author | Todd C. Miller <millert@cvs.openbsd.org> | 2000-01-28 01:10:21 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2000-01-28 01:10:21 +0000 |
commit | d4cab92e314f80d174f0d624e9a0aa72c407e710 (patch) | |
tree | 68cc1ae876796d15a78a27db0b5450337aacdff8 /usr.bin | |
parent | 79540e454b03060b6768f64289a7e1e1f5ad03dc (diff) |
1.6.2p1
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/sudo/CHANGES | 7 | ||||
-rw-r--r-- | usr.bin/sudo/INSTALL | 36 | ||||
-rw-r--r-- | usr.bin/sudo/Makefile.in | 5 | ||||
-rw-r--r-- | usr.bin/sudo/RUNSON | 3 | ||||
-rw-r--r-- | usr.bin/sudo/configure | 52 | ||||
-rw-r--r-- | usr.bin/sudo/configure.in | 16 | ||||
-rw-r--r-- | usr.bin/sudo/find_path.c | 4 | ||||
-rw-r--r-- | usr.bin/sudo/sudoers.5 | 168 | ||||
-rw-r--r-- | usr.bin/sudo/version.h | 2 |
9 files changed, 212 insertions, 81 deletions
diff --git a/usr.bin/sudo/CHANGES b/usr.bin/sudo/CHANGES index 4ac334d196a..f2d9cc266e8 100644 --- a/usr.bin/sudo/CHANGES +++ b/usr.bin/sudo/CHANGES @@ -1242,3 +1242,10 @@ Sudo 1.6.1 released. 392) PAM fixups: custom prompts now work correctly and errors are dealt with more sanely. Patches from Cloyce D. Spradling. + +Sudo 1.6.2 released. + +393) Users in the 'exempt' group shouldn't get their $PATH overridden + by 'secure-path'. Patch from jmknoble@pobox.com. + +394) Pam now works on HP-UX 11.0, thanks to Jeff A. Earickson. diff --git a/usr.bin/sudo/INSTALL b/usr.bin/sudo/INSTALL index 37f709ae906..20a1c59da55 100644 --- a/usr.bin/sudo/INSTALL +++ b/usr.bin/sudo/INSTALL @@ -159,11 +159,17 @@ Special features/options: on the machine. --with-pam - Enable PAM support. Tested on Redhat Linux 5.x, 6.0 and - Solaris 2.6, 7. - NOTE: on RedHat Linux (and perhaps others) you *must* install - an /etc/pam.d/sudo file. You may either use the sample.pam - file included with sudo or use /etc/pam.d/su as a reference. + Enable PAM support. Tested on: + Redhat Linux 5.x, 6.0, and 6.1 + Solaris 2.6 and 7 + HP-UX 11.0 + NOTE: on RedHat Linux you *must* install an /etc/pam.d/sudo file. + You may either use the sample.pam file included with sudo or use + /etc/pam.d/su as a reference. On Solaris and HP-UX 11 systems + you should check (and understand) the contents of /etc/pam.conf. + Do a "man pam.conf" for more information and consider using the + "debug" option, if available, with your PAM libraries in + /etc/pam.conf to obtain syslog output for debugging purposes. --with-AFS Enable AFS support with kerberos authentication. Should work under 
@@ -171,8 +177,14 @@ Special features/options: link without it. --with-DCE - Enable DCE support. Known to work on HP-UX 9.X and 10.0. Other - platforms may require source code and/or `configure' changes. + Enable DCE support. Known to work on HP-UX 9.X, 10.X, and 11.0. + The use of PAM is recommended for HP-UX 11.X systems, since PAM is + fully implemented (this is not true for 10.20 and earlier versions). + Check to see that your 11.X (or other) system uses DCE via PAM by + looking at /etc/pam.conf to see if "libpam_dce" libraries are + referenced there. Other platforms may require source code and/or + `configure' changes; you should check to see if your platform can + access DCE via PAM before using this option. --disable-sia Disable SIA support. This is the "Security Integration Architecture" @@ -228,11 +240,11 @@ Special features/options: security hole as most editors allow a user to get a shell (which would be a root shell and hence, no logging). -The following options are also configurable at runtime: - --with-otp-only This option is now just an alias for --without-passwd. +The following options are also configurable at runtime: + --with-long-otp-prompt When validating with a One Time Password scheme (S/Key or OPIE), a two-line prompt is used to make it easier to cut and paste the @@ -286,7 +298,7 @@ The following options are also configurable at runtime: Default is "*** SECURITY information for %h ***". --without-mail-if-no-user - Normally, sudo will mail to the "alermail" user if the user invoking + Normally, sudo will mail to the "alertmail" user if the user invoking sudo is not in the sudoers file. This option disables that behavior. --with-mail-if-no-host 
@@ -357,8 +369,8 @@ The following options are also configurable at runtime: The default is 5, set this to 0 for no password timeout. --with-tty-tickets - This makes sudo use a different ticket file for each tty (per user). - Ie: instead of the ticket file being "username" it is "username:tty". + This makes sudo use a different ticket file for each user/tty combo. + Ie: instead of the ticket path being "username" it is "username/tty". This is useful for "shared" accounts like "operator". Note that this means that there will be more files in the timestamp dir. This is not a problem if your system has a cron job to remove of files from /tmp diff --git a/usr.bin/sudo/Makefile.in b/usr.bin/sudo/Makefile.in index fea49bbe89c..3795d0da53e 100644 --- a/usr.bin/sudo/Makefile.in +++ b/usr.bin/sudo/Makefile.in @@ -34,7 +34,7 @@ # # @configure_input@ # -# $Sudo: Makefile.in,v 1.193 2000/01/17 23:46:24 millert Exp $ +# $Sudo: Makefile.in,v 1.194 2000/01/24 15:48:46 millert Exp $ # #### Start of system configuration section. #### @@ -148,7 +148,7 @@ DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES FAQ HISTORY INSTALL INSTALL.configure \ sample.sudoers sudo.cat sudo.man sudo.pod sudoers sudoers.cat \ sudoers.man sudoers.pod visudo.cat visudo.man visudo.pod auth/API -BINFILES= BUGS CHANGES FAQ HISTORY LICENSE README TODO TROUBLESHOOTING \ +BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \ UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \ sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \ sudoers.pod visudo visudo.cat visudo.man visudo.pod @@ -342,6 +342,7 @@ bindist: cp ../../$(srcdir)/$$i . ; \ fi ; \ done ; \ + ln -s TROUBLESHOOTING FAQ ; \ for i in $(BINSPECIAL) ; do \ if [ -f ../../$$i ]; then \ cp ../../$$i `basename $$i .binary` ; \ diff --git a/usr.bin/sudo/RUNSON b/usr.bin/sudo/RUNSON index c3ffa3e8f16..15284a3c6a9 100644 --- a/usr.bin/sudo/RUNSON +++ b/usr.bin/sudo/RUNSON 
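Review bot: The added `ln -s TROUBLESHOOTING FAQ ; \` step in the `bindist` recipe is chained with `;`, so if the link cannot be created (for example a FAQ left over from an earlier run) the recipe carries on regardless. The link is also created whether or not TROUBLESHOOTING was actually copied by the preceding loop, which would leave it dangling. FAQ was dropped from BINFILES in the same change, so nothing else puts it into the binary distribution. Consider `rm -f FAQ ; test -f TROUBLESHOOTING && ln -s TROUBLESHOOTING FAQ ; \`. The recipe begins and ends outside the hunk, so whether the staging directory is always fresh cannot be confirmed from here.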
@@ -38,7 +38,8 @@ HP-UX 10.20 hp700 bundled cc 1.6.2 Todd Miller none HP-UX 10.20 PA-RISC2.0 bundled cc 1.5.4 Leon von Stauber none HP-UX 11.00 hp700 ansi-c 1.5.5b1 Alek Komarnitsky --with-C2 HP-UX 11.00 hp700 bundled cc 1.5.5p5 Lynn Osburn none -HP-UX 10.20 hp700 gcc 2.8.1 1.5.6b2 Jeff Earickson --with-DCE +HP-UX 11.00 hp700 HP C compiler 1.6.2 Jeff Earickson --with-pam +HP-UX 10.20 hp700 gcc 2.95.2 1.6.2 Jeff Earickson --with-DCE Ultrix 4.3 mips bundled cc 1.6.2 Todd Miller none Ultrix 4.3 mips gcc2.7.2.1 1.5.9 Todd Miller --with-skey IRIX 4.05H mips gcc2.6.3 1.5.3 Todd Miller none diff --git a/usr.bin/sudo/configure b/usr.bin/sudo/configure index 876186a6875..438e0cd795e 100644 --- a/usr.bin/sudo/configure +++ b/usr.bin/sudo/configure @@ -7630,6 +7630,44 @@ EOF AUTH_OBJS="${AUTH_OBJS} kerb5.o" fi +if test "$with_pam" = "yes"; then + echo $ac_n "checking for -ldl""... $ac_c" 1>&6 +echo "configure:7636: checking for -ldl" >&5 +if eval "test \"`echo '$''{'ac_cv_lib_dl'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-ldl $LIBS" +cat > conftest.$ac_ext <<EOF +#line 7643 "configure" +#include "confdefs.h" + +int main() { +main() +; return 0; } +EOF +if { (eval echo configure:7650: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then + rm -rf conftest* + ac_cv_lib_dl=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_lib_dl=no +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +echo "$ac_t""$ac_cv_lib_dl" 1>&6 +if test "$ac_cv_lib_dl" = yes; then + SUDO_LIBS="${SUDO_LIBS} -ldl -lpam" +else + SUDO_LIBS="${SUDO_LIBS} -lpam" +fi + +fi + if test "$with_kerb4" = "yes"; then cat >> confdefs.h <<\EOF #define HAVE_KERB4 1 
@@ -7658,21 +7696,21 @@ EOF fi echo $ac_n "checking for -ldes""... $ac_c" 1>&6 -echo "configure:7662: checking for -ldes" >&5 +echo "configure:7700: checking for -ldes" >&5 if eval "test \"`echo '$''{'ac_cv_lib_des'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_save_LIBS="$LIBS" LIBS="-ldes $LIBS" cat > conftest.$ac_ext <<EOF -#line 7669 "configure" +#line 7707 "configure" #include "confdefs.h" int main() { main() ; return 0; } EOF -if { (eval echo configure:7676: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then +if { (eval echo configure:7714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then rm -rf conftest* ac_cv_lib_des=yes else @@ -7695,10 +7733,6 @@ fi AUTH_OBJS="${AUTH_OBJS} kerb4.o" fi -if test "$with_pam" = "yes"; then - SUDO_LIBS="${SUDO_LIBS} -ldl -lpam" -fi - if test "$with_AFS" = "yes"; then # looks like the "standard" place for AFS libs is /usr/afsws/lib @@ -7795,7 +7829,7 @@ if test "$with_authenticate" = "yes"; then fi echo $ac_n "checking for log file location""... $ac_c" 1>&6 -echo "configure:7799: checking for log file location" >&5 +echo "configure:7833: checking for log file location" >&5 if test -n "$with_logpath"; then echo "$ac_t""$with_logpath" 1>&6 cat >> confdefs.h <<EOF @@ -7825,7 +7859,7 @@ else fi echo $ac_n "checking for timestamp file location""... $ac_c" 1>&6 -echo "configure:7829: checking for timestamp file location" >&5 +echo "configure:7863: checking for timestamp file location" >&5 if test -n "$with_timedir"; then echo "$ac_t""$with_timedir" 1>&6 cat >> confdefs.h <<EOF diff --git a/usr.bin/sudo/configure.in b/usr.bin/sudo/configure.in index 86a446617a1..aab9a996685 100644 --- a/usr.bin/sudo/configure.in +++ b/usr.bin/sudo/configure.in 
@@ -1,6 +1,6 @@ dnl dnl Process this file with GNU autoconf to produce a configure script. -dnl $Sudo: configure.in,v 1.299 2000/01/19 19:07:24 millert Exp $ +dnl $Sudo: configure.in,v 1.300 2000/01/27 20:01:37 millert Exp $ dnl dnl Copyright (c) 1994-1996,1998-1999 Todd C. Miller <Todd.Miller@courtesan.com> dnl @@ -1433,6 +1433,13 @@ if test "$with_kerb5" = "yes"; then fi dnl +dnl PAM libs +dnl +if test "$with_pam" = "yes"; then + AC_HAVE_LIBRARY(dl, SUDO_LIBS="${SUDO_LIBS} -ldl -lpam", SUDO_LIBS="${SUDO_LIBS} -lpam") +fi + +dnl dnl Find kerberos 4 includes and libs or complain dnl if test "$with_kerb4" = "yes"; then @@ -1464,13 +1471,6 @@ if test "$with_kerb4" = "yes"; then fi dnl -dnl PAM libs -dnl -if test "$with_pam" = "yes"; then - SUDO_LIBS="${SUDO_LIBS} -ldl -lpam" -fi - -dnl dnl extra AFS libs and includes dnl if test "$with_AFS" = "yes"; then diff --git a/usr.bin/sudo/find_path.c b/usr.bin/sudo/find_path.c index 4d84b4e79dc..1c6c05cc72b 100644 --- a/usr.bin/sudo/find_path.c +++ b/usr.bin/sudo/find_path.c @@ -64,7 +64,7 @@ extern int lstat __P((const char *, struct stat *)); #endif /* !STDC_HEADERS */ #ifndef lint -static const char rcsid[] = "$Sudo: find_path.c,v 1.94 1999/10/07 21:20:57 millert Exp $"; +static const char rcsid[] = "$Sudo: find_path.c,v 1.95 2000/01/27 04:31:58 millert Exp $"; #endif /* lint */ /* @@ -108,7 +108,7 @@ find_path(infile, outfile) * Grab PATH out of the environment (or from the string table * if SECURE_PATH is in effect) and make a local copy. */ - if (def_str(I_SECURE_PATH)) + if (def_str(I_SECURE_PATH) && !user_is_exempt()) path = def_str(I_SECURE_PATH); else if ((path = getenv("PATH")) == NULL) return(NOT_FOUND); diff --git a/usr.bin/sudo/sudoers.5 b/usr.bin/sudo/sudoers.5 index be44be9391c..0ba2eebcba8 100644 --- a/usr.bin/sudo/sudoers.5 +++ b/usr.bin/sudo/sudoers.5 
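Review bot: The new "PAM libs" block probes only for libdl, and `-lpam` is appended to SUDO_LIBS on both branches of `AC_HAVE_LIBRARY(dl, ...)` without any check that libpam itself is present. A `--with-pam` build on a host without the library would then fail at link time rather than stopping at configure time with a clear message. Consider adding a probe for a PAM entry point such as `pam_start` (for instance via `AC_CHECK_LIB(pam, pam_start, ...)` with an `AC_MSG_ERROR` in the not-found action) before extending SUDO_LIBS. A short `dnl` comment saying why `-ldl` is optional (presumably platforms such as HP-UX 11 that lack it) would also help.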
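Review bot: The comment directly above the changed condition in find_path() still says PATH comes from the string table "if SECURE_PATH is in effect", which is no longer true for exempt-group members. With `def_str(I_SECURE_PATH) && !user_is_exempt()`, their own environment `$PATH` decides which binary is resolved for the privileged command. Update the comment, e.g. `* if SECURE_PATH is in effect and the user is not exempt) and make a local copy.` The secure_path text added to sudoers.5 in this same commit ("Path used for every command run from sudo") should mention the exemption too. The hunk shows no declaration of `user_is_exempt()`, so it is worth confirming that a prototype is visible in find_path.c; the function body starts and ends outside the hunk.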
@@ -1,12 +1,12 @@ .rn '' }` -''' $RCSfile: sudoers.5,v $$Revision: 1.3 $$Date: 2000/01/24 04:22:53 $ +''' $RCSfile: sudoers.5,v $$Revision: 1.4 $$Date: 2000/01/28 01:10:20 $ ''' ''' $Log: sudoers.5,v $ -''' Revision 1.3 2000/01/24 04:22:53 millert -''' sudo 1.6.2 +''' Revision 1.4 2000/01/28 01:10:20 millert +''' 1.6.2p1 ''' -''' Revision 1.22 2000/01/24 03:57:49 millert -''' Add netgroup caveat +''' Revision 1.23 2000/01/26 21:21:28 millert +''' Expanded docs on sudoers 'defaults' options based on INSTALL file info. ''' ''' .de Sh @@ -99,7 +99,7 @@ .nr % 0 .rr F .\} -.TH sudoers 5 "1.6.2" "23/Jan/2000" "FILE FORMATS" +.TH sudoers 5 "1.6.2" "26/Jan/2000" "FILE FORMATS" .UC .if n .hy 0 .if n .na 
@@ -379,96 +379,172 @@ be escaped with a backslash (\f(CW\e\fR). .PP \fBFlags\fR: .Ip "long_otp_prompt" 12 -Put \s-1OTP\s0 prompt on its own line +When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR), +a two-line prompt is used to make it easier to cut and paste the +challenge to a local window. It's not as pretty as the default but +some people find it more convenient. This flag is off by default. .Ip "ignore_dot" 12 -Ignore \*(L'.\*(R' in \f(CW$PATH\fR +If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR; +the \f(CW$PATH\fR itself is not modified. This flag is off by default. .Ip "mail_always" 12 -Always send mail when sudo is run +Send mail to the \fImailto\fR user every time a users runs sudo. +This flag is off by default. .Ip "mail_no_user" 12 -Send mail if the user is not in sudoers +If set, mail will be sent to the \fImailto\fR user if the invoking +user is not in the \fIsudoers\fR file. This flag is on by default. .Ip "mail_no_host" 12 -Send mail if the user is not in sudoers for this host +If set, mail will be sent to the \fImailto\fR user if the invoking +user exists in the \fIsudoers\fR file, but is not allowed to run +commands on the current host. This flag is off by default. .Ip "mail_no_perms" 12 -Send mail if the user is not allowed to run a command +If set, mail will be sent to the \fImailto\fR user if the invoking +user allowed to use sudo but the command they are trying is not +listed in their \fIsudoers\fR file entry. This flag is off by default. .Ip "tty_tickets" 12 -Use a separate timestamp for each user/tty combo +If set, users must authenticate on a per-tty basis. Normally, +\fBsudo\fR uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, \fBsudo\fR will use a +file named for the tty the user is logged in on in that directory. +This flag is off by default. 
.Ip "lecture" 12 -Lecture user the first time they run sudo +If set, a user will receive a short lecture the first time he/she +runs \fBsudo\fR. This flag is on by default. .Ip "authenticate" 12 -Require users to authenticate by default +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags. +This flag is on by default. .Ip "root_sudo" 12 -Root may run sudo +If set, root is allowed to run sudo too. Disabling this prevents users +from \*(L"chaining\*(R" sudo commands to get a root shell by doing something +like \f(CW"sudo sudo /bin/sh"\fR. +This flag is on by default. .Ip "log_host" 12 -Log the hostname in the (non-syslog) log file +If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. .Ip "log_year" 12 -Log the year in the (non-syslog) log file +If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. .Ip "shell_noargs" 12 -If sudo is invoked with no arguments, start a shell +If set and \fBsudo\fR is invoked with no arguments it acts as if the +\f(CW-s\fR flag had been given. That is, it runs a shell as root (the +shell is determined by the \f(CWSHELL\fR environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is off by default. .Ip "set_home" 12 -Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR +If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR +environment variable will be set to the home directory of the target +user (which is root unless the \f(CW-u\fR option is used). This effectively +makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default. 
.Ip "path_info" 12 -Allow some information gathering to give useful error messages +Normally, \fBsudo\fR will tell the user when a command could not be +found in their \f(CW$PATH\fR. Some sites may wish to disable this as +it could be used to gather information on the location of executables +that the normal user does not have access to. The disadvantage is +that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR +will tell the user that they are not allowed to run it, which can +be confusing. This flag is off by default. .Ip "fqdn" 12 -Require fully-qualified hostnames in the sudoers file +Set this flag if you want to put fully qualified hostnames in the +\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups +which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as \s-1DNS\s0 knows it. That is, +you may not use a host alias (\f(CWCNAME\fR entry) due to performance +issues and the fact that there is no way to get all aliases from +\s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR +command) is already fully qualified you shouldn't need to set +\fIfqfn\fR. This flag is off by default. .Ip "insults" 12 -Insult the user when they enter an incorrect password +If set, sudo will insult users when they enter an incorrect +password. This flag is off by default. .Ip "requiretty" 12 -Only allow the user to run sudo if they have a tty +If set, sudo will only run when the user is logged in to a real +tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since +\fIrsh\fR\|(1) does not allocate a tty. 
Because it is not possible to turn +of echo when there is no tty present, some sites may with to set +this flag to prevent a user from entering a visible password. This +flag is off by default. .PP \fBIntegers\fR: .Ip "passwd_tries" 12 -Number of tries to enter a password +The number of tries a user gets to enter his/her password before +sudo logs the failure and exits. The default is 3. .PP \fBIntegers that can be used in a boolean context\fR: .Ip "loglinelen" 12 -Length at which to wrap log file lines (use 0 or negate for no wrap) +Number of characters per line for the file log. This value is used +to decide when to wrap lines for nicer log files. This has no +effect on the syslog log file, only the file log. The default is +80 (use 0 or negate to disable word wrap). .Ip "timestamp_timeout" 12 -Authentication timestamp timeout +Number of minutes that can elapse before \fBsudo\fR will ask for a passwd +again. The default is 5, set this to 0 to always prompt for a password. .Ip "passwd_timeout" 12 -Password prompt timeout +Number of minutes before the sudo password prompt times out. +The default is 5, set this to 0 for no password timeout. .Ip "umask" 12 -Umask to use or 0777 to use user's +Umask to use when running the root command. Set this to 0777 to +not override the user's umask. The default is 0022. .PP \fBStrings\fR: .Ip "mailsub" 12 -Subject line for mail messages +Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR +will expand to the hostname of the machine. +Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R". .Ip "badpass_message" 12 -Incorrect password message +Message that is displayed if a user enters an incorrect password. +The default is \*(L"Sorry, try again.\*(R" unless insults are enabled. .Ip "timestampdir" 12 -Path to authentication timestamp dir +The directory in which \fBsudo\fR stores its timestamp files. +The default is either \f(CW/var/run/sudo\fR or \f(CW/tmp/sudo\fR. 
.Ip "passprompt" 12 -Default password prompt +The default prompt to use when asking for a password; can be overridden +via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports +two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands +to the local hostname. The default value is \*(L"Password:\*(R". .Ip "runas_default" 12 -Default user to run commands as +The default user to run commands as if the \f(CW-u\fR flag is not specified +on the command line. This defaults to \*(L"root\*(R". .Ip "syslog_goodpri" 12 -Syslog priority to use when user authenticates successfully +Syslog priority to use when user authenticates successfully. +Defaults to \*(L"notice\*(R". .Ip "syslog_badpri" 12 -Syslog priority to use when user authenticates unsuccessfully +Syslog priority to use when user authenticates unsuccessfully. +Defaults to \*(L"alert\*(R". .PP \fBStrings that can be used in a boolean context\fR: .Ip "syslog" 12 -Syslog facility if syslog is being used for logging (negate to disable syslog) +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to \*(L"local2\*(R". .Ip "mailerpath" 12 -Path to mail program +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. .Ip "mailerflags" 12 -Flags for mail program +Flags to use when invoking mailer. Defaults to \f(CW-t\fR. .Ip "mailto" 12 -Address to send mail to +Address to send warning and erorr mail to. Defaults to \*(L"root\*(R". .Ip "exempt_group" 12 -Users in this group are exempt from password and \s-1PATH\s0 requirements +Users in this group are exempt from password and \s-1PATH\s0 requirements. +This is not set by default. .Ip "secure_path" 12 -Value to override user's \f(CW$PATH\fR with +Path used for every command run from \fBsudo\fR. If you don't trust the +people running sudo to have a sane \f(CWPATH\fR environment variable you may +want to use this. 
Another use is if you want to have the \*(L"root path\*(R" +be separate from the \*(L"user path.\*(R" This is not set by default. .Ip "verifypw" 12 This option controls when a password will be required when a user runs sudo with the \fB\-v\fR. It has the following possible values: .Sp .Vb 3 -\& all All the user's sudoers entries for the +\& all All the user's I<sudoers> entries for the \& current host must have the C<NOPASSWD> \& flag set to avoid entering a password. .Ve .Vb 4 -\& any At least one of the user's sudoers entries +\& any At least one of the user's I<sudoers> entries \& for the current host must have the \& C<NOPASSWD> flag set to avoid entering a \& password. @@ -487,12 +563,12 @@ This option controls when a password will be required when a user runs sudo with the \fB\-l\fR. It has the following possible values: .Sp .Vb 3 -\& all All the user's sudoers entries for the +\& all All the user's I<sudoers> entries for the \& current host must have the C<NOPASSWD> \& flag set to avoid entering a password. .Ve .Vb 4 -\& any At least one of the user's sudoers entries +\& any At least one of the user's I<sudoers> entries \& for the current host must have the \& C<NOPASSWD> flag set to avoid entering a \& password. diff --git a/usr.bin/sudo/version.h b/usr.bin/sudo/version.h index 1fac06c59ee..34b9ce2afe3 100644 --- a/usr.bin/sudo/version.h +++ b/usr.bin/sudo/version.h @@ -37,6 +37,6 @@ #ifndef _SUDO_VERSION_H #define _SUDO_VERSION_H -static const char version[] = "1.6.2"; +static const char version[] = "1.6.2p1"; #endif /* _SUDO_VERSION_H */ |