as per the documentation.
Sudo 1.6.9p15 released.
+
+657) There was a missing space before the ldap libraries in the Makefile
+ for some configurations.
+
+658) LDAPS_PORT may not be defined on older Solaris LDAP SDKs.
+
+659) If the LDAP server could not be contacted and the user was not present
+ in sudoers, a syntax error in sudoers was incorrectly reported.
+
+Sudo 1.6.9p16 released.
#
# @configure_input@
#
-# $Sudo: Makefile.in,v 1.246.2.30 2008/03/23 19:43:51 millert Exp $
+# $Sudo: Makefile.in,v 1.246.2.31 2008/05/08 19:48:23 millert Exp $
#
#### Start of system configuration section. ####
LIBOBJS = @LIBOBJS@ @ALLOCA@
-VERSION = 1.6.9p15
+VERSION = 1.6.9p16
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
LICENSE Makefile.in PORTING README README.LDAP \
int
main ()
{
-DIR *d; (void)dirfd(d);
+DIR d; (void)dirfd(&d);
;
return 0;
}
echo "$as_me: WARNING: unable to find socket() trying -lsocket -lnsl" >&2;}
{ echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6; }
-if test "${ac_cv_lib_socket_socket+set}" = set; then
+if test "${ac_cv_lib_socket_socket_lnsl+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
- ac_cv_lib_socket_socket=yes
+ ac_cv_lib_socket_socket_lnsl=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
- ac_cv_lib_socket_socket=no
+ ac_cv_lib_socket_socket_lnsl=no
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
-echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6; }
-if test $ac_cv_lib_socket_socket = yes; then
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket_lnsl" >&5
+echo "${ECHO_T}$ac_cv_lib_socket_socket_lnsl" >&6; }
+if test $ac_cv_lib_socket_socket_lnsl = yes; then
NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"
fi
echo "$as_me: WARNING: unable to find inet_addr() trying -lsocket -lnsl" >&2;}
{ echo "$as_me:$LINENO: checking for inet_addr in -lsocket" >&5
echo $ECHO_N "checking for inet_addr in -lsocket... $ECHO_C" >&6; }
-if test "${ac_cv_lib_socket_inet_addr+set}" = set; then
+if test "${ac_cv_lib_socket_inet_addr_lnsl+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
- ac_cv_lib_socket_inet_addr=yes
+ ac_cv_lib_socket_inet_addr_lnsl=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
- ac_cv_lib_socket_inet_addr=no
+ ac_cv_lib_socket_inet_addr_lnsl=no
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_inet_addr" >&5
-echo "${ECHO_T}$ac_cv_lib_socket_inet_addr" >&6; }
-if test $ac_cv_lib_socket_inet_addr = yes; then
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_socket_inet_addr_lnsl" >&5
+echo "${ECHO_T}$ac_cv_lib_socket_inet_addr_lnsl" >&6; }
+if test $ac_cv_lib_socket_inet_addr_lnsl = yes; then
NET_LIBS="${NET_LIBS} -lsocket -lnsl"; LIBS="${LIBS} -lsocket -lnsl"
fi
#
{ echo "$as_me:$LINENO: checking for SD_Init in -laceclnt" >&5
echo $ECHO_N "checking for SD_Init in -laceclnt... $ECHO_C" >&6; }
-if test "${ac_cv_lib_aceclnt_SD_Init+set}" = set; then
+if test "${ac_cv_lib_aceclnt_SD_Init_______lpthread_______+set}" = set; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
- ac_cv_lib_aceclnt_SD_Init=yes
+ ac_cv_lib_aceclnt_SD_Init_______lpthread_______=yes
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
- ac_cv_lib_aceclnt_SD_Init=no
+ ac_cv_lib_aceclnt_SD_Init_______lpthread_______=no
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_aceclnt_SD_Init" >&5
-echo "${ECHO_T}$ac_cv_lib_aceclnt_SD_Init" >&6; }
-if test $ac_cv_lib_aceclnt_SD_Init = yes; then
+{ echo "$as_me:$LINENO: result: $ac_cv_lib_aceclnt_SD_Init_______lpthread_______" >&5
+echo "${ECHO_T}$ac_cv_lib_aceclnt_SD_Init_______lpthread_______" >&6; }
+if test $ac_cv_lib_aceclnt_SD_Init_______lpthread_______ = yes; then
AUTH_OBJS="$AUTH_OBJS securid5.o";
SUDO_LIBS="${SUDO_LIBS} -laceclnt -lpthread"
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
- { echo "$as_me:$LINENO: checking for main in -lkrb" >&5
+ as_ac_Lib=`echo "ac_cv_lib_krb_main$K4LIBS" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for main in -lkrb" >&5
echo $ECHO_N "checking for main in -lkrb... $ECHO_C" >&6; }
-if test "${ac_cv_lib_krb_main+set}" = set; then
+if { as_var=$as_ac_Lib; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
- ac_cv_lib_krb_main=yes
+ eval "$as_ac_Lib=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
- ac_cv_lib_krb_main=no
+ eval "$as_ac_Lib=no"
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_krb_main" >&5
-echo "${ECHO_T}$ac_cv_lib_krb_main" >&6; }
-if test $ac_cv_lib_krb_main = yes; then
+ac_res=`eval echo '${'$as_ac_Lib'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Lib'}'` = yes; then
K4LIBS="-lkrb $K4LIBS"
else
- { echo "$as_me:$LINENO: checking for main in -lkrb4" >&5
+ as_ac_Lib=`echo "ac_cv_lib_krb4_main$K4LIBS" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for main in -lkrb4" >&5
echo $ECHO_N "checking for main in -lkrb4... $ECHO_C" >&6; }
-if test "${ac_cv_lib_krb4_main+set}" = set; then
+if { as_var=$as_ac_Lib; eval "test \"\${$as_var+set}\" = set"; }; then
echo $ECHO_N "(cached) $ECHO_C" >&6
else
ac_check_lib_save_LIBS=$LIBS
test ! -s conftest.err
} && test -s conftest$ac_exeext &&
$as_test_x conftest$ac_exeext; then
- ac_cv_lib_krb4_main=yes
+ eval "$as_ac_Lib=yes"
else
echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
- ac_cv_lib_krb4_main=no
+ eval "$as_ac_Lib=no"
fi
rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ echo "$as_me:$LINENO: result: $ac_cv_lib_krb4_main" >&5
-echo "${ECHO_T}$ac_cv_lib_krb4_main" >&6; }
-if test $ac_cv_lib_krb4_main = yes; then
+ac_res=`eval echo '${'$as_ac_Lib'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_Lib'}'` = yes; then
K4LIBS="-lkrb4 $K4LIBS"
else
K4LIBS="-lkrb $K4LIBS"
done
- SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
+ SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
LIBS="$_LIBS"
LDFLAGS="$_LDFLAGS"
# XXX - OpenLDAP has deprecated ldap_get_values()
dnl
dnl Process this file with GNU autoconf to produce a configure script.
-dnl $Sudo: configure.in,v 1.413.2.49 2008/03/23 14:22:33 millert Exp $
+dnl $Sudo: configure.in,v 1.413.2.50 2008/04/10 16:52:36 millert Exp $
dnl
dnl Copyright (c) 1994-1996,1998-2007 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
dnl Check for the dirfd function/macro. If not found, look for dd_fd in DIR.
dnl
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
-#include <$ac_header_dirent>]], [[DIR *d; (void)dirfd(d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
+#include <$ac_header_dirent>]], [[DIR d; (void)dirfd(&d);]])], [AC_DEFINE(HAVE_DIRFD)], [AC_TRY_LINK([#include <sys/types.h>
#include <$ac_header_dirent>], [DIR d; memset(&d, 0, sizeof(d)); return(d.dd_fd);], [AC_DEFINE(HAVE_DD_FD)])])
dnl
dnl If NEED_SNPRINTF is set, add snprintf.c to LIBOBJS
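Review bot: The new probe body `DIR d; (void)dirfd(&d);` needs the complete definition of `DIR`, so on a libc that only declares it as an opaque type the test program will not compile and `HAVE_DIRFD` stays undefined even though dirfd() exists. The `HAVE_DD_FD` fallback declares `DIR d` too and would fail the same way. AC_LINK_IFELSE only links the program and never runs it, so a pointer form such as `[[DIR *d = 0; (void)dirfd(d);]]` probes for the symbol without that requirement. The generated configure script carries the same body and would need regenerating.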
AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength)
AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
- SUDO_LIBS="${SUDO_LIBS}${LDAP_LIBS}"
+ SUDO_LIBS="${SUDO_LIBS} ${LDAP_LIBS}"
LIBS="$_LIBS"
LDFLAGS="$_LDFLAGS"
# XXX - OpenLDAP has deprecated ldap_get_values()
#include "parse.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.37 2008/02/09 14:44:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.38 2008/04/11 14:03:51 millert Exp $";
#endif /* lint */
#ifndef LINE_MAX
# define LDAP_OPT_SUCCESS LDAP_SUCCESS
#endif
+#ifndef LDAPS_PORT
+# define LDAPS_PORT 636
+#endif
+
#define DPRINTF(args, level) if (ldap_conf.debug >= level) warnx args
#define CONF_BOOL 0
/usr/sbin/rrestore, /bin/mt
Cmnd_Alias KILL = /bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
-Cmnd_Alias SHUTDOWN = /sbin/shutdown
-Cmnd_Alias HALT = /sbin/halt
-Cmnd_Alias REBOOT = /sbin/reboot
-Cmnd_Alias SHELLS = /sbin/sh, /bin/sh, /bin/csh, /usr/bin/ksh, \
- /usr/bin/tcsh, /usr/bin/rsh, \
- /usr/bin/zsh
-Cmnd_Alias SU = /bin/su
+Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+Cmnd_Alias HALT = /usr/sbin/halt
+Cmnd_Alias REBOOT = /usr/sbin/reboot
+Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+ /usr/local/bin/tcsh, /usr/bin/rsh, \
+ /usr/local/bin/zsh
+Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
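Review bot: The rewritten alias paths should be checked against where these programs are actually installed on the systems this sample ships to. Commands in sudoers are matched by full path, so an alias naming `/usr/bin/su` or `/usr/sbin/shutdown` has no effect where the binary lives in `/bin` or `/sbin`. That matters most for `SHELLS` and `SU` if they are used in negated form elsewhere in the file (not visible in this hunk), because a stale path there silently stops excluding anything. A comment above `SHELLS`, e.g. `# Paths are system-specific; adjust before use. A negated list of shells is not a security boundary.`, would make that limit explicit.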
#include "version.h"
#ifndef lint
-__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.38 2008/03/05 19:34:49 millert Exp $";
+__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.39 2008/04/10 17:56:05 millert Exp $";
#endif /* lint */
/*
/* Local sudoers file overrides LDAP if we have a match. */
v = sudoers_lookup(pwflag);
- if (ISSET(v, VALIDATE_OK))
+ if (validated == VALIDATE_ERROR || ISSET(v, VALIDATE_OK))
validated = v;
}
#else
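Review bot: `validated == VALIDATE_ERROR` is an exact comparison, while the other operand on the same line is tested with `ISSET()`. If the value assigned to `validated` before this block can carry `VALIDATE_ERROR` together with another flag bit, the local sudoers result is still dropped and the misleading error remains. `ISSET(validated, VALIDATE_ERROR)` would be consistent, assuming the flags are bit values as the `ISSET(v, VALIDATE_OK)` test suggests. The condition also deserves a comment on why an LDAP error lets the local result win even when it is a denial, e.g. `/* LDAP lookup failed: the local sudoers result stands, whether it allows or denies. */`. The enclosing block starts outside the hunk.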
user_host = user_shost = "localhost";
else {
user_host = estrdup(thost);
- if ((p = strchr(user_host, '.'))) {
- *p = '\0';
- user_shost = estrdup(user_host);
- *p = '.';
+ if (def_fqdn) {
+ /* Defer call to set_fqdn() until log_error() is safe. */
+ user_shost = user_host;
} else {
user_shost = user_host;
}
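Review bot: Both arms of the new `if (def_fqdn)` assign `user_shost = user_host`, and the removed `strchr()` lines were the only code in this hunk that cut the name at the first dot, so as shown `user_shost` keeps the full name even when fqdn is off. Unless it is shortened somewhere outside the hunk, sudoers host entries written with the short name would stop matching, which changes who is authorized on which host. The else arm should keep the truncation, as in the block below. The deferred set_fqdn() call that the new comment refers to is not in this hunk, and the enclosing function continues outside it.

```c
	/* … unchanged: if (def_fqdn) arm that defers set_fqdn() … */
	} else if ((p = strchr(user_host, '.'))) {
	    /* fqdn is off: host entries are matched against the short name. */
	    *p = '\0';
	    user_shost = estrdup(user_host);
	    *p = '.';
	} else {
	    user_shost = user_host;
	}
```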
if (nohostname)
log_error(USE_ERRNO|MSG_ONLY, "can't get hostname");
- /* We don't query FQDN yet, it might get disabled later. Querying is done
- * when host matching is executed and def_fqdn still true */
-
set_runaspw(*user_runas); /* may call log_error() */
if (*user_runas[0] == '#' && runas_pw->pw_name && runas_pw->pw_name[0])
*user_runas = estrdup(runas_pw->pw_name);
return(TRUE);
}
+/*
+ * Get passwd entry for the user we are going to run commands as.
+ * By default, this is "root". Updates runas_pw as a side effect.
+ */
+int
+set_runaspw(user)
+ char *user;
+{
+ if (runas_pw != NULL) {
+ if (user_runas != &def_runas_default)
+ return(TRUE); /* don't override -u option */
+ efree(runas_pw);
+ }
+ if (*user == '#') {
+ runas_pw = sudo_getpwuid(atoi(user + 1));
+ if (runas_pw == NULL) {
+ runas_pw = emalloc(sizeof(struct passwd));
+ (void) memset((VOID *)runas_pw, 0, sizeof(struct passwd));
+ runas_pw->pw_uid = atoi(user + 1);
+ }
+ } else {
+ runas_pw = sudo_getpwnam(user);
+ if (runas_pw == NULL)
+ log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", user);
+ }
+ return(TRUE);
+}
+
/*
* Get passwd entry for the user we are going to authenticate as.
* By default, this is the user invoking sudo. In the most common
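Review bot: `atoi(user + 1)` in the `#uid` branch of set_runaspw() cannot tell a malformed value from zero, and uid 0 is root, so a `#` followed by anything that is not a number is treated as a request for root's uid. The value is also parsed twice. Parse it once with `strtol()`, reject an empty number, trailing characters and `ERANGE`, and reuse the result for both `sudo_getpwuid()` and `pw_uid`. The header comment should also say that the function always returns TRUE and whether `log_error()` returns on the failure paths, which is not visible in the hunk.

```c
    if (*user == '#') {
	char *ep;
	long id;

	errno = 0;
	id = strtol(user + 1, &ep, 10);
	if (ep == user + 1 || *ep != '\0' || errno == ERANGE)
	    log_error(NO_MAIL|MSG_ONLY, "invalid uid: %s", user);
	runas_pw = sudo_getpwuid((uid_t) id);
	/* … unchanged: zero-filled struct passwd fallback, storing (uid_t) id in pw_uid … */
```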
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 1
+=======
+1.6.9p16 May 8, 2008 1
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
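Review bot: Unresolved merge conflict markers (`<<<<<<< HEAD:sudo.cat`, `=======`, `>>>>>>>`) are being added to sudo.cat as content, here and in the eight page-footer hunks that follow. The shipped page will therefore contain both the 1.6.9p15 and the 1.6.9p16 footer plus the marker lines. Resolve each conflict to the 1.6.9p16 line, or regenerate sudo.cat from the manual source. The markers show the merge was committed before it was fully resolved, so the other merged files deserve a second look as well.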
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 2
+=======
+1.6.9p16 May 8, 2008 2
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 3
+=======
+1.6.9p16 May 8, 2008 3
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 4
+=======
+1.6.9p16 May 8, 2008 4
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 5
+=======
+1.6.9p16 May 8, 2008 5
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 6
+=======
+1.6.9p16 May 8, 2008 6
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 7
+=======
+1.6.9p16 May 8, 2008 7
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 8
+=======
+1.6.9p16 May 8, 2008 8
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
+<<<<<<< HEAD:sudo.cat
1.6.9p15 March 23, 2008 9
+=======
+1.6.9p16 May 8, 2008 9
+>>>>>>> 17fe41bae8a65fb88683c9795414556ed9b636e9:sudo.cat
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudo.man.in,v 1.29.2.25 2008/03/23 19:43:51 millert Exp $
+.\" $Sudo: sudo.man.in,v 1.29.2.26 2008/05/08 19:48:23 millert Exp $
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
+.\" double quote, and \*(R" will give a right double quote. | will give a
+.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
+.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
+.\" expand to `' in nroff, nothing in troff, for use with C<>.
+.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "March 23, 2008" "1.6.9p15" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "May 8, 2008" "1.6.9p16" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
-1.6.9p15 March 23, 2008 1
+1.6.9p16 May 8, 2008 1
-1.6.9p15 March 23, 2008 2
+1.6.9p16 May 8, 2008 2
-1.6.9p15 March 23, 2008 3
+1.6.9p16 May 8, 2008 3
-1.6.9p15 March 23, 2008 4
+1.6.9p16 May 8, 2008 4
-1.6.9p15 March 23, 2008 5
+1.6.9p16 May 8, 2008 5
-1.6.9p15 March 23, 2008 6
+1.6.9p16 May 8, 2008 6
-1.6.9p15 March 23, 2008 7
+1.6.9p16 May 8, 2008 7
-1.6.9p15 March 23, 2008 8
+1.6.9p16 May 8, 2008 8
-1.6.9p15 March 23, 2008 9
+1.6.9p16 May 8, 2008 9
-1.6.9p15 March 23, 2008 10
+1.6.9p16 May 8, 2008 10
-1.6.9p15 March 23, 2008 11
+1.6.9p16 May 8, 2008 11
-1.6.9p15 March 23, 2008 12
+1.6.9p16 May 8, 2008 12
-1.6.9p15 March 23, 2008 13
+1.6.9p16 May 8, 2008 13
-1.6.9p15 March 23, 2008 14
+1.6.9p16 May 8, 2008 14
-1.6.9p15 March 23, 2008 15
+1.6.9p16 May 8, 2008 15
-1.6.9p15 March 23, 2008 16
+1.6.9p16 May 8, 2008 16
-1.6.9p15 March 23, 2008 17
+1.6.9p16 May 8, 2008 17
-1.6.9p15 March 23, 2008 18
+1.6.9p16 May 8, 2008 18
-1.6.9p15 March 23, 2008 19
+1.6.9p16 May 8, 2008 19
-1.6.9p15 March 23, 2008 20
+1.6.9p16 May 8, 2008 20
-1.6.9p15 March 23, 2008 21
+1.6.9p16 May 8, 2008 21
-1.6.9p15 March 23, 2008 22
+1.6.9p16 May 8, 2008 22
-1.6.9p15 March 23, 2008 23
+1.6.9p16 May 8, 2008 23
-1.6.9p15 March 23, 2008 24
+1.6.9p16 May 8, 2008 24
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.man.in,v 1.45.2.27 2008/03/23 19:43:51 millert Exp $
+.\" $Sudo: sudoers.man.in,v 1.45.2.28 2008/05/08 19:48:23 millert Exp $
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "March 23, 2008" "1.6.9p15" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "May 8, 2008" "1.6.9p16" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "always" 8
.IX Item "always"
+The user must always enter a password to use the \fB\-l\fR flag.
+.IP "any" 8
+.IX Item "any"
+At least one of the user's \fIsudoers\fR entries for the current host
+must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "never" 8
+.IX Item "never"
+The user need never enter a password to use the \fB\-l\fR flag.
+.RE
+.RS 12
+.Sp
+If no value is specified, a value of \fIany\fR is implied.
+Negating the option results in a value of \fInever\fR being used.
+The default value is \fIany\fR.
+.RE
+.IP "logfile" 12
+.IX Item "logfile"
+Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
+turns on logging to a file; negating this option turns it off.
+By default, \fBsudo\fR logs via syslog.
+.IP "mailerflags" 12
+.IX Item "mailerflags"
+Flags to use when invoking mailer. Defaults to \fB\-t\fR.
+.IP "mailerpath" 12
+.IX Item "mailerpath"
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
+.IP "mailto" 12
+.IX Item "mailto"
+Address to send warning and error mail to. The address should
+be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
+interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
+.IP "syslog" 12
+.IX Item "syslog"
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
+.IP "verifypw" 12
+.IX Item "verifypw"
+This option controls when a password will be required when a user runs
+\&\fBsudo\fR with the \fB\-v\fR flag. It has the following possible values:
+.RS 12
+.IP "all" 8
+.IX Item "all"
+All the user's \fIsudoers\fR entries for the current host must have
+the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "always" 8
+.IX Item "always"
The user must always enter a password to use the \fB\-v\fR flag.
.IP "any" 8
.IX Item "any"
=over 16
-=item always_set_home
+=item mail_badpass
-If set, B<sudo> will set the C<HOME> environment variable to the home
-directory of the target user (which is root unless the B<-u> option is used).
-This effectively means that the B<-H> flag is always implied.
-This flag is I<off> by default.
+Send mail to the I<mailto> user if the user running B<sudo> does not
+enter the correct password. This flag is I<off> by default.
+
+=item mail_no_host
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user exists in the I<sudoers> file, but is not allowed to run
+commands on the current host. This flag is I<@mail_no_host@> by default.
+
+=item mail_no_perms
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is allowed to use B<sudo> but the command they are trying is not
+listed in their I<sudoers> file entry or is explicitly denied.
+This flag is I<@mail_no_perms@> by default.
+
+=item mail_no_user
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
+by default.
+
+=item noexec
+
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
+tag has been set, unless overridden by a C<EXEC> tag. See the
+description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
+ESCAPES> section at the end of this manual. This flag is I<off> by default.
=item authenticate
I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
-which may make affect B<sudo> performance if DNS stops working (for example
-if the machine is not plugged into the network). The default behavior for
-Debian has been modified to minimize the potential of a problem, but there
-may still be some cases in which lack of working DNS might make sudo work
-very slowly. Also note that
+which may make B<sudo> unusable if DNS stops working (for example
+if the machine is not plugged into the network). Also note that
you must use the host's official name as DNS knows it. That is,
you may not use a host alias (C<CNAME> entry) due to performance
issues and the fact that there is no way to get all aliases from
=item env_check
-Like I<env_keep>, but listed environment variables are taken from the user's environment if
-the variable's value does B<not> contain C<%> or C</> characters. This can
+Environment variables to be removed from the user's environment if
+the variable's value contains C<%> or C</> characters. This can
be used to guard against printf-style format vulnerabilities in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
come first, followed by any C<Default_Entry> lines, and finally the
C<Runas_Alias> and user specifications. The basic rule of thumb
-is that you cannot reference an Alias that has not already been defined.
+is you cannot reference an Alias that has not already been defined.
+
+Below are example I<sudoers> entries. Admittedly, some of
+these are a bit contrived. First, we define our I<aliases>:
Below are example I<sudoers> entries. Admittedly, some of
these are a bit contrived. First, we allow a few environment
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
- * $Sudo: version.h,v 1.66.2.18 2008/03/23 19:43:51 millert Exp $
+ * $Sudo: version.h,v 1.66.2.19 2008/05/08 19:48:24 millert Exp $
*/
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.9p15";
+static const char version[] = "1.6.9p16";
#endif /* _SUDO_VERSION_H */
-1.6.9p15 March 23, 2008 1
+1.6.9p16 May 8, 2008 1
-1.6.9p15 March 23, 2008 2
+1.6.9p16 May 8, 2008 2
-1.6.9p15 March 23, 2008 3
+1.6.9p16 May 8, 2008 3
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: visudo.man.in,v 1.20.2.20 2008/03/23 19:43:51 millert Exp $
+.\" $Sudo: visudo.man.in,v 1.20.2.21 2008/05/08 19:48:24 millert Exp $
.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
.\"
.\" Standard preamble:
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "March 23, 2008" "1.6.9p15" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "May 8, 2008" "1.6.9p16" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"