-rw-r--r-- | usr.bin/sudo/sudo.8 | 15
-rw-r--r-- | usr.bin/sudo/sudoers.5 | 45
-rw-r--r-- | usr.bin/sudo/visudo.8 | 31
3 files changed, 50 insertions, 41 deletions
diff --git a/usr.bin/sudo/sudo.8 b/usr.bin/sudo/sudo.8 index 01334df3ad2..fc1f04ef67f 100644 --- a/usr.bin/sudo/sudo.8 +++ b/usr.bin/sudo/sudo.8 @@ -1,7 +1,10 @@ .rn '' }` -''' $RCSfile: sudo.8,v $$Revision: 1.5 $$Date: 2000/11/21 17:58:44 $ +''' $RCSfile: sudo.8,v $$Revision: 1.6 $$Date: 2001/09/17 23:49:21 $ ''' ''' $Log: sudo.8,v $ +''' Revision 1.6 2001/09/17 23:49:21 pjanzen +''' Typo and grammar fixes, one from PR/2058 (Dennis Schwarz); ok millert@ +''' ''' Revision 1.5 2000/11/21 17:58:44 millert ''' A few updates from the sudo developement tree: ''' - Add bsd authentication support (currently disabled) @@ -101,7 +104,7 @@ .\" Ip Item .\" X<> Xref (embedded .\" Of course, you have to process the output yourself -.\" in some meaninful fashion. +.\" in some meaningful fashion. .if \nF \{ .de IX .tm Index:\\$1\t\\n%\t"\\$2" @@ -236,7 +239,7 @@ mail will not be sent if an unauthorized user tries to run sudo with the \f(CW-l\fR or \f(CW-v\fR flags. This allows users to determine for themselves whether or not they are allowed to use \fBsudo\fR. .PP -\fBsudo\fR can log both successful an unsuccessful attempts (as well +\fBsudo\fR can log both successful and unsuccessful attempts (as well as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR will log via \fIsyslog\fR\|(3) but this is changeable at configure time. .SH "OPTIONS" 
@@ -285,7 +288,7 @@ with resources limited by the specified login class. The \fIclass\fR argument can be either a class name as defined in /etc/login.conf, or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates that the command should be run restricted by the default login -capibilities for the user the command is run as. If the \fIclass\fR +capabilities for the user the command is run as. If the \fIclass\fR argument specifies an existing user class, the command must be run as root, or the \fBsudo\fR command must be run from a shell that is already root. This option is only available on systems with \s-1BSD\s0 login classes @@ -355,7 +358,7 @@ behavior or link \fBsudo\fR statically. (\fI/var/run/sudo\fR by default) and ignore the directory's contents if it is not owned by root and only writable by root. On systems that allow non-root users to give away files via \fIchown\fR\|(2), if the timestamp -directory is located in a directory writable by anyone (eg: \fI/tmp\fR), +directory is located in a directory writable by anyone (e.g.: \fI/tmp\fR), it is possible for a user to create the timestamp directory before \fBsudo\fR is run. However, because \fBsudo\fR checks the ownership and mode of the directory and its contents, the only damage that can @@ -429,7 +432,7 @@ to make the \f(CWcd\fR and file redirection work. \& /var/run/sudo Directory containing timestamps .Ve .SH "AUTHORS" -Many people have worked on \fBsudo\fR over the years, this +Many people have worked on \fBsudo\fR over the years. This version consists of code written primarily by: .PP .Vb 2 diff --git a/usr.bin/sudo/sudoers.5 b/usr.bin/sudo/sudoers.5 index 98d35dac471..e2d9241c5c9 100644 --- a/usr.bin/sudo/sudoers.5 +++ b/usr.bin/sudo/sudoers.5 
@@ -1,7 +1,10 @@ .rn '' }` -''' $RCSfile: sudoers.5,v $$Revision: 1.6 $$Date: 2001/01/09 18:15:31 $ +''' $RCSfile: sudoers.5,v $$Revision: 1.7 $$Date: 2001/09/17 23:49:21 $ ''' ''' $Log: sudoers.5,v $ +''' Revision 1.7 2001/09/17 23:49:21 pjanzen +''' Typo and grammar fixes, one from PR/2058 (Dennis Schwarz); ok millert@ +''' ''' Revision 1.6 2001/01/09 18:15:31 krw ''' Typos: 'eg.' -> 'e.g.' ''' @@ -95,7 +98,7 @@ .\" Ip Item .\" X<> Xref (embedded .\" Of course, you have to process the output yourself -.\" in some meaninful fashion. +.\" in some meaningful fashion. .if \nF \{ .de IX .tm Index:\\$1\t\\n%\t"\\$2" @@ -200,15 +203,15 @@ .SH "NAME" sudoers \- list of which users may execute what .SH "DESCRIPTION" -The \fIsudoers\fR file is composed two types of entries: +The \fIsudoers\fR file is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The grammar of \fIsudoers\fR will be described below in Extended Backus-Naur Form (EBNF). -Don't despair if you don't know what EBNF is, it is fairly -simple and the definitions below are annotated. +Don't despair if you don't know what EBNF is; it is fairly +simple, and the definitions below are annotated. .Sh "Quick guide to \s-1EBNF\s0" \s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. -Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg. +Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g., .PP .Vb 1 \& symbol ::= definition | alternate1 | alternate2 ... @@ -232,7 +235,7 @@ Parentheses may be used to group symbols together. For clarity, we will use single quotes ('') to designate what is a verbatim character string (as opposed to a symbol name). .Sh "Aliases" -There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, +There are four kinds of aliases: \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR. .PP .Vb 4 
@@ -262,10 +265,10 @@ Each \fIalias\fR definition is of the form \& Alias_Type NAME = item1, item2, ... .Ve where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR, -or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers, +or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of uppercase letters, numbers, and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an -upper case letter. It is possible to put several alias definitions -of the same type on a single line, joined by a semicolon (':'). Eg. +uppercase letter. It is possible to put several alias definitions +of the same type on a single line, joined by a semicolon (':'). E.g., .PP .Vb 1 \& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 @@ -287,7 +290,7 @@ A \f(CWUser_List\fR is made up of one or more usernames, uids (prefixed with \*(L'#'), System groups (prefixed with \*(L'%'), netgroups (prefixed with \*(L'+') and other aliases. Each list item may be prefixed with one or more \*(L'!\*(R' operators. An odd number -of \*(L'!\*(R' operators negates the value of the item; an even number +of \*(L'!\*(R' operators negate the value of the item; an even number just cancel each other out. .PP .Vb 2 @@ -454,7 +457,7 @@ will tell the user that they are not allowed to run it, which can be confusing. This flag is off by default. .Ip "fqdn" 12 Set this flag if you want to put fully qualified hostnames in the -\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu. +\fIsudoers\fR file. I.e.: instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example 
@@ -511,7 +514,7 @@ effect on the syslog log file, only the file log. The default is 80 (use 0 or negate to disable word wrap). .Ip "timestamp_timeout" 12 Number of minutes that can elapse before \fBsudo\fR will ask for a passwd -again. The default is 5, set this to 0 to always prompt for a password. +again. The default is 5. Set this to 0 to always prompt for a password. .Ip "passwd_timeout" 12 Number of minutes before the \fBsudo\fR password prompt times out. The default is 5, set this to 0 for no password timeout. @@ -551,7 +554,7 @@ to vi on your system. \fBStrings that can be used in a boolean context\fR: .Ip "logfile" 12 Path to the \fBsudo\fR log file (not the syslog log file). Setting a path -turns on logging to a file, negating this option turns it off. +turns on logging to a file; negating this option turns it off. .Ip "syslog" 12 Syslog facility if syslog is being used for logging (negate to disable syslog logging). Defaults to \*(L"local2\*(R". @@ -561,7 +564,7 @@ Defaults to the path to sendmail found at configure time. .Ip "mailerflags" 12 Flags to use when invoking mailer. Defaults to \f(CW-t\fR. .Ip "mailto" 12 -Address to send warning and erorr mail to. Defaults to \*(L"root\*(R". +Address to send warning and error mail to. Defaults to \*(L"root\*(R". .Ip "exempt_group" 12 Users in this group are exempt from password and \s-1PATH\s0 requirements. This is not set by default. @@ -572,7 +575,7 @@ want to use this. Another use is if you want to have the \*(L"root path\*(R" be separate from the \*(L"user path.\*(R" This is not set by default. .Ip "verifypw" 12 This option controls when a password will be required when a -user runs \fBsudo\fR with the \fB\-v\fR. It has the following possible values: +user runs \fBsudo\fR with \fB\-v\fR. It has the following possible values: .Sp .Vb 3 \& all All the user's I<sudoers> entries for the 
@@ -643,7 +646,7 @@ syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\ .Ve A \fBuser specification\fR determines which commands a user may run (and as what user) on specified hosts. By default, commands are -run as \fBroot\fR but this can be changed on a per-command basis. +run as \fBroot\fR, but this can be changed on a per-command basis. .PP Let's break that down into its constituent parts: .Sh "Runas_Spec" @@ -657,7 +660,7 @@ commands that follow it. What this means is that for the entry: \& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who .Ve The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and -\fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg. +\fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. E.g., .PP .Vb 1 \& sudo -u operator /bin/ls. @@ -689,7 +692,7 @@ run \fI/bin/kill\fR without a password the entry would be: .Vb 1 \& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm .Ve -Note however, that the \f(CWPASSWD\fR tag has no effect on users who are +Note, however, that the \f(CWPASSWD\fR tag has no effect on users who are in the group specified by the exempt_group option. .PP By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries @@ -755,7 +758,7 @@ run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\ Long lines can be continued with a backslash (\*(R'\e') as the last character on the line. .PP -Whitespace between elements in a list as well as specicial syntactic +Whitespace between elements in a list as well as special syntactic characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional. .PP The following characters must be escaped with a backslash (\*(R'\e') when 
@@ -945,7 +948,7 @@ web pages) or simply \fIsu\fR\|(1) to www. .Ve Any user may mount or unmount a CD\-ROM on the machines in the CDROM \f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password. -This is a bit tedious for users to type, so it is a prime candiate +This is a bit tedious for users to type, so it is a prime candidate for encapsulating in a shell script. .SH "SECURITY NOTES" It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR diff --git a/usr.bin/sudo/visudo.8 b/usr.bin/sudo/visudo.8 index 40cc57c258b..eb0a60fd5d7 100644 --- a/usr.bin/sudo/visudo.8 +++ b/usr.bin/sudo/visudo.8 @@ -1,7 +1,10 @@ .rn '' }` -''' $RCSfile: visudo.8,v $$Revision: 1.3 $$Date: 2000/03/27 03:44:39 $ +''' $RCSfile: visudo.8,v $$Revision: 1.4 $$Date: 2001/09/17 23:49:21 $ ''' ''' $Log: visudo.8,v $ +''' Revision 1.4 2001/09/17 23:49:21 pjanzen +''' Typo and grammar fixes, one from PR/2058 (Dennis Schwarz); ok millert@ +''' ''' Revision 1.3 2000/03/27 03:44:39 millert ''' sudo 1.6.3; see http://www.courtesan.com/sudo/current.html for a list ''' of changes. @@ -92,7 +95,7 @@ .\" Ip Item .\" X<> Xref (embedded .\" Of course, you have to process the output yourself -.\" in some meaninful fashion. +.\" in some meaningful fashion. .if \nF \{ .de IX .tm Index:\\$1\t\\n%\t"\\$2" 
@@ -205,25 +208,25 @@ simultaneous edits, provides basic sanity checks, and checks for parse errors. If the \fIsudoers\fR file is currently being edited you will receive a message to try again later. In the default configuration, the \fIvi\fR\|(1) editor is used, but there is -a compile time option to allow use of whatever editor the +a compile-time option to allow use of whatever editor the environment variables \f(CWEDITOR\fR or \f(CWVISUAL\fR are set to. .PP \fBvisudo\fR parses the \fIsudoers\fR file after the edit and will not save the changes if there is a syntax error. Upon finding -an error, a message will be printed stating the line \fInumber\fR\|(s) +an error, \fBvisudo\fR will print a message stating the line \fInumber\fR\|(s) that the error occurred on and the user will receive the \*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R" -to re-edit the \fIsudoers\fR file, enter \*(L"x\*(R" to exit without +to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without saving the changes, or \*(L"Q\*(R" to quit and save changes. The \*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR believes there to be a parse error, so will \fBsudo\fR and no one -will be able to execute \fBsudo\fR again until the error is fixed. +will be able to use \fBsudo\fR again until the error is fixed. Any other command at this prompt will print a short help message. -When editing the \fIsudoers\fR file after a parse error has been -detected the cursor will be placed on the line where the error +If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error +has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature). .SH "OPTIONS" -\fBvisudo\fR accepts the following command line option: +\fBvisudo\fR accepts the following command line options: .Ip "-s" 4 Enable \fBstrict\fR checking of the \fIsudoers\fR file. 
If an alias is used before it is defined, \fBvisudo\fR will consider this a parse @@ -231,7 +234,7 @@ error. Note that it is not possible to differentiate between an alias and a hostname or username that consists solely of upper case letters, digits, and the underscore ('_') character. .Ip "-V" 4 -The \f(CW-V\fR (version) option causes \fBvisudo\fR to print the version number +The \f(CW-V\fR (version) option causes \fBvisudo\fR to print its version number and exit. .SH "ERRORS" .Ip "sudoers file busy, try again later." 4 @@ -246,14 +249,14 @@ defining it or you have a user or hostname listed that consists solely of upper case letters, digits, and the underscore ('_') character. If the latter, you can ignore the warnings (\fBsudo\fR will not complain). In \fB\-s\fR (strict) -mode these are errors not warnings. +mode these are errors, not warnings. .SH "ENVIRONMENT" The following environment variables are used only if \fBvisudo\fR was configured with the \fI--with-env-editor\fR option: .PP .Vb 2 -\& EDITOR Used by visudo as the editor to use -\& VISUAL Used by visudo if EDITOR is not set +\& EDITOR Invoked by visudo as the editor +\& VISUAL Invoked by visudo if EDITOR is not set .Ve .SH "FILES" .PP @@ -262,7 +265,7 @@ was configured with the \fI--with-env-editor\fR option: \& /etc/sudoers.tmp Lock file for visudo .Ve .SH "AUTHOR" -Many people have worked on \fIsudo\fR over the years, this version of +Many people have worked on \fIsudo\fR over the years. This version of \fBvisudo\fR was written by: .PP .Vb 1 |
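Review bot: The abbreviation punctuation is still inconsistent after this change. In usr.bin/sudo/sudo.8, hunk @@ -355,7 +358,7 @@, the new line reads "(e.g.: \fI/tmp\fR)" with a colon, and in usr.bin/sudo/sudoers.5, hunk @@ -454,7 +457,7 @@, the new line reads "I.e.: instead of myhost", while the other sudoers.5 hunks in this commit settle on "E.g.," with a comma. Suggest "(e.g., \fI/tmp\fR)" and "I.e., instead of myhost ..." so all three pages use one form.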
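Review bot: In usr.bin/sudo/sudoers.5, hunk @@ -262,10 +265,10 @@, the rewritten sentence still says alias definitions are "joined by a semicolon (':')", but the character shown, and the one used in the example line "Alias_Type NAME = item1, item2, item3 : NAME = item4, item5", is a colon. Since this line is already being touched for "Eg." -> "E.g.,", change "semicolon" to "colon" here. The unchanged line above it, "and the underscore characters ('_')", should also be singular "character", since only one character is named.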
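Review bot: In usr.bin/sudo/sudoers.5, hunk @@ -511,7 +514,7 @@, the comma splice is fixed for timestamp_timeout, but the passwd_timeout entry in the trailing context has the identical construction, "The default is 5, set this to 0 for no password timeout.", and is left as it was. Apply the same fix there ("The default is 5. Set this to 0 ..."). The timestamp_timeout text also still says sudo "will ask for a passwd again"; "password" would match the rest of the sentence.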
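Review bot: In usr.bin/sudo/sudoers.5, hunk @@ -657,7 +660,7 @@, the prose does not match the example it describes. The entry shown is "dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who", but the following sentence, including the line modified here, says the user may run "/bin/ls, /bin/kill, and /usr/bin/lprm". A reader copying from this section ends up with a different command list than the text claims is permitted, so one of the two should be changed to agree with the other. The example command "sudo -u operator /bin/ls." also carries a trailing period inside the verbatim block, which reads as part of the command.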
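Review bot: In usr.bin/sudo/visudo.8, hunk @@ -231,7 +234,7 @@, the context still reads "consists solely of upper case letters, digits, and the underscore", and the same wording recurs in the context of hunk @@ -246,14 +249,14 @@. The sudoers.5 part of this commit changes "upper case" to "uppercase" for the same alias-name rule, so the visudo.8 occurrences should follow for consistency across the pages.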
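Review bot: In usr.bin/sudo/visudo.8, hunk @@ -246,14 +249,14 @@, the new ENVIRONMENT descriptions "EDITOR Invoked by visudo as the editor" and "VISUAL Invoked by visudo if EDITOR is not set" read as though the variable itself is executed. What visudo invokes is the program the variable names, so something like "EDITOR Editor invoked by visudo" and "VISUAL Editor invoked by visudo if EDITOR is not set" would be more accurate, and it keeps clear that these values decide which program runs when visudo was configured with --with-env-editor.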