid "Runas and Command-specific defaults for %s:\n"
+msgstr "Valori predefiniti per Runas e Command per %s:\n"
+
+#: plugins/sudoers/sudo_nss.c:293
+#, c-format
+msgid "User %s may run the following commands on this host:\n"
+msgstr "L'utente %s può eseguire i seguenti comandi su questo host:\n"
+
+#: plugins/sudoers/sudo_nss.c:302
+#, c-format
+msgid "User %s is not allowed to run sudo on %s.\n"
+msgstr "L'utente %s non è abilitato all'esecuzione di sudo su %s.\n"
+
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
+msgid "problem with defaults entries"
+msgstr "problema con le voci Defaults"
+
+#: plugins/sudoers/sudoers.c:216
+#, c-format
+msgid "no valid sudoers sources found, quitting"
+msgstr "nessuna sorgente valida di sudoers trovata, uscita"
+
+#: plugins/sudoers/sudoers.c:268
+#, c-format
+msgid "unable to execute %s: %s"
+msgstr "impossibile eseguire %s: %s"
+
+#: plugins/sudoers/sudoers.c:335
+#, c-format
+msgid "sudoers specifies that root is not allowed to sudo"
+msgstr "sudoers indica che a root non è consentito usare sudo"
+
+#: plugins/sudoers/sudoers.c:342
+#, c-format
+msgid "you are not permitted to use the -C option"
+msgstr "non è consentito usare l'opzione -C"
+
+#: plugins/sudoers/sudoers.c:431
+#, c-format
+msgid "timestamp owner (%s): No such user"
+msgstr "proprietario marcatura temporale (%s): utente inesistente"
+
+#: plugins/sudoers/sudoers.c:447
+msgid "no tty"
+msgstr "nessun tty"
+
+#: plugins/sudoers/sudoers.c:448
+#, c-format
+msgid "sorry, you must have a tty to run sudo"
+msgstr "è necessario disporre di un tty per eseguire sudo"
+
+#: plugins/sudoers/sudoers.c:498
+msgid "command in current directory"
+msgstr "comando nella directory corrente"
+
+#: plugins/sudoers/sudoers.c:510
+#, c-format
+msgid "sorry, you are not allowed to preserve the environment"
+msgstr "non è consentito preservare l'ambiente"
+
+#: plugins/sudoers/sudoers.c:1006
+#, c-format
+msgid "%s is not a regular file"
+msgstr "%s non è un file regolare"
+
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "%s è di proprietà dello uid %u, dovrebbe essere di %u"
+
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
+#, c-format
+msgid "%s is world writable"
+msgstr "%s è scrivibile da tutti"
+
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
+#, c-format
+msgid "%s is owned by gid %u, should be %u"
+msgstr "%s è di proprietà del gid %u, dovrebbe essere di %u"
+
+#: plugins/sudoers/sudoers.c:1043
+#, c-format
+msgid "only root can use `-c %s'"
+msgstr "solo root può usare \"-c %s\""
+
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
+#, c-format
+msgid "unknown login class: %s"
+msgstr "classe di login sconosciuta: %s"
+
+#: plugins/sudoers/sudoers.c:1089
+#, c-format
+msgid "unable to resolve host %s"
+msgstr "impossibile risolvere l'host %s"
+
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
+#, c-format
+msgid "unknown group: %s"
+msgstr "gruppo sconosciuto: %s"
+
+#: plugins/sudoers/sudoers.c:1190
+#, c-format
+msgid "Sudoers policy plugin version %s\n"
+msgstr "Versione %s del plugin della politica sudoers\n"
+
+#: plugins/sudoers/sudoers.c:1192
+#, c-format
+msgid "Sudoers file grammar version %d\n"
+msgstr "Versione %d della grammatica del file sudoers\n"
+
+#: plugins/sudoers/sudoers.c:1196
+#, c-format
+msgid ""
+"\n"
+"Sudoers path: %s\n"
+msgstr ""
+"\n"
+"Percorso sudoers: %s\n"
+
+#: plugins/sudoers/sudoers.c:1199
+#, c-format
+msgid "nsswitch path: %s\n"
+msgstr "percorso nsswitch: %s\n"
+
+#: plugins/sudoers/sudoers.c:1201
+#, c-format
+msgid "ldap.conf path: %s\n"
+msgstr "percorso ldap.conf: %s\n"
+
+#: plugins/sudoers/sudoers.c:1202
+#, c-format
+msgid "ldap.secret path: %s\n"
+msgstr "percorso ldap.secret: %s\n"
+
+#: plugins/sudoers/sudoreplay.c:293
+#, c-format
+msgid "invalid filter option: %s"
+msgstr "opzione di filtro non valida: %s"
+
+#: plugins/sudoers/sudoreplay.c:306
+#, c-format
+msgid "invalid max wait: %s"
+msgstr "attesa massima non valida: %s"
+
+#: plugins/sudoers/sudoreplay.c:312
+#, c-format
+msgid "invalid speed factor: %s"
+msgstr "fattore di velocità non valido: %s"
+
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
+#, c-format
+msgid "%s version %s\n"
+msgstr "%s versione %s\n"
+
+#: plugins/sudoers/sudoreplay.c:340
+#, c-format
+msgid "%s/%.2s/%.2s/%.2s/timing: %s"
+msgstr "%s/%.2s/%.2s/%.2s/timing: %s"
+
+#: plugins/sudoers/sudoreplay.c:346
+#, c-format
+msgid "%s/%s/timing: %s"
+msgstr "%s/%s/timing: %s"
+
+#: plugins/sudoers/sudoreplay.c:364
+#, c-format
+msgid "Replaying sudo session: %s\n"
+msgstr "Riproduzione della sessione sudo: %s\n"
+
+#: plugins/sudoers/sudoreplay.c:370
+#, c-format
+msgid "Warning: your terminal is too small to properly replay the log.\n"
+msgstr "Attenzione: il terminale è troppo piccolo per riprodurre correttamente il registro.\n"
+
+#: plugins/sudoers/sudoreplay.c:371
+#, c-format
+msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
+msgstr "La geometria del registro è %dx%d, quella del terminale è %dx%d."
+
+#: plugins/sudoers/sudoreplay.c:401
+#, c-format
+msgid "unable to set tty to raw mode"
+msgstr "impossibile impostare il terminale in modalità raw"
+
+#: plugins/sudoers/sudoreplay.c:418
+#, c-format
+msgid "invalid timing file line: %s"
+msgstr "riga di timing del file non valida: %sas"
+
+#: plugins/sudoers/sudoreplay.c:501
+#, c-format
+msgid "writing to standard output"
+msgstr "scrittura sullo standard output"
+
+#: plugins/sudoers/sudoreplay.c:530
+#, c-format
+msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
+msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
+
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
+#, c-format
+msgid "ambiguous expression \"%s\""
+msgstr "espressione \"%s\" ambigua"
+
+#: plugins/sudoers/sudoreplay.c:685
+#, c-format
+msgid "too many parenthesized expressions, max %d"
+msgstr "troppe espressioni con parentesi, massimo %d"
+
+#: plugins/sudoers/sudoreplay.c:696
+#, c-format
+msgid "unmatched ')' in expression"
+msgstr "carattere \"(\" nell'espressione non corrisposto"
+
+#: plugins/sudoers/sudoreplay.c:702
+#, c-format
+msgid "unknown search term \"%s\""
+msgstr "termine di ricerca \"%s\" non conosciuto"
+
+#: plugins/sudoers/sudoreplay.c:716
+#, c-format
+msgid "%s requires an argument"
+msgstr "%s richiede un argomento"
+
+#: plugins/sudoers/sudoreplay.c:720
+#, c-format
+msgid "invalid regular expression: %s"
+msgstr "espressione regolare non valida: %s"
+
+#: plugins/sudoers/sudoreplay.c:726
+#, c-format
+msgid "could not parse date \"%s\""
+msgstr "impossibile analizzare la data \"%s\""
+
+#: plugins/sudoers/sudoreplay.c:739
+#, c-format
+msgid "unmatched '(' in expression"
+msgstr "carattere \"(\" nell'espressione non corrisposto"
+
+#: plugins/sudoers/sudoreplay.c:741
+#, c-format
+msgid "illegal trailing \"or\""
+msgstr "\"or\" finale non consentito"
+
+#: plugins/sudoers/sudoreplay.c:743
+#, c-format
+msgid "illegal trailing \"!\""
+msgstr "carattere \"!\" finale non consentito"
+
+#: plugins/sudoers/sudoreplay.c:1050
+#, c-format
+msgid "invalid regex: %s"
+msgstr "espressione regolare non valida: %s"
+
+#: plugins/sudoers/sudoreplay.c:1174
+#, c-format
+msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
+msgstr "uso: %s [-h] [-d DIRECTORY] [-m MAX_WAIT] [-s SPEED_FACTOR] ID\n"
+
+#: plugins/sudoers/sudoreplay.c:1177
+#, c-format
+msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
+msgstr "uso: %s [-h] [-d DIRECTORY] -l [ESPRESSIONE DI RICERCA]\n"
+
+#: plugins/sudoers/sudoreplay.c:1186
+#, c-format
+msgid ""
+"%s - replay sudo session logs\n"
+"\n"
+msgstr ""
+"%s - Riproduce i registri di sessione di sudo\n"
+"\n"
+
+#: plugins/sudoers/sudoreplay.c:1188
+msgid ""
+"\n"
+"Options:\n"
+" -d directory specify directory for session logs\n"
+" -f filter specify which I/O type to display\n"
+" -h display help message and exit\n"
+" -l [expression] list available session IDs that match expression\n"
+" -m max_wait max number of seconds to wait between events\n"
+" -s speed_factor speed up or slow down output\n"
+" -V display version information and exit"
+msgstr ""
+"\n"
+"Opzioni:\n"
+" -d DIRECTORY Specifica la directory per i registri di sessione\n"
+" -f filter Specifica il tipo di I/O da mostrare\n"
+" -h Visualizza il messaggio di aiuto ed esce\n"
+" -l [ESPRESSIONE] Elenca gli ID di sessione disponibili corrispondenti\n"
+" -m MAX_WAIT Secondi da attendere tra gli eventi\n"
+" -s SPEED_FACTOR Velocizza o rallenta l'output\n"
+" -V Visualizza la versione ed esce"
+
+#: plugins/sudoers/testsudoers.c:338
+msgid "\thost unmatched"
+msgstr "\thost non trovato"
+
+#: plugins/sudoers/testsudoers.c:341
+msgid ""
+"\n"
+"Command allowed"
+msgstr ""
+"\n"
+"Comando consentito"
+
+#: plugins/sudoers/testsudoers.c:342
+msgid ""
+"\n"
+"Command denied"
+msgstr ""
+"\n"
+"Comando negato"
+
+#: plugins/sudoers/testsudoers.c:342
+msgid ""
+"\n"
+"Command unmatched"
+msgstr ""
+"\n"
+"Comando non trovato"
+
+#: plugins/sudoers/toke_util.c:218
+msgid "fill_args: buffer overflow"
+msgstr "fill_args: buffer overflow"
+
+#: plugins/sudoers/visudo.c:188
+#, c-format
+msgid "%s grammar version %d\n"
+msgstr "%s versione grammaticale %d\n"
+
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
+#, c-format
+msgid "press return to edit %s: "
+msgstr "premere Invio per modificare %s:"
+
+#: plugins/sudoers/visudo.c:335 plugins/sudoers/visudo.c:341
+#, c-format
+msgid "write error"
+msgstr "errore di scrittura"
+
+#: plugins/sudoers/visudo.c:423
+#, c-format
+msgid "unable to stat temporary file (%s), %s unchanged"
+msgstr "impossibile eseguire stat sul file temporaneo (%s), %s non modificato"
+
+#: plugins/sudoers/visudo.c:428
+#, c-format
+msgid "zero length temporary file (%s), %s unchanged"
+msgstr "file temporaneo di lunghezza pari a zero (%s), %s non modificato"
+
+#: plugins/sudoers/visudo.c:434
+#, c-format
+msgid "editor (%s) failed, %s unchanged"
+msgstr "editor (%s) non riuscito, %s non modificato"
+
+#: plugins/sudoers/visudo.c:457
+#, c-format
+msgid "%s unchanged"
+msgstr "%s non modificato"
+
+#: plugins/sudoers/visudo.c:486
+#, c-format
+msgid "unable to re-open temporary file (%s), %s unchanged."
+msgstr "impossibile riaprire il file temporaneo (%s), %s non modificato"
+
+#: plugins/sudoers/visudo.c:496
+#, c-format
+msgid "unabled to parse temporary file (%s), unknown error"
+msgstr "impossibile analizzare il file temporaneo (%s), errore sconosciuto"
+
+#: plugins/sudoers/visudo.c:534
+#, c-format
+msgid "internal error, unable to find %s in list!"
+msgstr "errore interno, impossibile trovare %s nell'elenco."
+
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
+#, c-format
+msgid "unable to set (uid, gid) of %s to (%u, %u)"
+msgstr "impossibile impostare (uid, gid) di %s a (%u, %u)"
+
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
+#, c-format
+msgid "unable to change mode of %s to 0%o"
+msgstr "impossibile modificare la modalità di %s a 0%o"
+
+#: plugins/sudoers/visudo.c:617
+#, c-format
+msgid "%s and %s not on the same file system, using mv to rename"
+msgstr "%s e %s non sono sullo stesso file system, viene usato \"mv\" per rinominare"
+
+#: plugins/sudoers/visudo.c:631
+#, c-format
+msgid "command failed: '%s %s %s', %s unchanged"
+msgstr "comando non riuscito: \"%s %s %s\", %s non modificato"
+
+#: plugins/sudoers/visudo.c:641
+#, c-format
+msgid "error renaming %s, %s unchanged"
+msgstr "errore nel rinominare %s, %s non è stato modificato"
+
+#: plugins/sudoers/visudo.c:704
+msgid "What now? "
+msgstr "Cosa fare ora?"
+
+#: plugins/sudoers/visudo.c:718
+msgid ""
+"Options are:\n"
+" (e)dit sudoers file again\n"
+" e(x)it without saving changes to sudoers file\n"
+" (Q)uit and save changes to sudoers file (DANGER!)\n"
+msgstr ""
+"Le opzioni sono:\n"
+" (e) Modifica nuovamente il file sudoers\n"
+" (x) Esce senza salvare le modifiche al file sudoers\n"
+" (Q) Esce e salva le modifiche al file sudoers (pericoloso)\n"
+
+#: plugins/sudoers/visudo.c:759
+#, c-format
+msgid "unable to execute %s"
+msgstr "impossibile eseguire %s"
+
+#: plugins/sudoers/visudo.c:766
+#, c-format
+msgid "unable to run %s"
+msgstr "impossibile avviare %s"
+
+#: plugins/sudoers/visudo.c:792
+#, c-format
+msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
+msgstr "%s: proprietario errato (uid, gid), dovrebbe essere (%u, %u)\n"
+
+#: plugins/sudoers/visudo.c:799
+#, c-format
+msgid "%s: bad permissions, should be mode 0%o\n"
+msgstr "%s: permessi errati, dovrebbe avere modalità 0%o\n"
+
+#: plugins/sudoers/visudo.c:824
+#, c-format
+msgid "failed to parse %s file, unknown error"
+msgstr "analisi del file %s non riuscita, errore sconosciuto"
+
+#: plugins/sudoers/visudo.c:837
+#, c-format
+msgid "parse error in %s near line %d\n"
+msgstr "errore di analisi in %s vicino alla riga %d\n"
+
+#: plugins/sudoers/visudo.c:840
+#, c-format
+msgid "parse error in %s\n"
+msgstr "errore di analisi in %s\n"
+
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
+#, c-format
+msgid "%s: parsed OK\n"
+msgstr "%s: analisi effettuata correttamente\n"
+
+#: plugins/sudoers/visudo.c:899
+#, c-format
+msgid "%s busy, try again later"
+msgstr "%s occupato, riprovare"
+
+#: plugins/sudoers/visudo.c:943
+#, c-format
+msgid "specified editor (%s) doesn't exist"
+msgstr "l'editor specificato (%s) non esiste"
+
+#: plugins/sudoers/visudo.c:966
+#, c-format
+msgid "unable to stat editor (%s)"
+msgstr "impossibile eseguire stat sull'editor (%s)"
+
+#: plugins/sudoers/visudo.c:1014
+#, c-format
+msgid "no editor found (editor path = %s)"
+msgstr "nessun editor trovato (percorso dell'editor = %s)"
+
+#: plugins/sudoers/visudo.c:1108
+#, c-format
+msgid "Error: cycle in %s_Alias `%s'"
+msgstr "Errore: ciclo in %s_Alias \"%s\""
+
+#: plugins/sudoers/visudo.c:1109
+#, c-format
+msgid "Warning: cycle in %s_Alias `%s'"
+msgstr "Attenzione: ciclo in %s_Alias \"%s\""
+
+#: plugins/sudoers/visudo.c:1112
+#, c-format
+msgid "Error: %s_Alias `%s' referenced but not defined"
+msgstr "Errore: riferimento a \"%2$s\" %1$s_Alias, ma non definito"
+
+#: plugins/sudoers/visudo.c:1113
+#, c-format
+msgid "Warning: %s_Alias `%s' referenced but not defined"
+msgstr "Attenzione: riferimento a \"%2$s\" %1$s_Alias, ma non definito"
+
+#: plugins/sudoers/visudo.c:1248
+#, c-format
+msgid "%s: unused %s_Alias %s"
+msgstr "%1$s: %3$s di %2$s_Alias non utilizzato"
+
+#: plugins/sudoers/visudo.c:1304
+#, c-format
+msgid ""
+"%s - safely edit the sudoers file\n"
+"\n"
+msgstr "%s - Modifica in sicurezza il file sudoers\n"
+
+#: plugins/sudoers/visudo.c:1306
+msgid ""
+"\n"
+"Options:\n"
+" -c check-only mode\n"
+" -f sudoers specify sudoers file location\n"
+" -h display help message and exit\n"
+" -q less verbose (quiet) syntax error messages\n"
+" -s strict syntax checking\n"
+" -V display version information and exit"
+msgstr ""
+"\n"
+"Opzioni:\n"
+" -c Modalità solo verifica\n"
+" -f sudoers Specifica la posizione del file sudoers\n"
+" -h Visualizza il messaggio di aiuto ed esce\n"
+" -q Messaggi di errore meno prolissi\n"
+" -s Verifica precisa della sintassi\n"
+" -V Visualizza la versione ed esce"
+
+#: toke.l:820
+msgid "too many levels of includes"
+msgstr "troppi livelli di inclusioni"
# Takeshi Hamasaki <hmatrjp@users.sourceforge.jp>, 2012.
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc3\n"
+"Project-Id-Version: sudoers 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-30 16:10+0900\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-18 19:27+0900\n"
"Last-Translator: Takeshi Hamasaki <hmatrjp@users.sourceforge.jp>\n"
"Language-Team: Japanese <translation-team-ja@lists.sourceforge.net>\n"
"Language: ja\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Poedit-Basepath: /factory/ja-po/sudoers/sudo-1.8.5rc3\n"
-#: gram.y:110
+#: gram.y:112
#, c-format
msgid ">>> %s: %s near line %d <<<"
msgstr ">>> %s: %s (%d行付近) <<<"
msgid "unable to initialize SIA session"
msgstr "SIA セッションを初期化できません"
-#: plugins/sudoers/auth/sudo_auth.c:117
+#: plugins/sudoers/auth/sudo_auth.c:121
msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
msgstr "無効な認証方法が sudo のコンパイル時に組み込まれています! スタンドアローンと非スタンドアローン認証を組み合わせているようです。"
-#: plugins/sudoers/auth/sudo_auth.c:199
+#: plugins/sudoers/auth/sudo_auth.c:206
msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
msgstr "認証方法が sudo のコンパイル時に組み込まれていません! 認証を無効にする場合には、configure オプションで --disable-authentication を指定してください。"
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d 回パスワード試行を間違えました"
-
#: plugins/sudoers/auth/sudo_auth.c:374
msgid "Authentication methods:"
msgstr "認証方法:"
msgid "au_to_text: failed"
msgstr "au_to_text: 失敗しました"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "%s を実行するにはパスワードが必要です。すみません"
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
-#: plugins/sudoers/visudo.c:815
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
#, c-format
msgid "unable to open %s"
msgstr "%s を開けません"
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "%s へ書き込むことができません"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "ディレクトリ %s を作成できません"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
#, c-format
-msgid "internal error, expand_prompt() overflow"
-msgstr "内部エラー、expand_prompt() がオーバーフローしました"
+msgid "internal error, %s overflow"
+msgstr "内部エラー、%s がオーバーフローしました"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:460
#, c-format
msgid "timestamp path too long: %s"
msgstr "タイムスタンプ用パスが長すぎます: %s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s が存在しますがディレクトリではありません (0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "%s はユーザーID (uid) %u によって所有されています。これはユーザーID %u であるべきです"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "%s は所有者以外でも書き込み可能 (0%o) です。アクセス権限のモードは 0700 であるべきです"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
-#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
#, c-format
msgid "unable to stat %s"
msgstr "%s の状態取得 (stat) ができません"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:577
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s が存在しますが通常ファイル (0%o) ではありません"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:589
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "%s は所有者以外でも書き込み可能 (0%o) です。アクセス権限のモードは 0600 であるべきです"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:643
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "タイムスタンプが遠すぎる将来になっています: %20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:690
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "%s (%s) を削除できません。エポックにリセットします"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:698
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "%s をエポックにリセットできません"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
#, c-format
msgid "unknown uid: %u"
msgstr "不明なユーザーID (uid) です: %u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "不明なユーザーです: %s"
msgid "Set the user in utmp to the runas user, not the invoking user"
msgstr "utmp に記録するユーザーを、実行したユーザーではなく、変更後のユーザーにします"
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "許容される権限の集合"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "制限される権限の集合"
+
#: plugins/sudoers/defaults.c:208
#, c-format
msgid "unknown defaults entry `%s'"
msgid "option `%s' does not take a value"
msgstr "オプション `%s' は値をとりません"
-#: plugins/sudoers/env.c:339
+#: plugins/sudoers/env.c:367
#, c-format
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr "sudo_putenv: envp が破損しています。長さが合いません"
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
-#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:870 toke.l:966
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
#, c-format
msgid "unable to allocate memory"
msgstr "メモリ割り当てを行えませんでした"
-#: plugins/sudoers/env.c:366
-#, c-format
-msgid "internal error, sudo_setenv2() overflow"
-msgstr "内部エラー、 sudo_setenv2() がオーバーフローしました"
-
-#: plugins/sudoers/env.c:410
-#, c-format
-msgid "internal error, sudo_setenv() overflow"
-msgstr "内部エラー、 sudo_setenv() がオーバーフローしました"
-
-#: plugins/sudoers/env.c:955
+#: plugins/sudoers/env.c:992
#, c-format
msgid "sorry, you are not allowed to set the following environment variables: %s"
msgstr "すみませんが、あなたは次の環境変数を設定することを許可されていません: %s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
-#: plugins/sudoers/sudoers.c:950 toke.l:678 toke.l:866
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
msgid "Local IP address and netmask pairs:\n"
msgstr "ローカル IP アドレスとネットマスクの組:\n"
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
#, c-format
msgid "unable to read %s"
msgstr "%s を読み込めません"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "無効な順序番号です: %s"
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "%s を作成できません"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "ロケールを \"%s\" に設定できません。 \"C\" を使用します"
-#: plugins/sudoers/ldap.c:378
+#: plugins/sudoers/ldap.c:387
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports: ポートが大きすぎます"
-#: plugins/sudoers/ldap.c:401
+#: plugins/sudoers/ldap.c:410
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports: hostbuf を拡張中にメモリ空間が不足しました"
-#: plugins/sudoers/ldap.c:431
+#: plugins/sudoers/ldap.c:440
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "サポートされてない LDAP URI タイプです: %s"
-#: plugins/sudoers/ldap.c:460
+#: plugins/sudoers/ldap.c:469
#, c-format
msgid "invalid uri: %s"
msgstr "無効な URI です: %s"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:475
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "ldap と ldaps の URI を混ぜて使用できません"
-#: plugins/sudoers/ldap.c:470
+#: plugins/sudoers/ldap.c:479
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "ldaps と starttls を混ぜて使用できません"
-#: plugins/sudoers/ldap.c:489
+#: plugins/sudoers/ldap.c:498
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri: hostbuf を構築中にメモリ空間が不足しました"
-#: plugins/sudoers/ldap.c:563
+#: plugins/sudoers/ldap.c:572
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "SSL 証明書と鍵データベースを初期化できません: %s"
-#: plugins/sudoers/ldap.c:566
+#: plugins/sudoers/ldap.c:575
#, c-format
msgid "you must set TLS_CERT in %s to use SSL"
msgstr "SSL を使用するためには %s の中の TLS_CERT を設定する必要があります"
-#: plugins/sudoers/ldap.c:973
+#: plugins/sudoers/ldap.c:992
#, c-format
msgid "unable to get GMT time"
msgstr "GMT 時刻を取得できません"
-#: plugins/sudoers/ldap.c:979
+#: plugins/sudoers/ldap.c:998
#, c-format
msgid "unable to format timestamp"
msgstr "タイムスタンプを書式整形できません"
-#: plugins/sudoers/ldap.c:987
+#: plugins/sudoers/ldap.c:1006
#, c-format
msgid "unable to build time filter"
msgstr "時刻フィルターを構築できません"
-#: plugins/sudoers/ldap.c:1202
+#: plugins/sudoers/ldap.c:1225
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "sudo_ldap_build_pass1 配置が一致しません"
-#: plugins/sudoers/ldap.c:1738
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"LDAP 役割: %s\n"
-#: plugins/sudoers/ldap.c:1740
+#: plugins/sudoers/ldap.c:1763
#, c-format
msgid ""
"\n"
"\n"
"LDAP 役割: 不明\n"
-#: plugins/sudoers/ldap.c:1787
+#: plugins/sudoers/ldap.c:1810
#, c-format
msgid " Order: %s\n"
msgstr " Order: %s\n"
-#: plugins/sudoers/ldap.c:1795
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
#, c-format
msgid " Commands:\n"
msgstr " コマンド:\n"
-#: plugins/sudoers/ldap.c:2216
+#: plugins/sudoers/ldap.c:2240
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "LDAP を初期化できません: %s"
-#: plugins/sudoers/ldap.c:2250
+#: plugins/sudoers/ldap.c:2274
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "start_tls が指定されていますが、LDAP ライブラリが ldap_start_tls_s() または ldap_start_tls_s_np() をサポートしていません"
-#: plugins/sudoers/ldap.c:2486
+#: plugins/sudoers/ldap.c:2510
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "無効な sudoOrder 属性です: %s"
msgid "unable to open audit system"
msgstr "監査システムを開くことができません"
-#: plugins/sudoers/linux_audit.c:82
-#, c-format
-msgid "internal error, linux_audit_command() overflow"
-msgstr "内部エラー、linux_audit_command() がオーバーフローしました"
-
-#: plugins/sudoers/linux_audit.c:91
+#: plugins/sudoers/linux_audit.c:93
#, c-format
msgid "unable to send audit message"
msgstr "監査メッセージを送ることができません"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "ログファイルを開けません: %s: %s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "ログファイルをロックできません: %s: %s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "ユーザーが sudoers 内にありません"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "ホスト上でユーザーが認証されていません"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "コマンドが許可されていません"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "%s は sudoers ファイル内にありません。この事象は記録・報告されます。\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "%s は %s 上で sudo を実行することを許可されていません。この事象は記録・報告されます。\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "ユーザー %s は %s 上で sudo を実行できません。すみません。\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "ユーザー %s は'%s%s%s' を %s%s%s として %s 上で実行することは許可されていません。すみません。\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "ユーザーまたはホストがありません"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "検証に失敗しました"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: コマンドが見つかりません"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"'.' 内で見つかった `%1$s' を無視します\n"
+"この `%3$s' を実行したい場合は `sudo ./%2$s' を使用してください。"
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "認証失敗"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d 回パスワード試行を間違えました"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "パスワードが必要です"
+
+#: plugins/sudoers/logging.c:530
#, c-format
msgid "unable to fork"
msgstr "fork できません"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
#, c-format
msgid "unable to fork: %m"
msgstr "fork できません: %m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:589
#, c-format
msgid "unable to open pipe: %m"
msgstr "パイプを開けません: %m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:614
#, c-format
msgid "unable to dup stdin: %m"
msgstr "標準入力を複製できません: %m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:650
#, c-format
msgid "unable to execute %s: %m"
msgstr "%s を実行できません: %m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:865
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "内部エラー: ログの行に十分な空間がありません"
msgid "parse error in %s"
msgstr "%s 内で構文解析エラーが発生しました"
-#: plugins/sudoers/parse.c:389
+#: plugins/sudoers/parse.c:414
#, c-format
msgid ""
"\n"
"\n"
"sudoers 項目:\n"
-#: plugins/sudoers/parse.c:391
+#: plugins/sudoers/parse.c:416
#, c-format
msgid " RunAsUsers: "
msgstr " RunAsUsers: "
-#: plugins/sudoers/parse.c:406
+#: plugins/sudoers/parse.c:431
#, c-format
msgid " RunAsGroups: "
msgstr " RunAsGroups: "
-#: plugins/sudoers/parse.c:415
+#: plugins/sudoers/parse.c:440
#, c-format
msgid ""
" Commands:\n"
msgid ": "
msgstr ": "
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "ユーザーID %u (%s) をキャッシュできません。すでに存在します"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "ユーザーID %u をキャッシュできません。すでに存在します"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "ユーザー %s をキャッシュできません。すでに存在します"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "グループID %u (%s) をキャッシュできません。すでに存在します"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "グループID %u をキャッシュできません。すでに存在します"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "グループ %s をキャッシュできません。すでに存在します"
msgid "unable to set runas group vector"
msgstr "グループベクトルを実行するためのものに変更できません"
-#: plugins/sudoers/sudo_nss.c:243
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "dlopen %s を行うことができません: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "SSS のソースを初期化できません。SSSD はあなたのマシンにインストールされていますか?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "シンボル \"%s\" が %s 内にありません"
+
+#: plugins/sudoers/sudo_nss.c:267
#, c-format
msgid "Matching Defaults entries for %s on this host:\n"
msgstr "このホスト上でユーザー %s に一致したデフォルト項目:\n"
-#: plugins/sudoers/sudo_nss.c:256
+#: plugins/sudoers/sudo_nss.c:280
#, c-format
msgid "Runas and Command-specific defaults for %s:\n"
msgstr "ユーザー %s 用の Runas およびコマンド特有のデフォルト:\n"
-#: plugins/sudoers/sudo_nss.c:269
+#: plugins/sudoers/sudo_nss.c:293
#, c-format
msgid "User %s may run the following commands on this host:\n"
msgstr "ユーザー %s は次のコマンドをこのホスト上で実行できます:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:302
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "ユーザー %s は %s 上で sudo を実行することを許可されていません。\n"
-#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
msgid "problem with defaults entries"
msgstr "デフォルト項目で問題が発生しました"
-#: plugins/sudoers/sudoers.c:212
+#: plugins/sudoers/sudoers.c:216
#, c-format
msgid "no valid sudoers sources found, quitting"
msgstr "有効な sudoers のソースが見つかりません。終了します"
-#: plugins/sudoers/sudoers.c:264
+#: plugins/sudoers/sudoers.c:268
#, c-format
msgid "unable to execute %s: %s"
msgstr "%s を実行できません: %s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:335
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "sudoers の指定により root が sudo を使用することは禁止されています"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:342
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "-C オプションを使用することは許可されていません"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:431
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "タイムスタンプの所有者 (%s): そのようなユーザーはありません"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:447
msgid "no tty"
msgstr "tty がありません"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:448
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "sudo を実行するには tty がなければいけません。すみません"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "ユーザーまたはホストがありません"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s: コマンドが見つかりません"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"'.' 内で見つかった `%1$s' を無視します\n"
-"この `%3$s' を実行したい場合は `sudo ./%2$s' を使用してください。"
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "検証に失敗しました"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:498
msgid "command in current directory"
msgstr "コマンドがカレントディレクトリにあります"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:510
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "あなたは環境変数を保護することを許可されていません。すみません"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
-#, c-format
-msgid "internal error, runas_groups overflow"
-msgstr "内部エラー、runas_groups がオーバーフローしました"
-
-#: plugins/sudoers/sudoers.c:941
-#, c-format
-msgid "internal error, set_cmnd() overflow"
-msgstr "内部エラー、set_cmnd() がオーバーフローしました"
-
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:1006
#, c-format
msgid "%s is not a regular file"
msgstr "%s は通常ファイルではありません"
-#: plugins/sudoers/sudoers.c:1004 toke.l:829
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s はユーザーID %u によって所有されています。これは %u であるべきです"
-#: plugins/sudoers/sudoers.c:1008 toke.l:836
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
#, c-format
msgid "%s is world writable"
msgstr "%s は誰でも書き込み可能です"
-#: plugins/sudoers/sudoers.c:1011 toke.l:841
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
#, c-format
msgid "%s is owned by gid %u, should be %u"
msgstr "%s のグループIDは %u になっています。これは %u であるべきです"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1043
#, c-format
msgid "only root can use `-c %s'"
msgstr "root のみ `-c %s' を使用できます"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
#, c-format
msgid "unknown login class: %s"
msgstr "不明なログインクラスです: %s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1089
#, c-format
msgid "unable to resolve host %s"
msgstr "ホスト %s の名前解決ができません"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "不明なグループです: %s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1190
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "sudoers ポリシープラグイン バージョン %s\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "sudoers ファイル文法バージョン %d\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1196
#, c-format
msgid ""
"\n"
"\n"
"sudoers のパス: %s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1199
#, c-format
msgid "nsswitch path: %s\n"
msgstr "nsswitch のパス: %s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1201
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "ldap.conf のパス: %s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1202
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "ldap.secret のパス: %s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "無効なフィルターオプションです: %s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "無効な最大待機時間です: %s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "無効な speed_factor の値です: %s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s バージョン %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s/タイミング: %s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/タイミング: %s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "リプレイする sudo セッション: %s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "警告: ログをきちんとリプレイするには端末が小さすぎます。\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "ログの大きさは %d x %d で、端末の大きさは %d x %d です。"
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "tty を raw モードに設定できません"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "無効なタイミングファイルの行です: %s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "標準出力に書き込んでいます"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "曖昧な式 \"%s です\""
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "式内の小括弧のくくりが多すぎます。最大は %d です。"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "式内で ')' が不一致です"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "不明な検索語 \"%s\" です"
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s は引数が必要です"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "無効な正規表現です: %s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "日付 \"%s\" を構文解析できませんでした"
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "式内で '(' が不一致です"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "末尾に \"or\" を配置できません"
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "末尾に \"!\" を配置できません"
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "無効な正規表現です: %s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "使用法: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "使用法: %s [-h] [-d directory] -l [search expression]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s - sudo セッションログをリプレイします\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s speed_factor 出力速度を速くする、または遅くする\n"
" -V バージョン情報を表示して終了する"
-#: plugins/sudoers/testsudoers.c:246
-#, c-format
-msgid "internal error, init_vars() overflow"
-msgstr "内部エラー、init_vars() がオーバーフローしました"
-
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\tホストが一致しません"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"コマンドが許可されました"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"コマンドが拒否されました"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr "%s 文法バージョン %d\n"
-#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
#, c-format
msgid "press return to edit %s: "
msgstr "%s を編集するためにリターンを押してください: "
msgid "%s unchanged"
msgstr "%s は変更されません"
-#: plugins/sudoers/visudo.c:483
+#: plugins/sudoers/visudo.c:486
#, c-format
msgid "unable to re-open temporary file (%s), %s unchanged."
msgstr "一時ファイル (%s) を再度開くことができません。%s は変更されません。"
-#: plugins/sudoers/visudo.c:493
+#: plugins/sudoers/visudo.c:496
#, c-format
msgid "unabled to parse temporary file (%s), unknown error"
msgstr "一時ファイル (%s) の構文解析ができません。不明なエラーです"
-#: plugins/sudoers/visudo.c:531
+#: plugins/sudoers/visudo.c:534
#, c-format
msgid "internal error, unable to find %s in list!"
msgstr "内部エラー、リスト内に %s が見つかりません!"
-#: plugins/sudoers/visudo.c:583 plugins/sudoers/visudo.c:592
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
#, c-format
msgid "unable to set (uid, gid) of %s to (%u, %u)"
msgstr "%s の (ユーザーID, グループID) を (%u, %u) に設定できません"
-#: plugins/sudoers/visudo.c:587 plugins/sudoers/visudo.c:597
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
#, c-format
msgid "unable to change mode of %s to 0%o"
msgstr "%s のアクセス権限のモードを 0%o に変更できません"
-#: plugins/sudoers/visudo.c:614
+#: plugins/sudoers/visudo.c:617
#, c-format
msgid "%s and %s not on the same file system, using mv to rename"
msgstr "%s と %s は同じファイルシステム上にありません。名前を変更するために mv を使用しています"
-#: plugins/sudoers/visudo.c:628
+#: plugins/sudoers/visudo.c:631
#, c-format
msgid "command failed: '%s %s %s', %s unchanged"
msgstr "コマンドの失敗です: '%s %s %s'。%s は変更されません"
-#: plugins/sudoers/visudo.c:638
+#: plugins/sudoers/visudo.c:641
#, c-format
msgid "error renaming %s, %s unchanged"
msgstr "%s の名前変更に失敗しました。%s は変更されません"
-#: plugins/sudoers/visudo.c:701
+#: plugins/sudoers/visudo.c:704
msgid "What now? "
msgstr "次は何でしょうか? "
-#: plugins/sudoers/visudo.c:715
+#: plugins/sudoers/visudo.c:718
msgid ""
"Options are:\n"
" (e)dit sudoers file again\n"
" x -- sudoers ファイルへの変更を保存せずに終了します\n"
" Q -- sudoers ファイルへの変更を保存して終了します (*危険です!*)\n"
-#: plugins/sudoers/visudo.c:756
+#: plugins/sudoers/visudo.c:759
#, c-format
msgid "unable to execute %s"
msgstr "%s を実行できません"
-#: plugins/sudoers/visudo.c:763
+#: plugins/sudoers/visudo.c:766
#, c-format
msgid "unable to run %s"
msgstr "%s を実行できません"
-#: plugins/sudoers/visudo.c:789
+#: plugins/sudoers/visudo.c:792
#, c-format
msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
msgstr "%s: 所有権に誤りがあります。(ユーザーID, グループID) は (%u, %u) であるべきです\n"
-#: plugins/sudoers/visudo.c:796
+#: plugins/sudoers/visudo.c:799
#, c-format
msgid "%s: bad permissions, should be mode 0%o\n"
msgstr "%s: アクセス権限に誤りがあります。モードは 0%o であるべきです\n"
-#: plugins/sudoers/visudo.c:821
+#: plugins/sudoers/visudo.c:824
#, c-format
msgid "failed to parse %s file, unknown error"
msgstr "%s ファイルの構文解析に失敗しました。不明なエラーです"
-#: plugins/sudoers/visudo.c:834
+#: plugins/sudoers/visudo.c:837
#, c-format
msgid "parse error in %s near line %d\n"
msgstr "%s 内 %d 行付近で構文解析エラーが発生しました\n"
-#: plugins/sudoers/visudo.c:837
+#: plugins/sudoers/visudo.c:840
#, c-format
msgid "parse error in %s\n"
msgstr "%s 内で構文解析エラーが発生しました\n"
-#: plugins/sudoers/visudo.c:844 plugins/sudoers/visudo.c:849
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
#, c-format
msgid "%s: parsed OK\n"
msgstr "%s: 正しく構文解析されました\n"
-#: plugins/sudoers/visudo.c:896
+#: plugins/sudoers/visudo.c:899
#, c-format
msgid "%s busy, try again later"
msgstr "%s がビジー状態です。後で再試行してください"
-#: plugins/sudoers/visudo.c:940
+#: plugins/sudoers/visudo.c:943
#, c-format
msgid "specified editor (%s) doesn't exist"
msgstr "指定したエディター (%s) が存在しません"
-#: plugins/sudoers/visudo.c:963
+#: plugins/sudoers/visudo.c:966
#, c-format
msgid "unable to stat editor (%s)"
msgstr "エディター (%s) の状態取得 (stat) ができません"
-#: plugins/sudoers/visudo.c:1011
+#: plugins/sudoers/visudo.c:1014
#, c-format
msgid "no editor found (editor path = %s)"
msgstr "エディターが見つかりません (エディターのパス = %s)"
-#: plugins/sudoers/visudo.c:1105
+#: plugins/sudoers/visudo.c:1108
#, c-format
msgid "Error: cycle in %s_Alias `%s'"
msgstr "エラー: %s_Alias `%s' 内に循環があります"
-#: plugins/sudoers/visudo.c:1106
+#: plugins/sudoers/visudo.c:1109
#, c-format
msgid "Warning: cycle in %s_Alias `%s'"
msgstr "警告: %s_Alias `%s' 内に循環があります"
-#: plugins/sudoers/visudo.c:1109
+#: plugins/sudoers/visudo.c:1112
#, c-format
msgid "Error: %s_Alias `%s' referenced but not defined"
msgstr "エラー: %s_Alias `%s' は参照されていますが定義されていません"
-#: plugins/sudoers/visudo.c:1110
+#: plugins/sudoers/visudo.c:1113
#, c-format
msgid "Warning: %s_Alias `%s' referenced but not defined"
msgstr "警告: %s_Alias `%s' は参照されていますが定義されていません"
-#: plugins/sudoers/visudo.c:1245
+#: plugins/sudoers/visudo.c:1248
#, c-format
msgid "%s: unused %s_Alias %s"
msgstr "%s: %s_Alias %s は使用されていません"
-#: plugins/sudoers/visudo.c:1301
+#: plugins/sudoers/visudo.c:1304
#, c-format
msgid ""
"%s - safely edit the sudoers file\n"
"%s - sudoers ファイルを安全に編集する\n"
"\n"
-#: plugins/sudoers/visudo.c:1303
+#: plugins/sudoers/visudo.c:1306
msgid ""
"\n"
"Options:\n"
" -s 厳密な文法検査を行う\n"
" -V バージョン情報を表示して終了する"
-#: toke.l:805
+#: toke.l:820
msgid "too many levels of includes"
msgstr "インクルードの階層が大きすぎます"
+#~ msgid "internal error, expand_prompt() overflow"
+#~ msgstr "内部エラー、expand_prompt() がオーバーフローしました"
+
+#~ msgid "internal error, sudo_setenv2() overflow"
+#~ msgstr "内部エラー、 sudo_setenv2() がオーバーフローしました"
+
+#~ msgid "internal error, sudo_setenv() overflow"
+#~ msgstr "内部エラー、 sudo_setenv() がオーバーフローしました"
+
+#~ msgid "internal error, linux_audit_command() overflow"
+#~ msgstr "内部エラー、linux_audit_command() がオーバーフローしました"
+
+#~ msgid "internal error, runas_groups overflow"
+#~ msgstr "内部エラー、runas_groups がオーバーフローしました"
+
+#~ msgid "internal error, init_vars() overflow"
+#~ msgstr "内部エラー、init_vars() がオーバーフローしました"
+
#~ msgid "invalid log file %s"
#~ msgstr "ログファイル %s は無効です"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc3\n"
+"Project-Id-Version: sudoers 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-05-06 21:40+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-20 19:07+0200\n"
"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
"Language: pl\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
-#: gram.y:110
+#: gram.y:112
#, c-format
msgid ">>> %s: %s near line %d <<<"
msgstr ">>> %s: %s w okolicy linii %d <<<"
msgid "unable to initialize SIA session"
msgstr "nie udało się zainicjować sesji SIA"
-#: plugins/sudoers/auth/sudo_auth.c:117
+#: plugins/sudoers/auth/sudo_auth.c:121
msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
msgstr "W sudo wkompilowano błędne metody uwierzytelniania! Można mieszać samodzielne i niesamodzielne sposoby uwierzytelniania."
-#: plugins/sudoers/auth/sudo_auth.c:199
+#: plugins/sudoers/auth/sudo_auth.c:206
msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
msgstr "W sudo nie wkompilowano żadnych metod uwierzytelniania! Aby wyłączyć uwierzytelnianie, proszę użyć opcji konfiguracyjnej --disable-authentication."
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d błędna próba wprowadzenia hasła"
-msgstr[1] "%d błędne próby wprowadzenia hasła"
-msgstr[2] "%d błędnych prób wprowadzenia hasła"
-
#: plugins/sudoers/auth/sudo_auth.c:374
msgid "Authentication methods:"
msgstr "Metody uwierzytelniania:"
msgid "au_to_text: failed"
msgstr "au_to_text: niepowodzenie"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "niestety do uruchomienia %s wymagane jest hasło"
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
-#: plugins/sudoers/visudo.c:815
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
#, c-format
msgid "unable to open %s"
msgstr "nie udało się otworzyć %s"
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "nie udało się zapisać do %s"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "nie udało się wykonać mkdir %s"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
#, c-format
-msgid "internal error, expand_prompt() overflow"
-msgstr "błąd wewnętrzny, przepełnienie expand_prompt()"
+msgid "internal error, %s overflow"
+msgstr "błąd wewnętrzny, przepełnienie %s"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:460
#, c-format
msgid "timestamp path too long: %s"
msgstr "ścieżka znacznika czasu zbyt długa: %s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s istnieje, ale nie jest katalogiem (0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "właścicielem %s jest uid %u, powinien być uid %u"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "%s zapisywalny nie tylko dla właściciela (uprawnienia 0%o, powinny być 0700)"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
-#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
#, c-format
msgid "unable to stat %s"
msgstr "nie udało się wykonać stat na %s"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:577
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s istnieje, ale nie jest zwykłym plikiem (0%o)"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:589
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "%s zapisywalny nie tylko dla właściciela (uprawnienia 0%o, powinny być 0600)"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:643
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "znacznik czasu zbyt daleko w przyszłości: %20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:690
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "nie udało się usunąć %s (%s), zostanie zresetowany do epoch"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:698
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "nie udało się zresetować %s do epoch"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
#, c-format
msgid "unknown uid: %u"
msgstr "nieznany uid: %u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "nieznany użytkownik: %s"
msgid "Set the user in utmp to the runas user, not the invoking user"
msgstr "Ustawianie użytkownika w utmp jako docelowego, nie wywołującego"
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "Zbiór dozwolonych uprawnień"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "Zbiór ograniczonych uprawnień"
+
#: plugins/sudoers/defaults.c:208
#, c-format
msgid "unknown defaults entry `%s'"
msgid "option `%s' does not take a value"
msgstr "opcja `%s' nie przyjmuje wartości"
-#: plugins/sudoers/env.c:339
+#: plugins/sudoers/env.c:367
#, c-format
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr "sudo_putenv: uszkodzone envp, niezgodność długości"
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
-#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:870 toke.l:966
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
#, c-format
msgid "unable to allocate memory"
msgstr "nie udało się przydzielić pamięci"
-#: plugins/sudoers/env.c:366
-#, c-format
-msgid "internal error, sudo_setenv2() overflow"
-msgstr "błąd wewnętrzny, przepełnienie sudo_setenv2()"
-
-#: plugins/sudoers/env.c:410
-#, c-format
-msgid "internal error, sudo_setenv() overflow"
-msgstr "błąd wewnętrzny, przepełnienie sudo_setenv()"
-
-#: plugins/sudoers/env.c:955
+#: plugins/sudoers/env.c:992
#, c-format
msgid "sorry, you are not allowed to set the following environment variables: %s"
msgstr "niestety nie jest dozwolone ustawianie następujących zmiennych środowiskowych: %s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
-#: plugins/sudoers/sudoers.c:950 toke.l:678 toke.l:866
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
msgid "Local IP address and netmask pairs:\n"
msgstr "Pary lokalnych adresów IP i masek:\n"
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
#, c-format
msgid "unable to read %s"
msgstr "nie udało się odczytać %s"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "błędny numer sekwencyjny %s"
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "nie udało się utworzyć %s"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "nie udało się ustawić lokalizacji na \"%s\", użyto \"C\""
-#: plugins/sudoers/ldap.c:378
+#: plugins/sudoers/ldap.c:387
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports: port zbyt duży"
-#: plugins/sudoers/ldap.c:401
+#: plugins/sudoers/ldap.c:410
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports: brak miejsca podczas rozszerzania hostbuf"
-#: plugins/sudoers/ldap.c:431
+#: plugins/sudoers/ldap.c:440
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "nieobsługiwany rodzaj URI LDAP: %s"
-#: plugins/sudoers/ldap.c:460
+#: plugins/sudoers/ldap.c:469
#, c-format
msgid "invalid uri: %s"
msgstr "błędny URI: %s"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:475
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "nie można mieszać URI ldap i ldaps"
-#: plugins/sudoers/ldap.c:470
+#: plugins/sudoers/ldap.c:479
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "nie można mieszać ldaps i starttls"
-#: plugins/sudoers/ldap.c:489
+#: plugins/sudoers/ldap.c:498
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri: brak miejsca podczas konstruowania hostbuf"
-#: plugins/sudoers/ldap.c:563
+#: plugins/sudoers/ldap.c:572
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "nie udało się zainicjować bazy certyfikatów i kluczy SSL: %s"
-#: plugins/sudoers/ldap.c:566
+#: plugins/sudoers/ldap.c:575
#, c-format
msgid "you must set TLS_CERT in %s to use SSL"
msgstr "aby używać SSL, trzeba ustawić TLS_CERT w %s"
-#: plugins/sudoers/ldap.c:973
+#: plugins/sudoers/ldap.c:992
#, c-format
msgid "unable to get GMT time"
msgstr "nie udało się pobrać czasu GMT"
-#: plugins/sudoers/ldap.c:979
+#: plugins/sudoers/ldap.c:998
#, c-format
msgid "unable to format timestamp"
msgstr "nie udało się sformatować znacznika czasu"
-#: plugins/sudoers/ldap.c:987
+#: plugins/sudoers/ldap.c:1006
#, c-format
msgid "unable to build time filter"
msgstr "nie udało się stworzyć filtra czasu"
-#: plugins/sudoers/ldap.c:1202
+#: plugins/sudoers/ldap.c:1225
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "niezgodność przydzielenia sudo_ldap_build_pass1"
-#: plugins/sudoers/ldap.c:1738
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"Rola LDAP: %s\n"
-#: plugins/sudoers/ldap.c:1740
+#: plugins/sudoers/ldap.c:1763
#, c-format
msgid ""
"\n"
"\n"
"Rola LDAP: NIEZNANA\n"
-#: plugins/sudoers/ldap.c:1787
+#: plugins/sudoers/ldap.c:1810
#, c-format
msgid " Order: %s\n"
msgstr " Porządek: %s\n"
-#: plugins/sudoers/ldap.c:1795
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
#, c-format
msgid " Commands:\n"
msgstr " Polecenia:\n"
-#: plugins/sudoers/ldap.c:2216
+#: plugins/sudoers/ldap.c:2240
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "nie udało się zainicjować LDAP: %s"
-#: plugins/sudoers/ldap.c:2250
+#: plugins/sudoers/ldap.c:2274
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "wybrano start_tls, ale biblioteki LDAP nie obsługują ldap_start_tls_s() ani ldap_start_tls_s_np()"
-#: plugins/sudoers/ldap.c:2486
+#: plugins/sudoers/ldap.c:2510
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "błędny atrybut sudoOrder: %s"
msgid "unable to open audit system"
msgstr "nie udało się otworzyć systemu audytowego"
-#: plugins/sudoers/linux_audit.c:82
-#, c-format
-msgid "internal error, linux_audit_command() overflow"
-msgstr "błąd wewnętrzny, przepełnienie linux_audit_command()"
-
-#: plugins/sudoers/linux_audit.c:91
+#: plugins/sudoers/linux_audit.c:93
#, c-format
msgid "unable to send audit message"
msgstr "nie udało się wysłać komunikatu audytowego"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "nie udało się otworzyć pliku logu: %s: %s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "nie udało się zablokować pliku logu: %s: %s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "użytkownik NIE występuje w sudoers"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "użytkownik NIE jest autoryzowany na hoście"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "polecenie niedozwolone"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "%s nie występuje w pliku sudoers. Ten incydent zostanie zgłoszony.\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "%s nie ma uprawnień do uruchamiania sudo na %s. Ten incydent zostanie zgłoszony.\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "Niestety użytkownik %s nie może uruchamiać sudo na %s.\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "Niestety użytkownik %s nie ma uprawnień do uruchamiania '%s%s%s' jako %s%s%s na %s.\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Brak użytkownika lub hosta"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "błąd kontroli poprawności"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: nie znaleziono polecenia"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"zignorowano plik `%s' znaleziony w '.'\n"
+"Proszę użyć `sudo ./%s', jeśli to `%s' ma być uruchomiony."
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "błąd uwierzytelniania"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d błędna próba wprowadzenia hasła"
+msgstr[1] "%d błędne próby wprowadzenia hasła"
+msgstr[2] "%d błędnych prób wprowadzenia hasła"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "wymagane jest hasło"
+
+#: plugins/sudoers/logging.c:530
#, c-format
msgid "unable to fork"
msgstr "nie udało się wykonać fork"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
#, c-format
msgid "unable to fork: %m"
msgstr "nie udało się wykonać fork: %m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:589
#, c-format
msgid "unable to open pipe: %m"
msgstr "nie udało się otworzyć potoku: %m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:614
#, c-format
msgid "unable to dup stdin: %m"
msgstr "nie udało się wykonać dup na stdin: %m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:650
#, c-format
msgid "unable to execute %s: %m"
msgstr "nie udało się wywołać %s: %m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:865
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "błąd wewnętrzny: za mało miejsca na linię logu"
msgid "parse error in %s"
msgstr "błąd składni w %s"
-#: plugins/sudoers/parse.c:389
+#: plugins/sudoers/parse.c:414
#, c-format
msgid ""
"\n"
"\n"
"Wpis sudoers:\n"
-#: plugins/sudoers/parse.c:391
+#: plugins/sudoers/parse.c:416
#, c-format
msgid " RunAsUsers: "
msgstr " Jako użytkownicy: "
-#: plugins/sudoers/parse.c:406
+#: plugins/sudoers/parse.c:431
#, c-format
msgid " RunAsGroups: "
msgstr " Jako grupy: "
-#: plugins/sudoers/parse.c:415
+#: plugins/sudoers/parse.c:440
#, c-format
msgid ""
" Commands:\n"
msgid ": "
msgstr ": "
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "nie udało się zapamiętać uid-a %u (%s), już istnieje"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "nie udało się zapamiętać uid-a %u, już istnieje"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "nie udało się zapamiętać użytkownika %s, już istnieje"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "nie udało się zapamiętać gid-a %u (%s), już istnieje"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "nie udało się zapamiętać gid-a %u, już istnieje"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "nie udało się zapamiętać grupy %s, już istnieje"
msgid "unable to set runas group vector"
msgstr "nie udało się ustawić wektora grup docelowych"
-#: plugins/sudoers/sudo_nss.c:243
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "Nie udało się wykonać dlopen %s: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "Nie udało się zainicjować źródła SSS. Czy SSSD jest zainstalowany na tej maszynie?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "nie udało się odnaleźć symbolu \"%s\" w %s"
+
+#: plugins/sudoers/sudo_nss.c:267
#, c-format
msgid "Matching Defaults entries for %s on this host:\n"
msgstr "Pasujące wpisy Defaults dla %s na tym hoście:\n"
-#: plugins/sudoers/sudo_nss.c:256
+#: plugins/sudoers/sudo_nss.c:280
#, c-format
msgid "Runas and Command-specific defaults for %s:\n"
msgstr "Wartości specyficzne dla Runas i Command dla %s:\n"
-#: plugins/sudoers/sudo_nss.c:269
+#: plugins/sudoers/sudo_nss.c:293
#, c-format
msgid "User %s may run the following commands on this host:\n"
msgstr "Użytkownik %s może uruchamiać na tym hoście następujące polecenia:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:302
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "Użytkownik %s nie ma uprawnień do uruchamiania sudo na %s.\n"
-#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
msgid "problem with defaults entries"
msgstr "problem z wpisami domyślnymi"
-#: plugins/sudoers/sudoers.c:212
+#: plugins/sudoers/sudoers.c:216
#, c-format
msgid "no valid sudoers sources found, quitting"
msgstr "nie znaleziono poprawnych źródeł sudoers, zakończenie"
-#: plugins/sudoers/sudoers.c:264
+#: plugins/sudoers/sudoers.c:268
#, c-format
msgid "unable to execute %s: %s"
msgstr "nie udało się wywołać %s: %s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:335
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "wg sudoers root nie ma prawa używać sudo"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:342
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "brak uprawnień do używania opcji -C"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:431
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "właściciel znacznika czasu (%s): nie ma takiego użytkownika"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:447
msgid "no tty"
msgstr "brak tty"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:448
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "niestety do uruchomienia sudo konieczny jest tty"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "Brak użytkownika lub hosta"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s: nie znaleziono polecenia"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"zignorowano plik `%s' znaleziony w '.'\n"
-"Proszę użyć `sudo ./%s', jeśli to `%s' ma być uruchomiony."
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "błąd kontroli poprawności"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:498
msgid "command in current directory"
msgstr "polecenie w bieżącym katalogu"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:510
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "niestety brak uprawnień do zachowania środowiska"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
-#, c-format
-msgid "internal error, runas_groups overflow"
-msgstr "błąd wewnętrzny, przepełnienie runas_groups"
-
-#: plugins/sudoers/sudoers.c:941
-#, c-format
-msgid "internal error, set_cmnd() overflow"
-msgstr "błąd wewnętrzny, przepełnienie set_cmnd()"
-
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:1006
#, c-format
msgid "%s is not a regular file"
msgstr "%s nie jest zwykłym plikiem"
-#: plugins/sudoers/sudoers.c:1004 toke.l:829
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "właścicielem %s jest uid %u, powinien być %u"
-#: plugins/sudoers/sudoers.c:1008 toke.l:836
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
#, c-format
msgid "%s is world writable"
msgstr "%s jest zapisywalny dla świata"
-#: plugins/sudoers/sudoers.c:1011 toke.l:841
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
#, c-format
msgid "%s is owned by gid %u, should be %u"
msgstr "właścicielem %s jest gid %u, powinien być %u"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1043
#, c-format
msgid "only root can use `-c %s'"
msgstr "tylko root może używać `-c %s'"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
#, c-format
msgid "unknown login class: %s"
msgstr "nieznana klasa logowania: %s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1089
#, c-format
msgid "unable to resolve host %s"
msgstr "nie udało się rozwiązać nazwy hosta %s"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "nieznana grupa: %s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1190
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "Wersja wtyczki polityki sudoers %s\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "Wersja gramatyki pliku sudoers %d\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1196
#, c-format
msgid ""
"\n"
"\n"
"Ścieżka do sudoers: %s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1199
#, c-format
msgid "nsswitch path: %s\n"
msgstr "ścieżka do nsswitch: %s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1201
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "ścieżka do ldap.conf: %s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1202
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "ścieżka do ldap.secret: %s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "błędna opcja filtra: %s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "błędny maksymalny czas oczekiwania: %s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "błędny współczynnik szybkości: %s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s wersja %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s/czas: %s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/czas: %s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "Odtwarzanie sesji sudo: %s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "Uwaga: ten terminal jest za mały, aby właściwie odtworzyć log.\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "Geometria logu to %d x %d, geometria terminala to %d x %d."
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "nie udało się przestawić tty w tryb surowy"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "błędna linia pliku czasu: %s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "zapis na standardowe wyjście"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanospeep: tv_sec %ld, tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "niejednoznaczne wyrażenie \"%s\""
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "zbyt dużo zagnieżdżonych wyrażeń w nawiasach, maksimum to %d"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "niesparowany ')' w wyrażeniu"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "nieznany warunek wyszukiwania \"%s\""
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s wymaga argumentu"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "błędne wyrażenie regularne: %s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "nie udało się przeanalizować daty \"%s\""
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "niesparowany '(' w wyrażeniu"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "niedozwolone kończące \"or\""
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "niedozwolony kończący \"!\""
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "błędne wyrażenie regularne: %s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "Składnia: %s [-h] [-d katalog] [-m maks_oczek] [-s wsp_szybkości] ID\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "Składnia: %s [-h] [-d katalog] -k [wyrażenie wyszukiwania]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s - odtwarzanie logów sesji sudo\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s wsp_szybkości przyspieszenie lub spowolnienie wyjścia\n"
" -V wyświetlenie informacji o wersji i zakończenie"
-#: plugins/sudoers/testsudoers.c:246
-#, c-format
-msgid "internal error, init_vars() overflow"
-msgstr "błąd wewnętrzny, przepełnienie init_vars()"
-
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\thost nie znaleziony"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"Polecenie dozwolone"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"Polecenie niedozwolone"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr "%s, wersja gramatyki %d\n"
-#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
#, c-format
msgid "press return to edit %s: "
msgstr "wciśnięcie return przejdzie do edycji %s: "
msgid "%s unchanged"
msgstr "%s nie zmieniony"
-#: plugins/sudoers/visudo.c:483
+#: plugins/sudoers/visudo.c:486
#, c-format
msgid "unable to re-open temporary file (%s), %s unchanged."
msgstr "nie udało się ponownie otworzyć pliku tymczasowego (%s), %s nie zmieniony."
-#: plugins/sudoers/visudo.c:493
+#: plugins/sudoers/visudo.c:496
#, c-format
msgid "unabled to parse temporary file (%s), unknown error"
msgstr "nie udało się przeanalizować pliku tymczasowego (%s), nieznany błąd"
-#: plugins/sudoers/visudo.c:531
+#: plugins/sudoers/visudo.c:534
#, c-format
msgid "internal error, unable to find %s in list!"
msgstr "błąd wewnętrzny, nie znaleziono %s na liście!"
-#: plugins/sudoers/visudo.c:583 plugins/sudoers/visudo.c:592
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
#, c-format
msgid "unable to set (uid, gid) of %s to (%u, %u)"
msgstr "nie udało się ustawić (uid, gid) %s na (%u, %u)"
-#: plugins/sudoers/visudo.c:587 plugins/sudoers/visudo.c:597
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
#, c-format
msgid "unable to change mode of %s to 0%o"
msgstr "nie udało się zmienić uprawnień %s na 0%o"
-#: plugins/sudoers/visudo.c:614
+#: plugins/sudoers/visudo.c:617
#, c-format
msgid "%s and %s not on the same file system, using mv to rename"
msgstr "%s i %s nie są na tym samym systemie plików, użycie mv do zmiany nazwy"
-#: plugins/sudoers/visudo.c:628
+#: plugins/sudoers/visudo.c:631
#, c-format
msgid "command failed: '%s %s %s', %s unchanged"
msgstr "polecenie nie powiodło się: '%s %s %s', %s nie zmieniony"
-#: plugins/sudoers/visudo.c:638
+#: plugins/sudoers/visudo.c:641
#, c-format
msgid "error renaming %s, %s unchanged"
msgstr "błąd podczas zmiany nazwy %s, %s nie zmieniony"
-#: plugins/sudoers/visudo.c:701
+#: plugins/sudoers/visudo.c:704
msgid "What now? "
msgstr "Co teraz? "
-#: plugins/sudoers/visudo.c:715
+#: plugins/sudoers/visudo.c:718
msgid ""
"Options are:\n"
" (e)dit sudoers file again\n"
" (x) wyjście bez zapisu zmian do pliku sudoers\n"
" (Q) wyjście i zapisanie zmian w pliku sudoers (NIEBEZPIECZNE!)\n"
-#: plugins/sudoers/visudo.c:756
+#: plugins/sudoers/visudo.c:759
#, c-format
msgid "unable to execute %s"
msgstr "nie udało się wywołać %s"
-#: plugins/sudoers/visudo.c:763
+#: plugins/sudoers/visudo.c:766
#, c-format
msgid "unable to run %s"
msgstr "nie udało się uruchomić %s"
-#: plugins/sudoers/visudo.c:789
+#: plugins/sudoers/visudo.c:792
#, c-format
msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
msgstr "%s: błędny właściciel, (uid, gid) powinny wynosić (%u, %u)\n"
-#: plugins/sudoers/visudo.c:796
+#: plugins/sudoers/visudo.c:799
#, c-format
msgid "%s: bad permissions, should be mode 0%o\n"
msgstr "%s: błędne uprawnienia, powinny być 0%o\n"
-#: plugins/sudoers/visudo.c:821
+#: plugins/sudoers/visudo.c:824
#, c-format
msgid "failed to parse %s file, unknown error"
msgstr "nie udało się przeanalizować pliku %s, nieznany błąd"
-#: plugins/sudoers/visudo.c:834
+#: plugins/sudoers/visudo.c:837
#, c-format
msgid "parse error in %s near line %d\n"
msgstr "błąd składni w %s w okolicy linii %d\n"
-#: plugins/sudoers/visudo.c:837
+#: plugins/sudoers/visudo.c:840
#, c-format
msgid "parse error in %s\n"
msgstr "błąd składni w %s\n"
-#: plugins/sudoers/visudo.c:844 plugins/sudoers/visudo.c:849
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
#, c-format
msgid "%s: parsed OK\n"
msgstr "%s: składnia poprawna\n"
-#: plugins/sudoers/visudo.c:896
+#: plugins/sudoers/visudo.c:899
#, c-format
msgid "%s busy, try again later"
msgstr "%s zajęty, proszę spróbować później"
-#: plugins/sudoers/visudo.c:940
+#: plugins/sudoers/visudo.c:943
#, c-format
msgid "specified editor (%s) doesn't exist"
msgstr "podany edytor (%s) nie istnieje"
-#: plugins/sudoers/visudo.c:963
+#: plugins/sudoers/visudo.c:966
#, c-format
msgid "unable to stat editor (%s)"
msgstr "nie udało się wykonać stat na edytorze (%s)"
-#: plugins/sudoers/visudo.c:1011
+#: plugins/sudoers/visudo.c:1014
#, c-format
msgid "no editor found (editor path = %s)"
msgstr "nie znaleziono edytora (ścieżka = %s)"
-#: plugins/sudoers/visudo.c:1105
+#: plugins/sudoers/visudo.c:1108
#, c-format
msgid "Error: cycle in %s_Alias `%s'"
msgstr "Błąd: cykl w %s_Alias `%s'"
-#: plugins/sudoers/visudo.c:1106
+#: plugins/sudoers/visudo.c:1109
#, c-format
msgid "Warning: cycle in %s_Alias `%s'"
msgstr "Uwaga: cykl w %s_Alias `%s'"
-#: plugins/sudoers/visudo.c:1109
+#: plugins/sudoers/visudo.c:1112
#, c-format
msgid "Error: %s_Alias `%s' referenced but not defined"
msgstr "Błąd: %s_Alias `%s' użyty, ale nie zdefiniowany"
-#: plugins/sudoers/visudo.c:1110
+#: plugins/sudoers/visudo.c:1113
#, c-format
msgid "Warning: %s_Alias `%s' referenced but not defined"
msgstr "Uwaga: %s_Alias `%s' użyty, ale nie zdefiniowany"
-#: plugins/sudoers/visudo.c:1245
+#: plugins/sudoers/visudo.c:1248
#, c-format
msgid "%s: unused %s_Alias %s"
msgstr "%s: nie użyty %s_Alias %s"
-#: plugins/sudoers/visudo.c:1301
+#: plugins/sudoers/visudo.c:1304
#, c-format
msgid ""
"%s - safely edit the sudoers file\n"
"%s - bezpieczna edycja pliku sudoers\n"
"\n"
-#: plugins/sudoers/visudo.c:1303
+#: plugins/sudoers/visudo.c:1306
msgid ""
"\n"
"Options:\n"
" -s ścisłe sprawdzanie składni\n"
" -V wyświetlenie informacji o wersji i zakończenie"
-#: toke.l:805
+#: toke.l:820
msgid "too many levels of includes"
msgstr "za dużo poziomów include"
+
+#~ msgid "internal error, expand_prompt() overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie expand_prompt()"
+
+#~ msgid "internal error, sudo_setenv2() overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie sudo_setenv2()"
+
+#~ msgid "internal error, sudo_setenv() overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie sudo_setenv()"
+
+#~ msgid "internal error, linux_audit_command() overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie linux_audit_command()"
+
+#~ msgid "internal error, runas_groups overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie runas_groups"
+
+#~ msgid "internal error, init_vars() overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie init_vars()"
--- /dev/null
+# Slovenian translation of sudo.
+# This file is put in the public domain.
+# This file is distributed under the same license as the sudo package.
+#
+# Damir Jerovšek <damir.jerovsek@gmail.com>, 2012.
+# Klemen Košir <klemen.kosir@gmx.com>, 2012.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: sudoers 1.8.6b4\n"
+"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-13 22:12+0100\n"
+"Last-Translator: Klemen Košir <klemen.kosir@gmx.com>\n"
+"Language-Team: Slovenian <translation-team-sl@lists.sourceforge.net>\n"
+"Language: sl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=4; plural=(n%100==1 ? 1 : n%100==2 ? 2 : n%100==3 || n%100==4 ? 3 : 0);\n"
+
+#: gram.y:112
+#, c-format
+msgid ">>> %s: %s near line %d <<<"
+msgstr ">>> %s: %s blizu vrstice %d <<<"
+
+#: plugins/sudoers/alias.c:125
+#, c-format
+msgid "Alias `%s' already defined"
+msgstr "Vzdevek `%s' je že določen"
+
+#: plugins/sudoers/auth/bsdauth.c:78
+#, c-format
+msgid "unable to get login class for user %s"
+msgstr "prijavnega razreda uporabnika %s ni mogoče pridobiti"
+
+#: plugins/sudoers/auth/bsdauth.c:84
+msgid "unable to begin bsd authentication"
+msgstr "ni mogoče začeti overitve bsd"
+
+#: plugins/sudoers/auth/bsdauth.c:92
+msgid "invalid authentication type"
+msgstr "neveljavna vrsta overitve"
+
+#: plugins/sudoers/auth/bsdauth.c:101
+msgid "unable to setup authentication"
+msgstr "ni mogoče nastaviti overitve"
+
+#: plugins/sudoers/auth/fwtk.c:60
+#, c-format
+msgid "unable to read fwtk config"
+msgstr "ni mogoče brati nastavitev fwtk"
+
+#: plugins/sudoers/auth/fwtk.c:65
+#, c-format
+msgid "unable to connect to authentication server"
+msgstr "ni se mogoče povezati s strežnikom overitve"
+
+#: plugins/sudoers/auth/fwtk.c:71 plugins/sudoers/auth/fwtk.c:95
+#: plugins/sudoers/auth/fwtk.c:128
+#, c-format
+msgid "lost connection to authentication server"
+msgstr "povezava s strežnikom overitve je bila izgubljena"
+
+#: plugins/sudoers/auth/fwtk.c:75
+#, c-format
+msgid ""
+"authentication server error:\n"
+"%s"
+msgstr ""
+"napaka strežnika overitve:\n"
+"%s"
+
+#: plugins/sudoers/auth/kerb5.c:117
+#, c-format
+msgid "%s: unable to unparse princ ('%s'): %s"
+msgstr "%s: ni mogoče odrazčleniti princ ('%s'): %s"
+
+#: plugins/sudoers/auth/kerb5.c:160
+#, c-format
+msgid "%s: unable to parse '%s': %s"
+msgstr "%s: ni mogoče razčleniti '%s': %s"
+
+#: plugins/sudoers/auth/kerb5.c:170
+#, c-format
+msgid "%s: unable to resolve ccache: %s"
+msgstr "%s: ni mogoče razrešiti ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:218
+#, c-format
+msgid "%s: unable to allocate options: %s"
+msgstr "%s: ni mogoče dodeliti možnosti: %s"
+
+#: plugins/sudoers/auth/kerb5.c:234
+#, c-format
+msgid "%s: unable to get credentials: %s"
+msgstr "%s: ni mogoče dobiti poverila: %s"
+
+#: plugins/sudoers/auth/kerb5.c:247
+#, c-format
+msgid "%s: unable to initialize ccache: %s"
+msgstr "%s: ni mogoče začeti ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:251
+#, c-format
+msgid "%s: unable to store cred in ccache: %s"
+msgstr "%s: ni mogoče shraniti cred v ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:316
+#, c-format
+msgid "%s: unable to get host principal: %s"
+msgstr "%s: ni mogoče pridobiti predstojnika gostitve: %s"
+
+#: plugins/sudoers/auth/kerb5.c:331
+#, c-format
+msgid "%s: Cannot verify TGT! Possible attack!: %s"
+msgstr "%s: ni mogoče preveriti TGT! Možen napad!: %s"
+
+#: plugins/sudoers/auth/pam.c:100
+msgid "unable to initialize PAM"
+msgstr "ni mogoče začeti PAM"
+
+#: plugins/sudoers/auth/pam.c:144
+msgid "account validation failure, is your account locked?"
+msgstr "potrditev veljavnosti računa je spodletela, je vaš račun zaklenjen?"
+
+#: plugins/sudoers/auth/pam.c:148
+msgid "Account or password is expired, reset your password and try again"
+msgstr "Geslo ali račun je potekel, ponastavite svoje geslo in poskusite znova"
+
+#: plugins/sudoers/auth/pam.c:155
+#, c-format
+msgid "pam_chauthtok: %s"
+msgstr "pam_chauthtok: %s"
+
+#: plugins/sudoers/auth/pam.c:159
+msgid "Password expired, contact your system administrator"
+msgstr "Veljavnost gesla je potekla. Stopite v stik s svojim sistemskim skrbnikom"
+
+#: plugins/sudoers/auth/pam.c:163
+msgid "Account expired or PAM config lacks an \"account\" section for sudo, contact your system administrator"
+msgstr "Račun je potekel ali pa nastavitvam PAM primanjkuje odsek \"account\" za sudo, obrnite se na sistemskega skrbnika"
+
+#: plugins/sudoers/auth/pam.c:180
+#, c-format
+msgid "pam_authenticate: %s"
+msgstr "pam_authenticate: %s"
+
+#: plugins/sudoers/auth/pam.c:332
+msgid "Password: "
+msgstr "Geslo: "
+
+#: plugins/sudoers/auth/pam.c:333
+msgid "Password:"
+msgstr "Geslo:"
+
+#: plugins/sudoers/auth/rfc1938.c:104 plugins/sudoers/visudo.c:220
+#, c-format
+msgid "you do not exist in the %s database"
+msgstr "ne obstajate v podatkovni zbirki %s"
+
+#: plugins/sudoers/auth/securid5.c:81
+#, c-format
+msgid "failed to initialise the ACE API library"
+msgstr "začenjanje knjižnice ACE API je spodletelo"
+
+#: plugins/sudoers/auth/securid5.c:107
+#, c-format
+msgid "unable to contact the SecurID server"
+msgstr "ni mogoče navezati stika s strežnikom SecurID"
+
+#: plugins/sudoers/auth/securid5.c:116
+#, c-format
+msgid "User ID locked for SecurID Authentication"
+msgstr "ID uporabnika je zaklenjen zaradi overitve SecurID"
+
+#: plugins/sudoers/auth/securid5.c:120 plugins/sudoers/auth/securid5.c:171
+#, c-format
+msgid "invalid username length for SecurID"
+msgstr "neveljavna dolžina imena uporabnika za SecurID"
+
+#: plugins/sudoers/auth/securid5.c:124 plugins/sudoers/auth/securid5.c:176
+#, c-format
+msgid "invalid Authentication Handle for SecurID"
+msgstr "neveljavna ročica overitve za SecurID"
+
+#: plugins/sudoers/auth/securid5.c:128
+#, c-format
+msgid "SecurID communication failed"
+msgstr "sporazumevanje SecurID je spodletelo"
+
+#: plugins/sudoers/auth/securid5.c:132 plugins/sudoers/auth/securid5.c:215
+#, c-format
+msgid "unknown SecurID error"
+msgstr "neznana napaka SecurID"
+
+#: plugins/sudoers/auth/securid5.c:166
+#, c-format
+msgid "invalid passcode length for SecurID"
+msgstr "neveljavna dolžina gesla za SecurID"
+
+#: plugins/sudoers/auth/sia.c:109
+msgid "unable to initialize SIA session"
+msgstr "ni mogoče začeti seje SIA"
+
+#: plugins/sudoers/auth/sudo_auth.c:121
+msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
+msgstr "Neveljavni načini overitve so kodno prevedeni v sudo! Mešate lahko samostojno in nesamostojno overjanje."
+
+#: plugins/sudoers/auth/sudo_auth.c:206
+msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
+msgstr "Ni načinov overitve, kodno prevedenih v sudo! Če želite izklopiti overjanje, uporabite nastavitveno možnost --disable-authentication."
+
+#: plugins/sudoers/auth/sudo_auth.c:374
+msgid "Authentication methods:"
+msgstr "Načini overjanja:"
+
+#: plugins/sudoers/bsm_audit.c:60 plugins/sudoers/bsm_audit.c:63
+#: plugins/sudoers/bsm_audit.c:112 plugins/sudoers/bsm_audit.c:116
+#: plugins/sudoers/bsm_audit.c:168 plugins/sudoers/bsm_audit.c:172
+#, c-format
+msgid "getaudit: failed"
+msgstr "getaudit: spodletelo"
+
+#: plugins/sudoers/bsm_audit.c:90 plugins/sudoers/bsm_audit.c:153
+#, c-format
+msgid "Could not determine audit condition"
+msgstr "Pogoja presoje varnosti ni bilo mogoče določiti"
+
+#: plugins/sudoers/bsm_audit.c:101
+#, c-format
+msgid "getauid failed"
+msgstr "getauid je spodletel"
+
+#: plugins/sudoers/bsm_audit.c:103 plugins/sudoers/bsm_audit.c:162
+#, c-format
+msgid "au_open: failed"
+msgstr "au_open: spodletelo"
+
+#: plugins/sudoers/bsm_audit.c:118 plugins/sudoers/bsm_audit.c:174
+#, c-format
+msgid "au_to_subject: failed"
+msgstr "au_to_subject: spodletelo"
+
+#: plugins/sudoers/bsm_audit.c:122 plugins/sudoers/bsm_audit.c:178
+#, c-format
+msgid "au_to_exec_args: failed"
+msgstr "au_to_exec_args: spodletelo"
+
+#: plugins/sudoers/bsm_audit.c:126 plugins/sudoers/bsm_audit.c:187
+#, c-format
+msgid "au_to_return32: failed"
+msgstr "au_to_return32: spodletelo"
+
+#: plugins/sudoers/bsm_audit.c:129 plugins/sudoers/bsm_audit.c:190
+#, c-format
+msgid "unable to commit audit record"
+msgstr "ni bilo mogoče uveljaviti zapisa presoje varnosti"
+
+#: plugins/sudoers/bsm_audit.c:160
+#, c-format
+msgid "getauid: failed"
+msgstr "getauid: spodletelo"
+
+#: plugins/sudoers/bsm_audit.c:183
+#, c-format
+msgid "au_to_text: failed"
+msgstr "au_to_text: spodletelo"
+
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
+#, c-format
+msgid "unable to open %s"
+msgstr "ni mogoče odpreti %s"
+
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
+#, c-format
+msgid "unable to write to %s"
+msgstr "ni mogoče pisati v %s"
+
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/iolog.c:156
+#, c-format
+msgid "unable to mkdir %s"
+msgstr "ustvarjenje mape %s z mkdir ni mogoče"
+
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "notranja napaka, prekoračitev funkcije %s"
+
+#: plugins/sudoers/check.c:460
+#, c-format
+msgid "timestamp path too long: %s"
+msgstr "pot časovnega žiga je predolga : %s"
+
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
+#: plugins/sudoers/iolog.c:158
+#, c-format
+msgid "%s exists but is not a directory (0%o)"
+msgstr "%s že obstaja, toda ni mapa (0%o)"
+
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
+#, c-format
+msgid "%s owned by uid %u, should be uid %u"
+msgstr "%s je v lasti ID-ja uporabnika %u, moral bi biti ID uporabnika %u"
+
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
+#, c-format
+msgid "%s writable by non-owner (0%o), should be mode 0700"
+msgstr "%s je zapisljiv za ne-lastnika (0%o), moral bi biti način 0700"
+
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
+#, c-format
+msgid "unable to stat %s"
+msgstr "stanja %s ni mogoče dobiti"
+
+#: plugins/sudoers/check.c:577
+#, c-format
+msgid "%s exists but is not a regular file (0%o)"
+msgstr "%s obstaja, toda ni običajna datoteka (0%o)"
+
+#: plugins/sudoers/check.c:589
+#, c-format
+msgid "%s writable by non-owner (0%o), should be mode 0600"
+msgstr "%s je zapisljiv za ne-lastnika (0%o), moral bi biti način 0600"
+
+#: plugins/sudoers/check.c:643
+#, c-format
+msgid "timestamp too far in the future: %20.20s"
+msgstr "časovni žig je predaleč v prihodnosti: %20.20s"
+
+#: plugins/sudoers/check.c:690
+#, c-format
+msgid "unable to remove %s (%s), will reset to the epoch"
+msgstr "ni mogoče odstraniti %s (%s), ponastavitev na epoho"
+
+#: plugins/sudoers/check.c:698
+#, c-format
+msgid "unable to reset %s to the epoch"
+msgstr "%s ni mogoče ponastaviti na epoho"
+
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
+#, c-format
+msgid "unknown uid: %u"
+msgstr "neznan ID uporabnika: %u"
+
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
+#, c-format
+msgid "unknown user: %s"
+msgstr "neznan uporabnik: %s"
+
+#: plugins/sudoers/def_data.c:27
+#, c-format
+msgid "Syslog facility if syslog is being used for logging: %s"
+msgstr "Pripomoček syslog, če se syslog uporablja za beleženje: %s"
+
+#: plugins/sudoers/def_data.c:31
+#, c-format
+msgid "Syslog priority to use when user authenticates successfully: %s"
+msgstr "Prednost syslog, ko se uporabnik uspešno overi: %s"
+
+#: plugins/sudoers/def_data.c:35
+#, c-format
+msgid "Syslog priority to use when user authenticates unsuccessfully: %s"
+msgstr "Prednost syslog, ko se uporabnik ne overi uspešno: %s"
+
+#: plugins/sudoers/def_data.c:39
+msgid "Put OTP prompt on its own line"
+msgstr "postavi poziv OTP v svojo vrstico"
+
+#: plugins/sudoers/def_data.c:43
+msgid "Ignore '.' in $PATH"
+msgstr "Prezri '.' v $PATH"
+
+#: plugins/sudoers/def_data.c:47
+msgid "Always send mail when sudo is run"
+msgstr "Vedno pošlji pošto, kadar se zažene sudo"
+
+#: plugins/sudoers/def_data.c:51
+msgid "Send mail if user authentication fails"
+msgstr "Pošlji pošto, če overitev uporabnika spodleti"
+
+#: plugins/sudoers/def_data.c:55
+msgid "Send mail if the user is not in sudoers"
+msgstr "Pošlji pošto, če uporabnik ni v sudoers"
+
+#: plugins/sudoers/def_data.c:59
+msgid "Send mail if the user is not in sudoers for this host"
+msgstr "Pošlji pošto, če uporabnik ni v sudoers za tega gostitelja"
+
+#: plugins/sudoers/def_data.c:63
+msgid "Send mail if the user is not allowed to run a command"
+msgstr "Pošlji pošto, če uporabniku ni dovoljeno zagnati ukaza"
+
+#: plugins/sudoers/def_data.c:67
+msgid "Use a separate timestamp for each user/tty combo"
+msgstr "Uporabi ločen časovni žig za vsako kombinacijo uporabnik/tty"
+
+#: plugins/sudoers/def_data.c:71
+msgid "Lecture user the first time they run sudo"
+msgstr "Poduči uporabnika, ko prvič zažene sudo"
+
+#: plugins/sudoers/def_data.c:75
+#, c-format
+msgid "File containing the sudo lecture: %s"
+msgstr "Datoteka, ki vsebuje poduk sudo: %s"
+
+#: plugins/sudoers/def_data.c:79
+msgid "Require users to authenticate by default"
+msgstr "Privzeto zahtevaj od uporabnikov, da se overijo"
+
+#: plugins/sudoers/def_data.c:83
+msgid "Root may run sudo"
+msgstr "Skrbnik lahko zažene sudo"
+
+#: plugins/sudoers/def_data.c:87
+msgid "Log the hostname in the (non-syslog) log file"
+msgstr "Beleži ime gostitelja v datoteko dnevnika (ne v sistemski dnevnik)"
+
+#: plugins/sudoers/def_data.c:91
+msgid "Log the year in the (non-syslog) log file"
+msgstr "Beleži leto v (ne-syslog) dnevniško datoteko"
+
+#: plugins/sudoers/def_data.c:95
+msgid "If sudo is invoked with no arguments, start a shell"
+msgstr "Če je sudo poklican brez argumentov, začni lupino"
+
+#: plugins/sudoers/def_data.c:99
+msgid "Set $HOME to the target user when starting a shell with -s"
+msgstr "Postavi $HOME ciljnemu uporabniku, kadar se začne lupina s -s"
+
+#: plugins/sudoers/def_data.c:103
+msgid "Always set $HOME to the target user's home directory"
+msgstr "Vedno postavi $HOME domači mapi ciljnega uporabnika"
+
+#: plugins/sudoers/def_data.c:107
+msgid "Allow some information gathering to give useful error messages"
+msgstr "Dovoli zbrati nekaj podrobnosti za uporabna sporočila napak"
+
+#: plugins/sudoers/def_data.c:111
+msgid "Require fully-qualified hostnames in the sudoers file"
+msgstr "Zahtevaj povsem uvrščena imena gostiteljev v datoteki sudoers"
+
+#: plugins/sudoers/def_data.c:115
+msgid "Insult the user when they enter an incorrect password"
+msgstr "Užali uporabnika, ko vnese nepravilno geslo"
+
+#: plugins/sudoers/def_data.c:119
+msgid "Only allow the user to run sudo if they have a tty"
+msgstr "Dovoli uporabniku zagnati sudo samo v primeru, če imajo tty"
+
+#: plugins/sudoers/def_data.c:123
+msgid "Visudo will honor the EDITOR environment variable"
+msgstr "Visudo bo spoštoval spremenljivko okolja UREJEVALNIKA"
+
+#: plugins/sudoers/def_data.c:127
+msgid "Prompt for root's password, not the users's"
+msgstr "Pozovi za geslo skrbnika, ne uporabnika"
+
+#: plugins/sudoers/def_data.c:131
+msgid "Prompt for the runas_default user's password, not the users's"
+msgstr "Pozovi za geslo uporabnika runas_default namesto uporabnikovega gesla"
+
+#: plugins/sudoers/def_data.c:135
+msgid "Prompt for the target user's password, not the users's"
+msgstr "Pozovi za geslo ciljnega uporabnika namesto uporabnikovega"
+
+#: plugins/sudoers/def_data.c:139
+msgid "Apply defaults in the target user's login class if there is one"
+msgstr "Uveljavi privzete vrednosti v ciljnem uporabniškem razredu prijave, če le ta obstaja"
+
+#: plugins/sudoers/def_data.c:143
+msgid "Set the LOGNAME and USER environment variables"
+msgstr "Nastavi spremenljivke okolja LOGNAME in USER"
+
+#: plugins/sudoers/def_data.c:147
+msgid "Only set the effective uid to the target user, not the real uid"
+msgstr "Nastavi samo dejanski ID uporabnika ciljnemu uporabniku, ne resničnega ID-ja"
+
+#: plugins/sudoers/def_data.c:151
+msgid "Don't initialize the group vector to that of the target user"
+msgstr "Ne začenjaj vektorja skupine ciljnega uporabnika"
+
+#: plugins/sudoers/def_data.c:155
+#, c-format
+msgid "Length at which to wrap log file lines (0 for no wrap): %d"
+msgstr "Dolžina, pri kateri se naj prelomijo vrstice datotek beleženja (0 za brez lomljenja):% d"
+
+#: plugins/sudoers/def_data.c:159
+#, c-format
+msgid "Authentication timestamp timeout: %.1f minutes"
+msgstr "Časovni potek overitve časovnega žiga: %.1f minut"
+
+#: plugins/sudoers/def_data.c:163
+#, c-format
+msgid "Password prompt timeout: %.1f minutes"
+msgstr "Zakasnitev poziva gesla: %.1f minut"
+
+#: plugins/sudoers/def_data.c:167
+#, c-format
+msgid "Number of tries to enter a password: %d"
+msgstr "Število poskusov vnosa gesla: %d"
+
+#: plugins/sudoers/def_data.c:171
+#, c-format
+msgid "Umask to use or 0777 to use user's: 0%o"
+msgstr "Uporabniška maska, ki bo uporabljena ali 0777 za uporabo uporabnikove: 0%o"
+
+#: plugins/sudoers/def_data.c:175
+#, c-format
+msgid "Path to log file: %s"
+msgstr "Pot do datoteke beleženja: %s"
+
+#: plugins/sudoers/def_data.c:179
+#, c-format
+msgid "Path to mail program: %s"
+msgstr "Pot do programa pošte: %s"
+
+#: plugins/sudoers/def_data.c:183
+#, c-format
+msgid "Flags for mail program: %s"
+msgstr "Zastavice za program pošte: %s"
+
+#: plugins/sudoers/def_data.c:187
+#, c-format
+msgid "Address to send mail to: %s"
+msgstr "Naslov prejemnika pošte: %s"
+
+#: plugins/sudoers/def_data.c:191
+#, c-format
+msgid "Address to send mail from: %s"
+msgstr "Naslov pošiljatelja pošte: %s"
+
+#: plugins/sudoers/def_data.c:195
+#, c-format
+msgid "Subject line for mail messages: %s"
+msgstr "Vrstica zadeve za poštna sporočila: %s"
+
+#: plugins/sudoers/def_data.c:199
+#, c-format
+msgid "Incorrect password message: %s"
+msgstr "Nepravilno sporočilo gesla: %s"
+
+#: plugins/sudoers/def_data.c:203
+#, c-format
+msgid "Path to authentication timestamp dir: %s"
+msgstr "Pot do mape časovnega žiga overitve: %s"
+
+#: plugins/sudoers/def_data.c:207
+#, c-format
+msgid "Owner of the authentication timestamp dir: %s"
+msgstr "Lastnik mape časovnega žiga overitve: %s"
+
+#: plugins/sudoers/def_data.c:211
+#, c-format
+msgid "Users in this group are exempt from password and PATH requirements: %s"
+msgstr "Uporabnikov v tej skupini zahteve gesla in PATH ne omejujejo: %s"
+
+#: plugins/sudoers/def_data.c:215
+#, c-format
+msgid "Default password prompt: %s"
+msgstr "Privzeti poziv gesla: %s"
+
+#: plugins/sudoers/def_data.c:219
+msgid "If set, passprompt will override system prompt in all cases."
+msgstr "Če je poziv gesla nastavljen, bo prepisal sistemski poziv v vseh primerih."
+
+#: plugins/sudoers/def_data.c:223
+#, c-format
+msgid "Default user to run commands as: %s"
+msgstr "Privzet uporabnik za izvajanje ukazov kot: %s"
+
+#: plugins/sudoers/def_data.c:227
+#, c-format
+msgid "Value to override user's $PATH with: %s"
+msgstr "Vrednost, s katerim se bo prepisal $PATH uporabnika: %s"
+
+#: plugins/sudoers/def_data.c:231
+#, c-format
+msgid "Path to the editor for use by visudo: %s"
+msgstr "Pot do urejevalnika za uporabo z visudo: %s"
+
+#: plugins/sudoers/def_data.c:235
+#, c-format
+msgid "When to require a password for 'list' pseudocommand: %s"
+msgstr "Kdaj naj bo zahtevano geslo za psevdoukaz 'list': %s"
+
+#: plugins/sudoers/def_data.c:239
+#, c-format
+msgid "When to require a password for 'verify' pseudocommand: %s"
+msgstr "Kdaj naj bo zahtevano geslo za psevdoukaz 'verify': %s"
+
+#: plugins/sudoers/def_data.c:243
+msgid "Preload the dummy exec functions contained in the sudo_noexec library"
+msgstr "Prednaloži preizkusne funkcije, shranjene v knjižnici sudo_noexec"
+
+#: plugins/sudoers/def_data.c:247
+msgid "If LDAP directory is up, do we ignore local sudoers file"
+msgstr "Če je mapa LDAP na voljo, bodo krajevne datoteke sudoers prezrte"
+
+#: plugins/sudoers/def_data.c:251
+#, c-format
+msgid "File descriptors >= %d will be closed before executing a command"
+msgstr "Opisniki datotek >= %d bodo končani pred izvedbo ukaza"
+
+#: plugins/sudoers/def_data.c:255
+msgid "If set, users may override the value of `closefrom' with the -C option"
+msgstr "Če je nastavljeno, lahko uporabniki prepišejo vrednost `closefrom' z možnostjo -C"
+
+#: plugins/sudoers/def_data.c:259
+msgid "Allow users to set arbitrary environment variables"
+msgstr "Dovoli uporabnikom nastavljanje poljubnih spremenljivk okolja"
+
+#: plugins/sudoers/def_data.c:263
+msgid "Reset the environment to a default set of variables"
+msgstr "Ponastavi okolje na privzet nabor spremenljivk"
+
+#: plugins/sudoers/def_data.c:267
+msgid "Environment variables to check for sanity:"
+msgstr "Spremenljivke okolja, ki bodo preverjene za smiselnost:"
+
+#: plugins/sudoers/def_data.c:271
+msgid "Environment variables to remove:"
+msgstr "Spremenljivke okolja za odstranitev:"
+
+#: plugins/sudoers/def_data.c:275
+msgid "Environment variables to preserve:"
+msgstr "Spremenljivke okolja za ohranitev:"
+
+#: plugins/sudoers/def_data.c:279
+#, c-format
+msgid "SELinux role to use in the new security context: %s"
+msgstr "Vloga SELinux za uporabo v novi vsebini varnosti: %s"
+
+#: plugins/sudoers/def_data.c:283
+#, c-format
+msgid "SELinux type to use in the new security context: %s"
+msgstr "Vrsta SELinux za uporabo v novi vsebini varnosti: %s"
+
+#: plugins/sudoers/def_data.c:287
+#, c-format
+msgid "Path to the sudo-specific environment file: %s"
+msgstr "Pot do določene sudo datoteke okolja: %s"
+
+#: plugins/sudoers/def_data.c:291
+#, c-format
+msgid "Locale to use while parsing sudoers: %s"
+msgstr "Jezikovna oznaka za uporabo pri razčlenjevanju sudoers: %s"
+
+#: plugins/sudoers/def_data.c:295
+msgid "Allow sudo to prompt for a password even if it would be visible"
+msgstr "Dovoli programu sudo, da vpraša za geslo, čeprav bi bilo le-to vidno"
+
+#: plugins/sudoers/def_data.c:299
+msgid "Provide visual feedback at the password prompt when there is user input"
+msgstr "Zagotovi viden odziv ob vnosu gesla ob vnosu uporabnika"
+
+#: plugins/sudoers/def_data.c:303
+msgid "Use faster globbing that is less accurate but does not access the filesystem"
+msgstr "Uporabi hitrejše razširjanje imen poti, ki je manj natančno, vendar ne dostopa do datotečnega sistema"
+
+#: plugins/sudoers/def_data.c:307
+msgid "The umask specified in sudoers will override the user's, even if it is more permissive"
+msgstr "Uporabniška maska v sudoers bo prepisala uporabnikovo tudi, če je bolj premisivna"
+
+#: plugins/sudoers/def_data.c:311
+msgid "Log user's input for the command being run"
+msgstr "Beleži vnos uporabnika za ukaz, ki se izvaja"
+
+#: plugins/sudoers/def_data.c:315
+msgid "Log the output of the command being run"
+msgstr "Beleži izpis ukaza, ki se izvaja"
+
+#: plugins/sudoers/def_data.c:319
+msgid "Compress I/O logs using zlib"
+msgstr "Stisni dnevnike I/O s pomočjo zlib"
+
+#: plugins/sudoers/def_data.c:323
+msgid "Always run commands in a pseudo-tty"
+msgstr "Vedno zaženi ukaze v psevdo-tty"
+
+#: plugins/sudoers/def_data.c:327
+#, c-format
+msgid "Plugin for non-Unix group support: %s"
+msgstr "Vstavek za podporo skupinam, ki niso del Unixa: %s"
+
+#: plugins/sudoers/def_data.c:331
+#, c-format
+msgid "Directory in which to store input/output logs: %s"
+msgstr "Mapa, v kateri bodo shranjeni dnevniki vnosov/izpisov: %s"
+
+#: plugins/sudoers/def_data.c:335
+#, c-format
+msgid "File in which to store the input/output log: %s"
+msgstr "Datoteka, v kateri bo shranjen dnevnik vnosov/izpisov: %s"
+
+#: plugins/sudoers/def_data.c:339
+msgid "Add an entry to the utmp/utmpx file when allocating a pty"
+msgstr "Dodaj vstop datoteki utmp/utmpx, kadar se dodeljuje pty"
+
+#: plugins/sudoers/def_data.c:343
+msgid "Set the user in utmp to the runas user, not the invoking user"
+msgstr "Nastavi uporabnika v utmp uporabniku runas, ne poklicanemu uporabniku"
+
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "Niz omogočenih dovoljenj"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "Niz omejenih dovoljenj"
+
+#: plugins/sudoers/defaults.c:208
+#, c-format
+msgid "unknown defaults entry `%s'"
+msgstr "neznan privzet vnos `%s'"
+
+#: plugins/sudoers/defaults.c:216 plugins/sudoers/defaults.c:226
+#: plugins/sudoers/defaults.c:246 plugins/sudoers/defaults.c:259
+#: plugins/sudoers/defaults.c:272 plugins/sudoers/defaults.c:285
+#: plugins/sudoers/defaults.c:298 plugins/sudoers/defaults.c:318
+#: plugins/sudoers/defaults.c:328
+#, c-format
+msgid "value `%s' is invalid for option `%s'"
+msgstr "vrednost `%s' je neveljavna za možnost `%s'"
+
+#: plugins/sudoers/defaults.c:219 plugins/sudoers/defaults.c:229
+#: plugins/sudoers/defaults.c:237 plugins/sudoers/defaults.c:254
+#: plugins/sudoers/defaults.c:267 plugins/sudoers/defaults.c:280
+#: plugins/sudoers/defaults.c:293 plugins/sudoers/defaults.c:313
+#: plugins/sudoers/defaults.c:324
+#, c-format
+msgid "no value specified for `%s'"
+msgstr "za `%s' ni določena nobena vrednost"
+
+#: plugins/sudoers/defaults.c:242
+#, c-format
+msgid "values for `%s' must start with a '/'"
+msgstr "vrednosti za `%s' se morajo začeti s '/'"
+
+#: plugins/sudoers/defaults.c:304
+#, c-format
+msgid "option `%s' does not take a value"
+msgstr "možnost `%s' ne sprejme vrednosti"
+
+#: plugins/sudoers/env.c:367
+#, c-format
+msgid "sudo_putenv: corrupted envp, length mismatch"
+msgstr "sudo_putenv: pokvarjen envp, neujemanje dolžine"
+
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
+#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
+#, c-format
+msgid "unable to allocate memory"
+msgstr "ni mogoče dodeliti pomnilnika"
+
+#: plugins/sudoers/env.c:992
+#, c-format
+msgid "sorry, you are not allowed to set the following environment variables: %s"
+msgstr "nimate dovoljenj nastavljati naslednjih spremenljivk okolja: %s"
+
+#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
+#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
+#, c-format
+msgid "%s: %s"
+msgstr "%s: %s"
+
+#: plugins/sudoers/group_plugin.c:91
+#, c-format
+msgid "%s%s: %s"
+msgstr "%s%s: %s"
+
+#: plugins/sudoers/group_plugin.c:103
+#, c-format
+msgid "%s must be owned by uid %d"
+msgstr "%s mora biti v lasti ID-ja uporabnika %d"
+
+#: plugins/sudoers/group_plugin.c:107
+#, c-format
+msgid "%s must only be writable by owner"
+msgstr "%s mora biti zapisljiv samo za lastnika"
+
+#: plugins/sudoers/group_plugin.c:114
+#, c-format
+msgid "unable to dlopen %s: %s"
+msgstr "ni mogoče uporabiti dlopen %s: %s"
+
+#: plugins/sudoers/group_plugin.c:119
+#, c-format
+msgid "unable to find symbol \"group_plugin\" in %s"
+msgstr "ni mogoče najti simbola \"group_plugin\" v %s"
+
+#: plugins/sudoers/group_plugin.c:124
+#, c-format
+msgid "%s: incompatible group plugin major version %d, expected %d"
+msgstr "%s: nezdružljiva večja različica vstavka skupin %d, pričakovana %d"
+
+#: plugins/sudoers/interfaces.c:112
+msgid "Local IP address and netmask pairs:\n"
+msgstr "Pari krajevnih naslovov IP in omrežnih mask:\n"
+
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
+#, c-format
+msgid "unable to read %s"
+msgstr "ni mogoče brati %s"
+
+#: plugins/sudoers/iolog.c:208
+#, c-format
+msgid "invalid sequence number %s"
+msgstr "neveljavna številka zaporedja %s"
+
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
+#, c-format
+msgid "unable to create %s"
+msgstr "ni mogoče ustvariti %s"
+
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
+#, c-format
+msgid "unable to set locale to \"%s\", using \"C\""
+msgstr "ni mogoče nastaviti jezikovne oznake na \"%s\" z uporabo \"C\""
+
+#: plugins/sudoers/ldap.c:387
+#, c-format
+msgid "sudo_ldap_conf_add_ports: port too large"
+msgstr "sudo_ldap_conf_add_ports: vrednost vrat je prevelika"
+
+#: plugins/sudoers/ldap.c:410
+#, c-format
+msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
+msgstr "sudo_ldap_conf_add_ports: med razširjanjem hostbuf je zmanjkalo prostora"
+
+#: plugins/sudoers/ldap.c:440
+#, c-format
+msgid "unsupported LDAP uri type: %s"
+msgstr "nepodprta vrsta uri-ja LDAP: %s"
+
+#: plugins/sudoers/ldap.c:469
+#, c-format
+msgid "invalid uri: %s"
+msgstr "neveljaven uri: %s"
+
+#: plugins/sudoers/ldap.c:475
+#, c-format
+msgid "unable to mix ldap and ldaps URIs"
+msgstr "ni mogoče mešati URI-jev ldap in ldaps"
+
+#: plugins/sudoers/ldap.c:479
+#, c-format
+msgid "unable to mix ldaps and starttls"
+msgstr "ni mogoče mešati ldaps in starttls"
+
+#: plugins/sudoers/ldap.c:498
+#, c-format
+msgid "sudo_ldap_parse_uri: out of space building hostbuf"
+msgstr "sudo_ldap_parse_uri: med izgradnjo hostbuf je zmanjkalo prostora"
+
+#: plugins/sudoers/ldap.c:572
+#, c-format
+msgid "unable to initialize SSL cert and key db: %s"
+msgstr "ni mogoče začenjati potrdila SSL in ključa db: %s"
+
+#: plugins/sudoers/ldap.c:575
+#, c-format
+msgid "you must set TLS_CERT in %s to use SSL"
+msgstr "za uporabo SSL-ja morate nastaviti TSL_CERT v datoteki %s"
+
+#: plugins/sudoers/ldap.c:992
+#, c-format
+msgid "unable to get GMT time"
+msgstr "ni mogoče dobiti časa GMT"
+
+#: plugins/sudoers/ldap.c:998
+#, c-format
+msgid "unable to format timestamp"
+msgstr "ni mogoče oblikovati časovnega žiga"
+
+#: plugins/sudoers/ldap.c:1006
+#, c-format
+msgid "unable to build time filter"
+msgstr "ni mogoče izgraditi časovnega filtra"
+
+#: plugins/sudoers/ldap.c:1225
+#, c-format
+msgid "sudo_ldap_build_pass1 allocation mismatch"
+msgstr "sudo_ldap_build_pass1 neujemanje dodelitve"
+
+#: plugins/sudoers/ldap.c:1761
+#, c-format
+msgid ""
+"\n"
+"LDAP Role: %s\n"
+msgstr ""
+"\n"
+"Vloga LDAP: %s\n"
+
+#: plugins/sudoers/ldap.c:1763
+#, c-format
+msgid ""
+"\n"
+"LDAP Role: UNKNOWN\n"
+msgstr ""
+"\n"
+"Vloga LDAP: NEZNANA\n"
+
+#: plugins/sudoers/ldap.c:1810
+#, c-format
+msgid " Order: %s\n"
+msgstr " Vrstni red: %s\n"
+
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
+#, c-format
+msgid " Commands:\n"
+msgstr " Ukazi:\n"
+
+#: plugins/sudoers/ldap.c:2240
+#, c-format
+msgid "unable to initialize LDAP: %s"
+msgstr "ni mogoče začeti LDAP: %s"
+
+#: plugins/sudoers/ldap.c:2274
+#, c-format
+msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
+msgstr "start_tls je določen, toda knjižnice LDAP ne podpirajo ldap_start_tls_s() ali ldap_start_tls_s_np()"
+
+#: plugins/sudoers/ldap.c:2510
+#, c-format
+msgid "invalid sudoOrder attribute: %s"
+msgstr "neveljaven atribut sudoOrder: %s"
+
+#: plugins/sudoers/linux_audit.c:57
+#, c-format
+msgid "unable to open audit system"
+msgstr "ni mogoče odpreti nadzornega sistema"
+
+#: plugins/sudoers/linux_audit.c:93
+#, c-format
+msgid "unable to send audit message"
+msgstr "ni mogoče poslati nadzornega sporočila"
+
+#: plugins/sudoers/logging.c:202
+#, c-format
+msgid "unable to open log file: %s: %s"
+msgstr "ni mogoče odpreti datoteke dnevnika: %s: %s"
+
+#: plugins/sudoers/logging.c:205
+#, c-format
+msgid "unable to lock log file: %s: %s"
+msgstr "ni mogoče zakleniti datoteke dnevnika: %s: %s"
+
+#: plugins/sudoers/logging.c:260
+msgid "user NOT in sudoers"
+msgstr "uporabnika NI v sudoers"
+
+#: plugins/sudoers/logging.c:262
+msgid "user NOT authorized on host"
+msgstr "uporabnik NI pooblaščen na gostitelju"
+
+#: plugins/sudoers/logging.c:264
+msgid "command not allowed"
+msgstr "ukaz ni dovoljen"
+
+#: plugins/sudoers/logging.c:274
+#, c-format
+msgid "%s is not in the sudoers file. This incident will be reported.\n"
+msgstr "%s ni v datoteki sudoers. Ta dogodek bo zabeležen.\n"
+
+#: plugins/sudoers/logging.c:277
+#, c-format
+msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
+msgstr "%s nima dovoljenj za izvajanje sudo na %s. Ta dogodek bo zabeležen.\n"
+
+#: plugins/sudoers/logging.c:281
+#, c-format
+msgid "Sorry, user %s may not run sudo on %s.\n"
+msgstr "Uporabnik %s ne sme izvajati sudo na %s.\n"
+
+#: plugins/sudoers/logging.c:284
+#, c-format
+msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
+msgstr "Uporabnik %s ne sme zagnati '%s%s%s' kot %s%s%s na %s.\n"
+
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Brez uporabnika ali gostitelja"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "potrjevanje veljavnosti ni uspelo"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: ukaza ni bilo mogoče najti"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"prezrtje `%s', najdenega v '.'\n"
+"Uporabite `sudo ./%s', če je to `%s', ki ga želite zagnati."
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "napaka overitve"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d nepravilnih poskusov vnosa gesla"
+msgstr[1] "%d nepravilen poskus vnosa gesla"
+msgstr[2] "%d nepravilna poskusa vnosa gesla"
+msgstr[3] "%d nepravilni poskusi vnosa gesla"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "zahtevano je geslo"
+
+#: plugins/sudoers/logging.c:530
+#, c-format
+msgid "unable to fork"
+msgstr "ni mogoče razvejiti"
+
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
+#, c-format
+msgid "unable to fork: %m"
+msgstr "ni mogoče razvejiti: %m"
+
+#: plugins/sudoers/logging.c:589
+#, c-format
+msgid "unable to open pipe: %m"
+msgstr "ni mogoče odpreti cevi: %m"
+
+#: plugins/sudoers/logging.c:614
+#, c-format
+msgid "unable to dup stdin: %m"
+msgstr "ni mogoče podvojiti stdin: %m"
+
+#: plugins/sudoers/logging.c:650
+#, c-format
+msgid "unable to execute %s: %m"
+msgstr "ni mogoče izvesti %s: %m"
+
+#: plugins/sudoers/logging.c:865
+#, c-format
+msgid "internal error: insufficient space for log line"
+msgstr "notranja napaka: premalo prostora za vrstico dnevnika"
+
+#: plugins/sudoers/parse.c:123
+#, c-format
+msgid "parse error in %s near line %d"
+msgstr "napaka razčlenjevanja v %s blizu vrstice %d"
+
+#: plugins/sudoers/parse.c:126
+#, c-format
+msgid "parse error in %s"
+msgstr "napaka med razčlenjevanjem datoteke %s"
+
+#: plugins/sudoers/parse.c:414
+#, c-format
+msgid ""
+"\n"
+"Sudoers entry:\n"
+msgstr ""
+"\n"
+"Vnos sudoers:\n"
+
+#: plugins/sudoers/parse.c:416
+#, c-format
+msgid " RunAsUsers: "
+msgstr " ZaženiKotUporabniki: "
+
+#: plugins/sudoers/parse.c:431
+#, c-format
+msgid " RunAsGroups: "
+msgstr " ZaženiKotSkupine: "
+
+#: plugins/sudoers/parse.c:440
+#, c-format
+msgid ""
+" Commands:\n"
+"\t"
+msgstr ""
+" Ukazi:\n"
+"\t"
+
+#: plugins/sudoers/plugin_error.c:100 plugins/sudoers/plugin_error.c:105
+msgid ": "
+msgstr ": "
+
+#: plugins/sudoers/pwutil.c:278
+#, c-format
+msgid "unable to cache uid %u (%s), already exists"
+msgstr "ni mogoče predpomniti ID-ja uporabnika %u (%s), že obstaja"
+
+#: plugins/sudoers/pwutil.c:286
+#, c-format
+msgid "unable to cache uid %u, already exists"
+msgstr "ni mogoče predpomniti ID-ja uporabnika %u, že obstaja"
+
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
+#, c-format
+msgid "unable to cache user %s, already exists"
+msgstr "ni mogoče predpomniti uporabnika %s, že obstaja"
+
+#: plugins/sudoers/pwutil.c:668
+#, c-format
+msgid "unable to cache gid %u (%s), already exists"
+msgstr "ni mogoče predpomniti ID-ja skupine %u (%s), že obstaja"
+
+#: plugins/sudoers/pwutil.c:676
+#, c-format
+msgid "unable to cache gid %u, already exists"
+msgstr "ni mogoče predpomniti ID-ja skupine %u, že obstaja"
+
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
+#, c-format
+msgid "unable to cache group %s, already exists"
+msgstr "ni mogoče predpomniti skupine %s, že obstaja"
+
+#: plugins/sudoers/set_perms.c:122 plugins/sudoers/set_perms.c:436
+#: plugins/sudoers/set_perms.c:828 plugins/sudoers/set_perms.c:1114
+#: plugins/sudoers/set_perms.c:1396
+msgid "perm stack overflow"
+msgstr "prekoračitev trajnega sklada"
+
+#: plugins/sudoers/set_perms.c:130 plugins/sudoers/set_perms.c:444
+#: plugins/sudoers/set_perms.c:836 plugins/sudoers/set_perms.c:1122
+#: plugins/sudoers/set_perms.c:1404
+msgid "perm stack underflow"
+msgstr "prekoračitev spodnje meje trajnega sklada"
+
+#: plugins/sudoers/set_perms.c:270 plugins/sudoers/set_perms.c:580
+#: plugins/sudoers/set_perms.c:957 plugins/sudoers/set_perms.c:1243
+msgid "unable to change to runas gid"
+msgstr "ni mogoče spremeniti v ID-ja skupine runas"
+
+#: plugins/sudoers/set_perms.c:282 plugins/sudoers/set_perms.c:592
+#: plugins/sudoers/set_perms.c:967 plugins/sudoers/set_perms.c:1253
+msgid "unable to change to runas uid"
+msgstr "ni mogoče spremeniti v ID-ja uporabnika runas"
+
+#: plugins/sudoers/set_perms.c:300 plugins/sudoers/set_perms.c:610
+#: plugins/sudoers/set_perms.c:983 plugins/sudoers/set_perms.c:1269
+msgid "unable to change to sudoers gid"
+msgstr "ni mogoče spremeniti ID-ja skupine sudoers"
+
+#: plugins/sudoers/set_perms.c:353 plugins/sudoers/set_perms.c:681
+#: plugins/sudoers/set_perms.c:1029 plugins/sudoers/set_perms.c:1315
+#: plugins/sudoers/set_perms.c:1474
+msgid "too many processes"
+msgstr "preveč opravil"
+
+#: plugins/sudoers/set_perms.c:1542
+msgid "unable to set runas group vector"
+msgstr "ni mogoče nastaviti vektorja skupine runas"
+
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "ni mogoče uporabiti dlopen %s: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "Vira SSS ni mogoče zagnati. Ali je SSSD pravilno nameščen?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "simbola \"%s\" ni mogoče najti v %s"
+
+#: plugins/sudoers/sudo_nss.c:267
+#, c-format
+msgid "Matching Defaults entries for %s on this host:\n"
+msgstr "Ujemajoči vpisi privzetih vrednosti za %s na tem gostitelju:\n"
+
+#: plugins/sudoers/sudo_nss.c:280
+#, c-format
+msgid "Runas and Command-specific defaults for %s:\n"
+msgstr "Runas in ukazno določene privzete vrednosti za %s:\n"
+
+#: plugins/sudoers/sudo_nss.c:293
+#, c-format
+msgid "User %s may run the following commands on this host:\n"
+msgstr "Na tem gostitelju lahko uporabnik %s zažene naslednje ukaze:\n"
+
+#: plugins/sudoers/sudo_nss.c:302
+#, c-format
+msgid "User %s is not allowed to run sudo on %s.\n"
+msgstr "Uporabniku %s ni dovoljeno zagnati sudo na %s.\n"
+
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
+msgid "problem with defaults entries"
+msgstr "težave z vnosi privzetih vrednosti"
+
+#: plugins/sudoers/sudoers.c:216
+#, c-format
+msgid "no valid sudoers sources found, quitting"
+msgstr "najdenih niso bili nobeni veljavni viri sudoers, končanje"
+
+#: plugins/sudoers/sudoers.c:268
+#, c-format
+msgid "unable to execute %s: %s"
+msgstr "ni mogoče zagnati %s: %s"
+
+#: plugins/sudoers/sudoers.c:335
+#, c-format
+msgid "sudoers specifies that root is not allowed to sudo"
+msgstr "sudoers določa, da skrbniku ni dovoljeno uporabiti sudo"
+
+#: plugins/sudoers/sudoers.c:342
+#, c-format
+msgid "you are not permitted to use the -C option"
+msgstr "ni vam dovoljeno uporabiti možnosti -C"
+
+#: plugins/sudoers/sudoers.c:431
+#, c-format
+msgid "timestamp owner (%s): No such user"
+msgstr "lastnik časovnega žiga (%s): ni takšnega uporabnika"
+
+#: plugins/sudoers/sudoers.c:447
+msgid "no tty"
+msgstr "brez tty"
+
+#: plugins/sudoers/sudoers.c:448
+#, c-format
+msgid "sorry, you must have a tty to run sudo"
+msgstr "za izvajanje sudo morate imeti tty"
+
+#: plugins/sudoers/sudoers.c:498
+msgid "command in current directory"
+msgstr "ukaz v trenutni mapi"
+
+#: plugins/sudoers/sudoers.c:510
+#, c-format
+msgid "sorry, you are not allowed to preserve the environment"
+msgstr "nimate dovoljenj za ohranjanje okolja"
+
+#: plugins/sudoers/sudoers.c:1006
+#, c-format
+msgid "%s is not a regular file"
+msgstr "%s ni običajna datoteka"
+
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "%s je v lasti ID-ja uporabnika %u, moral bi biti %u"
+
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
+#, c-format
+msgid "%s is world writable"
+msgstr "v datoteko %s lahko zapisujejo vsi uporabniki"
+
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
+#, c-format
+msgid "%s is owned by gid %u, should be %u"
+msgstr "%s je v lasti ID-ja skupine %u, moral bi biti %u"
+
+#: plugins/sudoers/sudoers.c:1043
+#, c-format
+msgid "only root can use `-c %s'"
+msgstr "samo skrbnik lahko uporabi `-c %s'"
+
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
+#, c-format
+msgid "unknown login class: %s"
+msgstr "neznan razred prijave: %s"
+
+#: plugins/sudoers/sudoers.c:1089
+#, c-format
+msgid "unable to resolve host %s"
+msgstr "ni mogoče razrešiti gostitelja %s"
+
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
+#, c-format
+msgid "unknown group: %s"
+msgstr "neznana skupina: %s"
+
+#: plugins/sudoers/sudoers.c:1190
+#, c-format
+msgid "Sudoers policy plugin version %s\n"
+msgstr "Vstavek pravilnika sudoers različica %s\n"
+
+#: plugins/sudoers/sudoers.c:1192
+#, c-format
+msgid "Sudoers file grammar version %d\n"
+msgstr "Datoteka slovnice sudoers različica %d\n"
+
+#: plugins/sudoers/sudoers.c:1196
+#, c-format
+msgid ""
+"\n"
+"Sudoers path: %s\n"
+msgstr ""
+"\n"
+"Pot sudoers: %s\n"
+
+#: plugins/sudoers/sudoers.c:1199
+#, c-format
+msgid "nsswitch path: %s\n"
+msgstr "pot nsswitch: %s\n"
+
+#: plugins/sudoers/sudoers.c:1201
+#, c-format
+msgid "ldap.conf path: %s\n"
+msgstr "pot ldap.conf: %s\n"
+
+#: plugins/sudoers/sudoers.c:1202
+#, c-format
+msgid "ldap.secret path: %s\n"
+msgstr "pot ldap.secret: %s\n"
+
+#: plugins/sudoers/sudoreplay.c:293
+#, c-format
+msgid "invalid filter option: %s"
+msgstr "neveljavna možnost filtra: %s"
+
+#: plugins/sudoers/sudoreplay.c:306
+#, c-format
+msgid "invalid max wait: %s"
+msgstr "neveljavna zgornja meja čakanja: %s"
+
+#: plugins/sudoers/sudoreplay.c:312
+#, c-format
+msgid "invalid speed factor: %s"
+msgstr "neveljaven dejavnik hitrosti: %s"
+
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
+#, c-format
+msgid "%s version %s\n"
+msgstr "%s različica %s\n"
+
+#: plugins/sudoers/sudoreplay.c:340
+#, c-format
+msgid "%s/%.2s/%.2s/%.2s/timing: %s"
+msgstr "%s/%.2s/%.2s/%.2s/časovna uskladitev: %s"
+
+#: plugins/sudoers/sudoreplay.c:346
+#, c-format
+msgid "%s/%s/timing: %s"
+msgstr "%s/%s/časovna uskladitev: %s"
+
+#: plugins/sudoers/sudoreplay.c:364
+#, c-format
+msgid "Replaying sudo session: %s\n"
+msgstr "Izpisovanje dnevnika seje sudo: %s\n"
+
+#: plugins/sudoers/sudoreplay.c:370
+#, c-format
+msgid "Warning: your terminal is too small to properly replay the log.\n"
+msgstr "Opozorilo: terminal je premajhen za pravilno izpisovanje dnevnika.\n"
+
+#: plugins/sudoers/sudoreplay.c:371
+#, c-format
+msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
+msgstr "Geometrija dnevnika je %d x %d, medtem ko je geometrija terminala %d x %d."
+
+#: plugins/sudoers/sudoreplay.c:401
+#, c-format
+msgid "unable to set tty to raw mode"
+msgstr "ni mogoče nastaviti tty na surov način"
+
+#: plugins/sudoers/sudoreplay.c:418
+#, c-format
+msgid "invalid timing file line: %s"
+msgstr "neveljavna vrstica datoteke časovne uskladitve: %s"
+
+#: plugins/sudoers/sudoreplay.c:501
+#, c-format
+msgid "writing to standard output"
+msgstr "pisanje na standardni izhod"
+
+#: plugins/sudoers/sudoreplay.c:530
+#, c-format
+msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
+msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
+
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
+#, c-format
+msgid "ambiguous expression \"%s\""
+msgstr "dvoumen izraz \"%s\""
+
+#: plugins/sudoers/sudoreplay.c:685
+#, c-format
+msgid "too many parenthesized expressions, max %d"
+msgstr "preveč izrazov z oklepaji, največje število %d"
+
+#: plugins/sudoers/sudoreplay.c:696
+#, c-format
+msgid "unmatched ')' in expression"
+msgstr "v izrazu je neujemajoč ')'"
+
+#: plugins/sudoers/sudoreplay.c:702
+#, c-format
+msgid "unknown search term \"%s\""
+msgstr "naznan iskalni izraz \"%s\""
+
+#: plugins/sudoers/sudoreplay.c:716
+#, c-format
+msgid "%s requires an argument"
+msgstr "%s zahteva argument"
+
+#: plugins/sudoers/sudoreplay.c:720
+#, c-format
+msgid "invalid regular expression: %s"
+msgstr "neveljaven logični izraz: %s"
+
+#: plugins/sudoers/sudoreplay.c:726
+#, c-format
+msgid "could not parse date \"%s\""
+msgstr "ni mogoče razčleniti datuma \"%s\""
+
+#: plugins/sudoers/sudoreplay.c:739
+#, c-format
+msgid "unmatched '(' in expression"
+msgstr "v izrazu je neujemajoč '('"
+
+#: plugins/sudoers/sudoreplay.c:741
+#, c-format
+msgid "illegal trailing \"or\""
+msgstr "neveljaven zaključni \"or\""
+
+#: plugins/sudoers/sudoreplay.c:743
+#, c-format
+msgid "illegal trailing \"!\""
+msgstr "neveljaven zaključni \"!\""
+
+#: plugins/sudoers/sudoreplay.c:1050
+#, c-format
+msgid "invalid regex: %s"
+msgstr "neveljavni logični izraz: %s"
+
+#: plugins/sudoers/sudoreplay.c:1174
+#, c-format
+msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
+msgstr "uporaba: %s [-h] [-d mapa] [-m zg_meja_čakanja] [-s faktor_hitrosti] ID\n"
+
+#: plugins/sudoers/sudoreplay.c:1177
+#, c-format
+msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
+msgstr "uporaba: %s [-h] [-d mapa] -l [iskalni izraz]\n"
+
+#: plugins/sudoers/sudoreplay.c:1186
+#, c-format
+msgid ""
+"%s - replay sudo session logs\n"
+"\n"
+msgstr ""
+"%s - ponovno predvajaj dnevnike sej sudo\n"
+"\n"
+
+#: plugins/sudoers/sudoreplay.c:1188
+msgid ""
+"\n"
+"Options:\n"
+" -d directory specify directory for session logs\n"
+" -f filter specify which I/O type to display\n"
+" -h display help message and exit\n"
+" -l [expression] list available session IDs that match expression\n"
+" -m max_wait max number of seconds to wait between events\n"
+" -s speed_factor speed up or slow down output\n"
+" -V display version information and exit"
+msgstr ""
+"\n"
+"Možnosti:\n"
+" -d mapa določi mapo za dnevnike sej\n"
+" -f filter navedi, katera vrsta I/O se naj prikaže \n"
+" -h prikaži sporočilo pomoči in končaj\n"
+" -l [izraz] navedi razpoložljive ID-je sej, ki se ujemajo z izrazom\n"
+" -m zg_meja_čakanja največje število sekund za čakanje med dogodki\n"
+" -s faktor_hitrosti pospeši ali upočasni izhod\n"
+" -V prikaži podrobnosti o različici in končaj"
+
+#: plugins/sudoers/testsudoers.c:338
+msgid "\thost unmatched"
+msgstr "\tgostitelj se ne ujema"
+
+#: plugins/sudoers/testsudoers.c:341
+msgid ""
+"\n"
+"Command allowed"
+msgstr ""
+"\n"
+"Ukaz je dovoljen"
+
+#: plugins/sudoers/testsudoers.c:342
+msgid ""
+"\n"
+"Command denied"
+msgstr ""
+"\n"
+"Ukaz je bil zavrnjen"
+
+#: plugins/sudoers/testsudoers.c:342
+msgid ""
+"\n"
+"Command unmatched"
+msgstr ""
+"\n"
+"Ukaz se ne ujema"
+
+#: plugins/sudoers/toke_util.c:218
+msgid "fill_args: buffer overflow"
+msgstr "fill_args: prekoračitev medpomnilnika"
+
+#: plugins/sudoers/visudo.c:188
+#, c-format
+msgid "%s grammar version %d\n"
+msgstr "%s različica slovnice %d\n"
+
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
+#, c-format
+msgid "press return to edit %s: "
+msgstr "za urejanje %s pritisnite return: "
+
+#: plugins/sudoers/visudo.c:335 plugins/sudoers/visudo.c:341
+#, c-format
+msgid "write error"
+msgstr "napaka med pisanjem"
+
+#: plugins/sudoers/visudo.c:423
+#, c-format
+msgid "unable to stat temporary file (%s), %s unchanged"
+msgstr "ni mogoče začeti začasne datoteke (%s), %s nepsremenjeno"
+
+#: plugins/sudoers/visudo.c:428
+#, c-format
+msgid "zero length temporary file (%s), %s unchanged"
+msgstr "začasna datoteka brez dolžine (%s), %s nespremenjena"
+
+#: plugins/sudoers/visudo.c:434
+#, c-format
+msgid "editor (%s) failed, %s unchanged"
+msgstr "urejevalnik (%s) je spodletel, %s nespremenjen"
+
+#: plugins/sudoers/visudo.c:457
+#, c-format
+msgid "%s unchanged"
+msgstr "%s nespremenjeno"
+
+#: plugins/sudoers/visudo.c:486
+#, c-format
+msgid "unable to re-open temporary file (%s), %s unchanged."
+msgstr "ni mogoče ponovno odpreti začasne datoteke (%s), %s je nespremenjen."
+
+#: plugins/sudoers/visudo.c:496
+#, c-format
+msgid "unabled to parse temporary file (%s), unknown error"
+msgstr "ni mogoče razčleniti začasne datoteke (%s), neznana napaka"
+
+#: plugins/sudoers/visudo.c:534
+#, c-format
+msgid "internal error, unable to find %s in list!"
+msgstr "notranja napaka, na seznamu ni mogoče najti %s!"
+
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
+#, c-format
+msgid "unable to set (uid, gid) of %s to (%u, %u)"
+msgstr "ni mogoče nastaviti (ID uporabnika, ID skupine) od %s do (%u, %u)"
+
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
+#, c-format
+msgid "unable to change mode of %s to 0%o"
+msgstr "ni mogoče spremeniti načina iz %s na 0%o"
+
+#: plugins/sudoers/visudo.c:617
+#, c-format
+msgid "%s and %s not on the same file system, using mv to rename"
+msgstr "%s in %s nista na enakem datotečnem sistemu, uporaba mv za preimenovanje"
+
+#: plugins/sudoers/visudo.c:631
+#, c-format
+msgid "command failed: '%s %s %s', %s unchanged"
+msgstr "ukaz je spodletel: '%s %s %s', %s nespremenjen"
+
+#: plugins/sudoers/visudo.c:641
+#, c-format
+msgid "error renaming %s, %s unchanged"
+msgstr "napaka med preimenovanjem %s, %s nespremenjen"
+
+#: plugins/sudoers/visudo.c:704
+msgid "What now? "
+msgstr "Kaj pa zdaj? "
+
+#: plugins/sudoers/visudo.c:718
+msgid ""
+"Options are:\n"
+" (e)dit sudoers file again\n"
+" e(x)it without saving changes to sudoers file\n"
+" (Q)uit and save changes to sudoers file (DANGER!)\n"
+msgstr ""
+"Možnosti so:\n"
+" (e)ponovno uredi datoteko sudoers\n"
+" (x)končaj brez shranjevanja sprememb v datoteko sudoers\n"
+" (Q)končaj in shrani spremembe v datoteko sudoers (NEVARNOST!)\n"
+
+#: plugins/sudoers/visudo.c:759
+#, c-format
+msgid "unable to execute %s"
+msgstr "ni mogoče izvršiti %s"
+
+#: plugins/sudoers/visudo.c:766
+#, c-format
+msgid "unable to run %s"
+msgstr "ni mogoče zagnati %s"
+
+#: plugins/sudoers/visudo.c:792
+#, c-format
+msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
+msgstr "%s: napačen lastnik (ID uporabnika, ID skupine) moralo bi biti (%u, %u)\n"
+
+#: plugins/sudoers/visudo.c:799
+#, c-format
+msgid "%s: bad permissions, should be mode 0%o\n"
+msgstr "%s: slaba dovoljenja, moral bi biti način 0%o\n"
+
+#: plugins/sudoers/visudo.c:824
+#, c-format
+msgid "failed to parse %s file, unknown error"
+msgstr "razčlenjevanje datoteke %s je spodletelo, neznana napaka"
+
+#: plugins/sudoers/visudo.c:837
+#, c-format
+msgid "parse error in %s near line %d\n"
+msgstr "napaka razčlenjevanja v %s blizu vrstice %d\n"
+
+#: plugins/sudoers/visudo.c:840
+#, c-format
+msgid "parse error in %s\n"
+msgstr "napaka razčlenjevanja v %s\n"
+
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
+#, c-format
+msgid "%s: parsed OK\n"
+msgstr "%s: uspešno razčlenjeno\n"
+
+#: plugins/sudoers/visudo.c:899
+#, c-format
+msgid "%s busy, try again later"
+msgstr "%s zaseden, poskusite ponovno pozneje"
+
+#: plugins/sudoers/visudo.c:943
+#, c-format
+msgid "specified editor (%s) doesn't exist"
+msgstr "določen urejevalnik (%s) se ne konča"
+
+#: plugins/sudoers/visudo.c:966
+#, c-format
+msgid "unable to stat editor (%s)"
+msgstr "ni mogoče začeti urejevalnika (%s)"
+
+#: plugins/sudoers/visudo.c:1014
+#, c-format
+msgid "no editor found (editor path = %s)"
+msgstr "najdenega ni nobenega urejevalnika (pot urejevalnika = %s)"
+
+#: plugins/sudoers/visudo.c:1108
+#, c-format
+msgid "Error: cycle in %s_Alias `%s'"
+msgstr "Napaka: kroženje v %s_Alias `%s'"
+
+#: plugins/sudoers/visudo.c:1109
+#, c-format
+msgid "Warning: cycle in %s_Alias `%s'"
+msgstr "Opozorilo: kroženje v %s_Alias `%s'"
+
+#: plugins/sudoers/visudo.c:1112
+#, c-format
+msgid "Error: %s_Alias `%s' referenced but not defined"
+msgstr "Napaka: %s_Alias `%s' sklicevan, toda ne določen"
+
+#: plugins/sudoers/visudo.c:1113
+#, c-format
+msgid "Warning: %s_Alias `%s' referenced but not defined"
+msgstr "Warning: %s_Alias `%s' sklicevan, toda ne določen"
+
+#: plugins/sudoers/visudo.c:1248
+#, c-format
+msgid "%s: unused %s_Alias %s"
+msgstr "%s: neuporabljen %s_Alias %s"
+
+#: plugins/sudoers/visudo.c:1304
+#, c-format
+msgid ""
+"%s - safely edit the sudoers file\n"
+"\n"
+msgstr ""
+"%s - varno uredi datoteko sudoers\n"
+"\n"
+
+#: plugins/sudoers/visudo.c:1306
+msgid ""
+"\n"
+"Options:\n"
+" -c check-only mode\n"
+" -f sudoers specify sudoers file location\n"
+" -h display help message and exit\n"
+" -q less verbose (quiet) syntax error messages\n"
+" -s strict syntax checking\n"
+" -V display version information and exit"
+msgstr ""
+"\n"
+"Možnosti:\n"
+" -c način samo preverjanja\n"
+" -f sudoers določi mesto datoteke sudoers\n"
+" -h prikaži sporočilo pomoči in končaj\n"
+" -q manj podroben izpis (tih) sporočil skladenjskih napak\n"
+" -s strogo preverjanje skladnje\n"
+" -V prikaži podrobnosti različice in končaj"
+
+#: toke.l:820
+msgid "too many levels of includes"
+msgstr "preveč stopenj vključitev"
+
+#~ msgid "internal error, expand_prompt() overflow"
+#~ msgstr "notranja napaka, prekoračitev expand_prompt()"
+
+#~ msgid "internal error, sudo_setenv2() overflow"
+#~ msgstr "notranja napaka, prekoračitev v funkciji sudo_setenv2()"
+
+#~ msgid "internal error, sudo_setenv() overflow"
+#~ msgstr "notranja napaka, prekoračitev sudo_setenv()"
+
+#~ msgid "internal error, linux_audit_command() overflow"
+#~ msgstr "notranja napaka, prekoračitev linux_audit_command()"
+
+#~ msgid "internal error, runas_groups overflow"
+#~ msgstr "notranja napaka, prekoračitev v funkciji runas_groups()"
+
+#~ msgid "internal error, init_vars() overflow"
+#~ msgstr "notranja napaka, prekoračitev init_vars()"
#, fuzzy
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5\n"
+"Project-Id-Version: sudo 1.8.6\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n"
-#: gram.y:110
+#: gram.y:112
#, c-format
msgid ">>> %s: %s near line %d <<<"
msgstr ""
msgid "unable to initialize SIA session"
msgstr ""
-#: plugins/sudoers/auth/sudo_auth.c:117
+#: plugins/sudoers/auth/sudo_auth.c:121
msgid ""
"Invalid authentication methods compiled into sudo! You may mix standalone "
"and non-standalone authentication."
msgstr ""
-#: plugins/sudoers/auth/sudo_auth.c:199
+#: plugins/sudoers/auth/sudo_auth.c:206
msgid ""
"There are no authentication methods compiled into sudo! If you want to turn "
"off authentication, use the --disable-authentication configure option."
msgstr ""
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] ""
-msgstr[1] ""
-
#: plugins/sudoers/auth/sudo_auth.c:374
msgid "Authentication methods:"
msgstr ""
msgid "au_to_text: failed"
msgstr ""
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr ""
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
-#: plugins/sudoers/visudo.c:815
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
#, c-format
msgid "unable to open %s"
msgstr ""
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr ""
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr ""
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
#, c-format
-msgid "internal error, expand_prompt() overflow"
+msgid "internal error, %s overflow"
msgstr ""
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:460
#, c-format
msgid "timestamp path too long: %s"
msgstr ""
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr ""
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr ""
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr ""
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
-#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
#, c-format
msgid "unable to stat %s"
msgstr ""
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:577
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr ""
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:589
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr ""
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:643
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr ""
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:690
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr ""
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:698
#, c-format
msgid "unable to reset %s to the epoch"
msgstr ""
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
#, c-format
msgid "unknown uid: %u"
msgstr ""
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr ""
msgid "Set the user in utmp to the runas user, not the invoking user"
msgstr ""
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr ""
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr ""
+
#: plugins/sudoers/defaults.c:208
#, c-format
msgid "unknown defaults entry `%s'"
msgid "option `%s' does not take a value"
msgstr ""
-#: plugins/sudoers/env.c:339
+#: plugins/sudoers/env.c:367
#, c-format
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr ""
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
-#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:870 toke.l:966
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
#, c-format
msgid "unable to allocate memory"
msgstr ""
-#: plugins/sudoers/env.c:366
-#, c-format
-msgid "internal error, sudo_setenv2() overflow"
-msgstr ""
-
-#: plugins/sudoers/env.c:410
-#, c-format
-msgid "internal error, sudo_setenv() overflow"
-msgstr ""
-
-#: plugins/sudoers/env.c:955
+#: plugins/sudoers/env.c:992
#, c-format
msgid ""
"sorry, you are not allowed to set the following environment variables: %s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
-#: plugins/sudoers/sudoers.c:950 toke.l:678 toke.l:866
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
#, c-format
msgid "%s: %s"
msgstr ""
msgid "Local IP address and netmask pairs:\n"
msgstr ""
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
#, c-format
msgid "unable to read %s"
msgstr ""
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr ""
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr ""
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr ""
-#: plugins/sudoers/ldap.c:378
+#: plugins/sudoers/ldap.c:387
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr ""
-#: plugins/sudoers/ldap.c:401
+#: plugins/sudoers/ldap.c:410
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr ""
-#: plugins/sudoers/ldap.c:431
+#: plugins/sudoers/ldap.c:440
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr ""
-#: plugins/sudoers/ldap.c:460
+#: plugins/sudoers/ldap.c:469
#, c-format
msgid "invalid uri: %s"
msgstr ""
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:475
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr ""
-#: plugins/sudoers/ldap.c:470
+#: plugins/sudoers/ldap.c:479
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr ""
-#: plugins/sudoers/ldap.c:489
+#: plugins/sudoers/ldap.c:498
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr ""
-#: plugins/sudoers/ldap.c:563
+#: plugins/sudoers/ldap.c:572
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr ""
-#: plugins/sudoers/ldap.c:566
+#: plugins/sudoers/ldap.c:575
#, c-format
msgid "you must set TLS_CERT in %s to use SSL"
msgstr ""
-#: plugins/sudoers/ldap.c:973
+#: plugins/sudoers/ldap.c:992
#, c-format
msgid "unable to get GMT time"
msgstr ""
-#: plugins/sudoers/ldap.c:979
+#: plugins/sudoers/ldap.c:998
#, c-format
msgid "unable to format timestamp"
msgstr ""
-#: plugins/sudoers/ldap.c:987
+#: plugins/sudoers/ldap.c:1006
#, c-format
msgid "unable to build time filter"
msgstr ""
-#: plugins/sudoers/ldap.c:1202
+#: plugins/sudoers/ldap.c:1225
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr ""
-#: plugins/sudoers/ldap.c:1738
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"LDAP Role: %s\n"
msgstr ""
-#: plugins/sudoers/ldap.c:1740
+#: plugins/sudoers/ldap.c:1763
#, c-format
msgid ""
"\n"
"LDAP Role: UNKNOWN\n"
msgstr ""
-#: plugins/sudoers/ldap.c:1787
+#: plugins/sudoers/ldap.c:1810
#, c-format
msgid " Order: %s\n"
msgstr ""
-#: plugins/sudoers/ldap.c:1795
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
#, c-format
msgid " Commands:\n"
msgstr ""
-#: plugins/sudoers/ldap.c:2216
+#: plugins/sudoers/ldap.c:2240
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr ""
-#: plugins/sudoers/ldap.c:2250
+#: plugins/sudoers/ldap.c:2274
#, c-format
msgid ""
"start_tls specified but LDAP libs do not support ldap_start_tls_s() or "
"ldap_start_tls_s_np()"
msgstr ""
-#: plugins/sudoers/ldap.c:2486
+#: plugins/sudoers/ldap.c:2510
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr ""
msgid "unable to open audit system"
msgstr ""
-#: plugins/sudoers/linux_audit.c:82
-#, c-format
-msgid "internal error, linux_audit_command() overflow"
-msgstr ""
-
-#: plugins/sudoers/linux_audit.c:91
+#: plugins/sudoers/linux_audit.c:93
#, c-format
msgid "unable to send audit message"
msgstr ""
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr ""
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr ""
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr ""
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr ""
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr ""
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr ""
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr ""
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr ""
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr ""
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr ""
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr ""
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr ""
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr ""
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] ""
+msgstr[1] ""
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr ""
+
+#: plugins/sudoers/logging.c:530
#, c-format
msgid "unable to fork"
msgstr ""
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
#, c-format
msgid "unable to fork: %m"
msgstr ""
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:589
#, c-format
msgid "unable to open pipe: %m"
msgstr ""
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:614
#, c-format
msgid "unable to dup stdin: %m"
msgstr ""
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:650
#, c-format
msgid "unable to execute %s: %m"
msgstr ""
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:865
#, c-format
msgid "internal error: insufficient space for log line"
msgstr ""
msgid "parse error in %s"
msgstr ""
-#: plugins/sudoers/parse.c:389
+#: plugins/sudoers/parse.c:414
#, c-format
msgid ""
"\n"
"Sudoers entry:\n"
msgstr ""
-#: plugins/sudoers/parse.c:391
+#: plugins/sudoers/parse.c:416
#, c-format
msgid " RunAsUsers: "
msgstr ""
-#: plugins/sudoers/parse.c:406
+#: plugins/sudoers/parse.c:431
#, c-format
msgid " RunAsGroups: "
msgstr ""
-#: plugins/sudoers/parse.c:415
+#: plugins/sudoers/parse.c:440
#, c-format
msgid ""
" Commands:\n"
msgid ": "
msgstr ""
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr ""
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr ""
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr ""
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr ""
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr ""
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr ""
msgid "unable to set runas group vector"
msgstr ""
-#: plugins/sudoers/sudo_nss.c:243
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr ""
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr ""
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr ""
+
+#: plugins/sudoers/sudo_nss.c:267
#, c-format
msgid "Matching Defaults entries for %s on this host:\n"
msgstr ""
-#: plugins/sudoers/sudo_nss.c:256
+#: plugins/sudoers/sudo_nss.c:280
#, c-format
msgid "Runas and Command-specific defaults for %s:\n"
msgstr ""
-#: plugins/sudoers/sudo_nss.c:269
+#: plugins/sudoers/sudo_nss.c:293
#, c-format
msgid "User %s may run the following commands on this host:\n"
msgstr ""
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:302
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr ""
-#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
msgid "problem with defaults entries"
msgstr ""
-#: plugins/sudoers/sudoers.c:212
+#: plugins/sudoers/sudoers.c:216
#, c-format
msgid "no valid sudoers sources found, quitting"
msgstr ""
-#: plugins/sudoers/sudoers.c:264
+#: plugins/sudoers/sudoers.c:268
#, c-format
msgid "unable to execute %s: %s"
msgstr ""
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:335
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr ""
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:342
#, c-format
msgid "you are not permitted to use the -C option"
msgstr ""
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:431
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr ""
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:447
msgid "no tty"
msgstr ""
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:448
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr ""
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr ""
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr ""
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr ""
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:498
msgid "command in current directory"
msgstr ""
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:510
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr ""
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
-#, c-format
-msgid "internal error, runas_groups overflow"
-msgstr ""
-
-#: plugins/sudoers/sudoers.c:941
-#, c-format
-msgid "internal error, set_cmnd() overflow"
-msgstr ""
-
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:1006
#, c-format
msgid "%s is not a regular file"
msgstr ""
-#: plugins/sudoers/sudoers.c:1004 toke.l:829
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr ""
-#: plugins/sudoers/sudoers.c:1008 toke.l:836
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
#, c-format
msgid "%s is world writable"
msgstr ""
-#: plugins/sudoers/sudoers.c:1011 toke.l:841
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
#, c-format
msgid "%s is owned by gid %u, should be %u"
msgstr ""
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1043
#, c-format
msgid "only root can use `-c %s'"
msgstr ""
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
#, c-format
msgid "unknown login class: %s"
msgstr ""
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1089
#, c-format
msgid "unable to resolve host %s"
msgstr ""
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr ""
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1190
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr ""
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr ""
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1196
#, c-format
msgid ""
"\n"
"Sudoers path: %s\n"
msgstr ""
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1199
#, c-format
msgid "nsswitch path: %s\n"
msgstr ""
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1201
#, c-format
msgid "ldap.conf path: %s\n"
msgstr ""
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1202
#, c-format
msgid "ldap.secret path: %s\n"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr ""
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr ""
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr ""
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr ""
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr ""
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr ""
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"\n"
msgstr ""
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -V display version information and exit"
msgstr ""
-#: plugins/sudoers/testsudoers.c:246
-#, c-format
-msgid "internal error, init_vars() overflow"
-msgstr ""
-
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr ""
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
msgstr ""
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
msgstr ""
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr ""
-#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
#, c-format
msgid "press return to edit %s: "
msgstr ""
msgid "%s unchanged"
msgstr ""
-#: plugins/sudoers/visudo.c:483
+#: plugins/sudoers/visudo.c:486
#, c-format
msgid "unable to re-open temporary file (%s), %s unchanged."
msgstr ""
-#: plugins/sudoers/visudo.c:493
+#: plugins/sudoers/visudo.c:496
#, c-format
msgid "unabled to parse temporary file (%s), unknown error"
msgstr ""
-#: plugins/sudoers/visudo.c:531
+#: plugins/sudoers/visudo.c:534
#, c-format
msgid "internal error, unable to find %s in list!"
msgstr ""
-#: plugins/sudoers/visudo.c:583 plugins/sudoers/visudo.c:592
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
#, c-format
msgid "unable to set (uid, gid) of %s to (%u, %u)"
msgstr ""
-#: plugins/sudoers/visudo.c:587 plugins/sudoers/visudo.c:597
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
#, c-format
msgid "unable to change mode of %s to 0%o"
msgstr ""
-#: plugins/sudoers/visudo.c:614
+#: plugins/sudoers/visudo.c:617
#, c-format
msgid "%s and %s not on the same file system, using mv to rename"
msgstr ""
-#: plugins/sudoers/visudo.c:628
+#: plugins/sudoers/visudo.c:631
#, c-format
msgid "command failed: '%s %s %s', %s unchanged"
msgstr ""
-#: plugins/sudoers/visudo.c:638
+#: plugins/sudoers/visudo.c:641
#, c-format
msgid "error renaming %s, %s unchanged"
msgstr ""
-#: plugins/sudoers/visudo.c:701
+#: plugins/sudoers/visudo.c:704
msgid "What now? "
msgstr ""
-#: plugins/sudoers/visudo.c:715
+#: plugins/sudoers/visudo.c:718
msgid ""
"Options are:\n"
" (e)dit sudoers file again\n"
" (Q)uit and save changes to sudoers file (DANGER!)\n"
msgstr ""
-#: plugins/sudoers/visudo.c:756
+#: plugins/sudoers/visudo.c:759
#, c-format
msgid "unable to execute %s"
msgstr ""
-#: plugins/sudoers/visudo.c:763
+#: plugins/sudoers/visudo.c:766
#, c-format
msgid "unable to run %s"
msgstr ""
-#: plugins/sudoers/visudo.c:789
+#: plugins/sudoers/visudo.c:792
#, c-format
msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
msgstr ""
-#: plugins/sudoers/visudo.c:796
+#: plugins/sudoers/visudo.c:799
#, c-format
msgid "%s: bad permissions, should be mode 0%o\n"
msgstr ""
-#: plugins/sudoers/visudo.c:821
+#: plugins/sudoers/visudo.c:824
#, c-format
msgid "failed to parse %s file, unknown error"
msgstr ""
-#: plugins/sudoers/visudo.c:834
+#: plugins/sudoers/visudo.c:837
#, c-format
msgid "parse error in %s near line %d\n"
msgstr ""
-#: plugins/sudoers/visudo.c:837
+#: plugins/sudoers/visudo.c:840
#, c-format
msgid "parse error in %s\n"
msgstr ""
-#: plugins/sudoers/visudo.c:844 plugins/sudoers/visudo.c:849
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
#, c-format
msgid "%s: parsed OK\n"
msgstr ""
-#: plugins/sudoers/visudo.c:896
+#: plugins/sudoers/visudo.c:899
#, c-format
msgid "%s busy, try again later"
msgstr ""
-#: plugins/sudoers/visudo.c:940
+#: plugins/sudoers/visudo.c:943
#, c-format
msgid "specified editor (%s) doesn't exist"
msgstr ""
-#: plugins/sudoers/visudo.c:963
+#: plugins/sudoers/visudo.c:966
#, c-format
msgid "unable to stat editor (%s)"
msgstr ""
-#: plugins/sudoers/visudo.c:1011
+#: plugins/sudoers/visudo.c:1014
#, c-format
msgid "no editor found (editor path = %s)"
msgstr ""
-#: plugins/sudoers/visudo.c:1105
+#: plugins/sudoers/visudo.c:1108
#, c-format
msgid "Error: cycle in %s_Alias `%s'"
msgstr ""
-#: plugins/sudoers/visudo.c:1106
+#: plugins/sudoers/visudo.c:1109
#, c-format
msgid "Warning: cycle in %s_Alias `%s'"
msgstr ""
-#: plugins/sudoers/visudo.c:1109
+#: plugins/sudoers/visudo.c:1112
#, c-format
msgid "Error: %s_Alias `%s' referenced but not defined"
msgstr ""
-#: plugins/sudoers/visudo.c:1110
+#: plugins/sudoers/visudo.c:1113
#, c-format
msgid "Warning: %s_Alias `%s' referenced but not defined"
msgstr ""
-#: plugins/sudoers/visudo.c:1245
+#: plugins/sudoers/visudo.c:1248
#, c-format
msgid "%s: unused %s_Alias %s"
msgstr ""
-#: plugins/sudoers/visudo.c:1301
+#: plugins/sudoers/visudo.c:1304
#, c-format
msgid ""
"%s - safely edit the sudoers file\n"
"\n"
msgstr ""
-#: plugins/sudoers/visudo.c:1303
+#: plugins/sudoers/visudo.c:1306
msgid ""
"\n"
"Options:\n"
" -V display version information and exit"
msgstr ""
-#: toke.l:805
+#: toke.l:820
msgid "too many levels of includes"
msgstr ""
# Yuri Chornoivan <yurchor@ukr.net>, 2011, 2012.
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc3\n"
+"Project-Id-Version: sudoers 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 12:00+0300\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-13 21:39+0300\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian <translation-team-uk@lists.sourceforge.net>\n"
"Language: uk\n"
"Plural-Forms: nplurals=4; plural=n==1 ? 3 : n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
"X-Generator: Lokalize 1.5\n"
-#: gram.y:110
+#: gram.y:112
#, c-format
msgid ">>> %s: %s near line %d <<<"
msgstr ">>> %s: %s поблизу рядка %d <<<"
msgid "unable to initialize SIA session"
msgstr "не вдалося ініціалізувати сеанс SIA"
-#: plugins/sudoers/auth/sudo_auth.c:117
+#: plugins/sudoers/auth/sudo_auth.c:121
msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
msgstr "sudo зібрано з підтримкою некоректних способів розпізнавання! Можливе змішування власних і зовнішніх способів розпізнавання."
-#: plugins/sudoers/auth/sudo_auth.c:199
+#: plugins/sudoers/auth/sudo_auth.c:206
msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
msgstr "sudo зібрано без можливостей з взаємодії з інструментами розпізнавання! Якщо ви хочете вимкнути розпізнавання, скористайтеся параметром налаштування --disable-authentication."
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d невдала спроба введення пароля"
-msgstr[1] "%d невдалих спроби введення пароля"
-msgstr[2] "%d невдалих спроб введення пароля"
-msgstr[3] "одна невдала спроба введення пароля"
-
#: plugins/sudoers/auth/sudo_auth.c:374
msgid "Authentication methods:"
msgstr "Способи розпізнавання:"
msgid "au_to_text: failed"
msgstr "au_to_text: помилка"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "вибачте, для виконання %s слід вказати пароль"
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
-#: plugins/sudoers/visudo.c:815
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
#, c-format
msgid "unable to open %s"
msgstr "не вдалося відкрити %s"
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "не вдалося виконати запис до %s"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "не вдалося створити каталог %s"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
#, c-format
-msgid "internal error, expand_prompt() overflow"
-msgstr "внутрішня помилка, переповнення expand_prompt()"
+msgid "internal error, %s overflow"
+msgstr "внутрішня помилка, переповнення %s"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:460
#, c-format
msgid "timestamp path too long: %s"
msgstr "шлях часового штампа є занадто довгим: %s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s існує, але не є каталогом (0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "власником %s є uid %u, має бути uid %u"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "%s доступний до запису невласником (0%o), має бути встановлено режим 0700"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
-#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
#, c-format
msgid "unable to stat %s"
msgstr "не вдалося виконати stat для %s"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:577
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s існує, але не є звичайним файлом (0%o)"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:589
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "%s доступний до запису невласником (0%o), має бути встановлено режим 0600"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:643
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "занадто далекий часовий штамп у майбутньому: %20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:690
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "на вдалося вилучити %s (%s), час буде змінено відповідно до епохи"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:698
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "не вдалося встановити для %s час епохи"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
#, c-format
msgid "unknown uid: %u"
msgstr "невідоме значення uid: %u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "невідомий користувач: %s"
msgid "Set the user in utmp to the runas user, not the invoking user"
msgstr "Встановити користувача у utmp у значення користувача, від імені якого виконується команда"
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "Набір дозвільних прав доступу"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "Набір обмежувальних прав доступу"
+
#: plugins/sudoers/defaults.c:208
#, c-format
msgid "unknown defaults entry `%s'"
msgid "option `%s' does not take a value"
msgstr "параметру «%s» не потрібно передавати значення"
-#: plugins/sudoers/env.c:339
+#: plugins/sudoers/env.c:367
#, c-format
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr "sudo_putenv: помилкове значення envp, невідповідність довжин"
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
-#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:870 toke.l:966
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
#, c-format
msgid "unable to allocate memory"
msgstr "не вдалося отримати потрібний об’єм пам’яті"
-#: plugins/sudoers/env.c:366
-#, c-format
-msgid "internal error, sudo_setenv2() overflow"
-msgstr "внутрішня помилка, переповнення sudo_setenv2()"
-
-#: plugins/sudoers/env.c:410
-#, c-format
-msgid "internal error, sudo_setenv() overflow"
-msgstr "внутрішня помилка, переповнення sudo_setenv()"
-
-#: plugins/sudoers/env.c:955
+#: plugins/sudoers/env.c:992
#, c-format
msgid "sorry, you are not allowed to set the following environment variables: %s"
msgstr "вибачте, вам не дозволено встановлювати такі змінні середовища: %s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
-#: plugins/sudoers/sudoers.c:950 toke.l:678 toke.l:866
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
msgid "Local IP address and netmask pairs:\n"
msgstr "Пари локальних IP-адрес і масок мережі:\n"
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
#, c-format
msgid "unable to read %s"
msgstr "не вдалося прочитати %s"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "некоректний номер у послідовності %s"
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "не вдалося створити %s"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "не вдалося встановити локаль у значення «%s», використовуємо локаль «C»"
-#: plugins/sudoers/ldap.c:378
+#: plugins/sudoers/ldap.c:387
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports: занадто великий номер порту"
-#: plugins/sudoers/ldap.c:401
+#: plugins/sudoers/ldap.c:410
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports: вихід за межі розширеного буфера вузла"
-#: plugins/sudoers/ldap.c:431
+#: plugins/sudoers/ldap.c:440
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "непідтримуваний тип адреси LDAP: %s"
-#: plugins/sudoers/ldap.c:460
+#: plugins/sudoers/ldap.c:469
#, c-format
msgid "invalid uri: %s"
msgstr "некоректна адреса: %s"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:475
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "не можна використовувати суміш з адрес ldap і ldaps"
-#: plugins/sudoers/ldap.c:470
+#: plugins/sudoers/ldap.c:479
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "не можна використовувати суміш з ldaps і starttls"
-#: plugins/sudoers/ldap.c:489
+#: plugins/sudoers/ldap.c:498
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri: вихід за межі пам’яті під час побудови буфера вузла"
-#: plugins/sudoers/ldap.c:563
+#: plugins/sudoers/ldap.c:572
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "не вдалося ініціалізувати базу даних сертифікатів і ключів SSL: %s"
-#: plugins/sudoers/ldap.c:566
+#: plugins/sudoers/ldap.c:575
#, c-format
msgid "you must set TLS_CERT in %s to use SSL"
msgstr "щоб скористатися SSL, вам слід встановити для TLS_CERT значення %s"
-#: plugins/sudoers/ldap.c:973
+#: plugins/sudoers/ldap.c:992
#, c-format
msgid "unable to get GMT time"
msgstr "не вдалося отримати гринвіцький час"
-#: plugins/sudoers/ldap.c:979
+#: plugins/sudoers/ldap.c:998
#, c-format
msgid "unable to format timestamp"
msgstr "не вдалося виконати форматування часового штампа"
-#: plugins/sudoers/ldap.c:987
+#: plugins/sudoers/ldap.c:1006
#, c-format
msgid "unable to build time filter"
msgstr "не вдалося побудувати фільтр часу"
-#: plugins/sudoers/ldap.c:1202
+#: plugins/sudoers/ldap.c:1225
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "sudo_ldap_build_pass1: невідповідність розміщення"
-#: plugins/sudoers/ldap.c:1738
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"Роль LDAP: %s\n"
-#: plugins/sudoers/ldap.c:1740
+#: plugins/sudoers/ldap.c:1763
#, c-format
msgid ""
"\n"
"\n"
"Роль у LDAP: НЕВІДОМА\n"
-#: plugins/sudoers/ldap.c:1787
+#: plugins/sudoers/ldap.c:1810
#, c-format
msgid " Order: %s\n"
msgstr " Порядок: %s\n"
-#: plugins/sudoers/ldap.c:1795
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
#, c-format
msgid " Commands:\n"
msgstr " Команди:\n"
-#: plugins/sudoers/ldap.c:2216
+#: plugins/sudoers/ldap.c:2240
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "не вдалося ініціалізувати LDAP: %s"
-#: plugins/sudoers/ldap.c:2250
+#: plugins/sudoers/ldap.c:2274
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "start_tls вказано, але у бібліотеках LDAP не передбачено підтримки ldap_start_tls_s() або ldap_start_tls_s_np()"
-#: plugins/sudoers/ldap.c:2486
+#: plugins/sudoers/ldap.c:2510
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "некоректний атрибут sudoOrder: %s"
msgid "unable to open audit system"
msgstr "не вдалося відкрити систему аудита"
-#: plugins/sudoers/linux_audit.c:82
-#, c-format
-msgid "internal error, linux_audit_command() overflow"
-msgstr "внутрішня помилка, переповнення linux_audit_command()"
-
-#: plugins/sudoers/linux_audit.c:91
+#: plugins/sudoers/linux_audit.c:93
#, c-format
msgid "unable to send audit message"
msgstr "не вдалося надіслати повідомлення аудита"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "не вдалося відкрити файл журналу: %s: %s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "не вдалося заблокувати файл журналу: %s: %s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "користувача немає у списку sudoers"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "користувача не уповноважено на дії на вузлі"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "виконання команди заборонено"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "%s немає у файлі sudoers. Запис про подію додано до звіту.\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "%s заборонено виконувати sudo на %s. Запис про подію додано до звіту.\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "Вибачте, користувач %s не має права виконувати sudo на %s.\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "Вибачте, користувач %s не має права виконувати «%s%s%s» від імені %s%s%s на %s.\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Немає користувача або вузла"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "помилка під час спроби перевірки"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: команду не знайдено"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"пропущено «%s» знайдений у «.»\n"
+"Скористайтеся командою «sudo ./%s», якщо вам потрібно виконати саме «%s»."
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "помилка під час спроби розпізнавання"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d невдала спроба введення пароля"
+msgstr[1] "%d невдалих спроби введення пароля"
+msgstr[2] "%d невдалих спроб введення пароля"
+msgstr[3] "одна невдала спроба введення пароля"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "слід вказати пароль"
+
+#: plugins/sudoers/logging.c:530
#, c-format
msgid "unable to fork"
msgstr "не вдалося створити відгалуження"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
#, c-format
msgid "unable to fork: %m"
msgstr "не вдалося створити відгалуження: %m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:589
#, c-format
msgid "unable to open pipe: %m"
msgstr "не вдалося відкрити канал: %m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:614
#, c-format
msgid "unable to dup stdin: %m"
msgstr "не вдалося здублювати stdin: %m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:650
#, c-format
msgid "unable to execute %s: %m"
msgstr "не вдалося виконати %s: %m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:865
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "внутрішня помилка: недостатньо місця для рядка журналу"
msgid "parse error in %s"
msgstr "помилка обробки у %s"
-#: plugins/sudoers/parse.c:389
+#: plugins/sudoers/parse.c:414
#, c-format
msgid ""
"\n"
"\n"
"Запис sudoers:\n"
-#: plugins/sudoers/parse.c:391
+#: plugins/sudoers/parse.c:416
#, c-format
msgid " RunAsUsers: "
msgstr " Користувачі для запуску: "
-#: plugins/sudoers/parse.c:406
+#: plugins/sudoers/parse.c:431
#, c-format
msgid " RunAsGroups: "
msgstr " Групи для запуску: "
-#: plugins/sudoers/parse.c:415
+#: plugins/sudoers/parse.c:440
#, c-format
msgid ""
" Commands:\n"
msgid ": "
msgstr ": "
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "не вдалося кешувати uid %u (%s), запис вже існує"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "не вдалося кешувати uid %u, запис вже існує"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "не вдалося кешувати користувача %s, запис вже існує"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "не вдалося кешувати gid %u (%s), запис вже існує"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "не вдалося кешувати gid %u, запис вже існує"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "не вдалося кешувати групу %s, запис вже існує"
msgid "unable to set runas group vector"
msgstr "не вдалося встановити вектор групи виконання"
-#: plugins/sudoers/sudo_nss.c:243
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "Не вдалося виконати dlopen для %s: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "Не вдалося ініціалізувати джерело SSS. Чи встановлено у вашій системі SSSD?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "не вдалося знайти символ «%s» у %s"
+
+#: plugins/sudoers/sudo_nss.c:267
#, c-format
msgid "Matching Defaults entries for %s on this host:\n"
msgstr "Відповідність записів Defaults для %s на цьому вузлі:\n"
-#: plugins/sudoers/sudo_nss.c:256
+#: plugins/sudoers/sudo_nss.c:280
#, c-format
msgid "Runas and Command-specific defaults for %s:\n"
msgstr "Типові значення для запуску від імені і команд для %s:\n"
-#: plugins/sudoers/sudo_nss.c:269
+#: plugins/sudoers/sudo_nss.c:293
#, c-format
msgid "User %s may run the following commands on this host:\n"
msgstr "Користувач %s має право виконувати на цьому вузлі такі команди:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:302
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "Користувач %s не має права виконувати sudo на %s.\n"
-#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
msgid "problem with defaults entries"
msgstr "проблема з типовими записами"
-#: plugins/sudoers/sudoers.c:212
+#: plugins/sudoers/sudoers.c:216
#, c-format
msgid "no valid sudoers sources found, quitting"
msgstr "не знайдено коректних джерел даних sudoers, завершення роботи"
-#: plugins/sudoers/sudoers.c:264
+#: plugins/sudoers/sudoers.c:268
#, c-format
msgid "unable to execute %s: %s"
msgstr "не вдалося виконати %s: %s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:335
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "sudoers вказує, що sudo не можна користуватися для виконання команд від root"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:342
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "вам не дозволено використовувати параметр -C"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:431
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "власник часового штампа (%s): не знайдено користувача з таким іменем"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:447
msgid "no tty"
msgstr "немає tty"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:448
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "вибачте, для виконання sudo вашому користувачеві потрібен tty"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "Немає користувача або вузла"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s: команду не знайдено"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"пропущено «%s» знайдений у «.»\n"
-"Скористайтеся командою «sudo ./%s», якщо вам потрібно виконати саме «%s»."
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "помилка під час спроби перевірки"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:498
msgid "command in current directory"
msgstr "команда у поточному каталозі"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:510
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "вибачте, вам не дозволено зберігати середовище"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
-#, c-format
-msgid "internal error, runas_groups overflow"
-msgstr "внутрішня помилка, переповнення runas_groups"
-
-#: plugins/sudoers/sudoers.c:941
-#, c-format
-msgid "internal error, set_cmnd() overflow"
-msgstr "внутрішня помилка, переповнення set_cmnd()"
-
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:1006
#, c-format
msgid "%s is not a regular file"
msgstr "%s не є звичайним файлом"
-#: plugins/sudoers/sudoers.c:1004 toke.l:829
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s належить uid %u, має належати %u"
-#: plugins/sudoers/sudoers.c:1008 toke.l:836
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
#, c-format
msgid "%s is world writable"
msgstr "Запис до «%s» можливий для довільного користувача"
-#: plugins/sudoers/sudoers.c:1011 toke.l:841
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
#, c-format
msgid "%s is owned by gid %u, should be %u"
msgstr "%s належить gid %u, має належати %u"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1043
#, c-format
msgid "only root can use `-c %s'"
msgstr "використовувати «-c %s» може лише root"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
#, c-format
msgid "unknown login class: %s"
msgstr "невідомий клас входу: %s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1089
#, c-format
msgid "unable to resolve host %s"
msgstr "не вдалося визначити адресу вузла %s"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "невідома група: %s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1190
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "Додаток правил sudoers версії %s\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "Граматична перевірка файла sudoers версії %d\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1196
#, c-format
msgid ""
"\n"
"\n"
"Шлях до sudoers: %s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1199
#, c-format
msgid "nsswitch path: %s\n"
msgstr "Шлях до nsswitch: %s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1201
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "Шлях до ldap.conf: %s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1202
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "Шлях до ldap.secret: %s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "некоректний параметр фільтрування: %s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "некоректне значення макс. очікування: %s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "некоректний коефіцієнт швидкості: %s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s, версія %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s/timing: %s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/timing: %s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "Відтворення сеансу sudo: %s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "Попередження: розміри вашого термінала є замалими для належного показу журналу.\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "Встановлено формат журналу %d x %d, тоді як формат термінала — %d x %d."
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "не вдалося перевести tty у режим без обробки даних"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "некоректний рядок у файлі timing: %s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "запис до стандартного виводу даних"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "неоднозначний вираз «%s»"
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "забагато виразів у дужках, максимальна можлива кількість — %d"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "зайва дужка, «)», у виразі"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "невідомий ключ пошуку «%s»"
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s потребує визначення аргументу"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "некоректний формальний вираз: %s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "не вдалося обробити дату «%s»"
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "зайва дужка, «(», у виразі"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "помилкове завершальне «or»"
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "помилкове завершальне «!»"
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "некоректний формальний вираз: %s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "використання: %s [-h] [-d каталог] [-m макс_очік] [-s коеф_швидкості] ідентифікатор\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "використання: %s [-h] [-d каталог] -l [вираз для пошуку]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s — відтворення журналів сеансів sudo\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s коеф_швидк коефіцієнт прискорення або сповільнення виводу даних\n"
" -V показати дані щодо версії і завершити роботу"
-#: plugins/sudoers/testsudoers.c:246
-#, c-format
-msgid "internal error, init_vars() overflow"
-msgstr "внутрішня помилка, переповнення init_vars()"
-
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\tвідповідника вузла не знайдено"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"Команду дозволено"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"Команду заборонено"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr "Граматична перевірка %s, версія %d\n"
-#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
#, c-format
msgid "press return to edit %s: "
msgstr "натисніть Enter для редагування %s: "
msgid "%s unchanged"
msgstr "%s не змінено"
-#: plugins/sudoers/visudo.c:483
+#: plugins/sudoers/visudo.c:486
#, c-format
msgid "unable to re-open temporary file (%s), %s unchanged."
msgstr "не вдалося повторно відкрити файл тимчасових даних (%s), %s не змінено."
-#: plugins/sudoers/visudo.c:493
+#: plugins/sudoers/visudo.c:496
#, c-format
msgid "unabled to parse temporary file (%s), unknown error"
msgstr "не вдалося обробити файл тимчасових даних (%s), невідома помилка"
-#: plugins/sudoers/visudo.c:531
+#: plugins/sudoers/visudo.c:534
#, c-format
msgid "internal error, unable to find %s in list!"
msgstr "внутрішня помилка, не вдалося знайти %s у списку!"
-#: plugins/sudoers/visudo.c:583 plugins/sudoers/visudo.c:592
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
#, c-format
msgid "unable to set (uid, gid) of %s to (%u, %u)"
msgstr "не вдалося встановити (uid, gid) %s у значення (%u, %u)"
-#: plugins/sudoers/visudo.c:587 plugins/sudoers/visudo.c:597
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
#, c-format
msgid "unable to change mode of %s to 0%o"
msgstr "не вдалося змінити режим доступу до %s на значення 0%o"
-#: plugins/sudoers/visudo.c:614
+#: plugins/sudoers/visudo.c:617
#, c-format
msgid "%s and %s not on the same file system, using mv to rename"
msgstr "%s і %s не перебувають у одній файловій системі, використовуємо mv для перейменування"
-#: plugins/sudoers/visudo.c:628
+#: plugins/sudoers/visudo.c:631
#, c-format
msgid "command failed: '%s %s %s', %s unchanged"
msgstr "помилка команди: «%s %s %s», %s не змінено"
-#: plugins/sudoers/visudo.c:638
+#: plugins/sudoers/visudo.c:641
#, c-format
msgid "error renaming %s, %s unchanged"
msgstr "помилка перейменування %s, %s не змінено"
-#: plugins/sudoers/visudo.c:701
+#: plugins/sudoers/visudo.c:704
msgid "What now? "
msgstr "А зараз що? "
-#: plugins/sudoers/visudo.c:715
+#: plugins/sudoers/visudo.c:718
msgid ""
"Options are:\n"
" (e)dit sudoers file again\n"
" (x) — вийти без внесення змін до файла sudoers\n"
" (Q) — вийти зі збереженням файла sudoers (НЕБЕЗПЕЧНО!)\n"
-#: plugins/sudoers/visudo.c:756
+#: plugins/sudoers/visudo.c:759
#, c-format
msgid "unable to execute %s"
msgstr "не вдалося виконати %s"
-#: plugins/sudoers/visudo.c:763
+#: plugins/sudoers/visudo.c:766
#, c-format
msgid "unable to run %s"
msgstr "не вдалося виконати %s"
-#: plugins/sudoers/visudo.c:789
+#: plugins/sudoers/visudo.c:792
#, c-format
msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
msgstr "%s: помилковий власник (uid, gid), має бути (%u, %u)\n"
-#: plugins/sudoers/visudo.c:796
+#: plugins/sudoers/visudo.c:799
#, c-format
msgid "%s: bad permissions, should be mode 0%o\n"
msgstr "%s: помилкові права доступу, режим доступу має бути 0%o\n"
-#: plugins/sudoers/visudo.c:821
+#: plugins/sudoers/visudo.c:824
#, c-format
msgid "failed to parse %s file, unknown error"
msgstr "не вдалося обробити файл %s, невідома помилка"
-#: plugins/sudoers/visudo.c:834
+#: plugins/sudoers/visudo.c:837
#, c-format
msgid "parse error in %s near line %d\n"
msgstr "помилка обробки у %s поблизу рядка %d\n"
-#: plugins/sudoers/visudo.c:837
+#: plugins/sudoers/visudo.c:840
#, c-format
msgid "parse error in %s\n"
msgstr "помилка обробки у %s\n"
-#: plugins/sudoers/visudo.c:844 plugins/sudoers/visudo.c:849
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
#, c-format
msgid "%s: parsed OK\n"
msgstr "%s: вдала обробка\n"
-#: plugins/sudoers/visudo.c:896
+#: plugins/sudoers/visudo.c:899
#, c-format
msgid "%s busy, try again later"
msgstr "%s зайнято, повторіть спробу пізніше"
-#: plugins/sudoers/visudo.c:940
+#: plugins/sudoers/visudo.c:943
#, c-format
msgid "specified editor (%s) doesn't exist"
msgstr "вказаного редактора (%s) не існує"
-#: plugins/sudoers/visudo.c:963
+#: plugins/sudoers/visudo.c:966
#, c-format
msgid "unable to stat editor (%s)"
msgstr "не вдалося виконати stat для редактора (%s)"
-#: plugins/sudoers/visudo.c:1011
+#: plugins/sudoers/visudo.c:1014
#, c-format
msgid "no editor found (editor path = %s)"
msgstr "не знайдено жодного редактора (шлях до редактора = %s)"
-#: plugins/sudoers/visudo.c:1105
+#: plugins/sudoers/visudo.c:1108
#, c-format
msgid "Error: cycle in %s_Alias `%s'"
msgstr "Помилка: цикл у %s_Alias «%s»"
-#: plugins/sudoers/visudo.c:1106
+#: plugins/sudoers/visudo.c:1109
#, c-format
msgid "Warning: cycle in %s_Alias `%s'"
msgstr "Попередження: цикл у %s_Alias «%s»"
-#: plugins/sudoers/visudo.c:1109
+#: plugins/sudoers/visudo.c:1112
#, c-format
msgid "Error: %s_Alias `%s' referenced but not defined"
msgstr "Помилка: виявлено посилання %s_Alias «%s», яке не визначено"
-#: plugins/sudoers/visudo.c:1110
+#: plugins/sudoers/visudo.c:1113
#, c-format
msgid "Warning: %s_Alias `%s' referenced but not defined"
msgstr "Попередження: виявлено посилання %s_Alias «%s», яке не визначено"
-#: plugins/sudoers/visudo.c:1245
+#: plugins/sudoers/visudo.c:1248
#, c-format
msgid "%s: unused %s_Alias %s"
msgstr "%s: невикористаний %s_Alias %s"
-#: plugins/sudoers/visudo.c:1301
+#: plugins/sudoers/visudo.c:1304
#, c-format
msgid ""
"%s - safely edit the sudoers file\n"
"%s — безпечне редагування файла sudoers\n"
"\n"
-#: plugins/sudoers/visudo.c:1303
+#: plugins/sudoers/visudo.c:1306
msgid ""
"\n"
"Options:\n"
" -s строга перевірка синтаксису\n"
" -V показати дані щодо версії і завершити роботу"
-#: toke.l:805
+#: toke.l:820
msgid "too many levels of includes"
msgstr "занадто високий рівень вкладеності"
+#~ msgid "internal error, expand_prompt() overflow"
+#~ msgstr "внутрішня помилка, переповнення expand_prompt()"
+
+#~ msgid "internal error, sudo_setenv2() overflow"
+#~ msgstr "внутрішня помилка, переповнення sudo_setenv2()"
+
+#~ msgid "internal error, sudo_setenv() overflow"
+#~ msgstr "внутрішня помилка, переповнення sudo_setenv()"
+
+#~ msgid "internal error, linux_audit_command() overflow"
+#~ msgstr "внутрішня помилка, переповнення linux_audit_command()"
+
+#~ msgid "internal error, runas_groups overflow"
+#~ msgstr "внутрішня помилка, переповнення runas_groups"
+
+#~ msgid "internal error, init_vars() overflow"
+#~ msgstr "внутрішня помилка, переповнення init_vars()"
+
#~ msgid "invalid log file %s"
#~ msgstr "некоректний файл журналу %s"
--- /dev/null
+# Vietnamese translation for sudo.
+# Copyright © 2012 Free Software Foundation, Inc.
+# This file is distributed under the same license as the sudo package.
+# Trần Ngọc Quân <vnwildman@gmail.com>, 2012.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: sudoers-1.8.6b4\n"
+"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-09-01 15:08+0700\n"
+"Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
+"Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
+"Language: vi\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=1;\n"
+"X-Poedit-SourceCharset: UTF-8\n"
+
+#: gram.y:112
+#, c-format
+msgid ">>> %s: %s near line %d <<<"
+msgstr ">>> %s: %s gần dòng %d <<<"
+
+#: plugins/sudoers/alias.c:125
+#, c-format
+msgid "Alias `%s' already defined"
+msgstr "Bí danh `%s' đã được định nghĩa rồi"
+
+#: plugins/sudoers/auth/bsdauth.c:78
+#, c-format
+msgid "unable to get login class for user %s"
+msgstr "không thể lấy lớp đăng nhập cho tài khoản %s"
+
+#: plugins/sudoers/auth/bsdauth.c:84
+msgid "unable to begin bsd authentication"
+msgstr "không thể khởi chạy xác thực kiểu bsd"
+
+#: plugins/sudoers/auth/bsdauth.c:92
+msgid "invalid authentication type"
+msgstr "kiểu xác thực sai"
+
+#: plugins/sudoers/auth/bsdauth.c:101
+msgid "unable to setup authentication"
+msgstr "không thể cài đặt xác thực"
+
+#: plugins/sudoers/auth/fwtk.c:60
+#, c-format
+msgid "unable to read fwtk config"
+msgstr "không thể đọc cấu hình fwtk"
+
+#: plugins/sudoers/auth/fwtk.c:65
+#, c-format
+msgid "unable to connect to authentication server"
+msgstr "không thể kết nối tới máy chủ xác thực"
+
+#: plugins/sudoers/auth/fwtk.c:71 plugins/sudoers/auth/fwtk.c:95
+#: plugins/sudoers/auth/fwtk.c:128
+#, c-format
+msgid "lost connection to authentication server"
+msgstr "mất kết nối đến máy phục vụ xác thực"
+
+#: plugins/sudoers/auth/fwtk.c:75
+#, c-format
+msgid ""
+"authentication server error:\n"
+"%s"
+msgstr ""
+"lỗi máy phục vụ xác thực:\n"
+"%s"
+
+#: plugins/sudoers/auth/kerb5.c:117
+#, c-format
+msgid "%s: unable to unparse princ ('%s'): %s"
+msgstr "%s: không thể bỏ phân tích cú pháp princ ('%s'): %s"
+
+#: plugins/sudoers/auth/kerb5.c:160
+#, c-format
+msgid "%s: unable to parse '%s': %s"
+msgstr "%s: không thể phân tích '%s': %s"
+
+#: plugins/sudoers/auth/kerb5.c:170
+#, c-format
+msgid "%s: unable to resolve ccache: %s"
+msgstr "%s: không thể giải quyết ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:218
+#, c-format
+msgid "%s: unable to allocate options: %s"
+msgstr "%s: không thể phân bổ các tùy chọn: %s"
+
+#: plugins/sudoers/auth/kerb5.c:234
+#, c-format
+msgid "%s: unable to get credentials: %s"
+msgstr "%s: không thể lấy giấy ủy nhiệm: %s"
+
+#: plugins/sudoers/auth/kerb5.c:247
+#, c-format
+msgid "%s: unable to initialize ccache: %s"
+msgstr "%s: không thể khởi tạo ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:251
+#, c-format
+msgid "%s: unable to store cred in ccache: %s"
+msgstr "%s: không thể lưu cred trong ccache: %s"
+
+#: plugins/sudoers/auth/kerb5.c:316
+#, c-format
+msgid "%s: unable to get host principal: %s"
+msgstr "%s: không thể lấy tên máy chủ chính: %s"
+
+#: plugins/sudoers/auth/kerb5.c:331
+#, c-format
+msgid "%s: Cannot verify TGT! Possible attack!: %s"
+msgstr "%s: Không thể thẩm tra TGT! Có lẽ bị tấn công!: %s"
+
+#: plugins/sudoers/auth/pam.c:100
+msgid "unable to initialize PAM"
+msgstr "không thể khởi tạo PAM"
+
+#: plugins/sudoers/auth/pam.c:144
+msgid "account validation failure, is your account locked?"
+msgstr "xác thực tài khoản gặp lỗi nghiêm trọng, có phải tài khoản của bạn đã bị khóa?"
+
+#: plugins/sudoers/auth/pam.c:148
+msgid "Account or password is expired, reset your password and try again"
+msgstr "Mật khẩu hay tài khoản đã hết hạn sử dụng, đặt lại mật khẩu của bạn và thử lại"
+
+#: plugins/sudoers/auth/pam.c:155
+#, c-format
+msgid "pam_chauthtok: %s"
+msgstr "pam_chauthtok: %s"
+
+#: plugins/sudoers/auth/pam.c:159
+msgid "Password expired, contact your system administrator"
+msgstr "Mật khẩu đã hết hạn dùng, hãy liên lạc với quản trị hệ thống"
+
+#: plugins/sudoers/auth/pam.c:163
+msgid "Account expired or PAM config lacks an \"account\" section for sudo, contact your system administrator"
+msgstr "Tài khoản hết hạn hoặc cấu hình PAM không có phiên \"tài khoản\" cho sudo, hãy liên hệ với người quản trị"
+
+#: plugins/sudoers/auth/pam.c:180
+#, c-format
+msgid "pam_authenticate: %s"
+msgstr "pam_authenticate: %s"
+
+#: plugins/sudoers/auth/pam.c:332
+msgid "Password: "
+msgstr "Mật khẩu: "
+
+#: plugins/sudoers/auth/pam.c:333
+msgid "Password:"
+msgstr "Mật khẩu:"
+
+#: plugins/sudoers/auth/rfc1938.c:104 plugins/sudoers/visudo.c:220
+#, c-format
+msgid "you do not exist in the %s database"
+msgstr "bạn không tồn tại trong cơ sở dữ liệu %s"
+
+#: plugins/sudoers/auth/securid5.c:81
+#, c-format
+msgid "failed to initialise the ACE API library"
+msgstr "gặp lỗi khi khởi tạo thư viện \"ACE API\""
+
+#: plugins/sudoers/auth/securid5.c:107
+#, c-format
+msgid "unable to contact the SecurID server"
+msgstr "không thể liên lạc được với máy chủ SecurID"
+
+#: plugins/sudoers/auth/securid5.c:116
+#, c-format
+msgid "User ID locked for SecurID Authentication"
+msgstr "ID người dùng bị khóa với \"SecurID Authentication\""
+
+#: plugins/sudoers/auth/securid5.c:120 plugins/sudoers/auth/securid5.c:171
+#, c-format
+msgid "invalid username length for SecurID"
+msgstr "sai chiều dài tên tài khoản cho SecurID"
+
+#: plugins/sudoers/auth/securid5.c:124 plugins/sudoers/auth/securid5.c:176
+#, c-format
+msgid "invalid Authentication Handle for SecurID"
+msgstr "sai Bộ Tiếp Hợp Xác Thực cho SecurID"
+
+#: plugins/sudoers/auth/securid5.c:128
+#, c-format
+msgid "SecurID communication failed"
+msgstr "Truyền thông với SecurID gặp lỗi"
+
+#: plugins/sudoers/auth/securid5.c:132 plugins/sudoers/auth/securid5.c:215
+#, c-format
+msgid "unknown SecurID error"
+msgstr "không hiểu lỗi SecurID"
+
+#: plugins/sudoers/auth/securid5.c:166
+#, c-format
+msgid "invalid passcode length for SecurID"
+msgstr "sai chiều dài passcode cho SecurID"
+
+#: plugins/sudoers/auth/sia.c:109
+msgid "unable to initialize SIA session"
+msgstr "không thể khởi tạo phiên SIA"
+
+#: plugins/sudoers/auth/sudo_auth.c:121
+msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
+msgstr "Sai phương thức xác thực được dịch vào trong sudo! Bạn có thể pha trộn kiểu xác thực giữa standalone và non-standalone"
+
+#: plugins/sudoers/auth/sudo_auth.c:206
+msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
+msgstr "Ở đây không có phương thức xác thực nào được dịch vào trong sudo! Nếu bạn muốn tắt xác thực, sử dụng tùy chọn cấu hình --disable-authentication"
+
+#: plugins/sudoers/auth/sudo_auth.c:374
+msgid "Authentication methods:"
+msgstr "Phương thức xác thực:"
+
+#: plugins/sudoers/bsm_audit.c:60 plugins/sudoers/bsm_audit.c:63
+#: plugins/sudoers/bsm_audit.c:112 plugins/sudoers/bsm_audit.c:116
+#: plugins/sudoers/bsm_audit.c:168 plugins/sudoers/bsm_audit.c:172
+#, c-format
+msgid "getaudit: failed"
+msgstr "getaudit: gặp lỗi"
+
+#: plugins/sudoers/bsm_audit.c:90 plugins/sudoers/bsm_audit.c:153
+#, c-format
+msgid "Could not determine audit condition"
+msgstr "Không thể xác định điều kiện audit"
+
+#: plugins/sudoers/bsm_audit.c:101
+#, c-format
+msgid "getauid failed"
+msgstr "getauid gặp lỗi"
+
+#: plugins/sudoers/bsm_audit.c:103 plugins/sudoers/bsm_audit.c:162
+#, c-format
+msgid "au_open: failed"
+msgstr "au_open: gặp lỗi"
+
+#: plugins/sudoers/bsm_audit.c:118 plugins/sudoers/bsm_audit.c:174
+#, c-format
+msgid "au_to_subject: failed"
+msgstr "au_to_subject: gặp lỗi"
+
+#: plugins/sudoers/bsm_audit.c:122 plugins/sudoers/bsm_audit.c:178
+#, c-format
+msgid "au_to_exec_args: failed"
+msgstr "au_to_exec_args: gặp lỗi"
+
+#: plugins/sudoers/bsm_audit.c:126 plugins/sudoers/bsm_audit.c:187
+#, c-format
+msgid "au_to_return32: failed"
+msgstr "au_to_return32: gặp lỗi"
+
+#: plugins/sudoers/bsm_audit.c:129 plugins/sudoers/bsm_audit.c:190
+#, c-format
+msgid "unable to commit audit record"
+msgstr "không thể chuyển giao bản ghi audit"
+
+#: plugins/sudoers/bsm_audit.c:160
+#, c-format
+msgid "getauid: failed"
+msgstr "getauid: gặp lỗi"
+
+#: plugins/sudoers/bsm_audit.c:183
+#, c-format
+msgid "au_to_text: failed"
+msgstr "au_to_text: gặp lỗi"
+
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
+#, c-format
+msgid "unable to open %s"
+msgstr "không mở được %s"
+
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
+#, c-format
+msgid "unable to write to %s"
+msgstr "không thể ghi vào %s"
+
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/iolog.c:156
+#, c-format
+msgid "unable to mkdir %s"
+msgstr "không thể tạo thư mục mkdir '%s'"
+
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "lỗi nội bộ, %s bị tràn"
+
+#: plugins/sudoers/check.c:460
+#, c-format
+msgid "timestamp path too long: %s"
+msgstr "đường dẫn timestamp quá dài: %s"
+
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
+#: plugins/sudoers/iolog.c:158
+#, c-format
+msgid "%s exists but is not a directory (0%o)"
+msgstr "%s tồn tại nhưng không phải là một thư mục (0%o)"
+
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
+#, c-format
+msgid "%s owned by uid %u, should be uid %u"
+msgstr "%s được sở hữu bởi uid %u, nên là %u"
+
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
+#, c-format
+msgid "%s writable by non-owner (0%o), should be mode 0700"
+msgstr "%s có thể được ghi bởi người không sở hữu nó (0%o), cần đặt chế độ 0700"
+
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
+#, c-format
+msgid "unable to stat %s"
+msgstr "không thể lấy trạng thái về %s"
+
+#: plugins/sudoers/check.c:577
+#, c-format
+msgid "%s exists but is not a regular file (0%o)"
+msgstr "%s đã sẵn có nhưng không phải là một tập tin bình thường (0%o)"
+
+#: plugins/sudoers/check.c:589
+#, c-format
+msgid "%s writable by non-owner (0%o), should be mode 0600"
+msgstr "%s có thể được ghi bởi người không sở hữu nó (0%o), cần đặt chế độ 0600"
+
+#: plugins/sudoers/check.c:643
+#, c-format
+msgid "timestamp too far in the future: %20.20s"
+msgstr "timestamp nằm quá xa ở tương lai: %20.20s"
+
+#: plugins/sudoers/check.c:690
+#, c-format
+msgid "unable to remove %s (%s), will reset to the epoch"
+msgstr "không thể gỡ bỏ %s (%s), sẽ đặt lại thành epoch"
+
+#: plugins/sudoers/check.c:698
+#, c-format
+msgid "unable to reset %s to the epoch"
+msgstr "không thể đặt lại %s thành epoch"
+
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
+#, c-format
+msgid "unknown uid: %u"
+msgstr "không biết UID: %u"
+
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
+#, c-format
+msgid "unknown user: %s"
+msgstr "không hiểu người dùng: %s"
+
+#: plugins/sudoers/def_data.c:27
+#, c-format
+msgid "Syslog facility if syslog is being used for logging: %s"
+msgstr "Trang bị Syslog nếu syslog được sử dụng cho việc ghi nhật ký: %s"
+
+#: plugins/sudoers/def_data.c:31
+#, c-format
+msgid "Syslog priority to use when user authenticates successfully: %s"
+msgstr "Mức ưu tiên Syslog sẽ sử dụng khi người dùng đăng nhập thành công: %s"
+
+#: plugins/sudoers/def_data.c:35
+#, c-format
+msgid "Syslog priority to use when user authenticates unsuccessfully: %s"
+msgstr "Mức ưu tiên Syslog sẽ sử dụng khi người dùng đăng nhập không thành công: %s"
+
+#: plugins/sudoers/def_data.c:39
+msgid "Put OTP prompt on its own line"
+msgstr "Đặt nhắc OTP (mật khẩu dùng một lần) tại dòng nó sở hữu"
+
+#: plugins/sudoers/def_data.c:43
+msgid "Ignore '.' in $PATH"
+msgstr "Lờ đi '.' trong $PATH"
+
+#: plugins/sudoers/def_data.c:47
+msgid "Always send mail when sudo is run"
+msgstr "Luôn gửi thư mỗi khi chạy lệnh sudo"
+
+#: plugins/sudoers/def_data.c:51
+msgid "Send mail if user authentication fails"
+msgstr "Gửi thư nếu xác thực người dùng gặp lỗi"
+
+#: plugins/sudoers/def_data.c:55
+msgid "Send mail if the user is not in sudoers"
+msgstr "Gửi thư nếu người dùng không ở trong sudoers"
+
+#: plugins/sudoers/def_data.c:59
+msgid "Send mail if the user is not in sudoers for this host"
+msgstr "Gửi thư nếu người dùng không có trong sudoers cho máy chủ này"
+
+#: plugins/sudoers/def_data.c:63
+msgid "Send mail if the user is not allowed to run a command"
+msgstr "Gửi thư nếu người dùng không được phép chạy lệnh nào đó"
+
+#: plugins/sudoers/def_data.c:67
+msgid "Use a separate timestamp for each user/tty combo"
+msgstr "Sử dụng timestamp riêng rẽ cho từng cặp tkhoản/tty"
+
+#: plugins/sudoers/def_data.c:71
+msgid "Lecture user the first time they run sudo"
+msgstr "Hướng dẫn người dùng lần đầu tiên họ chạy lệnh sudo"
+
+#: plugins/sudoers/def_data.c:75
+#, c-format
+msgid "File containing the sudo lecture: %s"
+msgstr "TẬP-TIN chứa thuyết trình về sudo: %s"
+
+#: plugins/sudoers/def_data.c:79
+msgid "Require users to authenticate by default"
+msgstr "Yêu cầu người dùng chứng thực theo mặc định"
+
+#: plugins/sudoers/def_data.c:83
+msgid "Root may run sudo"
+msgstr "Siêu người dùng (root) có thể chạy lệnh sudo"
+
+#: plugins/sudoers/def_data.c:87
+msgid "Log the hostname in the (non-syslog) log file"
+msgstr "Ghi nhật ký tên-máy-chủ vào tập tin nhật ký (không dùng syslog)"
+
+#: plugins/sudoers/def_data.c:91
+msgid "Log the year in the (non-syslog) log file"
+msgstr "Ghi nhật ký năm vào tập tin nhật ký (không dùng syslog)"
+
+#: plugins/sudoers/def_data.c:95
+msgid "If sudo is invoked with no arguments, start a shell"
+msgstr "Nếu lệnh sudo được triệu gọi mà không đưa ra tham số thì khởi chạy shell (hệ vỏ)"
+
+#: plugins/sudoers/def_data.c:99
+msgid "Set $HOME to the target user when starting a shell with -s"
+msgstr "Đặt biến $HOME cho người dùng đích khi sử dụng hệ vỏ (shell) với tùy chọn -s"
+
+#: plugins/sudoers/def_data.c:103
+msgid "Always set $HOME to the target user's home directory"
+msgstr "Luôn đặt biến $HOME cho thư mục home của người dùng đích"
+
+#: plugins/sudoers/def_data.c:107
+msgid "Allow some information gathering to give useful error messages"
+msgstr "Cho phép một số thông tin được thu thập để đưa ra các thông tin về lỗi hữu dụng"
+
+#: plugins/sudoers/def_data.c:111
+msgid "Require fully-qualified hostnames in the sudoers file"
+msgstr "Yêu cầu tên máy chủ dạng đầy đủ trong tập tin sudoers"
+
+#: plugins/sudoers/def_data.c:115
+msgid "Insult the user when they enter an incorrect password"
+msgstr "Lăng mạ người dùng khi họ nhập vào mật khẩu sai"
+
+#: plugins/sudoers/def_data.c:119
+msgid "Only allow the user to run sudo if they have a tty"
+msgstr "Chỉ cho phép người dùng chạy lệnh sudo nếu họ có tty"
+
+#: plugins/sudoers/def_data.c:123
+msgid "Visudo will honor the EDITOR environment variable"
+msgstr "Visudo sẽ tôn trọng biến môi trường EDITOR"
+
+#: plugins/sudoers/def_data.c:127
+msgid "Prompt for root's password, not the users's"
+msgstr "Hỏi mật khẩu của siêu người dùng, chứ không phải của người dùng"
+
+#: plugins/sudoers/def_data.c:131
+msgid "Prompt for the runas_default user's password, not the users's"
+msgstr "Nhắc mật khẩu của người dùng runas_mặc_định, không phải của người dùng"
+
+#: plugins/sudoers/def_data.c:135
+msgid "Prompt for the target user's password, not the users's"
+msgstr "Nhắc mật khẩu của người dùng đích, không phải cái hiện tại"
+
+#: plugins/sudoers/def_data.c:139
+msgid "Apply defaults in the target user's login class if there is one"
+msgstr "Áp dụng mặc định trong lớp đăng nhập người dùng đích nếu ở đây có một"
+
+#: plugins/sudoers/def_data.c:143
+msgid "Set the LOGNAME and USER environment variables"
+msgstr "Đặt biến môi trường LOGNAME và USER"
+
+#: plugins/sudoers/def_data.c:147
+msgid "Only set the effective uid to the target user, not the real uid"
+msgstr "Chỉ đặt uid đang có hiệu lực cho người dùng đích, không sử dụng uid thật"
+
+#: plugins/sudoers/def_data.c:151
+msgid "Don't initialize the group vector to that of the target user"
+msgstr "Không khởi tạo véc-tơ nhóm cho người dùng đích"
+
+#: plugins/sudoers/def_data.c:155
+#, c-format
+msgid "Length at which to wrap log file lines (0 for no wrap): %d"
+msgstr "Độ dài mà tại đó các dòng trong tập tin nhật ký được ngắt dòng (0 là không ngắt dòng): %d"
+
+#: plugins/sudoers/def_data.c:159
+#, c-format
+msgid "Authentication timestamp timeout: %.1f minutes"
+msgstr "Thời gian chờ timestamp xác thực tối đa: %.1f phút"
+
+#: plugins/sudoers/def_data.c:163
+#, c-format
+msgid "Password prompt timeout: %.1f minutes"
+msgstr "Thời gian chờ nhắc mật khẩu tối đa: %.1f phút"
+
+#: plugins/sudoers/def_data.c:167
+#, c-format
+msgid "Number of tries to enter a password: %d"
+msgstr "Số lần nhập mật khẩu: %d"
+
+#: plugins/sudoers/def_data.c:171
+#, c-format
+msgid "Umask to use or 0777 to use user's: 0%o"
+msgstr "Umask để sử dụng hoặc 0777 để sử dụng của người dùng: 0%o"
+
+#: plugins/sudoers/def_data.c:175
+#, c-format
+msgid "Path to log file: %s"
+msgstr "Đường dẫn tới tập tin nhật ký: '%s'"
+
+#: plugins/sudoers/def_data.c:179
+#, c-format
+msgid "Path to mail program: %s"
+msgstr "Đường dẫn tới chương trình gửi thư (mail) %s"
+
+#: plugins/sudoers/def_data.c:183
+#, c-format
+msgid "Flags for mail program: %s"
+msgstr "Các cờ dành cho chương trình gửi thư (mail): %s"
+
+#: plugins/sudoers/def_data.c:187
+#, c-format
+msgid "Address to send mail to: %s"
+msgstr "Địa chỉ để gửi thư đến: %s"
+
+#: plugins/sudoers/def_data.c:191
+#, c-format
+msgid "Address to send mail from: %s"
+msgstr "Địa chỉ dùng để gửi thư: %s"
+
+#: plugins/sudoers/def_data.c:195
+#, c-format
+msgid "Subject line for mail messages: %s"
+msgstr "Chủ đề cho thư: %s"
+
+#: plugins/sudoers/def_data.c:199
+#, c-format
+msgid "Incorrect password message: %s"
+msgstr "Sai mật khẩu: %s"
+
+#: plugins/sudoers/def_data.c:203
+#, c-format
+msgid "Path to authentication timestamp dir: %s"
+msgstr "Đường dẫn thư mục timestamp xác thực: %s"
+
+#: plugins/sudoers/def_data.c:207
+#, c-format
+msgid "Owner of the authentication timestamp dir: %s"
+msgstr "Chủ sở hữu đường dẫn thư mục timestamp xác thực: %s"
+
+#: plugins/sudoers/def_data.c:211
+#, c-format
+msgid "Users in this group are exempt from password and PATH requirements: %s"
+msgstr "Những tài khoản trong nhóm này được miễn mật khẩu và yêu cầu PATH: %s"
+
+#: plugins/sudoers/def_data.c:215
+#, c-format
+msgid "Default password prompt: %s"
+msgstr "Lời nhắc nhập mật khẩu mặc định: %s"
+
+#: plugins/sudoers/def_data.c:219
+msgid "If set, passprompt will override system prompt in all cases."
+msgstr "Nếu được đặt, lời nhắc mật khẩu sẽ dè lên dấu nhắc hệ thống trong mọi trường hợp."
+
+#: plugins/sudoers/def_data.c:223
+#, c-format
+msgid "Default user to run commands as: %s"
+msgstr "Tài khoản mặc định chạy lệnh như là: %s"
+
+#: plugins/sudoers/def_data.c:227
+#, c-format
+msgid "Value to override user's $PATH with: %s"
+msgstr "Giá trị dùng để ghi đè lên $PATH của người dùng: %s"
+
+#: plugins/sudoers/def_data.c:231
+#, c-format
+msgid "Path to the editor for use by visudo: %s"
+msgstr "Đường dẫn tới trình biên soạn để sử dụng cho lệnh visudo: %s"
+
+#: plugins/sudoers/def_data.c:235
+#, c-format
+msgid "When to require a password for 'list' pseudocommand: %s"
+msgstr "Khi được yêu cầu mật khẩu cho 'liệt kê' lệnh-giả: %s"
+
+#: plugins/sudoers/def_data.c:239
+#, c-format
+msgid "When to require a password for 'verify' pseudocommand: %s"
+msgstr "Khi được yêu cầu mật khẩu cho 'thẩm tra' lệnh-giả: %s"
+
+#: plugins/sudoers/def_data.c:243
+msgid "Preload the dummy exec functions contained in the sudo_noexec library"
+msgstr "Tải trước các hàm thi hành giả được chứa trong thư viện sudo_noexec"
+
+#: plugins/sudoers/def_data.c:247
+msgid "If LDAP directory is up, do we ignore local sudoers file"
+msgstr "Nếu thư mục LDAP đã bật, chúng tôi sẽ lờ đi tập tin sudoers phải không"
+
+#: plugins/sudoers/def_data.c:251
+#, c-format
+msgid "File descriptors >= %d will be closed before executing a command"
+msgstr "Các mô tả tập tin >= %d sẽ bị đóng trước khi chạy một lệnh"
+
+#: plugins/sudoers/def_data.c:255
+msgid "If set, users may override the value of `closefrom' with the -C option"
+msgstr "Nếu được đặt, người dùng có thể ghi đè lên giá trị của `closefrom' bằng tùy chọn -C"
+
+#: plugins/sudoers/def_data.c:259
+msgid "Allow users to set arbitrary environment variables"
+msgstr "Cho phép người dùng đặt biến môi trường tùy ý"
+
+#: plugins/sudoers/def_data.c:263
+msgid "Reset the environment to a default set of variables"
+msgstr "Đặt lại biến môi trường thành giá trị mặc định của chúng"
+
+#: plugins/sudoers/def_data.c:267
+msgid "Environment variables to check for sanity:"
+msgstr "Các biến môi trường được kiểm tra xem có đúng mực không:"
+
+#: plugins/sudoers/def_data.c:271
+msgid "Environment variables to remove:"
+msgstr "Các biến môi trường gỡ bỏ:"
+
+#: plugins/sudoers/def_data.c:275
+msgid "Environment variables to preserve:"
+msgstr "Các biến môi trường được giữ lại:"
+
+#: plugins/sudoers/def_data.c:279
+#, c-format
+msgid "SELinux role to use in the new security context: %s"
+msgstr "Vai trò SELinux được dùng trong ngữ cảnh an ninh mới: %s"
+
+#: plugins/sudoers/def_data.c:283
+#, c-format
+msgid "SELinux type to use in the new security context: %s"
+msgstr "Kiểu SELinux được dùng trong ngữ cảnh an ninh mới: %s"
+
+#: plugins/sudoers/def_data.c:287
+#, c-format
+msgid "Path to the sudo-specific environment file: %s"
+msgstr "Đường dẫn tới tập tin môi trường đặc-tả-sudo: %s"
+
+#: plugins/sudoers/def_data.c:291
+#, c-format
+msgid "Locale to use while parsing sudoers: %s"
+msgstr "Miền địa phương sẽ sử dụng khi phân tích sudoers: %s"
+
+#: plugins/sudoers/def_data.c:295
+msgid "Allow sudo to prompt for a password even if it would be visible"
+msgstr "Cho phép sudo hỏi mật khẩu thậm chí ngay cả khi nó đã rõ ràng"
+
+#: plugins/sudoers/def_data.c:299
+msgid "Provide visual feedback at the password prompt when there is user input"
+msgstr "Cung cấp phản hồi ảo lúc nhắc mật khẩu khi đây là đầu nhập người dùng"
+
+#: plugins/sudoers/def_data.c:303
+msgid "Use faster globbing that is less accurate but does not access the filesystem"
+msgstr "Sử dụng globbing kiểu nhanh hơn mà nó thì kém chính xác hơn nhưng lại không cần truy cập hệ thống tập tin"
+
+#: plugins/sudoers/def_data.c:307
+msgid "The umask specified in sudoers will override the user's, even if it is more permissive"
+msgstr "Giá trị umask được chỉ định trong sudoers sẽ ghi đè lên giá trị này của người dùng, thậm chí nó còn dễ dãi hơn"
+
+#: plugins/sudoers/def_data.c:311
+msgid "Log user's input for the command being run"
+msgstr "Ghi nhật ký kết xuất từ người dùng cho lệnh đang chạy"
+
+#: plugins/sudoers/def_data.c:315
+msgid "Log the output of the command being run"
+msgstr "Ghi lại nhật ký kết xuất của lệnh đang chạy"
+
+#: plugins/sudoers/def_data.c:319
+msgid "Compress I/O logs using zlib"
+msgstr "Nén nhật ký V/R sử dụng định dạng zlib"
+
+#: plugins/sudoers/def_data.c:323
+msgid "Always run commands in a pseudo-tty"
+msgstr "Luôn chạy lệnh ở tty-giả"
+
+#: plugins/sudoers/def_data.c:327
+#, c-format
+msgid "Plugin for non-Unix group support: %s"
+msgstr "Phần bổ xung cho hỗ trợ nhóm không-Unix: %s"
+
+#: plugins/sudoers/def_data.c:331
+#, c-format
+msgid "Directory in which to store input/output logs: %s"
+msgstr "Thư mục mà nó sẽ lưu nhật ký vào/ra: %s"
+
+#: plugins/sudoers/def_data.c:335
+#, c-format
+msgid "File in which to store the input/output log: %s"
+msgstr "Tập tin mà nó sẽ lưu nhật ký vào/ra: %s"
+
+#: plugins/sudoers/def_data.c:339
+msgid "Add an entry to the utmp/utmpx file when allocating a pty"
+msgstr "Thêm một mục vào tập tin utmp/utmpx khi phân bổ một pty"
+
+#: plugins/sudoers/def_data.c:343
+msgid "Set the user in utmp to the runas user, not the invoking user"
+msgstr "Đặt người dùng trong utmp thành người dùng runasr, không phải người dùng gọi"
+
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "Đặt đặc quyền"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "Đặt các quyền bị giới hạn"
+
+#: plugins/sudoers/defaults.c:208
+#, c-format
+msgid "unknown defaults entry `%s'"
+msgstr "không hiểu mục mặc định `%s'"
+
+#: plugins/sudoers/defaults.c:216 plugins/sudoers/defaults.c:226
+#: plugins/sudoers/defaults.c:246 plugins/sudoers/defaults.c:259
+#: plugins/sudoers/defaults.c:272 plugins/sudoers/defaults.c:285
+#: plugins/sudoers/defaults.c:298 plugins/sudoers/defaults.c:318
+#: plugins/sudoers/defaults.c:328
+#, c-format
+msgid "value `%s' is invalid for option `%s'"
+msgstr "giá trị `%s' là không hợp lệ cho tùy chọn `%s'"
+
+#: plugins/sudoers/defaults.c:219 plugins/sudoers/defaults.c:229
+#: plugins/sudoers/defaults.c:237 plugins/sudoers/defaults.c:254
+#: plugins/sudoers/defaults.c:267 plugins/sudoers/defaults.c:280
+#: plugins/sudoers/defaults.c:293 plugins/sudoers/defaults.c:313
+#: plugins/sudoers/defaults.c:324
+#, c-format
+msgid "no value specified for `%s'"
+msgstr "chưa chỉ ra giá trị cho \"%s\""
+
+#: plugins/sudoers/defaults.c:242
+#, c-format
+msgid "values for `%s' must start with a '/'"
+msgstr "giá trị cho `%s' phải bắt đầu bằng một '/'"
+
+#: plugins/sudoers/defaults.c:304
+#, c-format
+msgid "option `%s' does not take a value"
+msgstr "tùy chọn `%s' không chấp nhận giá trị"
+
+#: plugins/sudoers/env.c:367
+#, c-format
+msgid "sudo_putenv: corrupted envp, length mismatch"
+msgstr "sudo_putenv: envp sai hỏng, chiều dài không khớp"
+
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
+#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
+#, c-format
+msgid "unable to allocate memory"
+msgstr "không thể cấp phát vùng nhớ"
+
+#: plugins/sudoers/env.c:992
+#, c-format
+msgid "sorry, you are not allowed to set the following environment variables: %s"
+msgstr "rất tiếc, bạn không được phép đặt các biến môi trường sau đây: %1s"
+
+#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
+#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
+#, c-format
+msgid "%s: %s"
+msgstr "%s: %s"
+
+#: plugins/sudoers/group_plugin.c:91
+#, c-format
+msgid "%s%s: %s"
+msgstr "%s%s: %s"
+
+#: plugins/sudoers/group_plugin.c:103
+#, c-format
+msgid "%s must be owned by uid %d"
+msgstr "%s phải được sở hữu bởi uid %d"
+
+#: plugins/sudoers/group_plugin.c:107
+#, c-format
+msgid "%s must only be writable by owner"
+msgstr "%s phải là những thứ chỉ có thể ghi bởi chủ sở hữu"
+
+#: plugins/sudoers/group_plugin.c:114
+#, c-format
+msgid "unable to dlopen %s: %s"
+msgstr "không thể dlopen %s: %s"
+
+#: plugins/sudoers/group_plugin.c:119
+#, c-format
+msgid "unable to find symbol \"group_plugin\" in %s"
+msgstr "không tìm thấy ký hiệu \"group_plugin\" trong %s"
+
+#: plugins/sudoers/group_plugin.c:124
+#, c-format
+msgid "%s: incompatible group plugin major version %d, expected %d"
+msgstr "%s: phiên bản số lớn phần bổ xung nhóm không tương thích %d, mong đợi %d"
+
+#: plugins/sudoers/interfaces.c:112
+msgid "Local IP address and netmask pairs:\n"
+msgstr "Cặp địa chỉ IP và mặt nạ cục bộ:\n"
+
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
+#, c-format
+msgid "unable to read %s"
+msgstr "không thể đọc %s"
+
+#: plugins/sudoers/iolog.c:208
+#, c-format
+msgid "invalid sequence number %s"
+msgstr "sai số tạo dãy %s"
+
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
+#, c-format
+msgid "unable to create %s"
+msgstr "không thể tạo '%s'"
+
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
+#, c-format
+msgid "unable to set locale to \"%s\", using \"C\""
+msgstr "không thể đặt địa phương thành \"%s\", sẽ dùng \"C\""
+
+#: plugins/sudoers/ldap.c:387
+#, c-format
+msgid "sudo_ldap_conf_add_ports: port too large"
+msgstr "sudo_ldap_conf_add_ports: cổng quá lớn"
+
+#: plugins/sudoers/ldap.c:410
+#, c-format
+msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
+msgstr "sudo_ldap_conf_add_ports: hết bộ nhớ để mở rộng hostbuf"
+
+#: plugins/sudoers/ldap.c:440
+#, c-format
+msgid "unsupported LDAP uri type: %s"
+msgstr "không hỗ trợ kiểu \"LDAP uri\": %s"
+
+#: plugins/sudoers/ldap.c:469
+#, c-format
+msgid "invalid uri: %s"
+msgstr "URI không hợp lệ: %s"
+
+#: plugins/sudoers/ldap.c:475
+#, c-format
+msgid "unable to mix ldap and ldaps URIs"
+msgstr "không thể trộn ldap và ldaps URIs"
+
+#: plugins/sudoers/ldap.c:479
+#, c-format
+msgid "unable to mix ldaps and starttls"
+msgstr "không thể trộn ldaps và starttls"
+
+#: plugins/sudoers/ldap.c:498
+#, c-format
+msgid "sudo_ldap_parse_uri: out of space building hostbuf"
+msgstr "sudo_ldap_parse_uri: hết bộ nhớ để xây dựng hostbuf"
+
+#: plugins/sudoers/ldap.c:572
+#, c-format
+msgid "unable to initialize SSL cert and key db: %s"
+msgstr "không thể khởi tạo chứng nhận SSL và csdl khóa: %s"
+
+#: plugins/sudoers/ldap.c:575
+#, c-format
+msgid "you must set TLS_CERT in %s to use SSL"
+msgstr "bạn phải đặt TLS_CERT trong %s để sử dụng SSL"
+
+#: plugins/sudoers/ldap.c:992
+#, c-format
+msgid "unable to get GMT time"
+msgstr "không thể lấy giờ quốc tế (GMT)"
+
+#: plugins/sudoers/ldap.c:998
+#, c-format
+msgid "unable to format timestamp"
+msgstr "không thể định dạng dấu-vết-thời-gian"
+
+#: plugins/sudoers/ldap.c:1006
+#, c-format
+msgid "unable to build time filter"
+msgstr "không thể xây dựng bộ lọc thời gian"
+
+#: plugins/sudoers/ldap.c:1225
+#, c-format
+msgid "sudo_ldap_build_pass1 allocation mismatch"
+msgstr "sudo_ldap_build_pass1 phân bổ không khớp"
+
+#: plugins/sudoers/ldap.c:1761
+#, c-format
+msgid ""
+"\n"
+"LDAP Role: %s\n"
+msgstr ""
+"\n"
+"LDAP Role: %s\n"
+
+#: plugins/sudoers/ldap.c:1763
+#, c-format
+msgid ""
+"\n"
+"LDAP Role: UNKNOWN\n"
+msgstr ""
+"\n"
+"LDAP Role: KHÔNG HIỂU\n"
+
+#: plugins/sudoers/ldap.c:1810
+#, c-format
+msgid " Order: %s\n"
+msgstr " Thứ tự: %s\n"
+
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
+#, c-format
+msgid " Commands:\n"
+msgstr " Lệnh:\n"
+
+#: plugins/sudoers/ldap.c:2240
+#, c-format
+msgid "unable to initialize LDAP: %s"
+msgstr "không thể khởi tạo LDAP: %s"
+
+#: plugins/sudoers/ldap.c:2274
+#, c-format
+msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
+msgstr "start_tls được chỉ ra nhưng thư viện LDAP không hỗ trợ ldap_start_tls_s() hoặc ldap_start_tls_s_np()"
+
+#: plugins/sudoers/ldap.c:2510
+#, c-format
+msgid "invalid sudoOrder attribute: %s"
+msgstr "thuộc tính sudoOrder không hợp lệ: %s"
+
+#: plugins/sudoers/linux_audit.c:57
+#, c-format
+msgid "unable to open audit system"
+msgstr "không thể mở hệ thống audit"
+
+#: plugins/sudoers/linux_audit.c:93
+#, c-format
+msgid "unable to send audit message"
+msgstr "không thể gửi thông tin audit"
+
+#: plugins/sudoers/logging.c:202
+#, c-format
+msgid "unable to open log file: %s: %s"
+msgstr "không thể mở tập tin nhật ký: %s: %s"
+
+#: plugins/sudoers/logging.c:205
+#, c-format
+msgid "unable to lock log file: %s: %s"
+msgstr "không thể khóa tập tin nhật ký: %s: %s"
+
+#: plugins/sudoers/logging.c:260
+msgid "user NOT in sudoers"
+msgstr "tài khoản KHÔNG có trong sudoers"
+
+#: plugins/sudoers/logging.c:262
+msgid "user NOT authorized on host"
+msgstr "tài khoản KHÔNG được cho phép sử dụng trên máy chủ"
+
+#: plugins/sudoers/logging.c:264
+msgid "command not allowed"
+msgstr "lệnh không được phép"
+
+#: plugins/sudoers/logging.c:274
+#, c-format
+msgid "%s is not in the sudoers file. This incident will be reported.\n"
+msgstr "%s không trong tập tin sudoers. Sự việc này sẽ được báo cáo.\n"
+
+#: plugins/sudoers/logging.c:277
+#, c-format
+msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
+msgstr "%s không được phép chạy lệnh sudo trên %s. Sự việc này sẽ được báo cáo.\n"
+
+#: plugins/sudoers/logging.c:281
+#, c-format
+msgid "Sorry, user %s may not run sudo on %s.\n"
+msgstr "Rất tiếc, tài khoảnr %s không được chạy lệnh sudo trên %s.\n"
+
+#: plugins/sudoers/logging.c:284
+#, c-format
+msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
+msgstr "Rất tiếc, tài khoản %s không được phép thi hành '%s%s%s' như là %s%s%s trên %s.\n"
+
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "Không có tài khoản hay tên máy chủ"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "việc phê chuẩn thất bại"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s: không tìm thấy lệnh"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"đang bỏ qua `%s' được tìm thấy trong '.'\n"
+"Sử dụng `sudo ./%s' nếu đây là `%s' bạn muốn chạy."
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "lỗi xác thực"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "đã sai mật khẩu %d lần"
+msgstr[1] "đã sai mật khẩu %d lần"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "bắt buộc phải có mật khẩu"
+
+#: plugins/sudoers/logging.c:530
+#, c-format
+msgid "unable to fork"
+msgstr "không thể tạo tiến trình con"
+
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
+#, c-format
+msgid "unable to fork: %m"
+msgstr "không thể tạo tiến trình con: %m"
+
+#: plugins/sudoers/logging.c:589
+#, c-format
+msgid "unable to open pipe: %m"
+msgstr "không thể mở ống: %m"
+
+#: plugins/sudoers/logging.c:614
+#, c-format
+msgid "unable to dup stdin: %m"
+msgstr "không thể dup stdin: %m"
+
+#: plugins/sudoers/logging.c:650
+#, c-format
+msgid "unable to execute %s: %m"
+msgstr "không thể thực thi %s: %m"
+
+#: plugins/sudoers/logging.c:865
+#, c-format
+msgid "internal error: insufficient space for log line"
+msgstr "lỗi nội bộ: thiếu khoảng trống cho dòng ghi nhật ký"
+
+#: plugins/sudoers/parse.c:123
+#, c-format
+msgid "parse error in %s near line %d"
+msgstr "lỗi phân tích trong %s gần dòng %d"
+
+#: plugins/sudoers/parse.c:126
+#, c-format
+msgid "parse error in %s"
+msgstr "gặp lỗi phân tích trong %s"
+
+#: plugins/sudoers/parse.c:414
+#, c-format
+msgid ""
+"\n"
+"Sudoers entry:\n"
+msgstr ""
+"\n"
+"Mục Sudoers:\n"
+
+#: plugins/sudoers/parse.c:416
+#, c-format
+msgid " RunAsUsers: "
+msgstr " ChạyVớiTưCách: "
+
+#: plugins/sudoers/parse.c:431
+#, c-format
+msgid " RunAsGroups: "
+msgstr " ChạyNhưMìnhỞNhóm: "
+
+#: plugins/sudoers/parse.c:440
+#, c-format
+msgid ""
+" Commands:\n"
+"\t"
+msgstr ""
+" Lệnh:\n"
+"\t"
+
+#: plugins/sudoers/plugin_error.c:100 plugins/sudoers/plugin_error.c:105
+msgid ": "
+msgstr ": "
+
+#: plugins/sudoers/pwutil.c:278
+#, c-format
+msgid "unable to cache uid %u (%s), already exists"
+msgstr "không thể lưu nhớ tạm uid %u (%s), đã có sẵn rồi"
+
+#: plugins/sudoers/pwutil.c:286
+#, c-format
+msgid "unable to cache uid %u, already exists"
+msgstr "không thể lưu nhớ tạm uid %u, đã có sẵn rồi"
+
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
+#, c-format
+msgid "unable to cache user %s, already exists"
+msgstr "không thể lưu nhớ tạm tài khoản %s, đã có sẵn rồi"
+
+#: plugins/sudoers/pwutil.c:668
+#, c-format
+msgid "unable to cache gid %u (%s), already exists"
+msgstr "không thể lưu nhớ tạm gid %u (%s), đã có sẵn rồi"
+
+#: plugins/sudoers/pwutil.c:676
+#, c-format
+msgid "unable to cache gid %u, already exists"
+msgstr "không thể lưu nhớ tạm gid %u, đã có sẵn rồi"
+
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
+#, c-format
+msgid "unable to cache group %s, already exists"
+msgstr "không thể lưu nhớ tạm nhóm %s, đã có sẵn rồi"
+
+#: plugins/sudoers/set_perms.c:122 plugins/sudoers/set_perms.c:436
+#: plugins/sudoers/set_perms.c:828 plugins/sudoers/set_perms.c:1114
+#: plugins/sudoers/set_perms.c:1396
+msgid "perm stack overflow"
+msgstr "perm stack bị tràn"
+
+#: plugins/sudoers/set_perms.c:130 plugins/sudoers/set_perms.c:444
+#: plugins/sudoers/set_perms.c:836 plugins/sudoers/set_perms.c:1122
+#: plugins/sudoers/set_perms.c:1404
+msgid "perm stack underflow"
+msgstr "perm stack tràn ngầm"
+
+#: plugins/sudoers/set_perms.c:270 plugins/sudoers/set_perms.c:580
+#: plugins/sudoers/set_perms.c:957 plugins/sudoers/set_perms.c:1243
+msgid "unable to change to runas gid"
+msgstr "không thể thay đổi thành runas gid"
+
+#: plugins/sudoers/set_perms.c:282 plugins/sudoers/set_perms.c:592
+#: plugins/sudoers/set_perms.c:967 plugins/sudoers/set_perms.c:1253
+msgid "unable to change to runas uid"
+msgstr "không thể thay đổi thành runas uid"
+
+#: plugins/sudoers/set_perms.c:300 plugins/sudoers/set_perms.c:610
+#: plugins/sudoers/set_perms.c:983 plugins/sudoers/set_perms.c:1269
+msgid "unable to change to sudoers gid"
+msgstr "không thể thay đổi thành gid sudoers"
+
+#: plugins/sudoers/set_perms.c:353 plugins/sudoers/set_perms.c:681
+#: plugins/sudoers/set_perms.c:1029 plugins/sudoers/set_perms.c:1315
+#: plugins/sudoers/set_perms.c:1474
+msgid "too many processes"
+msgstr "quá nhiều tiến trình"
+
+#: plugins/sudoers/set_perms.c:1542
+msgid "unable to set runas group vector"
+msgstr "không thể đặt véc-tơ nhóm runas"
+
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "Không thể dlopen %s: %s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "Không thể khởi tạo nguồn SSS. SSSD đã được cài đặt trên máy của bạn chưa vậy?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "không thể tìm thấy ký hiệu \"%s\" trong %s"
+
+#: plugins/sudoers/sudo_nss.c:267
+#, c-format
+msgid "Matching Defaults entries for %s on this host:\n"
+msgstr "Các mục mặc định khớp cho %s trên máy này:\n"
+
+#: plugins/sudoers/sudo_nss.c:280
+#, c-format
+msgid "Runas and Command-specific defaults for %s:\n"
+msgstr "Runas và Đặc-tả-lệnh mặc định cho %s:\n"
+
+#: plugins/sudoers/sudo_nss.c:293
+#, c-format
+msgid "User %s may run the following commands on this host:\n"
+msgstr "Người dùng %s có thể chạy những lệnh sau trên máy này:\n"
+
+#: plugins/sudoers/sudo_nss.c:302
+#, c-format
+msgid "User %s is not allowed to run sudo on %s.\n"
+msgstr "Tài khoản %s không được phép thi hành sudo trên %s.\n"
+
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
+msgid "problem with defaults entries"
+msgstr "trục trặc với các mục mặc định"
+
+#: plugins/sudoers/sudoers.c:216
+#, c-format
+msgid "no valid sudoers sources found, quitting"
+msgstr "không có người dùng hợp lệ nào được tìm thấy, đang thoát ra"
+
+#: plugins/sudoers/sudoers.c:268
+#, c-format
+msgid "unable to execute %s: %s"
+msgstr "không thể thực thi %s: %s"
+
+#: plugins/sudoers/sudoers.c:335
+#, c-format
+msgid "sudoers specifies that root is not allowed to sudo"
+msgstr "sudoers đã ghi rõ là siêu người dùng (root) không được phép chạy sudo"
+
+#: plugins/sudoers/sudoers.c:342
+#, c-format
+msgid "you are not permitted to use the -C option"
+msgstr "bạn không được phép sử dụng tùy chọn -C"
+
+#: plugins/sudoers/sudoers.c:431
+#, c-format
+msgid "timestamp owner (%s): No such user"
+msgstr "người sở hữu timestamp (%s): Không có người dùng nào như vậy"
+
+#: plugins/sudoers/sudoers.c:447
+msgid "no tty"
+msgstr "không có tty"
+
+#: plugins/sudoers/sudoers.c:448
+#, c-format
+msgid "sorry, you must have a tty to run sudo"
+msgstr "rất tiếc, bạn phải có tty mới có thể chạy sudo"
+
+#: plugins/sudoers/sudoers.c:498
+msgid "command in current directory"
+msgstr "lệnh trong thư mục hiện hành"
+
+#: plugins/sudoers/sudoers.c:510
+#, c-format
+msgid "sorry, you are not allowed to preserve the environment"
+msgstr "rất tiếc, bạn không được phép giữ lại môi trường"
+
+#: plugins/sudoers/sudoers.c:1006
+#, c-format
+msgid "%s is not a regular file"
+msgstr "%s không phải tập tin thường"
+
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "%s được sở hữu bởi uid %u, nên là %u"
+
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
+#, c-format
+msgid "%s is world writable"
+msgstr "%s ai ghi cũng được"
+
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
+#, c-format
+msgid "%s is owned by gid %u, should be %u"
+msgstr "%s được sở hữu bởi gid %u, nên là %u"
+
+#: plugins/sudoers/sudoers.c:1043
+#, c-format
+msgid "only root can use `-c %s'"
+msgstr "chỉ có siêu người dùng (root) mới có thể sử dụng tùy chọn `-c %s'"
+
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
+#, c-format
+msgid "unknown login class: %s"
+msgstr "không rõ lớp đăng nhập: %s"
+
+#: plugins/sudoers/sudoers.c:1089
+#, c-format
+msgid "unable to resolve host %s"
+msgstr "không thể phân giải địa chỉ của máy %s"
+
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
+#, c-format
+msgid "unknown group: %s"
+msgstr "không nhận ra nhóm: %s"
+
+#: plugins/sudoers/sudoers.c:1190
+#, c-format
+msgid "Sudoers policy plugin version %s\n"
+msgstr "Phiên bạn phần bổ xung chính sách Sudoers %s\n"
+
+#: plugins/sudoers/sudoers.c:1192
+#, c-format
+msgid "Sudoers file grammar version %d\n"
+msgstr "Phiên bản ngữ pháp tập tin Sudoers %d\n"
+
+#: plugins/sudoers/sudoers.c:1196
+#, c-format
+msgid ""
+"\n"
+"Sudoers path: %s\n"
+msgstr ""
+"\n"
+"Đường dẫn Sudoers: %s\n"
+
+#: plugins/sudoers/sudoers.c:1199
+#, c-format
+msgid "nsswitch path: %s\n"
+msgstr "đường dẫn nsswitch: %s\n"
+
+#: plugins/sudoers/sudoers.c:1201
+#, c-format
+msgid "ldap.conf path: %s\n"
+msgstr "đường dẫn ldap.conf: %s\n"
+
+#: plugins/sudoers/sudoers.c:1202
+#, c-format
+msgid "ldap.secret path: %s\n"
+msgstr "đường dẫn ldap.secret: %s\n"
+
+#: plugins/sudoers/sudoreplay.c:293
+#, c-format
+msgid "invalid filter option: %s"
+msgstr "tùy chọn lọc không hợp lệ: %s"
+
+#: plugins/sudoers/sudoreplay.c:306
+#, c-format
+msgid "invalid max wait: %s"
+msgstr "thời gian chờ tối đa không hợp lệ: %s"
+
+#: plugins/sudoers/sudoreplay.c:312
+#, c-format
+msgid "invalid speed factor: %s"
+msgstr "sai hệ số nhân tốc độ: %s"
+
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
+#, c-format
+msgid "%s version %s\n"
+msgstr "%s phiên bản %s\n"
+
+#: plugins/sudoers/sudoreplay.c:340
+#, c-format
+msgid "%s/%.2s/%.2s/%.2s/timing: %s"
+msgstr "%s/%.2s/%.2s/%.2s/thời-gian: %s"
+
+#: plugins/sudoers/sudoreplay.c:346
+#, c-format
+msgid "%s/%s/timing: %s"
+msgstr "%s/%s/thời-gian: %s"
+
+#: plugins/sudoers/sudoreplay.c:364
+#, c-format
+msgid "Replaying sudo session: %s\n"
+msgstr "Đang chạy lại phiên sudo: %s\n"
+
+#: plugins/sudoers/sudoreplay.c:370
+#, c-format
+msgid "Warning: your terminal is too small to properly replay the log.\n"
+msgstr "Cảnh báo: thiết bị cuối quá nhỏ để có thể chạy nhật ký một cách đúng đắn.\n"
+
+#: plugins/sudoers/sudoreplay.c:371
+#, c-format
+msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
+msgstr "Định dạng của nhật ký là %d x %d, định dạng của thiết bị cuối là %d x %d."
+
+#: plugins/sudoers/sudoreplay.c:401
+#, c-format
+msgid "unable to set tty to raw mode"
+msgstr "không thể đặt thiết bị tty chế độ raw (thô)"
+
+#: plugins/sudoers/sudoreplay.c:418
+#, c-format
+msgid "invalid timing file line: %s"
+msgstr "sai dòng ghi thời gian trong tập tin: %s"
+
+#: plugins/sudoers/sudoreplay.c:501
+#, c-format
+msgid "writing to standard output"
+msgstr "ghi vào đầu ra tiêu chuẩn"
+
+#: plugins/sudoers/sudoreplay.c:530
+#, c-format
+msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
+msgstr "nanosleep: tv_sec %ld, tv_nsec %ld"
+
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
+#, c-format
+msgid "ambiguous expression \"%s\""
+msgstr "biểu thức không rõ ràng \"%s\""
+
+#: plugins/sudoers/sudoreplay.c:685
+#, c-format
+msgid "too many parenthesized expressions, max %d"
+msgstr "có quá nhiều biểu thức trong dấu ngoặc đơn, tối đa là %d"
+
+#: plugins/sudoers/sudoreplay.c:696
+#, c-format
+msgid "unmatched ')' in expression"
+msgstr "thiếu ')' trong biểu thức"
+
+#: plugins/sudoers/sudoreplay.c:702
+#, c-format
+msgid "unknown search term \"%s\""
+msgstr "không hiểu giới hạn tìm kiếm \"%s\""
+
+#: plugins/sudoers/sudoreplay.c:716
+#, c-format
+msgid "%s requires an argument"
+msgstr "%s yêu cầu một đối số"
+
+#: plugins/sudoers/sudoreplay.c:720
+#, c-format
+msgid "invalid regular expression: %s"
+msgstr "biểu thức chính quy không hợp lệ: %s"
+
+#: plugins/sudoers/sudoreplay.c:726
+#, c-format
+msgid "could not parse date \"%s\""
+msgstr "không thể phân tích ngày tháng \"%s\""
+
+#: plugins/sudoers/sudoreplay.c:739
+#, c-format
+msgid "unmatched '(' in expression"
+msgstr "thiếu '(' trong biểu thức"
+
+#: plugins/sudoers/sudoreplay.c:741
+#, c-format
+msgid "illegal trailing \"or\""
+msgstr "sai đuôi \"or\""
+
+#: plugins/sudoers/sudoreplay.c:743
+#, c-format
+msgid "illegal trailing \"!\""
+msgstr "sai đuôi \"!\""
+
+#: plugins/sudoers/sudoreplay.c:1050
+#, c-format
+msgid "invalid regex: %s"
+msgstr "biểu thức chính quy không hợp lệ: %s"
+
+#: plugins/sudoers/sudoreplay.c:1174
+#, c-format
+msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
+msgstr "cách dùng: %s [-h] [-d thư-mục] [-m chờ-tối-đa] [-s hệ-số-tốc-độ] ID\n"
+
+#: plugins/sudoers/sudoreplay.c:1177
+#, c-format
+msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
+msgstr "usage: %s [-h] [-d thư-mục] -l [biểu thức tìm kiếm]\n"
+
+#: plugins/sudoers/sudoreplay.c:1186
+#, c-format
+msgid ""
+"%s - replay sudo session logs\n"
+"\n"
+msgstr ""
+"%s - chạy lại nhật ký phiên sudo\n"
+"\n"
+
+#: plugins/sudoers/sudoreplay.c:1188
+msgid ""
+"\n"
+"Options:\n"
+" -d directory specify directory for session logs\n"
+" -f filter specify which I/O type to display\n"
+" -h display help message and exit\n"
+" -l [expression] list available session IDs that match expression\n"
+" -m max_wait max number of seconds to wait between events\n"
+" -s speed_factor speed up or slow down output\n"
+" -V display version information and exit"
+msgstr ""
+"\n"
+"Tùy chọn:\n"
+" -d thư-mục chỉ định thư mục cho nhật ký phiên\n"
+" -f filter chỉ định kiểu V/R để hiển thị\n"
+" -h hiển thị thông tin trợ giúp rồi thoát\n"
+" -l [biểu thức] liệt kê ID phiên mà nó khớp với biểu thức\n"
+" -m max_wait số giây tối đa sẽ chờ giữa hai sự kiện\n"
+" -s speed_factor tăng hoặc giảm tốc kết xuất\n"
+" -V hiển thị thông tin về phiên bản rồi thoát"
+
+#: plugins/sudoers/testsudoers.c:338
+msgid "\thost unmatched"
+msgstr "\tmáy chủ không khớp"
+
+#: plugins/sudoers/testsudoers.c:341
+msgid ""
+"\n"
+"Command allowed"
+msgstr ""
+"\n"
+"Lệnh được phép"
+
+#: plugins/sudoers/testsudoers.c:342
+msgid ""
+"\n"
+"Command denied"
+msgstr ""
+"\n"
+"Lệnh không được phép"
+
+#: plugins/sudoers/testsudoers.c:342
+msgid ""
+"\n"
+"Command unmatched"
+msgstr ""
+"\n"
+"Lệnh không khớp"
+
+#: plugins/sudoers/toke_util.c:218
+msgid "fill_args: buffer overflow"
+msgstr "fill_args: bộ đệm bị tràn"
+
+#: plugins/sudoers/visudo.c:188
+#, c-format
+msgid "%s grammar version %d\n"
+msgstr "%s phiên bản ngữ pháp %d\n"
+
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
+#, c-format
+msgid "press return to edit %s: "
+msgstr "bấm phím <Enter> để trở về chỉnh sửa %s:"
+
+#: plugins/sudoers/visudo.c:335 plugins/sudoers/visudo.c:341
+#, c-format
+msgid "write error"
+msgstr "lỗi ghi"
+
+#: plugins/sudoers/visudo.c:423
+#, c-format
+msgid "unable to stat temporary file (%s), %s unchanged"
+msgstr "không thể lấy thống kê tập tin tạm (%s), %s không thay đổi."
+
+#: plugins/sudoers/visudo.c:428
+#, c-format
+msgid "zero length temporary file (%s), %s unchanged"
+msgstr "tệp tin (%s) có chiều dài bằng không, %s không thay đổi"
+
+#: plugins/sudoers/visudo.c:434
+#, c-format
+msgid "editor (%s) failed, %s unchanged"
+msgstr "trình biên soạn (%s) gặp lỗi, %s không thay đổi"
+
+#: plugins/sudoers/visudo.c:457
+#, c-format
+msgid "%s unchanged"
+msgstr "%s không thay đổi"
+
+#: plugins/sudoers/visudo.c:486
+#, c-format
+msgid "unable to re-open temporary file (%s), %s unchanged."
+msgstr "không thể mở lại tập tin tạm (%s), %s không thay đổi."
+
+#: plugins/sudoers/visudo.c:496
+#, c-format
+msgid "unabled to parse temporary file (%s), unknown error"
+msgstr "không thể phân tích tập tin tạm (%s), lỗi chưa được biết"
+
+#: plugins/sudoers/visudo.c:534
+#, c-format
+msgid "internal error, unable to find %s in list!"
+msgstr "lỗi hệ thống, không thể tìm thấy %s trong danh sách!"
+
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
+#, c-format
+msgid "unable to set (uid, gid) of %s to (%u, %u)"
+msgstr "không thể đặt (uid, gid) của %s thành (%u, %u)"
+
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
+#, c-format
+msgid "unable to change mode of %s to 0%o"
+msgstr "không thể chuyển đổi chế độ của %s thành 0%o"
+
+#: plugins/sudoers/visudo.c:617
+#, c-format
+msgid "%s and %s not on the same file system, using mv to rename"
+msgstr "%s và %s không ở trên cùng một hệ thống tập tin, sử dụng lệnh mv để đổi tên"
+
+#: plugins/sudoers/visudo.c:631
+#, c-format
+msgid "command failed: '%s %s %s', %s unchanged"
+msgstr "thực hiện lệnh gặp lỗi: '%s %s %s', %s không thay đổi"
+
+#: plugins/sudoers/visudo.c:641
+#, c-format
+msgid "error renaming %s, %s unchanged"
+msgstr "gặp lỗi khi đổi tên %s, %s không thay đổi"
+
+#: plugins/sudoers/visudo.c:704
+msgid "What now? "
+msgstr "Vậy làm gì?"
+
+#: plugins/sudoers/visudo.c:718
+msgid ""
+"Options are:\n"
+" (e)dit sudoers file again\n"
+" e(x)it without saving changes to sudoers file\n"
+" (Q)uit and save changes to sudoers file (DANGER!)\n"
+msgstr ""
+"Các tùy chọn là:\n"
+" (e) lại sửa tập tin sudoers\n"
+" e(x) thoát ra mà không ghi lại tập tin sudoerse\n"
+" (Q)Thoát ra và ghi lại tập tin sudoers (NGUY HIỂM!)\n"
+
+#: plugins/sudoers/visudo.c:759
+#, c-format
+msgid "unable to execute %s"
+msgstr "không thể thực thi %s"
+
+#: plugins/sudoers/visudo.c:766
+#, c-format
+msgid "unable to run %s"
+msgstr "không thể chạy %s"
+
+#: plugins/sudoers/visudo.c:792
+#, c-format
+msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
+msgstr "%s: sai sở hữu (uid, gid) đáng lẽ là (%u, %u)\n"
+
+#: plugins/sudoers/visudo.c:799
+#, c-format
+msgid "%s: bad permissions, should be mode 0%o\n"
+msgstr "%s: phân quyền sai, phải ở chế độ 0%o\n"
+
+#: plugins/sudoers/visudo.c:824
+#, c-format
+msgid "failed to parse %s file, unknown error"
+msgstr "gặp lỗi khi phân tích tập tin %s, không rõ bị lỗi gì"
+
+#: plugins/sudoers/visudo.c:837
+#, c-format
+msgid "parse error in %s near line %d\n"
+msgstr "lỗi phân tích trong %s gần dòng %d\n"
+
+#: plugins/sudoers/visudo.c:840
+#, c-format
+msgid "parse error in %s\n"
+msgstr "gặp lỗi phân tích trong %s\n"
+
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
+#, c-format
+msgid "%s: parsed OK\n"
+msgstr "%s: kiểm duyệt OK\n"
+
+#: plugins/sudoers/visudo.c:899
+#, c-format
+msgid "%s busy, try again later"
+msgstr "%s đang bận, hãy thử lại sau"
+
+#: plugins/sudoers/visudo.c:943
+#, c-format
+msgid "specified editor (%s) doesn't exist"
+msgstr "trình biên soạn đã chỉ ra (%s) không tồn tại"
+
+#: plugins/sudoers/visudo.c:966
+#, c-format
+msgid "unable to stat editor (%s)"
+msgstr "không thể lấy thống kê trình biên soạn (%s)"
+
+#: plugins/sudoers/visudo.c:1014
+#, c-format
+msgid "no editor found (editor path = %s)"
+msgstr "không tìm thấy trình biên soạn (đường dẫn của nó = %s)"
+
+#: plugins/sudoers/visudo.c:1108
+#, c-format
+msgid "Error: cycle in %s_Alias `%s'"
+msgstr "Lỗi: cycle (vòng tròn) trong %s_Alias `%s'"
+
+#: plugins/sudoers/visudo.c:1109
+#, c-format
+msgid "Warning: cycle in %s_Alias `%s'"
+msgstr "Cảnh báo: cycle (vòng tròn) trong %s_Alias `%s'"
+
+#: plugins/sudoers/visudo.c:1112
+#, c-format
+msgid "Error: %s_Alias `%s' referenced but not defined"
+msgstr "Lỗi: %s_Bí_danh `%s' được tham chiếu nhưng chưa được định nghĩa"
+
+#: plugins/sudoers/visudo.c:1113
+#, c-format
+msgid "Warning: %s_Alias `%s' referenced but not defined"
+msgstr "Cảnh báo: %s_Bí_danh `%s' được tham chiếu nhưng chưa được định nghĩa"
+
+#: plugins/sudoers/visudo.c:1248
+#, c-format
+msgid "%s: unused %s_Alias %s"
+msgstr "%s: không dùng %s_Bí_danh %s"
+
+#: plugins/sudoers/visudo.c:1304
+#, c-format
+msgid ""
+"%s - safely edit the sudoers file\n"
+"\n"
+msgstr ""
+"%s - sửa tập tin sudoers một cách an toàn\n"
+"\n"
+
+#: plugins/sudoers/visudo.c:1306
+msgid ""
+"\n"
+"Options:\n"
+" -c check-only mode\n"
+" -f sudoers specify sudoers file location\n"
+" -h display help message and exit\n"
+" -q less verbose (quiet) syntax error messages\n"
+" -s strict syntax checking\n"
+" -V display version information and exit"
+msgstr ""
+"\n"
+"Tùy chọn:\n"
+" -c chế độ chỉ kiểm tra\n"
+" -f sudoers chỉ định vị trí tập tin sudoers\n"
+" -h hiển thị thông tin trợ giúp rồi thoát\n"
+" -q tối thiểu hóa các thông tin (quiet: im lặng)\n"
+" -s kiểm tra cú pháp ngặt nghèo\n"
+" -V hiển thị thông tin về phiên bản rổi thoát"
+
+#: toke.l:820
+msgid "too many levels of includes"
+msgstr "quá nhiều cấp bao gồm (include)"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudoers 1.8.5rc3\n"
+"Project-Id-Version: sudoers 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 17:01+0800\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-21 18:27+0800\n"
"Last-Translator: Wylmer Wang <wantinghard@gmail.com>\n"
"Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
"Language: zh_CN\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
-#: gram.y:110
+#: gram.y:112
#, c-format
msgid ">>> %s: %s near line %d <<<"
msgstr ">>> %s:%s 在行 %d 附近<<<"
msgid "unable to initialize SIA session"
msgstr "无法初始化 SIA 会话"
-#: plugins/sudoers/auth/sudo_auth.c:117
+#: plugins/sudoers/auth/sudo_auth.c:121
msgid "Invalid authentication methods compiled into sudo! You may mix standalone and non-standalone authentication."
msgstr "编译进 sudo 的认证方法无效!您可能混用了独立和非独立认证。"
-#: plugins/sudoers/auth/sudo_auth.c:199
+#: plugins/sudoers/auth/sudo_auth.c:206
msgid "There are no authentication methods compiled into sudo! If you want to turn off authentication, use the --disable-authentication configure option."
msgstr "sudo 编译时没有加入任何认证方法!如果您想关闭认证,使用 --disable-authentication 配置选项。"
-#: plugins/sudoers/auth/sudo_auth.c:271
-#, c-format
-msgid "%d incorrect password attempt"
-msgid_plural "%d incorrect password attempts"
-msgstr[0] "%d 次错误密码尝试"
-
#: plugins/sudoers/auth/sudo_auth.c:374
msgid "Authentication methods:"
msgstr "认证方法:"
msgid "au_to_text: failed"
msgstr "au_to_text:失败"
-#: plugins/sudoers/check.c:158
-#, c-format
-msgid "sorry, a password is required to run %s"
-msgstr "抱歉,执行 %s 需要密码"
-
-#: plugins/sudoers/check.c:249 plugins/sudoers/iolog.c:172
-#: plugins/sudoers/sudoers.c:979 plugins/sudoers/sudoreplay.c:353
-#: plugins/sudoers/sudoreplay.c:709 plugins/sudoers/sudoreplay.c:866
-#: plugins/sudoers/visudo.c:815
+#: plugins/sudoers/check.c:252 plugins/sudoers/iolog.c:172
+#: plugins/sudoers/sudoers.c:988 plugins/sudoers/sudoreplay.c:355
+#: plugins/sudoers/sudoreplay.c:817 plugins/sudoers/sudoreplay.c:974
+#: plugins/sudoers/visudo.c:818
#, c-format
msgid "unable to open %s"
msgstr "无法打开 %s"
-#: plugins/sudoers/check.c:253 plugins/sudoers/iolog.c:202
+#: plugins/sudoers/check.c:256 plugins/sudoers/iolog.c:229
#, c-format
msgid "unable to write to %s"
msgstr "无法写入 %s"
-#: plugins/sudoers/check.c:261 plugins/sudoers/check.c:506
-#: plugins/sudoers/check.c:556 plugins/sudoers/iolog.c:123
+#: plugins/sudoers/check.c:264 plugins/sudoers/check.c:512
+#: plugins/sudoers/check.c:562 plugins/sudoers/iolog.c:123
#: plugins/sudoers/iolog.c:156
#, c-format
msgid "unable to mkdir %s"
msgstr "无法创建目录 %s"
-#: plugins/sudoers/check.c:396
+#: plugins/sudoers/check.c:399 plugins/sudoers/env.c:289
+#: plugins/sudoers/env.c:294 plugins/sudoers/env.c:395
+#: plugins/sudoers/env.c:447 plugins/sudoers/linux_audit.c:82
+#: plugins/sudoers/sudoers.c:670 plugins/sudoers/sudoers.c:677
+#: plugins/sudoers/sudoers.c:936 plugins/sudoers/testsudoers.c:253
#, c-format
-msgid "internal error, expand_prompt() overflow"
-msgstr "内部错误,expand_prompt() 溢出"
+msgid "internal error, %s overflow"
+msgstr "内部错误,%s 溢出"
-#: plugins/sudoers/check.c:456
+#: plugins/sudoers/check.c:460
#, c-format
msgid "timestamp path too long: %s"
msgstr "时间戳路径过长:%s"
-#: plugins/sudoers/check.c:485 plugins/sudoers/check.c:529
+#: plugins/sudoers/check.c:491 plugins/sudoers/check.c:535
#: plugins/sudoers/iolog.c:158
#, c-format
msgid "%s exists but is not a directory (0%o)"
msgstr "%s 存在,但不是目录(0%o)"
-#: plugins/sudoers/check.c:488 plugins/sudoers/check.c:532
-#: plugins/sudoers/check.c:577
+#: plugins/sudoers/check.c:494 plugins/sudoers/check.c:538
+#: plugins/sudoers/check.c:583
#, c-format
msgid "%s owned by uid %u, should be uid %u"
msgstr "%s 属于用户 ID %u,应为用户 ID %u"
-#: plugins/sudoers/check.c:493 plugins/sudoers/check.c:537
+#: plugins/sudoers/check.c:499 plugins/sudoers/check.c:543
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0700"
msgstr "%s 对非所有者可写(0%o),模式应该为 0700"
-#: plugins/sudoers/check.c:501 plugins/sudoers/check.c:545
-#: plugins/sudoers/check.c:613 plugins/sudoers/sudoers.c:998
-#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:581
+#: plugins/sudoers/check.c:507 plugins/sudoers/check.c:551
+#: plugins/sudoers/check.c:619 plugins/sudoers/sudoers.c:1003
+#: plugins/sudoers/visudo.c:319 plugins/sudoers/visudo.c:584
#, c-format
msgid "unable to stat %s"
msgstr "无法 stat %s"
-#: plugins/sudoers/check.c:571
+#: plugins/sudoers/check.c:577
#, c-format
msgid "%s exists but is not a regular file (0%o)"
msgstr "%s 存在,但不是常规文件(0%o)"
-#: plugins/sudoers/check.c:583
+#: plugins/sudoers/check.c:589
#, c-format
msgid "%s writable by non-owner (0%o), should be mode 0600"
msgstr "%s 对非所有者可写(0%o),模式应该为 0600"
-#: plugins/sudoers/check.c:637
+#: plugins/sudoers/check.c:643
#, c-format
msgid "timestamp too far in the future: %20.20s"
msgstr "时间戳太超前:%20.20s"
-#: plugins/sudoers/check.c:684
+#: plugins/sudoers/check.c:690
#, c-format
msgid "unable to remove %s (%s), will reset to the epoch"
msgstr "无法移除 %s (%s),将重设为戳记"
-#: plugins/sudoers/check.c:692
+#: plugins/sudoers/check.c:698
#, c-format
msgid "unable to reset %s to the epoch"
msgstr "无法将 %s 重设为戳记"
-#: plugins/sudoers/check.c:752 plugins/sudoers/check.c:758
-#: plugins/sudoers/sudoers.c:856 plugins/sudoers/sudoers.c:860
+#: plugins/sudoers/check.c:758 plugins/sudoers/check.c:764
+#: plugins/sudoers/sudoers.c:851 plugins/sudoers/sudoers.c:855
#, c-format
msgid "unknown uid: %u"
msgstr "未知的用户 ID:%u"
-#: plugins/sudoers/check.c:755 plugins/sudoers/sudoers.c:797
-#: plugins/sudoers/sudoers.c:1115 plugins/sudoers/testsudoers.c:218
-#: plugins/sudoers/testsudoers.c:362
+#: plugins/sudoers/check.c:761 plugins/sudoers/sudoers.c:792
+#: plugins/sudoers/sudoers.c:1120 plugins/sudoers/testsudoers.c:225
+#: plugins/sudoers/testsudoers.c:369
#, c-format
msgid "unknown user: %s"
msgstr "未知用户:%s"
msgid "Set the user in utmp to the runas user, not the invoking user"
msgstr "将 utmp 中的用户设为 runas 用户,而不是调用用户"
+#: plugins/sudoers/def_data.c:347
+msgid "Set of permitted privileges"
+msgstr "允许权限的集合"
+
+#: plugins/sudoers/def_data.c:351
+msgid "Set of limit privileges"
+msgstr "限制权限的集合"
+
#: plugins/sudoers/defaults.c:208
#, c-format
msgid "unknown defaults entry `%s'"
msgid "option `%s' does not take a value"
msgstr "“%s”选项不带值"
-#: plugins/sudoers/env.c:339
+#: plugins/sudoers/env.c:367
#, c-format
msgid "sudo_putenv: corrupted envp, length mismatch"
msgstr "sudo_putenv:envp 损坏,长度不符"
-#: plugins/sudoers/env.c:341 plugins/sudoers/env.c:411
+#: plugins/sudoers/env.c:369 plugins/sudoers/env.c:448
#: plugins/sudoers/toke_util.c:113 plugins/sudoers/toke_util.c:167
-#: plugins/sudoers/toke_util.c:207 toke.l:682 toke.l:812 toke.l:870 toke.l:966
+#: plugins/sudoers/toke_util.c:207 toke.l:697 toke.l:827 toke.l:887 toke.l:983
#, c-format
msgid "unable to allocate memory"
msgstr "无法分配内存"
-#: plugins/sudoers/env.c:366
-#, c-format
-msgid "internal error, sudo_setenv2() overflow"
-msgstr "内部错误,sudo_setenv2() 溢出"
-
-#: plugins/sudoers/env.c:410
-#, c-format
-msgid "internal error, sudo_setenv() overflow"
-msgstr "内部错误,sudo_setenv()溢出"
-
-#: plugins/sudoers/env.c:955
+#: plugins/sudoers/env.c:992
#, c-format
msgid "sorry, you are not allowed to set the following environment variables: %s"
msgstr "对不起,您无权设置以下环境变量:%s"
#: plugins/sudoers/find_path.c:69 plugins/sudoers/find_path.c:108
#: plugins/sudoers/find_path.c:123 plugins/sudoers/iolog.c:125
-#: plugins/sudoers/sudoers.c:950 toke.l:678 toke.l:866
+#: plugins/sudoers/sudoers.c:945 toke.l:693 toke.l:883
#, c-format
msgid "%s: %s"
msgstr "%s:%s"
msgid "Local IP address and netmask pairs:\n"
msgstr "本地 IP 地址和网络掩码对:\n"
-#: plugins/sudoers/iolog.c:179 plugins/sudoers/sudoers.c:986
+#: plugins/sudoers/iolog.c:205 plugins/sudoers/sudoers.c:991
#, c-format
msgid "unable to read %s"
msgstr "无法读取 %s"
-#: plugins/sudoers/iolog.c:182
+#: plugins/sudoers/iolog.c:208
#, c-format
msgid "invalid sequence number %s"
msgstr "无效的序列号:%s"
-#: plugins/sudoers/iolog.c:231 plugins/sudoers/iolog.c:234
-#: plugins/sudoers/iolog.c:499 plugins/sudoers/iolog.c:504
-#: plugins/sudoers/iolog.c:510 plugins/sudoers/iolog.c:518
-#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:534
-#: plugins/sudoers/iolog.c:542
+#: plugins/sudoers/iolog.c:258 plugins/sudoers/iolog.c:261
+#: plugins/sudoers/iolog.c:526 plugins/sudoers/iolog.c:531
+#: plugins/sudoers/iolog.c:537 plugins/sudoers/iolog.c:545
+#: plugins/sudoers/iolog.c:553 plugins/sudoers/iolog.c:561
+#: plugins/sudoers/iolog.c:569
#, c-format
msgid "unable to create %s"
msgstr "无法创建 %s"
-#: plugins/sudoers/iolog_path.c:256 plugins/sudoers/sudoers.c:373
+#: plugins/sudoers/iolog_path.c:263 plugins/sudoers/sudoers.c:382
#, c-format
msgid "unable to set locale to \"%s\", using \"C\""
msgstr "无法将区域设置为“%s”,将使用“C”"
-#: plugins/sudoers/ldap.c:378
+#: plugins/sudoers/ldap.c:387
#, c-format
msgid "sudo_ldap_conf_add_ports: port too large"
msgstr "sudo_ldap_conf_add_ports:端口太大"
-#: plugins/sudoers/ldap.c:401
+#: plugins/sudoers/ldap.c:410
#, c-format
msgid "sudo_ldap_conf_add_ports: out of space expanding hostbuf"
msgstr "sudo_ldap_conf_add_ports:扩展主机缓存时空间不足"
-#: plugins/sudoers/ldap.c:431
+#: plugins/sudoers/ldap.c:440
#, c-format
msgid "unsupported LDAP uri type: %s"
msgstr "不支持的 LDAP URI 类型:%s"
-#: plugins/sudoers/ldap.c:460
+#: plugins/sudoers/ldap.c:469
#, c-format
msgid "invalid uri: %s"
msgstr "无效的 URI:%s"
-#: plugins/sudoers/ldap.c:466
+#: plugins/sudoers/ldap.c:475
#, c-format
msgid "unable to mix ldap and ldaps URIs"
msgstr "无法混合 ldap 和 ldaps URI"
-#: plugins/sudoers/ldap.c:470
+#: plugins/sudoers/ldap.c:479
#, c-format
msgid "unable to mix ldaps and starttls"
msgstr "无法混合 ldaps 和 starttls"
-#: plugins/sudoers/ldap.c:489
+#: plugins/sudoers/ldap.c:498
#, c-format
msgid "sudo_ldap_parse_uri: out of space building hostbuf"
msgstr "sudo_ldap_parse_uri:构建主机缓存时空间不足"
-#: plugins/sudoers/ldap.c:563
+#: plugins/sudoers/ldap.c:572
#, c-format
msgid "unable to initialize SSL cert and key db: %s"
msgstr "无法初始化 SSL 证书和密钥数据库:%s"
-#: plugins/sudoers/ldap.c:566
+#: plugins/sudoers/ldap.c:575
#, c-format
msgid "you must set TLS_CERT in %s to use SSL"
msgstr "要使用 SSL,您必须在 %s 中设置 TLS_CERT"
-#: plugins/sudoers/ldap.c:973
+#: plugins/sudoers/ldap.c:992
#, c-format
msgid "unable to get GMT time"
msgstr "无法获取 GMT 时间"
-#: plugins/sudoers/ldap.c:979
+#: plugins/sudoers/ldap.c:998
#, c-format
msgid "unable to format timestamp"
msgstr "无法格式化时间戳"
-#: plugins/sudoers/ldap.c:987
+#: plugins/sudoers/ldap.c:1006
#, c-format
msgid "unable to build time filter"
msgstr "无法构建时间过滤器"
-#: plugins/sudoers/ldap.c:1202
+#: plugins/sudoers/ldap.c:1225
#, c-format
msgid "sudo_ldap_build_pass1 allocation mismatch"
msgstr "sudo_ldap_build_pass1 分配不匹配"
-#: plugins/sudoers/ldap.c:1738
+#: plugins/sudoers/ldap.c:1761
#, c-format
msgid ""
"\n"
"\n"
"LDAP 角色:%s\n"
-#: plugins/sudoers/ldap.c:1740
+#: plugins/sudoers/ldap.c:1763
#, c-format
msgid ""
"\n"
"\n"
"LDAP 角色:未知\n"
-#: plugins/sudoers/ldap.c:1787
+#: plugins/sudoers/ldap.c:1810
#, c-format
msgid " Order: %s\n"
msgstr " 顺序:%s\n"
-#: plugins/sudoers/ldap.c:1795
+#: plugins/sudoers/ldap.c:1818 plugins/sudoers/sssd.c:1168
#, c-format
msgid " Commands:\n"
msgstr " 命令:\n"
-#: plugins/sudoers/ldap.c:2216
+#: plugins/sudoers/ldap.c:2240
#, c-format
msgid "unable to initialize LDAP: %s"
msgstr "无法初始化 LDAP:%s"
-#: plugins/sudoers/ldap.c:2250
+#: plugins/sudoers/ldap.c:2274
#, c-format
msgid "start_tls specified but LDAP libs do not support ldap_start_tls_s() or ldap_start_tls_s_np()"
msgstr "指定了 start_tls,但 LDAP 库不支持 ldap_start_tls_s() 或 ldap_start_tls_s_np()"
-#: plugins/sudoers/ldap.c:2486
+#: plugins/sudoers/ldap.c:2510
#, c-format
msgid "invalid sudoOrder attribute: %s"
msgstr "无效的 sudoOrder 属性:%s"
msgid "unable to open audit system"
msgstr "无法打开审核系统"
-#: plugins/sudoers/linux_audit.c:82
-#, c-format
-msgid "internal error, linux_audit_command() overflow"
-msgstr "内部错误,linux_audit_command() 溢出"
-
-#: plugins/sudoers/linux_audit.c:91
+#: plugins/sudoers/linux_audit.c:93
#, c-format
msgid "unable to send audit message"
msgstr "无法发送审核消息"
-#: plugins/sudoers/logging.c:198
+#: plugins/sudoers/logging.c:202
#, c-format
msgid "unable to open log file: %s: %s"
msgstr "无法打开日志文件:%s:%s"
-#: plugins/sudoers/logging.c:201
+#: plugins/sudoers/logging.c:205
#, c-format
msgid "unable to lock log file: %s: %s"
msgstr "无法锁定日志文件:%s:%s"
-#: plugins/sudoers/logging.c:256
+#: plugins/sudoers/logging.c:260
msgid "user NOT in sudoers"
msgstr "用户不在 sudoers 中"
-#: plugins/sudoers/logging.c:258
+#: plugins/sudoers/logging.c:262
msgid "user NOT authorized on host"
msgstr "用户未获得此主机上的授权"
-#: plugins/sudoers/logging.c:260
+#: plugins/sudoers/logging.c:264
msgid "command not allowed"
msgstr "命令禁止使用"
-#: plugins/sudoers/logging.c:270
+#: plugins/sudoers/logging.c:274
#, c-format
msgid "%s is not in the sudoers file. This incident will be reported.\n"
msgstr "%s 不在 sudoers 文件中。此事将被报告。\n"
-#: plugins/sudoers/logging.c:273
+#: plugins/sudoers/logging.c:277
#, c-format
msgid "%s is not allowed to run sudo on %s. This incident will be reported.\n"
msgstr "%s 无权在 %s 上运行 sudo。此事将被报告。\n"
-#: plugins/sudoers/logging.c:277
+#: plugins/sudoers/logging.c:281
#, c-format
msgid "Sorry, user %s may not run sudo on %s.\n"
msgstr "对不起,用户 %s 不能在 %s 上运行 sudo。\n"
-#: plugins/sudoers/logging.c:280
+#: plugins/sudoers/logging.c:284
#, c-format
msgid "Sorry, user %s is not allowed to execute '%s%s%s' as %s%s%s on %s.\n"
msgstr "对不起,用户 %1$s 无权以 %5$s%6$s%7$s 的身份在 %8$s 上执行 %2$s%3$s%4$s。\n"
-#: plugins/sudoers/logging.c:447
+#: plugins/sudoers/logging.c:317
+msgid "No user or host"
+msgstr "无用户或主机"
+
+#: plugins/sudoers/logging.c:319
+msgid "validation failure"
+msgstr "校验失败"
+
+#: plugins/sudoers/logging.c:336 plugins/sudoers/sudoers.c:502
+#: plugins/sudoers/sudoers.c:503 plugins/sudoers/sudoers.c:1539
+#: plugins/sudoers/sudoers.c:1540
+#, c-format
+msgid "%s: command not found"
+msgstr "%s:找不到命令"
+
+#: plugins/sudoers/logging.c:338 plugins/sudoers/sudoers.c:499
+#, c-format
+msgid ""
+"ignoring `%s' found in '.'\n"
+"Use `sudo ./%s' if this is the `%s' you wish to run."
+msgstr ""
+"忽略在“.”中找到的“%s”\n"
+"请使用“sudo ./%s”,如果这是您想运行的“%s”。"
+
+#: plugins/sudoers/logging.c:352
+msgid "authentication failure"
+msgstr "认证失败"
+
+#: plugins/sudoers/logging.c:376
+#, c-format
+msgid "%d incorrect password attempt"
+msgid_plural "%d incorrect password attempts"
+msgstr[0] "%d 次错误密码尝试"
+
+#: plugins/sudoers/logging.c:379
+msgid "a password is required"
+msgstr "需要密码"
+
+#: plugins/sudoers/logging.c:530
#, c-format
msgid "unable to fork"
msgstr "无法执行 fork"
-#: plugins/sudoers/logging.c:454 plugins/sudoers/logging.c:516
+#: plugins/sudoers/logging.c:537 plugins/sudoers/logging.c:599
#, c-format
msgid "unable to fork: %m"
msgstr "无法执行 fork:%m"
-#: plugins/sudoers/logging.c:506
+#: plugins/sudoers/logging.c:589
#, c-format
msgid "unable to open pipe: %m"
msgstr "无法打开管道:%m"
-#: plugins/sudoers/logging.c:531
+#: plugins/sudoers/logging.c:614
#, c-format
msgid "unable to dup stdin: %m"
msgstr "无法 dup stdin:%m"
-#: plugins/sudoers/logging.c:567
+#: plugins/sudoers/logging.c:650
#, c-format
msgid "unable to execute %s: %m"
msgstr "无法执行 %s:%m"
-#: plugins/sudoers/logging.c:782
+#: plugins/sudoers/logging.c:865
#, c-format
msgid "internal error: insufficient space for log line"
msgstr "内部错误:没有足够的空间存放日志行"
msgid "parse error in %s"
msgstr "%s 中出现解析错误"
-#: plugins/sudoers/parse.c:389
+#: plugins/sudoers/parse.c:414
#, c-format
msgid ""
"\n"
"\n"
"Sudoers 条目:\n"
-#: plugins/sudoers/parse.c:391
+#: plugins/sudoers/parse.c:416
#, c-format
msgid " RunAsUsers: "
msgstr " RunAs 用户:"
-#: plugins/sudoers/parse.c:406
+#: plugins/sudoers/parse.c:431
#, c-format
msgid " RunAsGroups: "
msgstr " RunAs 组:"
-#: plugins/sudoers/parse.c:415
+#: plugins/sudoers/parse.c:440
#, c-format
msgid ""
" Commands:\n"
msgid ": "
msgstr ":"
-#: plugins/sudoers/pwutil.c:260
+#: plugins/sudoers/pwutil.c:278
#, c-format
msgid "unable to cache uid %u (%s), already exists"
msgstr "无法缓存用户 ID %u(%s),已存在"
-#: plugins/sudoers/pwutil.c:268
+#: plugins/sudoers/pwutil.c:286
#, c-format
msgid "unable to cache uid %u, already exists"
msgstr "无法缓存用户 ID %u,已存在"
-#: plugins/sudoers/pwutil.c:305 plugins/sudoers/pwutil.c:314
+#: plugins/sudoers/pwutil.c:322 plugins/sudoers/pwutil.c:331
#, c-format
msgid "unable to cache user %s, already exists"
msgstr "无法缓存用户 %s,已存在"
-#: plugins/sudoers/pwutil.c:653
+#: plugins/sudoers/pwutil.c:668
#, c-format
msgid "unable to cache gid %u (%s), already exists"
msgstr "无法缓存组 ID %u(%s),已存在"
-#: plugins/sudoers/pwutil.c:661
+#: plugins/sudoers/pwutil.c:676
#, c-format
msgid "unable to cache gid %u, already exists"
msgstr "无法缓存组 ID %u,已存在"
-#: plugins/sudoers/pwutil.c:691 plugins/sudoers/pwutil.c:700
+#: plugins/sudoers/pwutil.c:706 plugins/sudoers/pwutil.c:715
#, c-format
msgid "unable to cache group %s, already exists"
msgstr "无法缓存组 %s,已存在"
msgid "unable to set runas group vector"
msgstr "无法设置 runas 组向量"
-#: plugins/sudoers/sudo_nss.c:243
+#: plugins/sudoers/sssd.c:251
+#, c-format
+msgid "Unable to dlopen %s: %s"
+msgstr "无法执行 dlopen %s:%s"
+
+#: plugins/sudoers/sssd.c:252
+#, c-format
+msgid "Unable to initialize SSS source. Is SSSD installed on your machine?"
+msgstr "无法初始化 SSS 资源。您的计算机上安装 SSSD 了吗?"
+
+#: plugins/sudoers/sssd.c:258 plugins/sudoers/sssd.c:266
+#: plugins/sudoers/sssd.c:273 plugins/sudoers/sssd.c:280
+#: plugins/sudoers/sssd.c:287
+#, c-format
+msgid "unable to find symbol \"%s\" in %s"
+msgstr "无法在 %s 中找到符号“%s”"
+
+#: plugins/sudoers/sudo_nss.c:267
#, c-format
msgid "Matching Defaults entries for %s on this host:\n"
msgstr "匹配此主机上 %s 的默认条目:\n"
-#: plugins/sudoers/sudo_nss.c:256
+#: plugins/sudoers/sudo_nss.c:280
#, c-format
msgid "Runas and Command-specific defaults for %s:\n"
msgstr "%s Runas 和命令特定的默认值:\n"
-#: plugins/sudoers/sudo_nss.c:269
+#: plugins/sudoers/sudo_nss.c:293
#, c-format
msgid "User %s may run the following commands on this host:\n"
msgstr "用户 %s 可以在该主机上运行以下命令:\n"
-#: plugins/sudoers/sudo_nss.c:279
+#: plugins/sudoers/sudo_nss.c:302
#, c-format
msgid "User %s is not allowed to run sudo on %s.\n"
msgstr "用户 %s 无权在 %s 上运行 sudo。\n"
-#: plugins/sudoers/sudoers.c:208 plugins/sudoers/sudoers.c:239
-#: plugins/sudoers/sudoers.c:958
+#: plugins/sudoers/sudoers.c:210 plugins/sudoers/sudoers.c:243
+#: plugins/sudoers/sudoers.c:953
msgid "problem with defaults entries"
msgstr "默认条目有问题"
-#: plugins/sudoers/sudoers.c:212
+#: plugins/sudoers/sudoers.c:216
#, c-format
msgid "no valid sudoers sources found, quitting"
msgstr "没有找到有效的 sudoers 资源,退出"
-#: plugins/sudoers/sudoers.c:264
+#: plugins/sudoers/sudoers.c:268
#, c-format
msgid "unable to execute %s: %s"
msgstr "无法执行 %s:%s"
-#: plugins/sudoers/sudoers.c:322
+#: plugins/sudoers/sudoers.c:335
#, c-format
msgid "sudoers specifies that root is not allowed to sudo"
msgstr "sudoers 指定 root 不允许执行 sudo"
-#: plugins/sudoers/sudoers.c:329
+#: plugins/sudoers/sudoers.c:342
#, c-format
msgid "you are not permitted to use the -C option"
msgstr "您无权使用 -C 选项"
-#: plugins/sudoers/sudoers.c:422
+#: plugins/sudoers/sudoers.c:431
#, c-format
msgid "timestamp owner (%s): No such user"
msgstr "时间戳所有者(%s):无此用户"
-#: plugins/sudoers/sudoers.c:438
+#: plugins/sudoers/sudoers.c:447
msgid "no tty"
msgstr "无终端"
-#: plugins/sudoers/sudoers.c:439
+#: plugins/sudoers/sudoers.c:448
#, c-format
msgid "sorry, you must have a tty to run sudo"
msgstr "抱歉,您必须拥有一个终端来执行 sudo"
-#: plugins/sudoers/sudoers.c:478
-msgid "No user or host"
-msgstr "无用户或主机"
-
-#: plugins/sudoers/sudoers.c:492 plugins/sudoers/sudoers.c:513
-#: plugins/sudoers/sudoers.c:514 plugins/sudoers/sudoers.c:1522
-#: plugins/sudoers/sudoers.c:1523
-#, c-format
-msgid "%s: command not found"
-msgstr "%s:找不到命令"
-
-#: plugins/sudoers/sudoers.c:494 plugins/sudoers/sudoers.c:510
-#, c-format
-msgid ""
-"ignoring `%s' found in '.'\n"
-"Use `sudo ./%s' if this is the `%s' you wish to run."
-msgstr ""
-"忽略在“.”中找到的“%s”\n"
-"请使用“sudo ./%s”,如果这是您想运行的“%s”。"
-
-#: plugins/sudoers/sudoers.c:499
-msgid "validation failure"
-msgstr "校验失败"
-
-#: plugins/sudoers/sudoers.c:509
+#: plugins/sudoers/sudoers.c:498
msgid "command in current directory"
msgstr "当前目录中的命令"
-#: plugins/sudoers/sudoers.c:521
+#: plugins/sudoers/sudoers.c:510
#, c-format
msgid "sorry, you are not allowed to preserve the environment"
msgstr "抱歉,您无权保留环境"
-#: plugins/sudoers/sudoers.c:681 plugins/sudoers/sudoers.c:688
-#, c-format
-msgid "internal error, runas_groups overflow"
-msgstr "内部错误,runas_groups 溢出"
-
-#: plugins/sudoers/sudoers.c:941
-#, c-format
-msgid "internal error, set_cmnd() overflow"
-msgstr "内部错误:set_cmnd() 溢出"
-
-#: plugins/sudoers/sudoers.c:1001
+#: plugins/sudoers/sudoers.c:1006
#, c-format
msgid "%s is not a regular file"
msgstr "%s 不是常规文件"
-#: plugins/sudoers/sudoers.c:1004 toke.l:829
+#: plugins/sudoers/sudoers.c:1009 toke.l:846
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s 属于用户 ID %u,应为 %u"
-#: plugins/sudoers/sudoers.c:1008 toke.l:836
+#: plugins/sudoers/sudoers.c:1013 toke.l:853
#, c-format
msgid "%s is world writable"
msgstr "%s 可被任何人写"
-#: plugins/sudoers/sudoers.c:1011 toke.l:841
+#: plugins/sudoers/sudoers.c:1016 toke.l:858
#, c-format
msgid "%s is owned by gid %u, should be %u"
msgstr "%s 属于组 ID %u,应为 %u"
-#: plugins/sudoers/sudoers.c:1038
+#: plugins/sudoers/sudoers.c:1043
#, c-format
msgid "only root can use `-c %s'"
msgstr "只有 root 才能使用“-c %s”"
-#: plugins/sudoers/sudoers.c:1055 plugins/sudoers/sudoers.c:1057
+#: plugins/sudoers/sudoers.c:1060 plugins/sudoers/sudoers.c:1062
#, c-format
msgid "unknown login class: %s"
msgstr "未知的登录类别:%s"
-#: plugins/sudoers/sudoers.c:1084
+#: plugins/sudoers/sudoers.c:1089
#, c-format
msgid "unable to resolve host %s"
msgstr "无法解析主机:%s"
-#: plugins/sudoers/sudoers.c:1136 plugins/sudoers/testsudoers.c:380
+#: plugins/sudoers/sudoers.c:1141 plugins/sudoers/testsudoers.c:387
#, c-format
msgid "unknown group: %s"
msgstr "未知组:%s"
-#: plugins/sudoers/sudoers.c:1185
+#: plugins/sudoers/sudoers.c:1190
#, c-format
msgid "Sudoers policy plugin version %s\n"
msgstr "Sudoers 策略插件版本 %s\n"
-#: plugins/sudoers/sudoers.c:1187
+#: plugins/sudoers/sudoers.c:1192
#, c-format
msgid "Sudoers file grammar version %d\n"
msgstr "Sudoers 文件语法版本 %d\n"
-#: plugins/sudoers/sudoers.c:1191
+#: plugins/sudoers/sudoers.c:1196
#, c-format
msgid ""
"\n"
"\n"
"Sudoers 路径:%s\n"
-#: plugins/sudoers/sudoers.c:1194
+#: plugins/sudoers/sudoers.c:1199
#, c-format
msgid "nsswitch path: %s\n"
msgstr "nsswitch 路径:%s\n"
-#: plugins/sudoers/sudoers.c:1196
+#: plugins/sudoers/sudoers.c:1201
#, c-format
msgid "ldap.conf path: %s\n"
msgstr "ldap.conf 路径:%s\n"
-#: plugins/sudoers/sudoers.c:1197
+#: plugins/sudoers/sudoers.c:1202
#, c-format
msgid "ldap.secret path: %s\n"
msgstr "ldap.secret 路径:%s\n"
-#: plugins/sudoers/sudoreplay.c:291
+#: plugins/sudoers/sudoreplay.c:293
#, c-format
msgid "invalid filter option: %s"
msgstr "无效的过滤器选项:%s"
-#: plugins/sudoers/sudoreplay.c:304
+#: plugins/sudoers/sudoreplay.c:306
#, c-format
msgid "invalid max wait: %s"
msgstr "无效的最大等待:%s"
-#: plugins/sudoers/sudoreplay.c:310
+#: plugins/sudoers/sudoreplay.c:312
#, c-format
msgid "invalid speed factor: %s"
msgstr "无法的速度系数:%s"
-#: plugins/sudoers/sudoreplay.c:313 plugins/sudoers/visudo.c:187
+#: plugins/sudoers/sudoreplay.c:315 plugins/sudoers/visudo.c:187
#, c-format
msgid "%s version %s\n"
msgstr "%s 版本 %s\n"
-#: plugins/sudoers/sudoreplay.c:338
+#: plugins/sudoers/sudoreplay.c:340
#, c-format
msgid "%s/%.2s/%.2s/%.2s/timing: %s"
msgstr "%s/%.2s/%.2s/%.2s/时序:%s"
-#: plugins/sudoers/sudoreplay.c:344
+#: plugins/sudoers/sudoreplay.c:346
#, c-format
msgid "%s/%s/timing: %s"
msgstr "%s/%s/时序:%s"
-#: plugins/sudoers/sudoreplay.c:362
+#: plugins/sudoers/sudoreplay.c:364
#, c-format
msgid "Replaying sudo session: %s\n"
msgstr "回放 sudo 会话:%s\n"
-#: plugins/sudoers/sudoreplay.c:368
+#: plugins/sudoers/sudoreplay.c:370
#, c-format
msgid "Warning: your terminal is too small to properly replay the log.\n"
msgstr "警告:您的终端尺寸太小,不能正常地回放日志。\n"
-#: plugins/sudoers/sudoreplay.c:369
+#: plugins/sudoers/sudoreplay.c:371
#, c-format
msgid "Log geometry is %d x %d, your terminal's geometry is %d x %d."
msgstr "日志的几何尺寸为 %dx%d,您终端的几何尺寸为 %dx%d。"
-#: plugins/sudoers/sudoreplay.c:399
+#: plugins/sudoers/sudoreplay.c:401
#, c-format
msgid "unable to set tty to raw mode"
msgstr "无法将终端设为原始模式"
-#: plugins/sudoers/sudoreplay.c:412
+#: plugins/sudoers/sudoreplay.c:418
#, c-format
msgid "invalid timing file line: %s"
msgstr "无效的时序文件行:%s"
-#: plugins/sudoers/sudoreplay.c:454
+#: plugins/sudoers/sudoreplay.c:501
#, c-format
msgid "writing to standard output"
msgstr "写入标准输出"
-#: plugins/sudoers/sudoreplay.c:486
+#: plugins/sudoers/sudoreplay.c:530
#, c-format
msgid "nanosleep: tv_sec %ld, tv_nsec %ld"
msgstr "nanosleep:tv_sec %ld,tv_nsec %ld"
-#: plugins/sudoers/sudoreplay.c:535 plugins/sudoers/sudoreplay.c:560
+#: plugins/sudoers/sudoreplay.c:643 plugins/sudoers/sudoreplay.c:668
#, c-format
msgid "ambiguous expression \"%s\""
msgstr "有歧义的表达式“%s”"
-#: plugins/sudoers/sudoreplay.c:577
+#: plugins/sudoers/sudoreplay.c:685
#, c-format
msgid "too many parenthesized expressions, max %d"
msgstr "括号表达式过多,最多 %d"
-#: plugins/sudoers/sudoreplay.c:588
+#: plugins/sudoers/sudoreplay.c:696
#, c-format
msgid "unmatched ')' in expression"
msgstr "表达式中的“)”不匹配"
-#: plugins/sudoers/sudoreplay.c:594
+#: plugins/sudoers/sudoreplay.c:702
#, c-format
msgid "unknown search term \"%s\""
msgstr "未知的搜索词“%s”"
-#: plugins/sudoers/sudoreplay.c:608
+#: plugins/sudoers/sudoreplay.c:716
#, c-format
msgid "%s requires an argument"
msgstr "%s 需要参数"
-#: plugins/sudoers/sudoreplay.c:612
+#: plugins/sudoers/sudoreplay.c:720
#, c-format
msgid "invalid regular expression: %s"
msgstr "无效的正则表达式:%s"
-#: plugins/sudoers/sudoreplay.c:618
+#: plugins/sudoers/sudoreplay.c:726
#, c-format
msgid "could not parse date \"%s\""
msgstr "无法解析日期“%s”"
-#: plugins/sudoers/sudoreplay.c:631
+#: plugins/sudoers/sudoreplay.c:739
#, c-format
msgid "unmatched '(' in expression"
msgstr "表达式中的“(”不匹配"
-#: plugins/sudoers/sudoreplay.c:633
+#: plugins/sudoers/sudoreplay.c:741
#, c-format
msgid "illegal trailing \"or\""
msgstr "非法的结尾字符“or”"
-#: plugins/sudoers/sudoreplay.c:635
+#: plugins/sudoers/sudoreplay.c:743
#, c-format
msgid "illegal trailing \"!\""
msgstr "非法的结尾字符“!”"
-#: plugins/sudoers/sudoreplay.c:942
+#: plugins/sudoers/sudoreplay.c:1050
#, c-format
msgid "invalid regex: %s"
msgstr "无效的正则表达式:%s"
-#: plugins/sudoers/sudoreplay.c:1066
+#: plugins/sudoers/sudoreplay.c:1174
#, c-format
msgid "usage: %s [-h] [-d directory] [-m max_wait] [-s speed_factor] ID\n"
msgstr "用法:%s [-h] [-d 目录] [-m 最长等待] [-s 速度系数] ID\n"
-#: plugins/sudoers/sudoreplay.c:1069
+#: plugins/sudoers/sudoreplay.c:1177
#, c-format
msgid "usage: %s [-h] [-d directory] -l [search expression]\n"
msgstr "用法:%s [-h] [-d 目录] -l [搜索表达式]\n"
-#: plugins/sudoers/sudoreplay.c:1078
+#: plugins/sudoers/sudoreplay.c:1186
#, c-format
msgid ""
"%s - replay sudo session logs\n"
"%s - 回放 sudo 会话记录\n"
"\n"
-#: plugins/sudoers/sudoreplay.c:1080
+#: plugins/sudoers/sudoreplay.c:1188
msgid ""
"\n"
"Options:\n"
" -s 速度系数 加速或减慢输出\n"
" -V 显示版本信息并退出"
-#: plugins/sudoers/testsudoers.c:246
-#, c-format
-msgid "internal error, init_vars() overflow"
-msgstr "内部错误,init_vars() 溢出"
-
-#: plugins/sudoers/testsudoers.c:331
+#: plugins/sudoers/testsudoers.c:338
msgid "\thost unmatched"
msgstr "\t主机不匹配"
-#: plugins/sudoers/testsudoers.c:334
+#: plugins/sudoers/testsudoers.c:341
msgid ""
"\n"
"Command allowed"
"\n"
"命令允许"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command denied"
"\n"
"命令被拒"
-#: plugins/sudoers/testsudoers.c:335
+#: plugins/sudoers/testsudoers.c:342
msgid ""
"\n"
"Command unmatched"
msgid "%s grammar version %d\n"
msgstr "%s 语法版本 %d\n"
-#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:538
+#: plugins/sudoers/visudo.c:252 plugins/sudoers/visudo.c:541
#, c-format
msgid "press return to edit %s: "
msgstr "按回车键编辑 %s:"
msgid "%s unchanged"
msgstr "%s 未更改"
-#: plugins/sudoers/visudo.c:483
+#: plugins/sudoers/visudo.c:486
#, c-format
msgid "unable to re-open temporary file (%s), %s unchanged."
msgstr "无法重新打开临时文件(%s),%s 未更改"
-#: plugins/sudoers/visudo.c:493
+#: plugins/sudoers/visudo.c:496
#, c-format
msgid "unabled to parse temporary file (%s), unknown error"
msgstr "无法解析临时文件(%s),未知错误"
-#: plugins/sudoers/visudo.c:531
+#: plugins/sudoers/visudo.c:534
#, c-format
msgid "internal error, unable to find %s in list!"
msgstr "内部错误,在列表中找不到 %s!"
-#: plugins/sudoers/visudo.c:583 plugins/sudoers/visudo.c:592
+#: plugins/sudoers/visudo.c:586 plugins/sudoers/visudo.c:595
#, c-format
msgid "unable to set (uid, gid) of %s to (%u, %u)"
msgstr "无法将 %s 的 (uid, gid) 设为 (%u, %u)"
-#: plugins/sudoers/visudo.c:587 plugins/sudoers/visudo.c:597
+#: plugins/sudoers/visudo.c:590 plugins/sudoers/visudo.c:600
#, c-format
msgid "unable to change mode of %s to 0%o"
msgstr "无法将 %s 的模式更改为 0%o"
-#: plugins/sudoers/visudo.c:614
+#: plugins/sudoers/visudo.c:617
#, c-format
msgid "%s and %s not on the same file system, using mv to rename"
msgstr "%s 和 %s 不在同一个文件系统,使用 mv 进行重命名"
-#: plugins/sudoers/visudo.c:628
+#: plugins/sudoers/visudo.c:631
#, c-format
msgid "command failed: '%s %s %s', %s unchanged"
msgstr "命令失败:“%s %s %s”,%s 未更改"
-#: plugins/sudoers/visudo.c:638
+#: plugins/sudoers/visudo.c:641
#, c-format
msgid "error renaming %s, %s unchanged"
msgstr "重命名 %s 出错,%s 未更改"
-#: plugins/sudoers/visudo.c:701
+#: plugins/sudoers/visudo.c:704
msgid "What now? "
msgstr "现在做什么?"
-#: plugins/sudoers/visudo.c:715
+#: plugins/sudoers/visudo.c:718
msgid ""
"Options are:\n"
" (e)dit sudoers file again\n"
" 退出,不保存对 sudoers 文件的更改(x)\n"
" 退出并将更改保存到 sudoers 文件(危险!)(Q)\n"
-#: plugins/sudoers/visudo.c:756
+#: plugins/sudoers/visudo.c:759
#, c-format
msgid "unable to execute %s"
msgstr "无法执行 %s"
-#: plugins/sudoers/visudo.c:763
+#: plugins/sudoers/visudo.c:766
#, c-format
msgid "unable to run %s"
msgstr "无法运行 %s"
-#: plugins/sudoers/visudo.c:789
+#: plugins/sudoers/visudo.c:792
#, c-format
msgid "%s: wrong owner (uid, gid) should be (%u, %u)\n"
msgstr "%s:错误的所有者(uid, gid),应为 (%u, %u)\n"
-#: plugins/sudoers/visudo.c:796
+#: plugins/sudoers/visudo.c:799
#, c-format
msgid "%s: bad permissions, should be mode 0%o\n"
msgstr "%s:权限不正确,模式应该是 0%o\n"
-#: plugins/sudoers/visudo.c:821
+#: plugins/sudoers/visudo.c:824
#, c-format
msgid "failed to parse %s file, unknown error"
msgstr "解析 %s 文件失败,未知错误"
-#: plugins/sudoers/visudo.c:834
+#: plugins/sudoers/visudo.c:837
#, c-format
msgid "parse error in %s near line %d\n"
msgstr "%s 中第 %d 行附近出现解析错误\n"
-#: plugins/sudoers/visudo.c:837
+#: plugins/sudoers/visudo.c:840
#, c-format
msgid "parse error in %s\n"
msgstr "%s 中出现解析错误\n"
-#: plugins/sudoers/visudo.c:844 plugins/sudoers/visudo.c:849
+#: plugins/sudoers/visudo.c:847 plugins/sudoers/visudo.c:852
#, c-format
msgid "%s: parsed OK\n"
msgstr "%s:解析正确\n"
-#: plugins/sudoers/visudo.c:896
+#: plugins/sudoers/visudo.c:899
#, c-format
msgid "%s busy, try again later"
msgstr "%s 忙,请稍后重试"
-#: plugins/sudoers/visudo.c:940
+#: plugins/sudoers/visudo.c:943
#, c-format
msgid "specified editor (%s) doesn't exist"
msgstr "指定的编辑器(%s)不存在"
-#: plugins/sudoers/visudo.c:963
+#: plugins/sudoers/visudo.c:966
#, c-format
msgid "unable to stat editor (%s)"
msgstr "无法 stat 编辑器(%s)"
-#: plugins/sudoers/visudo.c:1011
+#: plugins/sudoers/visudo.c:1014
#, c-format
msgid "no editor found (editor path = %s)"
msgstr "未找到编辑器(编辑器路径 = %s)"
-#: plugins/sudoers/visudo.c:1105
+#: plugins/sudoers/visudo.c:1108
#, c-format
msgid "Error: cycle in %s_Alias `%s'"
msgstr "错误:在 %s_Alias “%s”中循环"
-#: plugins/sudoers/visudo.c:1106
+#: plugins/sudoers/visudo.c:1109
#, c-format
msgid "Warning: cycle in %s_Alias `%s'"
msgstr "警告:在 %s_Alias “%s”中循环"
-#: plugins/sudoers/visudo.c:1109
+#: plugins/sudoers/visudo.c:1112
#, c-format
msgid "Error: %s_Alias `%s' referenced but not defined"
msgstr "错误:引用了 %s_Alias “%s”但尚未定义"
-#: plugins/sudoers/visudo.c:1110
+#: plugins/sudoers/visudo.c:1113
#, c-format
msgid "Warning: %s_Alias `%s' referenced but not defined"
msgstr "警告:引用了 %s_Alias “%s”但尚未定义"
-#: plugins/sudoers/visudo.c:1245
+#: plugins/sudoers/visudo.c:1248
#, c-format
msgid "%s: unused %s_Alias %s"
msgstr "%s:未使用的 %s_Alias %s"
-#: plugins/sudoers/visudo.c:1301
+#: plugins/sudoers/visudo.c:1304
#, c-format
msgid ""
"%s - safely edit the sudoers file\n"
"%s - 安全地编辑 sudoers 文件\n"
"\n"
-#: plugins/sudoers/visudo.c:1303
+#: plugins/sudoers/visudo.c:1306
msgid ""
"\n"
"Options:\n"
" -s 严格语法检查\n"
" -V 显示版本信息并退出"
-#: toke.l:805
+#: toke.l:820
msgid "too many levels of includes"
msgstr "include 嵌套层数过多"
+#~ msgid "internal error, expand_prompt() overflow"
+#~ msgstr "内部错误,expand_prompt() 溢出"
+
+#~ msgid "internal error, sudo_setenv2() overflow"
+#~ msgstr "内部错误,sudo_setenv2() 溢出"
+
+#~ msgid "internal error, sudo_setenv() overflow"
+#~ msgstr "内部错误,sudo_setenv()溢出"
+
+#~ msgid "internal error, linux_audit_command() overflow"
+#~ msgstr "内部错误,linux_audit_command() 溢出"
+
+#~ msgid "internal error, runas_groups overflow"
+#~ msgstr "内部错误,runas_groups 溢出"
+
+#~ msgid "internal error, init_vars() overflow"
+#~ msgstr "内部错误,init_vars() 溢出"
+
#~ msgid "invalid log file %s"
#~ msgstr "无效的日志文件 %s"
/*
- * Copyright (c) 1996, 1998-2005, 2007-2011
+ * Copyright (c) 1996, 1998-2005, 2007-2012
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
}
void
-pw_addref(struct passwd *pw)
+sudo_pw_addref(struct passwd *pw)
{
- debug_decl(pw_addref, SUDO_DEBUG_NSS)
+ debug_decl(sudo_pw_addref, SUDO_DEBUG_NSS)
ptr_to_item(pw)->refcnt++;
debug_return;
}
static void
-pw_delref_item(void *v)
+sudo_pw_delref_item(void *v)
{
struct cache_item *item = v;
- debug_decl(pw_delref_item, SUDO_DEBUG_NSS)
+ debug_decl(sudo_pw_delref_item, SUDO_DEBUG_NSS)
if (--item->refcnt == 0)
efree(item);
}
void
-pw_delref(struct passwd *pw)
+sudo_pw_delref(struct passwd *pw)
{
- debug_decl(pw_delref, SUDO_DEBUG_NSS)
- pw_delref_item(ptr_to_item(pw));
+ debug_decl(sudo_pw_delref, SUDO_DEBUG_NSS)
+ sudo_pw_delref_item(ptr_to_item(pw));
debug_return;
}
/* Store by uid, overwriting cached version. */
pwitem->cache.k.uid = pw->pw_uid;
if ((node = rbinsert(pwcache_byuid, &pwitem->cache)) != NULL) {
- pw_delref_item(node->data);
+ sudo_pw_delref_item(node->data);
node->data = &pwitem->cache;
}
} else {
/* Store by name, overwriting cached version. */
pwitem->cache.k.name = pw->pw_name;
if ((node = rbinsert(pwcache_byname, &pwitem->cache)) != NULL) {
- pw_delref_item(node->data);
+ sudo_pw_delref_item(node->data);
node->data = &pwitem->cache;
}
}
debug_decl(sudo_freepwcache, SUDO_DEBUG_NSS)
if (pwcache_byuid != NULL) {
- rbdestroy(pwcache_byuid, pw_delref_item);
+ rbdestroy(pwcache_byuid, sudo_pw_delref_item);
pwcache_byuid = NULL;
}
if (pwcache_byname != NULL) {
- rbdestroy(pwcache_byname, pw_delref_item);
+ rbdestroy(pwcache_byname, sudo_pw_delref_item);
pwcache_byname = NULL;
}
if (cp - (char *)grlitem + len > total) {
total += len + GROUPNAME_LEN;
efree(grlitem);
- gr_delref(grp);
+ sudo_gr_delref(grp);
goto again;
}
memcpy(cp, grp->gr_name, len);
grlist->groups[ngroups++] = cp;
cp += len;
- gr_delref(grp);
+ sudo_gr_delref(grp);
}
}
grlist->ngroups = ngroups;
}
void
-gr_addref(struct group *gr)
+sudo_gr_addref(struct group *gr)
{
- debug_decl(gr_addref, SUDO_DEBUG_NSS)
+ debug_decl(sudo_gr_addref, SUDO_DEBUG_NSS)
ptr_to_item(gr)->refcnt++;
debug_return;
}
static void
-gr_delref_item(void *v)
+sudo_gr_delref_item(void *v)
{
struct cache_item *item = v;
- debug_decl(gr_delref_item, SUDO_DEBUG_NSS)
+ debug_decl(sudo_gr_delref_item, SUDO_DEBUG_NSS)
if (--item->refcnt == 0)
efree(item);
}
void
-gr_delref(struct group *gr)
+sudo_gr_delref(struct group *gr)
{
- debug_decl(gr_delref, SUDO_DEBUG_NSS)
- gr_delref_item(ptr_to_item(gr));
+ debug_decl(sudo_gr_delref, SUDO_DEBUG_NSS)
+ sudo_gr_delref_item(ptr_to_item(gr));
debug_return;
}
/* Store by gid, overwriting cached version. */
gritem->cache.k.gid = gr->gr_gid;
if ((node = rbinsert(grcache_bygid, &gritem->cache)) != NULL) {
- gr_delref_item(node->data);
+ sudo_gr_delref_item(node->data);
node->data = &gritem->cache;
}
} else {
/* Store by name, overwriting cached version. */
gritem->cache.k.name = gr->gr_name;
if ((node = rbinsert(grcache_byname, &gritem->cache)) != NULL) {
- gr_delref_item(node->data);
+ sudo_gr_delref_item(node->data);
node->data = &gritem->cache;
}
}
}
void
-grlist_addref(struct group_list *grlist)
+sudo_grlist_addref(struct group_list *grlist)
{
- debug_decl(gr_addref, SUDO_DEBUG_NSS)
+ debug_decl(sudo_gr_addref, SUDO_DEBUG_NSS)
ptr_to_item(grlist)->refcnt++;
debug_return;
}
static void
-grlist_delref_item(void *v)
+sudo_grlist_delref_item(void *v)
{
struct cache_item *item = v;
- debug_decl(gr_delref_item, SUDO_DEBUG_NSS)
+ debug_decl(sudo_gr_delref_item, SUDO_DEBUG_NSS)
if (--item->refcnt == 0)
efree(item);
}
void
-grlist_delref(struct group_list *grlist)
+sudo_grlist_delref(struct group_list *grlist)
{
- debug_decl(gr_delref, SUDO_DEBUG_NSS)
- grlist_delref_item(ptr_to_item(grlist));
+ debug_decl(sudo_gr_delref, SUDO_DEBUG_NSS)
+ sudo_grlist_delref_item(ptr_to_item(grlist));
debug_return;
}
debug_decl(sudo_freegrcache, SUDO_DEBUG_NSS)
if (grcache_bygid != NULL) {
- rbdestroy(grcache_bygid, gr_delref_item);
+ rbdestroy(grcache_bygid, sudo_gr_delref_item);
grcache_bygid = NULL;
}
if (grcache_byname != NULL) {
- rbdestroy(grcache_byname, gr_delref_item);
+ rbdestroy(grcache_byname, sudo_gr_delref_item);
grcache_byname = NULL;
}
if (grlist_cache != NULL) {
- rbdestroy(grlist_cache, grlist_delref_item);
+ rbdestroy(grlist_cache, sudo_grlist_delref_item);
grlist_cache = NULL;
}
}
struct group_list *
-get_group_list(struct passwd *pw)
+sudo_get_grlist(struct passwd *pw)
{
struct cache_item key, *item;
struct rbnode *node;
size_t len;
GETGROUPS_T *gids;
int ngids;
- debug_decl(get_group_list, SUDO_DEBUG_NSS)
+ debug_decl(sudo_get_grlist, SUDO_DEBUG_NSS)
key.k.name = pw->pw_name;
if ((node = rbfind(grlist_cache, &key)) != NULL) {
}
/*
* Cache group db entry if it exists or a negative response if not.
+ * Use gids list from front-end if possible, otherwise getgrouplist().
*/
+ if (pw == sudo_user.pw && sudo_user.gids != NULL) {
+ gids = user_gids;
+ ngids = user_ngids;
+ user_gids = NULL;
+ user_ngids = 0;
+ } else {
#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
- ngids = (int)sysconf(_SC_NGROUPS_MAX) * 2;
- if (ngids < 0)
+ ngids = (int)sysconf(_SC_NGROUPS_MAX) * 2;
+ if (ngids < 0)
#endif
- ngids = NGROUPS_MAX * 2;
- gids = emalloc2(ngids, sizeof(GETGROUPS_T));
- if (getgrouplist(pw->pw_name, pw->pw_gid, gids, &ngids) == -1) {
- efree(gids);
+ ngids = NGROUPS_MAX * 2;
gids = emalloc2(ngids, sizeof(GETGROUPS_T));
if (getgrouplist(pw->pw_name, pw->pw_gid, gids, &ngids) == -1) {
efree(gids);
- debug_return_ptr(NULL);
+ gids = emalloc2(ngids, sizeof(GETGROUPS_T));
+ if (getgrouplist(pw->pw_name, pw->pw_gid, gids, &ngids) == -1) {
+ efree(gids);
+ debug_return_ptr(NULL);
+ }
}
}
if (ngids > 0) {
debug_return_ptr(item->d.grlist);
}
-void
-set_group_list(const char *user, GETGROUPS_T *gids, int ngids)
-{
- struct cache_item key, *item;
- struct rbnode *node;
- debug_decl(set_group_list, SUDO_DEBUG_NSS)
-
- /*
- * Cache group db entry if it doesn't already exist
- */
- key.k.name = (char *) user;
- if ((node = rbfind(grlist_cache, &key)) == NULL) {
- if ((item = make_grlist_item(user, gids, ngids)) == NULL)
- errorx(1, "unable to parse group list for %s", user);
- if (rbinsert(grlist_cache, item) != NULL)
- errorx(1, "unable to cache group list for %s, already exists",
- user);
- }
- debug_return;
-}
-
bool
user_in_group(struct passwd *pw, const char *group)
{
bool matched = false;
debug_decl(user_in_group, SUDO_DEBUG_NSS)
- if ((grlist = get_group_list(pw)) != NULL) {
+ if ((grlist = sudo_get_grlist(pw)) != NULL) {
/*
* If it could be a sudo-style group ID check gids first.
*/
}
done:
if (grp != NULL)
- gr_delref(grp);
- grlist_delref(grlist);
+ sudo_gr_delref(grp);
+ sudo_grlist_delref(grlist);
}
debug_return_bool(matched);
}
struct rbnode *sibling;
debug_decl(rbrepair, SUDO_DEBUG_RBTREE)
- while (node->color == black && node != rbroot(tree)) {
+ while (node->color == black && node != rbfirst(tree)) {
if (node == node->parent->left) {
sibling = node->parent->right;
if (sibling->color == red) {
node->parent->color = black;
sibling->right->color = black;
rotate_left(tree, node->parent);
- node = rbroot(tree); /* exit loop */
+ node = rbfirst(tree); /* exit loop */
}
} else { /* if (node == node->parent->right) */
sibling = node->parent->left;
node->parent->color = black;
sibling->left->color = black;
rotate_right(tree, node->parent);
- node = rbroot(tree); /* exit loop */
+ node = rbfirst(tree); /* exit loop */
}
}
}
--- /dev/null
+/*
+ * Copyright (c) 2012 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#ifdef HAVE_STRING_H
+# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
+# include <memory.h>
+# endif
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#ifdef HAVE_DLOPEN
+# include <dlfcn.h>
+#else
+# include "compat/dlfcn.h"
+#endif
+#include <errno.h>
+#include <limits.h>
+
+#include "missing.h"
+#include "error.h"
+
+#ifndef LINE_MAX
+# define LINE_MAX 2048
+#endif
+
+static void
+usage(void)
+{
+ fprintf(stderr, "usage: load_symbols plugin.so symbols_file\n");
+ exit(1);
+}
+
+int
+main(int argc, char *argv[])
+{
+ void *handle, *sym;
+ const char *plugin_path;
+ const char *symbols_file;
+ char *cp, line[LINE_MAX];
+ FILE *fp;
+ int ntests = 0, errors = 0;
+
+#if !defined(HAVE_GETPROGNAME) && !defined(HAVE___PROGNAME)
+ setprogname(argc > 0 ? argv[0] : "check_symbols");
+#endif
+
+ if (argc != 3)
+ usage();
+ plugin_path = argv[1];
+ symbols_file = argv[2];
+
+ handle = dlopen(plugin_path, RTLD_LAZY|RTLD_GLOBAL);
+ if (handle == NULL)
+ errorx2(1, "unable to dlopen %s: %s", plugin_path, dlerror());
+
+ fp = fopen(symbols_file, "r");
+ if (fp == NULL)
+ error2(1, "unable to open %s", symbols_file);
+
+ while (fgets(line, sizeof(line), fp) != NULL) {
+ ntests++;
+ if ((cp = strchr(line, '\n')) != NULL)
+ *cp = '\0';
+ sym = dlsym(handle, line);
+ if (sym == NULL) {
+ warningx2("unable to resolve symbol %s: %s", line, dlerror());
+ errors++;
+ }
+ }
+
+ /*
+ * Make sure unexported symbols are not available.
+ */
+ sym = dlsym(handle, "user_in_group");
+ if (sym != NULL) {
+ warningx2("able to resolve local symbol user_in_group");
+ errors++;
+ }
+ ntests++;
+
+ dlclose(handle);
+
+ printf("check_symbols: %d tests run, %d errors, %d%% success rate\n",
+ ntests, errors, (ntests - errors) * 100 / ntests);
+
+ exit(errors);
+}
+
+void
+cleanup(int gotsig)
+{
+ return;
+}
exit(errors);
}
-void io_nextid(char *iolog_dir, char id[7])
+void io_nextid(char *iolog_dir, char *fallback, char id[7])
{
memcpy(id, sessid, sizeof(sessid));
}
# This is RedHat bug Bug 667103.
#
+exec 2>&1
./testsudoers -g bin root id <<EOF
root ALL = ALL
EOF
while (perm_stack_depth > 1)
restore_perms();
- grlist_delref(perm_stack[0].grlist);
+ sudo_grlist_delref(perm_stack[0].grlist);
debug_return;
}
state->sgid = state->egid; /* in case we are setgid */
#endif
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_INITIAL: "
"ruid: %d, euid: %d, suid: %d, rgid: %d, egid: %d, sgid: %d",
__func__, (int)state->ruid, (int)state->euid, (int)state->suid,
state->egid = ostate->egid;
state->sgid = ostate->sgid;
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
break;
case PERM_USER:
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
case PERM_SUDOERS:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
/* assumes euid == ROOT_UID, ruid == user */
state->rgid = ostate->rgid;
case PERM_TIMESTAMP:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
state->rgid = ostate->rgid;
state->egid = ostate->egid;
state->sgid = ostate->sgid;
goto bad;
}
}
- grlist_delref(state->grlist);
+ sudo_grlist_delref(state->grlist);
debug_return;
bad:
state->egid = getgidx(ID_EFFECTIVE);
state->sgid = getgidx(ID_SAVED);
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_INITIAL: "
"ruid: %d, euid: %d, suid: %d, rgid: %d, egid: %d, sgid: %d",
__func__, (unsigned int)state->ruid, (unsigned int)state->euid,
state->egid = ostate->egid;
state->sgid = ostate->sgid;
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
break;
case PERM_USER:
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
case PERM_SUDOERS:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
/* assume euid == ROOT_UID, ruid == user */
state->rgid = ostate->rgid;
case PERM_TIMESTAMP:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
state->rgid = ostate->rgid;
state->egid = ostate->egid;
state->sgid = ostate->sgid;
goto bad;
}
}
- grlist_delref(state->grlist);
+ sudo_grlist_delref(state->grlist);
debug_return;
bad:
state->rgid = getgid();
state->egid = getegid();
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_INITIAL: "
"ruid: %d, euid: %d, rgid: %d, egid: %d", __func__,
(int)state->ruid, (int)state->euid,
state->rgid = ostate->rgid;
state->egid = ostate->rgid;
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
break;
case PERM_USER:
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
case PERM_SUDOERS:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
/* assume euid == ROOT_UID, ruid == user */
state->rgid = ostate->rgid;
case PERM_TIMESTAMP:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
state->rgid = ostate->rgid;
state->egid = ostate->egid;
state->ruid = ROOT_UID;
goto bad;
}
}
- grlist_delref(state->grlist);
+ sudo_grlist_delref(state->grlist);
debug_return;
bad:
state->rgid = getgid();
state->egid = getegid();
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_INITIAL: "
"ruid: %d, euid: %d, rgid: %d, egid: %d", __func__,
(int)state->ruid, (int)state->euid,
state->rgid = ostate->rgid;
state->egid = ostate->egid;
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
break;
case PERM_USER:
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_USER: setgroups", sizeof(errbuf));
goto bad;
}
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
case PERM_SUDOERS:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
/* assume euid == ROOT_UID, ruid == user */
state->rgid = ostate->rgid;
case PERM_TIMESTAMP:
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
state->rgid = ostate->rgid;
state->egid = ostate->egid;
state->ruid = ROOT_UID;
warning("seteuid(%d)", ostate->euid);
goto bad;
}
- grlist_delref(state->grlist);
+ sudo_grlist_delref(state->grlist);
debug_return;
bad:
state->ruid = geteuid() == ROOT_UID ? ROOT_UID : getuid();
state->rgid = getgid();
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_INITIAL: "
"ruid: %d, rgid: %d", __func__, (int)state->ruid, (int)state->rgid);
break;
state->ruid = ROOT_UID;
state->rgid = ostate->rgid;
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
"[%d] -> [%d]", __func__, (int)ostate->ruid, (int)state->ruid);
if (setuid(ROOT_UID)) {
"[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
(void) setgid(user_gid);
state->grlist = user_group_list;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
if (state->grlist != ostate->grlist) {
if (sudo_setgroups(state->grlist->ngids, state->grlist->gids)) {
strlcpy(errbuf, "PERM_FULL_USER: setgroups", sizeof(errbuf));
state->ruid = ostate->ruid;
state->rgid = ostate->rgid;
state->grlist = ostate->grlist;
- grlist_addref(state->grlist);
+ sudo_grlist_addref(state->grlist);
break;
}
goto bad;
}
}
- grlist_delref(state->grlist);
+ sudo_grlist_delref(state->grlist);
if (OID(ruid) != -1 && setuid(ostate->ruid)) {
warning("setuid(%d)", (int)ostate->ruid);
goto bad;
debug_decl(runas_setgroups, SUDO_DEBUG_PERMS)
if (def_preserve_groups) {
- grlist_addref(user_group_list);
+ sudo_grlist_addref(user_group_list);
debug_return_ptr(user_group_list);
}
#ifdef HAVE_SETAUTHDB
aix_setauthdb(pw->pw_name);
#endif
- grlist = get_group_list(pw);
+ grlist = sudo_get_grlist(pw);
#ifdef HAVE_SETAUTHDB
aix_restoreauthdb();
#endif
--- /dev/null
+/*
+ * Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2011 Daniel Kopecek <dkopecek@redhat.com>
+ *
+ * This code is derived from software contributed by Aaron Spangler.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif /* HAVE_UNISTD_H */
+#if TIME_WITH_SYS_TIME
+# include <time.h>
+#endif
+#ifdef HAVE_DLOPEN
+# include <dlfcn.h>
+#else
+# include "compat/dlfcn.h"
+#endif
+#include <ctype.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include <errno.h>
+#include <stdint.h>
+
+#include "sudoers.h"
+#include "parse.h"
+#include "lbuf.h"
+#include "sudo_debug.h"
+
+/* SSSD <--> SUDO interface - do not change */
+struct sss_sudo_attr {
+ char *name;
+ char **values;
+ unsigned int num_values;
+};
+
+struct sss_sudo_rule {
+ unsigned int num_attrs;
+ struct sss_sudo_attr *attrs;
+};
+
+struct sss_sudo_result {
+ unsigned int num_rules;
+ struct sss_sudo_rule *rules;
+};
+
+typedef int (*sss_sudo_send_recv_t)(uid_t, const char*, const char*,
+ uint32_t*, struct sss_sudo_result**);
+
+typedef int (*sss_sudo_send_recv_defaults_t)(uid_t, const char*, uint32_t*,
+ char**, struct sss_sudo_result**);
+
+typedef void (*sss_sudo_free_result_t)(struct sss_sudo_result*);
+
+typedef int (*sss_sudo_get_values_t)(struct sss_sudo_rule*, const char*,
+ char***);
+
+typedef void (*sss_sudo_free_values_t)(char**);
+
+/* sudo_nss implementation */
+
+struct sudo_sss_handle {
+ char *domainname;
+ struct passwd *pw;
+ void *ssslib;
+ sss_sudo_send_recv_t fn_send_recv;
+ sss_sudo_send_recv_defaults_t fn_send_recv_defaults;
+ sss_sudo_free_result_t fn_free_result;
+ sss_sudo_get_values_t fn_get_values;
+ sss_sudo_free_values_t fn_free_values;
+};
+
+static int sudo_sss_open(struct sudo_nss *nss);
+static int sudo_sss_close(struct sudo_nss *nss);
+static int sudo_sss_parse(struct sudo_nss *nss);
+static void sudo_sss_parse_options(struct sudo_sss_handle *handle,
+ struct sss_sudo_rule *rule);
+static int sudo_sss_setdefs(struct sudo_nss *nss);
+static int sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag);
+static int sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw);
+static int sudo_sss_display_defaults(struct sudo_nss *nss, struct passwd *pw,
+ struct lbuf *lbuf);
+
+static int sudo_sss_display_bound_defaults(struct sudo_nss *nss,
+ struct passwd *pw, struct lbuf *lbuf);
+
+static int sudo_sss_display_privs(struct sudo_nss *nss, struct passwd *pw,
+ struct lbuf *lbuf);
+
+
+static struct sss_sudo_result *sudo_sss_result_get(struct sudo_nss *nss,
+ struct passwd *pw,
+ uint32_t *state);
+
+static void
+sudo_sss_attrcpy(struct sss_sudo_attr *dst, const struct sss_sudo_attr *src)
+{
+ int i;
+ debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_SSSD)
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "dst=%p, src=%p", dst, src);
+ sudo_debug_printf(SUDO_DEBUG_INFO, "emalloc: cnt=%d", src->num_values);
+
+ dst->name = estrdup(src->name);
+ dst->num_values = src->num_values;
+ dst->values = emalloc2(dst->num_values, sizeof(char *));
+
+ for (i = 0; i < dst->num_values; ++i)
+ dst->values[i] = estrdup(src->values[i]);
+
+ debug_return;
+}
+
+static void
+sudo_sss_rulecpy(struct sss_sudo_rule *dst, const struct sss_sudo_rule *src)
+{
+ int i;
+ debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_SSSD)
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "dst=%p, src=%p", dst, src);
+ sudo_debug_printf(SUDO_DEBUG_INFO, "emalloc: cnt=%d", src->num_attrs);
+
+ dst->num_attrs = src->num_attrs;
+ dst->attrs = emalloc2(dst->num_attrs, sizeof(struct sss_sudo_attr));
+
+ for (i = 0; i < dst->num_attrs; ++i)
+ sudo_sss_attrcpy(dst->attrs + i, src->attrs + i);
+
+ debug_return;
+}
+
+#define _SUDO_SSS_FILTER_INCLUDE 0
+#define _SUDO_SSS_FILTER_EXCLUDE 1
+
+#define _SUDO_SSS_STATE_HOSTMATCH 0x01
+#define _SUDO_SSS_STATE_USERMATCH 0x02
+
+static struct sss_sudo_result *
+sudo_sss_filter_result(struct sudo_sss_handle *handle,
+ struct sss_sudo_result *in_res,
+ int (*filterp)(struct sudo_sss_handle *, struct sss_sudo_rule *, void *),
+ int act, void *filterp_arg)
+{
+ struct sss_sudo_result *out_res;
+ int i, l, r;
+ debug_decl(sudo_sss_filter_result, SUDO_DEBUG_SSSD)
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "in_res=%p, count=%u, act=%s",
+ in_res, in_res->num_rules,
+ act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE");
+
+ if (in_res == NULL)
+ debug_return_ptr(NULL);
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "emalloc: cnt=%d", in_res->num_rules);
+
+ out_res = emalloc(sizeof(struct sss_sudo_result));
+ out_res->rules = in_res->num_rules > 0 ?
+ emalloc2(in_res->num_rules, sizeof(struct sss_sudo_rule)) : NULL;
+ out_res->num_rules = 0;
+
+ for (i = l = 0; i < in_res->num_rules; ++i) {
+ r = filterp(handle, in_res->rules + i, filterp_arg);
+
+ if (( r && act == _SUDO_SSS_FILTER_INCLUDE) ||
+ (!r && act == _SUDO_SSS_FILTER_EXCLUDE)) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "COPY (%s): %p[%u] => %p[%u] (= %p)",
+ act == _SUDO_SSS_FILTER_EXCLUDE ? "not excluded" : "included",
+ in_res->rules, i, out_res->rules, l, in_res->rules + i);
+
+ sudo_sss_rulecpy(out_res->rules + l, in_res->rules + i);
+ ++l;
+ }
+ }
+
+ if (l < in_res->num_rules) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "reallocating result: %p (count: %u -> %u)", out_res->rules,
+ in_res->num_rules, l);
+ out_res->rules = erealloc3(out_res->rules, l, sizeof(struct sss_sudo_rule));
+ }
+
+ out_res->num_rules = l;
+
+ debug_return_ptr(out_res);
+}
+
+struct sudo_nss sudo_nss_sss = {
+ &sudo_nss_sss,
+ NULL,
+ sudo_sss_open,
+ sudo_sss_close,
+ sudo_sss_parse,
+ sudo_sss_setdefs,
+ sudo_sss_lookup,
+ sudo_sss_display_cmnd,
+ sudo_sss_display_defaults,
+ sudo_sss_display_bound_defaults,
+ sudo_sss_display_privs
+};
+
+/* sudo_nss implementation */
+// ok
+static int sudo_sss_open(struct sudo_nss *nss)
+{
+ struct sudo_sss_handle *handle;
+ static const char path[] = _PATH_SSSD_LIB"/libsss_sudo.so";
+ debug_decl(sudo_sss_open, SUDO_DEBUG_SSSD);
+
+ /* Create a handle container. */
+ handle = emalloc(sizeof(struct sudo_sss_handle));
+
+ /* Load symbols */
+ handle->ssslib = dlopen(path, RTLD_LAZY);
+ if (handle->ssslib == NULL) {
+ warningx(_("Unable to dlopen %s: %s"), path, dlerror());
+ warningx(_("Unable to initialize SSS source. Is SSSD installed on your machine?"));
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_send_recv = dlsym(handle->ssslib, "sss_sudo_send_recv");
+ if (handle->fn_send_recv == NULL) {
+ warningx(_("unable to find symbol \"%s\" in %s"), path,
+ "sss_sudo_send_recv");
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_send_recv_defaults =
+ dlsym(handle->ssslib, "sss_sudo_send_recv_defaults");
+ if (handle->fn_send_recv_defaults == NULL) {
+ warningx(_("unable to find symbol \"%s\" in %s"), path,
+ "sss_sudo_send_recv_defaults");
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_free_result = dlsym(handle->ssslib, "sss_sudo_free_result");
+ if (handle->fn_free_result == NULL) {
+ warningx(_("unable to find symbol \"%s\" in %s"), path,
+ "sss_sudo_free_result");
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_get_values = dlsym(handle->ssslib, "sss_sudo_get_values");
+ if (handle->fn_get_values == NULL) {
+ warningx(_("unable to find symbol \"%s\" in %s"), path,
+ "sss_sudo_get_values");
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_free_values = dlsym(handle->ssslib, "sss_sudo_free_values");
+ if (handle->fn_free_values == NULL) {
+ warningx(_("unable to find symbol \"%s\" in %s"), path,
+ "sss_sudo_free_values");
+ debug_return_int(EFAULT);
+ }
+
+ handle->domainname = NULL;
+ handle->pw = sudo_user.pw;
+ nss->handle = handle;
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "handle=%p", handle);
+
+ debug_return_int(0);
+}
+
+// ok
+static int sudo_sss_close(struct sudo_nss *nss)
+{
+ struct sudo_sss_handle *handle;
+ debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
+
+ if (nss && nss->handle) {
+ handle = nss->handle;
+ dlclose(handle->ssslib);
+ }
+
+ efree(nss->handle);
+ debug_return_int(0);
+}
+
+// ok
+static int sudo_sss_parse(struct sudo_nss *nss)
+{
+ debug_decl(sudo_sss_parse, SUDO_DEBUG_SSSD);
+ debug_return_int(0);
+}
+
+static int sudo_sss_setdefs(struct sudo_nss *nss)
+{
+ struct sudo_sss_handle *handle = nss->handle;
+
+ struct sss_sudo_result *sss_result;
+ struct sss_sudo_rule *sss_rule;
+ uint32_t sss_error;
+ int i;
+ debug_decl(sudo_sss_setdefs, SUDO_DEBUG_SSSD);
+
+ if (handle == NULL)
+ debug_return_int(-1);
+
+ sudo_debug_printf(SUDO_DEBUG_DIAG, "Looking for cn=defaults");
+
+ if (handle->fn_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name,
+ &sss_error, &handle->domainname,
+ &sss_result) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_send_recv_defaults: != 0, sss_error=%u", sss_error);
+ debug_return_int(-1);
+ }
+
+ if (sss_error == ENOENT) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "The user was not found in SSSD.");
+ debug_return_int(-1);
+ } else if(sss_error != 0) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sss_error=%u\n", sss_error);
+ debug_return_int(-1);
+ }
+
+ for (i = 0; i < sss_result->num_rules; ++i) {
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
+ "Parsing cn=defaults, %d/%d", i, sss_result->num_rules);
+ sss_rule = sss_result->rules + i;
+ sudo_sss_parse_options(handle, sss_rule);
+ }
+
+ handle->fn_free_result(sss_result);
+ debug_return_int(0);
+}
+
+static int sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw)
+{
+ struct sudo_sss_handle *handle = nss->handle;
+ debug_decl(sudo_sss_checkpw, SUDO_DEBUG_SSSD);
+
+ if (pw->pw_name != handle->pw->pw_name ||
+ pw->pw_uid != handle->pw->pw_uid) {
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
+ "Requested name or uid don't match the initial once, reinitializing...");
+ handle->pw = pw;
+
+ if (sudo_sss_setdefs(nss) != 0)
+ debug_return_int(-1);
+ }
+
+ debug_return_int(0);
+}
+
+static int
+sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule)
+{
+ char **val_array = NULL;
+ char *val;
+ int ret = false, i;
+ debug_decl(sudo_sss_check_runas_user, SUDO_DEBUG_SSSD);
+
+ if (!runas_pw)
+ debug_return_int(UNSPEC);
+
+ /* get the runas user from the entry */
+ switch (handle->fn_get_values(sss_rule, "sudoRunAsUser", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result. Trying old style (sudoRunAs)");
+
+ /* try old style */
+ switch (handle->fn_get_values(sss_rule, "sudoRunAs", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result. Matching against runas_default");
+ /*
+ * If there are no runas entries, match runas_default against
+ * what the user specified on the command line.
+ */
+ return !strcasecmp(runas_pw->pw_name, def_runas_default);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAs): != 0");
+ debug_return_int(UNSPEC);
+ }
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAsUser): != 0");
+ debug_return_int(UNSPEC);
+ }
+
+ /*
+ * BUG:
+ *
+ * if runas is not specified on the command line, the only information
+ * as to which user to run as is in the runas_default option. We should
+ * check to see if we have the local option present. Unfortunately we
+ * don't parse these options until after this routine says yes or no.
+ * The query has already returned, so we could peek at the attribute
+ * values here though.
+ *
+ * For now just require users to always use -u option unless its set
+ * in the global defaults. This behaviour is no different than the global
+ * /etc/sudoers.
+ *
+ * Sigh - maybe add this feature later
+ */
+
+ /* walk through values returned, looking for a match */
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
+ val = val_array[i];
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+
+ switch (val[0]) {
+ case '+':
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
+ if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
+ ret = true;
+ }
+ break;
+ case '%':
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "usergr_");
+ if (usergr_matches(val, runas_pw->pw_name, runas_pw)) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
+ ret = true;
+ }
+ break;
+ case 'A':
+ if (strcmp(val, "ALL") == 0) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "ALL => match");
+ ret = true;
+ break;
+ }
+ /* FALLTHROUGH */
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "FALLTHROUGH");
+ default:
+ if (strcasecmp(val, runas_pw->pw_name) == 0) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s == %s (pw_name) => match", val, runas_pw->pw_name);
+ ret = true;
+ }
+ break;
+ }
+
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not");
+ }
+
+ handle->fn_free_values(val_array); /* cleanup */
+
+ debug_return_int(ret);
+}
+
+static int
+sudo_sss_check_runas_group(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+ char **val_array = NULL;
+ char *val;
+ int ret = false, i;
+ debug_decl(sudo_sss_check_runas_group, SUDO_DEBUG_SSSD);
+
+ /* runas_gr is only set if the user specified the -g flag */
+ if (!runas_gr)
+ debug_return_int(UNSPEC);
+
+ /* get the values from the entry */
+ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ debug_return_int(false);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_get_values(sudoRunAsGroup): != 0");
+ debug_return_int(UNSPEC);
+ }
+
+ /* walk through values returned, looking for a match */
+ for (i = 0; val_array[i] != NULL; ++i) {
+ val = val_array[i];
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+
+ if (strcmp(val, "ALL") == 0 || group_matches(val, runas_gr))
+ ret = true;
+
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not");
+ }
+
+ handle->fn_free_values(val_array);
+
+ debug_return_int(ret);
+}
+
+/*
+ * Walk through search results and return true if we have a runas match,
+ * else false. RunAs info is optional.
+ */
+static int
+sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+ int ret;
+ debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
+
+ if (rule == NULL)
+ debug_return_int(false);
+
+ ret = sudo_sss_check_runas_user(handle, rule) != false &&
+ sudo_sss_check_runas_group(handle, rule) != false;
+
+ debug_return_int(ret);
+}
+
+static int
+sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+ char **val_array, *val;
+ int ret = false, i;
+ debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
+
+ if (rule == NULL)
+ debug_return_int(ret);
+
+ /* get the values from the rule */
+ switch (handle->fn_get_values(rule, "sudoHost", &val_array))
+ {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ debug_return_int(false);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
+ debug_return_int(ret);
+ }
+
+ /* walk through values */
+ for (i = 0; val_array[i] != NULL; ++i) {
+ val = val_array[i];
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+
+ /* match any or address or netgroup or hostname */
+ if (!strcmp(val, "ALL") || addr_matches(val) ||
+ netgr_matches(val, user_host, user_shost, NULL) ||
+ hostname_matches(user_shost, user_host, val))
+ ret = true;
+
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+ }
+
+ handle->fn_free_values(val_array);
+
+ debug_return_int(ret);
+}
+
+static int
+sudo_sss_result_filterp(struct sudo_sss_handle *handle,
+ struct sss_sudo_rule *rule, void *unused)
+{
+ (void)unused;
+ debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
+
+ if (sudo_sss_check_host(handle, rule))
+ debug_return_int(1);
+ else
+ debug_return_int(0);
+}
+
+static struct sss_sudo_result *
+sudo_sss_result_get(struct sudo_nss *nss, struct passwd *pw, uint32_t *state)
+{
+ struct sudo_sss_handle *handle = nss->handle;
+ struct sss_sudo_result *u_sss_result, *f_sss_result;
+ uint32_t sss_error = 0, ret;
+ debug_decl(sudo_sss_result_get, SUDO_DEBUG_SSSD);
+
+ if (sudo_sss_checkpw(nss, pw) != 0)
+ debug_return_ptr(NULL);
+
+ sudo_debug_printf(SUDO_DEBUG_DIAG, " username=%s", handle->pw->pw_name);
+ sudo_debug_printf(SUDO_DEBUG_DIAG, "domainname=%s", handle->domainname);
+
+ u_sss_result = f_sss_result = NULL;
+
+ ret = handle->fn_send_recv(handle->pw->pw_uid, handle->pw->pw_name,
+ handle->domainname, &sss_error, &u_sss_result);
+
+ switch (ret) {
+ case 0:
+ switch (sss_error) {
+ case 0:
+ if (u_sss_result != NULL) {
+ if (state != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= USERMATCH");
+ *state |= _SUDO_SSS_STATE_USERMATCH;
+ }
+ sudo_debug_printf(SUDO_DEBUG_INFO, "Received %u rule(s)",
+ u_sss_result->num_rules);
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "Internal error: u_sss_result == NULL && sss_error == 0");
+ debug_return_ptr(NULL);
+ }
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "The user was not found in SSSD.");
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sss_error=%u\n", sss_error);
+ debug_return_ptr(NULL);
+ }
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_send_recv: != 0: ret=%d", ret);
+ debug_return_ptr(NULL);
+ }
+
+ f_sss_result = sudo_sss_filter_result(handle, u_sss_result,
+ sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL);
+
+ if (f_sss_result != NULL) {
+ if (f_sss_result->num_rules > 0) {
+ if (state != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
+ *state |= _SUDO_SSS_STATE_HOSTMATCH;
+ }
+ }
+ }
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
+ u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
+
+ handle->fn_free_result(u_sss_result);
+
+ debug_return_ptr(f_sss_result);
+}
+
+/*
+ * Search for boolean "option" in sudoOption.
+ * Returns true if found and allowed, false if negated, else UNSPEC.
+ */
+static int
+sudo_sss_check_bool(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule,
+ char *option)
+{
+ char ch, *var, **val_array = NULL;
+ int i, ret = UNSPEC;
+ debug_decl(sudo_sss_check_bool, SUDO_DEBUG_SSSD);
+
+ if (rule == NULL)
+ debug_return_int(ret);
+
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ debug_return_int(ret);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values: != 0");
+ debug_return_int(ret);
+ }
+
+ /* walk through options */
+ for (i = 0; val_array[i] != NULL; ++i) {
+ var = val_array[i];
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoOption: '%s'", var);
+
+ if ((ch = *var) == '!')
+ var++;
+ if (strcmp(var, option) == 0)
+ ret = (ch != '!');
+ }
+
+ handle->fn_free_values(val_array);
+
+ debug_return_int(ret);
+}
+
+/*
+ * Walk through search results and return true if we have a command match,
+ * false if disallowed and UNSPEC if not matched.
+ */
+static int
+sudo_sss_check_command(struct sudo_sss_handle *handle,
+ struct sss_sudo_rule *rule, int *setenv_implied)
+{
+ char **val_array = NULL, *val;
+ char *allowed_cmnd, *allowed_args;
+ int i, foundbang, ret = UNSPEC;
+ debug_decl(sudo_sss_check_command, SUDO_DEBUG_SSSD);
+
+ if (rule == NULL)
+ debug_return_int(ret);
+
+ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ debug_return_int(ret);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values: != 0");
+ debug_return_int(ret);
+ }
+
+ for (i = 0; val_array[i] != NULL && ret != false; ++i) {
+ val = val_array[i];
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+
+ /* Match against ALL ? */
+ if (!strcmp(val, "ALL")) {
+ ret = true;
+ if (setenv_implied != NULL)
+ *setenv_implied = true;
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "sssd/ldap sudoCommand '%s' ... MATCH!", val);
+ continue;
+ }
+
+ /* check for !command */
+ if (*val == '!') {
+ foundbang = true;
+ allowed_cmnd = estrdup(1 + val); /* !command */
+ } else {
+ foundbang = false;
+ allowed_cmnd = estrdup(val); /* command */
+ }
+
+ /* split optional args away from command */
+ allowed_args = strchr(allowed_cmnd, ' ');
+ if (allowed_args)
+ *allowed_args++ = '\0';
+
+ /* check the command like normal */
+ if (command_matches(allowed_cmnd, allowed_args)) {
+ /*
+ * If allowed (no bang) set ret but keep on checking.
+ * If disallowed (bang), exit loop.
+ */
+ ret = foundbang ? false : true;
+ }
+
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoCommand '%s' ... %s",
+ val, ret == true ? "MATCH!" : "not");
+ efree(allowed_cmnd); /* cleanup */
+ }
+
+ handle->fn_free_values(val_array); /* more cleanup */
+
+ debug_return_int(ret);
+}
+
+static void
+sudo_sss_parse_options(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+ int i;
+ char op, *v, *val;
+ char **val_array = NULL;
+ debug_decl(sudo_sss_parse_options, SUDO_DEBUG_SSSD);
+
+ if (rule == NULL)
+ debug_return;
+
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ debug_return;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoOption): != 0");
+ debug_return;
+ }
+
+ /* walk through options */
+ for (i = 0; val_array[i] != NULL; i++) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoOption: '%s'",
+ val_array[i]);
+ v = estrdup(val_array[i]);
+
+ /* check for equals sign past first char */
+ val = strchr(v, '=');
+ if (val > v) {
+ *val++ = '\0'; /* split on = and truncate var */
+ op = *(val - 2); /* peek for += or -= cases */
+ if (op == '+' || op == '-') {
+ *(val - 2) = '\0'; /* found, remove extra char */
+ /* case var+=val or var-=val */
+ set_default(v, val, (int) op);
+ } else {
+ /* case var=val */
+ set_default(v, val, true);
+ }
+ } else if (*v == '!') {
+ /* case !var Boolean False */
+ set_default(v + 1, NULL, false);
+ } else {
+ /* case var Boolean True */
+ set_default(v, NULL, true);
+ }
+ efree(v);
+ }
+
+ handle->fn_free_values(val_array);
+ debug_return;
+}
+
+static int
+sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
+{
+ int rc, setenv_implied;
+
+ struct sudo_sss_handle *handle = nss->handle;
+ struct sss_sudo_result *sss_result = NULL;
+ struct sss_sudo_rule *rule;
+ uint32_t i, state = 0;
+ debug_decl(sudo_sss_lookup, SUDO_DEBUG_SSSD);
+
+ /* Fetch list of sudoRole entries that match user and host. */
+ sss_result = sudo_sss_result_get(nss, sudo_user.pw, &state);
+
+ /*
+ * The following queries are only determine whether or not a
+ * password is required, so the order of the entries doesn't matter.
+ */
+ if (pwflag) {
+ int doauth = UNSPEC;
+ int matched = UNSPEC;
+ enum def_tuple pwcheck =
+ (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
+
+ sudo_debug_printf(SUDO_DEBUG_INFO, "perform search for pwflag %d", pwflag);
+ if (sss_result != NULL) {
+ for (i = 0; i < sss_result->num_rules; i++) {
+ rule = sss_result->rules + i;
+ if ((pwcheck == any && doauth != false) ||
+ (pwcheck == all && doauth == false)) {
+ doauth = sudo_sss_check_bool(handle, rule, "authenticate");
+ }
+ /* Only check the command when listing another user. */
+ if (user_uid == 0 || list_pw == NULL ||
+ user_uid == list_pw->pw_uid ||
+ sudo_sss_check_command(handle, rule, NULL)) {
+ matched = true;
+ break;
+ }
+ }
+ }
+ if (matched || user_uid == 0) {
+ SET(ret, VALIDATE_OK);
+ CLR(ret, VALIDATE_NOT_OK);
+ if (def_authenticate) {
+ switch (pwcheck) {
+ case always:
+ SET(ret, FLAG_CHECK_USER);
+ break;
+ case all:
+ case any:
+ if (doauth == false)
+ def_authenticate = false;
+ break;
+ case never:
+ def_authenticate = false;
+ break;
+ default:
+ break;
+ }
+ }
+ }
+ goto done;
+ }
+
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
+ "searching SSSD/LDAP for sudoers entries");
+
+ setenv_implied = false;
+ if (sss_result != NULL) {
+ for (i = 0; i < sss_result->num_rules; i++) {
+ rule = sss_result->rules + i;
+ if (!sudo_sss_check_runas(handle, rule))
+ continue;
+ rc = sudo_sss_check_command(handle, rule, &setenv_implied);
+ if (rc != UNSPEC) {
+ /* We have a match. */
+ sudo_debug_printf(SUDO_DEBUG_DIAG, "Command %sallowed",
+ rc == true ? "" : "NOT ");
+ if (rc == true) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "SSSD rule: %p", rule);
+ /* Apply entry-specific options. */
+ if (setenv_implied)
+ def_setenv = true;
+ sudo_sss_parse_options(handle, rule);
+#ifdef HAVE_SELINUX
+ /* Set role and type if not specified on command line. */
+ if (user_role == NULL)
+ user_role = def_role;
+ if (user_type == NULL)
+ user_type = def_type;
+#endif /* HAVE_SELINUX */
+ SET(ret, VALIDATE_OK);
+ CLR(ret, VALIDATE_NOT_OK);
+ } else {
+ SET(ret, VALIDATE_NOT_OK);
+ CLR(ret, VALIDATE_OK);
+ }
+ break;
+ }
+ }
+ }
+done:
+ sudo_debug_printf(SUDO_DEBUG_DIAG, "Done with LDAP searches");
+
+ if (!ISSET(ret, VALIDATE_OK)) {
+ /* No matching entries. */
+ if (pwflag && list_pw == NULL)
+ SET(ret, FLAG_NO_CHECK);
+ }
+
+ if (state & _SUDO_SSS_STATE_USERMATCH)
+ CLR(ret, FLAG_NO_USER);
+ if (state & _SUDO_SSS_STATE_HOSTMATCH)
+ CLR(ret, FLAG_NO_HOST);
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "sudo_sss_lookup(%d)=0x%02x",
+ pwflag, ret);
+
+ debug_return_int(ret);
+}
+
+static int
+sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
+{
+ struct sudo_sss_handle *handle = nss->handle;
+ struct sss_sudo_result *sss_result = NULL;
+ struct sss_sudo_rule *rule;
+ int i, found = false;
+ debug_decl(sudo_sss_display_cmnd, SUDO_DEBUG_SSSD);
+
+ if (handle == NULL)
+ goto done;
+
+ if (sudo_sss_checkpw(nss, pw) != 0)
+ debug_return_int(-1);
+
+ /*
+ * The sudo_sss_result_get() function returns all nodes that match
+ * the user and the host.
+ */
+ sudo_debug_printf(SUDO_DEBUG_DIAG, "sssd/ldap search for command list");
+ sss_result = sudo_sss_result_get(nss, pw, NULL);
+
+ if (sss_result == NULL)
+ goto done;
+
+ for (i = 0; i < sss_result->num_rules; i++) {
+ rule = sss_result->rules + i;
+ if (sudo_sss_check_command(handle, rule, NULL) &&
+ sudo_sss_check_runas(handle, rule)) {
+ found = true;
+ goto done;
+ }
+ }
+
+done:
+ if (found)
+ printf("%s%s%s\n", safe_cmnd ? safe_cmnd : user_cmnd,
+ user_args ? " " : "", user_args ? user_args : "");
+
+ if (sss_result != NULL)
+ handle->fn_free_result(sss_result);
+
+ debug_return_int(!found);
+}
+
+static int
+sudo_sss_display_defaults(struct sudo_nss *nss, struct passwd *pw,
+ struct lbuf *lbuf)
+{
+ struct sudo_sss_handle *handle = nss->handle;
+
+ struct sss_sudo_rule *rule;
+ struct sss_sudo_result *sss_result = NULL;
+
+ uint32_t sss_error = 0;
+
+ char *prefix, *val, **val_array = NULL;
+ int count = 0, i, j;
+
+ debug_decl(sudo_sss_display_defaults, SUDO_DEBUG_SSSD);
+
+ if (handle == NULL)
+ goto done;
+
+ if (handle->fn_send_recv_defaults(pw->pw_uid, pw->pw_name,
+ &sss_error, &handle->domainname,
+ &sss_result) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_send_recv_defaults: !=0, sss_error=%u", sss_error);
+ goto done;
+ }
+
+ if (sss_error == ENOENT) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "The user was not found in SSSD.");
+ goto done;
+ } else if(sss_error != 0) {
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sss_error=%u\n", sss_error);
+ goto done;
+ }
+
+ handle->pw = pw;
+
+ for (i = 0; i < sss_result->num_rules; ++i) {
+ rule = sss_result->rules + i;
+
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ continue;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values: != 0");
+ continue;
+ }
+
+ if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
+ prefix = " ";
+ else
+ prefix = ", ";
+
+ for (j = 0; val_array[j] != NULL; ++j) {
+ val = val_array[j];
+ lbuf_append(lbuf, "%s%s", prefix, val);
+ prefix = ", ";
+ count++;
+ }
+
+ handle->fn_free_values(val_array);
+ val_array = NULL;
+ }
+
+ handle->fn_free_result(sss_result);
+done:
+ debug_return_int(count);
+}
+
+// ok
+static int
+sudo_sss_display_bound_defaults(struct sudo_nss *nss,
+ struct passwd *pw, struct lbuf *lbuf)
+{
+ debug_decl(sudo_sss_display_bound_defaults, SUDO_DEBUG_SSSD);
+ debug_return_int(0);
+}
+
+static int
+sudo_sss_display_entry_long(struct sudo_sss_handle *handle,
+ struct sss_sudo_rule *rule, struct lbuf *lbuf)
+{
+ char **val_array = NULL;
+ int count = 0, i;
+ debug_decl(sudo_sss_display_entry_long, SUDO_DEBUG_SSSD);
+
+ /* get the RunAsUser Values from the entry */
+ lbuf_append(lbuf, " RunAsUsers: ");
+ switch (handle->fn_get_values(rule, "sudoRunAsUser", &val_array)) {
+ case 0:
+ for (i = 0; val_array[i] != NULL; ++i)
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ switch (handle->fn_get_values(rule, "sudoRunAs", &val_array)) {
+ case 0:
+ for (i = 0; val_array[i] != NULL; ++i)
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ lbuf_append(lbuf, "%s", def_runas_default);
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAs): != 0");
+ debug_return_int(count);
+ }
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAsUser): != 0");
+ debug_return_int(count);
+ }
+ lbuf_append(lbuf, "\n");
+
+ /* get the RunAsGroup Values from the entry */
+ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) {
+ case 0:
+ lbuf_append(lbuf, " RunAsGroups: ");
+ for (i = 0; val_array[i] != NULL; ++i)
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ handle->fn_free_values(val_array);
+ lbuf_append(lbuf, "\n");
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_get_values(sudoRunAsGroup): != 0");
+ debug_return_int(count);
+ }
+
+ /* get the Option Values from the entry */
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) {
+ case 0:
+ lbuf_append(lbuf, " Options: ");
+ for (i = 0; val_array[i] != NULL; ++i)
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ handle->fn_free_values(val_array);
+ lbuf_append(lbuf, "\n");
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoOption): != 0");
+ debug_return_int(count);
+ }
+
+ /* Get the command values from the entry. */
+ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
+ case 0:
+ lbuf_append(lbuf, _(" Commands:\n"));
+ for (i = 0; val_array[i] != NULL; ++i) {
+ lbuf_append(lbuf, "\t%s\n", val_array[i]);
+ count++;
+ }
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_get_values(sudoCommand): != 0");
+ debug_return_int(count);
+ }
+
+ debug_return_int(count);
+}
+
+static int
+sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
+ struct sss_sudo_rule *rule, struct lbuf *lbuf)
+{
+ char **val_array = NULL;
+ int count = 0, i;
+ debug_decl(sudo_sss_display_entry_short, SUDO_DEBUG_SSSD);
+
+ lbuf_append(lbuf, " (");
+
+ /* get the RunAsUser Values from the entry */
+ switch (handle->fn_get_values(rule, "sudoRunAsUser", &val_array)) {
+ case 0:
+ for (i = 0; val_array[i] != NULL; ++i)
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result. Trying old style (sudoRunAs).");
+ /* try old style */
+ switch (handle->fn_get_values(rule, "sudoRunAs", &val_array)) {
+ case 0:
+ for (i = 0; val_array[i] != NULL; ++i)
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ lbuf_append(lbuf, "%s", def_runas_default);
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_get_values(sudoRunAs): != 0");
+ debug_return_int(count);
+ }
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_get_values(sudoRunAsUser): != 0");
+ debug_return_int(count);
+ }
+
+ /* get the RunAsGroup Values from the entry */
+ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) {
+ case 0:
+ lbuf_append(lbuf, " : ");
+ for (i = 0; val_array[i] != NULL; ++i)
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAsGroup): != 0");
+ debug_return_int(count);
+ }
+
+ lbuf_append(lbuf, ") ");
+
+ /* get the Option Values from the entry */
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) {
+ case 0:
+ for (i = 0; val_array[i] != NULL; ++i) {
+ char *cp = val_array[i];
+ if (*cp == '!')
+ cp++;
+ if (strcmp(cp, "authenticate") == 0)
+ lbuf_append(lbuf, val_array[i][0] == '!' ?
+ "NOPASSWD: " : "PASSWD: ");
+ else if (strcmp(cp, "noexec") == 0)
+ lbuf_append(lbuf, val_array[i][0] == '!' ?
+ "EXEC: " : "NOEXEC: ");
+ else if (strcmp(cp, "setenv") == 0)
+ lbuf_append(lbuf, val_array[i][0] == '!' ?
+ "NOSETENV: " : "SETENV: ");
+ }
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_get_values(sudoOption): != 0");
+ debug_return_int(count);
+ }
+
+ /* get the Command Values from the entry */
+ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
+ case 0:
+ for (i = 0; val_array[i] != NULL; ++i) {
+ lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ count++;
+ }
+ handle->fn_free_values(val_array);
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ break;
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "handle->fn_get_values(sudoCommand): != 0");
+ debug_return_int(count);
+ }
+ lbuf_append(lbuf, "\n");
+
+ debug_return_int(count);
+}
+
+static int
+sudo_sss_display_privs(struct sudo_nss *nss, struct passwd *pw,
+ struct lbuf *lbuf)
+{
+ struct sudo_sss_handle *handle = nss->handle;
+
+ struct sss_sudo_result *sss_result = NULL;
+ struct sss_sudo_rule *rule;
+ unsigned int i, count = 0;
+ debug_decl(sudo_sss_display_privs, SUDO_DEBUG_SSSD);
+
+ if (handle == NULL)
+ debug_return_int(-1);
+ if (sudo_sss_checkpw(nss, pw) != 0)
+ debug_return_int(-1);
+
+ sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap search for command list");
+
+ sss_result = sudo_sss_result_get(nss, pw, NULL);
+
+ if (sss_result == NULL)
+ debug_return_int(count);
+
+ /* Display all matching entries. */
+ for (i = 0; i < sss_result->num_rules; ++i) {
+ rule = sss_result->rules + i;
+ if (long_list)
+ count += sudo_sss_display_entry_long(handle, rule, lbuf);
+ else
+ count += sudo_sss_display_entry_short(handle, rule, lbuf);
+ }
+
+ if (sss_result != NULL)
+ handle->fn_free_result(sss_result);
+
+ debug_return_int(count);
+}
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/stat.h>
+
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
#ifdef HAVE_LDAP
extern struct sudo_nss sudo_nss_ldap;
#endif
+#ifdef HAVE_SSSD
+extern struct sudo_nss sudo_nss_sss;
+#endif
-#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF)
+#if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF)
/*
* Read in /etc/nsswitch.conf
* Returns a tail queue of matches.
{
FILE *fp;
char *cp;
+#ifdef HAVE_SSSD
+ bool saw_sss = false;
+#endif
bool saw_files = false;
bool saw_ldap = false;
bool got_match = false;
if (strcasecmp(cp, "files") == 0 && !saw_files) {
tq_append(&snl, &sudo_nss_file);
got_match = true;
+#ifdef HAVE_LDAP
} else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
tq_append(&snl, &sudo_nss_ldap);
got_match = true;
+#endif
+#ifdef HAVE_SSSD
+ } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
+ tq_append(&snl, &sudo_nss_sss);
+ got_match = true;
+#endif
} else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
/* NOTFOUND affects the most recent entry */
tq_last(&snl)->ret_if_notfound = true;
got_match = false;
+ } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) {
+ /* SUCCESS affects the most recent entry */
+ tq_last(&snl)->ret_if_found = true;
+ got_match = false;
} else
got_match = false;
}
debug_return_ptr(&snl);
}
-#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
+#else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */
-# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
+# if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF)
/*
* Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
{
FILE *fp;
char *cp, *ep;
+#ifdef HAVE_SSSD
+ bool saw_sss = false;
+#endif
bool saw_files = false;
bool saw_ldap = false;
bool got_match = false;
tq_append(&snl, &sudo_nss_file);
got_match = true;
ep = &cp[5];
+#ifdef HAVE_LDAP
} else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
tq_append(&snl, &sudo_nss_ldap);
got_match = true;
ep = &cp[4];
+#endif
+#ifdef HAVE_SSSD
+ } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
+ (isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
+ tq_append(&snl, &sudo_nss_sss);
+ got_match = true;
+ ep = &cp[3];
+#endif
} else {
got_match = false;
}
static struct sudo_nss_list snl;
debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
+# ifdef HAVE_SSSD
+ tq_append(&snl, &sudo_nss_sss);
+# endif
# ifdef HAVE_LDAP
tq_append(&snl, &sudo_nss_ldap);
# endif
{
struct sudo_nss *nss;
struct lbuf defs, privs;
- int count, olen;
+ struct stat sb;
+ int cols, count, olen;
debug_decl(display_privs, SUDO_DEBUG_NSS)
- lbuf_init(&defs, output, 4, NULL, sudo_user.cols);
- lbuf_init(&privs, output, 4, NULL, sudo_user.cols);
+ cols = sudo_user.cols;
+ if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
+ cols = 0;
+ lbuf_init(&defs, output, 4, NULL, cols);
+ lbuf_init(&privs, output, 4, NULL, cols);
/* Display defaults from all sources. */
lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
tq_foreach_fwd(snl, nss) {
count += nss->display_privs(nss, pw, &privs);
}
- if (count) {
- lbuf_print(&defs);
- lbuf_print(&privs);
- } else {
- printf(_("User %s is not allowed to run sudo on %s.\n"), pw->pw_name,
- user_shost);
+ if (count == 0) {
+ defs.len = 0;
+ privs.len = 0;
+ lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"),
+ pw->pw_name, user_shost);
}
+ lbuf_print(&defs);
+ lbuf_print(&privs);
lbuf_destroy(&defs);
lbuf_destroy(&privs);
volatile int sources = 0;
sigaction_t sa;
struct sudo_nss *nss;
+ struct sudo_nss *nss_next;
debug_decl(sudoers_policy_open, SUDO_DEBUG_PLUGIN)
sudo_version = version;
set_perms(PERM_ROOT);
/* Open and parse sudoers, set global defaults */
- tq_foreach_fwd(snl, nss) {
- if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
- sources++;
- if (nss->setdefs(nss) != 0)
- log_error(NO_STDERR, _("problem with defaults entries"));
- }
+ for (nss = snl->first; nss != NULL; nss = nss_next) {
+ nss_next = nss->next;
+ if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
+ sources++;
+ if (nss->setdefs(nss) != 0)
+ log_error(NO_STDERR, _("problem with defaults entries"));
+ } else {
+ tq_remove(snl, nss);
+ }
}
if (sources == 0) {
warningx(_("no valid sudoers sources found, quitting"));
(void)sudo_auth_end_session(runas_pw);
/* Free remaining references to password and group entries. */
- pw_delref(sudo_user.pw);
- pw_delref(runas_pw);
- if (runas_gr != NULL)
- gr_delref(runas_gr);
- if (user_group_list != NULL)
- grlist_delref(user_group_list);
+ sudo_pw_delref(sudo_user.pw);
+ sudo_user.pw = NULL;
+ sudo_pw_delref(runas_pw);
+ runas_pw = NULL;
+ if (runas_gr != NULL) {
+ sudo_gr_delref(runas_gr);
+ runas_gr = NULL;
+ }
+ if (user_group_list != NULL) {
+ sudo_grlist_delref(user_group_list);
+ user_group_list = NULL;
+ }
+ efree(user_gids);
+ user_gids = NULL;
debug_return;
}
/*
* The init_session function is called before executing the command
* and before uid/gid changes occur.
+ * Returns 1 on success, 0 on failure and -1 on error.
*/
static int
sudoers_policy_init_session(struct passwd *pwd, char **user_env[])
if (sigsetjmp(error_jmp, 1)) {
/* called via error(), errorx() or log_fatal() */
- return -1;
+ debug_return_bool(-1);
}
debug_return_bool(sudo_auth_begin_session(pwd, user_env));
/* Find command in path */
cmnd_status = set_cmnd();
- if (cmnd_status == -1) {
- rval = -1;
- goto done;
- }
#ifdef HAVE_SETLOCALE
if (!setlocale(LC_ALL, def_sudoers_locale)) {
validated = nss->lookup(nss, validated, pwflag);
if (ISSET(validated, VALIDATE_OK)) {
- /* Handle "= auth" in netsvc.conf */
+ /* Handle [SUCCESS=return] */
if (nss->ret_if_found)
break;
} else {
pw = sudo_getpwnam(def_timestampowner);
if (pw != NULL) {
timestamp_uid = pw->pw_uid;
- pw_delref(pw);
+ sudo_pw_delref(pw);
} else {
log_error(0, _("timestamp owner (%s): No such user"),
def_timestampowner);
/* Require a password if sudoers says so. */
rval = check_user(validated, sudo_mode);
- if (rval != true)
+ if (rval != true) {
+ if (!ISSET(validated, VALIDATE_OK))
+ log_denial(validated, false);
goto done;
+ }
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
/* XXX - causes confusion when root is not listed in sudoers */
if ((pw = sudo_getpwnam(prev_user)) != NULL) {
if (sudo_user.pw != NULL)
- pw_delref(sudo_user.pw);
+ sudo_pw_delref(sudo_user.pw);
sudo_user.pw = pw;
}
}
/* If the user was not allowed to run the command we are done. */
if (!ISSET(validated, VALIDATE_OK)) {
- if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
- audit_failure(NewArgv, _("No user or host"));
- log_denial(validated, 1);
- } else {
- if (def_path_info) {
- /*
- * We'd like to not leak path info at all here, but that can
- * *really* confuse the users. To really close the leak we'd
- * have to say "not allowed to run foo" even when the problem
- * is just "no foo in path" since the user can trivially set
- * their path to just contain a single dir.
- */
- log_denial(validated,
- !(cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND));
- if (cmnd_status == NOT_FOUND)
- warningx(_("%s: command not found"), user_cmnd);
- else if (cmnd_status == NOT_FOUND_DOT)
- warningx(_("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run."), user_cmnd, user_cmnd, user_cmnd);
- } else {
- /* Just tell the user they are not allowed to run foo. */
- log_denial(validated, 1);
- }
- audit_failure(NewArgv, _("validation failure"));
- }
+ log_failure(validated, cmnd_status);
goto bad;
}
gid_t egid;
size_t glsize;
char *cp, *gid_list;
- struct group_list *grlist = get_group_list(runas_pw);
+ struct group_list *grlist = sudo_get_grlist(runas_pw);
/* We reserve an extra spot in the list for the effective gid. */
glsize = sizeof("runas_groups=") - 1 +
(unsigned int)runas_pw->pw_gid;
len = snprintf(cp, glsize - (cp - gid_list), "%u", egid);
if (len < 0 || len >= glsize - (cp - gid_list))
- errorx(1, _("internal error, runas_groups overflow"));
+ errorx(1, _("internal error, %s overflow"), "runas_groups");
cp += len;
for (i = 0; i < grlist->ngids; i++) {
if (grlist->gids[i] != egid) {
len = snprintf(cp, glsize - (cp - gid_list), ",%u",
(unsigned int) grlist->gids[i]);
if (len < 0 || len >= glsize - (cp - gid_list))
- errorx(1, _("internal error, runas_groups overflow"));
+ errorx(1, _("internal error, %s overflow"), "runas_groups");
cp += len;
}
}
command_info[info_len++] = gid_list;
- grlist_delref(grlist);
+ sudo_grlist_delref(grlist);
}
if (def_closefrom >= 0)
easprintf(&command_info[info_len++], "closefrom=%d", def_closefrom);
if (user_type != NULL)
command_info[info_len++] = fmt_string("selinux_type", user_type);
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ if (runas_privs != NULL)
+ command_info[info_len++] = fmt_string("runas_privs", runas_privs);
+ if (runas_limitprivs != NULL)
+ command_info[info_len++] = fmt_string("runas_limitprivs", runas_limitprivs);
+#endif /* HAVE_SELINUX */
/* Must audit before uid change. */
audit_success(NewArgv);
}
rval = sudoers_policy_main(argc, argv, I_LISTPW, NULL, NULL, NULL, NULL);
if (list_user) {
- pw_delref(list_pw);
+ sudo_pw_delref(list_pw);
list_pw = NULL;
}
* Get group list.
*/
if (user_group_list == NULL)
- user_group_list = get_group_list(sudo_user.pw);
+ user_group_list = sudo_get_grlist(sudo_user.pw);
/* Set runas callback. */
sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default;
for (to = user_args, av = NewArgv + 1; *av; av++) {
n = strlcpy(to, *av, size - (to - user_args));
if (n >= size - (to - user_args))
- errorx(1, _("internal error, set_cmnd() overflow"));
+ errorx(1, _("internal error, %s overflow"), "set_cmnd()");
to += n;
*to++ = ' ';
}
}
#endif /* HAVE_LOGIN_CAP_H */
+#ifndef AI_FQDN
+# define AI_FQDN AI_CANONNAME
+#endif
+
/*
* Look up the fully qualified domain name and set user_host and user_shost.
+ * Use AI_FQDN if available since "canonical" is not always the same as fqdn.
*/
void
set_fqdn(void)
zero_bytes(&hint, sizeof(hint));
hint.ai_family = PF_UNSPEC;
- hint.ai_flags = AI_CANONNAME;
+ hint.ai_flags = AI_FQDN;
if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) {
log_error(MSG_ONLY, _("unable to resolve host %s"), user_host);
} else {
efree(user_host);
user_host = estrdup(res0->ai_canonname);
freeaddrinfo(res0);
+ if ((p = strchr(user_host, '.')) != NULL)
+ user_shost = estrndup(user_host, (size_t)(p - user_host));
+ else
+ user_shost = user_host;
}
- if ((p = strchr(user_host, '.')) != NULL)
- user_shost = estrndup(user_host, (size_t)(p - user_host));
- else
- user_shost = user_host;
debug_return;
}
debug_decl(set_runaspw, SUDO_DEBUG_PLUGIN)
if (runas_pw != NULL)
- pw_delref(runas_pw);
+ sudo_pw_delref(runas_pw);
if (*user == '#') {
if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL)
runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);
debug_decl(set_runasgr, SUDO_DEBUG_PLUGIN)
if (runas_gr != NULL)
- gr_delref(runas_gr);
+ sudo_gr_delref(runas_gr);
if (*group == '#') {
if ((runas_gr = sudo_getgrgid(atoi(group + 1))) == NULL)
runas_gr = sudo_fakegrnam(group);
}
if (MATCHES(*cur, "runas_user=")) {
runas_user = *cur + sizeof("runas_user=") - 1;
+ sudo_user.flags |= RUNAS_USER_SPECIFIED;
continue;
}
if (MATCHES(*cur, "runas_group=")) {
runas_group = *cur + sizeof("runas_group=") - 1;
+ sudo_user.flags |= RUNAS_GROUP_SPECIFIED;
continue;
}
if (MATCHES(*cur, "prompt=")) {
def_use_loginclass = true;
continue;
}
+#ifdef HAVE_PRIV_SET
+ if (MATCHES(*cur, "runas_privs=")) {
+ def_privs = *cur + sizeof("runas_privs=") - 1;
+ continue;
+ }
+ if (MATCHES(*cur, "runas_limitprivs=")) {
+ def_limitprivs = *cur + sizeof("runas_limitprivs=") - 1;
+ continue;
+ }
+#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (MATCHES(*cur, "selinux_role=")) {
user_role = *cur + sizeof("selinux_role=") - 1;
sudo_user.cols = atoi(*cur + sizeof("cols=") - 1);
continue;
}
+ if (MATCHES(*cur, "sid=")) {
+ sudo_user.sid = atoi(*cur + sizeof("sid=") - 1);
+ continue;
+ }
}
if (user_cwd == NULL)
user_cwd = "unknown";
break;
cp++; /* skip over comma */
}
- set_group_list(user_name, gids, ngids);
- efree(gids);
+ user_gids = gids;
+ user_ngids = ngids;
}
/* Setup debugging if indicated. */
register_hook(&hook);
}
-struct policy_plugin sudoers_policy = {
+__dso_public struct policy_plugin sudoers_policy = {
SUDO_POLICY_PLUGIN,
SUDO_API_VERSION,
sudoers_policy_open,
--- /dev/null
+sudoers_policy
+sudoers_io
+sudo_getgrgid
+sudo_getgrnam
+sudo_gr_addref
+sudo_gr_delref
#ifdef HAVE_SELINUX
char *role;
char *type;
+#endif
+#ifdef HAVE_PRIV_SET
+ char *privs;
+ char *limitprivs;
#endif
char *cwd;
char *iolog_file;
+ GETGROUPS_T *gids;
+ int ngids;
int closefrom;
int lines;
int cols;
+ int flags;
uid_t uid;
uid_t gid;
+ pid_t sid;
};
+/*
+ * sudo_user flag values
+ */
+#define RUNAS_USER_SPECIFIED 0x01
+#define RUNAS_GROUP_SPECIFIED 0x02
+
/*
* Return values for sudoers_lookup(), also used as arguments for log_auth()
* Note: cannot use '0' as a value here.
#define FLAG_NO_USER 0x020
#define FLAG_NO_HOST 0x040
#define FLAG_NO_CHECK 0x080
+#define FLAG_NON_INTERACTIVE 0x100
+#define FLAG_BAD_PASSWORD 0x200
+#define FLAG_AUTH_ERROR 0x400
/*
* find_path()/load_cmnd() return values
#define user_name (sudo_user.name)
#define user_uid (sudo_user.uid)
#define user_gid (sudo_user.gid)
+#define user_sid (sudo_user.sid)
#define user_passwd (sudo_user.pw->pw_passwd)
-#define user_uuid (sudo_user.uuid)
#define user_dir (sudo_user.pw->pw_dir)
+#define user_gids (sudo_user.gids)
+#define user_ngids (sudo_user.ngids)
#define user_group_list (sudo_user.group_list)
#define user_tty (sudo_user.tty)
#define user_ttypath (sudo_user.ttypath)
#define user_role (sudo_user.role)
#define user_type (sudo_user.type)
#define user_closefrom (sudo_user.closefrom)
+#define runas_privs (sudo_user.privs)
+#define runas_limitprivs (sudo_user.limitprivs)
#ifdef __TANDEM
# define ROOT_UID 65535
bool user_is_exempt(void);
/* sudo_auth.c */
-int verify_user(struct passwd *pw, char *prompt);
+int verify_user(struct passwd *pw, char *prompt, int validated);
int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
int sudo_auth_end_session(struct passwd *pw);
int sudo_auth_init(struct passwd *pw);
bool display_cmnd(struct sudo_nss_list *, struct passwd *);
/* pwutil.c */
-void sudo_setgrent(void);
+__dso_public struct group *sudo_getgrgid(gid_t);
+__dso_public struct group *sudo_getgrnam(const char *);
+__dso_public void sudo_gr_addref(struct group *);
+__dso_public void sudo_gr_delref(struct group *);
+bool user_in_group(struct passwd *, const char *);
+struct group *sudo_fakegrnam(const char *);
+struct group_list *sudo_get_grlist(struct passwd *pw);
+struct passwd *sudo_fakepwnam(const char *, gid_t);
+struct passwd *sudo_fakepwnamid(const char *user, uid_t uid, gid_t gid);
+struct passwd *sudo_getpwnam(const char *);
+struct passwd *sudo_getpwuid(uid_t);
void sudo_endgrent(void);
-void sudo_setpwent(void);
void sudo_endpwent(void);
-void sudo_setspent(void);
void sudo_endspent(void);
-struct group_list *get_group_list(struct passwd *pw);
-void set_group_list(const char *, GETGROUPS_T *gids, int ngids);
-struct passwd *sudo_getpwnam(const char *);
-struct passwd *sudo_fakepwnamid(const char *user, uid_t uid, gid_t gid);
-struct passwd *sudo_fakepwnam(const char *, gid_t);
-struct passwd *sudo_getpwuid(uid_t);
-struct group *sudo_getgrnam(const char *);
-struct group *sudo_fakegrnam(const char *);
-struct group *sudo_getgrgid(gid_t);
-void grlist_addref(struct group_list *);
-void grlist_delref(struct group_list *);
-void gr_addref(struct group *);
-void gr_delref(struct group *);
-void pw_addref(struct passwd *);
-void pw_delref(struct passwd *);
-bool user_in_group(struct passwd *, const char *);
+void sudo_grlist_addref(struct group_list *);
+void sudo_grlist_delref(struct group_list *);
+void sudo_pw_addref(struct passwd *);
+void sudo_pw_delref(struct passwd *);
+void sudo_setgrent(void);
+void sudo_setpwent(void);
+void sudo_setspent(void);
/* timestr.c */
char *get_timestr(time_t, int);
int get_boottime(struct timeval *);
/* iolog.c */
-void io_nextid(char *iolog_dir, char sessid[7]);
+void io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7]);
/* iolog_path.c */
char *expand_iolog_path(const char *prefix, const char *dir, const char *file,
+++ /dev/null
-sudoers_policy
-sudoers_io
* 39 sudo 1.7.6/1.8.1, White space is now permitted within a User_List in a per-user Defaults definition.
* 40 sudo 1.7.6/1.8.1, A group ID is now allowed in a User_List or Runas_List.
* 41 sudo 1.7.6/1.8.4, Support for relative paths in #include and #includedir
+ * 42 sudo 1.8.6, Support for empty Runas_List (with or without a colon) to mean the invoking user. Support for Solaris Privilege Sets (PRIVS= and LIMITPRIVS=).
*/
#ifndef _SUDOERS_VERSION_H
#define _SUDOERS_VERSION_H
-#define SUDOERS_GRAMMAR_VERSION 41
+#define SUDOERS_GRAMMAR_VERSION 42
#endif /* _SUDOERS_VERSION_H */
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/uio.h>
#ifdef HAVE_SYS_SYSMACROS_H
# include <sys/sysmacros.h>
#endif
static int parse_timing(const char *buf, const char *decimal, int *idx, double *seconds, size_t *nbytes);
static struct log_info *parse_logfile(char *logfile);
static void free_log_info(struct log_info *li);
+static size_t atomic_writev(int fd, struct iovec *iov, int iovcnt);
#ifdef HAVE_REGCOMP
# define REGEX_T regex_t
int
main(int argc, char *argv[])
{
- int ch, idx, plen, nready, exitcode = 0, rows = 0, cols = 0;
- bool interactive = false, listonly = false;
+ int ch, idx, plen, exitcode = 0, rows = 0, cols = 0;
+ bool interactive = false, listonly = false, need_nlcr = false;
const char *id, *user = NULL, *pattern = NULL, *tty = NULL, *decimal = ".";
char path[PATH_MAX], buf[LINE_MAX], *cp, *ep;
double seconds, to_wait, speed = 1.0, max_wait = 0;
- fd_set *fdsw;
sigaction_t sa;
- size_t len, nbytes, nread, off;
- ssize_t nwritten;
+ size_t len, nbytes, nread;
struct log_info *li;
+ struct iovec *iov = NULL;
+ int iovcnt = 0, iovmax = 0;
debug_decl(main, SUDO_DEBUG_MAIN)
#if defined(SUDO_DEVEL) && defined(__OpenBSD__)
(void) fcntl(STDIN_FILENO, F_SETFL, ch | O_NONBLOCK);
if (!term_raw(STDIN_FILENO, 1))
error(1, _("unable to set tty to raw mode"));
+ iovcnt = 0;
+ iovmax = 32;
+ iov = ecalloc(iovmax, sizeof(*iov));
}
- fdsw = ecalloc(howmany(STDOUT_FILENO + 1, NFDBITS), sizeof(fd_mask));
/*
* Timing file consists of line of the format: "%f %d\n"
#else
while (fgets(buf, sizeof(buf), io_fds[IOFD_TIMING].f) != NULL) {
#endif
+ char last_char = '\0';
+
if (!parse_timing(buf, decimal, &idx, &seconds, &nbytes))
errorx(1, _("invalid timing file line: %s"), buf);
if (io_fds[idx].v == NULL)
continue;
+ /* Check whether we need to convert newline to CR LF pairs. */
+ if (interactive)
+ need_nlcr = (idx == IOFD_STDOUT || idx == IOFD_STDERR);
+
/* All output is sent to stdout. */
while (nbytes != 0) {
if (nbytes > sizeof(buf))
nread = fread(buf, 1, len, io_fds[idx].f);
#endif
nbytes -= nread;
- off = 0;
- do {
- /* no stdio, must be unbuffered */
- nwritten = write(STDOUT_FILENO, buf + off, nread - off);
- if (nwritten == -1) {
- if (errno == EINTR)
- continue;
- if (errno == EAGAIN) {
- FD_SET(STDOUT_FILENO, fdsw);
- do {
- nready = select(STDOUT_FILENO + 1, NULL, fdsw, NULL, NULL);
- } while (nready == -1 && errno == EINTR);
- if (nready == 1)
- continue;
+
+ /* Convert newline to carriage return + linefeed if needed. */
+ if (need_nlcr) {
+ size_t remainder = nread;
+ size_t linelen;
+ iovcnt = 0;
+ cp = buf;
+ ep = cp - 1;
+ /* Handle a "\r\n" pair that spans a buffer. */
+ if (last_char == '\r' && buf[0] == '\n') {
+ ep++;
+ remainder--;
+ }
+ while ((ep = memchr(ep + 1, '\n', remainder)) != NULL) {
+ /* Is there already a carriage return? */
+ if (cp != ep && ep[-1] == '\r') {
+ remainder = (size_t)(&buf[nread - 1] - ep);
+ continue;
}
- error(1, _("writing to standard output"));
+
+ /* Store the line in iov followed by \r\n pair. */
+ if (iovcnt + 3 > iovmax) {
+ iovmax <<= 1;
+ iov = erealloc3(iov, iovmax, sizeof(*iov));
+ }
+ linelen = (size_t)(ep - cp) + 1;
+ iov[iovcnt].iov_base = cp;
+ iov[iovcnt].iov_len = linelen - 1; /* not including \n */
+ iovcnt++;
+ iov[iovcnt].iov_base = "\r\n";
+ iov[iovcnt].iov_len = 2;
+ iovcnt++;
+ cp = ep + 1;
+ remainder -= linelen;
+ }
+ if (cp - buf != nread) {
+ /*
+ * Partial line without a linefeed or multiple lines
+ * with \r\n pairs.
+ */
+ iov[iovcnt].iov_base = cp;
+ iov[iovcnt].iov_len = nread - (cp - buf);
+ iovcnt++;
}
- off += nwritten;
- } while (nread > off);
+ last_char = buf[nread - 1]; /* stash last char of old buffer */
+ } else {
+ /* No conversion needed. */
+ iov[0].iov_base = buf;
+ iov[0].iov_len = nread;
+ iovcnt = 1;
+ }
+ if (atomic_writev(STDOUT_FILENO, iov, iovcnt) == -1)
+ error(1, _("writing to standard output"));
}
}
term_restore(STDIN_FILENO, 1);
static int
open_io_fd(char *path, int len, const char *suffix, union io_fd *fdp)
{
+ debug_decl(open_io_fd, SUDO_DEBUG_UTIL)
+
path[len] = '\0';
strlcat(path, suffix, PATH_MAX);
- debug_decl(open_io_fd, SUDO_DEBUG_UTIL)
#ifdef HAVE_ZLIB_H
fdp->g = gzopen(path, "r");
debug_return_int(fdp->v ? 0 : -1);
}
+/*
+ * Call writev(), restarting as needed and handling EAGAIN since
+ * fd may be in non-blocking mode.
+ */
+static size_t
+atomic_writev(int fd, struct iovec *iov, int iovcnt)
+{
+ ssize_t n, nwritten = 0;
+ size_t count, remainder, nbytes = 0;
+ int i;
+ debug_decl(atomic_writev, SUDO_DEBUG_UTIL)
+
+ for (i = 0; i < iovcnt; i++)
+ nbytes += iov[i].iov_len;
+
+ for (;;) {
+ n = writev(STDOUT_FILENO, iov, iovcnt);
+ if (n > 0) {
+ nwritten += n;
+ remainder = nbytes - nwritten;
+ if (remainder == 0)
+ break;
+ /* short writev, adjust iov and do the rest. */
+ count = 0;
+ i = iovcnt;
+ while (i--) {
+ count += iov[i].iov_len;
+ if (count == remainder) {
+ iov += i;
+ iovcnt -= i;
+ break;
+ }
+ if (count > remainder) {
+ size_t off = (count - remainder);
+ /* XXX - side effect prevents iov from being const */
+ iov[i].iov_base = (char *)iov[i].iov_base + off;
+ iov[i].iov_len -= off;
+ iov += i;
+ iovcnt -= i;
+ break;
+ }
+ }
+ continue;
+ }
+ if (n == 0 || errno == EAGAIN) {
+ int nready;
+ fd_set fdsw;
+ FD_ZERO(&fdsw);
+ FD_SET(STDOUT_FILENO, &fdsw);
+ do {
+ nready = select(STDOUT_FILENO + 1, NULL, &fdsw, NULL, NULL);
+ } while (nready == -1 && errno == EINTR);
+ if (nready == 1)
+ continue;
+ }
+ if (errno == EINTR)
+ continue;
+ nwritten = -1;
+ break;
+ }
+ debug_return_size_t(nwritten);
+}
+
/*
* Build expression list from search args
*/
debug_return_ptr(li);
bad:
- fclose(fp);
+ if (fp != NULL)
+ fclose(fp);
efree(buf);
free_log_info(li);
debug_return_ptr(NULL);
size_t sdlen, sessions_len = 0, sessions_size = 36*36;
int i, len;
char pathbuf[PATH_MAX], **sessions = NULL;
+#ifdef HAVE_STRUCT_DIRENT_D_TYPE
+ bool checked_type = true;
+#else
+ const bool checked_type = false;
+#endif
debug_decl(find_sessions, SUDO_DEBUG_UTIL)
d = opendir(dir);
(dp->d_name[1] == '.' && dp->d_name[2] == '\0')))
continue;
#ifdef HAVE_STRUCT_DIRENT_D_TYPE
- if (dp->d_type != DT_DIR)
- continue;
+ if (checked_type) {
+ if (dp->d_type != DT_DIR) {
+ /* Not all file systems support d_type. */
+ if (dp->d_type != DT_UNKNOWN)
+ continue;
+ checked_type = false;
+ }
+ }
#endif
/* Add name to session list. */
} else {
/* Strip off "/log" and recurse if a dir. */
pathbuf[sdlen + len - 4] = '\0';
-#ifndef HAVE_STRUCT_DIRENT_D_TYPE
- if (lstat(pathbuf, &sb) == 0 && S_ISDIR(sb.st_mode))
-#endif
+ if (checked_type || (lstat(pathbuf, &sb) == 0 && S_ISDIR(sb.st_mode)))
find_sessions(pathbuf, re, user, tty);
}
}
#include "interfaces.h"
#include "parse.h"
#include "sudo_conf.h"
+#include "secure_path.h"
#include <gram.h>
/*
dflag = 0;
grfile = pwfile = NULL;
- while ((ch = getopt(argc, argv, "dg:G:h:p:tu:")) != -1) {
+ while ((ch = getopt(argc, argv, "dg:G:h:P:p:tu:U:")) != -1) {
switch (ch) {
case 'd':
dflag = 1;
user_host = optarg;
break;
case 'G':
- grfile = optarg;
+ sudoers_gid = (gid_t)atoi(optarg);
break;
case 'g':
runas_group = optarg;
case 'p':
pwfile = optarg;
break;
+ case 'P':
+ grfile = optarg;
+ break;
case 't':
trace_print = testsudoers_print;
break;
+ case 'U':
+ sudoers_uid = (uid_t)atoi(optarg);
+ break;
case 'u':
runas_user = optarg;
break;
for (to = user_args, from = argv; *from; from++) {
n = strlcpy(to, *from, size - (to - user_args));
if (n >= size - (to - user_args))
- errorx(1, _("internal error, init_vars() overflow"));
+ errorx(1, _("internal error, %s overflow"), "init_vars()");
to += n;
*to++ = ' ';
}
set_interfaces(p);
/* Allocate space for data structures in the parser. */
- init_parser("sudoers", 0);
+ init_parser("sudoers", false);
if (yyparse() != 0 || parse_error) {
parse_error = true;
puts("\thost matched");
tq_foreach_rev(&priv->cmndlist, cs) {
runas_match = runaslist_matches(&cs->runasuserlist,
- &cs->runasgrouplist);
+ &cs->runasgrouplist, NULL, NULL);
if (runas_match == ALLOW) {
puts("\trunas matched");
cmnd_match = cmnd_matches(cs->cmnd);
debug_decl(main, SUDO_DEBUG_UTIL)
if (runas_pw != NULL)
- pw_delref(runas_pw);
+ sudo_pw_delref(runas_pw);
if (*user == '#') {
if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL)
runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);
debug_decl(main, SUDO_DEBUG_UTIL)
if (runas_gr != NULL)
- gr_delref(runas_gr);
+ sudo_gr_delref(runas_gr);
if (*group == '#') {
if ((runas_gr = sudo_getgrgid(atoi(group + 1))) == NULL)
runas_gr = sudo_fakegrnam(group);
}
FILE *
-open_sudoers(const char *path, bool doedit, bool *keepopen)
+open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
{
+ struct stat sb;
+ FILE *fp = NULL;
+ char *sudoers_base;
debug_decl(open_sudoers, SUDO_DEBUG_UTIL)
- debug_return_ptr(fopen(path, "r"));
+ sudoers_base = strrchr(sudoers, '/');
+ if (sudoers_base != NULL)
+ sudoers_base++;
+
+ switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) {
+ case SUDO_PATH_SECURE:
+ fp = fopen(sudoers, "r");
+ break;
+ case SUDO_PATH_MISSING:
+ warning("unable to stat %s", sudoers_base);
+ break;
+ case SUDO_PATH_BAD_TYPE:
+ warningx("%s is not a regular file", sudoers_base);
+ break;
+ case SUDO_PATH_WRONG_OWNER:
+ warningx("%s should be owned by uid %u",
+ sudoers_base, (unsigned int) sudoers_uid);
+ break;
+ case SUDO_PATH_WORLD_WRITABLE:
+ warningx("%s is world writable", sudoers_base);
+ break;
+ case SUDO_PATH_GROUP_WRITABLE:
+ warningx("%s should be owned by gid %u",
+ sudoers_base, (unsigned int) sudoers_gid);
+ break;
+ default:
+ /* NOTREACHED */
+ break;
+ }
+
+ debug_return_ptr(fp);
}
void
if (cs->type)
printf("TYPE=%s ", cs->type);
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ if (cs->privs)
+ printf("PRIVS=%s ", cs->privs);
+ if (cs->limitprivs)
+ printf("LIMITPRIVS=%s ", cs->limitprivs);
+#endif /* HAVE_PRIV_SET */
if (cs->tags.nopasswd != UNSPEC && cs->tags.nopasswd != tags.nopasswd)
printf("%sPASSWD: ", cs->tags.nopasswd ? "NO" : "");
if (cs->tags.noexec != UNSPEC && cs->tags.noexec != tags.noexec)
void
usage(void)
{
- (void) fprintf(stderr, "usage: %s [-dt] [-G grfile] [-g group] [-h host] [-p pwfile] [-u user] <user> <command> [args]\n", getprogname());
+ (void) fprintf(stderr, "usage: %s [-dt] [-G sudoers_gid] [-g group] [-h host] [-p grfile] [-p pwfile] [-U sudoers_uid] [-u user] <user> <command> [args]\n", getprogname());
exit(1);
}
/* A lexical scanner generated by flex */
/* Scanner skeleton version:
- * $Header: /cvs/src/usr.bin/lex/flex.skl,v 1.11 2010/08/04 18:24:50 millert Exp $
+ * $Header: /home/cvs/openbsd/src/usr.bin/lex/flex.skl,v 1.11 2010/08/04 18:24:50 millert Exp $
*/
#define FLEX_SCANNER
*yy_cp = '\0'; \
yy_c_buf_p = yy_cp;
-#define YY_NUM_RULES 59
-#define YY_END_OF_BUFFER 60
-static yyconst short int yy_accept[607] =
+#define YY_NUM_RULES 61
+#define YY_END_OF_BUFFER 62
+static yyconst short int yy_accept[622] =
{ 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 60, 47, 55, 54, 53, 46, 58, 32,
- 48, 49, 32, 50, 47, 47, 47, 47, 52, 51,
- 58, 42, 42, 42, 42, 42, 42, 42, 42, 42,
- 42, 58, 47, 47, 55, 58, 42, 42, 42, 42,
- 42, 2, 58, 1, 47, 47, 17, 16, 17, 16,
- 16, 58, 58, 58, 3, 9, 8, 9, 4, 9,
- 5, 58, 13, 13, 13, 11, 12, 47, 0, 55,
- 53, 0, 57, 0, 47, 34, 0, 32, 0, 33,
- 0, 45, 45, 0, 47, 47, 0, 47, 47, 47,
-
- 47, 0, 37, 42, 42, 42, 42, 42, 42, 42,
- 42, 42, 42, 47, 56, 47, 55, 0, 0, 0,
- 0, 0, 0, 47, 47, 47, 47, 47, 2, 1,
- 0, 1, 43, 43, 0, 47, 17, 17, 15, 14,
- 15, 0, 0, 3, 9, 0, 6, 7, 9, 9,
- 13, 0, 13, 13, 0, 10, 0, 0, 0, 34,
- 34, 0, 0, 47, 47, 47, 47, 47, 0, 0,
- 37, 37, 42, 39, 42, 42, 42, 42, 42, 42,
- 42, 42, 42, 42, 47, 0, 0, 0, 0, 0,
- 0, 47, 47, 47, 47, 47, 0, 47, 10, 0,
-
- 47, 47, 47, 47, 47, 47, 0, 38, 38, 38,
- 0, 0, 37, 37, 37, 37, 37, 37, 37, 42,
- 42, 42, 42, 42, 42, 42, 42, 40, 42, 41,
- 47, 0, 0, 0, 0, 0, 0, 47, 47, 47,
- 47, 47, 47, 47, 0, 0, 38, 38, 38, 0,
- 37, 37, 0, 37, 37, 37, 37, 37, 37, 37,
- 37, 37, 37, 37, 0, 25, 42, 42, 42, 42,
- 42, 42, 42, 42, 47, 0, 0, 0, 0, 47,
- 47, 47, 47, 47, 47, 47, 47, 0, 38, 0,
- 37, 37, 37, 0, 0, 0, 37, 37, 37, 37,
-
- 37, 37, 37, 37, 37, 37, 37, 37, 37, 42,
- 42, 42, 42, 42, 42, 42, 42, 47, 0, 0,
- 0, 47, 47, 47, 35, 35, 35, 0, 0, 37,
- 37, 37, 37, 37, 37, 37, 0, 0, 0, 0,
+ 0, 0, 62, 49, 57, 56, 55, 48, 60, 32,
+ 50, 51, 32, 52, 49, 49, 49, 49, 54, 53,
+ 60, 44, 44, 44, 44, 44, 44, 44, 44, 44,
+ 44, 60, 49, 49, 57, 60, 44, 44, 44, 44,
+ 44, 2, 60, 1, 49, 44, 44, 49, 17, 16,
+ 17, 16, 16, 60, 60, 60, 3, 9, 8, 9,
+ 4, 9, 5, 60, 13, 13, 13, 11, 12, 49,
+ 0, 57, 55, 0, 59, 0, 49, 34, 0, 32,
+ 0, 33, 0, 47, 47, 0, 49, 49, 0, 49,
+
+ 49, 49, 49, 0, 37, 44, 44, 44, 44, 44,
+ 44, 44, 44, 44, 44, 44, 44, 49, 58, 49,
+ 57, 0, 0, 0, 0, 0, 0, 49, 49, 49,
+ 49, 49, 2, 1, 0, 1, 45, 45, 0, 49,
+ 17, 17, 15, 14, 15, 0, 0, 3, 9, 0,
+ 6, 7, 9, 9, 13, 0, 13, 13, 0, 10,
+ 0, 0, 0, 34, 34, 0, 0, 49, 49, 49,
+ 49, 49, 0, 0, 37, 37, 44, 39, 44, 44,
+ 44, 44, 44, 44, 44, 44, 44, 44, 44, 44,
+ 49, 0, 0, 0, 0, 0, 0, 49, 49, 49,
+
+ 49, 49, 0, 49, 10, 0, 49, 49, 49, 49,
+ 49, 49, 0, 38, 38, 38, 0, 0, 37, 37,
+ 37, 37, 37, 37, 37, 44, 44, 44, 44, 44,
+ 44, 44, 44, 44, 44, 40, 44, 41, 49, 0,
+ 0, 0, 0, 0, 0, 49, 49, 49, 49, 49,
+ 49, 49, 0, 0, 38, 38, 38, 0, 37, 37,
0, 37, 37, 37, 37, 37, 37, 37, 37, 37,
- 37, 37, 37, 37, 37, 42, 42, 0, 24, 42,
- 42, 42, 42, 0, 23, 0, 26, 47, 0, 0,
- 0, 47, 47, 47, 47, 35, 35, 35, 35, 0,
- 37, 0, 37, 37, 37, 37, 37, 37, 37, 37,
- 37, 37, 37, 0, 0, 0, 37, 37, 37, 37,
+ 37, 37, 0, 25, 44, 44, 44, 44, 44, 44,
+ 44, 44, 42, 44, 49, 0, 0, 0, 0, 49,
+ 49, 49, 49, 49, 49, 49, 49, 0, 38, 0,
- 37, 37, 37, 37, 37, 37, 37, 37, 37, 42,
- 42, 42, 42, 42, 42, 44, 0, 0, 0, 47,
- 20, 43, 36, 36, 36, 36, 37, 0, 0, 0,
- 37, 37, 37, 37, 37, 37, 37, 37, 37, 37,
- 37, 37, 37, 0, 0, 0, 0, 0, 37, 37,
- 37, 37, 37, 37, 37, 37, 42, 42, 42, 42,
- 0, 22, 0, 27, 0, 20, 0, 0, 47, 0,
- 47, 47, 47, 36, 36, 36, 36, 0, 0, 0,
+ 37, 37, 37, 0, 0, 0, 37, 37, 37, 37,
+ 37, 37, 37, 37, 37, 37, 37, 37, 37, 44,
+ 44, 44, 44, 44, 44, 44, 44, 44, 49, 0,
+ 0, 0, 49, 49, 49, 35, 35, 35, 0, 0,
+ 37, 37, 37, 37, 37, 37, 37, 0, 0, 0,
0, 0, 37, 37, 37, 37, 37, 37, 37, 37,
- 37, 37, 37, 37, 37, 37, 37, 37, 37, 37,
+ 37, 37, 37, 37, 37, 37, 44, 44, 44, 0,
+ 24, 44, 44, 44, 44, 0, 23, 0, 26, 49,
+ 0, 0, 0, 49, 49, 49, 49, 35, 35, 35,
+ 35, 0, 37, 0, 37, 37, 37, 37, 37, 37,
- 37, 37, 0, 30, 42, 42, 42, 0, 0, 0,
- 18, 0, 21, 20, 0, 0, 0, 0, 0, 20,
- 0, 47, 47, 47, 0, 0, 0, 37, 37, 37,
+ 37, 37, 37, 37, 37, 0, 0, 0, 37, 37,
37, 37, 37, 37, 37, 37, 37, 37, 37, 37,
- 37, 37, 37, 37, 37, 0, 28, 42, 42, 21,
- 0, 0, 20, 47, 47, 47, 47, 47, 0, 0,
+ 37, 44, 44, 44, 44, 44, 44, 44, 46, 0,
+ 0, 0, 49, 20, 45, 36, 36, 36, 36, 37,
0, 0, 0, 37, 37, 37, 37, 37, 37, 37,
- 37, 0, 31, 42, 0, 47, 47, 47, 37, 37,
- 37, 37, 37, 37, 0, 29, 0, 0, 19, 47,
- 47, 47, 47, 47, 37, 37, 37, 37, 37, 35,
+ 37, 37, 37, 37, 37, 37, 0, 0, 0, 0,
+ 0, 37, 37, 37, 37, 37, 37, 37, 37, 44,
+ 44, 44, 44, 44, 0, 22, 0, 27, 0, 20,
+ 0, 0, 49, 0, 49, 49, 49, 36, 36, 36,
+ 36, 0, 0, 0, 0, 0, 37, 37, 37, 37,
- 35, 35, 35, 35, 35, 0
+ 37, 37, 37, 37, 37, 37, 37, 37, 37, 37,
+ 37, 37, 37, 37, 37, 37, 43, 0, 30, 44,
+ 44, 44, 0, 0, 0, 18, 0, 21, 20, 0,
+ 0, 0, 0, 0, 20, 0, 49, 49, 49, 0,
+ 0, 0, 37, 37, 37, 37, 37, 37, 37, 37,
+ 37, 37, 37, 37, 37, 37, 37, 37, 37, 37,
+ 0, 28, 44, 44, 21, 0, 0, 20, 49, 49,
+ 49, 49, 49, 0, 0, 0, 0, 0, 37, 37,
+ 37, 37, 37, 37, 37, 37, 0, 31, 44, 0,
+ 49, 49, 49, 37, 37, 37, 37, 37, 37, 0,
+
+ 29, 0, 0, 19, 49, 49, 49, 49, 49, 37,
+ 37, 37, 37, 37, 35, 35, 35, 35, 35, 35,
+ 0
} ;
static yyconst int yy_ec[256] =
9, 10, 11, 12, 13, 14, 15, 16, 17, 18,
19, 20, 21, 22, 22, 22, 23, 24, 1, 1,
25, 26, 10, 27, 28, 29, 30, 31, 32, 29,
- 33, 34, 35, 36, 36, 37, 36, 38, 39, 40,
- 36, 41, 42, 43, 44, 45, 46, 47, 48, 36,
- 10, 49, 10, 1, 50, 1, 51, 52, 53, 54,
+ 33, 34, 35, 36, 36, 37, 38, 39, 40, 41,
+ 36, 42, 43, 44, 45, 46, 47, 48, 49, 36,
+ 10, 50, 10, 1, 51, 1, 52, 53, 54, 55,
- 55, 56, 57, 57, 58, 57, 57, 59, 60, 61,
- 62, 57, 57, 63, 64, 65, 66, 57, 57, 57,
- 57, 57, 1, 1, 1, 1, 1, 1, 1, 1,
+ 56, 57, 58, 58, 59, 58, 58, 60, 61, 62,
+ 63, 58, 58, 64, 65, 66, 67, 58, 58, 58,
+ 58, 58, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1
} ;
-static yyconst int yy_meta[67] =
+static yyconst int yy_meta[68] =
{ 0,
1, 2, 3, 4, 5, 6, 1, 7, 7, 1,
1, 8, 1, 9, 10, 11, 11, 11, 11, 11,
11, 11, 11, 12, 13, 7, 1, 11, 11, 11,
11, 11, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 14, 15,
- 16, 16, 16, 16, 16, 16, 15, 15, 15, 15,
- 15, 15, 15, 15, 15, 15
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 14,
+ 15, 16, 16, 16, 16, 16, 16, 15, 15, 15,
+ 15, 15, 15, 15, 15, 15, 15
} ;
-static yyconst short int yy_base[671] =
+static yyconst short int yy_base[686] =
{ 0,
- 0, 65, 67, 72, 99, 114, 162, 227, 292, 340,
- 86, 125, 2840, 2790, 2836, 3665, 2833, 3665, 387, 70,
- 3665, 3665, 2771, 3665, 136, 397, 133, 159, 2795, 3665,
- 3665, 453, 2781, 33, 504, 2770, 2767, 2777, 2765, 2771,
- 2754, 559, 170, 19, 165, 583, 38, 49, 2739, 68,
- 2727, 81, 219, 2771, 305, 48, 0, 3665, 2761, 3665,
- 0, 250, 639, 119, 0, 2709, 3665, 108, 3665, 112,
- 3665, 140, 2699, 98, 121, 3665, 195, 2693, 661, 2739,
- 2736, 2736, 3665, 227, 247, 300, 316, 152, 354, 2681,
- 686, 373, 2670, 711, 352, 722, 2692, 2669, 375, 414,
-
- 302, 2656, 57, 763, 0, 2628, 2625, 2614, 505, 2602,
- 2606, 2599, 2601, 202, 3665, 153, 546, 2572, 2565, 2549,
- 2537, 2524, 200, 110, 244, 28, 111, 252, 171, 2578,
- 422, 2577, 565, 2529, 818, 262, 0, 2573, 179, 3665,
- 3665, 599, 269, 0, 2513, 453, 3665, 3665, 2512, 548,
- 2490, 2533, 206, 253, 323, 2535, 2524, 2513, 607, 615,
- 306, 722, 586, 831, 867, 903, 939, 2499, 2456, 980,
- 333, 1022, 1063, 0, 2430, 2394, 2363, 2364, 2374, 2369,
- 2327, 2330, 2329, 2328, 266, 2289, 2283, 2272, 2274, 2279,
- 409, 334, 2279, 145, 335, 83, 672, 278, 2327, 2325,
-
- 627, 259, 1106, 1142, 741, 210, 2293, 2279, 683, 513,
- 2275, 2271, 352, 747, 1178, 780, 788, 1220, 815, 2270,
- 400, 325, 2261, 2258, 2248, 2246, 2242, 0, 2240, 0,
- 489, 2223, 2213, 2198, 2211, 2198, 420, 407, 529, 490,
- 491, 1263, 1299, 1335, 2235, 2234, 839, 2234, 2232, 2228,
- 2226, 528, 848, 657, 856, 665, 1371, 0, 877, 1382,
- 886, 894, 1424, 913, 570, 3665, 2208, 2197, 2201, 2178,
- 2185, 2194, 2194, 2176, 558, 2169, 2152, 2150, 648, 626,
- 530, 559, 923, 336, 1467, 1503, 964, 2171, 2140, 2139,
- 2138, 1537, 551, 1000, 1041, 1082, 653, 694, 797, 1049,
-
- 923, 1580, 0, 1116, 1591, 1090, 1008, 1633, 1125, 2121,
- 2082, 747, 686, 2064, 2071, 786, 926, 905, 2080, 2033,
- 679, 634, 544, 915, 1675, 1710, 1745, 2052, 2043, 2033,
- 1150, 1781, 1158, 1133, 1822, 1197, 1166, 2028, 1239, 1273,
- 1207, 950, 951, 962, 991, 1247, 1073, 1865, 0, 1283,
- 1876, 1307, 1315, 1918, 1323, 1987, 1968, 1188, 3665, 1967,
- 1951, 1929, 1913, 1286, 3665, 1336, 3665, 707, 1897, 1889,
- 786, 930, 764, 1298, 1358, 1041, 1960, 1995, 1400, 1927,
- 1879, 1348, 708, 1406, 1348, 2031, 0, 559, 2042, 1441,
- 1449, 2083, 1477, 1487, 1513, 1523, 1230, 1290, 1458, 1548,
-
- 1557, 1602, 2126, 0, 1613, 2137, 1650, 1565, 1660, 1806,
- 1779, 1680, 1675, 1359, 1406, 1626, 1601, 1577, 897, 938,
- 1695, 1589, 2180, 2216, 2252, 2288, 1611, 1686, 1720, 1731,
- 1563, 1478, 1504, 1694, 1524, 2324, 0, 617, 2335, 1753,
- 1761, 2376, 1769, 1798, 1550, 1808, 1841, 1851, 1335, 1358,
- 1887, 714, 825, 2419, 0, 926, 1407, 1468, 1430, 1431,
- 1547, 3665, 1616, 3665, 1381, 1731, 1045, 1512, 1575, 1908,
- 1913, 1970, 1498, 2429, 2465, 1947, 1611, 1981, 1264, 2006,
- 2016, 2061, 1198, 1181, 1732, 1782, 2067, 1842, 2501, 0,
- 1181, 2512, 2100, 1904, 2553, 2110, 2155, 2164, 2189, 1769,
-
- 1142, 1232, 1634, 3665, 1699, 1095, 1077, 1025, 1046, 1306,
- 3665, 384, 981, 2211, 2218, 2238, 2243, 2263, 2288, 2249,
- 2307, 2596, 2632, 2668, 2304, 2354, 2395, 983, 894, 1902,
- 1928, 2362, 1929, 2704, 0, 1428, 2715, 2403, 2437, 2445,
- 867, 2454, 2474, 2483, 831, 1982, 3665, 1983, 782, 3665,
- 1511, 2489, 2529, 2537, 1895, 2758, 2794, 2573, 2579, 650,
- 2607, 2617, 2642, 629, 525, 1931, 447, 347, 2650, 0,
- 1528, 2019, 3665, 2044, 1805, 2830, 2866, 2902, 2676, 2684,
- 2692, 323, 0, 316, 2067, 3665, 166, 1845, 3665, 2733,
- 1945, 2938, 2974, 2743, 3665, 2767, 2777, 2658, 3665, 2805,
-
- 2813, 2847, 63, 2855, 2881, 3665, 3023, 3039, 3055, 3071,
- 3087, 3103, 3119, 3135, 3151, 3157, 3173, 3189, 2025, 3205,
- 3221, 3237, 3253, 3269, 3285, 3301, 3307, 3314, 3330, 3346,
- 3352, 3359, 3365, 3371, 3377, 3384, 3390, 3396, 3402, 3409,
- 3417, 3423, 3429, 3435, 3442, 3450, 3456, 3462, 3469, 3477,
- 3483, 3491, 3498, 3506, 3512, 3520, 3527, 3535, 3551, 3567,
- 3583, 3589, 3597, 3604, 3610, 3618, 3624, 3632, 3648, 1295
+ 0, 66, 68, 76, 119, 124, 173, 239, 148, 197,
+ 82, 90, 2937, 2886, 2933, 3595, 2929, 3595, 165, 65,
+ 3595, 3595, 2882, 3595, 130, 293, 173, 146, 2907, 3595,
+ 3595, 350, 2893, 42, 402, 41, 2889, 74, 2888, 2895,
+ 2876, 458, 197, 57, 219, 482, 38, 207, 2854, 37,
+ 2851, 117, 249, 2880, 326, 2841, 2852, 105, 0, 3595,
+ 2875, 3595, 0, 469, 424, 143, 0, 2828, 3595, 48,
+ 3595, 223, 3595, 155, 2827, 202, 97, 3595, 252, 2817,
+ 504, 2855, 2852, 2852, 3595, 258, 504, 312, 526, 201,
+ 548, 2796, 557, 528, 2795, 582, 579, 614, 2820, 2829,
+
+ 593, 601, 266, 2818, 182, 656, 0, 2796, 2791, 2766,
+ 2761, 296, 2727, 2725, 2713, 2696, 2691, 426, 3595, 87,
+ 659, 2659, 2663, 2655, 2650, 2651, 257, 196, 318, 276,
+ 258, 288, 436, 2694, 631, 2693, 655, 2644, 690, 303,
+ 0, 2681, 168, 3595, 3595, 701, 352, 0, 2634, 723,
+ 3595, 3595, 2633, 447, 2632, 2676, 467, 461, 433, 2670,
+ 2659, 2600, 720, 733, 206, 755, 759, 771, 781, 791,
+ 828, 2581, 2570, 870, 453, 913, 955, 0, 2563, 2557,
+ 2540, 2523, 2530, 2541, 2536, 2516, 2502, 2496, 2475, 2473,
+ 277, 2442, 2436, 2402, 2404, 2407, 477, 436, 2405, 424,
+
+ 401, 292, 813, 488, 2454, 2450, 845, 438, 855, 890,
+ 756, 465, 2428, 2418, 930, 554, 2409, 2408, 463, 898,
+ 999, 939, 972, 1042, 980, 2403, 490, 2378, 500, 2380,
+ 2338, 2327, 2325, 2321, 2310, 0, 2305, 0, 508, 2274,
+ 2238, 2212, 2211, 2176, 515, 517, 615, 527, 529, 1018,
+ 1061, 1086, 2212, 2210, 1026, 2209, 2203, 2171, 2166, 565,
+ 1069, 754, 1096, 802, 1123, 0, 1106, 1134, 1151, 1159,
+ 1177, 1196, 601, 3595, 2136, 2137, 2127, 2131, 2090, 2090,
+ 2084, 2078, 0, 2062, 607, 2056, 2024, 2025, 573, 576,
+ 578, 676, 1204, 591, 1221, 1239, 1231, 2064, 2031, 2006,
+
+ 2004, 1274, 676, 1256, 1293, 1318, 682, 808, 815, 1301,
+ 819, 1328, 0, 1339, 1350, 1367, 1247, 1393, 1377, 1955,
+ 1915, 1888, 742, 692, 1884, 1891, 794, 980, 777, 1889,
+ 1856, 652, 945, 680, 820, 1411, 1420, 1436, 1842, 1824,
+ 1800, 1446, 1473, 1455, 1266, 1515, 1492, 1500, 1809, 1534,
+ 1559, 1544, 1009, 1052, 1569, 1571, 1580, 1590, 1601, 0,
+ 1612, 1623, 1590, 1463, 1666, 1642, 1762, 1737, 1740, 1108,
+ 3595, 1696, 1672, 1662, 1628, 1157, 3595, 1158, 3595, 774,
+ 1514, 1500, 730, 1152, 697, 913, 1650, 805, 1686, 1709,
+ 1695, 1516, 1500, 1721, 1222, 1730, 1474, 1744, 0, 830,
+
+ 1755, 1772, 1571, 1797, 1782, 1816, 1841, 1851, 1284, 1377,
+ 1832, 1861, 1861, 1872, 1883, 0, 1894, 1905, 1872, 1824,
+ 1924, 1414, 1400, 1375, 1336, 1331, 1159, 1483, 1312, 1274,
+ 1260, 1539, 606, 1730, 1238, 1949, 1959, 1969, 1984, 1256,
+ 1994, 2004, 2019, 1245, 1535, 1915, 1932, 1950, 2029, 0,
+ 874, 2040, 2057, 2065, 2082, 2101, 2109, 1214, 2126, 2136,
+ 2146, 1633, 1675, 2154, 924, 966, 2165, 0, 1003, 1092,
+ 1731, 1087, 1056, 1052, 2042, 3595, 2063, 3595, 1017, 2147,
+ 1126, 624, 1311, 2187, 2192, 2183, 1756, 2193, 2203, 2230,
+ 1979, 2238, 992, 2248, 2265, 2275, 830, 811, 1970, 2194,
+
+ 2281, 2214, 2291, 0, 1111, 2302, 2319, 2256, 2344, 2329,
+ 2362, 2371, 2387, 1807, 813, 1170, 0, 2065, 3595, 2228,
+ 738, 713, 680, 731, 1201, 3595, 900, 653, 2409, 2414,
+ 2419, 2424, 2418, 2436, 2445, 2446, 2459, 2469, 2480, 2494,
+ 2504, 2515, 569, 531, 2215, 2217, 2523, 2221, 2533, 0,
+ 1278, 2544, 2561, 2569, 2588, 519, 2597, 2606, 2615, 492,
+ 2304, 3595, 2393, 452, 3595, 1416, 2621, 2629, 2637, 1981,
+ 2647, 2657, 2672, 2682, 345, 2692, 2707, 2717, 305, 264,
+ 2303, 245, 191, 2725, 0, 1477, 2441, 3595, 2444, 1632,
+ 2735, 2745, 2755, 2770, 2780, 2790, 90, 0, 92, 2482,
+
+ 3595, 100, 1647, 3595, 2798, 1982, 2808, 2818, 2833, 3595,
+ 2843, 2853, 2763, 3595, 2868, 2876, 2884, 19, 2892, 2903,
+ 3595, 2953, 2969, 2985, 3001, 3017, 3033, 3049, 3065, 3081,
+ 3087, 3103, 3119, 1676, 3135, 3151, 3167, 3183, 3199, 3215,
+ 3231, 3237, 3244, 3260, 3276, 3282, 3289, 3295, 3301, 3307,
+ 3314, 3320, 3326, 3332, 3339, 3347, 3353, 3359, 3365, 3372,
+ 3380, 3386, 3392, 3399, 3407, 3413, 3421, 3428, 3436, 3442,
+ 3450, 3457, 3465, 3481, 3497, 3513, 3519, 3527, 3534, 3540,
+ 3548, 3554, 3562, 3578, 2159
} ;
-static yyconst short int yy_def[671] =
+static yyconst short int yy_def[686] =
{ 0,
- 606, 1, 1, 1, 607, 607, 608, 608, 609, 609,
- 610, 610, 606, 611, 606, 606, 606, 606, 612, 613,
- 606, 606, 614, 606, 615, 611, 26, 26, 616, 606,
- 606, 606, 32, 32, 32, 35, 35, 35, 35, 35,
- 35, 611, 26, 611, 606, 612, 32, 32, 35, 35,
- 35, 606, 606, 606, 617, 611, 618, 606, 618, 606,
- 618, 606, 612, 606, 619, 620, 606, 620, 606, 620,
- 606, 621, 622, 622, 622, 606, 606, 611, 611, 606,
- 606, 623, 606, 624, 606, 613, 606, 625, 613, 614,
- 614, 615, 626, 611, 611, 26, 616, 96, 96, 96,
-
- 96, 627, 628, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 611, 606, 611, 606, 606, 606, 606,
- 606, 606, 623, 611, 96, 611, 611, 611, 606, 606,
- 606, 606, 617, 629, 611, 611, 618, 618, 606, 606,
- 606, 624, 606, 619, 620, 620, 606, 606, 620, 620,
- 622, 606, 622, 622, 606, 606, 623, 630, 606, 606,
- 625, 625, 606, 611, 611, 611, 96, 167, 631, 606,
- 632, 606, 104, 35, 35, 35, 35, 35, 35, 35,
- 35, 35, 35, 35, 611, 606, 606, 606, 606, 606,
- 623, 611, 167, 611, 611, 611, 606, 611, 606, 630,
-
- 611, 611, 611, 611, 611, 611, 633, 634, 634, 209,
- 635, 634, 636, 172, 606, 215, 215, 606, 215, 35,
+ 621, 1, 1, 1, 622, 622, 623, 623, 624, 624,
+ 625, 625, 621, 626, 621, 621, 621, 621, 627, 628,
+ 621, 621, 629, 621, 630, 626, 26, 26, 631, 621,
+ 621, 621, 32, 32, 32, 35, 35, 35, 35, 35,
+ 35, 626, 26, 626, 621, 627, 32, 32, 35, 35,
+ 35, 621, 621, 621, 632, 35, 35, 626, 633, 621,
+ 633, 621, 633, 621, 627, 621, 634, 635, 621, 635,
+ 621, 635, 621, 636, 637, 637, 637, 621, 621, 626,
+ 626, 621, 621, 638, 621, 639, 621, 628, 621, 640,
+ 628, 629, 629, 630, 641, 626, 626, 26, 631, 98,
+
+ 98, 98, 98, 642, 643, 35, 35, 35, 35, 35,
+ 35, 35, 35, 35, 35, 35, 35, 626, 621, 626,
+ 621, 621, 621, 621, 621, 621, 638, 626, 98, 626,
+ 626, 626, 621, 621, 621, 621, 632, 644, 626, 626,
+ 633, 633, 621, 621, 621, 639, 621, 634, 635, 635,
+ 621, 621, 635, 635, 637, 621, 637, 637, 621, 621,
+ 638, 645, 621, 621, 640, 640, 621, 626, 626, 626,
+ 98, 171, 646, 621, 647, 621, 106, 35, 35, 35,
35, 35, 35, 35, 35, 35, 35, 35, 35, 35,
- 611, 606, 606, 606, 606, 606, 623, 611, 611, 611,
- 611, 611, 611, 611, 606, 637, 637, 247, 637, 638,
- 639, 640, 606, 641, 218, 641, 641, 257, 641, 606,
- 260, 260, 606, 260, 606, 606, 35, 35, 35, 35,
- 35, 35, 35, 35, 611, 606, 606, 606, 623, 611,
- 611, 611, 611, 611, 611, 611, 611, 642, 642, 643,
- 644, 606, 606, 606, 606, 606, 645, 645, 646, 263,
-
- 646, 646, 302, 646, 606, 305, 305, 606, 305, 35,
- 35, 35, 35, 35, 35, 35, 35, 611, 606, 606,
- 623, 611, 611, 611, 611, 611, 611, 606, 647, 648,
- 292, 606, 332, 332, 606, 332, 606, 606, 606, 606,
- 606, 606, 649, 649, 650, 308, 650, 650, 348, 650,
- 606, 351, 351, 606, 351, 35, 35, 606, 606, 35,
- 35, 35, 35, 606, 606, 606, 606, 611, 606, 606,
- 623, 611, 611, 611, 611, 611, 611, 611, 611, 606,
- 651, 606, 652, 335, 652, 652, 386, 386, 606, 389,
- 389, 606, 389, 606, 606, 606, 606, 653, 653, 654,
-
- 354, 654, 654, 403, 654, 606, 406, 406, 406, 35,
- 35, 35, 35, 35, 35, 611, 606, 606, 623, 611,
- 611, 611, 611, 611, 611, 611, 606, 606, 606, 606,
- 655, 655, 656, 392, 656, 656, 436, 436, 606, 439,
- 439, 606, 439, 606, 606, 606, 606, 606, 606, 657,
- 657, 658, 658, 658, 454, 454, 35, 35, 35, 35,
- 606, 606, 606, 606, 606, 606, 659, 623, 611, 660,
- 661, 611, 611, 611, 611, 611, 611, 606, 606, 606,
- 606, 606, 606, 662, 662, 663, 442, 663, 663, 489,
- 489, 606, 492, 492, 606, 492, 606, 606, 606, 606,
-
- 664, 664, 606, 606, 35, 35, 35, 606, 659, 659,
- 606, 623, 611, 660, 660, 660, 660, 606, 660, 661,
- 661, 611, 611, 611, 606, 606, 606, 606, 665, 665,
- 666, 495, 666, 666, 534, 534, 606, 537, 537, 537,
- 606, 606, 606, 606, 606, 606, 606, 35, 35, 606,
- 623, 606, 606, 611, 611, 611, 611, 611, 606, 606,
- 606, 606, 606, 606, 667, 667, 668, 668, 668, 569,
- 569, 606, 606, 35, 669, 611, 611, 611, 606, 606,
- 606, 606, 670, 670, 606, 606, 669, 669, 606, 611,
- 611, 611, 611, 611, 606, 606, 606, 606, 606, 611,
-
- 611, 611, 611, 611, 611, 0, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606
+ 626, 621, 621, 621, 621, 621, 638, 626, 171, 626,
+
+ 626, 626, 621, 626, 621, 645, 626, 626, 626, 626,
+ 626, 626, 648, 649, 649, 215, 650, 649, 651, 176,
+ 621, 221, 221, 621, 221, 35, 35, 35, 35, 35,
+ 35, 35, 35, 35, 35, 35, 35, 35, 626, 621,
+ 621, 621, 621, 621, 638, 626, 626, 626, 626, 626,
+ 626, 626, 621, 652, 652, 255, 652, 653, 654, 655,
+ 621, 656, 224, 656, 656, 265, 656, 621, 268, 268,
+ 621, 268, 621, 621, 35, 35, 35, 35, 35, 35,
+ 35, 35, 35, 35, 626, 621, 621, 621, 638, 626,
+ 626, 626, 626, 626, 626, 626, 626, 657, 657, 658,
+
+ 659, 621, 621, 621, 621, 621, 660, 660, 661, 271,
+ 661, 661, 312, 661, 621, 315, 315, 621, 315, 35,
+ 35, 35, 35, 35, 35, 35, 35, 35, 626, 621,
+ 621, 638, 626, 626, 626, 626, 626, 626, 621, 662,
+ 663, 302, 621, 343, 343, 621, 343, 621, 621, 621,
+ 621, 621, 621, 664, 664, 665, 318, 665, 665, 359,
+ 665, 621, 362, 362, 621, 362, 35, 35, 35, 621,
+ 621, 35, 35, 35, 35, 621, 621, 621, 621, 626,
+ 621, 621, 638, 626, 626, 626, 626, 626, 626, 626,
+ 626, 621, 666, 621, 667, 346, 667, 667, 398, 398,
+
+ 621, 401, 401, 621, 401, 621, 621, 621, 621, 668,
+ 668, 669, 365, 669, 669, 415, 669, 621, 418, 418,
+ 418, 35, 35, 35, 35, 35, 35, 35, 626, 621,
+ 621, 638, 626, 626, 626, 626, 626, 626, 626, 621,
+ 621, 621, 621, 670, 670, 671, 404, 671, 671, 449,
+ 449, 621, 452, 452, 621, 452, 621, 621, 621, 621,
+ 621, 621, 672, 672, 673, 673, 673, 467, 467, 35,
+ 35, 35, 35, 35, 621, 621, 621, 621, 621, 621,
+ 674, 638, 626, 675, 676, 626, 626, 626, 626, 626,
+ 626, 621, 621, 621, 621, 621, 621, 677, 677, 678,
+
+ 455, 678, 678, 503, 503, 621, 506, 506, 621, 506,
+ 621, 621, 621, 621, 679, 679, 35, 621, 621, 35,
+ 35, 35, 621, 674, 674, 621, 638, 626, 675, 675,
+ 675, 675, 621, 675, 676, 676, 626, 626, 626, 621,
+ 621, 621, 621, 680, 680, 681, 509, 681, 681, 549,
+ 549, 621, 552, 552, 552, 621, 621, 621, 621, 621,
+ 621, 621, 35, 35, 621, 638, 621, 621, 626, 626,
+ 626, 626, 626, 621, 621, 621, 621, 621, 621, 682,
+ 682, 683, 683, 683, 584, 584, 621, 621, 35, 684,
+ 626, 626, 626, 621, 621, 621, 621, 685, 685, 621,
+
+ 621, 684, 684, 621, 626, 626, 626, 626, 626, 621,
+ 621, 621, 621, 621, 626, 626, 626, 626, 626, 626,
+ 0, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621
} ;
-static yyconst short int yy_nxt[3732] =
+static yyconst short int yy_nxt[3663] =
{ 0,
14, 15, 16, 17, 18, 19, 20, 21, 22, 14,
23, 24, 14, 14, 25, 26, 27, 28, 26, 26,
26, 26, 26, 29, 30, 31, 14, 32, 33, 33,
- 33, 34, 35, 35, 35, 35, 36, 37, 35, 38,
- 39, 40, 41, 35, 35, 35, 35, 35, 42, 14,
- 43, 43, 43, 43, 43, 43, 14, 14, 14, 14,
- 14, 14, 14, 44, 14, 14, 45, 79, 52, 105,
- 46, 170, 53, 52, 105, 87, 79, 53, 54, 107,
- 172, 55, 129, 54, 116, 105, 55, 74, 16, 75,
- 76, 194, 130, 88, 47, 48, 79, 124, 49, 153,
-
- 15, 58, 59, 125, 60, 50, 111, 35, 51, 35,
- 60, 79, 35, 136, 35, 15, 58, 59, 89, 60,
- 143, 115, 60, 61, 154, 60, 74, 16, 75, 76,
- 56, 79, 147, 127, 77, 56, 148, 60, 61, 93,
- 93, 150, 115, 93, 93, 238, 152, 62, 99, 99,
- 99, 99, 99, 99, 99, 99, 146, 87, 79, 79,
- 146, 93, 62, 15, 16, 17, 117, 63, 589, 152,
- 192, 195, 129, 77, 100, 100, 100, 100, 100, 101,
- 143, 115, 130, 78, 94, 98, 98, 98, 98, 98,
- 98, 98, 98, 79, 118, 119, 155, 156, 120, 151,
-
- 162, 79, 83, 143, 115, 121, 185, 153, 122, 238,
- 64, 65, 65, 65, 65, 65, 65, 65, 65, 65,
- 65, 65, 65, 65, 65, 65, 65, 65, 15, 16,
- 17, 131, 63, 97, 85, 85, 85, 85, 85, 85,
- 85, 85, 85, 85, 85, 85, 85, 85, 85, 85,
- 79, 139, 115, 140, 152, 141, 154, 78, 79, 140,
- 191, 141, 85, 85, 85, 85, 85, 85, 85, 85,
- 143, 115, 201, 141, 141, 64, 65, 65, 65, 65,
- 65, 65, 65, 65, 65, 65, 65, 65, 65, 65,
- 65, 65, 65, 15, 16, 17, 67, 63, 141, 193,
-
- 79, 152, 68, 69, 70, 606, 196, 79, 134, 134,
- 79, 606, 134, 134, 79, 198, 71, 168, 168, 168,
- 168, 168, 168, 606, 155, 156, 79, 231, 159, 382,
- 134, 160, 160, 160, 160, 160, 160, 160, 160, 241,
- 72, 15, 16, 17, 67, 63, 532, 170, 89, 283,
- 68, 69, 70, 135, 162, 86, 214, 86, 86, 267,
- 606, 86, 86, 268, 71, 86, 170, 164, 165, 166,
- 164, 164, 164, 164, 164, 214, 93, 93, 86, 86,
- 93, 93, 79, 79, 79, 240, 83, 238, 72, 83,
- 168, 168, 168, 168, 168, 168, 168, 168, 93, 84,
-
- 79, 265, 85, 85, 85, 85, 85, 85, 85, 85,
- 95, 83, 96, 96, 96, 96, 96, 96, 96, 96,
- 97, 94, 83, 266, 98, 98, 98, 98, 98, 168,
- 168, 168, 168, 168, 168, 168, 168, 85, 85, 85,
- 85, 85, 85, 85, 85, 79, 551, 98, 98, 98,
- 98, 98, 98, 78, 145, 79, 280, 145, 145, 78,
- 382, 237, 78, 78, 145, 78, 78, 78, 104, 104,
- 104, 104, 104, 104, 104, 104, 97, 145, 279, 78,
- 104, 104, 104, 104, 104, 105, 105, 105, 105, 106,
- 105, 105, 105, 105, 105, 105, 105, 105, 105, 105,
-
- 105, 79, 105, 98, 98, 98, 98, 98, 98, 78,
- 78, 78, 78, 78, 78, 78, 78, 78, 78, 105,
- 105, 105, 105, 105, 105, 105, 105, 606, 249, 249,
- 249, 105, 105, 105, 105, 105, 177, 79, 79, 79,
- 105, 178, 170, 275, 179, 282, 180, 117, 532, 143,
- 115, 214, 97, 238, 78, 78, 78, 78, 78, 78,
- 114, 115, 78, 78, 78, 170, 78, 78, 134, 134,
- 78, 265, 134, 134, 214, 118, 119, 79, 79, 120,
- 431, 431, 78, 78, 78, 83, 121, 93, 323, 122,
- 134, 93, 79, 266, 281, 84, 146, 93, 85, 85,
-
- 85, 85, 85, 85, 85, 85, 79, 79, 373, 93,
- 93, 318, 324, 135, 606, 606, 606, 606, 606, 606,
- 606, 606, 160, 160, 160, 160, 160, 160, 160, 160,
- 160, 160, 160, 160, 160, 160, 160, 160, 484, 484,
- 123, 83, 242, 243, 244, 242, 242, 242, 242, 242,
- 83, 142, 487, 322, 606, 606, 606, 606, 606, 606,
- 606, 606, 78, 559, 78, 78, 78, 170, 78, 78,
- 253, 170, 78, 134, 79, 79, 255, 134, 606, 170,
- 255, 83, 79, 134, 78, 78, 78, 90, 255, 90,
- 90, 90, 372, 90, 90, 134, 134, 90, 247, 247,
-
- 248, 249, 249, 249, 249, 249, 211, 253, 170, 90,
- 90, 90, 92, 321, 78, 78, 92, 255, 78, 78,
- 360, 382, 92, 161, 361, 161, 161, 253, 170, 161,
- 161, 384, 371, 161, 92, 92, 78, 167, 167, 167,
- 167, 167, 167, 167, 167, 161, 161, 161, 358, 167,
- 167, 167, 167, 167, 201, 79, 202, 202, 202, 202,
- 202, 202, 219, 219, 219, 219, 219, 219, 219, 219,
- 359, 416, 167, 167, 167, 167, 167, 167, 173, 173,
- 173, 173, 173, 173, 173, 173, 97, 364, 83, 79,
- 173, 173, 173, 173, 173, 257, 257, 257, 257, 257,
-
- 257, 257, 257, 258, 258, 258, 258, 258, 259, 365,
- 253, 170, 79, 167, 167, 167, 167, 167, 167, 133,
- 300, 78, 78, 133, 574, 78, 78, 421, 606, 133,
- 256, 256, 256, 256, 256, 256, 256, 256, 606, 170,
- 419, 133, 133, 78, 201, 170, 202, 202, 202, 202,
- 202, 202, 202, 202, 289, 289, 289, 289, 289, 289,
- 289, 289, 211, 294, 295, 296, 294, 294, 294, 294,
- 294, 264, 264, 264, 264, 264, 264, 264, 264, 79,
- 201, 170, 203, 203, 203, 203, 203, 203, 203, 203,
- 253, 170, 298, 298, 298, 298, 298, 298, 467, 83,
-
- 255, 302, 302, 302, 302, 302, 302, 302, 302, 303,
- 303, 303, 303, 303, 304, 79, 201, 487, 204, 204,
- 204, 204, 204, 205, 202, 202, 606, 366, 301, 301,
- 301, 301, 301, 301, 301, 301, 606, 170, 325, 326,
- 327, 325, 325, 325, 325, 325, 300, 501, 501, 367,
- 468, 79, 78, 79, 206, 206, 206, 206, 206, 206,
- 206, 206, 368, 79, 170, 170, 206, 206, 206, 206,
- 206, 79, 374, 255, 300, 253, 170, 283, 79, 284,
- 284, 284, 284, 284, 284, 300, 79, 420, 469, 206,
- 206, 206, 206, 206, 206, 208, 209, 210, 210, 210,
-
- 210, 210, 210, 211, 253, 170, 434, 212, 212, 212,
- 212, 212, 79, 337, 346, 338, 338, 338, 338, 338,
- 338, 338, 338, 349, 349, 349, 349, 349, 350, 79,
- 212, 212, 212, 212, 212, 212, 170, 215, 216, 217,
- 215, 215, 215, 215, 215, 218, 510, 511, 511, 219,
- 219, 219, 219, 219, 337, 375, 339, 339, 339, 339,
- 339, 339, 339, 339, 309, 309, 309, 309, 309, 309,
- 309, 309, 219, 219, 219, 219, 219, 219, 220, 220,
- 220, 220, 220, 220, 220, 220, 606, 170, 550, 79,
- 220, 220, 220, 220, 220, 337, 346, 340, 340, 340,
-
- 340, 340, 341, 338, 338, 348, 348, 348, 348, 348,
- 348, 348, 348, 206, 206, 206, 206, 206, 206, 201,
- 549, 202, 202, 202, 202, 202, 202, 202, 202, 253,
- 170, 344, 344, 344, 344, 344, 344, 548, 606, 300,
- 347, 347, 347, 347, 347, 347, 347, 347, 387, 387,
- 387, 387, 387, 388, 79, 201, 170, 202, 202, 202,
- 202, 202, 202, 202, 202, 336, 336, 336, 336, 336,
- 336, 336, 336, 386, 386, 386, 386, 386, 386, 386,
- 386, 394, 395, 396, 394, 394, 394, 394, 394, 358,
- 79, 253, 170, 254, 254, 254, 254, 254, 254, 254,
-
- 254, 255, 529, 529, 434, 256, 256, 256, 256, 256,
- 606, 359, 385, 385, 385, 385, 385, 385, 385, 385,
- 337, 384, 338, 338, 338, 338, 338, 338, 256, 256,
- 256, 256, 256, 256, 170, 260, 261, 262, 260, 260,
- 260, 260, 260, 263, 170, 253, 170, 264, 264, 264,
- 264, 264, 337, 300, 338, 338, 338, 338, 338, 338,
- 338, 338, 355, 355, 355, 355, 355, 355, 355, 355,
- 264, 264, 264, 264, 264, 264, 283, 478, 284, 284,
- 284, 284, 284, 284, 284, 284, 337, 364, 338, 338,
- 338, 338, 338, 338, 338, 338, 253, 170, 399, 399,
-
- 399, 399, 399, 399, 170, 599, 346, 510, 511, 365,
- 599, 79, 283, 346, 285, 285, 285, 285, 285, 285,
- 285, 285, 403, 403, 403, 403, 403, 403, 403, 403,
- 404, 404, 404, 404, 404, 405, 606, 366, 402, 402,
- 402, 402, 402, 402, 402, 402, 79, 79, 283, 170,
- 286, 286, 286, 286, 286, 287, 284, 284, 346, 367,
- 461, 606, 422, 428, 429, 430, 428, 428, 428, 428,
- 428, 384, 170, 423, 424, 425, 426, 423, 423, 423,
- 423, 401, 462, 79, 253, 170, 298, 298, 298, 298,
- 298, 298, 298, 298, 255, 253, 170, 299, 299, 299,
-
- 299, 299, 299, 299, 299, 300, 79, 463, 503, 301,
- 301, 301, 301, 301, 375, 376, 376, 376, 376, 376,
- 376, 393, 393, 393, 393, 393, 393, 393, 393, 464,
- 504, 508, 301, 301, 301, 301, 301, 301, 170, 305,
- 306, 307, 305, 305, 305, 305, 305, 308, 79, 565,
- 565, 309, 309, 309, 309, 309, 436, 436, 436, 436,
- 436, 436, 436, 436, 437, 437, 437, 437, 437, 438,
- 507, 253, 170, 506, 309, 309, 309, 309, 309, 309,
- 283, 346, 284, 284, 284, 284, 284, 284, 284, 284,
- 606, 382, 435, 435, 435, 435, 435, 435, 435, 435,
-
- 444, 384, 445, 445, 445, 445, 445, 445, 445, 445,
- 505, 472, 575, 83, 83, 79, 283, 382, 284, 284,
- 284, 284, 284, 284, 284, 284, 444, 434, 446, 446,
- 446, 446, 446, 446, 446, 446, 444, 606, 447, 447,
- 447, 447, 447, 448, 445, 445, 79, 434, 461, 583,
- 583, 79, 332, 333, 334, 332, 332, 332, 332, 332,
- 335, 253, 170, 444, 336, 336, 336, 336, 336, 512,
- 462, 401, 409, 409, 409, 409, 409, 409, 409, 409,
- 455, 455, 455, 455, 455, 456, 384, 336, 336, 336,
- 336, 336, 336, 253, 170, 344, 344, 344, 344, 344,
-
- 344, 344, 344, 300, 253, 170, 345, 345, 345, 345,
- 345, 345, 345, 345, 346, 606, 170, 463, 347, 347,
- 347, 347, 347, 79, 472, 401, 253, 170, 451, 451,
- 451, 451, 451, 451, 331, 503, 401, 79, 513, 464,
- 466, 347, 347, 347, 347, 347, 347, 170, 351, 352,
- 353, 351, 351, 351, 351, 351, 354, 504, 465, 79,
- 355, 355, 355, 355, 355, 454, 454, 454, 454, 454,
- 454, 454, 454, 606, 79, 453, 453, 453, 453, 453,
- 453, 453, 453, 355, 355, 355, 355, 355, 355, 375,
- 376, 376, 376, 376, 376, 376, 376, 376, 470, 478,
-
- 546, 479, 479, 479, 479, 479, 479, 479, 479, 443,
- 443, 443, 443, 443, 443, 443, 443, 460, 470, 459,
- 470, 471, 547, 79, 375, 377, 377, 377, 377, 377,
- 377, 377, 377, 478, 470, 480, 480, 480, 480, 480,
- 480, 480, 480, 79, 478, 382, 481, 481, 481, 481,
- 481, 482, 479, 479, 470, 434, 470, 470, 79, 375,
- 378, 378, 378, 378, 378, 379, 376, 376, 489, 489,
- 489, 489, 489, 489, 489, 489, 490, 490, 490, 490,
- 490, 491, 606, 170, 488, 488, 488, 488, 488, 488,
- 488, 488, 401, 79, 382, 382, 383, 383, 383, 383,
-
- 383, 383, 383, 383, 384, 487, 588, 589, 385, 385,
- 385, 385, 385, 497, 498, 499, 497, 497, 497, 497,
- 497, 444, 458, 445, 445, 445, 445, 445, 445, 445,
- 445, 385, 385, 385, 385, 385, 385, 389, 390, 391,
- 389, 389, 389, 389, 389, 392, 588, 589, 457, 393,
- 393, 393, 393, 393, 444, 606, 445, 445, 445, 445,
- 445, 445, 445, 445, 444, 487, 445, 445, 445, 445,
- 445, 445, 393, 393, 393, 393, 393, 393, 253, 170,
- 399, 399, 399, 399, 399, 399, 399, 399, 346, 253,
- 170, 400, 400, 400, 400, 400, 400, 400, 400, 401,
-
- 253, 170, 331, 402, 402, 402, 402, 402, 554, 515,
- 401, 516, 517, 518, 515, 382, 516, 517, 518, 535,
- 535, 535, 535, 535, 536, 487, 402, 402, 402, 402,
- 402, 402, 170, 406, 407, 408, 406, 406, 406, 406,
- 406, 382, 606, 79, 382, 409, 409, 409, 409, 409,
- 251, 532, 532, 418, 532, 417, 519, 415, 590, 414,
- 472, 521, 473, 473, 473, 473, 473, 473, 409, 409,
- 409, 409, 409, 409, 375, 376, 376, 376, 376, 376,
- 376, 376, 376, 546, 572, 522, 523, 524, 522, 522,
- 522, 522, 522, 79, 413, 79, 525, 526, 527, 525,
-
- 525, 525, 525, 525, 412, 547, 573, 411, 79, 375,
- 376, 376, 376, 376, 376, 376, 376, 376, 79, 478,
- 572, 479, 479, 479, 479, 479, 479, 479, 479, 478,
- 410, 479, 479, 479, 479, 479, 479, 479, 479, 144,
- 144, 337, 573, 79, 382, 585, 432, 432, 432, 432,
- 432, 432, 432, 432, 384, 382, 331, 433, 433, 433,
- 433, 433, 433, 433, 433, 434, 251, 586, 585, 435,
- 435, 435, 435, 435, 478, 211, 479, 479, 479, 479,
- 479, 479, 496, 496, 496, 496, 496, 496, 496, 496,
- 586, 370, 435, 435, 435, 435, 435, 435, 439, 440,
-
- 441, 439, 439, 439, 439, 439, 442, 369, 363, 362,
- 443, 443, 443, 443, 443, 534, 534, 534, 534, 534,
- 534, 534, 534, 606, 357, 533, 533, 533, 533, 533,
- 533, 533, 533, 443, 443, 443, 443, 443, 443, 253,
- 170, 451, 451, 451, 451, 451, 451, 451, 451, 401,
- 253, 170, 452, 452, 452, 452, 452, 452, 452, 452,
- 356, 331, 251, 211, 453, 453, 453, 453, 453, 170,
- 541, 541, 541, 541, 541, 541, 541, 541, 170, 542,
- 542, 542, 542, 542, 542, 542, 542, 453, 453, 453,
- 453, 453, 453, 472, 211, 473, 473, 473, 473, 473,
-
- 473, 473, 473, 170, 543, 543, 543, 543, 543, 544,
- 541, 541, 606, 276, 606, 606, 606, 320, 319, 515,
- 317, 516, 517, 518, 316, 315, 314, 313, 79, 472,
- 312, 474, 474, 474, 474, 474, 474, 474, 474, 606,
- 311, 516, 517, 518, 606, 310, 606, 606, 518, 292,
- 606, 251, 606, 606, 606, 211, 288, 211, 103, 519,
- 276, 278, 276, 277, 79, 472, 519, 475, 475, 475,
- 475, 475, 476, 477, 477, 552, 276, 274, 553, 553,
- 553, 553, 553, 553, 553, 553, 519, 273, 272, 271,
- 270, 519, 269, 97, 211, 514, 514, 521, 251, 514,
-
- 79, 472, 211, 477, 477, 477, 473, 473, 473, 473,
- 473, 514, 514, 514, 520, 520, 103, 559, 520, 560,
- 560, 560, 560, 560, 560, 560, 560, 83, 199, 239,
- 520, 520, 520, 236, 235, 234, 79, 382, 233, 485,
- 485, 485, 485, 485, 485, 485, 485, 434, 382, 232,
- 486, 486, 486, 486, 486, 486, 486, 486, 487, 230,
- 229, 228, 488, 488, 488, 488, 488, 559, 227, 561,
- 561, 561, 561, 561, 561, 561, 561, 540, 540, 540,
- 540, 540, 540, 540, 540, 488, 488, 488, 488, 488,
- 488, 492, 493, 494, 492, 492, 492, 492, 492, 495,
-
- 226, 225, 224, 496, 496, 496, 496, 496, 559, 223,
- 562, 562, 562, 562, 562, 563, 560, 560, 569, 569,
- 569, 569, 569, 569, 569, 569, 496, 496, 496, 496,
- 496, 496, 253, 170, 502, 502, 502, 502, 502, 502,
- 502, 502, 472, 222, 473, 473, 473, 473, 473, 473,
- 473, 473, 570, 570, 570, 570, 570, 571, 606, 221,
- 568, 568, 568, 568, 568, 568, 568, 568, 170, 541,
- 541, 541, 541, 541, 541, 541, 541, 79, 472, 103,
- 473, 473, 473, 473, 473, 473, 473, 473, 170, 541,
- 541, 541, 541, 541, 541, 541, 541, 170, 541, 541,
-
- 541, 541, 541, 541, 553, 553, 553, 553, 553, 553,
- 553, 553, 95, 79, 382, 83, 530, 530, 530, 530,
- 530, 530, 530, 530, 487, 382, 83, 531, 531, 531,
- 531, 531, 531, 531, 531, 532, 199, 151, 152, 533,
- 533, 533, 533, 533, 553, 553, 553, 553, 553, 553,
- 553, 553, 576, 577, 578, 576, 576, 576, 576, 576,
- 146, 146, 533, 533, 533, 533, 533, 533, 537, 538,
- 539, 537, 537, 537, 537, 537, 138, 197, 132, 132,
- 540, 540, 540, 540, 540, 79, 554, 190, 555, 555,
- 555, 555, 555, 555, 579, 580, 581, 579, 579, 579,
-
- 579, 579, 189, 540, 540, 540, 540, 540, 540, 554,
- 188, 555, 555, 555, 555, 555, 555, 555, 555, 187,
- 559, 79, 560, 560, 560, 560, 560, 560, 560, 560,
- 559, 186, 560, 560, 560, 560, 560, 560, 560, 560,
- 184, 183, 182, 181, 79, 554, 176, 556, 556, 556,
- 556, 556, 556, 556, 556, 559, 175, 560, 560, 560,
- 560, 560, 560, 382, 174, 584, 584, 584, 584, 584,
- 584, 584, 584, 595, 595, 595, 595, 595, 595, 103,
- 79, 554, 78, 557, 557, 557, 557, 557, 558, 555,
- 555, 595, 595, 595, 595, 595, 595, 595, 595, 596,
-
- 596, 596, 596, 596, 596, 596, 596, 597, 597, 597,
- 597, 597, 598, 595, 595, 103, 79, 382, 163, 566,
- 566, 566, 566, 566, 566, 566, 566, 532, 382, 91,
- 567, 567, 567, 567, 567, 567, 567, 567, 83, 81,
- 80, 79, 568, 568, 568, 568, 568, 152, 600, 601,
- 602, 600, 600, 600, 600, 600, 590, 146, 591, 591,
- 591, 591, 591, 591, 138, 568, 568, 568, 568, 568,
- 568, 554, 132, 555, 555, 555, 555, 555, 555, 555,
- 555, 79, 595, 595, 595, 595, 595, 595, 595, 595,
- 128, 79, 595, 595, 595, 595, 595, 595, 595, 595,
-
- 126, 113, 112, 111, 110, 109, 79, 554, 108, 555,
- 555, 555, 555, 555, 555, 555, 555, 105, 103, 91,
- 603, 603, 603, 603, 603, 603, 603, 603, 600, 600,
- 600, 600, 600, 600, 600, 600, 81, 80, 79, 606,
- 606, 606, 79, 590, 606, 591, 591, 591, 591, 591,
- 591, 591, 591, 79, 606, 606, 606, 606, 606, 606,
- 606, 79, 604, 604, 604, 604, 604, 605, 603, 603,
- 603, 603, 603, 603, 603, 603, 603, 603, 79, 590,
- 606, 592, 592, 592, 592, 592, 592, 592, 592, 606,
- 606, 606, 606, 606, 606, 79, 603, 603, 603, 603,
-
- 603, 603, 606, 79, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 79, 590, 606, 593, 593, 593,
- 593, 593, 594, 591, 591, 606, 606, 606, 606, 79,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 79, 590, 606, 591, 591, 591, 591, 591, 591, 591,
- 591, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 79, 590, 606, 591,
- 591, 591, 591, 591, 591, 591, 591, 606, 606, 606,
-
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 79, 57, 57, 57, 57, 57, 57, 57,
- 57, 57, 57, 57, 57, 57, 57, 57, 57, 31,
+ 33, 34, 35, 35, 35, 35, 36, 35, 37, 35,
+ 38, 39, 40, 41, 35, 35, 35, 35, 35, 42,
+ 14, 43, 43, 43, 43, 43, 43, 14, 14, 14,
+ 14, 14, 14, 14, 44, 14, 14, 45, 81, 52,
+ 89, 46, 151, 53, 107, 110, 115, 52, 107, 54,
+ 111, 53, 55, 76, 16, 77, 78, 54, 90, 109,
+ 55, 76, 16, 77, 78, 47, 48, 150, 128, 49,
+
+ 158, 113, 604, 131, 56, 394, 81, 50, 57, 35,
+ 51, 35, 56, 547, 91, 114, 57, 35, 133, 35,
+ 15, 60, 61, 120, 62, 15, 60, 61, 134, 62,
+ 62, 79, 58, 95, 95, 62, 81, 95, 95, 79,
+ 58, 191, 62, 63, 147, 119, 156, 62, 63, 15,
+ 16, 17, 69, 65, 81, 95, 154, 119, 70, 71,
+ 72, 102, 102, 102, 102, 102, 103, 85, 64, 147,
+ 119, 140, 73, 64, 15, 16, 17, 86, 65, 96,
+ 87, 87, 87, 87, 87, 87, 87, 87, 101, 101,
+ 101, 101, 101, 101, 101, 101, 174, 74, 15, 16,
+
+ 17, 69, 65, 157, 621, 176, 89, 70, 71, 72,
+ 80, 621, 100, 100, 100, 100, 100, 100, 100, 100,
+ 121, 73, 66, 67, 67, 67, 67, 67, 67, 67,
+ 67, 67, 67, 67, 67, 67, 67, 67, 67, 67,
+ 15, 16, 17, 107, 65, 81, 74, 152, 122, 123,
+ 166, 156, 124, 159, 160, 166, 155, 198, 394, 85,
+ 125, 135, 129, 126, 87, 87, 87, 87, 87, 87,
+ 87, 87, 150, 87, 87, 87, 87, 87, 87, 87,
+ 87, 172, 172, 172, 172, 172, 172, 547, 66, 67,
+ 67, 67, 67, 67, 67, 67, 67, 67, 67, 67,
+
+ 67, 67, 67, 67, 67, 67, 97, 81, 98, 98,
+ 98, 98, 98, 98, 98, 98, 99, 621, 197, 201,
+ 100, 100, 100, 100, 100, 81, 81, 182, 501, 138,
+ 138, 80, 183, 138, 138, 621, 184, 81, 185, 239,
+ 200, 81, 81, 202, 100, 100, 100, 100, 100, 100,
+ 80, 138, 81, 147, 119, 246, 80, 204, 574, 80,
+ 80, 91, 80, 80, 80, 106, 106, 106, 106, 106,
+ 106, 106, 106, 99, 199, 139, 80, 106, 106, 106,
+ 106, 106, 107, 107, 107, 107, 108, 107, 107, 107,
+ 107, 107, 107, 107, 107, 107, 107, 107, 107, 81,
+
+ 107, 100, 100, 100, 100, 100, 100, 80, 80, 80,
+ 80, 80, 80, 80, 80, 80, 80, 107, 107, 107,
+ 107, 107, 107, 107, 107, 621, 85, 147, 119, 107,
+ 107, 107, 107, 107, 159, 160, 146, 133, 107, 621,
+ 621, 621, 621, 621, 621, 621, 621, 134, 147, 119,
+ 81, 207, 248, 80, 80, 80, 80, 80, 80, 118,
+ 119, 80, 80, 80, 158, 80, 80, 174, 157, 80,
+ 143, 119, 144, 81, 145, 81, 220, 174, 144, 85,
+ 145, 80, 80, 80, 85, 81, 220, 81, 99, 246,
+ 246, 273, 145, 145, 86, 589, 150, 87, 87, 87,
+
+ 87, 87, 87, 87, 87, 80, 174, 80, 80, 80,
+ 156, 80, 80, 274, 81, 80, 156, 85, 145, 87,
+ 87, 87, 87, 87, 87, 87, 87, 80, 80, 80,
+ 245, 95, 95, 174, 276, 95, 95, 81, 163, 277,
+ 127, 164, 164, 164, 164, 164, 164, 164, 164, 88,
+ 249, 88, 88, 95, 501, 88, 88, 81, 92, 88,
+ 92, 92, 92, 285, 92, 92, 81, 290, 92, 257,
+ 257, 257, 88, 88, 289, 85, 81, 96, 81, 174,
+ 92, 92, 92, 94, 292, 80, 80, 94, 220, 80,
+ 80, 246, 447, 94, 168, 169, 170, 168, 168, 168,
+
+ 168, 168, 273, 333, 293, 94, 94, 80, 172, 172,
+ 172, 172, 172, 172, 172, 172, 172, 172, 172, 172,
+ 172, 172, 172, 172, 274, 81, 85, 81, 81, 171,
+ 171, 171, 171, 171, 171, 171, 171, 334, 99, 332,
+ 81, 171, 171, 171, 171, 171, 87, 87, 87, 87,
+ 87, 87, 87, 87, 85, 81, 81, 483, 138, 138,
+ 121, 329, 138, 138, 81, 171, 171, 171, 171, 171,
+ 171, 177, 177, 177, 177, 177, 177, 177, 177, 99,
+ 138, 291, 527, 177, 177, 177, 177, 177, 122, 123,
+ 174, 137, 124, 80, 80, 137, 174, 80, 80, 220,
+
+ 125, 137, 81, 126, 139, 263, 383, 171, 171, 171,
+ 171, 171, 171, 137, 137, 80, 621, 621, 621, 621,
+ 621, 621, 621, 621, 149, 81, 372, 149, 149, 81,
+ 335, 373, 85, 526, 149, 164, 164, 164, 164, 164,
+ 164, 164, 164, 370, 565, 385, 81, 149, 164, 164,
+ 164, 164, 164, 164, 164, 164, 165, 564, 165, 165,
+ 95, 434, 165, 165, 95, 371, 165, 261, 174, 207,
+ 95, 208, 208, 208, 208, 208, 208, 263, 165, 165,
+ 165, 563, 95, 95, 207, 432, 208, 208, 208, 208,
+ 208, 208, 208, 208, 207, 376, 209, 209, 209, 209,
+
+ 209, 209, 209, 209, 207, 81, 210, 210, 210, 210,
+ 210, 211, 208, 208, 138, 621, 174, 377, 138, 387,
+ 81, 261, 174, 81, 138, 263, 81, 174, 261, 174,
+ 81, 263, 621, 174, 447, 380, 138, 138, 310, 429,
+ 81, 80, 310, 212, 212, 212, 212, 212, 212, 212,
+ 212, 444, 444, 396, 81, 212, 212, 212, 212, 212,
+ 250, 251, 252, 250, 250, 250, 250, 250, 207, 81,
+ 208, 208, 208, 208, 208, 208, 208, 208, 386, 212,
+ 212, 212, 212, 212, 212, 214, 215, 216, 216, 216,
+ 216, 216, 216, 217, 81, 498, 498, 218, 218, 218,
+
+ 218, 218, 85, 207, 81, 208, 208, 208, 208, 208,
+ 208, 208, 208, 225, 225, 225, 225, 225, 225, 225,
+ 225, 218, 218, 218, 218, 218, 218, 174, 221, 222,
+ 223, 221, 221, 221, 221, 221, 224, 261, 174, 81,
+ 225, 225, 225, 225, 225, 255, 255, 256, 257, 257,
+ 257, 257, 257, 217, 265, 265, 265, 265, 265, 265,
+ 265, 265, 81, 566, 225, 225, 225, 225, 225, 225,
+ 226, 226, 226, 226, 226, 226, 226, 226, 435, 621,
+ 174, 378, 226, 226, 226, 226, 226, 266, 266, 266,
+ 266, 266, 267, 621, 81, 264, 264, 264, 264, 264,
+
+ 264, 264, 264, 379, 384, 492, 212, 212, 212, 212,
+ 212, 212, 261, 174, 262, 262, 262, 262, 262, 262,
+ 262, 262, 263, 174, 515, 515, 264, 264, 264, 264,
+ 264, 293, 263, 294, 294, 294, 294, 294, 294, 294,
+ 294, 299, 299, 299, 299, 299, 299, 299, 299, 217,
+ 264, 264, 264, 264, 264, 264, 174, 268, 269, 270,
+ 268, 268, 268, 268, 268, 271, 174, 81, 523, 272,
+ 272, 272, 272, 272, 293, 310, 295, 295, 295, 295,
+ 295, 295, 295, 295, 304, 305, 306, 304, 304, 304,
+ 304, 304, 522, 272, 272, 272, 272, 272, 272, 293,
+
+ 521, 296, 296, 296, 296, 296, 297, 294, 294, 370,
+ 81, 272, 272, 272, 272, 272, 272, 272, 272, 261,
+ 174, 308, 308, 308, 308, 308, 308, 525, 526, 263,
+ 520, 371, 544, 544, 517, 81, 261, 174, 308, 308,
+ 308, 308, 308, 308, 308, 308, 263, 261, 174, 309,
+ 309, 309, 309, 309, 309, 309, 309, 310, 376, 378,
+ 475, 311, 311, 311, 311, 311, 312, 312, 312, 312,
+ 312, 312, 312, 312, 313, 313, 313, 313, 313, 314,
+ 377, 379, 476, 261, 174, 311, 311, 311, 311, 311,
+ 311, 174, 315, 316, 317, 315, 315, 315, 315, 315,
+
+ 318, 81, 525, 526, 319, 319, 319, 319, 319, 621,
+ 433, 311, 311, 311, 311, 311, 311, 311, 311, 336,
+ 337, 338, 336, 336, 336, 336, 336, 457, 319, 319,
+ 319, 319, 319, 319, 293, 394, 294, 294, 294, 294,
+ 294, 294, 294, 294, 293, 396, 294, 294, 294, 294,
+ 294, 294, 293, 81, 294, 294, 294, 294, 294, 294,
+ 294, 294, 360, 360, 360, 360, 360, 361, 396, 348,
+ 81, 349, 349, 349, 349, 349, 349, 349, 349, 342,
+ 81, 399, 399, 399, 399, 399, 400, 81, 81, 343,
+ 344, 345, 343, 343, 343, 343, 343, 346, 174, 580,
+
+ 580, 347, 347, 347, 347, 347, 348, 310, 350, 350,
+ 350, 350, 350, 350, 350, 350, 319, 319, 319, 319,
+ 319, 319, 319, 319, 480, 347, 347, 347, 347, 347,
+ 347, 348, 479, 351, 351, 351, 351, 351, 352, 349,
+ 349, 261, 174, 355, 355, 355, 355, 355, 355, 355,
+ 355, 310, 261, 174, 355, 355, 355, 355, 355, 355,
+ 81, 81, 310, 261, 174, 356, 356, 356, 356, 356,
+ 356, 356, 356, 357, 474, 528, 473, 358, 358, 358,
+ 358, 358, 359, 359, 359, 359, 359, 359, 359, 359,
+ 621, 174, 358, 358, 358, 358, 358, 358, 358, 358,
+
+ 357, 358, 358, 358, 358, 358, 358, 174, 362, 363,
+ 364, 362, 362, 362, 362, 362, 365, 590, 85, 472,
+ 366, 366, 366, 366, 366, 387, 388, 388, 388, 388,
+ 388, 388, 388, 388, 387, 389, 389, 389, 389, 389,
+ 389, 389, 389, 471, 366, 366, 366, 366, 366, 366,
+ 387, 390, 390, 390, 390, 390, 391, 388, 388, 470,
+ 81, 347, 347, 347, 347, 347, 347, 347, 347, 81,
+ 398, 398, 398, 398, 398, 398, 398, 398, 416, 416,
+ 416, 416, 416, 417, 477, 81, 394, 621, 395, 395,
+ 395, 395, 395, 395, 395, 395, 396, 396, 598, 598,
+
+ 397, 397, 397, 397, 397, 621, 478, 397, 397, 397,
+ 397, 397, 397, 397, 397, 406, 407, 408, 406, 406,
+ 406, 406, 406, 342, 397, 397, 397, 397, 397, 397,
+ 401, 402, 403, 401, 401, 401, 401, 401, 404, 259,
+ 481, 85, 405, 405, 405, 405, 405, 348, 394, 349,
+ 349, 349, 349, 349, 349, 349, 349, 348, 396, 349,
+ 349, 349, 349, 349, 349, 431, 405, 405, 405, 405,
+ 405, 405, 348, 430, 349, 349, 349, 349, 349, 349,
+ 349, 349, 261, 174, 261, 174, 450, 450, 450, 450,
+ 450, 451, 310, 482, 357, 366, 366, 366, 366, 366,
+
+ 366, 366, 366, 621, 174, 415, 415, 415, 415, 415,
+ 415, 415, 415, 357, 261, 174, 411, 411, 411, 411,
+ 411, 411, 411, 411, 357, 261, 174, 411, 411, 411,
+ 411, 411, 411, 603, 604, 357, 261, 174, 412, 412,
+ 412, 412, 412, 412, 412, 412, 413, 174, 603, 604,
+ 414, 414, 414, 414, 414, 621, 357, 414, 414, 414,
+ 414, 414, 414, 414, 414, 436, 437, 438, 439, 436,
+ 436, 436, 436, 428, 414, 414, 414, 414, 414, 414,
+ 174, 418, 419, 420, 418, 418, 418, 418, 418, 174,
+ 148, 148, 427, 421, 421, 421, 421, 421, 413, 81,
+
+ 387, 388, 388, 388, 388, 388, 388, 388, 388, 387,
+ 388, 388, 388, 388, 388, 388, 426, 421, 421, 421,
+ 421, 421, 421, 387, 388, 388, 388, 388, 388, 388,
+ 388, 388, 518, 484, 425, 81, 441, 442, 443, 441,
+ 441, 441, 441, 441, 81, 405, 405, 405, 405, 405,
+ 405, 405, 405, 484, 519, 484, 485, 394, 81, 445,
+ 445, 445, 445, 445, 445, 445, 445, 396, 394, 486,
+ 446, 446, 446, 446, 446, 446, 446, 446, 447, 81,
+ 424, 423, 448, 448, 448, 448, 448, 449, 449, 449,
+ 449, 449, 449, 449, 449, 621, 422, 448, 448, 448,
+
+ 448, 448, 448, 448, 448, 81, 448, 448, 448, 448,
+ 448, 448, 452, 453, 454, 452, 452, 452, 452, 452,
+ 455, 174, 348, 342, 456, 456, 456, 456, 456, 457,
+ 413, 458, 458, 458, 458, 458, 458, 458, 458, 468,
+ 468, 468, 468, 468, 469, 261, 174, 259, 456, 456,
+ 456, 456, 456, 456, 457, 357, 459, 459, 459, 459,
+ 459, 459, 459, 459, 457, 217, 460, 460, 460, 460,
+ 460, 461, 458, 458, 261, 174, 421, 421, 421, 421,
+ 421, 421, 421, 421, 413, 621, 174, 467, 467, 467,
+ 467, 467, 467, 467, 467, 413, 261, 174, 464, 464,
+
+ 464, 464, 464, 464, 464, 464, 413, 261, 174, 464,
+ 464, 464, 464, 464, 464, 382, 381, 413, 261, 174,
+ 465, 465, 465, 465, 465, 465, 465, 465, 394, 375,
+ 374, 369, 466, 466, 466, 466, 466, 621, 447, 466,
+ 466, 466, 466, 466, 466, 466, 466, 456, 456, 456,
+ 456, 456, 456, 456, 456, 368, 466, 466, 466, 466,
+ 466, 466, 486, 621, 487, 487, 487, 487, 487, 487,
+ 487, 487, 486, 447, 488, 488, 488, 488, 488, 488,
+ 488, 488, 486, 394, 489, 489, 489, 489, 489, 490,
+ 491, 491, 486, 447, 569, 605, 367, 486, 81, 491,
+
+ 491, 491, 487, 487, 487, 487, 487, 492, 81, 493,
+ 493, 493, 493, 493, 493, 493, 493, 492, 81, 494,
+ 494, 494, 494, 494, 494, 494, 494, 342, 81, 259,
+ 81, 81, 492, 81, 495, 495, 495, 495, 495, 496,
+ 493, 493, 394, 475, 499, 499, 499, 499, 499, 499,
+ 499, 499, 447, 394, 217, 500, 500, 500, 500, 500,
+ 500, 500, 500, 501, 477, 476, 518, 502, 502, 502,
+ 502, 502, 503, 503, 503, 503, 503, 503, 503, 503,
+ 504, 504, 504, 504, 504, 505, 478, 217, 519, 286,
+ 331, 502, 502, 502, 502, 502, 502, 506, 507, 508,
+
+ 506, 506, 506, 506, 506, 509, 330, 328, 327, 510,
+ 510, 510, 510, 510, 621, 326, 502, 502, 502, 502,
+ 502, 502, 502, 502, 511, 512, 513, 511, 511, 511,
+ 511, 511, 325, 510, 510, 510, 510, 510, 510, 457,
+ 324, 458, 458, 458, 458, 458, 458, 458, 458, 457,
+ 484, 458, 458, 458, 458, 458, 458, 458, 458, 457,
+ 323, 458, 458, 458, 458, 458, 458, 261, 174, 614,
+ 484, 322, 484, 484, 614, 321, 320, 413, 261, 174,
+ 516, 516, 516, 516, 516, 516, 516, 516, 530, 302,
+ 531, 532, 533, 530, 259, 531, 532, 533, 537, 538,
+
+ 539, 537, 537, 537, 537, 537, 486, 394, 487, 487,
+ 487, 487, 487, 487, 487, 487, 486, 501, 487, 487,
+ 487, 487, 487, 487, 487, 487, 217, 621, 394, 561,
+ 394, 298, 81, 217, 621, 105, 534, 501, 501, 286,
+ 547, 536, 81, 486, 547, 487, 487, 487, 487, 487,
+ 487, 562, 81, 540, 541, 542, 540, 540, 540, 540,
+ 540, 492, 288, 493, 493, 493, 493, 493, 493, 493,
+ 493, 550, 550, 550, 550, 550, 551, 286, 492, 81,
+ 493, 493, 493, 493, 493, 493, 493, 493, 492, 287,
+ 493, 493, 493, 493, 493, 493, 510, 510, 510, 510,
+
+ 510, 510, 510, 510, 394, 561, 545, 545, 545, 545,
+ 545, 545, 545, 545, 501, 394, 394, 546, 546, 546,
+ 546, 546, 546, 546, 546, 547, 547, 562, 286, 548,
+ 548, 548, 548, 548, 549, 549, 549, 549, 549, 549,
+ 549, 549, 621, 284, 548, 548, 548, 548, 548, 548,
+ 548, 548, 283, 548, 548, 548, 548, 548, 548, 552,
+ 553, 554, 552, 552, 552, 552, 552, 282, 281, 280,
+ 279, 555, 555, 555, 555, 555, 174, 556, 556, 556,
+ 556, 556, 556, 556, 556, 174, 557, 557, 557, 557,
+ 557, 557, 557, 557, 587, 555, 555, 555, 555, 555,
+
+ 555, 174, 558, 558, 558, 558, 558, 559, 556, 556,
+ 621, 278, 621, 621, 621, 530, 588, 531, 532, 533,
+ 621, 275, 531, 532, 533, 621, 99, 621, 621, 533,
+ 567, 217, 259, 568, 568, 568, 568, 568, 568, 568,
+ 568, 217, 587, 529, 529, 600, 621, 529, 621, 621,
+ 621, 105, 85, 535, 535, 205, 247, 535, 534, 529,
+ 529, 529, 244, 534, 588, 243, 242, 601, 534, 535,
+ 535, 535, 569, 534, 570, 570, 570, 570, 570, 570,
+ 570, 570, 569, 600, 571, 571, 571, 571, 571, 571,
+ 571, 571, 241, 569, 536, 572, 572, 572, 572, 572,
+
+ 573, 570, 570, 240, 238, 601, 237, 574, 81, 575,
+ 575, 575, 575, 575, 575, 575, 575, 574, 81, 576,
+ 576, 576, 576, 576, 576, 576, 576, 236, 574, 81,
+ 577, 577, 577, 577, 577, 578, 575, 575, 555, 555,
+ 555, 555, 555, 555, 555, 555, 394, 235, 581, 581,
+ 581, 581, 581, 581, 581, 581, 547, 394, 234, 582,
+ 582, 582, 582, 582, 582, 582, 582, 233, 232, 231,
+ 230, 583, 583, 583, 583, 583, 584, 584, 584, 584,
+ 584, 584, 584, 584, 585, 585, 585, 585, 585, 586,
+ 229, 228, 227, 105, 97, 583, 583, 583, 583, 583,
+
+ 583, 621, 85, 583, 583, 583, 583, 583, 583, 583,
+ 583, 174, 556, 556, 556, 556, 556, 556, 556, 556,
+ 174, 556, 556, 556, 556, 556, 556, 556, 556, 174,
+ 556, 556, 556, 556, 556, 556, 568, 568, 568, 568,
+ 568, 568, 568, 568, 568, 568, 568, 568, 568, 568,
+ 568, 568, 591, 592, 593, 591, 591, 591, 591, 591,
+ 569, 85, 570, 570, 570, 570, 570, 570, 570, 570,
+ 569, 205, 570, 570, 570, 570, 570, 570, 570, 570,
+ 155, 156, 150, 150, 142, 569, 81, 570, 570, 570,
+ 570, 570, 570, 203, 136, 136, 81, 594, 595, 596,
+
+ 594, 594, 594, 594, 594, 574, 81, 575, 575, 575,
+ 575, 575, 575, 575, 575, 196, 195, 194, 193, 192,
+ 574, 81, 575, 575, 575, 575, 575, 575, 575, 575,
+ 574, 190, 575, 575, 575, 575, 575, 575, 394, 189,
+ 599, 599, 599, 599, 599, 599, 599, 599, 605, 188,
+ 606, 606, 606, 606, 606, 606, 606, 606, 605, 187,
+ 607, 607, 607, 607, 607, 607, 607, 607, 605, 186,
+ 608, 608, 608, 608, 608, 609, 606, 606, 610, 610,
+ 610, 610, 610, 610, 81, 610, 610, 610, 610, 610,
+ 610, 610, 610, 181, 81, 611, 611, 611, 611, 611,
+
+ 611, 611, 611, 180, 81, 612, 612, 612, 612, 612,
+ 613, 610, 610, 615, 616, 617, 615, 615, 615, 615,
+ 615, 605, 179, 606, 606, 606, 606, 606, 606, 606,
+ 606, 605, 178, 606, 606, 606, 606, 606, 606, 606,
+ 606, 105, 80, 105, 167, 93, 605, 81, 606, 606,
+ 606, 606, 606, 606, 85, 83, 82, 81, 610, 610,
+ 610, 610, 610, 610, 610, 610, 81, 81, 610, 610,
+ 610, 610, 610, 610, 610, 610, 156, 150, 142, 113,
+ 111, 136, 81, 618, 618, 618, 618, 618, 618, 618,
+ 618, 615, 615, 615, 615, 615, 615, 615, 615, 619,
+
+ 619, 619, 619, 619, 620, 618, 618, 618, 618, 618,
+ 618, 618, 618, 618, 618, 132, 130, 81, 618, 618,
+ 618, 618, 618, 618, 117, 81, 116, 115, 112, 107,
+ 105, 93, 83, 81, 82, 81, 621, 621, 621, 621,
+ 621, 81, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 81, 59, 59, 59, 59, 59, 59, 59,
+ 59, 59, 59, 59, 59, 59, 59, 59, 59, 31,
31, 31, 31, 31, 31, 31, 31, 31, 31, 31,
- 31, 31, 31, 31, 31, 66, 66, 66, 66, 66,
- 66, 66, 66, 66, 66, 66, 66, 66, 66, 66,
- 66, 73, 73, 73, 73, 73, 73, 73, 73, 73,
- 73, 73, 73, 73, 73, 73, 73, 78, 606, 606,
- 606, 606, 606, 606, 606, 78, 78, 78, 606, 606,
-
- 78, 78, 78, 82, 82, 82, 82, 82, 82, 82,
- 82, 82, 82, 82, 82, 82, 82, 82, 82, 86,
- 606, 606, 606, 606, 86, 606, 606, 86, 86, 86,
- 86, 606, 86, 86, 86, 90, 606, 606, 606, 606,
- 606, 606, 606, 90, 90, 90, 606, 606, 90, 90,
- 90, 92, 606, 606, 92, 92, 606, 92, 606, 92,
- 92, 92, 606, 606, 92, 92, 92, 102, 102, 606,
- 606, 606, 102, 133, 606, 606, 133, 133, 606, 133,
- 606, 133, 133, 133, 606, 606, 133, 133, 133, 137,
- 606, 606, 137, 137, 606, 137, 606, 137, 137, 137,
-
- 606, 137, 606, 137, 137, 145, 606, 606, 145, 606,
- 606, 145, 606, 145, 145, 145, 145, 606, 145, 145,
- 145, 149, 149, 149, 149, 149, 149, 149, 149, 149,
- 149, 149, 149, 149, 149, 149, 149, 151, 151, 606,
- 151, 606, 151, 151, 151, 151, 151, 151, 151, 151,
- 151, 151, 151, 157, 157, 157, 157, 157, 157, 157,
- 157, 157, 157, 157, 157, 157, 157, 157, 157, 158,
- 158, 606, 158, 158, 158, 158, 158, 158, 158, 158,
- 158, 158, 158, 158, 158, 161, 606, 606, 606, 606,
- 161, 606, 606, 161, 161, 161, 606, 606, 161, 161,
-
- 161, 93, 606, 606, 93, 93, 606, 93, 606, 93,
- 93, 93, 606, 606, 93, 93, 93, 169, 169, 606,
- 606, 606, 169, 171, 171, 171, 606, 606, 606, 171,
- 134, 606, 606, 134, 134, 606, 134, 606, 134, 134,
- 134, 606, 606, 134, 134, 134, 200, 200, 200, 200,
- 200, 200, 200, 200, 200, 200, 200, 200, 200, 200,
- 200, 200, 207, 207, 606, 606, 606, 207, 213, 213,
- 213, 606, 606, 606, 213, 245, 245, 606, 606, 606,
- 245, 246, 246, 606, 606, 606, 246, 250, 250, 606,
- 606, 606, 250, 252, 252, 252, 606, 606, 606, 252,
-
- 288, 288, 606, 606, 606, 288, 290, 290, 606, 606,
- 606, 290, 291, 291, 606, 606, 606, 291, 293, 293,
- 293, 606, 606, 606, 293, 297, 297, 297, 297, 606,
- 606, 606, 297, 328, 328, 606, 606, 606, 328, 329,
- 329, 606, 606, 606, 329, 330, 330, 606, 606, 606,
- 330, 342, 342, 342, 606, 606, 606, 342, 343, 343,
- 343, 343, 606, 606, 606, 343, 380, 380, 606, 606,
- 606, 380, 381, 381, 606, 606, 606, 381, 397, 397,
- 397, 606, 606, 606, 397, 398, 398, 398, 398, 606,
- 606, 606, 398, 427, 427, 606, 606, 606, 427, 431,
-
- 606, 431, 431, 606, 606, 606, 431, 449, 449, 449,
- 606, 606, 606, 449, 450, 450, 450, 450, 606, 606,
- 606, 450, 483, 483, 606, 606, 606, 483, 484, 606,
- 484, 484, 606, 606, 606, 484, 500, 500, 500, 606,
- 606, 606, 500, 501, 501, 501, 606, 606, 606, 606,
- 501, 509, 509, 509, 509, 509, 509, 509, 509, 509,
- 509, 509, 509, 509, 509, 509, 509, 514, 514, 606,
- 514, 514, 514, 606, 606, 514, 514, 514, 606, 606,
- 514, 514, 514, 520, 520, 606, 520, 520, 520, 606,
- 606, 520, 520, 520, 606, 606, 520, 520, 520, 528,
-
- 528, 606, 606, 606, 528, 529, 606, 529, 529, 606,
- 606, 606, 529, 545, 545, 606, 606, 606, 606, 545,
- 564, 564, 606, 606, 606, 564, 565, 606, 565, 565,
- 606, 606, 606, 565, 582, 582, 606, 606, 606, 582,
- 583, 606, 583, 606, 606, 606, 606, 583, 587, 587,
- 587, 587, 587, 587, 587, 587, 587, 587, 587, 587,
- 587, 587, 587, 587, 13, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
-
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606
+ 31, 31, 31, 31, 31, 68, 68, 68, 68, 68,
+ 68, 68, 68, 68, 68, 68, 68, 68, 68, 68,
+
+ 68, 75, 75, 75, 75, 75, 75, 75, 75, 75,
+ 75, 75, 75, 75, 75, 75, 75, 80, 621, 621,
+ 621, 621, 621, 621, 621, 80, 80, 80, 621, 621,
+ 80, 80, 80, 84, 84, 84, 84, 84, 84, 84,
+ 84, 84, 84, 84, 84, 84, 84, 84, 84, 88,
+ 621, 621, 621, 621, 88, 621, 621, 88, 88, 88,
+ 88, 621, 88, 88, 88, 92, 621, 621, 621, 621,
+ 621, 621, 621, 92, 92, 92, 621, 621, 92, 92,
+ 92, 94, 621, 621, 94, 94, 621, 94, 621, 94,
+ 94, 94, 621, 621, 94, 94, 94, 104, 104, 621,
+
+ 621, 621, 104, 137, 621, 621, 137, 137, 621, 137,
+ 621, 137, 137, 137, 621, 621, 137, 137, 137, 141,
+ 621, 621, 141, 141, 621, 141, 621, 141, 141, 141,
+ 621, 141, 621, 141, 141, 149, 621, 621, 149, 621,
+ 621, 149, 621, 149, 149, 149, 149, 621, 149, 149,
+ 149, 153, 153, 153, 153, 153, 153, 153, 153, 153,
+ 153, 153, 153, 153, 153, 153, 153, 155, 155, 621,
+ 155, 621, 155, 155, 155, 155, 155, 155, 155, 155,
+ 155, 155, 155, 161, 161, 161, 161, 161, 161, 161,
+ 161, 161, 161, 161, 161, 161, 161, 161, 161, 162,
+
+ 162, 621, 162, 162, 162, 162, 162, 162, 162, 162,
+ 162, 162, 162, 162, 162, 165, 621, 621, 621, 621,
+ 165, 621, 621, 165, 165, 165, 621, 621, 165, 165,
+ 165, 95, 621, 621, 95, 95, 621, 95, 621, 95,
+ 95, 95, 621, 621, 95, 95, 95, 173, 173, 621,
+ 621, 621, 173, 175, 175, 175, 621, 621, 621, 175,
+ 138, 621, 621, 138, 138, 621, 138, 621, 138, 138,
+ 138, 621, 621, 138, 138, 138, 206, 206, 206, 206,
+ 206, 206, 206, 206, 206, 206, 206, 206, 206, 206,
+ 206, 206, 213, 213, 621, 621, 621, 213, 219, 219,
+
+ 219, 621, 621, 621, 219, 253, 253, 621, 621, 621,
+ 253, 254, 254, 621, 621, 621, 254, 258, 258, 621,
+ 621, 621, 258, 260, 260, 260, 621, 621, 621, 260,
+ 298, 298, 621, 621, 621, 298, 300, 300, 621, 621,
+ 621, 300, 301, 301, 621, 621, 621, 301, 303, 303,
+ 303, 621, 621, 621, 303, 307, 307, 307, 307, 621,
+ 621, 621, 307, 339, 339, 621, 621, 621, 339, 340,
+ 340, 621, 621, 621, 340, 341, 341, 621, 621, 621,
+ 341, 353, 353, 353, 621, 621, 621, 353, 354, 354,
+ 354, 354, 621, 621, 621, 354, 392, 392, 621, 621,
+
+ 621, 392, 393, 393, 621, 621, 621, 393, 409, 409,
+ 409, 621, 621, 621, 409, 410, 410, 410, 410, 621,
+ 621, 621, 410, 440, 440, 621, 621, 621, 440, 444,
+ 621, 444, 444, 621, 621, 621, 444, 462, 462, 462,
+ 621, 621, 621, 462, 463, 463, 463, 463, 621, 621,
+ 621, 463, 497, 497, 621, 621, 621, 497, 498, 621,
+ 498, 498, 621, 621, 621, 498, 514, 514, 514, 621,
+ 621, 621, 514, 515, 515, 515, 621, 621, 621, 621,
+ 515, 524, 524, 524, 524, 524, 524, 524, 524, 524,
+ 524, 524, 524, 524, 524, 524, 524, 529, 529, 621,
+
+ 529, 529, 529, 621, 621, 529, 529, 529, 621, 621,
+ 529, 529, 529, 535, 535, 621, 535, 535, 535, 621,
+ 621, 535, 535, 535, 621, 621, 535, 535, 535, 543,
+ 543, 621, 621, 621, 543, 544, 621, 544, 544, 621,
+ 621, 621, 544, 560, 560, 621, 621, 621, 621, 560,
+ 579, 579, 621, 621, 621, 579, 580, 621, 580, 580,
+ 621, 621, 621, 580, 597, 597, 621, 621, 621, 597,
+ 598, 621, 598, 621, 621, 621, 621, 598, 602, 602,
+ 602, 602, 602, 602, 602, 602, 602, 602, 602, 602,
+ 602, 602, 602, 602, 13, 621, 621, 621, 621, 621,
+
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621
} ;
-static yyconst short int yy_chk[3732] =
+static yyconst short int yy_chk[3663] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 2, 44, 3, 34,
- 2, 103, 3, 4, 47, 20, 126, 4, 3, 34,
- 103, 3, 52, 4, 44, 48, 4, 11, 11, 11,
- 11, 126, 52, 20, 2, 2, 56, 47, 2, 74,
-
- 5, 5, 5, 48, 5, 2, 50, 3, 2, 3,
- 5, 603, 4, 56, 4, 6, 6, 6, 20, 6,
- 64, 64, 5, 5, 75, 6, 12, 12, 12, 12,
- 3, 196, 68, 50, 11, 4, 70, 6, 6, 25,
- 25, 72, 72, 25, 25, 196, 74, 5, 27, 27,
- 27, 27, 27, 27, 27, 27, 68, 88, 124, 127,
- 70, 25, 6, 7, 7, 7, 45, 7, 587, 75,
- 124, 127, 129, 12, 28, 28, 28, 28, 28, 28,
- 139, 139, 129, 43, 25, 43, 43, 43, 43, 43,
- 43, 43, 43, 194, 45, 45, 77, 77, 45, 77,
-
- 88, 116, 123, 114, 114, 45, 116, 153, 45, 194,
+ 1, 1, 1, 1, 1, 1, 1, 2, 618, 3,
+ 20, 2, 70, 3, 47, 36, 50, 4, 34, 3,
+ 36, 4, 3, 11, 11, 11, 11, 4, 20, 34,
+ 4, 12, 12, 12, 12, 2, 2, 70, 47, 2,
+
+ 77, 38, 602, 50, 3, 599, 44, 2, 3, 3,
+ 2, 3, 4, 597, 20, 38, 4, 4, 52, 4,
+ 5, 5, 5, 44, 5, 6, 6, 6, 52, 6,
+ 5, 11, 3, 25, 25, 6, 120, 25, 25, 12,
+ 4, 120, 5, 5, 66, 66, 77, 6, 6, 9,
+ 9, 9, 9, 9, 58, 25, 74, 74, 9, 9,
+ 9, 28, 28, 28, 28, 28, 28, 19, 5, 143,
+ 143, 58, 9, 6, 7, 7, 7, 19, 7, 25,
+ 19, 19, 19, 19, 19, 19, 19, 19, 27, 27,
+ 27, 27, 27, 27, 27, 27, 105, 9, 10, 10,
+
+ 10, 10, 10, 76, 583, 105, 90, 10, 10, 10,
+ 43, 165, 43, 43, 43, 43, 43, 43, 43, 43,
+ 45, 10, 7, 7, 7, 7, 7, 7, 7, 7,
7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
- 7, 7, 7, 7, 7, 7, 7, 7, 8, 8,
- 8, 53, 8, 206, 53, 53, 53, 53, 53, 53,
- 53, 53, 84, 84, 84, 84, 84, 84, 84, 84,
- 114, 62, 62, 62, 153, 62, 154, 125, 206, 62,
- 123, 62, 85, 85, 85, 85, 85, 85, 85, 85,
- 143, 143, 202, 62, 62, 8, 8, 8, 8, 8,
+ 8, 8, 8, 48, 8, 128, 10, 72, 45, 45,
+ 90, 76, 45, 79, 79, 165, 79, 128, 582, 127,
+ 45, 53, 48, 45, 53, 53, 53, 53, 53, 53,
+ 53, 53, 72, 86, 86, 86, 86, 86, 86, 86,
+ 86, 103, 103, 103, 103, 103, 103, 580, 8, 8,
8, 8, 8, 8, 8, 8, 8, 8, 8, 8,
- 8, 8, 8, 9, 9, 9, 9, 9, 62, 125,
-
- 128, 154, 9, 9, 9, 86, 128, 202, 55, 55,
- 136, 161, 55, 55, 185, 136, 9, 101, 101, 101,
- 101, 101, 101, 86, 155, 155, 198, 185, 87, 584,
- 55, 87, 87, 87, 87, 87, 87, 87, 87, 198,
- 9, 10, 10, 10, 10, 10, 582, 171, 86, 284,
- 10, 10, 10, 55, 161, 89, 171, 89, 89, 222,
- 568, 89, 89, 222, 10, 89, 213, 95, 95, 95,
- 95, 95, 95, 95, 95, 213, 92, 92, 89, 89,
- 92, 92, 192, 195, 284, 195, 512, 192, 10, 19,
- 99, 99, 99, 99, 99, 99, 99, 99, 92, 19,
-
- 95, 221, 19, 19, 19, 19, 19, 19, 19, 19,
- 26, 191, 26, 26, 26, 26, 26, 26, 26, 26,
- 26, 92, 237, 221, 26, 26, 26, 26, 26, 100,
- 100, 100, 100, 100, 100, 100, 100, 131, 131, 131,
- 131, 131, 131, 131, 131, 26, 512, 26, 26, 26,
- 26, 26, 26, 32, 146, 238, 238, 146, 146, 32,
- 567, 191, 32, 32, 146, 32, 32, 32, 32, 32,
- 32, 32, 32, 32, 32, 32, 32, 146, 237, 32,
+
+ 8, 8, 8, 8, 8, 8, 26, 131, 26, 26,
+ 26, 26, 26, 26, 26, 26, 26, 88, 127, 131,
+ 26, 26, 26, 26, 26, 130, 191, 112, 579, 55,
+ 55, 129, 112, 55, 55, 88, 112, 132, 112, 191,
+ 130, 202, 26, 132, 26, 26, 26, 26, 26, 26,
+ 32, 55, 140, 147, 147, 202, 32, 140, 575, 32,
+ 32, 88, 32, 32, 32, 32, 32, 32, 32, 32,
+ 32, 32, 32, 32, 129, 55, 32, 32, 32, 32,
32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
32, 32, 32, 32, 32, 32, 32, 32, 32, 32,
- 32, 32, 32, 32, 32, 32, 32, 32, 32, 35,
- 35, 35, 35, 35, 35, 35, 35, 35, 210, 210,
- 210, 35, 35, 35, 35, 35, 109, 231, 240, 241,
- 35, 109, 252, 231, 109, 241, 109, 117, 565, 150,
- 150, 252, 239, 240, 35, 35, 35, 35, 35, 35,
- 42, 42, 42, 42, 42, 293, 42, 42, 133, 133,
- 42, 265, 133, 133, 293, 117, 117, 239, 281, 117,
- 388, 388, 42, 42, 42, 46, 117, 163, 281, 117,
- 133, 163, 323, 265, 239, 46, 150, 163, 46, 46,
-
- 46, 46, 46, 46, 46, 46, 275, 282, 323, 163,
- 163, 275, 282, 133, 142, 142, 142, 142, 142, 142,
- 142, 142, 159, 159, 159, 159, 159, 159, 159, 159,
- 160, 160, 160, 160, 160, 160, 160, 160, 438, 438,
- 46, 63, 201, 201, 201, 201, 201, 201, 201, 201,
- 279, 63, 564, 280, 63, 63, 63, 63, 63, 63,
- 63, 63, 79, 560, 79, 79, 79, 297, 79, 79,
- 254, 254, 79, 197, 280, 201, 297, 197, 256, 256,
- 254, 321, 322, 197, 79, 79, 79, 91, 256, 91,
- 91, 91, 322, 91, 91, 197, 197, 91, 209, 209,
-
- 209, 209, 209, 209, 209, 209, 209, 298, 298, 91,
- 91, 91, 94, 279, 94, 94, 94, 298, 94, 94,
- 313, 383, 94, 162, 313, 162, 162, 452, 452, 162,
- 162, 383, 321, 162, 94, 94, 94, 96, 96, 96,
- 96, 96, 96, 96, 96, 162, 162, 162, 312, 96,
- 96, 96, 96, 96, 205, 368, 205, 205, 205, 205,
- 205, 205, 214, 214, 214, 214, 214, 214, 214, 214,
- 312, 368, 96, 96, 96, 96, 96, 96, 104, 104,
- 104, 104, 104, 104, 104, 104, 104, 316, 371, 205,
- 104, 104, 104, 104, 104, 216, 216, 216, 216, 216,
-
- 216, 216, 216, 217, 217, 217, 217, 217, 217, 316,
- 299, 299, 373, 104, 104, 104, 104, 104, 104, 135,
- 299, 135, 135, 135, 549, 135, 135, 373, 219, 135,
- 219, 219, 219, 219, 219, 219, 219, 219, 453, 453,
- 371, 135, 135, 135, 164, 545, 164, 164, 164, 164,
- 164, 164, 164, 164, 247, 247, 247, 247, 247, 247,
- 247, 247, 247, 253, 253, 253, 253, 253, 253, 253,
- 253, 255, 255, 255, 255, 255, 255, 255, 255, 164,
- 165, 541, 165, 165, 165, 165, 165, 165, 165, 165,
- 259, 259, 259, 259, 259, 259, 259, 259, 419, 419,
-
- 259, 261, 261, 261, 261, 261, 261, 261, 261, 262,
- 262, 262, 262, 262, 262, 165, 166, 529, 166, 166,
- 166, 166, 166, 166, 166, 166, 264, 317, 264, 264,
- 264, 264, 264, 264, 264, 264, 301, 301, 283, 283,
- 283, 283, 283, 283, 283, 283, 301, 456, 456, 317,
- 419, 166, 167, 318, 167, 167, 167, 167, 167, 167,
- 167, 167, 318, 324, 342, 343, 167, 167, 167, 167,
- 167, 283, 324, 342, 343, 344, 344, 287, 372, 287,
- 287, 287, 287, 287, 287, 344, 420, 372, 420, 167,
- 167, 167, 167, 167, 167, 170, 170, 170, 170, 170,
-
- 170, 170, 170, 170, 345, 345, 528, 170, 170, 170,
- 170, 170, 287, 294, 345, 294, 294, 294, 294, 294,
- 294, 294, 294, 307, 307, 307, 307, 307, 307, 513,
- 170, 170, 170, 170, 170, 170, 172, 172, 172, 172,
- 172, 172, 172, 172, 172, 172, 467, 467, 509, 172,
- 172, 172, 172, 172, 295, 376, 295, 295, 295, 295,
- 295, 295, 295, 295, 300, 300, 300, 300, 300, 300,
- 300, 300, 172, 172, 172, 172, 172, 172, 173, 173,
- 173, 173, 173, 173, 173, 173, 347, 347, 508, 376,
- 173, 173, 173, 173, 173, 296, 347, 296, 296, 296,
-
- 296, 296, 296, 296, 296, 306, 306, 306, 306, 306,
- 306, 306, 306, 173, 173, 173, 173, 173, 173, 203,
- 507, 203, 203, 203, 203, 203, 203, 203, 203, 304,
- 304, 304, 304, 304, 304, 304, 304, 506, 309, 304,
- 309, 309, 309, 309, 309, 309, 309, 309, 334, 334,
- 334, 334, 334, 334, 203, 204, 501, 204, 204, 204,
- 204, 204, 204, 204, 204, 331, 331, 331, 331, 331,
- 331, 331, 331, 333, 333, 333, 333, 333, 333, 333,
- 333, 337, 337, 337, 337, 337, 337, 337, 337, 358,
- 204, 215, 215, 215, 215, 215, 215, 215, 215, 215,
-
- 215, 215, 491, 491, 484, 215, 215, 215, 215, 215,
- 336, 358, 336, 336, 336, 336, 336, 336, 336, 336,
- 341, 483, 341, 341, 341, 341, 341, 341, 215, 215,
- 215, 215, 215, 215, 218, 218, 218, 218, 218, 218,
- 218, 218, 218, 218, 397, 502, 502, 218, 218, 218,
- 218, 218, 339, 397, 339, 339, 339, 339, 339, 339,
- 339, 339, 346, 346, 346, 346, 346, 346, 346, 346,
- 218, 218, 218, 218, 218, 218, 242, 479, 242, 242,
- 242, 242, 242, 242, 242, 242, 340, 364, 340, 340,
- 340, 340, 340, 340, 340, 340, 350, 350, 350, 350,
-
- 350, 350, 350, 350, 398, 670, 350, 510, 510, 364,
- 670, 242, 243, 398, 243, 243, 243, 243, 243, 243,
- 243, 243, 352, 352, 352, 352, 352, 352, 352, 352,
- 353, 353, 353, 353, 353, 353, 355, 366, 355, 355,
- 355, 355, 355, 355, 355, 355, 374, 243, 244, 449,
- 244, 244, 244, 244, 244, 244, 244, 244, 449, 366,
- 414, 385, 374, 382, 382, 382, 382, 382, 382, 382,
- 382, 385, 450, 375, 375, 375, 375, 375, 375, 375,
- 375, 450, 414, 244, 257, 257, 257, 257, 257, 257,
- 257, 257, 257, 257, 257, 260, 260, 260, 260, 260,
-
- 260, 260, 260, 260, 260, 260, 375, 415, 457, 260,
- 260, 260, 260, 260, 379, 379, 379, 379, 379, 379,
- 379, 384, 384, 384, 384, 384, 384, 384, 384, 415,
- 457, 465, 260, 260, 260, 260, 260, 260, 263, 263,
- 263, 263, 263, 263, 263, 263, 263, 263, 379, 536,
- 536, 263, 263, 263, 263, 263, 390, 390, 390, 390,
- 390, 390, 390, 390, 391, 391, 391, 391, 391, 391,
- 460, 399, 399, 459, 263, 263, 263, 263, 263, 263,
- 285, 399, 285, 285, 285, 285, 285, 285, 285, 285,
- 393, 432, 393, 393, 393, 393, 393, 393, 393, 393,
-
- 394, 432, 394, 394, 394, 394, 394, 394, 394, 394,
- 458, 473, 551, 551, 468, 285, 286, 433, 286, 286,
- 286, 286, 286, 286, 286, 286, 395, 433, 395, 395,
- 395, 395, 395, 395, 395, 395, 396, 435, 396, 396,
- 396, 396, 396, 396, 396, 396, 473, 435, 461, 571,
- 571, 286, 292, 292, 292, 292, 292, 292, 292, 292,
- 292, 400, 400, 445, 292, 292, 292, 292, 292, 468,
- 461, 400, 401, 401, 401, 401, 401, 401, 401, 401,
- 408, 408, 408, 408, 408, 408, 431, 292, 292, 292,
- 292, 292, 292, 302, 302, 302, 302, 302, 302, 302,
-
- 302, 302, 302, 302, 305, 305, 305, 305, 305, 305,
- 305, 305, 305, 305, 305, 402, 402, 463, 305, 305,
- 305, 305, 305, 469, 477, 402, 405, 405, 405, 405,
- 405, 405, 405, 405, 427, 503, 405, 422, 469, 463,
- 418, 305, 305, 305, 305, 305, 305, 308, 308, 308,
- 308, 308, 308, 308, 308, 308, 308, 503, 417, 477,
- 308, 308, 308, 308, 308, 407, 407, 407, 407, 407,
- 407, 407, 407, 409, 416, 409, 409, 409, 409, 409,
- 409, 409, 409, 308, 308, 308, 308, 308, 308, 325,
- 325, 325, 325, 325, 325, 325, 325, 325, 421, 428,
-
- 505, 428, 428, 428, 428, 428, 428, 428, 428, 434,
- 434, 434, 434, 434, 434, 434, 434, 413, 421, 412,
- 421, 421, 505, 325, 326, 326, 326, 326, 326, 326,
- 326, 326, 326, 429, 466, 429, 429, 429, 429, 429,
- 429, 429, 429, 421, 430, 485, 430, 430, 430, 430,
- 430, 430, 430, 430, 466, 485, 466, 466, 326, 327,
- 327, 327, 327, 327, 327, 327, 327, 327, 440, 440,
- 440, 440, 440, 440, 440, 440, 441, 441, 441, 441,
- 441, 441, 443, 500, 443, 443, 443, 443, 443, 443,
- 443, 443, 500, 327, 332, 486, 332, 332, 332, 332,
-
- 332, 332, 332, 332, 332, 486, 575, 575, 332, 332,
- 332, 332, 332, 444, 444, 444, 444, 444, 444, 444,
- 444, 446, 411, 446, 446, 446, 446, 446, 446, 446,
- 446, 332, 332, 332, 332, 332, 332, 335, 335, 335,
- 335, 335, 335, 335, 335, 335, 588, 588, 410, 335,
- 335, 335, 335, 335, 447, 488, 447, 447, 447, 447,
- 447, 447, 447, 447, 448, 488, 448, 448, 448, 448,
- 448, 448, 335, 335, 335, 335, 335, 335, 348, 348,
- 348, 348, 348, 348, 348, 348, 348, 348, 348, 351,
- 351, 351, 351, 351, 351, 351, 351, 351, 351, 351,
-
- 451, 451, 381, 351, 351, 351, 351, 351, 555, 470,
- 451, 470, 470, 470, 471, 530, 471, 471, 471, 494,
- 494, 494, 494, 494, 494, 530, 351, 351, 351, 351,
- 351, 351, 354, 354, 354, 354, 354, 354, 354, 354,
- 354, 531, 533, 555, 566, 354, 354, 354, 354, 354,
- 380, 531, 533, 370, 566, 369, 470, 363, 591, 362,
- 476, 471, 476, 476, 476, 476, 476, 476, 354, 354,
- 354, 354, 354, 354, 377, 377, 377, 377, 377, 377,
- 377, 377, 377, 546, 548, 472, 472, 472, 472, 472,
- 472, 472, 472, 591, 361, 476, 478, 478, 478, 478,
-
- 478, 478, 478, 478, 360, 546, 548, 357, 377, 378,
- 378, 378, 378, 378, 378, 378, 378, 378, 472, 480,
- 572, 480, 480, 480, 480, 480, 480, 480, 480, 481,
- 356, 481, 481, 481, 481, 481, 481, 481, 481, 619,
- 619, 338, 572, 378, 386, 574, 386, 386, 386, 386,
- 386, 386, 386, 386, 386, 389, 330, 389, 389, 389,
- 389, 389, 389, 389, 389, 389, 329, 574, 585, 389,
- 389, 389, 389, 389, 482, 328, 482, 482, 482, 482,
- 482, 482, 487, 487, 487, 487, 487, 487, 487, 487,
- 585, 320, 389, 389, 389, 389, 389, 389, 392, 392,
-
- 392, 392, 392, 392, 392, 392, 392, 319, 315, 314,
- 392, 392, 392, 392, 392, 493, 493, 493, 493, 493,
- 493, 493, 493, 496, 311, 496, 496, 496, 496, 496,
- 496, 496, 496, 392, 392, 392, 392, 392, 392, 403,
- 403, 403, 403, 403, 403, 403, 403, 403, 403, 403,
- 406, 406, 406, 406, 406, 406, 406, 406, 406, 406,
- 310, 291, 290, 289, 406, 406, 406, 406, 406, 497,
- 497, 497, 497, 497, 497, 497, 497, 497, 498, 498,
- 498, 498, 498, 498, 498, 498, 498, 406, 406, 406,
- 406, 406, 406, 423, 288, 423, 423, 423, 423, 423,
-
- 423, 423, 423, 499, 499, 499, 499, 499, 499, 499,
- 499, 499, 514, 278, 514, 514, 514, 277, 276, 515,
- 274, 515, 515, 515, 273, 272, 271, 270, 423, 424,
- 269, 424, 424, 424, 424, 424, 424, 424, 424, 516,
- 268, 516, 516, 516, 517, 267, 517, 517, 517, 251,
- 520, 250, 520, 520, 520, 249, 248, 246, 245, 514,
- 236, 235, 234, 233, 424, 425, 515, 425, 425, 425,
- 425, 425, 425, 425, 425, 518, 232, 229, 518, 518,
- 518, 518, 518, 518, 518, 518, 516, 227, 226, 225,
- 224, 517, 223, 220, 212, 519, 519, 520, 211, 519,
-
- 425, 426, 208, 426, 426, 426, 426, 426, 426, 426,
- 426, 519, 519, 519, 521, 521, 207, 525, 521, 525,
- 525, 525, 525, 525, 525, 525, 525, 200, 199, 193,
- 521, 521, 521, 190, 189, 188, 426, 436, 187, 436,
- 436, 436, 436, 436, 436, 436, 436, 436, 439, 186,
- 439, 439, 439, 439, 439, 439, 439, 439, 439, 184,
- 183, 182, 439, 439, 439, 439, 439, 526, 181, 526,
- 526, 526, 526, 526, 526, 526, 526, 532, 532, 532,
- 532, 532, 532, 532, 532, 439, 439, 439, 439, 439,
- 439, 442, 442, 442, 442, 442, 442, 442, 442, 442,
-
- 180, 179, 178, 442, 442, 442, 442, 442, 527, 177,
- 527, 527, 527, 527, 527, 527, 527, 527, 538, 538,
- 538, 538, 538, 538, 538, 538, 442, 442, 442, 442,
- 442, 442, 454, 454, 454, 454, 454, 454, 454, 454,
- 454, 454, 474, 176, 474, 474, 474, 474, 474, 474,
- 474, 474, 539, 539, 539, 539, 539, 539, 540, 175,
- 540, 540, 540, 540, 540, 540, 540, 540, 542, 542,
- 542, 542, 542, 542, 542, 542, 542, 474, 475, 169,
- 475, 475, 475, 475, 475, 475, 475, 475, 543, 543,
- 543, 543, 543, 543, 543, 543, 543, 544, 544, 544,
-
- 544, 544, 544, 544, 552, 552, 552, 552, 552, 552,
- 552, 552, 168, 475, 489, 158, 489, 489, 489, 489,
- 489, 489, 489, 489, 489, 492, 157, 492, 492, 492,
- 492, 492, 492, 492, 492, 492, 156, 152, 151, 492,
- 492, 492, 492, 492, 553, 553, 553, 553, 553, 553,
- 553, 553, 554, 554, 554, 554, 554, 554, 554, 554,
- 149, 145, 492, 492, 492, 492, 492, 492, 495, 495,
- 495, 495, 495, 495, 495, 495, 138, 134, 132, 130,
- 495, 495, 495, 495, 495, 554, 558, 122, 558, 558,
- 558, 558, 558, 558, 559, 559, 559, 559, 559, 559,
-
- 559, 559, 121, 495, 495, 495, 495, 495, 495, 522,
- 120, 522, 522, 522, 522, 522, 522, 522, 522, 119,
- 561, 558, 561, 561, 561, 561, 561, 561, 561, 561,
- 562, 118, 562, 562, 562, 562, 562, 562, 562, 562,
- 113, 112, 111, 110, 522, 523, 108, 523, 523, 523,
- 523, 523, 523, 523, 523, 563, 107, 563, 563, 563,
- 563, 563, 563, 569, 106, 569, 569, 569, 569, 569,
- 569, 569, 569, 598, 598, 598, 598, 598, 598, 102,
- 523, 524, 98, 524, 524, 524, 524, 524, 524, 524,
- 524, 579, 579, 579, 579, 579, 579, 579, 579, 580,
-
- 580, 580, 580, 580, 580, 580, 580, 581, 581, 581,
- 581, 581, 581, 581, 581, 97, 524, 534, 93, 534,
- 534, 534, 534, 534, 534, 534, 534, 534, 537, 90,
- 537, 537, 537, 537, 537, 537, 537, 537, 82, 81,
- 80, 78, 537, 537, 537, 537, 537, 73, 590, 590,
- 590, 590, 590, 590, 590, 590, 594, 66, 594, 594,
- 594, 594, 594, 594, 59, 537, 537, 537, 537, 537,
- 537, 556, 54, 556, 556, 556, 556, 556, 556, 556,
- 556, 590, 596, 596, 596, 596, 596, 596, 596, 596,
- 51, 594, 597, 597, 597, 597, 597, 597, 597, 597,
-
- 49, 41, 40, 39, 38, 37, 556, 557, 36, 557,
- 557, 557, 557, 557, 557, 557, 557, 33, 29, 23,
- 600, 600, 600, 600, 600, 600, 600, 600, 601, 601,
- 601, 601, 601, 601, 601, 601, 17, 15, 14, 13,
- 0, 0, 557, 576, 0, 576, 576, 576, 576, 576,
- 576, 576, 576, 600, 0, 0, 0, 0, 0, 0,
- 0, 601, 602, 602, 602, 602, 602, 602, 602, 602,
- 604, 604, 604, 604, 604, 604, 604, 604, 576, 577,
- 0, 577, 577, 577, 577, 577, 577, 577, 577, 0,
- 0, 0, 0, 0, 0, 602, 605, 605, 605, 605,
-
- 605, 605, 0, 604, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 577, 578, 0, 578, 578, 578,
- 578, 578, 578, 578, 578, 0, 0, 0, 0, 605,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 578, 592, 0, 592, 592, 592, 592, 592, 592, 592,
- 592, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 592, 593, 0, 593,
- 593, 593, 593, 593, 593, 593, 593, 0, 0, 0,
-
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 593, 607, 607, 607, 607, 607, 607, 607,
- 607, 607, 607, 607, 607, 607, 607, 607, 607, 608,
- 608, 608, 608, 608, 608, 608, 608, 608, 608, 608,
- 608, 608, 608, 608, 608, 609, 609, 609, 609, 609,
- 609, 609, 609, 609, 609, 609, 609, 609, 609, 609,
- 609, 610, 610, 610, 610, 610, 610, 610, 610, 610,
- 610, 610, 610, 610, 610, 610, 610, 611, 0, 0,
- 0, 0, 0, 0, 0, 611, 611, 611, 0, 0,
-
- 611, 611, 611, 612, 612, 612, 612, 612, 612, 612,
- 612, 612, 612, 612, 612, 612, 612, 612, 612, 613,
- 0, 0, 0, 0, 613, 0, 0, 613, 613, 613,
- 613, 0, 613, 613, 613, 614, 0, 0, 0, 0,
- 0, 0, 0, 614, 614, 614, 0, 0, 614, 614,
- 614, 615, 0, 0, 615, 615, 0, 615, 0, 615,
- 615, 615, 0, 0, 615, 615, 615, 616, 616, 0,
- 0, 0, 616, 617, 0, 0, 617, 617, 0, 617,
- 0, 617, 617, 617, 0, 0, 617, 617, 617, 618,
- 0, 0, 618, 618, 0, 618, 0, 618, 618, 618,
-
- 0, 618, 0, 618, 618, 620, 0, 0, 620, 0,
- 0, 620, 0, 620, 620, 620, 620, 0, 620, 620,
- 620, 621, 621, 621, 621, 621, 621, 621, 621, 621,
- 621, 621, 621, 621, 621, 621, 621, 622, 622, 0,
- 622, 0, 622, 622, 622, 622, 622, 622, 622, 622,
- 622, 622, 622, 623, 623, 623, 623, 623, 623, 623,
- 623, 623, 623, 623, 623, 623, 623, 623, 623, 624,
- 624, 0, 624, 624, 624, 624, 624, 624, 624, 624,
- 624, 624, 624, 624, 624, 625, 0, 0, 0, 0,
- 625, 0, 0, 625, 625, 625, 0, 0, 625, 625,
-
- 625, 626, 0, 0, 626, 626, 0, 626, 0, 626,
- 626, 626, 0, 0, 626, 626, 626, 627, 627, 0,
- 0, 0, 627, 628, 628, 628, 0, 0, 0, 628,
- 629, 0, 0, 629, 629, 0, 629, 0, 629, 629,
- 629, 0, 0, 629, 629, 629, 630, 630, 630, 630,
- 630, 630, 630, 630, 630, 630, 630, 630, 630, 630,
- 630, 630, 631, 631, 0, 0, 0, 631, 632, 632,
- 632, 0, 0, 0, 632, 633, 633, 0, 0, 0,
- 633, 634, 634, 0, 0, 0, 634, 635, 635, 0,
- 0, 0, 635, 636, 636, 636, 0, 0, 0, 636,
-
- 637, 637, 0, 0, 0, 637, 638, 638, 0, 0,
- 0, 638, 639, 639, 0, 0, 0, 639, 640, 640,
- 640, 0, 0, 0, 640, 641, 641, 641, 641, 0,
- 0, 0, 641, 642, 642, 0, 0, 0, 642, 643,
- 643, 0, 0, 0, 643, 644, 644, 0, 0, 0,
- 644, 645, 645, 645, 0, 0, 0, 645, 646, 646,
- 646, 646, 0, 0, 0, 646, 647, 647, 0, 0,
- 0, 647, 648, 648, 0, 0, 0, 648, 649, 649,
- 649, 0, 0, 0, 649, 650, 650, 650, 650, 0,
- 0, 0, 650, 651, 651, 0, 0, 0, 651, 652,
-
- 0, 652, 652, 0, 0, 0, 652, 653, 653, 653,
- 0, 0, 0, 653, 654, 654, 654, 654, 0, 0,
- 0, 654, 655, 655, 0, 0, 0, 655, 656, 0,
- 656, 656, 0, 0, 0, 656, 657, 657, 657, 0,
- 0, 0, 657, 658, 658, 658, 0, 0, 0, 0,
- 658, 659, 659, 659, 659, 659, 659, 659, 659, 659,
- 659, 659, 659, 659, 659, 659, 659, 660, 660, 0,
- 660, 660, 660, 0, 0, 660, 660, 660, 0, 0,
- 660, 660, 660, 661, 661, 0, 661, 661, 661, 0,
- 0, 661, 661, 661, 0, 0, 661, 661, 661, 662,
-
- 662, 0, 0, 0, 662, 663, 0, 663, 663, 0,
- 0, 0, 663, 664, 664, 0, 0, 0, 0, 664,
- 665, 665, 0, 0, 0, 665, 666, 0, 666, 666,
- 0, 0, 0, 666, 667, 667, 0, 0, 0, 667,
- 668, 0, 668, 0, 0, 0, 0, 668, 669, 669,
- 669, 669, 669, 669, 669, 669, 669, 669, 669, 669,
- 669, 669, 669, 669, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
-
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606, 606, 606, 606, 606, 606, 606, 606, 606, 606,
- 606
+ 32, 32, 32, 32, 32, 32, 32, 35, 35, 35,
+ 35, 35, 35, 35, 35, 35, 65, 118, 118, 35,
+ 35, 35, 35, 35, 159, 159, 65, 133, 35, 65,
+ 65, 65, 65, 65, 65, 65, 65, 133, 154, 154,
+ 201, 208, 201, 35, 35, 35, 35, 35, 35, 42,
+ 42, 42, 42, 42, 158, 42, 42, 175, 157, 42,
+ 64, 64, 64, 200, 64, 118, 175, 219, 64, 197,
+ 64, 42, 42, 42, 46, 198, 219, 208, 212, 200,
+ 198, 227, 64, 64, 46, 564, 154, 46, 46, 46,
+
+ 46, 46, 46, 46, 46, 81, 560, 81, 81, 81,
+ 158, 81, 81, 227, 212, 81, 157, 245, 64, 87,
+ 87, 87, 87, 87, 87, 87, 87, 81, 81, 81,
+ 197, 94, 94, 556, 229, 94, 94, 204, 89, 229,
+ 46, 89, 89, 89, 89, 89, 89, 89, 89, 91,
+ 204, 91, 91, 94, 544, 91, 91, 239, 93, 91,
+ 93, 93, 93, 239, 93, 93, 246, 246, 93, 216,
+ 216, 216, 91, 91, 245, 289, 248, 94, 249, 260,
+ 93, 93, 93, 96, 249, 96, 96, 96, 260, 96,
+ 96, 248, 543, 96, 97, 97, 97, 97, 97, 97,
+
+ 97, 97, 273, 290, 294, 96, 96, 96, 101, 101,
+ 101, 101, 101, 101, 101, 101, 102, 102, 102, 102,
+ 102, 102, 102, 102, 273, 290, 482, 291, 97, 98,
+ 98, 98, 98, 98, 98, 98, 98, 291, 247, 289,
+ 294, 98, 98, 98, 98, 98, 135, 135, 135, 135,
+ 135, 135, 135, 135, 332, 433, 285, 433, 137, 137,
+ 121, 285, 137, 137, 247, 98, 98, 98, 98, 98,
+ 98, 106, 106, 106, 106, 106, 106, 106, 106, 106,
+ 137, 247, 482, 106, 106, 106, 106, 106, 121, 121,
+ 303, 139, 121, 139, 139, 139, 307, 139, 139, 303,
+
+ 121, 139, 528, 121, 137, 307, 332, 106, 106, 106,
+ 106, 106, 106, 139, 139, 139, 146, 146, 146, 146,
+ 146, 146, 146, 146, 150, 292, 324, 150, 150, 334,
+ 292, 324, 383, 524, 150, 163, 163, 163, 163, 163,
+ 163, 163, 163, 323, 523, 334, 385, 150, 164, 164,
+ 164, 164, 164, 164, 164, 164, 166, 522, 166, 166,
+ 167, 385, 166, 166, 167, 323, 166, 262, 262, 211,
+ 167, 211, 211, 211, 211, 211, 211, 262, 166, 166,
+ 166, 521, 167, 167, 168, 383, 168, 168, 168, 168,
+ 168, 168, 168, 168, 169, 327, 169, 169, 169, 169,
+
+ 169, 169, 169, 169, 170, 211, 170, 170, 170, 170,
+ 170, 170, 170, 170, 203, 264, 264, 327, 203, 388,
+ 168, 308, 308, 380, 203, 264, 329, 515, 309, 309,
+ 169, 308, 311, 311, 498, 329, 203, 203, 309, 380,
+ 170, 171, 311, 171, 171, 171, 171, 171, 171, 171,
+ 171, 400, 400, 497, 388, 171, 171, 171, 171, 171,
+ 207, 207, 207, 207, 207, 207, 207, 207, 209, 335,
+ 209, 209, 209, 209, 209, 209, 209, 209, 335, 171,
+ 171, 171, 171, 171, 171, 174, 174, 174, 174, 174,
+ 174, 174, 174, 174, 207, 451, 451, 174, 174, 174,
+
+ 174, 174, 527, 210, 209, 210, 210, 210, 210, 210,
+ 210, 210, 210, 220, 220, 220, 220, 220, 220, 220,
+ 220, 174, 174, 174, 174, 174, 174, 176, 176, 176,
+ 176, 176, 176, 176, 176, 176, 176, 465, 465, 210,
+ 176, 176, 176, 176, 176, 215, 215, 215, 215, 215,
+ 215, 215, 215, 215, 222, 222, 222, 222, 222, 222,
+ 222, 222, 386, 527, 176, 176, 176, 176, 176, 176,
+ 177, 177, 177, 177, 177, 177, 177, 177, 386, 466,
+ 466, 328, 177, 177, 177, 177, 177, 223, 223, 223,
+ 223, 223, 223, 225, 333, 225, 225, 225, 225, 225,
+
+ 225, 225, 225, 328, 333, 493, 177, 177, 177, 177,
+ 177, 177, 221, 221, 221, 221, 221, 221, 221, 221,
+ 221, 221, 221, 353, 469, 469, 221, 221, 221, 221,
+ 221, 250, 353, 250, 250, 250, 250, 250, 250, 250,
+ 250, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+ 221, 221, 221, 221, 221, 221, 224, 224, 224, 224,
+ 224, 224, 224, 224, 224, 224, 354, 250, 479, 224,
+ 224, 224, 224, 224, 251, 354, 251, 251, 251, 251,
+ 251, 251, 251, 251, 261, 261, 261, 261, 261, 261,
+ 261, 261, 474, 224, 224, 224, 224, 224, 224, 252,
+
+ 473, 252, 252, 252, 252, 252, 252, 252, 252, 370,
+ 251, 263, 263, 263, 263, 263, 263, 263, 263, 267,
+ 267, 267, 267, 267, 267, 267, 267, 481, 481, 267,
+ 472, 370, 505, 505, 470, 252, 265, 265, 265, 265,
+ 265, 265, 265, 265, 265, 265, 265, 268, 268, 268,
+ 268, 268, 268, 268, 268, 268, 268, 268, 376, 378,
+ 427, 268, 268, 268, 268, 268, 269, 269, 269, 269,
+ 269, 269, 269, 269, 270, 270, 270, 270, 270, 270,
+ 376, 378, 427, 516, 516, 268, 268, 268, 268, 268,
+ 268, 271, 271, 271, 271, 271, 271, 271, 271, 271,
+
+ 271, 384, 525, 525, 271, 271, 271, 271, 271, 272,
+ 384, 272, 272, 272, 272, 272, 272, 272, 272, 293,
+ 293, 293, 293, 293, 293, 293, 293, 458, 271, 271,
+ 271, 271, 271, 271, 295, 395, 295, 295, 295, 295,
+ 295, 295, 295, 295, 297, 395, 297, 297, 297, 297,
+ 297, 297, 296, 293, 296, 296, 296, 296, 296, 296,
+ 296, 296, 317, 317, 317, 317, 317, 317, 444, 304,
+ 295, 304, 304, 304, 304, 304, 304, 304, 304, 440,
+ 297, 345, 345, 345, 345, 345, 345, 435, 296, 302,
+ 302, 302, 302, 302, 302, 302, 302, 302, 409, 551,
+
+ 551, 302, 302, 302, 302, 302, 305, 409, 305, 305,
+ 305, 305, 305, 305, 305, 305, 310, 310, 310, 310,
+ 310, 310, 310, 310, 431, 302, 302, 302, 302, 302,
+ 302, 306, 430, 306, 306, 306, 306, 306, 306, 306,
+ 306, 312, 312, 312, 312, 312, 312, 312, 312, 312,
+ 312, 312, 314, 314, 314, 314, 314, 314, 314, 314,
+ 483, 429, 314, 315, 315, 315, 315, 315, 315, 315,
+ 315, 315, 315, 315, 426, 483, 425, 315, 315, 315,
+ 315, 315, 316, 316, 316, 316, 316, 316, 316, 316,
+ 319, 410, 319, 319, 319, 319, 319, 319, 319, 319,
+
+ 410, 315, 315, 315, 315, 315, 315, 318, 318, 318,
+ 318, 318, 318, 318, 318, 318, 318, 566, 566, 424,
+ 318, 318, 318, 318, 318, 336, 336, 336, 336, 336,
+ 336, 336, 336, 336, 337, 337, 337, 337, 337, 337,
+ 337, 337, 337, 423, 318, 318, 318, 318, 318, 318,
+ 338, 338, 338, 338, 338, 338, 338, 338, 338, 422,
+ 336, 342, 342, 342, 342, 342, 342, 342, 342, 337,
+ 344, 344, 344, 344, 344, 344, 344, 344, 364, 364,
+ 364, 364, 364, 364, 428, 338, 343, 397, 343, 343,
+ 343, 343, 343, 343, 343, 343, 343, 397, 586, 586,
+
+ 343, 343, 343, 343, 343, 347, 428, 347, 347, 347,
+ 347, 347, 347, 347, 347, 348, 348, 348, 348, 348,
+ 348, 348, 348, 393, 343, 343, 343, 343, 343, 343,
+ 346, 346, 346, 346, 346, 346, 346, 346, 346, 392,
+ 432, 432, 346, 346, 346, 346, 346, 350, 445, 350,
+ 350, 350, 350, 350, 350, 350, 350, 352, 445, 352,
+ 352, 352, 352, 352, 352, 382, 346, 346, 346, 346,
+ 346, 346, 351, 381, 351, 351, 351, 351, 351, 351,
+ 351, 351, 355, 355, 356, 356, 403, 403, 403, 403,
+ 403, 403, 355, 432, 356, 357, 357, 357, 357, 357,
+
+ 357, 357, 357, 358, 358, 363, 363, 363, 363, 363,
+ 363, 363, 363, 358, 359, 359, 359, 359, 359, 359,
+ 359, 359, 359, 359, 359, 361, 361, 361, 361, 361,
+ 361, 361, 361, 590, 590, 361, 362, 362, 362, 362,
+ 362, 362, 362, 362, 362, 362, 362, 462, 603, 603,
+ 362, 362, 362, 362, 362, 366, 462, 366, 366, 366,
+ 366, 366, 366, 366, 366, 387, 387, 387, 387, 387,
+ 387, 387, 387, 375, 362, 362, 362, 362, 362, 362,
+ 365, 365, 365, 365, 365, 365, 365, 365, 365, 463,
+ 634, 634, 374, 365, 365, 365, 365, 365, 463, 387,
+
+ 389, 389, 389, 389, 389, 389, 389, 389, 389, 391,
+ 391, 391, 391, 391, 391, 391, 373, 365, 365, 365,
+ 365, 365, 365, 390, 390, 390, 390, 390, 390, 390,
+ 390, 390, 471, 434, 372, 389, 394, 394, 394, 394,
+ 394, 394, 394, 394, 391, 396, 396, 396, 396, 396,
+ 396, 396, 396, 434, 471, 434, 434, 398, 390, 398,
+ 398, 398, 398, 398, 398, 398, 398, 398, 401, 487,
+ 401, 401, 401, 401, 401, 401, 401, 401, 401, 434,
+ 369, 368, 401, 401, 401, 401, 401, 402, 402, 402,
+ 402, 402, 402, 402, 402, 405, 367, 405, 405, 405,
+
+ 405, 405, 405, 405, 405, 487, 401, 401, 401, 401,
+ 401, 401, 404, 404, 404, 404, 404, 404, 404, 404,
+ 404, 514, 349, 341, 404, 404, 404, 404, 404, 406,
+ 514, 406, 406, 406, 406, 406, 406, 406, 406, 420,
+ 420, 420, 420, 420, 420, 411, 411, 340, 404, 404,
+ 404, 404, 404, 404, 407, 411, 407, 407, 407, 407,
+ 407, 407, 407, 407, 408, 339, 408, 408, 408, 408,
+ 408, 408, 408, 408, 412, 412, 413, 413, 413, 413,
+ 413, 413, 413, 413, 412, 414, 414, 419, 419, 419,
+ 419, 419, 419, 419, 419, 414, 415, 415, 415, 415,
+
+ 415, 415, 415, 415, 415, 415, 415, 417, 417, 417,
+ 417, 417, 417, 417, 417, 331, 330, 417, 418, 418,
+ 418, 418, 418, 418, 418, 418, 418, 418, 446, 326,
+ 325, 322, 418, 418, 418, 418, 418, 421, 446, 421,
+ 421, 421, 421, 421, 421, 421, 421, 447, 447, 447,
+ 447, 447, 447, 447, 447, 321, 418, 418, 418, 418,
+ 418, 418, 436, 448, 436, 436, 436, 436, 436, 436,
+ 436, 436, 437, 448, 437, 437, 437, 437, 437, 437,
+ 437, 437, 438, 499, 438, 438, 438, 438, 438, 438,
+ 438, 438, 491, 499, 570, 606, 320, 439, 436, 439,
+
+ 439, 439, 439, 439, 439, 439, 439, 441, 437, 441,
+ 441, 441, 441, 441, 441, 441, 441, 442, 438, 442,
+ 442, 442, 442, 442, 442, 442, 442, 301, 491, 300,
+ 570, 606, 443, 439, 443, 443, 443, 443, 443, 443,
+ 443, 443, 449, 475, 449, 449, 449, 449, 449, 449,
+ 449, 449, 449, 452, 299, 452, 452, 452, 452, 452,
+ 452, 452, 452, 452, 477, 475, 518, 452, 452, 452,
+ 452, 452, 453, 453, 453, 453, 453, 453, 453, 453,
+ 454, 454, 454, 454, 454, 454, 477, 298, 518, 288,
+ 287, 452, 452, 452, 452, 452, 452, 455, 455, 455,
+
+ 455, 455, 455, 455, 455, 455, 286, 284, 282, 455,
+ 455, 455, 455, 455, 456, 281, 456, 456, 456, 456,
+ 456, 456, 456, 456, 457, 457, 457, 457, 457, 457,
+ 457, 457, 280, 455, 455, 455, 455, 455, 455, 459,
+ 279, 459, 459, 459, 459, 459, 459, 459, 459, 460,
+ 480, 460, 460, 460, 460, 460, 460, 460, 460, 461,
+ 278, 461, 461, 461, 461, 461, 461, 464, 464, 685,
+ 480, 277, 480, 480, 685, 276, 275, 464, 467, 467,
+ 467, 467, 467, 467, 467, 467, 467, 467, 484, 259,
+ 484, 484, 484, 485, 258, 485, 485, 485, 486, 486,
+
+ 486, 486, 486, 486, 486, 486, 488, 500, 488, 488,
+ 488, 488, 488, 488, 488, 488, 489, 500, 489, 489,
+ 489, 489, 489, 489, 489, 489, 257, 502, 545, 520,
+ 546, 256, 486, 254, 548, 253, 484, 502, 545, 244,
+ 546, 485, 488, 490, 548, 490, 490, 490, 490, 490,
+ 490, 520, 489, 492, 492, 492, 492, 492, 492, 492,
+ 492, 494, 243, 494, 494, 494, 494, 494, 494, 494,
+ 494, 508, 508, 508, 508, 508, 508, 242, 495, 490,
+ 495, 495, 495, 495, 495, 495, 495, 495, 496, 241,
+ 496, 496, 496, 496, 496, 496, 501, 501, 501, 501,
+
+ 501, 501, 501, 501, 503, 561, 503, 503, 503, 503,
+ 503, 503, 503, 503, 503, 506, 581, 506, 506, 506,
+ 506, 506, 506, 506, 506, 506, 581, 561, 240, 506,
+ 506, 506, 506, 506, 507, 507, 507, 507, 507, 507,
+ 507, 507, 510, 237, 510, 510, 510, 510, 510, 510,
+ 510, 510, 235, 506, 506, 506, 506, 506, 506, 509,
+ 509, 509, 509, 509, 509, 509, 509, 234, 233, 232,
+ 231, 509, 509, 509, 509, 509, 511, 511, 511, 511,
+ 511, 511, 511, 511, 511, 512, 512, 512, 512, 512,
+ 512, 512, 512, 512, 563, 509, 509, 509, 509, 509,
+
+ 509, 513, 513, 513, 513, 513, 513, 513, 513, 513,
+ 529, 230, 529, 529, 529, 530, 563, 530, 530, 530,
+ 531, 228, 531, 531, 531, 532, 226, 532, 532, 532,
+ 533, 218, 217, 533, 533, 533, 533, 533, 533, 533,
+ 533, 214, 587, 534, 534, 589, 535, 534, 535, 535,
+ 535, 213, 206, 536, 536, 205, 199, 536, 529, 534,
+ 534, 534, 196, 530, 587, 195, 194, 589, 531, 536,
+ 536, 536, 537, 532, 537, 537, 537, 537, 537, 537,
+ 537, 537, 538, 600, 538, 538, 538, 538, 538, 538,
+ 538, 538, 193, 539, 535, 539, 539, 539, 539, 539,
+
+ 539, 539, 539, 192, 190, 600, 189, 540, 537, 540,
+ 540, 540, 540, 540, 540, 540, 540, 541, 538, 541,
+ 541, 541, 541, 541, 541, 541, 541, 188, 542, 539,
+ 542, 542, 542, 542, 542, 542, 542, 542, 547, 547,
+ 547, 547, 547, 547, 547, 547, 549, 187, 549, 549,
+ 549, 549, 549, 549, 549, 549, 549, 552, 186, 552,
+ 552, 552, 552, 552, 552, 552, 552, 185, 184, 183,
+ 182, 552, 552, 552, 552, 552, 553, 553, 553, 553,
+ 553, 553, 553, 553, 554, 554, 554, 554, 554, 554,
+ 181, 180, 179, 173, 172, 552, 552, 552, 552, 552,
+
+ 552, 555, 162, 555, 555, 555, 555, 555, 555, 555,
+ 555, 557, 557, 557, 557, 557, 557, 557, 557, 557,
+ 558, 558, 558, 558, 558, 558, 558, 558, 558, 559,
+ 559, 559, 559, 559, 559, 559, 567, 567, 567, 567,
+ 567, 567, 567, 567, 568, 568, 568, 568, 568, 568,
+ 568, 568, 569, 569, 569, 569, 569, 569, 569, 569,
+ 571, 161, 571, 571, 571, 571, 571, 571, 571, 571,
+ 572, 160, 572, 572, 572, 572, 572, 572, 572, 572,
+ 156, 155, 153, 149, 142, 573, 569, 573, 573, 573,
+ 573, 573, 573, 138, 136, 134, 571, 574, 574, 574,
+
+ 574, 574, 574, 574, 574, 576, 572, 576, 576, 576,
+ 576, 576, 576, 576, 576, 126, 125, 124, 123, 122,
+ 577, 573, 577, 577, 577, 577, 577, 577, 577, 577,
+ 578, 117, 578, 578, 578, 578, 578, 578, 584, 116,
+ 584, 584, 584, 584, 584, 584, 584, 584, 591, 115,
+ 591, 591, 591, 591, 591, 591, 591, 591, 592, 114,
+ 592, 592, 592, 592, 592, 592, 592, 592, 593, 113,
+ 593, 593, 593, 593, 593, 593, 593, 593, 613, 613,
+ 613, 613, 613, 613, 591, 594, 594, 594, 594, 594,
+ 594, 594, 594, 111, 592, 595, 595, 595, 595, 595,
+
+ 595, 595, 595, 110, 593, 596, 596, 596, 596, 596,
+ 596, 596, 596, 605, 605, 605, 605, 605, 605, 605,
+ 605, 607, 109, 607, 607, 607, 607, 607, 607, 607,
+ 607, 608, 108, 608, 608, 608, 608, 608, 608, 608,
+ 608, 104, 100, 99, 95, 92, 609, 605, 609, 609,
+ 609, 609, 609, 609, 84, 83, 82, 607, 611, 611,
+ 611, 611, 611, 611, 611, 611, 80, 608, 612, 612,
+ 612, 612, 612, 612, 612, 612, 75, 68, 61, 57,
+ 56, 54, 609, 615, 615, 615, 615, 615, 615, 615,
+ 615, 616, 616, 616, 616, 616, 616, 616, 616, 617,
+
+ 617, 617, 617, 617, 617, 617, 617, 619, 619, 619,
+ 619, 619, 619, 619, 619, 51, 49, 615, 620, 620,
+ 620, 620, 620, 620, 41, 616, 40, 39, 37, 33,
+ 29, 23, 17, 617, 15, 14, 13, 0, 0, 0,
+ 0, 619, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 620, 622, 622, 622, 622, 622, 622, 622,
+ 622, 622, 622, 622, 622, 622, 622, 622, 622, 623,
+ 623, 623, 623, 623, 623, 623, 623, 623, 623, 623,
+ 623, 623, 623, 623, 623, 624, 624, 624, 624, 624,
+ 624, 624, 624, 624, 624, 624, 624, 624, 624, 624,
+
+ 624, 625, 625, 625, 625, 625, 625, 625, 625, 625,
+ 625, 625, 625, 625, 625, 625, 625, 626, 0, 0,
+ 0, 0, 0, 0, 0, 626, 626, 626, 0, 0,
+ 626, 626, 626, 627, 627, 627, 627, 627, 627, 627,
+ 627, 627, 627, 627, 627, 627, 627, 627, 627, 628,
+ 0, 0, 0, 0, 628, 0, 0, 628, 628, 628,
+ 628, 0, 628, 628, 628, 629, 0, 0, 0, 0,
+ 0, 0, 0, 629, 629, 629, 0, 0, 629, 629,
+ 629, 630, 0, 0, 630, 630, 0, 630, 0, 630,
+ 630, 630, 0, 0, 630, 630, 630, 631, 631, 0,
+
+ 0, 0, 631, 632, 0, 0, 632, 632, 0, 632,
+ 0, 632, 632, 632, 0, 0, 632, 632, 632, 633,
+ 0, 0, 633, 633, 0, 633, 0, 633, 633, 633,
+ 0, 633, 0, 633, 633, 635, 0, 0, 635, 0,
+ 0, 635, 0, 635, 635, 635, 635, 0, 635, 635,
+ 635, 636, 636, 636, 636, 636, 636, 636, 636, 636,
+ 636, 636, 636, 636, 636, 636, 636, 637, 637, 0,
+ 637, 0, 637, 637, 637, 637, 637, 637, 637, 637,
+ 637, 637, 637, 638, 638, 638, 638, 638, 638, 638,
+ 638, 638, 638, 638, 638, 638, 638, 638, 638, 639,
+
+ 639, 0, 639, 639, 639, 639, 639, 639, 639, 639,
+ 639, 639, 639, 639, 639, 640, 0, 0, 0, 0,
+ 640, 0, 0, 640, 640, 640, 0, 0, 640, 640,
+ 640, 641, 0, 0, 641, 641, 0, 641, 0, 641,
+ 641, 641, 0, 0, 641, 641, 641, 642, 642, 0,
+ 0, 0, 642, 643, 643, 643, 0, 0, 0, 643,
+ 644, 0, 0, 644, 644, 0, 644, 0, 644, 644,
+ 644, 0, 0, 644, 644, 644, 645, 645, 645, 645,
+ 645, 645, 645, 645, 645, 645, 645, 645, 645, 645,
+ 645, 645, 646, 646, 0, 0, 0, 646, 647, 647,
+
+ 647, 0, 0, 0, 647, 648, 648, 0, 0, 0,
+ 648, 649, 649, 0, 0, 0, 649, 650, 650, 0,
+ 0, 0, 650, 651, 651, 651, 0, 0, 0, 651,
+ 652, 652, 0, 0, 0, 652, 653, 653, 0, 0,
+ 0, 653, 654, 654, 0, 0, 0, 654, 655, 655,
+ 655, 0, 0, 0, 655, 656, 656, 656, 656, 0,
+ 0, 0, 656, 657, 657, 0, 0, 0, 657, 658,
+ 658, 0, 0, 0, 658, 659, 659, 0, 0, 0,
+ 659, 660, 660, 660, 0, 0, 0, 660, 661, 661,
+ 661, 661, 0, 0, 0, 661, 662, 662, 0, 0,
+
+ 0, 662, 663, 663, 0, 0, 0, 663, 664, 664,
+ 664, 0, 0, 0, 664, 665, 665, 665, 665, 0,
+ 0, 0, 665, 666, 666, 0, 0, 0, 666, 667,
+ 0, 667, 667, 0, 0, 0, 667, 668, 668, 668,
+ 0, 0, 0, 668, 669, 669, 669, 669, 0, 0,
+ 0, 669, 670, 670, 0, 0, 0, 670, 671, 0,
+ 671, 671, 0, 0, 0, 671, 672, 672, 672, 0,
+ 0, 0, 672, 673, 673, 673, 0, 0, 0, 0,
+ 673, 674, 674, 674, 674, 674, 674, 674, 674, 674,
+ 674, 674, 674, 674, 674, 674, 674, 675, 675, 0,
+
+ 675, 675, 675, 0, 0, 675, 675, 675, 0, 0,
+ 675, 675, 675, 676, 676, 0, 676, 676, 676, 0,
+ 0, 676, 676, 676, 0, 0, 676, 676, 676, 677,
+ 677, 0, 0, 0, 677, 678, 0, 678, 678, 0,
+ 0, 0, 678, 679, 679, 0, 0, 0, 0, 679,
+ 680, 680, 0, 0, 0, 680, 681, 0, 681, 681,
+ 0, 0, 0, 681, 682, 682, 0, 0, 0, 682,
+ 683, 0, 683, 0, 0, 0, 0, 683, 684, 684,
+ 684, 684, 684, 684, 684, 684, 684, 684, 684, 684,
+ 684, 684, 684, 684, 621, 621, 621, 621, 621, 621,
+
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621, 621, 621, 621, 621, 621, 621, 621, 621,
+ 621, 621
} ;
static yy_state_type yy_last_accepting_state;
static bool pop_include(void);
static char *parse_include(char *);
-static int sudoers_trace_print(const char *msg);
int (*trace_print)(const char *msg) = sudoers_trace_print;
#define LEXRETURN(n) do { \
#define INSTR 5
-#line 1525 "lex.yy.c"
+#line 1514 "lex.yy.c"
/* Macros after this point can all be overridden by user definitions in
* section 1.
register char *yy_cp, *yy_bp;
register int yy_act;
-#line 133 "toke.l"
+#line 132 "toke.l"
-#line 1681 "lex.yy.c"
+#line 1670 "lex.yy.c"
if ( yy_init )
{
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 607 )
+ if ( yy_current_state >= 622 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
++yy_cp;
}
- while ( yy_base[yy_current_state] != 3665 );
+ while ( yy_base[yy_current_state] != 3595 );
yy_find_action:
yy_act = yy_accept[yy_current_state];
case 1:
YY_RULE_SETUP
-#line 134 "toke.l"
+#line 133 "toke.l"
{
LEXTRACE(", ");
LEXRETURN(',');
YY_BREAK
case 2:
YY_RULE_SETUP
-#line 139 "toke.l"
+#line 138 "toke.l"
BEGIN STARTDEFS;
YY_BREAK
case 3:
YY_RULE_SETUP
-#line 141 "toke.l"
+#line 140 "toke.l"
{
BEGIN INDEFS;
LEXTRACE("DEFVAR ");
case 4:
YY_RULE_SETUP
-#line 150 "toke.l"
+#line 149 "toke.l"
{
BEGIN STARTDEFS;
LEXTRACE(", ");
YY_BREAK
case 5:
YY_RULE_SETUP
-#line 156 "toke.l"
+#line 155 "toke.l"
{
LEXTRACE("= ");
LEXRETURN('=');
YY_BREAK
case 6:
YY_RULE_SETUP
-#line 161 "toke.l"
+#line 160 "toke.l"
{
LEXTRACE("+= ");
LEXRETURN('+');
YY_BREAK
case 7:
YY_RULE_SETUP
-#line 166 "toke.l"
+#line 165 "toke.l"
{
LEXTRACE("-= ");
LEXRETURN('-');
YY_BREAK
case 8:
YY_RULE_SETUP
-#line 171 "toke.l"
+#line 170 "toke.l"
{
LEXTRACE("BEGINSTR ");
yylval.string = NULL;
YY_BREAK
case 9:
YY_RULE_SETUP
-#line 178 "toke.l"
+#line 177 "toke.l"
{
LEXTRACE("WORD(2) ");
if (!fill(yytext, yyleng))
case 10:
YY_RULE_SETUP
-#line 187 "toke.l"
+#line 186 "toke.l"
{
/* Line continuation char followed by newline. */
sudolineno++;
YY_BREAK
case 11:
YY_RULE_SETUP
-#line 193 "toke.l"
+#line 192 "toke.l"
{
LEXTRACE("ENDSTR ");
BEGIN prev_state;
YY_BREAK
case 12:
YY_RULE_SETUP
-#line 225 "toke.l"
+#line 224 "toke.l"
{
LEXTRACE("BACKSLASH ");
if (!append(yytext, yyleng))
YY_BREAK
case 13:
YY_RULE_SETUP
-#line 231 "toke.l"
+#line 230 "toke.l"
{
LEXTRACE("STRBODY ");
if (!append(yytext, yyleng))
case 14:
YY_RULE_SETUP
-#line 239 "toke.l"
+#line 238 "toke.l"
{
/* quoted fnmatch glob char, pass verbatim */
LEXTRACE("QUOTEDCHAR ");
YY_BREAK
case 15:
YY_RULE_SETUP
-#line 247 "toke.l"
+#line 246 "toke.l"
{
/* quoted sudoers special char, strip backslash */
LEXTRACE("QUOTEDCHAR ");
YY_BREAK
case 16:
YY_RULE_SETUP
-#line 255 "toke.l"
+#line 254 "toke.l"
{
BEGIN INITIAL;
yyless(0);
YY_BREAK
case 17:
YY_RULE_SETUP
-#line 261 "toke.l"
+#line 260 "toke.l"
{
LEXTRACE("ARG ");
if (!fill_args(yytext, yyleng, sawspace))
case 18:
YY_RULE_SETUP
-#line 269 "toke.l"
+#line 268 "toke.l"
{
char *path;
YY_BREAK
case 19:
YY_RULE_SETUP
-#line 287 "toke.l"
+#line 286 "toke.l"
{
char *path;
YY_BREAK
case 20:
YY_RULE_SETUP
-#line 308 "toke.l"
+#line 307 "toke.l"
{
char deftype;
int n;
YY_BREAK
case 21:
YY_RULE_SETUP
-#line 348 "toke.l"
+#line 347 "toke.l"
{
int n;
YY_BREAK
case 22:
YY_RULE_SETUP
-#line 374 "toke.l"
+#line 373 "toke.l"
{
/* cmnd does not require passwd for this user */
LEXTRACE("NOPASSWD ");
YY_BREAK
case 23:
YY_RULE_SETUP
-#line 380 "toke.l"
+#line 379 "toke.l"
{
/* cmnd requires passwd for this user */
LEXTRACE("PASSWD ");
YY_BREAK
case 24:
YY_RULE_SETUP
-#line 386 "toke.l"
+#line 385 "toke.l"
{
LEXTRACE("NOEXEC ");
LEXRETURN(NOEXEC);
YY_BREAK
case 25:
YY_RULE_SETUP
-#line 391 "toke.l"
+#line 390 "toke.l"
{
LEXTRACE("EXEC ");
LEXRETURN(EXEC);
YY_BREAK
case 26:
YY_RULE_SETUP
-#line 396 "toke.l"
+#line 395 "toke.l"
{
LEXTRACE("SETENV ");
LEXRETURN(SETENV);
YY_BREAK
case 27:
YY_RULE_SETUP
-#line 401 "toke.l"
+#line 400 "toke.l"
{
LEXTRACE("NOSETENV ");
LEXRETURN(NOSETENV);
YY_BREAK
case 28:
YY_RULE_SETUP
-#line 406 "toke.l"
+#line 405 "toke.l"
{
LEXTRACE("LOG_OUTPUT ");
LEXRETURN(LOG_OUTPUT);
YY_BREAK
case 29:
YY_RULE_SETUP
-#line 411 "toke.l"
+#line 410 "toke.l"
{
LEXTRACE("NOLOG_OUTPUT ");
LEXRETURN(NOLOG_OUTPUT);
YY_BREAK
case 30:
YY_RULE_SETUP
-#line 416 "toke.l"
+#line 415 "toke.l"
{
LEXTRACE("LOG_INPUT ");
LEXRETURN(LOG_INPUT);
YY_BREAK
case 31:
YY_RULE_SETUP
-#line 421 "toke.l"
+#line 420 "toke.l"
{
LEXTRACE("NOLOG_INPUT ");
LEXRETURN(NOLOG_INPUT);
YY_BREAK
case 32:
YY_RULE_SETUP
-#line 426 "toke.l"
+#line 425 "toke.l"
{
/* empty group or netgroup */
LEXTRACE("ERROR ");
YY_BREAK
case 33:
YY_RULE_SETUP
-#line 432 "toke.l"
+#line 431 "toke.l"
{
/* netgroup */
if (!fill(yytext, yyleng))
YY_BREAK
case 34:
YY_RULE_SETUP
-#line 440 "toke.l"
+#line 439 "toke.l"
{
/* group */
if (!fill(yytext, yyleng))
YY_BREAK
case 35:
YY_RULE_SETUP
-#line 448 "toke.l"
+#line 447 "toke.l"
{
if (!fill(yytext, yyleng))
yyterminate();
YY_BREAK
case 36:
YY_RULE_SETUP
-#line 455 "toke.l"
+#line 454 "toke.l"
{
if (!fill(yytext, yyleng))
yyterminate();
YY_BREAK
case 37:
YY_RULE_SETUP
-#line 462 "toke.l"
+#line 461 "toke.l"
{
if (!ipv6_valid(yytext)) {
LEXTRACE("ERROR ");
YY_BREAK
case 38:
YY_RULE_SETUP
-#line 473 "toke.l"
+#line 472 "toke.l"
{
if (!ipv6_valid(yytext)) {
LEXTRACE("ERROR ");
YY_BREAK
case 39:
YY_RULE_SETUP
-#line 484 "toke.l"
+#line 483 "toke.l"
{
LEXTRACE("ALL ");
LEXRETURN(ALL);
YY_BREAK
case 40:
YY_RULE_SETUP
-#line 490 "toke.l"
+#line 489 "toke.l"
{
#ifdef HAVE_SELINUX
LEXTRACE("ROLE ");
YY_BREAK
case 41:
YY_RULE_SETUP
-#line 499 "toke.l"
+#line 498 "toke.l"
{
#ifdef HAVE_SELINUX
LEXTRACE("TYPE ");
YY_BREAK
case 42:
YY_RULE_SETUP
-#line 508 "toke.l"
+#line 506 "toke.l"
{
-#ifndef HAVE_SELINUX
- got_alias:
+#ifdef HAVE_PRIV_SET
+ LEXTRACE("PRIVS ");
+ LEXRETURN(PRIVS);
+#else
+ goto got_alias;
+#endif
+ }
+ YY_BREAK
+case 43:
+YY_RULE_SETUP
+#line 515 "toke.l"
+{
+#ifdef HAVE_PRIV_SET
+ LEXTRACE("LIMITPRIVS ");
+ LEXRETURN(LIMITPRIVS);
+#else
+ goto got_alias;
#endif
+ }
+ YY_BREAK
+case 44:
+YY_RULE_SETUP
+#line 524 "toke.l"
+{
+ got_alias:
if (!fill(yytext, yyleng))
yyterminate();
LEXTRACE("ALIAS ");
LEXRETURN(ALIAS);
}
YY_BREAK
-case 43:
+case 45:
YY_RULE_SETUP
-#line 518 "toke.l"
+#line 532 "toke.l"
{
/* no command args allowed for Defaults!/path */
if (!fill_cmnd(yytext, yyleng))
LEXRETURN(COMMAND);
}
YY_BREAK
-case 44:
+case 46:
YY_RULE_SETUP
-#line 526 "toke.l"
+#line 540 "toke.l"
{
BEGIN GOTCMND;
LEXTRACE("COMMAND ");
yyterminate();
} /* sudo -e */
YY_BREAK
-case 45:
+case 47:
YY_RULE_SETUP
-#line 533 "toke.l"
+#line 547 "toke.l"
{
/* directories can't have args... */
if (yytext[yyleng - 1] == '/') {
}
} /* a pathname */
YY_BREAK
-case 46:
+case 48:
YY_RULE_SETUP
-#line 548 "toke.l"
+#line 562 "toke.l"
{
LEXTRACE("BEGINSTR ");
yylval.string = NULL;
BEGIN INSTR;
}
YY_BREAK
-case 47:
+case 49:
YY_RULE_SETUP
-#line 555 "toke.l"
+#line 569 "toke.l"
{
/* a word */
if (!fill(yytext, yyleng))
LEXRETURN(WORD);
}
YY_BREAK
-case 48:
+case 50:
YY_RULE_SETUP
-#line 563 "toke.l"
+#line 577 "toke.l"
{
LEXTRACE("( ");
LEXRETURN('(');
}
YY_BREAK
-case 49:
+case 51:
YY_RULE_SETUP
-#line 568 "toke.l"
+#line 582 "toke.l"
{
LEXTRACE(") ");
LEXRETURN(')');
}
YY_BREAK
-case 50:
+case 52:
YY_RULE_SETUP
-#line 573 "toke.l"
+#line 587 "toke.l"
{
LEXTRACE(", ");
LEXRETURN(',');
} /* return ',' */
YY_BREAK
-case 51:
+case 53:
YY_RULE_SETUP
-#line 578 "toke.l"
+#line 592 "toke.l"
{
LEXTRACE("= ");
LEXRETURN('=');
} /* return '=' */
YY_BREAK
-case 52:
+case 54:
YY_RULE_SETUP
-#line 583 "toke.l"
+#line 597 "toke.l"
{
LEXTRACE(": ");
LEXRETURN(':');
} /* return ':' */
YY_BREAK
-case 53:
+case 55:
YY_RULE_SETUP
-#line 588 "toke.l"
+#line 602 "toke.l"
{
if (yyleng & 1) {
LEXTRACE("!");
}
}
YY_BREAK
-case 54:
+case 56:
YY_RULE_SETUP
-#line 595 "toke.l"
+#line 609 "toke.l"
{
if (YY_START == INSTR) {
LEXTRACE("ERROR ");
LEXRETURN(COMMENT);
} /* return newline */
YY_BREAK
-case 55:
+case 57:
YY_RULE_SETUP
-#line 607 "toke.l"
+#line 621 "toke.l"
{ /* throw away space/tabs */
sawspace = true; /* but remember for fill_args */
}
YY_BREAK
-case 56:
+case 58:
YY_RULE_SETUP
-#line 611 "toke.l"
+#line 625 "toke.l"
{
sawspace = true; /* remember for fill_args */
sudolineno++;
continued = true;
} /* throw away EOL after \ */
YY_BREAK
-case 57:
+case 59:
YY_RULE_SETUP
-#line 617 "toke.l"
+#line 631 "toke.l"
{
BEGIN INITIAL;
sudolineno++;
LEXRETURN(COMMENT);
} /* comment, not uid/gid */
YY_BREAK
-case 58:
+case 60:
YY_RULE_SETUP
-#line 625 "toke.l"
+#line 639 "toke.l"
{
LEXTRACE("ERROR ");
LEXRETURN(ERROR);
case YY_STATE_EOF(STARTDEFS):
case YY_STATE_EOF(INDEFS):
case YY_STATE_EOF(INSTR):
-#line 630 "toke.l"
+#line 644 "toke.l"
{
if (YY_START != INITIAL) {
BEGIN INITIAL;
yyterminate();
}
YY_BREAK
-case 59:
+case 61:
YY_RULE_SETUP
-#line 640 "toke.l"
+#line 654 "toke.l"
ECHO;
YY_BREAK
-#line 2457 "lex.yy.c"
+#line 2468 "lex.yy.c"
case YY_END_OF_BUFFER:
{
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 607 )
+ if ( yy_current_state >= 622 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 607 )
+ if ( yy_current_state >= 622 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
- yy_is_jam = (yy_current_state == 606);
+ yy_is_jam = (yy_current_state == 621);
return yy_is_jam ? 0 : yy_current_state;
}
return 0;
}
#endif
-#line 640 "toke.l"
+#line 654 "toke.l"
struct path_list {
char *path;
}
} else {
if ((fp = open_sudoers(path, true, &keepopen)) == NULL) {
- char *errbuf;
- if (asprintf(&errbuf, _("%s: %s"), path, strerror(errno)) != -1) {
- yyerror(errbuf);
- free(errbuf);
- } else {
- yyerror(_("unable to allocate memory"));
- }
+ /* The error was already printed by open_sudoers() */
+ yyerror(NULL);
debug_return_bool(false);
}
istack[idepth].more = NULL;
}
#ifdef TRACELEXER
-static int
+int
sudoers_trace_print(const char *msg)
{
return fputs(msg, stderr);
}
#else
-static int
+int
sudoers_trace_print(const char *msg)
{
static bool initialized;
bool fill_cmnd(const char *, int);
bool fill_txt(const char *, int, int);
bool ipv6_valid(const char *s);
+int sudoers_trace_print(const char *msg);
void yyerror(const char *);
#ifndef FLEX_SCANNER
static bool pop_include(void);
static char *parse_include(char *);
-static int sudoers_trace_print(const char *msg);
int (*trace_print)(const char *msg) = sudoers_trace_print;
#define LEXRETURN(n) do { \
goto got_alias;
#endif
}
+<INITIAL>PRIVS {
+#ifdef HAVE_PRIV_SET
+ LEXTRACE("PRIVS ");
+ LEXRETURN(PRIVS);
+#else
+ goto got_alias;
+#endif
+ }
+
+<INITIAL>LIMITPRIVS {
+#ifdef HAVE_PRIV_SET
+ LEXTRACE("LIMITPRIVS ");
+ LEXRETURN(LIMITPRIVS);
+#else
+ goto got_alias;
+#endif
+ }
[[:upper:]][[:upper:][:digit:]_]* {
-#ifndef HAVE_SELINUX
got_alias:
-#endif
if (!fill(yytext, yyleng))
yyterminate();
LEXTRACE("ALIAS ");
}
} else {
if ((fp = open_sudoers(path, true, &keepopen)) == NULL) {
- char *errbuf;
- if (asprintf(&errbuf, _("%s: %s"), path, strerror(errno)) != -1) {
- yyerror(errbuf);
- free(errbuf);
- } else {
- yyerror(_("unable to allocate memory"));
- }
+ /* The error was already printed by open_sudoers() */
+ yyerror(NULL);
debug_return_bool(false);
}
istack[idepth].more = NULL;
}
#ifdef TRACELEXER
-static int
+int
sudoers_trace_print(const char *msg)
{
return fputs(msg, stderr);
}
#else
-static int
+int
sudoers_trace_print(const char *msg)
{
static bool initialized;
(void) printf(_("%s grammar version %d\n"), getprogname(), SUDOERS_GRAMMAR_VERSION);
goto done;
case 'c':
- checkonly++; /* check mode */
+ checkonly = true; /* check mode */
break;
case 'f':
sudoers_path = optarg; /* sudoers file path */
help();
break;
case 's':
- strict++; /* strict mode */
+ strict = true; /* strict mode */
break;
case 'q':
- quiet++; /* quiet mode */
+ quiet = false; /* quiet mode */
break;
default:
usage(1);
if ((yyin = open_sudoers(sudoers_path, true, NULL)) == NULL) {
error(1, "%s", sudoers_path);
}
- init_parser(sudoers_path, 0);
+ init_parser(sudoers_path, false);
yyparse();
(void) update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER);
int ch;
debug_decl(reparse_sudoers, SUDO_DEBUG_UTIL)
+ if (tq_empty(&sudoerslist))
+ debug_return;
+
/*
* Parse the edited sudoers files and do sanity checking
*/
}
fclose(yyin);
if (!parse_error) {
- if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER) ||
+ if (!check_defaults(SETDEF_ALL, quiet) ||
check_aliases(strict, quiet) != 0) {
parse_error = true;
- errorfile = sp->path;
+ errorfile = NULL;
}
}
tq_foreach_fwd(&sudoerslist, sp) {
if (errorfile == NULL || strcmp(sp->path, errorfile) == 0) {
edit_sudoers(sp, editor, args, errorlineno);
- break;
+ if (errorfile != NULL)
+ break;
}
}
- if (sp == NULL) {
+ if (errorfile != NULL && sp == NULL) {
errorx(1, _("internal error, unable to find %s in list!"),
sudoers);
}
parse_error = true;
errorfile = sudoers_path;
}
- if (!parse_error && check_aliases(strict, quiet) != 0) {
- parse_error = true;
- errorfile = sudoers_path;
+ if (!parse_error) {
+ if (!check_defaults(SETDEF_ALL, quiet) ||
+ check_aliases(strict, quiet) != 0) {
+ parse_error = true;
+ errorfile = NULL;
+ }
}
ok = !parse_error;
if (errorlineno != -1)
(void) printf(_("parse error in %s near line %d\n"),
errorfile, errorlineno);
- else
+ else if (errorfile != NULL)
(void) printf(_("parse error in %s\n"), errorfile);
}
} else {
bool rval = true;
debug_decl(alias_remove_recursive, SUDO_DEBUG_ALIAS)
- if ((a = alias_find(name, type)) != NULL) {
+ if ((a = alias_remove(name, type)) != NULL) {
tq_foreach_fwd(&a->members, m) {
if (m->type == ALIAS) {
if (!alias_remove_recursive(m->name, type))
rval = false;
}
}
+ rbinsert(alias_freelist, a);
}
alias_seqno++;
- a = alias_remove(name, type);
- if (a)
- rbinsert(alias_freelist, a);
debug_return_bool(rval);
}
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
incdir = $(top_srcdir)/include
+cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
# Flags to pass to the link stage
LDFLAGS = @LDFLAGS@
-LTLDFLAGS = @LTLDFLAGS@
+LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@
+
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
# Where to install things...
prefix = @prefix@
datarootdir = @datarootdir@
localstatedir = @localstatedir@
plugindir = @PLUGINDIR@
+
+# File extension, mode and map file to use for shared libraries/objects
soext = @SOEXT@
+shlib_mode = @SHLIB_MODE@
+shlib_exp = $(srcdir)/system_group.exp
+shlib_map = system_group.map
+shlib_opt = system_group.opt
# OS dependent defines
DEFS = @OSDEFS@
.SUFFIXES: .o .c .h .lo
.c.lo:
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
+
+$(shlib_map): $(shlib_exp)
+ @awk 'BEGIN { print "{\n\tglobal:" } { print "\t\t"$$0";" } END { print "\tlocal:\n\t\t*;\n};" }' $(shlib_exp) > $@
+
+$(shlib_opt): $(shlib_exp)
+ @sed 's/^/+e /' $(shlib_exp) > $@
-system_group.la: $(OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ $(OBJS) $(LIBS) -module -export-symbols $(srcdir)/system_group.sym -avoid-version -rpath $(plugindir)
+system_group.la: $(OBJS) $(LT_LIBS) @LT_LDDEP@
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version -rpath $(plugindir)
pre-install:
install-doc:
install-plugin: install-dirs system_group.la
- $(INSTALL) -b~ -m 0755 .libs/system_group$(soext) $(DESTDIR)$(plugindir)
+ $(INSTALL) -b~ -m $(shlib_mode) .libs/system_group$(soext) $(DESTDIR)$(plugindir)
uninstall:
-rm -f $(DESTDIR)$(plugindir)/system_group$(soext)
system_group.lo: $(srcdir)/system_group.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(top_srcdir)/compat/dlfcn.h \
$(incdir)/sudo_plugin.h $(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/system_group.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/system_group.c
need_setent = true;
}
- handle = dlsym(RTLD_DEFAULT, "gr_delref");
+ handle = dlsym(RTLD_DEFAULT, "sudo_gr_delref");
if (handle != NULL)
sysgroup_gr_delref = (sysgroup_gr_delref_t)handle;
--- /dev/null
+group_plugin
+++ /dev/null
-group_plugin
#!/bin/sh
# Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED
-pp_revision="355"
+pp_revision="368"
# Copyright 2012 Quest Software, Inc. ALL RIGHTS RESERVED.
#
# Redistribution and use in source and binary forms, with or without
# current working (source) directory, not the destination;
# we need to qualify them to prevent this.
case "$st" in
- /*) echo "$line $st $p";;
- *) echo "$line `dirname $p`/$st $p";;
+ [!/]*) st="`dirname \"$p\"`/$st";;
esac
+ echo "$line -o $o -g $g -m $m $st $p"
;;
*)
echo "$line -o $o -g $g -m $m $pp_destdir$p $p"
pp_deb_release=
pp_deb_arch=
pp_deb_arch_std=
- pp_deb_maintainer=support@quest.com
+ pp_deb_maintainer="Quest Software, Inc <support@quest.com>"
pp_deb_copyright=
pp_deb_distro=
pp_deb_control_description=
# Make sure any programs we require are installed
pp_deb_check_required_programs
-
- # Set generated/interrogated platforms variables
- pp_deb_munge_description
}
pp_deb_check_required_programs () {
pp_deb_munge_description () {
# Insert a leading space on each line, replace blank lines with a
#space followed by a full-stop.
- pp_deb_control_description=`echo ${pp_deb_description:-$description} | \
- sed "s,^\(.*\)$, \1, " \
- | sed "s,^[ \t]*$, .,g"`
-
+ pp_deb_control_description="`echo ${pp_deb_description:-$description} | \
+ sed 's,^\(.*\)$, \1, ' | sed 's,^[ \t]*$, .,g' | fmt -w 80`"
}
pp_deb_detect_arch () {
}
pp_deb_make_control() {
- package_name=`pp_deb_cmp_full_name "$1"`
+ local cmp="$1"
+ local installed_size
+
+ # compute the installed size
+ installed_size=`pp_deb_files_size < $pp_wrkdir/%files.$cmp`
+
+ package_name=`pp_deb_cmp_full_name "$cmp"`
cat <<-.
Package: ${package_name}
Version: `pp_deb_version_final`-${pp_deb_release:-1}
Maintainer: ${pp_deb_maintainer:-$maintainer}
Description: ${pp_deb_summary:-$summary}
${pp_deb_control_description}
+ Installed-Size: ${installed_size}
.
- if test -s $pp_wrkdir/%depend."$1"; then
+ if test -s $pp_wrkdir/%depend."$cmp"; then
sed -ne '/^[ ]*$/!s/^[ ]*/Depends: /p' \
- < $pp_wrkdir/%depend."$1"
+ < $pp_wrkdir/%depend."$cmp"
fi
- if test -s $pp_wrkdir/%conflict."$1"; then
- pp_deb_conflict < $pp_wrkdir/%conflict."$1"
+ if test -s $pp_wrkdir/%conflict."$cmp"; then
+ pp_deb_conflict < $pp_wrkdir/%conflict."$cmp"
fi
}
#-- append %post code to install the svc
test x"yes" = x"$enable" &&
cat<<-. >> $pp_wrkdir/%post.run
- # Install the service links
- /usr/sbin/update-rc.d $svc defaults
+ case "\$1" in
+ configure)
+ # Install the service links
+ update-rc.d $svc defaults
+ ;;
+ esac
.
#-- prepend %preun code to stop svc
cat<<-. | pp_prepend $pp_wrkdir/%preun.run
- # Stop the $svc service
- if test -x /usr/sbin/invoke-rc.d; then
- /usr/sbin/invoke-rc.d $svc stop
- else
- /etc/init.d/$svc stop
- fi
- # Remove the service links
- /usr/sbin/update-rc.d -f $svc remove
+ case "\$1" in
+ remove|deconfigure|upgrade)
+ # Stop the $svc service
+ invoke-rc.d $svc stop
+ ;;
+ esac
+.
+
+ #-- prepend %postun code to remove service
+ cat<<-. | pp_prepend $pp_wrkdir/%postun.run
+ case "\$1" in
+ purge)
+ # Remove the service links
+ update-rc.d $svc remove
+ ;;
+ esac
.
done
#pp_deb_service_remove_common | pp_prepend $pp_wrkdir/%preun.run
fi
}
+pp_deb_files_size () {
+ local t m o g f p st
+ while read t m o g f p st; do
+ case $t in
+ f|s) du -k "${pp_destdir}$p";;
+ d) echo 4;;
+ esac
+ done | awk '{n+=$1} END {print n}'
+}
+
pp_deb_make_DEBIAN() {
local cmp="${1:-run}"
local data cmp_full_name
cp $pp_wrkdir/%conffiles.$cmp $data/DEBIAN/conffiles
fi
+ # Create preinst
+ pp_deb_make_package_maintainer_script "$data/DEBIAN/preinst" \
+ "$pp_wrkdir/%pre.$cmp" "Pre-install script for $cmp_full_name"\
+ || exit $?
+
# Create postinst
pp_deb_make_package_maintainer_script "$data/DEBIAN/postinst" \
- "$pp_wrkdir/%post.$cmp" "Post install script for $cmp_full_name"\
+ "$pp_wrkdir/%post.$cmp" "Post-install script for $cmp_full_name"\
|| exit $?
# Create prerm
# Create md5sums
pp_deb_make_md5sums $cmp `(cd $package_build_dir;
- find . -type f -a -not -name DEBIAN | sed "s,^\./,,")` ||
+ find . -name DEBIAN -prune -o -type f -print | sed "s,^\./,,")` ||
pp_die "Could not make DEBIAN md5sums for $cmp"
}
pp_backend_deb () {
local debname
+ # Munge description for control file inclusion
+ pp_deb_munge_description
+
# Handle services
pp_deb_handle_services $cmp
lsb_required_start='$local_fs $network'
lsb_should_start=
- lsb_required_stop=
+ lsb_required_stop='$local_fs'
lsb_description=
start_priority=50
local out=$pp_destdir$script
local _process _cmd
- pp_add_file_if_missing $script run 755 || return 0
+ pp_add_file_if_missing $script run 755 v || return 0
#-- start out as an empty shell script
cat <<-'.' >$out
sub chk { my $d=shift;
&chk(&dirname($d)) if $d =~ m,/,;
unless ($seen{$d}++) {
+ # Make sure we do not override system directories
+ if ($d =~ m:^\./(etc|var)$:) {
+ my $tgt = "private/$1";
+ my $_ = `/usr/bin/printf "$tgt" | /usr/bin/cksum /dev/stdin`;
+ my ($sum, $len) = split;
+ print "$d\t120755\t0/0\t$len\t$sum\t$tgt\n";
+ } elsif ($d eq "." || $d eq "./Library") {
+ print "$d\t41775\t0/80\n";
+ } elsif ($d eq "./Applications" || $d eq "./Developer") {
+ print "$d\t40775\t0/80\n";
+ } else {
print "$d\t40755\t0/0\n";
+ }
}
}
m/^(\S+)\s+(\d+)/;
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
incdir = $(top_srcdir)/include
+cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
# Flags to pass to the link stage
LDFLAGS = @LDFLAGS@
-LTLDFLAGS = @LTLDFLAGS@
+LT_LDFLAGS = @LT_LDFLAGS@
+
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
# Where to install things...
prefix = @prefix@
install_uid = 0
install_gid = 0
+# File mode to use for shared libraries/objects
+shlib_mode = @SHLIB_MODE@
+
# OS dependent defines
DEFS = @OSDEFS@ -DLOCALEDIR=\"$(localedir)\"
.SUFFIXES: .c .h .lo .o
.c.o:
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
.c.lo:
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $<
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
sudo: $(OBJS) $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ $(OBJS) $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)
libsudo_noexec.la: sudo_noexec.lo
- $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LTLDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
+ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
sesh: sesh.o error.o exec_common.o @LIBINTL@ $(LT_LIBS)
- $(LIBTOOL) --mode=link $(CC) -o $@ sesh.o error.o exec_common.o $(LDFLAGS) @LIBINTL@ $(LIBS)
+ $(LIBTOOL) --mode=link $(CC) -o $@ sesh.o error.o exec_common.o $(LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) @LIBINTL@ $(LIBS)
pre-install:
$(DESTDIR)$(noexecdir)
install-binaries: install-dirs $(PROGS)
- $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -M 04111 sudo $(DESTDIR)$(bindir)/sudo
+ $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 04755 sudo $(DESTDIR)$(bindir)/sudo
rm -f $(DESTDIR)$(bindir)/sudoedit
- ln $(DESTDIR)$(bindir)/sudo $(DESTDIR)$(bindir)/sudoedit
- if [ -f sesh ]; then $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -M 0111 sesh $(DESTDIR)$(libexecdir)/sesh; fi
+ ln -s sudo $(DESTDIR)$(bindir)/sudoedit
+ if [ -f sesh ]; then $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -M 0755 sesh $(DESTDIR)$(libexecdir)/sesh; fi
install-doc:
# We install sudo_noexec by hand so we can avoid a "lib" prefix
# and a version number. Since we use LD_PRELOAD, neither is needed.
install-noexec: install-dirs libsudo_noexec.la
- if [ -f .libs/lib$(noexecfile) ]; then $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m 0755 .libs/lib$(noexecfile) $(DESTDIR)$(noexecdir)/$(noexecfile); fi
+ if [ -f .libs/lib$(noexecfile) ]; then $(INSTALL) -b~ -O $(install_uid) -G $(install_gid) -m $(shlib_mode) .libs/lib$(noexecfile) $(DESTDIR)$(noexecdir)/$(noexecfile); fi
install-plugin:
uninstall:
-rm -f $(DESTDIR)$(bindir)/sudo $(DESTDIR)$(bindir)/sudoedit \
$(DESTDIR)$(libexecdir)/sesh \
- $(DESTDIR)$(noexecdir)/$(noexecfile) \
+ $(DESTDIR)$(noexecdir)/$(noexecfile)
check:
$(incdir)/list.h $(incdir)/sudo_conf.h $(incdir)/list.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(incdir)/sudo_plugin.h $(srcdir)/sudo_plugin_int.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/conversation.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/conversation.c
env_hooks.o: $(srcdir)/env_hooks.c $(top_builddir)/config.h \
$(top_srcdir)/compat/dlfcn.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(incdir)/sudo_plugin.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/env_hooks.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/env_hooks.c
error.o: $(srcdir)/error.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/error.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/error.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/error.c
exec.o: $(srcdir)/exec.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/sudo_exec.h $(incdir)/sudo_plugin.h \
$(srcdir)/sudo_plugin_int.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/exec.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/exec.c
exec_common.o: $(srcdir)/exec_common.c $(top_builddir)/config.h \
$(srcdir)/sudo.h $(top_builddir)/pathnames.h \
$(top_srcdir)/compat/stdbool.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/fileops.h \
$(incdir)/list.h $(incdir)/sudo_conf.h $(incdir)/list.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h $(srcdir)/sudo_exec.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/exec_common.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/exec_common.c
exec_pty.o: $(srcdir)/exec_pty.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/sudo_exec.h $(incdir)/sudo_plugin.h \
$(srcdir)/sudo_plugin_int.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/exec_pty.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/exec_pty.c
get_pty.o: $(srcdir)/get_pty.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/get_pty.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/get_pty.c
hooks.o: $(srcdir)/hooks.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(incdir)/sudo_plugin.h $(srcdir)/sudo_plugin_int.h \
$(incdir)/sudo_debug.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/hooks.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/hooks.c
load_plugins.o: $(srcdir)/load_plugins.c $(top_builddir)/config.h \
$(top_srcdir)/compat/dlfcn.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(incdir)/sudo_plugin.h $(srcdir)/sudo_plugin_int.h \
$(incdir)/sudo_conf.h $(incdir)/list.h $(incdir)/sudo_debug.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/load_plugins.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/load_plugins.c
net_ifs.o: $(srcdir)/net_ifs.c $(top_builddir)/config.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/sudo_debug.h \
$(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/net_ifs.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/net_ifs.c
parse_args.o: $(srcdir)/parse_args.c $(top_builddir)/config.h ./sudo_usage.h \
$(srcdir)/sudo.h $(top_builddir)/pathnames.h \
$(top_srcdir)/compat/stdbool.h $(incdir)/missing.h \
$(incdir)/alloc.h $(incdir)/error.h $(incdir)/fileops.h \
$(incdir)/list.h $(incdir)/sudo_conf.h $(incdir)/list.h \
$(incdir)/sudo_debug.h $(incdir)/gettext.h $(incdir)/lbuf.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/parse_args.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/parse_args.c
preload.o: $(srcdir)/preload.c $(top_builddir)/config.h $(incdir)/sudo_plugin.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/preload.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/preload.c
selinux.o: $(srcdir)/selinux.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/sudo_exec.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/selinux.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/selinux.c
sesh.o: $(srcdir)/sesh.c $(top_builddir)/config.h \
$(top_srcdir)/compat/stdbool.h $(incdir)/missing.h $(incdir)/alloc.h \
$(incdir)/error.h $(incdir)/gettext.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(srcdir)/sudo_exec.h \
$(incdir)/sudo_plugin.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sesh.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sesh.c
sudo.o: $(srcdir)/sudo.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(incdir)/sudo_plugin.h $(srcdir)/sudo_plugin_int.h ./sudo_usage.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudo.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudo.c
sudo_edit.o: $(srcdir)/sudo_edit.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudo_edit.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudo_edit.c
sudo_noexec.lo: $(srcdir)/sudo_noexec.c $(top_builddir)/config.h \
$(incdir)/missing.h
- $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/sudo_noexec.c
+ $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/sudo_noexec.c
tgetpass.o: $(srcdir)/tgetpass.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/tgetpass.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/tgetpass.c
ttyname.o: $(srcdir)/ttyname.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/ttyname.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/ttyname.c
utmp.o: $(srcdir)/utmp.c $(top_builddir)/config.h $(srcdir)/sudo.h \
$(top_builddir)/pathnames.h $(top_srcdir)/compat/stdbool.h \
$(incdir)/missing.h $(incdir)/alloc.h $(incdir)/error.h \
$(incdir)/fileops.h $(incdir)/list.h $(incdir)/sudo_conf.h \
$(incdir)/list.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
$(srcdir)/sudo_exec.h
- $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/utmp.c
+ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/utmp.c
};
TQ_DECLARE(sigforward)
static struct sigforward_list sigfwd_list;
+static pid_t ppgrp = -1;
+
+volatile pid_t cmnd_pid = -1;
static int handle_signals(int sv[2], pid_t child, int log_io,
struct command_status *cstat);
static void forward_signals(int fd);
static void schedule_signal(int signo);
#ifdef SA_SIGINFO
-static void handler_nofwd(int s, siginfo_t *info, void *context);
+static void handler_user_only(int s, siginfo_t *info, void *context);
#endif
/*
{
struct command_status cstat;
sigaction_t sa;
- pid_t child;
debug_decl(fork_cmnd, SUDO_DEBUG_EXEC)
+ ppgrp = getpgrp(); /* parent's process group */
+
+ /*
+ * Handle suspend/restore of sudo and the command.
+ * In most cases, the command will be in the same process group as
+ * sudo and job control will "just work". However, if the command
+ * changes its process group ID and does not change it back (or is
+ * kill by SIGSTOP which is not catchable), we need to resume the
+ * command manually. Also, if SIGTSTP is sent directly to sudo,
+ * we need to suspend the command, and then suspend ourself, restoring
+ * the default SIGTSTP handler temporarily.
+ *
+ * XXX - currently we send SIGCONT upon resume in some cases where
+ * we don't need to (e.g. command pgrp == parent pgrp).
+ */
zero_bytes(&sa, sizeof(sa));
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
+#ifdef SA_SIGINFO
+ sa.sa_flags |= SA_SIGINFO;
+ sa.sa_sigaction = handler;
+#else
sa.sa_handler = handler;
+#endif
sigaction(SIGCONT, &sa, NULL);
+#ifdef SA_SIGINFO
+ sa.sa_sigaction = handler_user_only;
+#endif
+ sigaction(SIGTSTP, &sa, NULL);
/*
* The policy plugin's session init must be run before we fork
if (policy_init_session(details) != true)
errorx(1, _("policy plugin failed session initialization"));
- child = sudo_debug_fork();
- switch (child) {
+ cmnd_pid = sudo_debug_fork();
+ switch (cmnd_pid) {
case -1:
error(1, _("unable to fork"));
break;
sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, 1);
_exit(1);
}
- debug_return_int(child);
+ sudo_debug_printf(SUDO_DEBUG_INFO, "executed %s, pid %d", details->command,
+ (int)cmnd_pid);
+ debug_return_int(cmnd_pid);
}
static struct signal_state {
bool log_io = false;
fd_set *fdsr, *fdsw;
sigaction_t sa;
+ sigset_t omask;
pid_t child;
debug_decl(sudo_execute, SUDO_DEBUG_EXEC)
* Note: HP-UX select() will not be interrupted if SA_RESTART set.
*/
sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
+#ifdef SA_SIGINFO
+ sa.sa_flags |= SA_SIGINFO;
+ sa.sa_sigaction = handler;
+#else
sa.sa_handler = handler;
+#endif
sigaction(SIGALRM, &sa, NULL);
sigaction(SIGCHLD, &sa, NULL);
sigaction(SIGPIPE, &sa, NULL);
#ifdef SA_SIGINFO
if (!log_io) {
sa.sa_flags |= SA_SIGINFO;
- sa.sa_sigaction = handler_nofwd;
+ sa.sa_sigaction = handler_user_only;
}
#endif
sigaction(SIGHUP, &sa, NULL);
* to and from pty. Adjusts maxfd as needed.
*/
if (log_io)
- child = fork_pty(details, sv, &maxfd);
+ child = fork_pty(details, sv, &maxfd, &omask);
else
child = fork_cmnd(details, sv);
close(sv[1]);
break;
}
}
- if (cstat->type == CMD_WSTATUS) {
+ if (cstat->type == CMD_PID) {
+ /*
+ * Once we know the command's pid we can unblock
+ * signals which ere blocked in fork_pty(). This
+ * avoids a race between exec of the command and
+ * receipt of a fatal signal from it.
+ */
+ cmnd_pid = cstat->val;
+ sudo_debug_printf(SUDO_DEBUG_INFO, "executed %s, pid %d",
+ details->command, (int)cmnd_pid);
+ if (log_io)
+ sigprocmask(SIG_SETMASK, &omask, NULL);
+ } else if (cstat->type == CMD_WSTATUS) {
if (WIFSTOPPED(cstat->val)) {
/* Suspend parent and tell child how to resume on return. */
sudo_debug_printf(SUDO_DEBUG_INFO,
static int
handle_signals(int sv[2], pid_t child, int log_io, struct command_status *cstat)
{
+ char signame[SIG2STR_MAX];
unsigned char signo;
ssize_t nread;
int status;
cstat->val = errno;
debug_return_int(-1);
}
- sudo_debug_printf(SUDO_DEBUG_DIAG, "received signal %d", signo);
+ if (sig2str(signo, signame) == -1)
+ snprintf(signame, sizeof(signame), "%d", signo);
+ sudo_debug_printf(SUDO_DEBUG_DIAG, "received SIG%s", signame);
if (signo == SIGCHLD) {
/*
* If logging I/O, child is the intermediate process,
if (WIFSTOPPED(status)) {
/*
* Save the controlling terminal's process group
- * so we can restore it after we resume.
+ * so we can restore it after we resume, if needed.
+ * Most well-behaved shells change the pgrp back to
+ * its original value before suspending so we must
+ * not try to restore in that case, lest we race with
+ * the child upon resume, potentially stopping sudo
+ * with SIGTTOU while the command continues to run.
*/
+ sigaction_t sa, osa;
pid_t saved_pgrp = (pid_t)-1;
+ int signo = WSTOPSIG(status);
int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY, 0);
- if (fd != -1)
- saved_pgrp = tcgetpgrp(fd);
- if (kill(getpid(), WSTOPSIG(status)) != 0) {
- warning("kill(%d, %d)", (int)getpid(),
- WSTOPSIG(status));
+ if (fd != -1) {
+ if ((saved_pgrp = tcgetpgrp(fd)) == ppgrp)
+ saved_pgrp = -1;
}
+ if (signo == SIGTSTP) {
+ zero_bytes(&sa, sizeof(sa));
+ sigemptyset(&sa.sa_mask);
+ sa.sa_handler = SIG_DFL;
+ sigaction(SIGTSTP, &sa, &osa);
+ }
+ if (kill(getpid(), signo) != 0)
+ warning("kill(%d, SIG%s)", (int)getpid(), signame);
+ if (signo == SIGTSTP)
+ sigaction(SIGTSTP, &osa, NULL);
if (fd != -1) {
+ /*
+ * Restore command's process group if different.
+ * Otherwise, we cannot resume some shells.
+ */
if (saved_pgrp != (pid_t)-1)
(void)tcsetpgrp(fd, saved_pgrp);
close(fd);
} else {
/* Nothing listening on sv[0], send directly. */
if (signo == SIGALRM)
- terminate_child(child, false);
+ terminate_command(child, false);
else if (kill(child, signo) != 0)
- warning("kill(%d, %d)", (int)child, signo);
+ warning("kill(%d, SIG%s)", (int)child, signame);
}
}
}
static void
forward_signals(int sock)
{
+ char signame[SIG2STR_MAX];
struct sigforward *sigfwd;
struct command_status cstat;
ssize_t nsent;
while (!tq_empty(&sigfwd_list)) {
sigfwd = tq_first(&sigfwd_list);
+ if (sig2str(sigfwd->signo, signame) == -1)
+ snprintf(signame, sizeof(signame), "%d", sigfwd->signo);
sudo_debug_printf(SUDO_DEBUG_INFO,
- "sending signal %d to child over backchannel", sigfwd->signo);
+ "sending SIG%s to child over backchannel", signame);
cstat.type = CMD_SIGNO;
cstat.val = sigfwd->signo;
do {
schedule_signal(int signo)
{
struct sigforward *sigfwd;
+ char signame[SIG2STR_MAX];
debug_decl(schedule_signal, SUDO_DEBUG_EXEC)
- sudo_debug_printf(SUDO_DEBUG_DIAG, "forwarding signal %d to child", signo);
+ if (sig2str(signo, signame) == -1)
+ snprintf(signame, sizeof(signame), "%d", signo);
+ sudo_debug_printf(SUDO_DEBUG_DIAG, "forwarding SIG%s to child", signame);
sigfwd = ecalloc(1, sizeof(*sigfwd));
sigfwd->prev = sigfwd;
* Generic handler for signals passed from parent -> child.
* The other end of signal_pipe is checked in the main event loop.
*/
+#ifdef SA_SIGINFO
+void
+handler(int s, siginfo_t *info, void *context)
+{
+ unsigned char signo = (unsigned char)s;
+
+ /*
+ * If the signal came from the command we ran, just ignore
+ * it since we don't want the child to indirectly kill itself.
+ * This can happen with, e.g. BSD-derived versions of reboot
+ * that call kill(-1, SIGTERM) to kill all other processes.
+ */
+ if (info != NULL && info->si_code == SI_USER && info->si_pid == cmnd_pid)
+ return;
+
+ /*
+ * The pipe is non-blocking, if we overflow the kernel's pipe
+ * buffer we drop the signal. This is not a problem in practice.
+ */
+ ignore_result(write(signal_pipe[1], &signo, sizeof(signo)));
+}
+#else
void
handler(int s)
{
*/
ignore_result(write(signal_pipe[1], &signo, sizeof(signo)));
}
+#endif
#ifdef SA_SIGINFO
/*
* signals that are generated by the kernel.
*/
static void
-handler_nofwd(int s, siginfo_t *info, void *context)
+handler_user_only(int s, siginfo_t *info, void *context)
{
unsigned char signo = (unsigned char)s;
/* Only forward user-generated signals. */
- if (info == NULL || info->si_code <= 0) {
+ if (info != NULL && info->si_code == SI_USER) {
/*
* The pipe is non-blocking, if we overflow the kernel's pipe
* buffer we drop the signal. This is not a problem in practice.
# include <priv.h>
#endif
#include <errno.h>
+#include <signal.h>
#include "sudo.h"
#include "sudo_exec.h"
static bool foreground, pipeline, tty_initialized;
static int io_fds[6] = { -1, -1, -1, -1, -1, -1};
static int ttymode = TERM_COOKED;
-static pid_t ppgrp, child, child_pgrp;
+static pid_t ppgrp, cmnd_pgrp, mon_pgrp;
static sigset_t ttyblock;
static struct io_buffer *iobufs;
debug_return;
}
+/*
+ * Generic handler for signals recieved by the monitor process.
+ * The other end of signal_pipe is checked in the monitor event loop.
+ */
+#ifdef SA_SIGINFO
+void
+mon_handler(int s, siginfo_t *info, void *context)
+{
+ unsigned char signo = (unsigned char)s;
+
+ /*
+ * If the signal came from the command we ran, just ignore
+ * it since we don't want the command to indirectly kill itself.
+ * This can happen with, e.g. BSD-derived versions of reboot
+ * that call kill(-1, SIGTERM) to kill all other processes.
+ */
+ if (info != NULL && info->si_code == SI_USER && info->si_pid == cmnd_pid)
+ return;
+
+ /*
+ * The pipe is non-blocking, if we overflow the kernel's pipe
+ * buffer we drop the signal. This is not a problem in practice.
+ */
+ ignore_result(write(signal_pipe[1], &signo, sizeof(signo)));
+}
+#else
+void
+mon_handler(int s)
+{
+ unsigned char signo = (unsigned char)s;
+
+ /*
+ * The pipe is non-blocking, if we overflow the kernel's pipe
+ * buffer we drop the signal. This is not a problem in practice.
+ */
+ ignore_result(write(signal_pipe[1], &signo, sizeof(signo)));
+}
+#endif
+
/*
* Allocate a pty if /dev/tty is a tty.
* Fills in io_fds[SFD_USERTTY], io_fds[SFD_MASTER], io_fds[SFD_SLAVE]
/*
* Suspend sudo if the underlying command is suspended.
- * Returns SIGCONT_FG if the child should be resume in the
+ * Returns SIGCONT_FG if the command should be resumed in the
* foreground or SIGCONT_BG if it is a background process.
*/
int
suspend_parent(int signo)
{
+ char signame[SIG2STR_MAX];
sigaction_t sa, osa;
int n, oldmode = ttymode, rval = 0;
debug_decl(suspend_parent, SUDO_DEBUG_EXEC);
case SIGTTOU:
case SIGTTIN:
/*
- * If we are the foreground process, just resume the child.
+ * If we are the foreground process, just resume the command.
* Otherwise, re-send the signal with the handler disabled.
*/
if (!foreground)
} while (!n && errno == EINTR);
ttymode = TERM_RAW;
}
- rval = SIGCONT_FG; /* resume child in foreground */
+ rval = SIGCONT_FG; /* resume command in foreground */
break;
}
ttymode = TERM_RAW;
} while (!n && errno == EINTR);
}
- /* Suspend self and continue child when we resume. */
+ if (sig2str(signo, signame) == -1)
+ snprintf(signame, sizeof(signame), "%d", signo);
+
+ /* Suspend self and continue command when we resume. */
zero_bytes(&sa, sizeof(sa));
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
sa.sa_handler = SIG_DFL;
sigaction(signo, &sa, &osa);
- sudo_debug_printf(SUDO_DEBUG_INFO, "kill parent %d", signo);
+ sudo_debug_printf(SUDO_DEBUG_INFO, "kill parent SIG%s", signame);
if (killpg(ppgrp, signo) != 0)
- warning("killpg(%d, %d)", (int)ppgrp, signo);
+ warning("killpg(%d, SIG%s)", (int)ppgrp, signame);
/* Check foreground/background status on resume. */
check_foreground();
/*
* Only modify term if we are foreground process and either
- * the old tty mode was not cooked or child got SIGTT{IN,OU}
+ * the old tty mode was not cooked or command got SIGTT{IN,OU}
*/
sudo_debug_printf(SUDO_DEBUG_INFO, "parent is in %s, ttymode %d -> %d",
foreground ? "foreground" : "background", oldmode, ttymode);
}
/*
- * Kill child with increasing urgency.
+ * Kill command with increasing urgency.
*/
void
-terminate_child(pid_t pid, bool use_pgrp)
+terminate_command(pid_t pid, bool use_pgrp)
{
- debug_decl(terminate_child, SUDO_DEBUG_EXEC);
+ debug_decl(terminate_command, SUDO_DEBUG_EXEC);
/*
* Note that SIGCHLD will interrupt the sleep()
sudo_debug_printf(SUDO_DEBUG_INFO,
"read %d bytes from fd %d", n, iob->rfd);
if (!iob->action(iob->buf + iob->len, n))
- terminate_child(child, true);
+ terminate_command(cmnd_pid, true);
iob->len += n;
break;
}
* Returns the child pid.
*/
int
-fork_pty(struct command_details *details, int sv[], int *maxfd)
+fork_pty(struct command_details *details, int sv[], int *maxfd, sigset_t *omask)
{
struct command_status cstat;
struct io_buffer *iob;
int io_pipe[3][2], n;
sigaction_t sa;
+ sigset_t mask;
+ pid_t child;
debug_decl(fork_pty, SUDO_DEBUG_EXEC);
ppgrp = getpgrp(); /* parent's pgrp, so child can signal us */
/* Job control signals to relay from parent to child. */
sa.sa_flags = SA_INTERRUPT; /* do not restart syscalls */
+#ifdef SA_SIGINFO
+ sa.sa_flags |= SA_SIGINFO;
+ sa.sa_sigaction = handler;
+#else
sa.sa_handler = handler;
+#endif
sigaction(SIGTSTP, &sa, NULL);
/* We don't want to receive SIGTTIN/SIGTTOU, getting EIO is preferable. */
if (policy_init_session(details) != true)
errorx(1, _("policy plugin failed session initialization"));
+ /*
+ * Block some signals until cmnd_pid is set in the parent to avoid a
+ * race between exec of the command and receipt of a fatal signal from it.
+ */
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGTERM);
+ sigaddset(&mask, SIGHUP);
+ sigaddset(&mask, SIGINT);
+ sigaddset(&mask, SIGQUIT);
+ sigprocmask(SIG_BLOCK, &mask, omask);
+
child = sudo_debug_fork();
switch (child) {
case -1:
close(signal_pipe[0]);
close(signal_pipe[1]);
fcntl(sv[1], F_SETFD, FD_CLOEXEC);
+ sigprocmask(SIG_SETMASK, omask, NULL);
if (exec_setup(details, slavename, io_fds[SFD_SLAVE]) == true) {
/* Close the other end of the stdin/stdout/stderr pipes and exec. */
if (io_pipe[STDIN_FILENO][1])
}
cstat.type = CMD_ERRNO;
cstat.val = errno;
- send(sv[1], &cstat, sizeof(cstat), 0);
+ ignore_result(send(sv[1], &cstat, sizeof(cstat), 0));
_exit(1);
}
static void
deliver_signal(pid_t pid, int signo, bool from_parent)
{
+ char signame[SIG2STR_MAX];
int status;
debug_decl(deliver_signal, SUDO_DEBUG_EXEC);
+ if (sig2str(signo, signame) == -1)
+ snprintf(signame, sizeof(signame), "%d", signo);
+
/* Handle signal from parent. */
- sudo_debug_printf(SUDO_DEBUG_INFO, "received signal %d%s", signo,
- from_parent ? " from parent" : "");
+ sudo_debug_printf(SUDO_DEBUG_INFO, "received SIG%s%s",
+ signame, from_parent ? " from parent" : "");
switch (signo) {
case SIGALRM:
- terminate_child(pid, true);
+ terminate_command(pid, true);
break;
case SIGCONT_FG:
/* Continue in foreground, grant it controlling tty. */
do {
- status = tcsetpgrp(io_fds[SFD_SLAVE], child_pgrp);
+ status = tcsetpgrp(io_fds[SFD_SLAVE], cmnd_pgrp);
} while (status == -1 && errno == EINTR);
killpg(pid, SIGCONT);
break;
case SIGCONT_BG:
/* Continue in background, I take controlling tty. */
do {
- status = tcsetpgrp(io_fds[SFD_SLAVE], getpid());
+ status = tcsetpgrp(io_fds[SFD_SLAVE], mon_pgrp);
} while (status == -1 && errno == EINTR);
killpg(pid, SIGCONT);
break;
_exit(1); /* XXX */
/* NOTREACHED */
default:
- /* Relay signal to child. */
+ /* Relay signal to command. */
killpg(pid, signo);
break;
}
}
/*
- * Wait for child status after receiving SIGCHLD.
- * If the child was stopped, the status is send back to the parent.
+ * Wait for command status after receiving SIGCHLD.
+ * If the command was stopped, the status is send back to the parent.
* Otherwise, cstat is filled in but not sent.
- * Returns true if child is still alive, else false.
+ * Returns true if command is still alive, else false.
*/
static bool
handle_sigchld(int backchannel, struct command_status *cstat)
pid_t pid;
debug_decl(handle_sigchld, SUDO_DEBUG_EXEC);
- /* read child status */
+ /* read command status */
do {
- pid = waitpid(child, &status, WUNTRACED|WNOHANG);
+ pid = waitpid(cmnd_pid, &status, WUNTRACED|WNOHANG);
} while (pid == -1 && errno == EINTR);
- if (pid == child) {
+ if (pid == cmnd_pid) {
if (cstat->type != CMD_ERRNO) {
+ char signame[SIG2STR_MAX];
+
cstat->type = CMD_WSTATUS;
cstat->val = status;
if (WIFSTOPPED(status)) {
- sudo_debug_printf(SUDO_DEBUG_INFO, "command stopped, signal %d",
- WSTOPSIG(status));
+ if (sig2str(WSTOPSIG(status), signame) == -1)
+ snprintf(signame, sizeof(signame), "%d", WSTOPSIG(status));
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "command stopped, SIG%s", signame);
+ /* Saved the foreground pgid so we can restore it later. */
do {
- child_pgrp = tcgetpgrp(io_fds[SFD_SLAVE]);
- } while (child_pgrp == -1 && errno == EINTR);
+ pid = tcgetpgrp(io_fds[SFD_SLAVE]);
+ } while (pid == -1 && errno == EINTR);
+ if (pid != mon_pgrp)
+ cmnd_pgrp = pid;
if (send_status(backchannel, cstat) == -1)
return alive; /* XXX */
} else if (WIFSIGNALED(status)) {
- sudo_debug_printf(SUDO_DEBUG_INFO, "command killed, signal %d",
- WTERMSIG(status));
+ if (sig2str(WTERMSIG(status), signame) == -1)
+ snprintf(signame, sizeof(signame), "%d", WTERMSIG(status));
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "command killed, SIG%s", signame);
} else {
sudo_debug_printf(SUDO_DEBUG_INFO, "command exited: %d",
WEXITSTATUS(status));
struct timeval tv;
fd_set *fdsr;
sigaction_t sa;
- int errpipe[2], maxfd, n, status;
+ int errpipe[2], maxfd, n;
bool alive = true;
unsigned char signo;
debug_decl(exec_monitor, SUDO_DEBUG_EXEC);
/* Note: HP-UX select() will not be interrupted if SA_RESTART set */
sa.sa_flags = SA_INTERRUPT;
- sa.sa_handler = handler;
+#ifdef SA_SIGINFO
+ sa.sa_flags |= SA_SIGINFO;
+ sa.sa_sigaction = mon_handler;
+#else
+ sa.sa_handler = mon_handler;
+#endif
sigaction(SIGCHLD, &sa, NULL);
/* Catch common signals so we can cleanup properly. */
sa.sa_flags = SA_RESTART;
- sa.sa_handler = handler;
+#ifdef SA_SIGINFO
+ sa.sa_flags |= SA_SIGINFO;
+ sa.sa_sigaction = mon_handler;
+#else
+ sa.sa_handler = mon_handler;
+#endif
sigaction(SIGHUP, &sa, NULL);
sigaction(SIGINT, &sa, NULL);
sigaction(SIGQUIT, &sa, NULL);
/*
* Start a new session with the parent as the session leader
* and the slave pty as the controlling terminal.
- * This allows us to be notified when the child has been suspended.
+ * This allows us to be notified when the command has been suspended.
*/
if (setsid() == -1) {
warning("setsid");
#endif
}
+ mon_pgrp = getpgrp(); /* save a copy of our process group */
+
/*
* If stdin/stdout is not a tty, start command in the background
* since it might be part of a pipeline that reads from /dev/tty.
/* Start command and wait for it to stop or exit */
if (pipe(errpipe) == -1)
error(1, _("unable to create pipe"));
- child = sudo_debug_fork();
- if (child == -1) {
+ cmnd_pid = sudo_debug_fork();
+ if (cmnd_pid == -1) {
warning(_("unable to fork"));
goto bad;
}
- if (child == 0) {
+ if (cmnd_pid == 0) {
/* We pass errno back to our parent via pipe on exec failure. */
close(backchannel);
close(signal_pipe[0]);
}
close(errpipe[1]);
+ /* Send the command's pid to main sudo process. */
+ cstat.type = CMD_PID;
+ cstat.val = cmnd_pid;
+ ignore_result(send(backchannel, &cstat, sizeof(cstat), 0));
+
/* If any of stdin/stdout/stderr are pipes, close them in parent. */
if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE])
close(io_fds[SFD_STDIN]);
close(io_fds[SFD_STDERR]);
/*
- * Put child in its own process group. If we are starting the command
+ * Put command in its own process group. If we are starting the command
* in the foreground, assign its pgrp to the tty.
*/
- child_pgrp = child;
- setpgid(child, child_pgrp);
+ cmnd_pgrp = cmnd_pid;
+ setpgid(cmnd_pid, cmnd_pgrp);
if (foreground) {
do {
- status = tcsetpgrp(io_fds[SFD_SLAVE], child_pgrp);
- } while (status == -1 && errno == EINTR);
+ n = tcsetpgrp(io_fds[SFD_SLAVE], cmnd_pgrp);
+ } while (n == -1 && errno == EINTR);
}
/* Wait for errno on pipe, signal on backchannel or for SIGCHLD */
}
/*
* Handle SIGCHLD specially and deliver other signals
- * directly to the child.
+ * directly to the command.
*/
if (signo == SIGCHLD) {
if (!handle_sigchld(backchannel, &cstat))
alive = false;
} else {
- deliver_signal(child, signo, false);
+ deliver_signal(cmnd_pid, signo, false);
}
continue;
}
cstmp.type);
continue;
}
- deliver_signal(child, cstmp.val, true);
+ deliver_signal(cmnd_pid, cstmp.val, true);
}
}
done:
if (alive) {
/* XXX An error occurred, should send an error back. */
- kill(child, SIGKILL);
+ kill(cmnd_pid, SIGKILL);
} else {
/* Send parent status. */
send_status(backchannel, &cstat);
pid_t self = getpid();
debug_decl(exec_pty, SUDO_DEBUG_EXEC);
- /* Set child process group here too to avoid a race. */
+ /* Set command process group here too to avoid a race. */
setpgid(0, self);
/* Wire up standard fds, note that stdout/stderr may be pipes. */
static struct sudo_hook_list *sudo_hook_getenv_list;
static struct sudo_hook_list *sudo_hook_putenv_list;
+/* NOTE: must not anything that might call setenv() */
int
process_hooks_setenv(const char *name, const char *value, int overwrite)
{
struct sudo_hook_list *hook;
int rc = SUDO_HOOK_RET_NEXT;
- debug_decl(process_hooks_setenv, SUDO_DEBUG_HOOKS)
/* First process the hooks. */
for (hook = sudo_hook_setenv_list; hook != NULL; hook = hook->next) {
case SUDO_HOOK_RET_STOP:
goto done;
default:
- warningx("invalid setenv hook return value: %d", rc);
+ warningx2("invalid setenv hook return value: %d", rc);
break;
}
}
done:
- debug_return_int(rc);
+ return rc;
}
+/* NOTE: must not anything that might call putenv() */
int
process_hooks_putenv(char *string)
{
struct sudo_hook_list *hook;
int rc = SUDO_HOOK_RET_NEXT;
- debug_decl(process_hooks_putenv, SUDO_DEBUG_HOOKS)
/* First process the hooks. */
for (hook = sudo_hook_putenv_list; hook != NULL; hook = hook->next) {
case SUDO_HOOK_RET_STOP:
goto done;
default:
- warningx("invalid putenv hook return value: %d", rc);
+ warningx2("invalid putenv hook return value: %d", rc);
break;
}
}
done:
- debug_return_int(rc);
+ return rc;
}
+/* NOTE: must not anything that might call getenv() */
int
process_hooks_getenv(const char *name, char **value)
{
struct sudo_hook_list *hook;
char *val = NULL;
int rc = SUDO_HOOK_RET_NEXT;
- debug_decl(process_hooks_getenv, SUDO_DEBUG_HOOKS)
/* First process the hooks. */
for (hook = sudo_hook_getenv_list; hook != NULL; hook = hook->next) {
case SUDO_HOOK_RET_STOP:
goto done;
default:
- warningx("invalid getenv hook return value: %d", rc);
+ warningx2("invalid getenv hook return value: %d", rc);
break;
}
}
done:
if (val != NULL)
*value = val;
- debug_return_int(rc);
+ return rc;
}
+/* NOTE: must not anything that might call unsetenv() */
int
process_hooks_unsetenv(const char *name)
{
struct sudo_hook_list *hook;
int rc = SUDO_HOOK_RET_NEXT;
- debug_decl(process_hooks_unsetenv, SUDO_DEBUG_HOOKS)
/* First process the hooks. */
for (hook = sudo_hook_unsetenv_list; hook != NULL; hook = hook->next) {
case SUDO_HOOK_RET_STOP:
goto done;
default:
- warningx("invalid unsetenv hook return value: %d", rc);
+ warningx2("invalid unsetenv hook return value: %d", rc);
break;
}
}
done:
- debug_return_int(rc);
+ return rc;
}
/* Hook registration internals. */
#endif
/*
- * Load the plugins listed in sudo.conf.
+ * Load the plugin specified by "info".
*/
-bool
-sudo_load_plugins(struct plugin_container *policy_plugin,
- struct plugin_container_list *io_plugins)
+static bool
+sudo_load_plugin(struct plugin_container *policy_plugin,
+ struct plugin_container_list *io_plugins, struct plugin_info *info)
{
- struct plugin_info_list *plugins;
- struct generic_plugin *plugin;
struct plugin_container *container;
- struct plugin_info *info;
+ struct generic_plugin *plugin;
struct stat sb;
void *handle;
char path[PATH_MAX];
bool rval = false;
- debug_decl(sudo_load_plugins, SUDO_DEBUG_PLUGIN)
+ debug_decl(sudo_load_plugin, SUDO_DEBUG_PLUGIN)
- /* Walk plugin list. */
- plugins = sudo_conf_plugins();
- tq_foreach_fwd(plugins, info) {
- if (info->path[0] == '/') {
- if (strlcpy(path, info->path, sizeof(path)) >= sizeof(path)) {
- warningx(_("%s: %s"), info->path, strerror(ENAMETOOLONG));
- goto done;
- }
- } else {
- if (snprintf(path, sizeof(path), "%s%s", _PATH_SUDO_PLUGIN_DIR,
- info->path) >= sizeof(path)) {
- warningx(_("%s%s: %s"), _PATH_SUDO_PLUGIN_DIR, info->path,
- strerror(ENAMETOOLONG));
- goto done;
- }
- }
- if (stat(path, &sb) != 0) {
- warning("%s", path);
- goto done;
- }
- if (sb.st_uid != ROOT_UID) {
- warningx(_("%s must be owned by uid %d"), path, ROOT_UID);
+ if (info->path[0] == '/') {
+ if (strlcpy(path, info->path, sizeof(path)) >= sizeof(path)) {
+ warningx(_("%s: %s"), info->path, strerror(ENAMETOOLONG));
goto done;
}
- if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
- warningx(_("%s must be only be writable by owner"), path);
+ } else {
+ if (snprintf(path, sizeof(path), "%s%s", _PATH_SUDO_PLUGIN_DIR,
+ info->path) >= sizeof(path)) {
+ warningx(_("%s%s: %s"), _PATH_SUDO_PLUGIN_DIR, info->path,
+ strerror(ENAMETOOLONG));
goto done;
}
+ }
+ if (stat(path, &sb) != 0) {
+ warning("%s", path);
+ goto done;
+ }
+ if (sb.st_uid != ROOT_UID) {
+ warningx(_("%s must be owned by uid %d"), path, ROOT_UID);
+ goto done;
+ }
+ if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
+ warningx(_("%s must be only be writable by owner"), path);
+ goto done;
+ }
- /* Open plugin and map in symbol */
- handle = dlopen(path, RTLD_LAZY|RTLD_GLOBAL);
- if (!handle) {
- warningx(_("unable to dlopen %s: %s"), path, dlerror());
- goto done;
- }
- plugin = dlsym(handle, info->symbol_name);
- if (!plugin) {
- warningx(_("%s: unable to find symbol %s"), path,
- info->symbol_name);
+ /* Open plugin and map in symbol */
+ handle = dlopen(path, RTLD_LAZY|RTLD_GLOBAL);
+ if (!handle) {
+ warningx(_("unable to dlopen %s: %s"), path, dlerror());
+ goto done;
+ }
+ plugin = dlsym(handle, info->symbol_name);
+ if (!plugin) {
+ warningx(_("%s: unable to find symbol %s"), path,
+ info->symbol_name);
+ goto done;
+ }
+
+ if (plugin->type != SUDO_POLICY_PLUGIN && plugin->type != SUDO_IO_PLUGIN) {
+ warningx(_("%s: unknown policy type %d"), path, plugin->type);
+ goto done;
+ }
+ if (SUDO_API_VERSION_GET_MAJOR(plugin->version) != SUDO_API_VERSION_MAJOR) {
+ warningx(_("%s: incompatible policy major version %d, expected %d"),
+ path, SUDO_API_VERSION_GET_MAJOR(plugin->version),
+ SUDO_API_VERSION_MAJOR);
+ goto done;
+ }
+ if (plugin->type == SUDO_POLICY_PLUGIN) {
+ if (policy_plugin->handle) {
+ warningx(_("%s: only a single policy plugin may be loaded"),
+ _PATH_SUDO_CONF);
goto done;
}
+ policy_plugin->handle = handle;
+ policy_plugin->name = info->symbol_name;
+ policy_plugin->options = info->options;
+ policy_plugin->u.generic = plugin;
+ } else if (plugin->type == SUDO_IO_PLUGIN) {
+ container = ecalloc(1, sizeof(*container));
+ container->prev = container;
+ /* container->next = NULL; */
+ container->handle = handle;
+ container->name = info->symbol_name;
+ container->options = info->options;
+ container->u.generic = plugin;
+ tq_append(io_plugins, container);
+ }
- if (plugin->type != SUDO_POLICY_PLUGIN && plugin->type != SUDO_IO_PLUGIN) {
- warningx(_("%s: unknown policy type %d"), path, plugin->type);
+ rval = true;
+done:
+ debug_return_bool(rval);
+}
+
+/*
+ * Load the plugins listed in sudo.conf.
+ */
+bool
+sudo_load_plugins(struct plugin_container *policy_plugin,
+ struct plugin_container_list *io_plugins)
+{
+ struct plugin_container *container;
+ struct plugin_info_list *plugins;
+ struct plugin_info *info;
+ bool rval = false;
+ debug_decl(sudo_load_plugins, SUDO_DEBUG_PLUGIN)
+
+ /* Walk the plugin list from sudo.conf, if any. */
+ plugins = sudo_conf_plugins();
+ tq_foreach_fwd(plugins, info) {
+ rval = sudo_load_plugin(policy_plugin, io_plugins, info);
+ if (!rval)
goto done;
- }
- if (SUDO_API_VERSION_GET_MAJOR(plugin->version) != SUDO_API_VERSION_MAJOR) {
- warningx(_("%s: incompatible policy major version %d, expected %d"),
- path, SUDO_API_VERSION_GET_MAJOR(plugin->version),
- SUDO_API_VERSION_MAJOR);
+ }
+
+ /*
+ * If no policy plugin, fall back to the default (sudoers).
+ * If there is also no I/O log plugin, sudoers for that too.
+ */
+ if (policy_plugin->handle == NULL) {
+ /* Default policy plugin */
+ info = ecalloc(1, sizeof(*info));
+ info->symbol_name = "sudoers_policy";
+ info->path = SUDOERS_PLUGIN;
+ /* info->options = NULL; */
+ info->prev = info;
+ /* info->next = NULL; */
+ rval = sudo_load_plugin(policy_plugin, io_plugins, info);
+ efree(info);
+ if (!rval)
goto done;
- }
- if (plugin->type == SUDO_POLICY_PLUGIN) {
- if (policy_plugin->handle) {
- warningx(_("%s: only a single policy plugin may be loaded"),
- _PATH_SUDO_CONF);
+
+ /* Default I/O plugin */
+ if (tq_empty(io_plugins)) {
+ info = ecalloc(1, sizeof(*info));
+ info->symbol_name = "sudoers_io";
+ info->path = SUDOERS_PLUGIN;
+ /* info->options = NULL; */
+ info->prev = info;
+ /* info->next = NULL; */
+ rval = sudo_load_plugin(policy_plugin, io_plugins, info);
+ efree(info);
+ if (!rval)
goto done;
- }
- policy_plugin->handle = handle;
- policy_plugin->name = info->symbol_name;
- policy_plugin->options = info->options;
- policy_plugin->u.generic = plugin;
- } else if (plugin->type == SUDO_IO_PLUGIN) {
- container = ecalloc(1, sizeof(*container));
- container->prev = container;
- /* container->next = NULL; */
- container->handle = handle;
- container->name = info->symbol_name;
- container->options = info->options;
- container->u.generic = plugin;
- tq_append(io_plugins, container);
}
}
- if (policy_plugin->handle == NULL) {
- warningx(_("%s: at least one policy plugin must be specified"),
- _PATH_SUDO_CONF);
- goto done;
- }
if (policy_plugin->u.policy->check_policy == NULL) {
warningx(_("policy plugin %s does not include a check_policy method"),
policy_plugin->name);
+ rval = false;
goto done;
}
if (policy_plugin->u.policy->version >= SUDO_API_MKVERSION(1, 2)) {
if (policy_plugin->u.policy->register_hooks != NULL)
policy_plugin->u.policy->register_hooks(SUDO_HOOK_VERSION, register_hook);
- tq_foreach_fwd(io_plugins, container) {
+ }
+ tq_foreach_fwd(io_plugins, container) {
+ if (container->u.io->version >= SUDO_API_MKVERSION(1, 2)) {
if (container->u.io->register_hooks != NULL)
container->u.io->register_hooks(SUDO_HOOK_VERSION, register_hook);
}
}
- rval = true;
-
done:
debug_return_bool(rval);
}
* For shell mode we need to rewrite argv
*/
if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) {
- char **av;
- int ac;
-
- if (argc == 0) {
- /* just the shell */
- ac = argc + 1;
- av = emalloc2(ac + 1, sizeof(char *));
- memcpy(av + 1, argv, argc * sizeof(char *));
- } else {
+ char **av, *cmnd = NULL;
+ int ac = 1;
+
+ if (argc != 0) {
/* shell -c "command" */
- char *cmnd, *src, *dst;
+ char *src, *dst;
size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
strlen(argv[argc - 1]) + 1;
dst--; /* replace last space with a NUL */
*dst = '\0';
- ac = 3;
- av = emalloc2(ac + 1, sizeof(char *));
+ ac += 2; /* -c cmnd */
+ }
+
+ av = emalloc2(ac + 1, sizeof(char *));
+ av[0] = (char *)user_details.shell; /* plugin may override shell */
+ if (cmnd != NULL) {
av[1] = "-c";
av[2] = cmnd;
}
- av[0] = (char *)user_details.shell; /* plugin may override shell */
av[ac] = NULL;
argv = av;
usage(0);
lbuf_append(&lbuf, _("\nOptions:\n"));
-#ifdef HAVE_BSD_AUTH_H
lbuf_append(&lbuf, " -A %s",
_("use helper program for password prompting\n"));
-#endif
+#ifdef HAVE_BSD_AUTH_H
lbuf_append(&lbuf, " -a type %s",
_("use specified BSD authentication type\n"));
+#endif
lbuf_append(&lbuf, " -b %s",
_("run command in the background\n"));
lbuf_append(&lbuf, " -C fd %s",
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5-b4\n"
+"Project-Id-Version: sudo 1.8.6b3\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-03-28 14:06-0400\n"
-"PO-Revision-Date: 2012-04-08 23:06+0100\n"
+"POT-Creation-Date: 2012-04-24 13:41-0400\n"
+"PO-Revision-Date: 2012-08-06 23:06+0100\n"
"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
"Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
"Language: da\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
+#: common/aix.c:149
+#, c-format
+msgid "unable to open userdb"
+msgstr "kan ikke åbne userdb"
+
+#: common/aix.c:152
+#, c-format
+msgid "unable to switch to registry \"%s\" for %s"
+msgstr "kan ikke skifte til register »%s« for %s"
+
+#: common/aix.c:169
+#, c-format
+msgid "unable to restore registry"
+msgstr "kan ikke gendanne register"
+
+#: common/alloc.c:82
+msgid "internal error, tried to emalloc(0)"
+msgstr "intern fejl, forsøgte at emalloc(0)"
+
+#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
+#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
+#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#, c-format
+msgid "unable to allocate memory"
+msgstr "kunne ikke allokere hukommelse"
+
+#: common/alloc.c:99
+msgid "internal error, tried to emalloc2(0)"
+msgstr "intern fejl, forsøgte at emalloc2(0)"
+
+#: common/alloc.c:101
+msgid "internal error, emalloc2() overflow"
+msgstr "intern fejl, emalloc2()-overløb"
+
+#: common/alloc.c:120
+msgid "internal error, tried to ecalloc(0)"
+msgstr "intern fejl, forsøgte at ecalloc(0)"
+
+#: common/alloc.c:123
+msgid "internal error, ecalloc() overflow"
+msgstr "intern fejl, ecalloc()-overløb"
+
+#: common/alloc.c:142
+msgid "internal error, tried to erealloc(0)"
+msgstr "intern fejl, forsøgte at erealloc(0)"
+
+#: common/alloc.c:161 common/alloc.c:185
+msgid "internal error, tried to erealloc3(0)"
+msgstr "intern fejl, forsøgte at erealloc3(0)"
+
+#: common/alloc.c:163 common/alloc.c:187
+msgid "internal error, erealloc3() overflow"
+msgstr "intern fejl, erealloc3()-overløb"
+
+#: common/sudo_conf.c:306
+#, c-format
+msgid "unable to stat %s"
+msgstr "kan ikke køre stat %s"
+
+#: common/sudo_conf.c:309
+#, c-format
+msgid "%s is not a regular file"
+msgstr "%s er ikke en regulær fil"
+
+#: common/sudo_conf.c:312
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "%s er ejet af uid %u, burde være %u"
+
+#: common/sudo_conf.c:316
+#, c-format
+msgid "%s is world writable"
+msgstr "%s er skrivbar for alle"
+
+#: common/sudo_conf.c:319
+#, c-format
+msgid "%s is group writable"
+msgstr "%s er skrivbar for gruppe"
+
+#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#, c-format
+msgid "unable to open %s"
+msgstr "kan ikke åbne %s"
+
+#: compat/strsignal.c:47
+msgid "Unknown signal"
+msgstr "ukendt signal"
+
#: src/error.c:82 src/error.c:86
msgid ": "
msgstr ": "
-#: src/exec.c:105 src/exec_pty.c:616 src/exec_pty.c:948 src/tgetpass.c:221
+#: src/exec.c:107 src/exec_pty.c:628
+#, c-format
+msgid "policy plugin failed session initialization"
+msgstr "udvidelsesmodul for politik mislykkedes i sessionsinitialisering"
+
+#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "kunne ikke forgrene"
-#: src/exec.c:252
+#: src/exec.c:259
#, c-format
msgid "unable to create sockets"
msgstr "kunne ikke oprette sokler"
-#: src/exec.c:259 src/exec_pty.c:567 src/exec_pty.c:576 src/exec_pty.c:584
-#: src/exec_pty.c:883 src/exec_pty.c:945 src/tgetpass.c:218
+#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
+#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "kunne ikke oprette datakanal (pipe)"
-#: src/exec.c:340 src/exec_pty.c:1011 src/exec_pty.c:1146
+#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
#, c-format
msgid "select failed"
msgstr "select fejlede"
-#: src/exec.c:425
+#: src/exec.c:441
#, c-format
msgid "unable to restore tty label"
msgstr "kunne ikke gendanne tty-etiket"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "kan ikke fjerne PRIV_PROC_EXEC fra PRIV_LIMIT"
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:447 src/sudo.c:467
-#: src/sudo.c:474 src/sudo.c:485 src/sudo.c:871 common/alloc.c:85
-#: common/alloc.c:105 common/alloc.c:127 common/alloc.c:146 common/alloc.c:168
-#: common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#, c-format
-msgid "unable to allocate memory"
-msgstr "kunne ikke allokere hukommelse"
-
-#: src/exec_pty.c:140
+#: src/exec_pty.c:144
#, c-format
msgid "unable to allocate pty"
msgstr "kunne ikke allokere pty"
-#: src/exec_pty.c:609
+#: src/exec_pty.c:619
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "kunne ikke angive terminal til tilstanden rå (raw)"
-#: src/exec_pty.c:926
+#: src/exec_pty.c:945
#, c-format
msgid "unable to set controlling tty"
msgstr "kunne ikke angive kontrollerende tty"
-#: src/exec_pty.c:1019
+#: src/exec_pty.c:1038
#, c-format
msgid "error reading from signal pipe"
msgstr "fejl under læsning fra signaldatakanal"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1059
#, c-format
msgid "error reading from pipe"
msgstr "fejl ved læsning fra datakanal"
-#: src/exec_pty.c:1054
+#: src/exec_pty.c:1075
#, c-format
msgid "error reading from socketpair"
msgstr "fejl ved læsning fra socketpair"
-#: src/exec_pty.c:1058
+#: src/exec_pty.c:1079
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "uventet svartype på bagkanal (backchannel): %d"
msgid "unable to set new tty context"
msgstr "kan ikke angive ny tty-kontekst"
-#: src/selinux.c:196 src/selinux.c:209 src/sudo.c:333 common/sudo_conf.c:328
-#, c-format
-msgid "unable to open %s"
-msgstr "kan ikke åbne %s"
-
#: src/selinux.c:252
#, c-format
msgid "you must specify a role for type %s"
msgid "unable to execute %s"
msgstr "kan ikke køre %s"
-#: src/sudo.c:213
+#: src/sudo.c:211
#, c-format
msgid "Sudo version %s\n"
msgstr "Sudo version %s\n"
-#: src/sudo.c:215
+#: src/sudo.c:213
#, c-format
msgid "Configure options: %s\n"
msgstr "Konfigurationsindstillinger: %s\n"
-#: src/sudo.c:220
+#: src/sudo.c:218
#, c-format
msgid "fatal error, unable to load plugins"
msgstr "fatal fejl, kan ikke indlæse udvidelsesmoduler"
-#: src/sudo.c:228
+#: src/sudo.c:226
#, c-format
msgid "unable to initialize policy plugin"
msgstr "kan ikke initialisere udvidelsesmodul for politik"
-#: src/sudo.c:283
+#: src/sudo.c:281
#, c-format
msgid "error initializing I/O plugin %s"
msgstr "fejl under initialisering af I/O-udvidelsesmodulet %s"
-#: src/sudo.c:308
+#: src/sudo.c:306
#, c-format
msgid "unexpected sudo mode 0x%x"
msgstr "uventet sudo-tilstand 0x%x"
-#: src/sudo.c:402
+#: src/sudo.c:400
#, c-format
msgid "unable to get group vector"
msgstr "kan ikke indhente gruppevektor"
-#: src/sudo.c:443
+#: src/sudo.c:452
#, c-format
msgid "unknown uid %u: who are you?"
msgstr "ukendt uid %u: hvem er du?"
-#: src/sudo.c:735
+#: src/sudo.c:760
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s skal være ejet af uid %d og have setuid bit angivet"
-#: src/sudo.c:738
+#: src/sudo.c:763
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "effektiv uid er ikke %d, er %s på et filsystem med indstillingen »nosuid« angivet eller et NFS-filsytsem uden administratorprivilegier (root)?"
-#: src/sudo.c:744
+#: src/sudo.c:769
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "effektiv uid er ikke %d, er sudo installeret setuid root?"
-#: src/sudo.c:813
+#: src/sudo.c:838
#, c-format
msgid "resource control limit has been reached"
msgstr "grænse for ressourcekontrol er nået"
-#: src/sudo.c:816
+#: src/sudo.c:841
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "bruger »%s« er ikke medlem af projektet »%s«"
-#: src/sudo.c:820
+#: src/sudo.c:845
#, c-format
msgid "the invoking task is final"
msgstr "start af opgave er færdig"
-#: src/sudo.c:823
+#: src/sudo.c:848
#, c-format
msgid "could not join project \"%s\""
msgstr "kunne ikke slutte til projekt »%s«"
-#: src/sudo.c:828
+#: src/sudo.c:853
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "ingen ressourcekø som accepterer standardbindinger findes for projekt »%s«"
-#: src/sudo.c:832
+#: src/sudo.c:857
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "angivet ressourcekø findes ikke for projekt »%s«"
-#: src/sudo.c:836
+#: src/sudo.c:861
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "kunne ikke binde til standardressourcekø for projekt »%s«"
-#: src/sudo.c:842
+#: src/sudo.c:867
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "setproject fejlede for projekt »%s«"
-#: src/sudo.c:844
+#: src/sudo.c:869
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "advarsel, ressourcekontroltildeling fejlede for projekt »%s«"
-#: src/sudo.c:909
+#: src/sudo.c:917
#, c-format
msgid "unknown login class %s"
msgstr "ukendt logindklasse %s"
-#: src/sudo.c:923 src/sudo.c:926
+#: src/sudo.c:931 src/sudo.c:934
#, c-format
msgid "unable to set user context"
msgstr "kan ikke angive brugerkontekst"
-#: src/sudo.c:938
+#: src/sudo.c:946
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "kunne ikke angive supplerende gruppe-id'er"
-#: src/sudo.c:945
+#: src/sudo.c:953
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "kan ikke angive effektiv gid til runas gid %u"
-#: src/sudo.c:951
+#: src/sudo.c:959
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "kunne ikke angive gid til runas gid %u"
-#: src/sudo.c:958
+#: src/sudo.c:966
#, c-format
msgid "unable to set process priority"
msgstr "kunne ikke angive procesprioritet"
-#: src/sudo.c:966
+#: src/sudo.c:974
#, c-format
msgid "unable to change root to %s"
msgstr "kunne ikke ændre administrator (root) til %s"
-#: src/sudo.c:973 src/sudo.c:979 src/sudo.c:985
+#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "kunne ikke ændre til runas uid (%u, %u)"
-#: src/sudo.c:999
+#: src/sudo.c:1007
#, c-format
msgid "unable to change directory to %s"
msgstr "kunne ikke ændre mappe til %s"
-#: src/sudo.c:1072
+#: src/sudo.c:1079
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "uventet underbetingelse for terminering: %d"
-#: src/sudo.c:1133
+#: src/sudo.c:1140
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "politikudvidelsesmodul %s understøter ikke listning af privilegier"
-#: src/sudo.c:1145
+#: src/sudo.c:1152
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "politikudvidelsesmodul %s understøtter ikke tilvalget -v"
-#: src/sudo.c:1157
+#: src/sudo.c:1164
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "politikudvidelsesmodul %s understøtter ikke tilvalget -k/-K"
msgid "unable to restore stdin"
msgstr "kan ikke gendanne stdin"
-#: common/aix.c:149
-#, c-format
-msgid "unable to open userdb"
-msgstr "kan ikke åbne userdb"
-
-#: common/aix.c:152
-#, c-format
-msgid "unable to switch to registry \"%s\" for %s"
-msgstr "kan ikke skifte til register »%s« for %s"
-
-#: common/aix.c:169
-#, c-format
-msgid "unable to restore registry"
-msgstr "kan ikke gendanne register"
-
-#: common/alloc.c:82
-msgid "internal error, tried to emalloc(0)"
-msgstr "intern fejl, forsøgte at emalloc(0)"
-
-#: common/alloc.c:99
-msgid "internal error, tried to emalloc2(0)"
-msgstr "intern fejl, forsøgte at emalloc2(0)"
-
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "intern fejl, emalloc2()-overløb"
-
-#: common/alloc.c:120
-msgid "internal error, tried to ecalloc(0)"
-msgstr "intern fejl, forsøgte at ecalloc(0)"
-
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "intern fejl, ecalloc()-overløb"
-
-#: common/alloc.c:142
-msgid "internal error, tried to erealloc(0)"
-msgstr "intern fejl, forsøgte at erealloc(0)"
-
-#: common/alloc.c:161 common/alloc.c:185
-msgid "internal error, tried to erealloc3(0)"
-msgstr "intern fejl, forsøgte at erealloc3(0)"
-
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "intern fejl, erealloc3()-overløb"
-
-#: common/sudo_conf.c:306
-#, c-format
-msgid "unable to stat %s"
-msgstr "kan ikke køre stat %s"
-
-#: common/sudo_conf.c:309
-#, c-format
-msgid "%s is not a regular file"
-msgstr "%s er ikke en regulær fil"
-
-#: common/sudo_conf.c:312
-#, c-format
-msgid "%s is owned by uid %u, should be %u"
-msgstr "%s er ejet af uid %u, burde være %u"
-
-#: common/sudo_conf.c:316
-#, c-format
-msgid "%s is world writable"
-msgstr "%s er skrivbar for alle"
-
-#: common/sudo_conf.c:319
-#, c-format
-msgid "%s is group writable"
-msgstr "%s er skrivbar for gruppe"
-
-#: compat/strsignal.c:47
-msgid "Unknown signal"
-msgstr "ukendt signal"
-
#~ msgid "must be setuid root"
#~ msgstr "skal være setuid root"
# German translation for sudo.
# This file is distributed under the same license as the sudo package.
-# Mario Blättermann <mario.blaettermann@gmail.com>, 2012.
# Jakob Kramer <jakob.kramer@gmx.de>, 2012.
+# Mario Blättermann <mario.blaettermann@gmail.com>, 2012.
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5rc3\n"
+"Project-Id-Version: sudo 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 14:32+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-15 18:42+0200\n"
"Last-Translator: Jakob Kramer <jakob.kramer@gmx.de>\n"
"Language-Team: German <translation-team-de@lists.sourceforge.net>\n"
-"Language: \n"
+"Language: de\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Poedit-Language: German\n"
-"X-Poedit-Country: GERMANY\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "Nutzerdatenbank konnte nicht geöffnet werden"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "Es konnte nicht zur Registrierungsdatenbank »%s« von %s gewechselt werden"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "Registrierungsdatenbank konnte nicht wiederhergestellt werden"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "Speicher konnte nicht zugewiesen werden"
msgid "internal error, tried to emalloc2(0)"
msgstr "Interner Fehler: Es wurde versucht, emalloc2(0) auszuführen"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "Interner Fehler: Überlauf bei emalloc2()"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "Interner Fehler: %s-Überlauf"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "Interner Fehler: Es wurde versucht, ecalloc(0) auszuführen"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "Interner Fehler: Überlauf bei ecalloc()"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "Interner Fehler: Es wurde versucht, erealloc(0) auszuführen"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "Interner Fehler: Es wurde versucht, erealloc3(0) auszuführen"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "Interner Fehler, Überlauf bei erealloc3()"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "Interner Fehler: Es wurde versucht, erecalloc(0) auszuführen"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "stat konnte nicht auf %s angewandt werden"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s ist keine reguläre Datei"
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s gehört Benutzer mit UID %u, sollte allerdings %u gehören"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "%s kann von allen verändert werden"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "%s kann von der Gruppe verändert werden"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "%s konnte nicht geöffnet werden"
msgid ": "
msgstr ": "
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "Regelwerks-Plugin konnte Sitzung nicht initialisieren"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "Es konnte nicht geforkt werden"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "Sockets konnten nicht hergestellt werden"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "Weiterleitung konnte nicht erstellt werden"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "»select« schlug fehl"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "TTY-Kennzeichnung konnte nicht wiederhergestellt werden"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "PRIV_PROC_EXEC konnte nicht von PRIV_LIMIT entfernt werden"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "PTY konnte nicht vergeben werden"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "Terminal konnte nicht in den Rohmodus gesetzt werden"
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "Kontrollierendes TTY konnte nicht gesetzt werden"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "Fehler beim Lesen der Signal-Pipe"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "Fehler beim Lesen der Pipe"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "Fehler beim Lesen des Socket-Paars"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "Unerwarteter Antworttyp auf Rückmeldungskanal: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "%s muss Benutzer mit UID %d gehören"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "%s darf nur vom Besitzer beschreibbar sein"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "dlopen konnte nicht auf %s ausgeführt werden: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: Symbol %s konnte nicht gefunden werden"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: Unbekannter Regelwerktyp %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: Inkompatible Hauptversion %d des Regelwerks, %d erwartet"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: Nur ein einziges Regelwerks-Plugin kann geladen werden"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: Mindestens ein Regelwerks-Plugin muss festgelegt werden"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "Das Regelwerks-Plugin %s enthält keine check_policy-Methode"
msgid "the `-A' and `-S' options may not be used together"
msgstr "Die Optionen »-A« und »-S« können nicht gemeinsam benutzt werden"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit ist auf dieser Plattform nicht verfügbar"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Nur eine der Optionen -e, -h, -i, -K, -l, -s, -v oder -V darf angegeben werden"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - Dateien als anderer Benutzer verändern\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - Einen Befehl als anderer Benutzer ausführen\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Optionen:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "Hilfsprogramm zum Eingeben des Passworts verwenden\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "Angegebenen BSD-Legitimierungstypen verwenden\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "Befehl im Hintergrund ausführen\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "Alle Dateideskriptoren >= fd schließen\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "Befehl unter angegebener Login-Klasse ausführen\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "Benutzerumgebung beim Starten des Befehls beibehalten\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "Dateien bearbeiten statt einen Befehl ausführen\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "Befehl unter angegebener Gruppe ausführen\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "HOME-Variable als Home-Ordner des Zielnutzers setzen.\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "Hilfe ausgeben und beenden\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "Eine Anmeldeshell als Zielnutzer starten\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "Zeitstempeldateien komplett entfernen\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "Zeitstempeldatei ungültig machen\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "Für den Benutzer verfügbare Befehle auflisten\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "Nicht-interaktiver Modus, der Benutzer wird zu nichts aufgefordert werden\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "Gruppen-Vektor beibehalten, statt zu dem des Zielnutzers zu setzen\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "Angegebenen Passwort-Prompt benutzen\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "SELinux-Sicherheitskontext mit angegebener Funktion erstellen\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "Passwort von der Standardeingabe lesen\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "Eine Shell als Zielnutzer ausführen\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "Wenn aufgelistet wird, Berechtigungen des angegebenen Benutzers auflisten\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "Befehl oder Datei als angegebener Benutzer ausführen bzw. ändern\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "Versionsinformation anzeigen und beenden\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "Den Zeitstempel des Benutzers erneuern, ohne einen Befehl auszuführen\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "Aufhören, die Befehlszeilenargumente zu verarbeiten\n"
#: src/selinux.c:330
#, c-format
msgid "unable to determine enforcing mode."
-msgstr ""
+msgstr "»Enforcing«-Modus konnte nicht bestimmt werden."
#: src/selinux.c:342
#, c-format
#: src/selinux.c:380
#, c-format
msgid "unable to set key creation context to %s"
-msgstr ""
+msgstr "Kontext der Schüsselerstellung konnte nicht auf %s festgelegt werden."
#: src/sesh.c:70
#, c-format
#: src/sudo.c:306
#, c-format
msgid "unexpected sudo mode 0x%x"
-msgstr "Unerwarteter Sudo-Modus 0x%x"
+msgstr "Unerwarteter sudo-Modus 0x%x"
#: src/sudo.c:400
#, c-format
msgid "unable to get group vector"
-msgstr ""
+msgstr "Gruppenvektor konnte nicht geholt werden"
#: src/sudo.c:452
#, c-format
msgid "unknown uid %u: who are you?"
msgstr "Unbekannte UID %u: Wer sind Sie?"
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s muss dem Benutzer mit UID %d gehören und das »setuid«-Bit gesetzt haben"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "Effektive UID ist nicht %d. Liegt %s auf einem Dateisystem mit gesetzter »nosuid«-Option oder auf einem NFS-Dateisystem ohne Root-Rechte?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "Effektive UID ist nicht %d. Wurde sudo mit »setuid root« installiert?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
-msgstr ""
+msgstr "Limit der Ressourcenkontrolle wurde erreicht"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "Benutzer »%s« ist kein Mitglied des Projekts »%s«"
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
-msgstr ""
+msgstr "Der aufrufende Prozess ist fertig"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "Projekt »%s« konnte nicht beigetreten werden"
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
-msgstr ""
+msgstr "Für Projekt »%s« gibt es keinen Ressourcen-Pool, der die Standardanbindungen unterstützt."
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "Den angegebenen Ressourcen-Pool gibt es für das Projekt »%s« nicht"
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "Es konnte nicht zum Standard-Ressourcen-Pool für Projekt »%s« verbunden werden."
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "»setproject« schlug für Projekt »%s« fehl"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
-msgstr ""
+msgstr "Warnung: Ressourcenkontrolle von Projekt »%s« konnte nicht zugewiesen werden"
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "Unbekannte Anmeldungsklasse %s"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "Nutzerkontext konnte nicht gesetzt werden"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "Zusätzliche Gruppenkennungen konnten nicht gesetzt werden"
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "Effektive GID konnte nicht zu »runas«-GID %u gesetzt werden"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "GID konnte nicht zu »runas«-GID %u gesetzt werden"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "Prozesspriorität konnte nicht gesetzt werden"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "Wurzelordner konnte nicht zu %s geändert werden"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "Es konnte nicht zu »runas«-GID gewechselt werden (%u, %u)"
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "In Ordner »%s« konnte nicht gewechselt werden"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "Unerwartete Abbruchsbedingung eines Unterprozesses: %d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "Regelwerks-Plugin %s unterstützt das Auflisten von Privilegien nicht"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "Regelwerks-Plugin %s unterstützt die Option -v nicht"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "Regelwerks-Plugin %s unterstützt die Optionen -k und -K nicht"
#, c-format
msgid "unable to restore stdin"
msgstr "Standardeingabe konnte nicht wiederhergestellt werden"
+
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "Interner Fehler: Überlauf bei emalloc2()"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "Interner Fehler, Überlauf bei erealloc3()"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: Mindestens ein Regelwerks-Plugin muss festgelegt werden"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5rc3\n"
+"Project-Id-Version: sudo 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 11:02+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-14 09:07+0200\n"
"Last-Translator: Jorma Karvonen <karvonen.jorma@gmail.com>\n"
"Language-Team: Finnish <translation-team-fi@lists.sourceforge.net>\n"
"Language: fi\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "ei kyetä avaamaan userdb-käyttäjätietokantaa"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "ei kyetä vaihtamaan registeriä ”%s” käyttäjälle %s"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "ei kyetä palauttamaan rekisteriä"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "ei kyetä varaamaan muistia"
msgid "internal error, tried to emalloc2(0)"
msgstr "sisäinen virhe, yritettiin suorittaa emalloc2(0)"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "sisäinen virhe, emalloc2() -ylivuoto"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "sisäinen virhe, %s-ylivuoto"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "sisäinen virhe, yritettiin suorittaa ecalloc(0)"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "sisäinen virhe, ecalloc() -ylivuoto"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "sisäinen virhe, yritettiin suorittaa erealloc(0)"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "sisäinen virhe, yritettiin suorittaa erealloc3(0)"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "sisäinen virhe, erealloc3() -ylivuoto"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "sisäinen virhe, yritettiin suorittaa erecalloc(0)"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "ei kyetä suorittamaan käskyä stat %s"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s ei ole tavallinen tiedosto"
# ensimmäinen parametri on path
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "polun %s omistaja on %u, pitäisi olla %u"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "%s on yleiskirjoitettava"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "%s on ryhmäkirjoitettava"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "ei kyetä avaamaan kohdetta %s"
msgid ": "
msgstr ": "
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "Menettelytapalisäosa epäonnistui istunnon alustamisessa"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "ei kyetä kutsumaan fork-kutsua"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "ei kyetä luomaan pistokkeita"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "ei kyetä luomaan putkea"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "select-funktio epäonnistui"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "ei kyetä palauttamaan tty-nimiötä"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "ei kyetä poistamaan PRIV_PROC_EXEC kohteesta PRIV_LIMIT"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "ei kyetä varaamaan pty:tä"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "ei kyetä asettamaan päätettä raakatilaan"
# Istunnolla voi olla ohjaava tty. Istunnon yksi prosessiryhmä voi olla edustaprosessiryhmä ja toimia siten ohjaavana tty:nä, joka vastaanottaa tty-syötteen ja -signaalit.
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "ei kyetä asettamaan ohjaavaa tty:tä"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "virhe luettaessa signaaliputkesta"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "virhe luettaessa putkesta"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "virhe luettaessa pistokeparista"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "odottamaton vastaustyyppi paluukanavalla: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
# ensimmäinen parametri on path
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "polun %s omistajan on oltava uid %d"
# parametri on path
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "polun %s on oltava vain omistajan kirjoitettava"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "lisäosan avaaminen epäonnistui funktiolla dlopen %s: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: ei kyetä löytämään symbolia %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: tuntematon menettelytapatyyppi %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: yhteensopimaton menettelytavan major-versio %d, odotettiin %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: vain yksi menettelytapalisäosa voidaan ladata"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: vähintään yksi menettelytapalisäosa on määriteltävä"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "menettelytapalisäosa %s ei sisällä check_policy-metodia"
msgid "the `-A' and `-S' options may not be used together"
msgstr "valitsimia ”-A” ja ”-S” ei voi käyttää yhdessä"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit ei ole tuettu tällä alustalla"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Vain yksi valitsimista -e, -h, -i, -K, -l, -s, -v tai -V voidaan määritellä"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - muokkaa tiedostoja toisena käyttäjänä\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - suorita komentoja toisena käyttäjänä\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Valitsimet:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "käytä apuohjelmaa salasanakyselyyn\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "käytä määriteltyä BSD-todennustyyppiä\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "suorita komento taustalla\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "sulje kaikki tiedostokuvaajat >= fd\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "suorita komento määritellyllä kirjautumisluokalla\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "säilytä käyttäjäympäristö komentoa suoritettaessa\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "muokkaa tiedostoja komennon suorittamisen sijasta\n"
# tämä viittaa runas_group-määritelyyn
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "suorita komento määriteltynä ryhmänä\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "aseta HOME-muuttuja osoittamaan kohdekäyttäjän kotihakemistoon.\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "näytä opasteviesti ja poistu\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "suorita kirjautumiskomentoikkuna kohdekäyttäjänä\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "poista aikaleimatiedosto kokonaan\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "mitätöi aikaleimatiedosto\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "luettele käyttäjän käytettävissä olevat komennot\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "ei-interaktiivinen tila, ei kysy käyttäjältä\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "säilytä ryhmävektori kohteen vektorin asettamisen sijasta\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "käytä määriteltyä salasanakehotetta\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "luo SELinux-turva-asiayhteys määritellyllä roolilla\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "lue salasana vakiosyötteestä\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "suorita komentotulkki kohdekäyttäjänä\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "luetteloitaessa luettele määritellyn käyttäjän käyttöoikeudet\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "suorita komento (tai muokkaa tiedostoa) määriteltynä käyttäjänä\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "näytä versiotiedot ja poistu\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "päivitä käyttäjän aikaleima suorittamatta komentoa\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "lopeta komentoriviargumenttien käsittely\n"
msgstr "tuntematon uid-käyttäjätunniste %u: kuka olet?"
# ensimmäinen parametri on path
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "polun %s omistajan on oltava uid %d ja setuid-bitin on oltava asetettu"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "todellinen käyttäjätunniste ei ole %d, onko %s asetettu tiedostojärjestelmässä, jossa on ’nosuid’-valitsin vai onko tämä NFS-tiedostojärjestelmä ilman root-käyttäjäoikeuksia?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "todellinen käyttäjätunniste ei ole %d, onko sudo asennettu setuid root -käyttöoikeuksilla?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "resurssivalvontaraja saavutettu"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "käyttäjä ”%s” ei ole hankkeen ”%s” jäsen"
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "kutsuttu tehtävä on final-tyyppinen"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "ei voitu liittyä hankkeeseen ”%s”"
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "hankkeelle ”%s” ei ole oletusyhteydet hyväksyvää resurssivarantoa"
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "hankkeelle ”%s” ei ole määriteltyä resurssivarantoa"
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "hankkeelle ”%s” ei voitu sitoa oletusresurssivarantoa"
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "setproject hankkeelle ”%s” epäonnistui"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "varoitus, hankkeen ”%s” resurssiohjausosoitus epäonnistui"
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "tuntematon kirjautumisluokka %s"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "ei kyetä asettamaan käyttäjäasiayhteyttä"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "ei kyetä asettamaan lisäryhmätunnisteita"
# tämän ymmärrän niin, että käyttäjärjestelmäydin luo tiedoston ja antaa tälle tavallaan tilapäisen effective gid-tunnisteen, joka vaihdetaan suorittamisen yhteydessä prosessin omistajan suoritettavaksi ryhmätunnisteeksi.
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "ei kyetä asettamaan voimassaolevaa gid-ryhmätunnistetta suoritettavaksi gid-ryhmätunnisteeksi %u"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "ei kyetä asettamaan gid-ryhmätunnistetta suoritettavaksi gid-ryhmätunnisteeksi %u"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "ei kyetä asettamaan prosessiprioriteettia"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "ei kyetä vaihtamaan root-käyttäjää käyttäjäksi %s"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "ei kyetä vaihtamaan suoritettavaksi uid-käyttäjätunnisteeksi (%u, %u)"
# parametrina on CWD- eli Change Working Directory- komennolla palautettava hakemisto
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "ei kyetä vaihtamaan hakemistoksi %s"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "lapsiprosessin odottamaton päättymisehto: %d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "menettelytapalisäosa %s ei tue luettelointikäyttöoikeuksia"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "menettelytapalisäosa %s ei tue valitsinta -v"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "menettelytapalisäosa %s ei tue valitsimia -k/-K"
msgid "unable to restore stdin"
msgstr "ei kyetä palauttamaan vakiosyötettä"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "sisäinen virhe, emalloc2() -ylivuoto"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "sisäinen virhe, erealloc3() -ylivuoto"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: vähintään yksi menettelytapalisäosa on määriteltävä"
+
#~ msgid "must be setuid root"
#~ msgstr "on oltava setuid root"
# Translation of sudo to Croatian.
# This file is put in the public domain.
-# Tomislav Krznar <tomislav.krznar@gmail.com>, 2012.
#
+# Tomislav Krznar <tomislav.krznar@gmail.com>, 2012.
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5rc1\n"
+"Project-Id-Version: sudo 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-03-28 14:06-0400\n"
-"PO-Revision-Date: 2012-04-17 22:01+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-13 22:54+0200\n"
"Last-Translator: Tomislav Krznar <tomislav.krznar@gmail.com>\n"
"Language-Team: Croatian <lokalizacija@linux.hr>\n"
-"Language: \n"
+"Language: hr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2)\n"
+"X-Generator: Lokalize 1.4\n"
+
+#: common/aix.c:150
+#, c-format
+msgid "unable to open userdb"
+msgstr "ne mogu otvoriti korisničku bazu podataka"
+
+#: common/aix.c:153
+#, c-format
+msgid "unable to switch to registry \"%s\" for %s"
+msgstr "ne mogu promijeniti u registar „%s” za %s"
+
+#: common/aix.c:170
+#, c-format
+msgid "unable to restore registry"
+msgstr "ne mogu vratiti registar"
+
+#: common/alloc.c:82
+msgid "internal error, tried to emalloc(0)"
+msgstr "interna greška, pokušao sam emalloc(0)"
+
+#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
+#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
+#, c-format
+msgid "unable to allocate memory"
+msgstr "ne mogu alocirati memoriju"
+
+#: common/alloc.c:99
+msgid "internal error, tried to emalloc2(0)"
+msgstr "interna greška, pokušao sam emalloc2(0)"
+
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "interna greška, %s preljev"
+
+#: common/alloc.c:120
+msgid "internal error, tried to ecalloc(0)"
+msgstr "interna greška, pokušao sam ecalloc(0)"
+
+#: common/alloc.c:142
+msgid "internal error, tried to erealloc(0)"
+msgstr "interna greška, pokušao sam erealloc(0)"
+
+#: common/alloc.c:161
+msgid "internal error, tried to erealloc3(0)"
+msgstr "interna greška, pokušao sam erealloc3(0)"
+
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "interna greška, pokušao sam erecalloc(0)"
+
+#: common/sudo_conf.c:305
+#, c-format
+msgid "unable to stat %s"
+msgstr "ne mogu izvršiti stat %s"
+
+#: common/sudo_conf.c:308
+#, c-format
+msgid "%s is not a regular file"
+msgstr "%s nije obična datoteka"
+
+#: common/sudo_conf.c:311
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "vlasnik %s je uid %u, treba biti %u"
+
+#: common/sudo_conf.c:315
+#, c-format
+msgid "%s is world writable"
+msgstr "%s ima dozvole za pisanje svih korisnika"
+
+#: common/sudo_conf.c:318
+#, c-format
+msgid "%s is group writable"
+msgstr "%s ima dozvole za pisanje svih grupa"
+
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#, c-format
+msgid "unable to open %s"
+msgstr "ne mogu otvoriti %s"
+
+#: compat/strsignal.c:47
+msgid "Unknown signal"
+msgstr "Nepoznat signal"
#: src/error.c:82 src/error.c:86
msgid ": "
msgstr ": "
-#: src/exec.c:105 src/exec_pty.c:616 src/exec_pty.c:948 src/tgetpass.c:221
+#: src/exec.c:113 src/exec_pty.c:674
+#, c-format
+msgid "policy plugin failed session initialization"
+msgstr "priključak police nije uspio inicijalizirati sjednicu"
+
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "ne mogu razdvojiti"
-#: src/exec.c:252
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "ne mogu napraviti utičnice"
-#: src/exec.c:259 src/exec_pty.c:567 src/exec_pty.c:576 src/exec_pty.c:584
-#: src/exec_pty.c:883 src/exec_pty.c:945 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "ne mogu napraviti cjevovod"
-#: src/exec.c:340 src/exec_pty.c:1011 src/exec_pty.c:1146
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "odabir nije uspio"
-#: src/exec.c:425
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "ne mogu vratiti tty oznaku"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "ne mogu ukloniti PRIV_PROC_EXEC iz PRIV_LIMIT"
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:447 src/sudo.c:467
-#: src/sudo.c:474 src/sudo.c:485 src/sudo.c:871 common/alloc.c:85
-#: common/alloc.c:105 common/alloc.c:127 common/alloc.c:146 common/alloc.c:168
-#: common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#, c-format
-msgid "unable to allocate memory"
-msgstr "ne mogu alocirati memoriju"
-
-#: src/exec_pty.c:140
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "ne mogu alocirati pty"
-#: src/exec_pty.c:609
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "ne mogu postaviti terminal u sirovi način"
-#: src/exec_pty.c:926
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "ne mogu postaviti kontrolni tty"
-#: src/exec_pty.c:1019
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "greška čitanja iz cjevovoda signala"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "greška čitanja iz cjevovoda"
-#: src/exec_pty.c:1054
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "greška čitanja iz para utičnica"
-#: src/exec_pty.c:1058
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "neočekivana vrsta odgovora na povratnom kanalu: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "vlasnik %s mora biti uid %d"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "samo vlasnik smije imati dozvole za pisanje %s"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "ne mogu izvršiti dlopen %s: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: ne mogu pronaći simbol %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: nepoznata vrsta police %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: nekompatibilna glavna inačica police %d, očekujem %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: može se učitati samo jedan priključak police"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: mora biti naveden barem jedan priključak police"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "priključak police %s ne uključuje metodu check_policy"
msgid "the `-A' and `-S' options may not be used together"
msgstr "ne možete koristiti opcije „-A” i „-S” zajedno"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit nije podržan na ovoj platformi"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Smijete navesti samo jednu od opcija -e, -h, -i, -K, -l, -s, -v i -V "
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - uredi datoteke kao drugi korisnik\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - izvrši naredbu kao drugi korisnik\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Opcije:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "koristi pomoćni program za traženje lozinke\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
-msgstr "koristi navedenu vrstu BSD autentifikacije\n"
+msgstr "koristi navedenu vrstu BSD provjere\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "pokreni naredbu u pozadini\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "zatvori sve opisnike datoteka >= fd\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "pokreni naredbu s navedenim razredom prijave\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "očuvaj korisničku okolinu pri izvršavanju naredbe\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "uredi datoteke umjesto pokretanja naredbe\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "izvrši naredbu kao navedena grupa\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "postavi HOME varijablu na početni direktorij odredišnog korisnika.\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "prikaži ovu pomoć i izađi\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "pokreni ljusku prijave kao odredišni korisnik\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "potpuno ukloni datoteku vremenskih oznaka\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "učini datoteku vremenskih oznaka nevažećom\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "ispiši dostupne korisničke naredbe\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "neinteraktivni način, neće ispitivati korisnika\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "očuvaj grupni vektor umjesto postavljanja na odredišni\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "koristi navedeno traženje lozinke\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "stvori SELinux sigurnosni kontekst s navedenom ulogom\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "čitaj lozinku sa standardnog ulaza\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "pokreni ljusku kao odredišni korisnik\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "pri ispisu, ispiši navedene korisničke ovlasti\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "pokreni naredbu (ili uredi datoteku) kao navedeni korisnik\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "prikaži informacije o inačici i izađi\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "ažuriraj korisničku vremensku oznaku bez pokretanja naredbe\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "zaustavi obradu argumenata naredbenog retka\n"
msgid "unable to set new tty context"
msgstr "ne mogu postaviti novi tty kontekst"
-#: src/selinux.c:196 src/selinux.c:209 src/sudo.c:333 common/sudo_conf.c:328
-#, c-format
-msgid "unable to open %s"
-msgstr "ne mogu otvoriti %s"
-
#: src/selinux.c:252
#, c-format
msgid "you must specify a role for type %s"
msgid "unable to execute %s"
msgstr "ne mogu izvršiti %s"
-#: src/sudo.c:213
+#: src/sudo.c:211
#, c-format
msgid "Sudo version %s\n"
msgstr "Sudo inačica %s\n"
-#: src/sudo.c:215
+#: src/sudo.c:213
#, c-format
msgid "Configure options: %s\n"
msgstr "Konfiguracijske opcije: %s\n"
-#: src/sudo.c:220
+#: src/sudo.c:218
#, c-format
msgid "fatal error, unable to load plugins"
msgstr "fatalna greška, ne mogu učitati priključke"
-#: src/sudo.c:228
+#: src/sudo.c:226
#, c-format
msgid "unable to initialize policy plugin"
msgstr "ne mogu inicijalizirati priključak police"
-#: src/sudo.c:283
+#: src/sudo.c:281
#, c-format
msgid "error initializing I/O plugin %s"
msgstr "greška inicijalizacije U/I priključka %s"
-#: src/sudo.c:308
+#: src/sudo.c:306
#, c-format
msgid "unexpected sudo mode 0x%x"
msgstr "neočekivani sudo mod 0x%x"
-#: src/sudo.c:402
+#: src/sudo.c:400
#, c-format
msgid "unable to get group vector"
msgstr "ne mogu dohvatiti grupni vektor"
-#: src/sudo.c:443
+#: src/sudo.c:452
#, c-format
msgid "unknown uid %u: who are you?"
msgstr "nepoznat uid %u: tko ste vi?"
-#: src/sudo.c:735
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "vlasnik %s mora biti uid %d i mora imati postavljen setuid bit"
-#: src/sudo.c:738
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "efektivni uid nije %d, je li %s na datotečnom sustavu s postavljenom opcijom „nosuid” ili NFS datotečnom sustavu bez administratorskih ovlasti?"
-#: src/sudo.c:744
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "efektivni uid nije %d, je li sudo instaliran uz setuid root?"
-#: src/sudo.c:813
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "dosegnuta je granica upravljanja resursima"
-#: src/sudo.c:816
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "korisnik „%s” nije član projekta „%s”"
-#: src/sudo.c:820
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "pozivanje zadatka je konačno"
-#: src/sudo.c:823
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "ne mogu pridružiti projektu „%s”"
-#: src/sudo.c:828
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "ne postoji skladište resursa koje prihvaća zadane poveznice za projekt „%s”"
-#: src/sudo.c:832
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "ne postoji navedeno skladište resursa za projekt „%s”"
-#: src/sudo.c:836
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "ne mogu povezati na zadano skladište resursa za projekt „%s”"
-#: src/sudo.c:842
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "setproject nije uspio za projekt „%s”"
-#: src/sudo.c:844
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "upozorenje, zadatak upravljanja resursima nije uspio za projekt „%s”"
-#: src/sudo.c:909
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "nepoznat razred prijave %s"
-#: src/sudo.c:923 src/sudo.c:926
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "ne mogu postaviti korisnički kontekst"
-#: src/sudo.c:938
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "ne mogu postaviti dopunske grupne identifikatore"
-#: src/sudo.c:945
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "ne mogu postaviti efektivni gid u runas gid %u"
-#: src/sudo.c:951
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "ne mogu postaviti gid u runas (pokreni kao) gid %u"
-#: src/sudo.c:958
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "ne mogu postaviti prioritet procesa"
-#: src/sudo.c:966
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "ne mogu promijeniti korijen u %s"
-#: src/sudo.c:973 src/sudo.c:979 src/sudo.c:985
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "ne mogu promijeniti u runas (pokreni kao) uid (%u, %u)"
-#: src/sudo.c:999
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "ne mogu promijeniti direktorij u %s"
-#: src/sudo.c:1072
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "neočekivani uvjet završavanja djeteta: %d"
-#: src/sudo.c:1133
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "priključak police %s ne podržava ispis ovlasti"
-#: src/sudo.c:1145
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "priključak police %s ne podržava opciju -v"
-#: src/sudo.c:1157
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "priključak police %s ne podržava opcije -k/-K"
msgid "unable to restore stdin"
msgstr "ne mogu vratiti stdin"
-#: common/aix.c:149
-#, c-format
-msgid "unable to open userdb"
-msgstr "ne mogu otvoriti korisničku bazu podataka"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "interna greška, emalloc2() preljev"
-#: common/aix.c:152
-#, c-format
-msgid "unable to switch to registry \"%s\" for %s"
-msgstr "ne mogu promijeniti u registar „%s” za %s"
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "interna greška, erealloc3() preljev"
-#: common/aix.c:169
-#, c-format
-msgid "unable to restore registry"
-msgstr "ne mogu vratiti registar"
-
-#: common/alloc.c:82
-msgid "internal error, tried to emalloc(0)"
-msgstr "interna greška, pokušao sam emalloc(0)"
-
-#: common/alloc.c:99
-msgid "internal error, tried to emalloc2(0)"
-msgstr "interna greška, pokušao sam emalloc2(0)"
-
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "interna greška, emalloc2() preljev"
-
-#: common/alloc.c:120
-msgid "internal error, tried to ecalloc(0)"
-msgstr "interna greška, pokušao sam ecalloc(0)"
-
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "interna greška, ecalloc() preljev"
-
-#: common/alloc.c:142
-msgid "internal error, tried to erealloc(0)"
-msgstr "interna greška, pokušao sam erealloc(0)"
-
-#: common/alloc.c:161 common/alloc.c:185
-msgid "internal error, tried to erealloc3(0)"
-msgstr "interna greška, pokušao sam erealloc3(0)"
-
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "interna greška, erealloc3() preljev"
-
-#: common/sudo_conf.c:306
-#, c-format
-msgid "unable to stat %s"
-msgstr "ne mogu izvršiti stat %s"
-
-#: common/sudo_conf.c:309
-#, c-format
-msgid "%s is not a regular file"
-msgstr "%s nije obična datoteka"
-
-#: common/sudo_conf.c:312
-#, c-format
-msgid "%s is owned by uid %u, should be %u"
-msgstr "vlasnik %s je uid %u, treba biti %u"
-
-#: common/sudo_conf.c:316
-#, c-format
-msgid "%s is world writable"
-msgstr "%s ima dozvole za pisanje svih korisnika"
-
-#: common/sudo_conf.c:319
-#, c-format
-msgid "%s is group writable"
-msgstr "%s ima dozvole za pisanje svih grupa"
-
-#: compat/strsignal.c:47
-msgid "Unknown signal"
-msgstr "Nepoznat signal"
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: mora biti naveden barem jedan priključak police"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo-1.8.5-b4\n"
+"Project-Id-Version: sudo-1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-03-28 14:06-0400\n"
-"PO-Revision-Date: 2012-04-05 13:56+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-13 21:25+0200\n"
"Last-Translator: Milo Casagrande <milo@casagrande.name>\n"
"Language-Team: Italian <tp@lists.linux.it>\n"
"Language: it\n"
"Content-Transfer-Encoding: 8-bit\n"
"Plural-Forms: nplurals=2; plural=(n!=1);\n"
+#: common/aix.c:150
+#, c-format
+msgid "unable to open userdb"
+msgstr "impossibile aprire lo userdb"
+
+#: common/aix.c:153
+#, c-format
+msgid "unable to switch to registry \"%s\" for %s"
+msgstr "impossibile passare al registro \"%s\" per %s"
+
+#: common/aix.c:170
+#, c-format
+msgid "unable to restore registry"
+msgstr "impossibile ripristinare il registro"
+
+#: common/alloc.c:82
+msgid "internal error, tried to emalloc(0)"
+msgstr "errore interno, tentativo di chiamare emalloc(0)"
+
+#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
+#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
+#, c-format
+msgid "unable to allocate memory"
+msgstr "impossibile allocare la memoria"
+
+#: common/alloc.c:99
+msgid "internal error, tried to emalloc2(0)"
+msgstr "errore interno, tentativo di chiamare emalloc2(0)"
+
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "errore interno, overflow di %s"
+
+#: common/alloc.c:120
+msgid "internal error, tried to ecalloc(0)"
+msgstr "errore interno, tentativo di chiamare ecalloc(0)"
+
+#: common/alloc.c:142
+msgid "internal error, tried to erealloc(0)"
+msgstr "errore interno, tentativo di chiamare erealloc(0)"
+
+#: common/alloc.c:161
+msgid "internal error, tried to erealloc3(0)"
+msgstr "errore interno, tentativo di chiamare erealloc3(0)"
+
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "errore interno, tentativo di chiamare erecalloc(0)"
+
+#: common/sudo_conf.c:305
+#, c-format
+msgid "unable to stat %s"
+msgstr "impossibile eseguire stat su %s"
+
+#: common/sudo_conf.c:308
+#, c-format
+msgid "%s is not a regular file"
+msgstr "%s non è un file regolare"
+
+#: common/sudo_conf.c:311
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "%s è di proprietà dello uid %u, dovrebbe essere di %u"
+
+#: common/sudo_conf.c:315
+#, c-format
+msgid "%s is world writable"
+msgstr "%s è scrivibile da tutti"
+
+#: common/sudo_conf.c:318
+#, c-format
+msgid "%s is group writable"
+msgstr "%s è scrivibile dal gruppo"
+
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#, c-format
+msgid "unable to open %s"
+msgstr "impossibile aprire %s"
+
+#: compat/strsignal.c:47
+msgid "Unknown signal"
+msgstr "Segnale sconosciuto"
+
#: src/error.c:82 src/error.c:86
msgid ": "
msgstr ": "
-#: src/exec.c:105 src/exec_pty.c:616 src/exec_pty.c:948 src/tgetpass.c:221
+#: src/exec.c:113 src/exec_pty.c:674
+#, c-format
+msgid "policy plugin failed session initialization"
+msgstr "inizializzazione della sessione non riuscita da parte del plugin della politica"
+
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "impossibile eseguire fork"
-#: src/exec.c:252
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "impossibile creare socket"
-#: src/exec.c:259 src/exec_pty.c:567 src/exec_pty.c:576 src/exec_pty.c:584
-#: src/exec_pty.c:883 src/exec_pty.c:945 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "impossibile creare una pipe"
-#: src/exec.c:340 src/exec_pty.c:1011 src/exec_pty.c:1146
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "select non riuscita"
-#: src/exec.c:425
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "impossibile ripristinare l'etichetta tty"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "impossibile rimuovere PRIV_PROC_EXEC da PRIV_LIMIT"
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:447 src/sudo.c:467
-#: src/sudo.c:474 src/sudo.c:485 src/sudo.c:871 common/alloc.c:85
-#: common/alloc.c:105 common/alloc.c:127 common/alloc.c:146 common/alloc.c:168
-#: common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#, c-format
-msgid "unable to allocate memory"
-msgstr "impossibile allocare la memoria"
-
-#: src/exec_pty.c:140
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "impossibile allocare pty"
-#: src/exec_pty.c:609
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "impossibile impostare il terminale in modalità raw"
-#: src/exec_pty.c:926
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "impossibile impostare il tty di controllo"
-#: src/exec_pty.c:1019
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "errore nel leggere dalla pipe di segnale"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "errore nel leggere dalla pipe"
-#: src/exec_pty.c:1054
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "errore nel leggere dal socketpair"
-#: src/exec_pty.c:1058
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "tipologia di risposta inattesa sul backchannel: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "%s deve essere di proprietà dello uid %d"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "%s deve essere scrivibile solo dal proprietario"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "impossibile eseguire dlopen su %s: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: impossibile trovare il simbolo %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: politica di tipo %d sconosciuta"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: numero principale di versione %d non compatibile, atteso %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: solo un plugin di politica può essere caricato"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: almeno un plugin di politica deve essere specificato"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "il plugin di politica %s non include un metodo check_policy"
msgid "the `-A' and `-S' options may not be used together"
msgstr "non è possibile usare assieme le opzioni \"-A\" e \"-S\""
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit non è supportato su questa piattaforma"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Solo una delle opzioni -e, -h, -i, -K, -l, -s, -v o -V può essere specificata"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - modifica file come un altro utente\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - esegue un comando come un altro utente\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Opzioni:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "Utilizza un programma d'aiuto per richiedere la password\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "Utilizza la tipologia di autenticazione BSD specificata\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "Esegue il comando in background\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "Chiude tutti i descrittori di file >= fd\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "Esegue il comando con la classe di accesso specificata\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "Mantiene l'ambiente dell'utente quando viene eseguito il comando\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "Modifica i file invece di eseguire un comando\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "Esegue il comando come il gruppo specificato\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "Imposta la variabile HOME alla directory dell'utente finale\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "Visualizza il messaggio di aiuto ed esce\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "Esegue una shell di login come l'utente finale\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "Rimuove completamente il file temporale\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "Invalida il file temporale\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "Elenca i comandi utente disponibili\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "Modalità non interattiva, non richiede nulla all'utente\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "Mantiene il vettore di gruppo invece di impostarlo a quello dell'obiettivo\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "Utilizza la richiesta della password specificata\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "Crea il contesto di sicurezza SELinux con il ruolo specificato\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "Legge la password dallo standard input\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "Esegue una shell come l'utente finale\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "Durante l'elencazione, visualizza i privilegi dell'utente specificato\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "Esegue un comando (o modifica un file) come l'utente specificato\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "Visualizza le informazioni sulla versione ed esce\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "Aggiorna il timestamp dell'utente senza eseguire un comando\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "Ferma l'elaborazione degli argomenti a riga di comando\n"
msgid "unable to set new tty context"
msgstr "impossibile impostare il nuovo contesto tty"
-#: src/selinux.c:196 src/selinux.c:209 src/sudo.c:333 common/sudo_conf.c:328
-#, c-format
-msgid "unable to open %s"
-msgstr "impossibile aprire %s"
-
#: src/selinux.c:252
#, c-format
msgid "you must specify a role for type %s"
msgid "unable to execute %s"
msgstr "impossibile eseguire %s"
-#: src/sudo.c:213
+#: src/sudo.c:211
#, c-format
msgid "Sudo version %s\n"
msgstr "Versione di sudo: %s\n"
-#: src/sudo.c:215
+#: src/sudo.c:213
#, c-format
msgid "Configure options: %s\n"
msgstr "Opzioni di configurazione: %s\n"
-#: src/sudo.c:220
+#: src/sudo.c:218
#, c-format
msgid "fatal error, unable to load plugins"
msgstr "errore irreversibile, impossibile caricare i plugin"
-#: src/sudo.c:228
+#: src/sudo.c:226
#, c-format
msgid "unable to initialize policy plugin"
msgstr "impossibile inizializzare il plugin delle politiche"
-#: src/sudo.c:283
+#: src/sudo.c:281
#, c-format
msgid "error initializing I/O plugin %s"
msgstr "errore nell'inizializzare il plugin di I/O %s"
-#: src/sudo.c:308
+#: src/sudo.c:306
#, c-format
msgid "unexpected sudo mode 0x%x"
msgstr "modalità 0x%x di sudo non attesa"
-#: src/sudo.c:402
+#: src/sudo.c:400
#, c-format
msgid "unable to get group vector"
msgstr "impossibile ottenere il vettore di gruppo"
# (ndt) mah... andrebbe resa meglio...
-#: src/sudo.c:443
+#: src/sudo.c:452
#, c-format
msgid "unknown uid %u: who are you?"
msgstr "uid %u sconosciuto: identificarsi."
-#: src/sudo.c:735
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s deve essere di proprietà dello uid %d e avere il bit setuid impostato"
-#: src/sudo.c:738
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "lo uid effettivo non è %d. %s si trova su un file system con l'opzione \"nosuid\" impostata o su un file system NFS senza privilegi di root?"
-#: src/sudo.c:744
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "lo uid effettivo non è %d. Il programma sudo è installato con setuid root?"
-#: src/sudo.c:813
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "raggiunto il limite di controllo delle risorse"
-#: src/sudo.c:816
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "l'utente \"%s\" non fa parte del progetto \"%s\""
-#: src/sudo.c:820
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "il task chiamante è definitivo"
-#: src/sudo.c:823
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "impossibile unirsi al progetto \"%s\""
-#: src/sudo.c:828
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "non esiste alcun pool di risorse per il progetto \"%s\" che accetti binding predefiniti"
-#: src/sudo.c:832
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "il pool di risorse specificato non esiste per il progetto \"%s\""
-#: src/sudo.c:836
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "impossibile unirsi al pool di risorse predefinito per il progetto \"%s\""
-#: src/sudo.c:842
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "setproject per il progetto \"%s\" non riuscita"
-#: src/sudo.c:844
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "attenzione, assegnazione della risorsa di controllo per il progetto \"%s\" non riuscita"
-#: src/sudo.c:909
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "classe di accesso %s sconosciuta"
-#: src/sudo.c:923 src/sudo.c:926
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "impossibile impostare il contesto utente"
-#: src/sudo.c:938
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "impossibile impostare ID di gruppo supplementari"
-#: src/sudo.c:945
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "impossibile impostare il gid effettivo per eseguire come %u"
-#: src/sudo.c:951
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "impossibile impostare il gid per eseguire come gid %u"
-#: src/sudo.c:958
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "impossibile impostare la priorità del processo"
-#: src/sudo.c:966
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "impossibile modificare root a %s"
-#: src/sudo.c:973 src/sudo.c:979 src/sudo.c:985
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "impossibile passare a un diverso uid (%u, %u)"
-#: src/sudo.c:999
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "impossibile passare alla directory %s"
-#: src/sudo.c:1072
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "condizione di uscita del figlio inattesa: %d"
-#: src/sudo.c:1133
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "il plugin di politica %s non supporta l'elencazione dei privilegi"
-#: src/sudo.c:1145
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "il plugin di politica %s non supporta l'opzione -v"
-#: src/sudo.c:1157
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "il plguind di politica %s non supporta le opzioni -k/-K"
msgid "unable to restore stdin"
msgstr "impossibile ripristinare lo stdin"
-#: common/aix.c:149
-#, c-format
-msgid "unable to open userdb"
-msgstr "impossibile aprire lo userdb"
-
-#: common/aix.c:152
-#, c-format
-msgid "unable to switch to registry \"%s\" for %s"
-msgstr "impossibile passare al registro \"%s\" per %s"
-
-#: common/aix.c:169
-#, c-format
-msgid "unable to restore registry"
-msgstr "impossibile ripristinare il registro"
-
-#: common/alloc.c:82
-msgid "internal error, tried to emalloc(0)"
-msgstr "errore interno, tentativo di chiamare emalloc(0)"
-
-#: common/alloc.c:99
-msgid "internal error, tried to emalloc2(0)"
-msgstr "errore interno, tentativo di chiamare emalloc2(0)"
-
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "errore interno, overflow di emalloc2()"
-
-#: common/alloc.c:120
-msgid "internal error, tried to ecalloc(0)"
-msgstr "errore interno, tentativo di chiamare ecalloc(0)"
-
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "errore interno, overflow di ecalloc()"
-
-#: common/alloc.c:142
-msgid "internal error, tried to erealloc(0)"
-msgstr "errore interno, tentativo di chiamare erealloc(0)"
-
-#: common/alloc.c:161 common/alloc.c:185
-msgid "internal error, tried to erealloc3(0)"
-msgstr "errore interno, tentativo di chiamare erealloc3(0)"
-
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "errore interno, overflow di erealloc3()"
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: almeno un plugin di politica deve essere specificato"
-#: common/sudo_conf.c:306
-#, c-format
-msgid "unable to stat %s"
-msgstr "impossibile eseguire stat su %s"
-
-#: common/sudo_conf.c:309
-#, c-format
-msgid "%s is not a regular file"
-msgstr "%s non è un file regolare"
-
-#: common/sudo_conf.c:312
-#, c-format
-msgid "%s is owned by uid %u, should be %u"
-msgstr "%s è di proprietà dello uid %u, dovrebbe essere di %u"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "errore interno, overflow di emalloc2()"
-#: common/sudo_conf.c:316
-#, c-format
-msgid "%s is world writable"
-msgstr "%s è scrivibile da tutti"
-
-#: common/sudo_conf.c:319
-#, c-format
-msgid "%s is group writable"
-msgstr "%s è scrivibile dal gruppo"
-
-#: compat/strsignal.c:47
-msgid "Unknown signal"
-msgstr "Segnale sconosciuto"
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "errore interno, overflow di erealloc3()"
#~ msgid "must be setuid root"
#~ msgstr "è necessario essere setuid root"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5rc3\n"
+"Project-Id-Version: sudo 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-30 16:14+0900\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-18 19:20+0900\n"
"Last-Translator: Takeshi Hamasaki <hmatrjp@users.sourceforge.jp>\n"
"Language-Team: Japanese <translation-team-ja@lists.sourceforge.net>\n"
"Language: ja\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "ユーザーデータベースを開くことができません"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "%s 用のレジストリー \"%s\" へ切り替えることができません"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "レジストリーを復元できません"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "メモリ割り当てを行えませんでした"
msgid "internal error, tried to emalloc2(0)"
msgstr "内部エラー、 emalloc2(0) を試みました"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "内部エラー、 emalloc2() がオーバーフローしました"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "内部エラー、 %s がオーバーフローしました"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "内部エラー、ecalloc(0) を試みました"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "内部エラー、 ecalloc() がオーバーフローしました"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "内部エラー、 erealloc(0) を試みました"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "内部エラー、 erealloc3(0) を試みました"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "内部エラー、 erealloc3() がオーバーフローしました"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "内部エラー、 erecalloc(0) を試みました"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "%s の状態取得 (stat) ができません"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s は通常ファイルではありません"
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s はユーザーID %u によって所有されています。これは %u であるべきです"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "%s は誰でも書き込み可能です"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "%s はグループのメンバーによる書き込みが可能です"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "%s を開けません"
msgid ": "
msgstr ": "
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "ポリシープラグインがセッションの初期化に失敗しました"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "fork できません"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "ソケットを作成できません"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "パイプを作成できません"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "select に失敗しました"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "tty ラベルを復旧できません"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "PRIV_LIMIT から PRIV_PROC_EXEC を取り除くことができません"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "pty を割り当てられません"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "端末を raw モードに設定できません"
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "tty の制御設定ができません"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "シグナルパイプからの読み込み中にエラーが発生しました"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "パイプからの読み込み中にエラーが発生しました"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "ソケットペアからの読み込み中にエラーが発生しました"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "バックチャンネルに関する予期しないリプレイタイプです: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "%s の所有者は uid %d でなければいけません"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "%s は所有者のみ書き込み可能で無ければいけません"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "dlopen %s を行うことができません: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: シンボル %s を見つけることができません"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: 不明なポリシータイプ %d です"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: 互換性の無いポリシーメジャーバージョン %d です。予期されるのは %d です"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: 一つのポリシープラグインのみロードされているようです"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: 最低でも一つ以上のポリシープラグインを指定しなければいけません"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "ポリシープラグイン %s には check_policy メソッドが含まれていません"
msgid "the `-A' and `-S' options may not be used together"
msgstr "`-A' と `-S' オプションは同時に指定することはできません"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit はこのプラットフォームではサポートされていません"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "-e, -h, -i, -K, -l, -s, -v または -V のうち一つのみ指定できます"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - 別のユーザーとしてファイルを編集します\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - 別のユーザーとしてコマンドを実行します\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"オプション:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "パスワード要求のために補助プログラムを使用する\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "指定した BSD 認証タイプを使用する\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "コマンドをバックグラウンドで実行する\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "fd 以上のすべてのファイル記述子を閉じる\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "指定したログインクラスでコマンドを実行する\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "コマンドを実行する時にユーザーの環境変数を保護する\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "コマンドを実行する代わりにファイルを編集する\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "指定したグループでコマンドを実行する\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "HOME 変数を変更先となるユーザーのホームディレクトリに設定する\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "ヘルプメッセージを表示して終了する\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "変更先のユーザーとしてログインシェルを実行する\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "タイムスタンプファイルを完全に削除する\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "タイムスタンプファイルを無効にする\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "ユーザーが使用可能なコマンドを一覧表示する\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "非対話モードで実行し、ユーザーに入力を求めない\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "グループベクトルを保護する (変更先のユーザーのものに設定しない)\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "指定したパスワードプロンプトを使用する\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "指定した役割で SELinux セキュリティーコンテキストを作成する\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "標準入力からパスワードを読み込む\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "変更先のユーザーとしてシェルを実行する\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "一覧表示する時に、指定したユーザーの権限を一覧表示する\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "指定したユーザーでコマンドを実行する (またはファイルを編集する)\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "バージョン情報を表示して終了する\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "コマンドを実行せずにユーザーのタイムスタンプを更新する\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "コマンドライン引数の処理を終了する\n"
msgid "unknown uid %u: who are you?"
msgstr "不明なユーザーID %u です: 誰ですか?"
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s は所有者が uid %d である必要があり、かつ setuid が設定されている必要があります"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "実効 uid が %d ではありません、%s は 'nosuid' が設定されたファイルシステムにあるか、root 権限のないNFSファイルシステムにあるのでは?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "実効 uid が %d ではありません、sudo は setuid root を設定してインストールされていますか?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "資源制御の制限の最大値に達しました"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "ユーザー \"%s\" はプロジェクト \"%s\" のメンバーではありません"
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "起動しているタスクは最後 (final) です"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "プロジェクト \"%s\" に参加できません"
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "プロジェクト \"%s\" 用にはデフォルト割り当てとして受け付けられる資源プールがありません"
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "プロジェクト \"%s\" 用として指定した資源プールは存在しません"
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "プロジェクト \"%s\" 用にデフォルト資源プールを割り当てられませんでした"
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "プロジェクト\"%s\" への setproject に失敗しました"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "警告、プロジェクト \"%s\" への資源制御割り当てに失敗しました"
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "不明なログインクラス %s です"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "ユーザーコンテキストを設定できません"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "追加のグループIDを設定できません"
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "実行時のグループID (gid) %u を実効グループIDに設定できません"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "実行時のグループID (gid) %u をグループIDに設定できません"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "プロセス優先度を設定できません"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "root を %s へ変更できません"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "実行時のユーザーID (uid) (%u, %u) へ変更できません"
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "ディレクトリーを %s に変更できません"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "予期しない子プロセスの終了コードです: %d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "ポリシープラグイン %s は権限の一覧表示をサポートしていません"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "ポリシープラグイン %s は -v オプションをサポートしません"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "ポリシープラグイン %s は -k/-K オプションをサポートしません"
msgid "unable to restore stdin"
msgstr "標準入力を復元できません"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "内部エラー、 emalloc2() がオーバーフローしました"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "内部エラー、 erealloc3() がオーバーフローしました"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: 最低でも一つ以上のポリシープラグインを指定しなければいけません"
+
#~ msgid "must be setuid root"
#~ msgstr "setuid root されていなければいけません"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5rc3\n"
+"Project-Id-Version: sudo 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-05-06 21:33+0200\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-20 19:04+0200\n"
"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
"Language: pl\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "nie udało się otworzyć userdb"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "nie udało się przełączyć na rejestr \"%s\" dla %s"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "nie udało się odtworzyć rejestru"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "nie udało się przydzielić pamięci"
msgid "internal error, tried to emalloc2(0)"
msgstr "błąd wewnętrzny, próbowano wykonać emalloc2(0)"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "błąd wewnętrzny, przepełnienie emalloc2()"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "błąd wewnętrzny, przepełnienie %s"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "błąd wewnętrzny, próbowano wykonać ecalloc(0)"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "błąd wewnętrzny, przepełnienie ecalloc()"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "błąd wewnętrzny, próbowano wykonać erealloc(0)"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "błąd wewnętrzny, próbowano wykonać erealloc3(0)"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "błąd wewnętrzny, przepełnienie erealloc3()"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "błąd wewnętrzny, próbowano wykonać erecalloc(0)"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "nie udało się wykonać stat na %s"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s nie jest zwykłym plikiem"
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "właścicielem %s jest uid %u, powinien być %u"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "%s jest zapisywalny dla świata"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "%s jest zapisywalny dla grupy"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "nie udało się otworzyć %s"
msgid ": "
msgstr ": "
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "nie udało się zainicjować sesji przez wtyczkę polityki"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "nie udało się wykonać fork"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "nie udało się utworzyć gniazd"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "nie udało się utworzyć potoku"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "wywołanie select nie powiodło się"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "nie udało się przywrócić etykiety tty"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "nie udało się usunąć PRIV_PROC_EXEC z PRIV_LIMIT"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "nie udało się przydzielić pty"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "nie udało się przestawić terminala w tryb surowy"
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "nie udało się ustawić sterującego tty"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "błąd odczytu z potoku sygnałowego"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "błąd odczytu z potoku"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "błąd odczytu z pary gniazd"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "nieoczekiwany typ odpowiedzi z kanału zwrotnego: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "właścicielem %s musi być uid %d"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "prawo zapisu do %s może mieć tylko właściciel"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "nie udało się wykonać dlopen %s: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: nie udało się odnaleźć symbolu %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: nieznany typ polityki %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: niezgodna główna wersja polityki %d, oczekiwano %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: może być wczytana tylko jedna wtyczka polityki"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: musi być wczytana przynajmniej jedna wtyczka polityki"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "wtyczka polityki %s nie zawiera metody check_policy"
msgid "the `-A' and `-S' options may not be used together"
msgstr "opcji `-A' oraz `-S' nie można używać jednocześnie"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit nie jest obsługiwane na tej platformie"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Można podać tylko jedną z opcji -e, -h, -i, -K, -l, -s, -v lub -V"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - modyfikowanie plików jako inny użytkownik\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - wykonywanie poleceń jako inny użytkownik\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Opcje:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "użycie programu pomocniczego do pytań o hasło\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "użycie podanego rodzaju uwierzytelnienia BSD\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "uruchomienie polecenia w tle\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "zamknięcie wszystkich deskryptorów >= fd\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "uruchomienie polecenia z podaną klasą logowania\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "zachowanie środowiska użytkownika przy uruchamianiu polecenia\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "modyfikowanie plików zamiast uruchomienia polecenia\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "wywołanie polecenia jako określona grupa\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "ustawienie zmiennej HOME na katalog domowy użytkownika docelowego.\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "wyświetlenie opisu i zakończenie\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "uruchomienie powłoki logowania jako docelowy użytkownik\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "całkowite usunięcie pliku znacznika czasu\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "unieważnienie pliku znacznika czasu\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "wypisanie poleceń dostępnych dla użytkownika\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "tryb nieinteraktywny, użytkownik nie będzie pytany\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "zachowanie wektora grup zamiast ustawiania docelowych\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "użycie podanego pytania o hasło\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "utworzenie kontekstu bezpieczeństwa SELinuksa z podaną rolą\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "odczyt hasła ze standardowego wejścia\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "uruchomienie powłoki jako użytkownik docelowy\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "przy wypisywaniu podanie uprawnień danego użytkownika\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "uruchomienie polecenia (lub modyfikowanie pliku) jako podany użytkownik\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "wyświetlenie informacji o wersji i zakończenie\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "uaktualnienie znacznika czasu użytkownika bez uruchamiania polecenia\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "zakończenie przetwarzania argumentów linii poleceń\n"
msgid "unknown uid %u: who are you?"
msgstr "nieznany uid %u: kim jesteś?"
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s musi mieć uid %d jako właściciela oraz ustawiony bit setuid"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "efektywny uid nie wynosi %d, czy %s jest na systemie plików z opcją 'nosuid' albo systemie plików NFS bez uprawnień roota?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "efektywny uid nie wynosi %d, czy sudo jest zainstalowane z setuid root?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "osiągnięto limit kontroli zasobów"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "użytkownik \"%s\" nie jest członkiem projektu \"%s\""
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "zadanie uruchamiające jest ostatnim"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "nie udało się dołączyć do projektu \"%s\""
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "nie istnieje pula zasobów akceptująca domyślne przypisania dla projektu \"%s\""
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "podana pula zasobów nie istnieje w projekcie \"%s\""
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "nie można przypisać do domyślnej puli zasobów w projekcie \"%s\""
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "setproject dla projektu \"%s\" nie powiodło się"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "uwaga: przypisanie kontroli zasobów dla projektu \"%s\" nie powiodło się"
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "nieznana klasa logowania %s"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "nie udało się ustawić kontekstu użytkownika"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "nie udało się ustawić ID dodatkowych grup"
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "nie udało się ustawić efektywnego gid-a w celu działania jako gid %u"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "nie udało się ustawić gid-a w celu działania jako gid %u"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "nie udało się ustawić priorytetu procesu"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "nie udało się zmienić katalogu głównego na %s"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "nie udało się zmienić uid-ów, aby działać jako (%u, %u)"
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "nie udało się zmienić katalogu na %s"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "nieoczekiwane zakończenie procesu potomnego: %d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "wtyczka polityki %s nie obsługuje wypisywania uprawnień"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "wtyczka polityki %s nie obsługuje opcji -v"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "wtyczka polityki %s nie obsługuje opcji -k/-K"
#, c-format
msgid "unable to restore stdin"
msgstr "nie udało się przywrócić standardowego wejścia"
+
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie emalloc2()"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "błąd wewnętrzny, przepełnienie erealloc3()"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: musi być wczytana przynajmniej jedna wtyczka polityki"
# Yuri Kozlov <yuray@komyakino.ru>, 2011, 2012.
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5rc3\n"
+"Project-Id-Version: sudo 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-30 08:23+0400\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-14 20:51+0400\n"
"Last-Translator: Yuri Kozlov <yuray@komyakino.ru>\n"
"Language-Team: Russian <gnu@mx.ru>\n"
-"Language: \n"
+"Language: ru\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Lokalize 1.2\n"
+"X-Generator: Lokalize 1.4\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "не удаётся открыть userdb"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "не удаётся переключиться на реестр «%s» для %s"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "не удаётся восстановить реестр"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "не удаётся выделить память"
msgid "internal error, tried to emalloc2(0)"
msgstr "внутренняя ошибка, попытка выполнить emalloc2(0)"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "внутренняя ошибка, переполнение emalloc2()"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "внутренняя ошибка, переполнение %s"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "внутренняя ошибка, попытка выполнить ecalloc(0)"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "внутренняя ошибка, переполнение ecalloc()"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "внутренняя ошибка, попытка выполнить erealloc(0)"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "внутренняя ошибка, попытка выполнить erealloc3(0)"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "внÑ\83Ñ\82Ñ\80еннÑ\8fÑ\8f оÑ\88ибка, пеÑ\80еполнение erealloc3()"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "внÑ\83Ñ\82Ñ\80еннÑ\8fÑ\8f оÑ\88ибка, попÑ\8bÑ\82ка вÑ\8bполниÑ\82Ñ\8c ereÑ\81alloc(0)"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "не удалось выполнить вызов stat %s"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s не является обычным файлом"
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s принадлежит пользователю с uid %u, а должен принадлежать пользователю с uid %u"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "доступ на запись в %s разрешена всем"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "доступ на запись в %s разрешена группе"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "не удаётся открыть %s"
msgid ": "
msgstr ": "
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "модулю политик не удалось инициализировать сеанс"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "не удаётся создать дочерний процесс"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "не удаётся создать сокеты"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "не удаётся создать канал"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "ошибка select"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "не удаётся создать восстановить метку tty"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "не удаётся удалить PRIV_PROC_EXEC из PRIV_LIMIT"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "не удаётся выделить pty"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "не удаётся перевести терминал в «сырой» режим"
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "не удаётся установить управляющий tty"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "ошибка чтения из сигнального канала"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "ошибка чтения из канала"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "ошибка чтения из пары сокетов"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "неожиданный тип ответа в резервном канале: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "%s должен принадлежать пользователю с uid %d"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "%s должен быть доступен на запись только владельцу"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "не удаётся выполнить dlopen для %s: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: не удаётся найти символ %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: неизвестный тип политики %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: несовместимая основная версия политики %d, ожидалась %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: может быть загружен только один модуль политики"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: необходимо указать не менее одного модуля политики"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "модуль политики %s не содержит метод check_policy"
msgid "the `-A' and `-S' options may not be used together"
msgstr "параметры «-A» и «-S» являются взаимоисключающими"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit не поддерживается на этой платформе"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Можно указать только параметры -e, -h, -i, -K, -l, -s, -v или -V"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s — редактирование файлов от имени другого пользователя\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s — выполнение команд от имени другого пользователя\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Параметры:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "использовать вспомогательную программу для ввода пароля\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "использовать указанный тип проверки подлинности BSD\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "выполнить команду в фоновом режиме\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "закрыть все дескрипторы файлов >= fd\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "выполнить команду с указанным классом входа в систему\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "сохранить пользовательскую среду при выполнении команды\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "редактировать файлы вместо выполнения команды\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "выполнить команду от имени указанной группы\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "установить для переменной HOME домашний каталог указанного пользователя\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "показать справку и выйти\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "запустить оболочку входа в систему от имени указанного пользователя\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "полностью удалить файл timestamp\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "объявить недействительным файл timestamp\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "вывести список команд, доступных пользователю\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "автономный режим без не вывода запросов пользователю\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "сохранить вектор группы вместо установки целевой группы\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "использовать указанный запрос пароля\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "создать контекст безопасности SELinux с указанной ролью\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "читать пароль из стандартного ввода\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "запустить оболочку от имени указанного пользователя\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "при выводе списка показать привилегии пользователя\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "выполнить команду (или редактировать файл) от имени указанного пользователя\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "показать сведения о версии и выйти\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "обновить временную метку пользователя без выполнения команды\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "прекратить обработку аргументов командной строки\n"
msgid "unknown uid %u: who are you?"
msgstr "неизвестный uid %u: кто вы?"
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s должен принадлежать пользователю с uid %d и иметь бит setuid"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "эффективный uid не равен %d, возможно, %s находится в файловой системе, смонтированной с битом «nosuid» или в файловой системе NFS без прав суперпользователя?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "эффективный uid не равен %d, программа sudo установлена с битом setuid и принадлежит root?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "достигнут лимит управления ресурсами"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "пользователь «%s» не является членом проекта «%s»"
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "вызывающе задание — последнее"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "не удалось присоединиться к проекту «%s»"
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "для проекта «%s» не существует пула ресурсов, принимающих привязки по умолчанию"
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "у проекта «%s» нет указанного пула ресурсов"
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "не удаётся подключиться к пулу ресурсов по умолчанию проекта «%s»"
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "setproject завершилась с ошибкой для проекта «%s»"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "предупреждение: назначение контроля за ресурсами завершилось с ошибкой для проекта «%s»"
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "неизвестный класс входа %s"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "не удаётся назначить контекст пользователя"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "не удаётся назначить дополнительные идентификаторы групп"
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "не удаётся назначить эффективный gid на runas gid %u"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "не удаётся назначить gid на runas gid %u"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "не удаётся назначить приоритет процесса"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "не удаётся изменить root на %s"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "не удаётся изменить на runas uid (%u, %u)"
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "не удаётся сменить каталог на %s"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "неожиданное условие завершения потомка: %d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "модуль политики %s не поддерживает списка прав"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "модуль политики %s не поддерживает параметр -v"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "модуль политики %s не поддерживает параметры -k/-K"
msgid "unable to restore stdin"
msgstr "не удаётся восстановить стандартный ввод"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "внутренняя ошибка, переполнение emalloc2()"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "внутренняя ошибка, переполнение erealloc3()"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: необходимо указать не менее одного модуля политики"
+
#~ msgid "must be setuid root"
#~ msgstr "требуется setuid пользователя root"
--- /dev/null
+# Slovenian translation of sudo.
+# This file is put in the public domain.
+# This file is distributed under the same license as the sudo package.
+#
+# Damir Jerovšek <damir.jerovsek@gmail.com>, 2012.
+# Klemen Košir <klemen.kosir@gmx.com>, 2012.
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: sudo 1.8.6b4\n"
+"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-13 22:13+0100\n"
+"Last-Translator: Klemen Košir <klemen.kosir@gmx.com>\n"
+"Language-Team: Slovenian <translation-team-sl@lists.sourceforge.net>\n"
+"Language: sl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#: common/aix.c:150
+#, c-format
+msgid "unable to open userdb"
+msgstr "ni mogoče odpreti userdb"
+
+#: common/aix.c:153
+#, c-format
+msgid "unable to switch to registry \"%s\" for %s"
+msgstr "ni mogoče preklopiti na vpisnik \"%s\" za %s"
+
+#: common/aix.c:170
+#, c-format
+msgid "unable to restore registry"
+msgstr "ni mogoče obnoviti vpisnika"
+
+#: common/alloc.c:82
+msgid "internal error, tried to emalloc(0)"
+msgstr "notranja napaka, poskus uporabe emalloc(0)"
+
+#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
+#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
+#, c-format
+msgid "unable to allocate memory"
+msgstr "ni mogoče dodeliti pomnilnika"
+
+#: common/alloc.c:99
+msgid "internal error, tried to emalloc2(0)"
+msgstr "notranja napaka, poskus uporabe emalloc2(0)"
+
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "notranja napaka, prekoračitev funkcije %s"
+
+#: common/alloc.c:120
+msgid "internal error, tried to ecalloc(0)"
+msgstr "notranja napaka med izvajanjem funkcije ecalloc(0)"
+
+#: common/alloc.c:142
+msgid "internal error, tried to erealloc(0)"
+msgstr "notranja napaka, poskus uporabe erealloc(0)"
+
+#: common/alloc.c:161
+msgid "internal error, tried to erealloc3(0)"
+msgstr "notranja napaka, poskus uporabe erealloc3(0)"
+
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "notranja napaka, poskus uporabe erealloc(0)"
+
+#: common/sudo_conf.c:305
+#, c-format
+msgid "unable to stat %s"
+msgstr "stanja datoteke %s ni mogoče izpisati"
+
+#: common/sudo_conf.c:308
+#, c-format
+msgid "%s is not a regular file"
+msgstr "%s ni običajna datoteka"
+
+#: common/sudo_conf.c:311
+#, c-format
+msgid "%s is owned by uid %u, should be %u"
+msgstr "%s je v lasti uporabnika z ID-jem %u, moral bi biti %u"
+
+#: common/sudo_conf.c:315
+#, c-format
+msgid "%s is world writable"
+msgstr "v datoteko %s lahko zapisujejo vsi uporabniki"
+
+#: common/sudo_conf.c:318
+#, c-format
+msgid "%s is group writable"
+msgstr "%s"
+
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#, c-format
+msgid "unable to open %s"
+msgstr "ni mogoče odpreti %s"
+
+#: compat/strsignal.c:47
+msgid "Unknown signal"
+msgstr "Neznan signal"
+
+#: src/error.c:82 src/error.c:86
+msgid ": "
+msgstr ": "
+
+#: src/exec.c:113 src/exec_pty.c:674
+#, c-format
+msgid "policy plugin failed session initialization"
+msgstr "vstavek za pravilnik ni mogel zagnati seje"
+
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
+#, c-format
+msgid "unable to fork"
+msgstr "ni mogoče razvejiti"
+
+#: src/exec.c:268
+#, c-format
+msgid "unable to create sockets"
+msgstr "ni mogoče ustvariti vtičev"
+
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
+#, c-format
+msgid "unable to create pipe"
+msgstr "ni mogoče ustvariti cevi"
+
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
+#, c-format
+msgid "select failed"
+msgstr "izbira je spodletela"
+
+#: src/exec.c:467
+#, c-format
+msgid "unable to restore tty label"
+msgstr "ni mogoče obnoviti oznake tty"
+
+#: src/exec_common.c:69
+#, c-format
+msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
+msgstr "ni mogoče odstraniti PRIV_PROC_EXEC iz PRIV_LIMIT"
+
+#: src/exec_pty.c:183
+#, c-format
+msgid "unable to allocate pty"
+msgstr "ni mogoče dodeliti pty"
+
+#: src/exec_pty.c:665
+#, c-format
+msgid "unable to set terminal to raw mode"
+msgstr "ni mogoče postaviti terminala v surov način"
+
+#: src/exec_pty.c:1013
+#, c-format
+msgid "unable to set controlling tty"
+msgstr "ni mogoče nastaviti nadzora tty"
+
+#: src/exec_pty.c:1111
+#, c-format
+msgid "error reading from signal pipe"
+msgstr "napaka med branjem iz cevi signala"
+
+#: src/exec_pty.c:1132
+#, c-format
+msgid "error reading from pipe"
+msgstr "napaka med branjem iz cevovoda"
+
+#: src/exec_pty.c:1148
+#, c-format
+msgid "error reading from socketpair"
+msgstr "napaka med branjem iz para vtičev"
+
+#: src/exec_pty.c:1152
+#, c-format
+msgid "unexpected reply type on backchannel: %d"
+msgstr "nepričakovana vrsta odgovora na ozadnem kanalu: %d"
+
+#: src/load_plugins.c:74
+#, c-format
+msgid "%s: %s"
+msgstr "%s: %s"
+
+#: src/load_plugins.c:80
+#, c-format
+msgid "%s%s: %s"
+msgstr "%s%s: %s"
+
+#: src/load_plugins.c:90
+#, c-format
+msgid "%s must be owned by uid %d"
+msgstr "%s mora biti v lasti ID-ja uporabnika %d"
+
+#: src/load_plugins.c:94
+#, c-format
+msgid "%s must be only be writable by owner"
+msgstr "%s mora biti zapisljiv samo za lastnika"
+
+#: src/load_plugins.c:101
+#, c-format
+msgid "unable to dlopen %s: %s"
+msgstr "ni mogoče uporabiti dlopen %s: %s"
+
+#: src/load_plugins.c:106
+#, c-format
+msgid "%s: unable to find symbol %s"
+msgstr "%s: ni mogoče najti simbola %s"
+
+#: src/load_plugins.c:112
+#, c-format
+msgid "%s: unknown policy type %d"
+msgstr "%s: neznana vrsta pravilnika %d"
+
+#: src/load_plugins.c:116
+#, c-format
+msgid "%s: incompatible policy major version %d, expected %d"
+msgstr "%s: nezdružljiva glavna različica pravil %d, pričakovana %d"
+
+#: src/load_plugins.c:123
+#, c-format
+msgid "%s: only a single policy plugin may be loaded"
+msgstr "%s: naložen je lahko le en vstavek pravilnika"
+
+#: src/load_plugins.c:200
+#, c-format
+msgid "policy plugin %s does not include a check_policy method"
+msgstr "vstavek pravilnika %s ne vključuje načina check_policy"
+
+#: src/net_ifs.c:157 src/net_ifs.c:166 src/net_ifs.c:178 src/net_ifs.c:187
+#: src/net_ifs.c:298 src/net_ifs.c:322
+#, c-format
+msgid "load_interfaces: overflow detected"
+msgstr "load_interfaces: zaznana je bila prekoračitev"
+
+#: src/net_ifs.c:227
+#, c-format
+msgid "unable to open socket"
+msgstr "ni mogoče odpreti vtiča"
+
+#: src/parse_args.c:187
+#, c-format
+msgid "the argument to -C must be a number greater than or equal to 3"
+msgstr "argument k -C mora biti številka, večja kot ali enaka 3"
+
+#: src/parse_args.c:276
+#, c-format
+msgid "unknown user: %s"
+msgstr "neznan uporabnik: %s"
+
+#: src/parse_args.c:335
+#, c-format
+msgid "you may not specify both the `-i' and `-s' options"
+msgstr "možnosti `-i' in `-s' ne smeta biti navedeni hkrati"
+
+#: src/parse_args.c:339
+#, c-format
+msgid "you may not specify both the `-i' and `-E' options"
+msgstr "možnosti `-i' in `-E' ne smeta biti navedeni hkrati"
+
+#: src/parse_args.c:349
+#, c-format
+msgid "the `-E' option is not valid in edit mode"
+msgstr "možnost `-E' ni veljavna v načinu urejanja"
+
+#: src/parse_args.c:351
+#, c-format
+msgid "you may not specify environment variables in edit mode"
+msgstr "v načinu urejanja se ne sme podati spremenljivk okolja"
+
+#: src/parse_args.c:359
+#, c-format
+msgid "the `-U' option may only be used with the `-l' option"
+msgstr "možnost `-U' se lahko uporabi samo z možnostjo `-l'"
+
+#: src/parse_args.c:363
+#, c-format
+msgid "the `-A' and `-S' options may not be used together"
+msgstr "možnosti `-A' in `-S' se ne smeta uporabljati hkrati"
+
+#: src/parse_args.c:443
+#, c-format
+msgid "sudoedit is not supported on this platform"
+msgstr "sudoedit ni podprt v tem okolju"
+
+#: src/parse_args.c:516
+#, c-format
+msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
+msgstr "Od -e, -h, -i, -K, -l, -s, -v ali -V je lahko navedena samo ena možnost"
+
+#: src/parse_args.c:530
+#, c-format
+msgid ""
+"%s - edit files as another user\n"
+"\n"
+msgstr ""
+"%s - urejaj datoteke kot drug uporabnik\n"
+"\n"
+
+#: src/parse_args.c:532
+#, c-format
+msgid ""
+"%s - execute a command as another user\n"
+"\n"
+msgstr ""
+"%s - izvedi ukaz kot drug uporabnik\n"
+"\n"
+
+#: src/parse_args.c:537
+#, c-format
+msgid ""
+"\n"
+"Options:\n"
+msgstr ""
+"\n"
+"Možnosti:\n"
+
+#: src/parse_args.c:540
+msgid "use helper program for password prompting\n"
+msgstr "uporabi program pomagalnik za pozive za vnos gesla\n"
+
+#: src/parse_args.c:543
+msgid "use specified BSD authentication type\n"
+msgstr "uporabi navedeno vrsto urejanja BSD\n"
+
+#: src/parse_args.c:545
+msgid "run command in the background\n"
+msgstr "zaženi ukaz v ozadju\n"
+
+#: src/parse_args.c:547
+msgid "close all file descriptors >= fd\n"
+msgstr "zapri vse opisnike datotek >= fd\n"
+
+#: src/parse_args.c:550
+msgid "run command with specified login class\n"
+msgstr "zaženi ukaz z navedenim prijavnim razredom\n"
+
+#: src/parse_args.c:553
+msgid "preserve user environment when executing command\n"
+msgstr "ohrani okolje uporabnika, kadar se izvajajo ukazi\n"
+
+#: src/parse_args.c:555
+msgid "edit files instead of running a command\n"
+msgstr "namesto izvedbe ukaza uredi datoteke\n"
+
+#: src/parse_args.c:557
+msgid "execute command as the specified group\n"
+msgstr "izvedi ukaz kot navedena skupina\n"
+
+#: src/parse_args.c:559
+msgid "set HOME variable to target user's home dir.\n"
+msgstr "nastavi spremenljivko HOME kot cilj v domači mapi uporabnika\n"
+
+#: src/parse_args.c:561
+msgid "display help message and exit\n"
+msgstr "prikaži sporočilo pomoči in končaj\n"
+
+#: src/parse_args.c:563
+msgid "run a login shell as target user\n"
+msgstr "zaženi lupino prijave kot ciljni uporabnik\n"
+
+#: src/parse_args.c:565
+msgid "remove timestamp file completely\n"
+msgstr "popolnoma odstrani datoteko s časovnimi žigi\n"
+
+#: src/parse_args.c:567
+msgid "invalidate timestamp file\n"
+msgstr "razveljavi veljavnost datoteke s časovnimi žigi\n"
+
+#: src/parse_args.c:569
+msgid "list user's available commands\n"
+msgstr "prikaži razpoložljive ukaze uporabnika\n"
+
+#: src/parse_args.c:571
+msgid "non-interactive mode, will not prompt user\n"
+msgstr "nevzajemni način, ne bo poziva uporabnika\n"
+
+#: src/parse_args.c:573
+msgid "preserve group vector instead of setting to target's\n"
+msgstr "ohrani vektor skupine namesto nastavitve tarči\n"
+
+#: src/parse_args.c:575
+msgid "use specified password prompt\n"
+msgstr "uporabi določen poziv za vnos gesla\n"
+
+#: src/parse_args.c:578 src/parse_args.c:586
+msgid "create SELinux security context with specified role\n"
+msgstr "ustvari varnostno vsebino SELinux z določeno vlogo\n"
+
+#: src/parse_args.c:581
+msgid "read password from standard input\n"
+msgstr "preberi geslo s standardnega vnosa\n"
+
+#: src/parse_args.c:583
+msgid "run a shell as target user\n"
+msgstr "zaženi lupino kot ciljni uporabnik\n"
+
+#: src/parse_args.c:589
+msgid "when listing, list specified user's privileges\n"
+msgstr "med naštevanjem prikaži določena dovoljenja uporabnika\n"
+
+#: src/parse_args.c:591
+msgid "run command (or edit file) as specified user\n"
+msgstr "zaženi ukaz (ali uredi datoteko) kot določen uporabnik\n"
+
+#: src/parse_args.c:593
+msgid "display version information and exit\n"
+msgstr "prikaži podrobnosti različice in končaj\n"
+
+#: src/parse_args.c:595
+msgid "update user's timestamp without running a command\n"
+msgstr "posodobi časovni žig uporabnika brez izvajanja ukaza\n"
+
+#: src/parse_args.c:597
+msgid "stop processing command line arguments\n"
+msgstr "zaustavi obdelovanje argumentov ukazne vrstice\n"
+
+#: src/selinux.c:77
+#, c-format
+msgid "unable to open audit system"
+msgstr "ni mogoče odpreti nadzornega sistema"
+
+#: src/selinux.c:85
+#, c-format
+msgid "unable to send audit message"
+msgstr "ni mogoče poslati nadzornega sporočila"
+
+#: src/selinux.c:113
+#, c-format
+msgid "unable to fgetfilecon %s"
+msgstr "ni mogoče uporabiti fgetfilecon %s"
+
+#: src/selinux.c:118
+#, c-format
+msgid "%s changed labels"
+msgstr "%s spremenjenih oznak"
+
+#: src/selinux.c:123
+#, c-format
+msgid "unable to restore context for %s"
+msgstr "ni mogoče obnoviti vsebine za %s"
+
+#: src/selinux.c:163
+#, c-format
+msgid "unable to open %s, not relabeling tty"
+msgstr "ni mogoče odpreti %s, brez ponovnega označevanja tty"
+
+#: src/selinux.c:172
+#, c-format
+msgid "unable to get current tty context, not relabeling tty"
+msgstr "ni mogoče pridobiti trenutne vsebine tty, brez ponovnega označevanja tty"
+
+#: src/selinux.c:179
+#, c-format
+msgid "unable to get new tty context, not relabeling tty"
+msgstr "ni mogoče pridobiti nove vsebine tty, brez ponovnega označevanja tty"
+
+#: src/selinux.c:186
+#, c-format
+msgid "unable to set new tty context"
+msgstr "ni mogoče nastaviti nove vsebine tty"
+
+#: src/selinux.c:252
+#, c-format
+msgid "you must specify a role for type %s"
+msgstr "podati morate vlogo za vrsto %s"
+
+#: src/selinux.c:258
+#, c-format
+msgid "unable to get default type for role %s"
+msgstr "ni mogoče pridobiti privzete vrste za vlogo %s"
+
+#: src/selinux.c:276
+#, c-format
+msgid "failed to set new role %s"
+msgstr "nastavitev nove vloge %s ni uspela"
+
+#: src/selinux.c:280
+#, c-format
+msgid "failed to set new type %s"
+msgstr "nastavitev nove vrste %s ni uspela"
+
+#: src/selinux.c:289
+#, c-format
+msgid "%s is not a valid context"
+msgstr "%s ni veljavna vsebina"
+
+#: src/selinux.c:324
+#, c-format
+msgid "failed to get old_context"
+msgstr "pridobitev stare_vsebine je spodletela"
+
+#: src/selinux.c:330
+#, c-format
+msgid "unable to determine enforcing mode."
+msgstr "ni mogoče določiti načina vsiljenja"
+
+#: src/selinux.c:342
+#, c-format
+msgid "unable to setup tty context for %s"
+msgstr "ni mogoče nastaviti vsebine tty za %s"
+
+#: src/selinux.c:373
+#, c-format
+msgid "unable to set exec context to %s"
+msgstr "ni mogoče nastavite izvedene vsebine k %s"
+
+#: src/selinux.c:380
+#, c-format
+msgid "unable to set key creation context to %s"
+msgstr "ni mogoče nastaviti vsebine ustvarjenja ključa k %s"
+
+#: src/sesh.c:70
+#, c-format
+msgid "requires at least one argument"
+msgstr "zahteva vsaj en argument"
+
+#: src/sesh.c:91
+#, c-format
+msgid "unable to execute %s"
+msgstr "ni mogoče izvršiti %s"
+
+#: src/sudo.c:211
+#, c-format
+msgid "Sudo version %s\n"
+msgstr "Sudo različica %s\n"
+
+#: src/sudo.c:213
+#, c-format
+msgid "Configure options: %s\n"
+msgstr "Nastavitev možnosti: %s\n"
+
+#: src/sudo.c:218
+#, c-format
+msgid "fatal error, unable to load plugins"
+msgstr "usodna napaka, ni mogoče naložiti vstavka"
+
+#: src/sudo.c:226
+#, c-format
+msgid "unable to initialize policy plugin"
+msgstr "ni mogoče začenjati vstavka pravilnika"
+
+#: src/sudo.c:281
+#, c-format
+msgid "error initializing I/O plugin %s"
+msgstr "napaka med začenjanjem I/O vstavka %s"
+
+#: src/sudo.c:306
+#, c-format
+msgid "unexpected sudo mode 0x%x"
+msgstr "nepričakovan način sudo 0x%x"
+
+#: src/sudo.c:400
+#, c-format
+msgid "unable to get group vector"
+msgstr "ni mogoče pridobiti vektorja skupine"
+
+#: src/sudo.c:452
+#, c-format
+msgid "unknown uid %u: who are you?"
+msgstr "neznan ID uporabnika %u: kdo ste?"
+
+#: src/sudo.c:782
+#, c-format
+msgid "%s must be owned by uid %d and have the setuid bit set"
+msgstr "%s si mora lastiti uporabnik z ID-jem %d and mora imeti nastavljen bit setuid"
+
+#: src/sudo.c:785
+#, c-format
+msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
+msgstr "trenutni ID uporabnika ni %d. Ali je %s na datotečnem sistemu z nastavljeno možnostjo \"nosuid\" ali datotečnem sistemu NFS brez dovoljenj skrbnika?"
+
+#: src/sudo.c:791
+#, c-format
+msgid "effective uid is not %d, is sudo installed setuid root?"
+msgstr "trenutni uid ni %d. Ali je sudo pravilno nameščen?"
+
+#: src/sudo.c:860
+#, c-format
+msgid "resource control limit has been reached"
+msgstr "meja omejitve virov je bila dosežena"
+
+#: src/sudo.c:863
+#, c-format
+msgid "user \"%s\" is not a member of project \"%s\""
+msgstr "uporabnik \"%s\" ni član projekta \"%s\""
+
+#: src/sudo.c:867
+#, c-format
+msgid "the invoking task is final"
+msgstr "priklicana naloga je končna"
+
+#: src/sudo.c:870
+#, c-format
+msgid "could not join project \"%s\""
+msgstr "ni mogoče pridružiti projekta \"%s\""
+
+#: src/sudo.c:875
+#, c-format
+msgid "no resource pool accepting default bindings exists for project \"%s\""
+msgstr "nobene zaloge virov, ki sprejemajo privzete vezi, ne obstajajo za projekt \"% s\""
+
+#: src/sudo.c:879
+#, c-format
+msgid "specified resource pool does not exist for project \"%s\""
+msgstr "določen vir zalog ne obstaja za projekt \"%s\""
+
+#: src/sudo.c:883
+#, c-format
+msgid "could not bind to default resource pool for project \"%s\""
+msgstr "ni mogoče vezati na privzet vir zalog za projekt \"%s\""
+
+#: src/sudo.c:889
+#, c-format
+msgid "setproject failed for project \"%s\""
+msgstr "setproject je spodletel za projekt \"%s\""
+
+#: src/sudo.c:891
+#, c-format
+msgid "warning, resource control assignment failed for project \"%s\""
+msgstr "opozorilo, naloga nadzora virov je spodletela za projekt \"%s\""
+
+#: src/sudo.c:959
+#, c-format
+msgid "unknown login class %s"
+msgstr "neznan razred prijave %s"
+
+#: src/sudo.c:973 src/sudo.c:976
+#, c-format
+msgid "unable to set user context"
+msgstr "ni mogoče nastaviti vsebine uporabnika"
+
+#: src/sudo.c:988
+#, c-format
+msgid "unable to set supplementary group IDs"
+msgstr "ni mogoče nastaviti dopolnilnih ID-jev skupin"
+
+#: src/sudo.c:995
+#, c-format
+msgid "unable to set effective gid to runas gid %u"
+msgstr "ni mogoče nastaviti učinkovitega ID-ja skupine, da se zažene kot ID skupine %u"
+
+#: src/sudo.c:1001
+#, c-format
+msgid "unable to set gid to runas gid %u"
+msgstr "ni mogoče nastaviti ID-ja skupine, da se zažene kot ID skupine %u"
+
+#: src/sudo.c:1008
+#, c-format
+msgid "unable to set process priority"
+msgstr "ni mogoče nastaviti prednosti opravil"
+
+#: src/sudo.c:1016
+#, c-format
+msgid "unable to change root to %s"
+msgstr "ni mogoče spremeniti skrbnika v %s"
+
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
+#, c-format
+msgid "unable to change to runas uid (%u, %u)"
+msgstr "ni mogoče spremeniti ID uporabnika zaženi kot (%u, %u)"
+
+#: src/sudo.c:1049
+#, c-format
+msgid "unable to change directory to %s"
+msgstr "ni mogoče spremeniti mape v %s"
+
+#: src/sudo.c:1133
+#, c-format
+msgid "unexpected child termination condition: %d"
+msgstr "nepričakovan pogoj uničenja podrejenega opravila: %d"
+
+#: src/sudo.c:1194
+#, c-format
+msgid "policy plugin %s does not support listing privileges"
+msgstr "vstavek pravilnika %s ne podpira navajanja dovoljenj"
+
+#: src/sudo.c:1206
+#, c-format
+msgid "policy plugin %s does not support the -v option"
+msgstr "vstavek pravilnika %s ne podpira možnosti -v"
+
+#: src/sudo.c:1218
+#, c-format
+msgid "policy plugin %s does not support the -k/-K options"
+msgstr "vstavek pravilnika %s ne podpira možnosti -k/-K"
+
+#: src/sudo_edit.c:111
+#, c-format
+msgid "unable to change uid to root (%u)"
+msgstr "ni mogoče spremeniti ID-ja uporabnika v skrbnika (%u)"
+
+#: src/sudo_edit.c:143
+#, c-format
+msgid "plugin error: missing file list for sudoedit"
+msgstr "napaka vstavka: manjka seznam datotek za sudoedit"
+
+#: src/sudo_edit.c:171 src/sudo_edit.c:271
+#, c-format
+msgid "%s: not a regular file"
+msgstr "%s: ni običajna datoteka"
+
+#: src/sudo_edit.c:205 src/sudo_edit.c:307
+#, c-format
+msgid "%s: short write"
+msgstr "%s: kratko pisanje"
+
+#: src/sudo_edit.c:272
+#, c-format
+msgid "%s left unmodified"
+msgstr "%s je ostalo nespremenjeno"
+
+#: src/sudo_edit.c:285
+#, c-format
+msgid "%s unchanged"
+msgstr "%s nespremenjeno"
+
+#: src/sudo_edit.c:297 src/sudo_edit.c:318
+#, c-format
+msgid "unable to write to %s"
+msgstr "ni mogoče pisati v %s"
+
+#: src/sudo_edit.c:298 src/sudo_edit.c:316 src/sudo_edit.c:319
+#, c-format
+msgid "contents of edit session left in %s"
+msgstr "vsebina seje urejanja je ostala v %s"
+
+#: src/sudo_edit.c:315
+#, c-format
+msgid "unable to read temporary file"
+msgstr "ni mogoče brati začasne datoteke"
+
+#: src/tgetpass.c:90
+#, c-format
+msgid "no tty present and no askpass program specified"
+msgstr "prisotnega ni nobenega tty in določen ni noben program askpass"
+
+#: src/tgetpass.c:99
+#, c-format
+msgid "no askpass program specified, try setting SUDO_ASKPASS"
+msgstr "določenega ni nobenega programa askpass, poskusite nastaviti SUDO_ASKPASS"
+
+#: src/tgetpass.c:231
+#, c-format
+msgid "unable to set gid to %u"
+msgstr "ni mogoče nastaviti ID skupine v %u"
+
+#: src/tgetpass.c:235
+#, c-format
+msgid "unable to set uid to %u"
+msgstr "ni mogoče nastaviti ID uporabnika v %u"
+
+#: src/tgetpass.c:240
+#, c-format
+msgid "unable to run %s"
+msgstr "ni mogoče zagnati %s"
+
+#: src/utmp.c:278
+#, c-format
+msgid "unable to save stdin"
+msgstr "ni mogoče shraniti stdin"
+
+#: src/utmp.c:280
+#, c-format
+msgid "unable to dup2 stdin"
+msgstr "ni mogoče uporabiti dup2 za stdin"
+
+#: src/utmp.c:283
+#, c-format
+msgid "unable to restore stdin"
+msgstr "ni mogoče obnoviti stdin"
+
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "notranja napaka, prekoračitev emalloc2(0)"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "notranja napaka, prekoračitev erealloc3(0)"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: naveden mora biti vsaj en vstavek pravilnika"
#, fuzzy
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5\n"
+"Project-Id-Version: sudo 1.8.6\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Content-Type: text/plain; charset=CHARSET\n"
"Content-Transfer-Encoding: 8bit\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr ""
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr ""
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr ""
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr ""
msgid "internal error, tried to emalloc2(0)"
msgstr ""
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
msgstr ""
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr ""
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr ""
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr ""
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr ""
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
msgstr ""
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr ""
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr ""
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr ""
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr ""
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr ""
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr ""
msgid ": "
msgstr ""
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr ""
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr ""
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr ""
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr ""
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr ""
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr ""
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr ""
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr ""
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr ""
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr ""
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr ""
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr ""
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr ""
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr ""
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr ""
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr ""
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr ""
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr ""
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr ""
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr ""
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr ""
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr ""
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr ""
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr ""
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr ""
msgid "the `-A' and `-S' options may not be used together"
msgstr ""
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr ""
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid ""
"Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr ""
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"\n"
msgstr ""
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"\n"
msgstr ""
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"Options:\n"
msgstr ""
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr ""
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr ""
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr ""
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr ""
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr ""
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr ""
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr ""
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr ""
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr ""
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr ""
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr ""
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr ""
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr ""
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr ""
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr ""
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr ""
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr ""
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr ""
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr ""
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr ""
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr ""
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr ""
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr ""
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr ""
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr ""
msgid "unknown uid %u: who are you?"
msgstr ""
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr ""
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid ""
"effective uid is not %d, is %s on a file system with the 'nosuid' option set "
"or an NFS file system without root privileges?"
msgstr ""
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr ""
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr ""
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr ""
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr ""
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr ""
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr ""
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr ""
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr ""
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr ""
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr ""
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr ""
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr ""
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr ""
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr ""
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr ""
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr ""
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr ""
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr ""
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr ""
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr ""
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr ""
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr ""
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr ""
# Yuri Chornoivan <yurchor@ukr.net>, 2011, 2012.
msgid ""
msgstr ""
-"Project-Id-Version: sudo 1.8.5rc3\n"
+"Project-Id-Version: sudo 1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 12:02+0300\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-13 21:36+0300\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian <translation-team-uk@lists.sourceforge.net>\n"
"Language: uk\n"
"X-Generator: Lokalize 1.5\n"
"Plural-Forms: nplurals=1; plural=0;\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "не вдалося відкрити userdb"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "не вдалося перемкнутися на регістр «%s» для %s"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "не вдалося відновити регістр"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "не вдалося отримати потрібний об’єм пам’яті"
msgid "internal error, tried to emalloc2(0)"
msgstr "внутрішня помилка, спроба виконання emalloc2(0)"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "внутрішня помилка, переповнення emalloc2()"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "внутрішня помилка, переповнення %s"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "внутрішня помилка, спроба виконання ecalloc(0)"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "внутрішня помилка, переповнення ecalloc()"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "внутрішня помилка, спроба виконання erealloc(0)"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "внутрішня помилка, спроба виконання erealloc3(0)"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "внутрішня помилка, переповнення erealloc3()"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "внутрішня помилка, спроба виконання erecalloc(0)"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "не вдалося виконати stat для %s"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s не є звичайним файлом"
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s належить uid %u, має належати %u"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "Запис до «%s» можливий для довільного користувача"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "Запис до «%s» може здійснювати будь-який користувач з групи"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "не вдалося відкрити %s"
msgid ": "
msgstr ": "
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "не вдалося виконати ініціалізацію сеансу через додаток правил"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "не вдалося створити відгалуження"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "не вдалося створити сокети"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "не вдалося створити канал"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "спроба виконати select зазнала невдачі"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "не вдалося відновити позначку tty"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "не вдалося вилучити PRIV_PROC_EXEC з PRIV_LIMIT"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "не вдалося розмістити pty"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "не вдалося перевести термінал у режим без обробки"
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "не вдалося встановити tty для керування"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "помилка під час спроби читання з каналу сигналів"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "помилка під час спроби читання з каналу"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "помилка під час спроби читання з пари сокетів"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "неочікуваний тип відповіді на зворотному каналі: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "%s має належати користувачеві з uid %d"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "%s має бути доступним до запису лише для власника"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "не вдалося виконати dlopen для %s: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: не вдалося знайти символ %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: невідомий тип правил %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: несумісна основна версія правил %d, мало бути — %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: можна завантажувати лише єдиний додаток правил"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: мало бути вказано принаймні один додаток правил"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "до додатка правил %s не включено метод check_policy"
msgid "the `-A' and `-S' options may not be used together"
msgstr "параметри «-A» і «-S» не можна використовувати одночасно"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "підтримки sudoedit для цієї платформи не передбачено"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Можна використовувати лише такі параметри: -e, -h, -i, -K, -l, -s, -v та -V"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s — редагувати файли від імені іншого користувача\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s — виконати команду від імені іншого користувача\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Параметри:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "використовувати допоміжну програму для запитів щодо пароля\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "використовувати вказаний тип розпізнавання BSD\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "виконати команду у фоновому режимі\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "закрити всі дескриптори файлів >= fd\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "виконати команду з вказаним класом доступу\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "зберегти середовище користувача на час виконання команди\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "редагувати файли замість виконання команди\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "виконати команду від імені вказаної групи користувачів\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "встановити для змінної HOME значення домашнього каталогу вказаного користувача.\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "показати довідкове повідомлення і завершити роботу\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "запустити оболонку для входу до системи від імені вказаного користувача\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "повністю вилучити файл часового штампу\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "позбавити чинності файл часового штампу\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "показати список доступних користувачеві команд\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "неінтерактивний режим, не просити користувача відповідати на питання\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "зберегти вектор групи, не встановлювати вектор вказаного користувача\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "використовувати вказаний інструмент отримання паролів\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "створити контекст захисту SELinux з вказаною роллю\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "прочитати пароль зі стандартного джерела вхідних даних\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "запустити командну оболонку від імені вказаного користувача\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "у списку показати права доступу вказаного користувача\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "виконати команду (або редагувати файл) від імені вказаного користувача\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "показати дані щодо версії і завершити роботу\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "оновити штамп часу користувача без виконання команди\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "зупинити обробку аргументів командного рядка\n"
msgid "unknown uid %u: who are you?"
msgstr "невідомий uid %u: хто ви такий?"
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s має належати користувачеві з uid %d, крім того, має бути встановлено біт setuid"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "поточним uid не є %d. Можливо %s зберігається у файловій системі зі встановленим параметром «nosuid» або у файловій системі NFS без прав доступу root?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "поточним uid не є %d, sudo встановлено з ідентифікатором користувача root?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "перевищено обмеження керування ресурсами"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "користувач «%s» не є учасником проекту «%s»"
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "викликане завдання є завершальним"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "не вдалося приєднатися до проекту «%s»"
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "для проекту «%s» не існує сховища ресурсів, яке приймає типові прив’язки"
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "у проекті «%s» не існує вказаного сховища ресурсів"
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "не вдалося виконати прив’язку до типового сховища ресурсів проекту «%s»"
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "помилка під час виконання setproject для проекту «%s»"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "попередження, помилка призначення керування ресурсами проекту «%s»"
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "невідомий клас входу %s"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "не вдалося встановити контекст користувача"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "не вдалося встановити ідентифікатори додаткових груп"
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "не вдалося встановити ефективний ідентифікатор групи для ідентифікатора групи запуску %u"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "не вдалося встановити ідентифікатор групи для ідентифікатора групи запуску %u"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "не вдалося встановити пріоритет процесу"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "не вдалося змінити root на %s"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "не вдалося змінити uid користувача, від імені якого відбувається виконання (%u, %u)"
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "не вдалося змінити каталог на %s"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "неочікувана умова переривання дочірнього процесу: %d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "у додатку правил %s не передбачено підтримки побудови списку прав доступу"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "у додатку правил %s не передбачено підтримки параметра -v"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "у додатку правил %s не передбачено підтримки параметрів -k/-K"
msgid "unable to restore stdin"
msgstr "не вдалося відновити stdin"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "внутрішня помилка, переповнення emalloc2()"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "внутрішня помилка, переповнення erealloc3()"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: мало бути вказано принаймні один додаток правил"
+
#~ msgid "must be setuid root"
#~ msgstr "має виконуватися з setuid root"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo-1.8.5rc3\n"
+"Project-Id-Version: sudo-1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-30 07:00+0700\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-14 13:34+0700\n"
"Last-Translator: Trần Ngọc Quân <vnwildman@gmail.com>\n"
"Language-Team: Vietnamese <translation-team-vi@lists.sourceforge.net>\n"
"Language: vi\n"
"X-Poedit-Country: VIET NAM\n"
"X-Poedit-SourceCharset: utf-8\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "không thể mở userdb"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "không thể chuyển đến sổ đăng ký \"%s\" cho %s"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "không thể phục hồi sổ đăng ký"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "không thể cấp phát vùng nhớ"
msgid "internal error, tried to emalloc2(0)"
msgstr "lỗi nội bộ, dùng thử erealloc2(0)"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "lỗi nội bộ, erealloc2() bị tràn"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "lỗi nội bộ, %s bị tràn"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "lỗi nội bộ, đã dùng thử ecalloc(0)"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "lỗi nội bộ, ecalloc() bị tràn"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "lỗi nội bộ, dùng thử erealloc(0)"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "lỗi nội bộ, dùng thử erealloc3(0)"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "lỗi nội bộ, erealloc3() bị tràn"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "lỗi nội bộ, đã dùng erecalloc(0)"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "không thể lấy trạng thái về %s"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s không phải tập tin thường"
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s được sở hữu bởi uid %u, nên là %u"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "%s ai ghi cũng được"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "%s là nhóm có thể ghi"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "không mở được %s"
msgid ": "
msgstr ": "
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "phần bổ xung chính sách gặp lỗi khi khởi tạo phiên"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "không thể tạo tiến trình con"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "không thể tạo sockets"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "không tạo được đường ống pipe"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "lựa chọn gặp lỗi"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "không thể phục hồi nhãn cho tty"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "không thể xóa bỏ PRIV_PROC_EXEC từ PRIV_LIMIT"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "không thể phân bổ pty"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "không thể đặt thiết bị cuối sang chế độ raw"
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "không thể đặt điều khiển cho tty"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "lỗi khi đọc từ đường ống dẫn tín hiệu"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "gặp lỗi khi đọc từ một đường ống dẫn lệnh"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "gặp lỗi khi đọc từ socketpair"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "kiểu trả về không như mong đợi từ backchannel: %d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s: %s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s: %s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "%s phải được sở hữu bởi uid %d"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "%s phải là những thứ chỉ có thể ghi bởi chủ sở hữu"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "không thể dlopen %s: %s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s: không thể tìm thấy liên kết tượng trưng (symbol) %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s: không hiểu kiểu chính sách %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s: chính sách không tương thích với phiên bản %d, mong chờ %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s: chỉ có một phần bổ xung chính sách được tải lên thôi"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s: phải xác định ít nhất một phần bổ xung chính sách"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "phần bổ xung chính sách %s không bao gồm phương thức kiểm tra chính sách"
msgid "the `-A' and `-S' options may not be used together"
msgstr "tùy chọn `-A' và `-S' không thể dùng cùng một lúc với nhau"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "sudoedit không được hỗ trợ trên nền tảng này"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "Chỉ có một trong số các tùy chọn -e, -h, -i, -K, -l, -s, -v hay -V được chỉ định"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - sửa chữa các tập tin trên danh nghĩa người dùng khác\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - thực hiện câu lệnh với người dùng khác\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"Tùy chọn:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "sử dụng chương trình trợ giúp cho hỏi đáp mật khẩu\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "sử dụng kiểu xác thực BSD được chỉ ra\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "chạy lệnh ở chế độ nền\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "đóng tất cả các mô tả của tập tin >= fd\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "chạy lệnh với một lớp đăng nhập được chỉ ra\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "ngăn ngừa môi trường người dùng khi thi hành lệnh\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "chỉnh sửa các tập tin thay vì chạy lệnh\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "thực hiện câu lệnh như là nhóm được chỉ định\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "đặt biến HOME cho thư mục home của người dùng đích.\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "hiển thị trợ giúp này rồi thoát\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "chạy shell đăng nhập như là người dùng đích\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "gỡ bỏ timestamp tập tin\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "làm mất hiệu lực timestamp của tập tin\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "danh sách các câu lệnh người dùng có thể sử dụng\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "chế độ không tương tác, không hỏi tên tài khoản người dùng\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "ngăn ngừa véc tơ nhóm thay vì các cài đặt cho đích\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "sử dụng nhắc nhập mật khẩu.\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "tạo ngữ cảnh an ninh SELinux với vai trò đã được chỉ định\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "đọc mật khẩu từ đầu vào tiêu chuẩn\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "chạy shell như là người dùng đích\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "khi liệt kê, liệt kê các đặc quyền của người dùng\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "chạy lệnh (hay sửa chữa tập tin) trên tư cách của người dùng đã chỉ định\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "hiển thị thông tin phiên bản rồi thoát\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "cập nhật dấu thời gian (timestamp) của người dùng mà không chạy một lệnh\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "dừng việc xử lý đối số dòng lệnh\n"
#: src/sudo.c:213
#, c-format
msgid "Configure options: %s\n"
-msgstr "Cấu hình các tùy chọn: %s\n"
+msgstr "Các tùy chọn cấu hình: %s\n"
#: src/sudo.c:218
#, c-format
msgid "unknown uid %u: who are you?"
msgstr "không hiểu uid %u: bạn là ai?"
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s phải được sở hữu bởi uid %d và bít setuid phải được đặt"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "uid hữu hiệu thì không là %d, %s trên hệ thống tập tin với tuỳ chọn 'nosuid' được đặt, hay một hệ thống tập tin NFS không có đặc quyền của root có phải vậy không?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "uid hữu hiệu thì không là %d, chương trình sudo có được cài với setuid root không?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "giới hạn điều khiển tài nguyên đã tới hạn"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "người dùng \"%s\" không phải là thành viên của dự án \"%s\""
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "tác vụ được gọi đã kết thúc"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "không thể gia nhập dự án \"%s\""
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "không kho tài nguyên chung nào được thừa nhận ràng buộc đã tồn tại sẵn cho dự án \"%s\""
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "nguồn tài nguyên chung được chỉ ra chưa tồn tại cho dự án \"%s\""
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "không thể buộc phần tài nguyên chung mặc định cho dự án \"%s\""
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "đặt dự án cho dự án \"%s\" gặp lỗi"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "cảnh báo, nguồn điều khiển gán gặp lỗi cho dự án \"%s\""
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "không rõ lớp đăng nhập %s"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "không thể đặt ngữ cảnh người dùng"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "không thể đặt nhóm phụ IDs"
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "không thể đặt hiệu ứng gid chạy như là gid %u"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "không thể thay đổi gid thành runas gid %u"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "không thể đặt ưu tiên cho quá trình"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "không thể chuyển đổi thư mục gốc thành %s"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "không thể thay đổi thành runas uid (%u, %u)"
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "không thể thay đổi thư mục thành %s"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "biểu thức điều kiện con kết thúc không như mong đợi: %d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "phần bổ xung chính sách %s không hỗ trợ liệt kê đặc quyền"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "phần bổ xung chính sách %s không hỗ trợ tùy chọn -v"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "phần bổ xung chính sách %s không hỗ trợ tùy chọn -k/-K"
msgid "unable to restore stdin"
msgstr "không thể phục hồi stdin"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "lỗi nội bộ, erealloc2() bị tràn"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "lỗi nội bộ, erealloc3() bị tràn"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s: phải xác định ít nhất một phần bổ xung chính sách"
+
#~ msgid "must be setuid root"
#~ msgstr "phải được đặt setuid của root"
#
msgid ""
msgstr ""
-"Project-Id-Version: sudo-1.8.5rc3\n"
+"Project-Id-Version: sudo-1.8.6b4\n"
"Report-Msgid-Bugs-To: http://www.sudo.ws/bugs\n"
-"POT-Creation-Date: 2012-04-24 13:41-0400\n"
-"PO-Revision-Date: 2012-04-29 17:01+0800\n"
+"POT-Creation-Date: 2012-08-10 13:08-0400\n"
+"PO-Revision-Date: 2012-08-21 10:16+0800\n"
"Last-Translator: Wylmer Wang <wantinghard@gmail.com>\n"
"Language-Team: Chinese (simplified) <i18n-zh@googlegroups.com>\n"
"Language: zh_CN\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
-#: common/aix.c:149
+#: common/aix.c:150
#, c-format
msgid "unable to open userdb"
msgstr "无法打开 userdb"
-#: common/aix.c:152
+#: common/aix.c:153
#, c-format
msgid "unable to switch to registry \"%s\" for %s"
msgstr "无法为 %2$s 切换到注册表“%1$s”"
-#: common/aix.c:169
+#: common/aix.c:170
#, c-format
msgid "unable to restore registry"
msgstr "无法恢复注册表"
#: common/alloc.c:85 common/alloc.c:105 common/alloc.c:127 common/alloc.c:146
#: common/alloc.c:168 common/alloc.c:192 common/alloc.c:256 common/alloc.c:270
-#: src/exec_common.c:111 src/parse_args.c:432 src/sudo.c:456 src/sudo.c:482
-#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:737
+#: src/exec_common.c:111 src/parse_args.c:430 src/sudo.c:456 src/sudo.c:482
+#: src/sudo.c:489 src/sudo.c:500 src/sudo.c:759
#, c-format
msgid "unable to allocate memory"
msgstr "无法分配内存"
msgid "internal error, tried to emalloc2(0)"
msgstr "内部错误,试图 emalloc2(0)"
-#: common/alloc.c:101
-msgid "internal error, emalloc2() overflow"
-msgstr "内部错误,emalloc2() 溢出"
+#: common/alloc.c:101 common/alloc.c:123 common/alloc.c:163 common/alloc.c:187
+#, c-format
+msgid "internal error, %s overflow"
+msgstr "内部错误,%s 溢出"
#: common/alloc.c:120
msgid "internal error, tried to ecalloc(0)"
msgstr "内部错误,试图 ecalloc(0)"
-#: common/alloc.c:123
-msgid "internal error, ecalloc() overflow"
-msgstr "内部错误,ecalloc() 溢出"
-
#: common/alloc.c:142
msgid "internal error, tried to erealloc(0)"
msgstr "内部错误,试图 erealloc(0)"
-#: common/alloc.c:161 common/alloc.c:185
+#: common/alloc.c:161
msgid "internal error, tried to erealloc3(0)"
msgstr "内部错误,试图 erealloc3(0)"
-#: common/alloc.c:163 common/alloc.c:187
-msgid "internal error, erealloc3() overflow"
-msgstr "内部错误,erealloc3() 错误"
+#: common/alloc.c:185
+msgid "internal error, tried to erecalloc(0)"
+msgstr "内部错误,试图 erecalloc(0)"
-#: common/sudo_conf.c:306
+#: common/sudo_conf.c:305
#, c-format
msgid "unable to stat %s"
msgstr "无法 stat %s"
-#: common/sudo_conf.c:309
+#: common/sudo_conf.c:308
#, c-format
msgid "%s is not a regular file"
msgstr "%s 不是常规文件"
-#: common/sudo_conf.c:312
+#: common/sudo_conf.c:311
#, c-format
msgid "%s is owned by uid %u, should be %u"
msgstr "%s 属于用户 ID %u,应为 %u"
-#: common/sudo_conf.c:316
+#: common/sudo_conf.c:315
#, c-format
msgid "%s is world writable"
msgstr "%s 可被任何人写"
-#: common/sudo_conf.c:319
+#: common/sudo_conf.c:318
#, c-format
msgid "%s is group writable"
msgstr "%s 可被用户组写"
-#: common/sudo_conf.c:328 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
+#: common/sudo_conf.c:327 src/selinux.c:196 src/selinux.c:209 src/sudo.c:331
#, c-format
msgid "unable to open %s"
msgstr "打不开 %s"
msgid ": "
msgstr ":"
-#: src/exec.c:107 src/exec_pty.c:628
+#: src/exec.c:113 src/exec_pty.c:674
#, c-format
msgid "policy plugin failed session initialization"
msgstr "策略插件会话初始化失败"
-#: src/exec.c:112 src/exec_pty.c:633 src/exec_pty.c:967 src/tgetpass.c:221
+#: src/exec.c:118 src/exec_pty.c:690 src/exec_pty.c:1035 src/tgetpass.c:221
#, c-format
msgid "unable to fork"
msgstr "无法执行 fork"
-#: src/exec.c:259
+#: src/exec.c:268
#, c-format
msgid "unable to create sockets"
msgstr "无法创建套接字"
-#: src/exec.c:266 src/exec_pty.c:572 src/exec_pty.c:581 src/exec_pty.c:589
-#: src/exec_pty.c:902 src/exec_pty.c:964 src/tgetpass.c:218
+#: src/exec.c:275 src/exec_pty.c:613 src/exec_pty.c:622 src/exec_pty.c:630
+#: src/exec_pty.c:960 src/exec_pty.c:1032 src/tgetpass.c:218
#, c-format
msgid "unable to create pipe"
msgstr "无法创建管道"
-#: src/exec.c:351 src/exec_pty.c:1029 src/exec_pty.c:1167
+#: src/exec.c:365 src/exec_pty.c:1102 src/exec_pty.c:1240
#, c-format
msgid "select failed"
msgstr "select 失败"
-#: src/exec.c:441
+#: src/exec.c:467
#, c-format
msgid "unable to restore tty label"
msgstr "无法恢复终端标签"
msgid "unable to remove PRIV_PROC_EXEC from PRIV_LIMIT"
msgstr "无法从 PRIV_LIMIT 中移除 PRIV_PROC_EXEC"
-#: src/exec_pty.c:144
+#: src/exec_pty.c:183
#, c-format
msgid "unable to allocate pty"
msgstr "无法分配伪终端"
-#: src/exec_pty.c:619
+#: src/exec_pty.c:665
#, c-format
msgid "unable to set terminal to raw mode"
msgstr "无法将终端设为原始模式"
-#: src/exec_pty.c:945
+#: src/exec_pty.c:1013
#, c-format
msgid "unable to set controlling tty"
msgstr "无法设置控制终端"
-#: src/exec_pty.c:1038
+#: src/exec_pty.c:1111
#, c-format
msgid "error reading from signal pipe"
msgstr "从单管道读取出错"
-#: src/exec_pty.c:1059
+#: src/exec_pty.c:1132
#, c-format
msgid "error reading from pipe"
msgstr "从管道读取出错"
-#: src/exec_pty.c:1075
+#: src/exec_pty.c:1148
#, c-format
msgid "error reading from socketpair"
msgstr "从套接字对读取出错"
-#: src/exec_pty.c:1079
+#: src/exec_pty.c:1152
#, c-format
msgid "unexpected reply type on backchannel: %d"
msgstr "联络通道的回应类型异常:%d"
-#: src/load_plugins.c:79
+#: src/load_plugins.c:74
#, c-format
msgid "%s: %s"
msgstr "%s:%s"
-#: src/load_plugins.c:85
+#: src/load_plugins.c:80
#, c-format
msgid "%s%s: %s"
msgstr "%s%s:%s"
-#: src/load_plugins.c:95
+#: src/load_plugins.c:90
#, c-format
msgid "%s must be owned by uid %d"
msgstr "%s 必须属于用户 ID %d(的用户)"
-#: src/load_plugins.c:99
+#: src/load_plugins.c:94
#, c-format
msgid "%s must be only be writable by owner"
msgstr "%s 必须只对其所有者可写"
-#: src/load_plugins.c:106
+#: src/load_plugins.c:101
#, c-format
msgid "unable to dlopen %s: %s"
msgstr "无法 dlopen %s:%s"
-#: src/load_plugins.c:111
+#: src/load_plugins.c:106
#, c-format
msgid "%s: unable to find symbol %s"
msgstr "%s:找不到符号 %s"
-#: src/load_plugins.c:117
+#: src/load_plugins.c:112
#, c-format
msgid "%s: unknown policy type %d"
msgstr "%s:未知的策略类型 %d"
-#: src/load_plugins.c:121
+#: src/load_plugins.c:116
#, c-format
msgid "%s: incompatible policy major version %d, expected %d"
msgstr "%s:不兼容的策略主版本号 %d,应为 %d"
-#: src/load_plugins.c:128
+#: src/load_plugins.c:123
#, c-format
msgid "%s: only a single policy plugin may be loaded"
msgstr "%s:只能加载一个策略插件"
-#: src/load_plugins.c:148
-#, c-format
-msgid "%s: at least one policy plugin must be specified"
-msgstr "%s:至少要指定一个策略插件"
-
-#: src/load_plugins.c:153
+#: src/load_plugins.c:200
#, c-format
msgid "policy plugin %s does not include a check_policy method"
msgstr "策略插件 %s 不包含 check_policy 方法"
msgid "the `-A' and `-S' options may not be used together"
msgstr "“-A”和“-S”选项不可同时使用"
-#: src/parse_args.c:445
+#: src/parse_args.c:443
#, c-format
msgid "sudoedit is not supported on this platform"
msgstr "此平台不支持 sudoedit"
-#: src/parse_args.c:518
+#: src/parse_args.c:516
#, c-format
msgid "Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"
msgstr "只能指定 -e、-h、-i、-K、-l、-s、-v 或 -V 选项中的一个"
-#: src/parse_args.c:532
+#: src/parse_args.c:530
#, c-format
msgid ""
"%s - edit files as another user\n"
"%s - 以其他用户身份编辑文件\n"
"\n"
-#: src/parse_args.c:534
+#: src/parse_args.c:532
#, c-format
msgid ""
"%s - execute a command as another user\n"
"%s - 以其他用户身份执行一条命令\n"
"\n"
-#: src/parse_args.c:539
+#: src/parse_args.c:537
#, c-format
msgid ""
"\n"
"\n"
"选项:\n"
-#: src/parse_args.c:542
+#: src/parse_args.c:540
msgid "use helper program for password prompting\n"
msgstr "使用助手程序进行密码提示\n"
-#: src/parse_args.c:545
+#: src/parse_args.c:543
msgid "use specified BSD authentication type\n"
msgstr "使用指定的 BSD 认证类型\n"
-#: src/parse_args.c:547
+#: src/parse_args.c:545
msgid "run command in the background\n"
msgstr "在后台运行命令\n"
-#: src/parse_args.c:549
+#: src/parse_args.c:547
msgid "close all file descriptors >= fd\n"
msgstr "关闭所有 >= fd 的文件描述符\n"
-#: src/parse_args.c:552
+#: src/parse_args.c:550
msgid "run command with specified login class\n"
msgstr "以指定的登录类别运行命令\n"
-#: src/parse_args.c:555
+#: src/parse_args.c:553
msgid "preserve user environment when executing command\n"
msgstr "在执行命令时保留用户环境\n"
-#: src/parse_args.c:557
+#: src/parse_args.c:555
msgid "edit files instead of running a command\n"
msgstr "编辑文件而非执行命令\n"
-#: src/parse_args.c:559
+#: src/parse_args.c:557
msgid "execute command as the specified group\n"
msgstr "以指定的用户组执行命令\n"
-#: src/parse_args.c:561
+#: src/parse_args.c:559
msgid "set HOME variable to target user's home dir.\n"
msgstr "将 HOME 变量设为目标用户的主目录。\n"
-#: src/parse_args.c:563
+#: src/parse_args.c:561
msgid "display help message and exit\n"
msgstr "显示帮助消息并退出\n"
-#: src/parse_args.c:565
+#: src/parse_args.c:563
msgid "run a login shell as target user\n"
msgstr "以目标用户身份运行一个登录 shell\n"
-#: src/parse_args.c:567
+#: src/parse_args.c:565
msgid "remove timestamp file completely\n"
msgstr "完全移除时间戳文件\n"
-#: src/parse_args.c:569
+#: src/parse_args.c:567
msgid "invalidate timestamp file\n"
msgstr "无效的时间戳文件\n"
-#: src/parse_args.c:571
+#: src/parse_args.c:569
msgid "list user's available commands\n"
msgstr "列出用户能执行的命令\n"
-#: src/parse_args.c:573
+#: src/parse_args.c:571
msgid "non-interactive mode, will not prompt user\n"
msgstr "非交互模式,将不提示用户\n"
-#: src/parse_args.c:575
+#: src/parse_args.c:573
msgid "preserve group vector instead of setting to target's\n"
msgstr "保留组向量,而非设置为目标的组向量\n"
-#: src/parse_args.c:577
+#: src/parse_args.c:575
msgid "use specified password prompt\n"
msgstr "使用指定的密码提示\n"
-#: src/parse_args.c:580 src/parse_args.c:588
+#: src/parse_args.c:578 src/parse_args.c:586
msgid "create SELinux security context with specified role\n"
msgstr "以指定的角色创建 SELinux 安全环境\n"
-#: src/parse_args.c:583
+#: src/parse_args.c:581
msgid "read password from standard input\n"
msgstr "从标准输入读取密码\n"
-#: src/parse_args.c:585
+#: src/parse_args.c:583
msgid "run a shell as target user\n"
msgstr "以目标用户身份运行 shell\n"
-#: src/parse_args.c:591
+#: src/parse_args.c:589
msgid "when listing, list specified user's privileges\n"
msgstr "在列表时,列出指定用户的权限\n"
-#: src/parse_args.c:593
+#: src/parse_args.c:591
msgid "run command (or edit file) as specified user\n"
msgstr "以指定用户身份运行命令(或编辑文件)\n"
-#: src/parse_args.c:595
+#: src/parse_args.c:593
msgid "display version information and exit\n"
msgstr "显示版本信息并退出\n"
-#: src/parse_args.c:597
+#: src/parse_args.c:595
msgid "update user's timestamp without running a command\n"
msgstr "更新用户的时间戳而不执行命令\n"
-#: src/parse_args.c:599
+#: src/parse_args.c:597
msgid "stop processing command line arguments\n"
msgstr "停止处理命令行参数\n"
msgid "unknown uid %u: who are you?"
msgstr "未知的用户 ID %u:您是?"
-#: src/sudo.c:760
+#: src/sudo.c:782
#, c-format
msgid "%s must be owned by uid %d and have the setuid bit set"
msgstr "%s 必须属于用户 ID %d(的用户)并且设置 setuid 位"
-#: src/sudo.c:763
+#: src/sudo.c:785
#, c-format
msgid "effective uid is not %d, is %s on a file system with the 'nosuid' option set or an NFS file system without root privileges?"
msgstr "有效用户 ID 不是 %d,%s 位于一个设置了“nosuid”选项的文件系统或没有 root 权限的 NFS 文件系统中吗?"
-#: src/sudo.c:769
+#: src/sudo.c:791
#, c-format
msgid "effective uid is not %d, is sudo installed setuid root?"
msgstr "有效用户 ID 不是 %d,sudo 属于 root 并设置了 setuid 位吗?"
-#: src/sudo.c:838
+#: src/sudo.c:860
#, c-format
msgid "resource control limit has been reached"
msgstr "达到了资源控制限制"
-#: src/sudo.c:841
+#: src/sudo.c:863
#, c-format
msgid "user \"%s\" is not a member of project \"%s\""
msgstr "用户“%s”不是项目“%s”的成员"
-#: src/sudo.c:845
+#: src/sudo.c:867
#, c-format
msgid "the invoking task is final"
msgstr "调用的任务是最终的(final)"
-#: src/sudo.c:848
+#: src/sudo.c:870
#, c-format
msgid "could not join project \"%s\""
msgstr "无法加入项目“%s”"
-#: src/sudo.c:853
+#: src/sudo.c:875
#, c-format
msgid "no resource pool accepting default bindings exists for project \"%s\""
msgstr "不存在对应于项目“%s”的、接受默认绑定的资源池"
-#: src/sudo.c:857
+#: src/sudo.c:879
#, c-format
msgid "specified resource pool does not exist for project \"%s\""
msgstr "指定的对应于项目“%s”的资源池不存在"
-#: src/sudo.c:861
+#: src/sudo.c:883
#, c-format
msgid "could not bind to default resource pool for project \"%s\""
msgstr "无法为项目“%s”绑定到默认的资源池"
-#: src/sudo.c:867
+#: src/sudo.c:889
#, c-format
msgid "setproject failed for project \"%s\""
msgstr "对项目“%s”执行 setproject 失败"
-#: src/sudo.c:869
+#: src/sudo.c:891
#, c-format
msgid "warning, resource control assignment failed for project \"%s\""
msgstr "警告,对项目“%s”的资源控制分配失败"
-#: src/sudo.c:917
+#: src/sudo.c:959
#, c-format
msgid "unknown login class %s"
msgstr "未知的登录类别 %s"
-#: src/sudo.c:931 src/sudo.c:934
+#: src/sudo.c:973 src/sudo.c:976
#, c-format
msgid "unable to set user context"
msgstr "无法设置用户环境"
-#: src/sudo.c:946
+#: src/sudo.c:988
#, c-format
msgid "unable to set supplementary group IDs"
msgstr "无法设置补充组 ID"
-#: src/sudo.c:953
+#: src/sudo.c:995
#, c-format
msgid "unable to set effective gid to runas gid %u"
msgstr "无法设置有效组 ID 来以组 ID %u 运行"
-#: src/sudo.c:959
+#: src/sudo.c:1001
#, c-format
msgid "unable to set gid to runas gid %u"
msgstr "无法设置组 ID 来以组 ID %u 运行"
-#: src/sudo.c:966
+#: src/sudo.c:1008
#, c-format
msgid "unable to set process priority"
msgstr "无法设置进程优先级"
-#: src/sudo.c:974
+#: src/sudo.c:1016
#, c-format
msgid "unable to change root to %s"
msgstr "无法从 root 切换到 %s"
-#: src/sudo.c:981 src/sudo.c:987 src/sudo.c:993
+#: src/sudo.c:1023 src/sudo.c:1029 src/sudo.c:1035
#, c-format
msgid "unable to change to runas uid (%u, %u)"
msgstr "无法切换到以用户 ID(%u,%u)运行"
-#: src/sudo.c:1007
+#: src/sudo.c:1049
#, c-format
msgid "unable to change directory to %s"
msgstr "无法将目录切换到 %s"
-#: src/sudo.c:1079
+#: src/sudo.c:1133
#, c-format
msgid "unexpected child termination condition: %d"
msgstr "异常的子进程终止条件:%d"
-#: src/sudo.c:1140
+#: src/sudo.c:1194
#, c-format
msgid "policy plugin %s does not support listing privileges"
msgstr "策略插件 %s 不支持列出权限"
-#: src/sudo.c:1152
+#: src/sudo.c:1206
#, c-format
msgid "policy plugin %s does not support the -v option"
msgstr "策略插件 %s不支持 -v 选项"
-#: src/sudo.c:1164
+#: src/sudo.c:1218
#, c-format
msgid "policy plugin %s does not support the -k/-K options"
msgstr "策略插件 %s 不支持 -k/-K 选项"
msgid "unable to restore stdin"
msgstr "无法恢复 stdin"
+#~ msgid "internal error, emalloc2() overflow"
+#~ msgstr "内部错误,emalloc2() 溢出"
+
+#~ msgid "internal error, erealloc3() overflow"
+#~ msgstr "内部错误,erealloc3() 错误"
+
+#~ msgid "%s: at least one policy plugin must be specified"
+#~ msgstr "%s:至少要指定一个策略插件"
+
#~ msgid "must be setuid root"
#~ msgstr "必须为 setuid root"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <signal.h>
#include <unistd.h>
#ifdef HAVE_SETLOCALE
# include <locale.h>
/* Make sure we are setuid root. */
sudo_check_suid(argv[0]);
- /* Reset signal mask and make sure fds 0-2 are open. */
+ /* Reset signal mask, save signal state and make sure fds 0-2 are open. */
(void) sigemptyset(&mask);
(void) sigprocmask(SIG_SETMASK, &mask, NULL);
+ save_signals();
fix_fds();
+ /* Read sudo.conf. */
+ sudo_conf_read();
+
/* Fill in user_info with user name, uid, cwd, etc. */
memset(&user_details, 0, sizeof(user_details));
user_info = get_user_info(&user_details);
- /* Read sudo.conf. */
- sudo_conf_read();
-
/* Disable core dumps if not enabled in sudo.conf. */
disable_coredumps();
}
break;
}
+#ifdef HAVE_PRIV_SET
+ if (strncmp("runas_privs=", info[i], sizeof("runas_privs=") - 1) == 0) {
+ const char *endp;
+ cp = info[i] + sizeof("runas_privs=") - 1;
+ if (*cp == '\0')
+ break;
+ errno = 0;
+ details->privs = priv_str_to_set(cp, ",", &endp);
+ if (details->privs == NULL)
+ warning("invalid runas_privs %s", endp);
+ }
+ if (strncmp("runas_limitprivs=", info[i], sizeof("runas_limitprivs=") - 1) == 0) {
+ const char *endp;
+ cp = info[i] + sizeof("runas_limitprivs=") - 1;
+ if (*cp == '\0')
+ break;
+ errno = 0;
+ details->limitprivs = priv_str_to_set(cp, ",", &endp);
+ if (details->limitprivs == NULL)
+ warning("invalid runas_limitprivs %s", endp);
+ }
+#endif /* HAVE_PRIV_SET */
break;
case 's':
SET_STRING("selinux_role=", selinux_role)
#ifdef HAVE_PROJECT_H
set_project(details->pw);
#endif
+#ifdef HAVE_PRIV_SET
+ if (details->privs != NULL) {
+ if (setppriv(PRIV_SET, PRIV_INHERITABLE, details->privs) != 0) {
+ warning("unable to set privileges");
+ goto done;
+ }
+ }
+ if (details->limitprivs != NULL) {
+ if (setppriv(PRIV_SET, PRIV_LIMIT, details->limitprivs) != 0) {
+ warning("unable to set limit privileges");
+ goto done;
+ }
+ } else if (details->privs != NULL) {
+ if (setppriv(PRIV_SET, PRIV_LIMIT, details->privs) != 0) {
+ warning("unable to set limit privileges");
+ goto done;
+ }
+ }
+#endif /* HAVE_PRIV_SET */
+
#ifdef HAVE_GETUSERATTR
aix_prep_user(details->pw->pw_name, ptyname ? ptyname : user_details.tty);
#endif
}
/*
- * Restore nproc resource limit if pam_limits didn't do it for us.
+ * SuSE Enterprise Linux uses RLIMIT_NPROC and _SC_CHILD_MAX
+ * interchangably. This causes problems when setting RLIMIT_NPROC
+ * to RLIM_INFINITY due to a bug in bash where bash tries to honor
+ * the value of _SC_CHILD_MAX but treats a value of -1 as an error,
+ * and uses a default value of 32 instead.
+ *
+ * To work around this problem, we restore the nproc resource limit
+ * if sysconf(_SC_CHILD_MAX) is negative. In most cases, pam_limits
+ * will set RLIMIT_NPROC for us.
+ *
* We must do this *after* the uid change to avoid potential EAGAIN
* from setuid().
*/
-#if defined(__linux__)
+#if defined(__linux__) && defined(_SC_CHILD_MAX)
{
struct rlimit rl;
- if (getrlimit(RLIMIT_NPROC, &rl) == 0) {
+ long l;
+ errno = 0;
+ l = sysconf(_SC_CHILD_MAX);
+ if (l == -1 && errno == 0 && getrlimit(RLIMIT_NPROC, &rl) == 0) {
if (rl.rlim_cur == RLIM_INFINITY && rl.rlim_max == RLIM_INFINITY)
(void) setrlimit(RLIMIT_NPROC, &nproclimit);
}
#include "sudo_debug.h"
#include "gettext.h"
+#ifdef HAVE_PRIV_SET
+# include <priv.h>
+#endif
+
#ifdef __TANDEM
# define ROOT_UID 65535
#else
const char *utmp_user;
char **argv;
char **envp;
+#ifdef HAVE_PRIV_SET
+ priv_set_t *privs;
+ priv_set_t *limitprivs;
+#endif
};
/* Status passed between parent and child via socketpair */
#define CMD_ERRNO 1
#define CMD_WSTATUS 2
#define CMD_SIGNO 3
+#define CMD_PID 4
int type;
int val;
};
/* exec.c */
int sudo_execve(const char *path, char *const argv[], char *const envp[], int noexec);
int pipe_nonblock(int fds[2]);
+extern volatile pid_t cmnd_pid;
/* exec_pty.c */
struct command_details;
struct command_status;
-int fork_pty(struct command_details *details, int sv[], int *maxfd);
+int fork_pty(struct command_details *details, int sv[], int *maxfd, sigset_t *omask);
int perform_io(fd_set *fdsr, fd_set *fdsw, struct command_status *cstat);
int suspend_parent(int signo);
void fd_set_iobs(fd_set *fdsr, fd_set *fdsw);
+#ifdef SA_SIGINFO
+void handler(int s, siginfo_t *info, void *context);
+#else
void handler(int s);
+#endif
void pty_close(struct command_status *cstat);
void pty_setup(uid_t uid, const char *tty, const char *utmp_user);
-void terminate_child(pid_t pid, bool use_pgrp);
+void terminate_command(pid_t pid, bool use_pgrp);
extern int signal_pipe[2];
/* utmp.c */
}
#define DUMMY2(fn, t1, t2) \
-int \
+__dso_public int \
fn(t1 a1, t2 a2) \
DUMMY_BODY
#define DUMMY3(fn, t1, t2, t3) \
-int \
+__dso_public int \
fn(t1 a1, t2 a2, t3 a3) \
DUMMY_BODY
#define DUMMY6(fn, t1, t2, t3, t4, t5, t6) \
-int \
+__dso_public int \
fn(t1 a1, t2 a2, t3 a3, t4 a4, t5 a5, t6 a6) \
DUMMY_BODY
#define DUMMY_VA(fn, t1, t2) \
-int \
+__dso_public int \
fn(t1 a1, t2 a2, ...) \
DUMMY_BODY
/*
- * Copyright (c) 2012 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2012-2013 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
/*
* Do a breadth-first scan of dir looking for the specified device.
*/
-static
-char *sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin)
+static char *
+sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin)
{
- DIR *d;
+ DIR *d = NULL;
char pathbuf[PATH_MAX], **subdirs = NULL, *devname = NULL;
size_t sdlen, d_len, len, num_subdirs = 0, max_subdirs = 0;
struct dirent *dp;
}
if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
devname = estrdup(pathbuf);
- break;
+ goto done;
}
}
- closedir(d);
/* Search subdirs if we didn't find it in the root level. */
for (i = 0; devname == NULL && i < num_subdirs; i++)
devname = sudo_ttyname_scan(subdirs[i], rdev, false);
done:
+ if (d != NULL)
+ closedir(d);
for (i = 0; i < num_subdirs; i++)
efree(subdirs[i]);
efree(subdirs);
debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
/*
- * First check search_devs.
+ * First check search_devs for common tty devices.
*/
- for (sd = search_devs; (devname = *sd) != NULL; sd++) {
+ for (sd = search_devs; tty == NULL && (devname = *sd) != NULL; sd++) {
len = strlen(devname);
if (devname[len - 1] == '/') {
- /* Special case /dev/pts */
if (strcmp(devname, "/dev/pts/") == 0) {
+ /* Special case /dev/pts */
(void)snprintf(buf, sizeof(buf), "%spts/%u", _PATH_DEV,
(unsigned int)minor(rdev));
if (stat(buf, &sb) == 0) {
- if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
+ if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev)
tty = estrdup(buf);
- break;
- }
}
- continue;
+ } else {
+ /* Traverse directory */
+ tty = sudo_ttyname_scan(devname, rdev, true);
}
- /* Traverse directory */
- tty = sudo_ttyname_scan(devname, rdev, true);
} else {
if (stat(devname, &sb) == 0) {
- if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
+ if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev)
tty = estrdup(devname);
- break;
- }
}
}
}
}
efree(ki_proc);
- /* If all else fails, fall back on ttyname(). */
- if (tty == NULL) {
- if ((tty = ttyname(STDIN_FILENO)) != NULL ||
- (tty = ttyname(STDOUT_FILENO)) != NULL ||
- (tty = ttyname(STDERR_FILENO)) != NULL)
- tty = estrdup(tty);
- }
-
debug_return_str(tty);
}
#elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV)
get_process_ttyname(void)
{
char path[PATH_MAX], *tty = NULL;
- struct stat sb;
struct psinfo psinfo;
ssize_t nread;
int i, fd;
continue;
nread = read(fd, &psinfo, sizeof(psinfo));
close(fd);
- if (nread == (ssize_t)sizeof(psinfo) && psinfo.pr_ttydev != (dev_t)-1) {
- tty = sudo_ttyname_dev(psinfo.pr_ttydev);
+ if (nread == (ssize_t)sizeof(psinfo)) {
+ dev_t rdev = (dev_t)psinfo.pr_ttydev;
+#ifdef DEVNO64
+ if (psinfo.pr_ttydev & DEVNO64)
+ rdev = makedev(major64(psinfo.pr_ttydev), minor64(psinfo.pr_ttydev));
+#endif
+ if (rdev != (dev_t)-1)
+ tty = sudo_ttyname_dev(rdev);
}
}
- /* If all else fails, fall back on ttyname(). */
- if (tty == NULL) {
- if ((tty = ttyname(STDIN_FILENO)) != NULL ||
- (tty = ttyname(STDOUT_FILENO)) != NULL ||
- (tty = ttyname(STDERR_FILENO)) != NULL)
- tty = estrdup(tty);
- }
-
debug_return_str(tty);
}
#elif defined(__linux__)
int i;
debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
- /* Try to determine the tty from pr_ttydev in /proc/pid/psinfo. */
+ /* Try to determine the tty from tty_nr in /proc/pid/stat. */
for (i = 0; tty == NULL && i < 2; i++) {
FILE *fp;
char path[PATH_MAX];
}
efree(line);
- /* If all else fails, fall back on ttyname(). */
- if (tty == NULL) {
- if ((tty = ttyname(STDIN_FILENO)) != NULL ||
- (tty = ttyname(STDOUT_FILENO)) != NULL ||
- (tty = ttyname(STDERR_FILENO)) != NULL)
- tty = estrdup(tty);
- }
-
debug_return_str(tty);
}
#else
# include <ttyent.h>
#endif
#include <fcntl.h>
+#include <signal.h>
#include "sudo.h"
#include "sudo_exec.h"
}
}
utmp_fill(to_line, user, ut_old, &utbuf);
+#ifdef HAVE_FSEEKO
+ if (fseeko(fp, slot * (off_t)sizeof(utbuf), SEEK_SET) == 0) {
+#else
if (fseek(fp, slot * (long)sizeof(utbuf), SEEK_SET) == 0) {
+#endif
if (fwrite(&utbuf, sizeof(utbuf), 1, fp) == 1)
rval = true;
}
# endif
utmp_settime(&utbuf);
/* Back up and overwrite record. */
+#ifdef HAVE_FSEEKO
+ if (fseeko(fp, (off_t)0 - (off_t)sizeof(utbuf), SEEK_CUR) == 0) {
+#else
if (fseek(fp, 0L - (long)sizeof(utbuf), SEEK_CUR) == 0) {
+#endif
if (fwrite(&utbuf, sizeof(utbuf), 1, fp) == 1)
rval = true;
}
still allow people to get their work done."
vendor="Todd C. Miller"
copyright="(c) 1993-1996,1998-2012 Todd C. Miller"
+ sudoedit_man=`echo ${pp_destdir}$mandir/*/sudoedit.*|sed "s:^${pp_destdir}::"`
+ sudoedit_man_target=`basename $sudoedit_man | sed 's/edit//'`
%if [aix]
# AIX package summary is limited to 40 characters
pp_rpm_license="BSD"
pp_rpm_url="http://www.sudo.ws/"
pp_rpm_group="Applications/System"
- pp_rpm_packager="Todd.Miller@courtesan.com"
+ pp_rpm_packager="Todd C. Miller <Todd.Miller@courtesan.com>"
if test -n "$linux_audit"; then
pp_rpm_requires="audit-libs >= $linux_audit"
fi
-
- pp_deb_maintainer="$pp_rpm_packager"
- pp_deb_release="$pp_rpm_release"
- pp_deb_version="$pp_rpm_version"
%else
# For all but RPM and Debian we need to install sudoers with a different
# name and make a copy of it if there is no existing file.
mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist
%endif
+%if [deb]
+ pp_deb_maintainer="$pp_rpm_packager"
+ pp_deb_release="$pp_rpm_release"
+ pp_deb_version="$pp_rpm_version"
+ pp_deb_section=admin
+ install -D -m 644 ${pp_destdir}$docdir/LICENSE ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
+ install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ # Create lintian override file
+ mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
+ cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
+ # The sudo binary must be setuid root
+ $name: setuid-binary usr/bin/sudo 4755 root/root
+ # Sudo configuration and data dirs must not be world-readable
+ $name: non-standard-file-perm etc/sudoers 0440 != 0644
+ $name: non-standard-dir-perm etc/sudoers.d/ 0750 != 0755
+ $name: non-standard-dir-perm var/lib/sudo/ 0700 != 0755
+ # Sudo ships with debugging symbols
+ $name: unstripped-binary-or-object
+ EOF
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
+%endif
+
%if [rpm]
# Add distro info to release
osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
perl -pe 'last if (/^What/i && $seen++)' NEWS > ${pp_wrkdir}/ReadMe.txt
%endif
+%if X"$aix_freeware" = X"true"
+ # Create links from /opt/freeware/{bin,sbin} -> /usr/{bin.sbin}
+ mkdir -p ${pp_destdir}/usr/bin ${pp_destdir}/usr/sbin
+ ln -s -f ${bindir}/sudo ${pp_destdir}/usr/bin
+ ln -s -f ${bindir}/sudoedit ${pp_destdir}/usr/bin
+ ln -s -f ${bindir}/sudoreplay ${pp_destdir}/usr/bin
+ ln -s -f ${sbindir}/visudo ${pp_destdir}/usr/sbin
+%endif
+
# OS-level directories that should generally exist but might not.
extradirs=`echo ${pp_destdir}/${mandir}/[mc]* | sed "s#${pp_destdir}/##g"`
extradirs="$extradirs `dirname $docdir` `dirname $timedir`"
+ test -d ${pp_destdir}${localedir} && extradirs="$extradirs $localedir"
test -d ${pp_destdir}/etc/pam.d && extradirs="${extradirs} /etc/pam.d"
for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do
while test "$dir" != "/"; do
done
osdirs=`echo $osdirs | tr " " "\n" | sort -u`
+%depend [deb]
+ libc6, libpam0g, libpam-modules, zlib1g, libselinux1
+
+%fixup [deb]
+ # Add Conflicts, Replaces headers and add libldap depedency as needed.
+ if test -z "%{flavor}"; then
+ echo "Conflicts: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Replaces: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ elif test "%{flavor}" = "ldap"; then
+ echo "Conflicts: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Replaces: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Provides: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ sed 's/^\(Depends:.*\) *$/\1, libldap-2.4-2/' %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control
+ rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ fi
+ echo "Homepage: http://www.sudo.ws/sudo/" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Bugs: http://www.sudo.ws/bugs/" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+
%files
$osdirs -
- $bindir/sudo 4111 root:
- $bindir/sudoedit 4111 root:
- $sbindir/visudo 0111
- $bindir/sudoreplay 0111
- $includedir/sudo_plugin.h 0444
- $libexecdir/* 0755 optional
+ $bindir/sudo 4755 root:
+ $bindir/sudoedit 0755 root: symlink sudo
+ $sbindir/visudo 0755
+ $bindir/sudoreplay 0755
+ $includedir/sudo_plugin.h 0644
+ $libexecdir/* $shlib_mode optional
$sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid
$timedir/ 0700 root:
$docdir/ 0755
- $docdir/sudoers2ldif 0555 optional,ignore-others
- $docdir/* 0444
- $localedir/ - optional
- $localedir/** 0444 optional
- /etc/pam.d/* 0444 volatile,optional
+ $docdir/sudoers2ldif 0755 optional,ignore-others
+%if [deb]
+ $docdir/LICENSE ignore,ignore-others
+ $docdir/ChangeLog ignore,ignore-others
+%endif
+ $docdir/* 0644
+ $localedir/*/ - optional
+ $localedir/*/LC_MESSAGES/ - optional
+ $localedir/*/LC_MESSAGES/* 0644 optional
+ /etc/pam.d/* 0644 volatile,optional
%if [rpm,deb]
$sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%else
$sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%endif
+%if X"$aix_freeware" = X"true"
+ # Links for binaries from /opt/freeware to /usr
+ /usr/bin/sudo 0755 root: symlink $bindir/sudo
+ /usr/bin/sudoedit 0755 root: symlink $bindir/sudoedit
+ /usr/bin/sudoreplay 0755 root: symlink $bindir/sudoreplay
+ /usr/sbin/visudo 0755 root: symlink $sbindir/visudo
+%endif
%files [!aix]
- $mandir/man*/*
+ $sudoedit_man 0644 symlink,ignore-others $sudoedit_man_target
+ $mandir/man*/* 0644
%files [aix]
# Some versions use catpages, some use manpages.
- $mandir/cat*/* optional
- $mandir/man*/* optional
+ $sudoedit_man 0644 symlink,ignore-others $sudoedit_man_target
+ $mandir/cat*/* 0644 optional
+ $mandir/man*/* 0644 optional
+
+%pre [aix]
+ if rpm -q %{name} >/dev/null 2>&1; then
+ echo "Another version of sudo is currently installed via rpm." 2>&1
+ echo "Please either uninstall the rpm version of sudo by running \"rpm -e sudo\"" 2>&1
+ echo "or upgrade the existing version of sudo using the .rpm packagae instead" 2>&1
+ echo "instead of the .bff package." 2>&1
+ echo "" 2>&1
+ echo "Note that you may need to pass rpm the --oldpackage flag when upgrading" 2>&1
+ echo "the AIX Toolbox version of sudo to the latest sudo rpm from sudo.ws." 2>&1
+ echo "" 2>&1
+ exit 1
+ fi
%post [!rpm,deb]
# Don't overwrite an existing sudoers file
fi
%post [deb]
+ set -e
+
# dpkg-deb does not maintain the mode on the sudoers file, and
# installs it 0640 when sudo requires 0440
chmod %{sudoers_mode} %{sudoersdir}/sudoers
'
%preun [deb]
+ set -e
+
# Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
# it matches what we created in the postinstall script.
if test X"%{flavor}" = X"ldap" -a \
srcdir = @srcdir@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+cross_compiling = @CROSS_COMPILING@
# Compiler & tools to use
CC = @CC@
CFLAGS = @CFLAGS@
# OS dependent defines
-DEFS = @OSDEFS@
+DEFS = @OSDEFS@ @NO_VIZ@
#### End of system configuration section. ####
projects / debian / sudo / commitdiff