version 1.1.1.3, 2012/10/09 09:29:52
|
version 1.1.1.4, 2013/07/22 10:46:12
|
Line 1
|
Line 1
|
SUDOERS(4) Programmer's Manual SUDOERS(4) |
SUDOERS(4) Programmer's Manual SUDOERS(4) |
|
|
NNAAMMEE |
NNAAMMEE |
ssuuddooeerrss - default sudo security policy module | ssuuddooeerrss - default sudo security policy plugin |
|
|
DDEESSCCRRIIPPTTIIOONN |
DDEESSCCRRIIPPTTIIOONN |
The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is the | The _s_u_d_o_e_r_s policy plugin determines a user's ssuuddoo privileges. It is the |
default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s |
default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s |
file or, optionally in LDAP. The policy format is described in detail in |
file or, optionally in LDAP. The policy format is described in detail in |
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s |
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s |
policy information in LDAP, please see sudoers.ldap(4). |
policy information in LDAP, please see sudoers.ldap(4). |
|
|
|
CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss |
|
ssuuddoo consults the sudo.conf(4) file to determine which policy and and I/O |
|
logging plugins to load. If no sudo.conf(4) file is present, or if it |
|
contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and |
|
I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss |
|
plugin, the following configuration can be used. |
|
|
|
Plugin sudoers_policy sudoers.so |
|
Plugin sudoers_io sudoers.so |
|
|
|
Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to |
|
the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if |
|
present, should be listed after the path to the plugin (i.e. after |
|
_s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white |
|
space. For example: |
|
|
|
Plugin sudoers_policy sudoers.so sudoers_mode=0400 |
|
|
|
The following plugin arguments are supported: |
|
|
|
ldap_conf=pathname |
|
The _l_d_a_p___c_o_n_f argument can be used to override the default path |
|
to the _l_d_a_p_._c_o_n_f file. |
|
|
|
ldap_secret=pathname |
|
The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default |
|
path to the _l_d_a_p_._s_e_c_r_e_t file. |
|
|
|
sudoers_file=pathname |
|
The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default |
|
path to the _s_u_d_o_e_r_s file. |
|
|
|
sudoers_uid=uid |
|
The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default |
|
owner of the sudoers file. It should be specified as a numeric |
|
user ID. |
|
|
|
sudoers_gid=gid |
|
The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default |
|
group of the sudoers file. It must be specified as a numeric |
|
group ID (not a group name). |
|
|
|
sudoers_mode=mode |
|
The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default |
|
file mode for the sudoers file. It should be specified as an |
|
octal value. |
|
|
|
For more information on configuring sudo.conf(4), please refer to its |
|
manual. |
|
|
AAuutthheennttiiccaattiioonn aanndd llooggggiinngg |
AAuutthheennttiiccaattiioonn aanndd llooggggiinngg |
The _s_u_d_o_e_r_s security policy requires that most users authenticate |
The _s_u_d_o_e_r_s security policy requires that most users authenticate |
themselves before they can use ssuuddoo. A password is not required if the |
themselves before they can use ssuuddoo. A password is not required if the |
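Review bot: The first sentence of the new "Configuring sudo.conf for sudoers" text has a doubled word ("which policy and and I/O logging plugins to load"); drop one "and". In the argument list, sudoers_uid says the value "should be specified as a numeric user ID" while sudoers_gid says it "must be specified as a numeric group ID (not a group name)"; if names are rejected in both cases, use "must" in both entries. Because sudoers_uid, sudoers_gid and sudoers_mode change what the ownership and mode checks on the policy file expect, it would help to note that the example value sudoers_mode=0400 is stricter than the default mode of 0440 documented under LOG FORMAT.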
Line 186 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 236 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
'!'* %:#nonunix_gid | |
'!'* %:#nonunix_gid | |
'!'* User_Alias |
'!'* User_Alias |
|
|
A User_List is made up of one or more user names, user ids (prefixed with | A User_List is made up of one or more user names, user IDs (prefixed with |
`#'), system group names and ids (prefixed with `%' and `%#' | `#'), system group names and IDs (prefixed with `%' and `%#' |
respectively), netgroups (prefixed with `+'), non-Unix group names and |
respectively), netgroups (prefixed with `+'), non-Unix group names and |
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each |
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each |
list item may be prefixed with zero or more `!' operators. An odd number |
list item may be prefixed with zero or more `!' operators. An odd number |
Line 201 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 251 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
characters must be included inside the quotes. |
characters must be included inside the quotes. |
|
|
The actual nonunix_group and nonunix_gid syntax depends on the underlying |
The actual nonunix_group and nonunix_gid syntax depends on the underlying |
group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description below). For | group provider plugin. For instance, the QAS AD plugin supports the |
instance, the QAS AD plugin supports the following formats: | following formats: |
|
|
oo Group in the same domain: "%:Group Name" |
oo Group in the same domain: "%:Group Name" |
|
|
Line 210 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 260 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
|
|
oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" |
oo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567" |
|
|
|
See _G_R_O_U_P _P_R_O_V_I_D_E_R _P_L_U_G_I_N_S for more information. |
|
|
Note that quotes around group names are optional. Unquoted strings must |
Note that quotes around group names are optional. Unquoted strings must |
use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r |
use a backslash (`\') to escape spaces and special characters. See _O_t_h_e_r |
_s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need |
_s_p_e_c_i_a_l _c_h_a_r_a_c_t_e_r_s _a_n_d _r_e_s_e_r_v_e_d _w_o_r_d_s for a list of characters that need |
Line 260 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 312 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
``localhost'' will only match if that is the actual host name, which is |
``localhost'' will only match if that is the actual host name, which is |
usually only the case for non-networked systems. |
usually only the case for non-networked systems. |
|
|
|
digest ::= [A-Fa-f0-9]+ | |
|
[[A-Za-z0-9+/=]+ |
|
|
|
Digest_Spec ::= "sha224" ':' digest | |
|
"sha256" ':' digest | |
|
"sha384" ':' digest | |
|
"sha512" ':' digest |
|
|
Cmnd_List ::= Cmnd | |
Cmnd_List ::= Cmnd | |
Cmnd ',' Cmnd_List |
Cmnd ',' Cmnd_List |
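Review bot: The second alternative of the new digest production reads "[[A-Za-z0-9+/=]+", with a doubled opening bracket that leaves the character class unbalanced; it should read "[A-Za-z0-9+/=]+" to match the hex alternative above it. As written, the production also accepts '=' anywhere in the string, so consider noting that padding only appears at the end of a base64 digest.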
|
|
Line 267 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 327 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
file name args | |
file name args | |
file name '""' |
file name '""' |
|
|
Cmnd ::= '!'* command name | | Cmnd ::= Digest_Spec? '!'* command name | |
'!'* directory | |
'!'* directory | |
'!'* "sudoedit" | |
'!'* "sudoedit" | |
'!'* Cmnd_Alias |
'!'* Cmnd_Alias |
Line 287 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 347 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
the Cmnd must match exactly those given by the user on the command line |
the Cmnd must match exactly those given by the user on the command line |
(or match the wildcards if there are any). Note that the following |
(or match the wildcards if there are any). Note that the following |
characters must be escaped with a `\' if they are used in command |
characters must be escaped with a `\' if they are used in command |
arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used | arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used |
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may |
to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may |
take command line arguments just as a normal command does. | take command line arguments just as a normal command does. Note that |
| ``sudoedit'' is a command built into ssuuddoo itself and must be specified in |
| _s_u_d_o_e_r_s without a leading path. |
|
|
|
If a command name is prefixed with a Digest_Spec, the command will only |
|
match successfully if it can be verified using the specified SHA-2 |
|
digest. This may be useful in situations where the user invoking ssuuddoo |
|
has write access to the command or its parent directory. The following |
|
digest formats are supported: sha224, sha256, sha384 and sha512. The |
|
string may be specified in either hex or base64 format (base64 is more |
|
compact). There are several utilities capable of generating SHA-2 |
|
digests in hex format such as openssl, shasum, sha224sum, sha256sum, |
|
sha384sum, sha512sum. |
|
|
|
For example, using openssl: |
|
|
|
$ openssl dgst -sha224 /bin/ls |
|
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 |
|
|
|
It is also possible to use openssl to generate base64 output: |
|
|
|
$ openssl dgst -binary -sha224 /bin/ls | openssl base64 |
|
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== |
|
|
|
Command digests are only supported by version 1.8.7 or higher. |
|
|
DDeeffaauullttss |
DDeeffaauullttss |
Certain configuration options may be changed from their default values at |
Certain configuration options may be changed from their default values at |
run-time via one or more Default_Entry lines. These may affect all users |
run-time via one or more Default_Entry lines. These may affect all users |
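Review bot: The Digest_Spec paragraph recommends digests for the case where "the user invoking sudo has write access to the command or its parent directory", but it does not say whether the file that was hashed is guaranteed to be the file that is executed; please state what happens if the file is replaced between the digest check and execution, since that is exactly the situation the feature is aimed at. The openssl examples show how to produce a hex or base64 digest but no sudoers entry that uses one, so a short example line combining "sha224:" with the printed value and /bin/ls would make the new Cmnd syntax concrete. The Cmnd production also places Digest_Spec before '!'*, and the text should say what a negated entry carrying a digest matches.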
Line 469 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 553 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
it is overridden by the opposite tag (in other words, PASSWD overrides |
it is overridden by the opposite tag (in other words, PASSWD overrides |
NOPASSWD and NOEXEC overrides EXEC). |
NOPASSWD and NOEXEC overrides EXEC). |
|
|
_N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D | _N_O_P_A_S_S_W_D and _P_A_S_S_W_D |
|
|
By default, ssuuddoo requires that a user authenticate him or herself before | By default, ssuuddoo requires that a user authenticate him or herself |
running a command. This behavior can be modified via the NOPASSWD tag. | before running a command. This behavior can be modified via the |
Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that | NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for |
follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used | the commands that follow it in the Cmnd_Spec_List. Conversely, the |
to reverse things. For example: | PASSWD tag can be used to reverse things. For example: |
|
|
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm | ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm |
|
|
would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m as | would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m |
rroooott on the machine rushmore without authenticating himself. If we only | as rroooott on the machine rushmore without authenticating himself. If we |
want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry would | only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry |
be: | would be: |
|
|
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm | ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm |
|
|
Note, however, that the PASSWD tag has no effect on users who are in the | Note, however, that the PASSWD tag has no effect on users who are in |
group specified by the _e_x_e_m_p_t___g_r_o_u_p option. | the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. |
|
|
By default, if the NOPASSWD tag is applied to any of the entries for a | By default, if the NOPASSWD tag is applied to any of the entries for a |
user on the current host, he or she will be able to run ``sudo -l'' | user on the current host, he or she will be able to run ``sudo -l'' |
without a password. Additionally, a user may only run ``sudo -v'' | without a password. Additionally, a user may only run ``sudo -v'' |
without a password if the NOPASSWD tag is present for all a user's | without a password if the NOPASSWD tag is present for all a user's |
entries that pertain to the current host. This behavior may be | entries that pertain to the current host. This behavior may be |
overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. | overridden via the _v_e_r_i_f_y_p_w and _l_i_s_t_p_w options. |
|
|
_N_O_E_X_E_C _a_n_d _E_X_E_C | _N_O_E_X_E_C and _E_X_E_C |
|
|
If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying | If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying |
operating system supports it, the NOEXEC tag can be used to prevent a | operating system supports it, the NOEXEC tag can be used to prevent a |
dynamically-linked executable from running further commands itself. | dynamically-linked executable from running further commands itself. |
|
|
In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and | In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and |
_/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. | _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. |
|
|
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi | aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi |
|
|
See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how | See the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section below for more details on how |
NOEXEC works and whether or not it will work on your system. | NOEXEC works and whether or not it will work on your system. |
|
|
_S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V | _S_E_T_E_N_V and _N_O_S_E_T_E_N_V |
|
|
These tags override the value of the _s_e_t_e_n_v option on a per-command | These tags override the value of the _s_e_t_e_n_v option on a per-command |
basis. Note that if SETENV has been set for a command, the user may | basis. Note that if SETENV has been set for a command, the user may |
disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. | disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. |
Additionally, environment variables set on the command line are not | Additionally, environment variables set on the command line are not |
subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or | subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or |
_e_n_v___k_e_e_p. As such, only trusted users should be allowed to set variables | _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set |
in this manner. If the command matched is AALLLL, the SETENV tag is implied | variables in this manner. If the command matched is AALLLL, the SETENV |
for that command; this default may be overridden by use of the NOSETENV | tag is implied for that command; this default may be overridden by use |
tag. | of the NOSETENV tag. |
|
|
_L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T | _L_O_G___I_N_P_U_T and _N_O_L_O_G___I_N_P_U_T |
|
|
These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command | These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command |
basis. For more information, see the description of _l_o_g___i_n_p_u_t in the | basis. For more information, see the description of _l_o_g___i_n_p_u_t in the |
_S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. | _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. |
|
|
_L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T | _L_O_G___O_U_T_P_U_T and _N_O_L_O_G___O_U_T_P_U_T |
|
|
These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command | These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command |
basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the | basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the |
_S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. | _S_U_D_O_E_R_S _O_P_T_I_O_N_S section below. |
|
|
WWiillddccaarrddss |
WWiillddccaarrddss |
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be |
ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be |
used in host names, path names and command line arguments in the _s_u_d_o_e_r_s |
used in host names, path names and command line arguments in the _s_u_d_o_e_r_s |
file. Wildcard matching is done via the PPOOSSIIXX glob(3) and fnmatch(3) | file. Wildcard matching is done via the glob(3) and fnmatch(3) functions |
routines. Note that these are _n_o_t regular expressions. | as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are _n_o_t |
| regular expressions. |
|
|
* Matches any set of zero or more characters. |
* Matches any set of zero or more characters. |
|
|
Line 551 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 636 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
\x For any character `x', evaluates to `x'. This is used to |
\x For any character `x', evaluates to `x'. This is used to |
escape special characters such as: `*', `?', `[', and `]'. |
escape special characters such as: `*', `?', `[', and `]'. |
|
|
POSIX character classes may also be used if your system's glob(3) and | Character classes may also be used if your system's glob(3) and |
fnmatch(3) functions support them. However, because the `:' character |
fnmatch(3) functions support them. However, because the `:' character |
has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: |
has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: |
|
|
Line 668 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
Line 753 SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
|
since in a command context, it allows the user to run aannyy command on the |
since in a command context, it allows the user to run aannyy command on the |
system. |
system. |
|
|
An exclamation point (`!') can be used as a logical _n_o_t operator both in | An exclamation point (`!') can be used as a logical _n_o_t operator in a |
an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain | list or _a_l_i_a_s as well as in front of a Cmnd. This allows one to exclude |
values. Note, however, that using a `!' in conjunction with the built-in | certain values. For the `!' operator to be effective, there must be |
AALLLL alias to allow a user to run ``all but a few'' commands rarely works | something for it to exclude. For example, to match all users except for |
as intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). | root one would use: |
|
|
|
ALL,!root |
|
|
|
If the AALLLL, is omitted, as in: |
|
|
|
!root |
|
|
|
it would explicitly deny root but not match any other users. This is |
|
different from a true ``negation'' operator. |
|
|
|
Note, however, that using a `!' in conjunction with the built-in AALLLL |
|
alias to allow a user to run ``all but a few'' commands rarely works as |
|
intended (see _S_E_C_U_R_I_T_Y _N_O_T_E_S below). |
|
|
Long lines can be continued with a backslash (`\') as the last character |
Long lines can be continued with a backslash (`\') as the last character |
on the line. |
on the line. |
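Review bot: In the new '!' paragraph, "it would explicitly deny root but not match any other users" is easy to misread as denying everyone; say directly that an entry whose list is only "!root" grants nothing to any user, because other users are simply not matched by it. "If the ALL, is omitted" also reads awkwardly with the bare comma inside the sentence; quoting it as ``ALL,'' would help.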
|
|
Line 718 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 816 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
This flag is _o_n by default when ssuuddoo is compiled with |
This flag is _o_n by default when ssuuddoo is compiled with |
zzlliibb support. |
zzlliibb support. |
|
|
|
exec_background By default, ssuuddoo runs a command as the foreground |
|
process as long as ssuuddoo itself is running in the |
|
foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled |
|
and the command is being run in a pty (due to I/O |
|
logging or the _u_s_e___p_t_y flag), the command will be run |
|
as a background process. Attempts to read from the |
|
controlling terminal (or to change terminal settings) |
|
will result in the command being suspended with the |
|
SIGTTIN signal (or SIGTTOU in the case of terminal |
|
settings). If this happens when ssuuddoo is a foreground |
|
process, the command will be granted the controlling |
|
terminal and resumed in the foreground with no user |
|
intervention required. The advantage of initially |
|
running the command in the background is that ssuuddoo need |
|
not read from the terminal unless the command |
|
explicitly requests it. Otherwise, any terminal input |
|
must be passed to the command, whether it has required |
|
it or not (the kernel buffers terminals so it is not |
|
possible to tell whether the command really wants the |
|
input). This is different from historic _s_u_d_o behavior |
|
or when the command is not being run in a pty. |
|
|
|
For this to work seamlessly, the operating system must |
|
support the automatic restarting of system calls. |
|
Unfortunately, not all operating systems do this by |
|
default, and even those that do may have bugs. For |
|
example, Mac OS X fails to restart the ttccggeettaattttrr() and |
|
ttccsseettaattttrr() system calls (this is a bug in Mac OS X). |
|
Furthermore, because this behavior depends on the |
|
command stopping with the SIGTTIN or SIGTTOU signals, |
|
programs that catch these signals and suspend |
|
themselves with a different signal (usually SIGTOP) |
|
will not be automatically foregrounded. Some versions |
|
of the linux su(1) command behave this way. |
|
|
|
This setting is only supported by version 1.8.7 or |
|
higher. It has no effect unless I/O logging is enabled |
|
or the _u_s_e___p_t_y flag is enabled. |
|
|
env_editor If set, vviissuuddoo will use the value of the EDITOR or |
env_editor If set, vviissuuddoo will use the value of the EDITOR or |
VISUAL environment variables before falling back on the |
VISUAL environment variables before falling back on the |
default editor list. Note that this may create a |
default editor list. Note that this may create a |
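Review bot: In the exec_background entry, "suspend themselves with a different signal (usually SIGTOP)" names a signal that does not exist; this should be SIGSTOP. In the same entry, "whether it has required it or not" would read better as "requested", matching "unless the command explicitly requests it" in the preceding sentence.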
Line 906 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1043 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end |
well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end |
of this manual. This flag is _o_f_f by default. |
of this manual. This flag is _o_f_f by default. |
|
|
|
pam_session On systems that use PAM for authentication, ssuuddoo will |
|
create a new PAM session for the command to be run in. |
|
Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM |
|
implementations or on operating systems where opening a |
|
PAM session changes the utmp or wtmp files. If PAM |
|
session support is disabled, resource limits may not be |
|
updated for the command being run. This flag is _o_n by |
|
default. |
|
|
|
This setting is only supported by version 1.8.7 or |
|
higher. |
|
|
|
passprompt_override |
|
The password prompt specified by _p_a_s_s_p_r_o_m_p_t will |
|
normally only be used if the password prompt provided |
|
by systems such as PAM matches the string |
|
``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, |
|
_p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by |
|
default. |
|
|
path_info Normally, ssuuddoo will tell the user when a command could |
path_info Normally, ssuuddoo will tell the user when a command could |
not be found in their PATH environment variable. Some |
not be found in their PATH environment variable. Some |
sites may wish to disable this as it could be used to |
sites may wish to disable this as it could be used to |
Line 916 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1073 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
not allowed to run it, which can be confusing. This |
not allowed to run it, which can be confusing. This |
flag is _o_n by default. |
flag is _o_n by default. |
|
|
passprompt_override |
|
The password prompt specified by _p_a_s_s_p_r_o_m_p_t will |
|
normally only be used if the password prompt provided |
|
by systems such as PAM matches the string |
|
``Password:''. If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, |
|
_p_a_s_s_p_r_o_m_p_t will always be used. This flag is _o_f_f by |
|
default. |
|
|
|
preserve_groups By default, ssuuddoo will initialize the group vector to |
preserve_groups By default, ssuuddoo will initialize the group vector to |
the list of groups the target user is in. When |
the list of groups the target user is in. When |
_p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group |
_p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group |
Line 1189 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1338 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
unique combination of digits and letters, similar to |
unique combination of digits and letters, similar to |
the mktemp(3) function. |
the mktemp(3) function. |
|
|
|
If the path created by concatenating _i_o_l_o_g___d_i_r and |
|
_i_o_l_o_g___f_i_l_e already exists, the existing I/O log file |
|
will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e |
|
ends in six or more Xs. |
|
|
limitprivs The default Solaris limit privileges to use when |
limitprivs The default Solaris limit privileges to use when |
constructing a new privilege set for a command. This |
constructing a new privilege set for a command. This |
bounds all privileges of the executing process. The |
bounds all privileges of the executing process. The |
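Review bot: The added iolog_file sentence says an existing I/O log "will be truncated and overwritten unless iolog_file ends in six or more Xs", which means a fixed iolog_file name silently discards the previous session's record; sites that treat I/O logs as an audit trail need this called out as a caveat rather than left as a trailing remark. Suggest adding a sentence that points readers to a name ending in XXXXXX when earlier logs must be kept.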
Line 1200 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1354 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
escape %h will expand to the host name of the machine. |
escape %h will expand to the host name of the machine. |
Default is ``*** SECURITY information for %h ***''. |
Default is ``*** SECURITY information for %h ***''. |
|
|
noexec_file This option is no longer supported. The path to the | maxseq The maximum sequence number that will be substituted |
noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f | for the ``%{seq}'' escape in the I/O log file (see the |
file. | _i_o_l_o_g___d_i_r description above for more information). |
| While the value substituted for ``%{seq}'' is in base |
| 36, _m_a_x_s_e_q itself should be expressed in decimal. |
| Values larger than 2176782336 (which corresponds to the |
| base 36 sequence number ``ZZZZZZ'') will be silently |
| truncated to 2176782336. The default value is |
| 2176782336. |
|
|
|
Once the local sequence number reaches the value of |
|
_m_a_x_s_e_q, it will ``roll over'' to zero, after which |
|
ssuuddooeerrss will truncate and re-use any existing I/O log |
|
pathnames. |
|
|
|
This setting is only supported by version 1.8.7 or |
|
higher. |
|
|
|
noexec_file As of ssuuddoo version 1.8.1 this option is no longer |
|
supported. The path to the noexec file should now be |
|
set in the sudo.conf(4) file. |
|
|
passprompt The default prompt to use when asking for a password; |
passprompt The default prompt to use when asking for a password; |
can be overridden via the --pp option or the SUDO_PROMPT |
can be overridden via the --pp option or the SUDO_PROMPT |
environment variable. The following percent (`%') |
environment variable. The following percent (`%') |
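Review bot: The maxseq entry says 2176782336 "corresponds to the base 36 sequence number ``ZZZZZZ''", but 2176782336 is 36^6, while ZZZZZZ in base 36 is 36^6 - 1 = 2176782335; either the number or the wording is off by one, and the text should say whether the sequence rolls over on reaching maxseq or only after exceeding it. "Silently truncated" for an oversized value is also easy to confuse with the log truncation described in the next paragraph; "reduced to" or "capped at" would be clearer. The roll-over paragraph should state plainly that older session logs are lost once pathnames are re-used.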
Line 1295 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1467 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
a % prefix. This is not set by default. |
a % prefix. This is not set by default. |
|
|
group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional |
group_plugin A string containing a _s_u_d_o_e_r_s group plugin with optional |
arguments. This can be used to implement support for the | arguments. The string should consist of the plugin path, |
nonunix_group syntax described earlier. The string should | either fully-qualified or relative to the |
consist of the plugin path, either fully-qualified or | _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o directory, followed by any |
relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory, followed by | configuration arguments the plugin requires. These |
any configuration arguments the plugin requires. These | |
arguments (if any) will be passed to the plugin's |
arguments (if any) will be passed to the plugin's |
initialization function. If arguments are present, the |
initialization function. If arguments are present, the |
string must be enclosed in double quotes (""). |
string must be enclosed in double quotes (""). |
|
|
For example, given _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p, a group file in Unix | For more information see GROUP PROVIDER PLUGINS. |
group format, the sample group plugin can be used: | |
|
|
Defaults group_plugin="sample_group.so /etc/sudo-group" |
|
|
|
For more information see sudo_plugin(4). |
|
|
|
lecture This option controls when a short lecture will be printed |
lecture This option controls when a short lecture will be printed |
along with the password prompt. It has the following |
along with the password prompt. It has the following |
possible values: |
possible values: |
Line 1446 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
Line 1612 SSUUDDOOEERRSS OOPPTTIIOONNSS
|
variables to keep is displayed when ssuuddoo is run by root |
variables to keep is displayed when ssuuddoo is run by root |
with the --VV option. |
with the --VV option. |
|
|
|
GGRROOUUPP PPRROOVVIIDDEERR PPLLUUGGIINNSS |
|
The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix |
|
group lookups which can query a group source other than the standard Unix |
|
group database. This can be used to implement support for the |
|
nonunix_group syntax described earlier. |
|
|
|
Group provider plugins are specified via the _g_r_o_u_p___p_l_u_g_i_n Defaults |
|
setting. The argument to _g_r_o_u_p___p_l_u_g_i_n should consist of the plugin path, |
|
either fully-qualified or relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o |
|
directory, followed by any configuration options the plugin requires. |
|
These options (if specified) will be passed to the plugin's |
|
initialization function. If options are present, the string must be |
|
enclosed in double quotes (""). |
|
|
|
The following group provider plugins are installed by default: |
|
|
|
group_file |
|
The _g_r_o_u_p___f_i_l_e plugin supports an alternate group file that |
|
uses the same syntax as the _/_e_t_c_/_g_r_o_u_p file. The path to the |
|
group file should be specified as an option to the plugin. For |
|
example, if the group file to be used is _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p: |
|
|
|
Defaults group_plugin="group_file.so /etc/sudo-group" |
|
|
|
system_group |
|
The _s_y_s_t_e_m___g_r_o_u_p plugin supports group lookups via the standard |
|
C library functions ggeettggrrnnaamm() and ggeettggrriidd(). This plugin can |
|
be used in instances where the user belongs to groups not |
|
present in the user's supplemental group vector. This plugin |
|
takes no options: |
|
|
|
Defaults group_plugin=system_group.so |
|
|
|
The group provider plugin API is described in detail in sudo_plugin(1m). |
|
|
LLOOGG FFOORRMMAATT |
LLOOGG FFOORRMMAATT |
ssuuddooeerrss can log events using either syslog(3) or a simple log file. In |
ssuuddooeerrss can log events using either syslog(3) or a simple log file. In |
each case the log format is almost identical. |
each case the log format is almost identical. |
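Review bot: In the system_group entry, "getgrnam() and getgrid()" names a function that does not exist in the C library; the second should be getgrgid(). The closing reference cites sudo_plugin(1m) while the rest of the page uses section 4 (sudo.conf(4), sudoers.ldap(4)) and the text this replaces cited sudo_plugin(4); use one section number. The new section also repeats the plugin-path sentence from the group_plugin entry nearly word for word, once with "arguments" and once with "options"; pick one term.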
Line 1547 LLOOGG FFOORRMMAATT
|
Line 1748 LLOOGG FFOORRMMAATT
|
when the _s_u_d_o_e_r_s file is located on a remote file system that maps |
when the _s_u_d_o_e_r_s file is located on a remote file system that maps |
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open |
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open |
_s_u_d_o_e_r_s using group permissions to avoid this problem. Consider |
_s_u_d_o_e_r_s using group permissions to avoid this problem. Consider |
changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like | either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument |
``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s | like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s |
file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. | file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file. |
|
|
unable to stat /etc/sudoers |
unable to stat /etc/sudoers |
The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. |
The _/_e_t_c_/_s_u_d_o_e_r_s file is missing. |
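Review bot: the reworded sentence on the right tells the reader to add sudoers_uid=N "to the end of the sudoers Plugin line", but it does not say which Plugin line is meant when both a policy and an I/O logging line load sudoers.so. Name the line explicitly (for example "the sudoers_policy Plugin line") so the argument is not added to the wrong entry. The "either ... or" rewrite itself is a clear improvement over the old wording, which read as if adding the option changed the file's ownership.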
Line 1561 LLOOGG FFOORRMMAATT
|
Line 1762 LLOOGG FFOORRMMAATT
|
/etc/sudoers is owned by uid N, should be 0 |
/etc/sudoers is owned by uid N, should be 0 |
The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the |
The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the |
_s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the |
_s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the |
user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the | user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the |
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. | sudo.conf(4) file. |
|
|
/etc/sudoers is world writable |
/etc/sudoers is world writable |
The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. |
The permissions on the _s_u_d_o_e_r_s file allow all users to write to it. |
The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is |
The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is |
0440 (readable by owner and group, writable by none). The default |
0440 (readable by owner and group, writable by none). The default |
mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss |
mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss |
plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. | Plugin line in the sudo.conf(4) file. |
|
|
/etc/sudoers is owned by gid N, should be 1 |
/etc/sudoers is owned by gid N, should be 1 |
The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change |
The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change |
the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where |
the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where |
`N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin | `N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin |
line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file. | line in the sudo.conf(4) file. |
|
|
unable to open /var/adm/sudo/username/ttyname |
unable to open /var/adm/sudo/username/ttyname |
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file. |
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file. |
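Review bot: in the world-writable entry the right-hand text still calls sudoers_mode an "option to the sudoers Plugin line", while the reworded remote-file-system paragraph in this same change calls sudoers_uid=N an "argument". Pick one term for all four diagnostics. The uid and gid entries also spell out the syntax as sudoers_uid=N and sudoers_gid=N, whereas the mode entry gives only the bare name; writing it as sudoers_mode=N, with a reminder that the value is octal, would make the three entries parallel.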
Line 1615 LLOOGG FFOORRMMAATT
|
Line 1816 LLOOGG FFOORRMMAATT
|
_l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap |
_l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap |
will be disabled. |
will be disabled. |
|
|
SSUUDDOO..CCOONNFF |
|
The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end will |
|
load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no Plugin |
|
lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O logging, which |
|
corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. |
|
|
|
# |
|
# Default /etc/sudo.conf file |
|
# |
|
# Format: |
|
# Plugin plugin_name plugin_path plugin_options ... |
|
# Path askpass /path/to/askpass |
|
# Path noexec /path/to/sudo_noexec.so |
|
# Debug sudo /var/log/sudo_debug all@warn |
|
# Set disable_coredump true |
|
# |
|
# The plugin_path is relative to /usr/local/libexec unless |
|
# fully qualified. |
|
# The plugin_name corresponds to a global symbol in the plugin |
|
# that contains the plugin interface structure. |
|
# The plugin_options are optional. |
|
# |
|
Plugin policy_plugin sudoers.so |
|
Plugin io_plugin sudoers.so |
|
|
|
PPlluuggiinn ooppttiioonnss |
|
Starting with ssuuddoo 1.8.5, it is possible to pass options to the _s_u_d_o_e_r_s |
|
plugin. Options may be listed after the path to the plugin (i.e. after |
|
_s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example: |
|
|
|
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 |
|
|
|
The following plugin options are supported: |
|
|
|
sudoers_file=pathname |
|
The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default |
|
path to the _s_u_d_o_e_r_s file. |
|
|
|
sudoers_uid=uid |
|
The _s_u_d_o_e_r_s___u_i_d option can be used to override the default |
|
owner of the sudoers file. It should be specified as a numeric |
|
user ID. |
|
|
|
sudoers_gid=gid |
|
The _s_u_d_o_e_r_s___g_i_d option can be used to override the default |
|
group of the sudoers file. It should be specified as a numeric |
|
group ID. |
|
|
|
sudoers_mode=mode |
|
The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default |
|
file mode for the sudoers file. It should be specified as an |
|
octal value. |
|
|
|
DDeebbuugg ffllaaggss |
|
Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging |
|
framework that can help track down what the plugin is doing internally if |
|
there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as |
|
described in sudo(1m). |
|
|
|
The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end: |
|
_s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. |
|
|
|
The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are: |
|
_c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, |
|
when specified, also includes all priorities higher than it. For |
|
example, a priority of _n_o_t_i_c_e would include debug messages logged at |
|
_n_o_t_i_c_e and higher. |
|
|
|
The following subsystems are used by _s_u_d_o_e_r_s: |
|
|
|
_a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing |
|
|
|
_a_l_l matches every subsystem |
|
|
|
_a_u_d_i_t BSM and Linux audit code |
|
|
|
_a_u_t_h user authentication |
|
|
|
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings |
|
|
|
_e_n_v environment handling |
|
|
|
_l_d_a_p LDAP-based sudoers |
|
|
|
_l_o_g_g_i_n_g logging support |
|
|
|
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s |
|
|
|
_n_e_t_i_f network interface handling |
|
|
|
_n_s_s network service switch handling in _s_u_d_o_e_r_s |
|
|
|
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing |
|
|
|
_p_e_r_m_s permission setting |
|
|
|
_p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. |
|
|
|
_p_t_y pseudo-tty related code |
|
|
|
_r_b_t_r_e_e redblack tree internals |
|
|
|
_u_t_i_l utility functions |
|
|
|
FFIILLEESS |
FFIILLEESS |
_/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration |
_/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration |
|
|
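Review bot: the "Plugin options" list dropped in this hunk is the only text here that states the value formats, namely that sudoers_uid and sudoers_gid take a numeric ID and sudoers_mode takes an octal value. The diagnostics changed elsewhere in this diff still instruct the reader to add sudoers_uid=N, sudoers_gid=N and sudoers_mode, so check that the replacement text carries all four arguments (including sudoers_file) with those format notes. Also note that the removed sample file used the symbol names policy_plugin and io_plugin while the removed one-line example used sudoers_policy; the replacement should use a single set of names throughout.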
Line 1768 EEXXAAMMPPLLEESS
|
Line 1865 EEXXAAMMPPLLEESS
|
|
|
# Cmnd alias specification |
# Cmnd alias specification |
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ |
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ |
/usr/sbin/restore, /usr/sbin/rrestore | /usr/sbin/restore, /usr/sbin/rrestore,\ |
| sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ |
| /home/operator/bin/start_backups |
Cmnd_Alias KILL = /usr/bin/kill |
Cmnd_Alias KILL = /usr/bin/kill |
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm |
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm |
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown |
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown |
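Review bot: in the new DUMPS entry the sha224 digest and the path it qualifies, /home/operator/bin/start_backups, sit on separate continuation lines, so a reader scanning the comma-separated list can take the digest for an entry of its own. Keep the digest and its command on one line, or add a comment above the pair saying that the digest applies to the command that follows it. The continuation style is also inconsistent: the preceding line ends in ",\" and the digest line in " \".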
Line 1838 EEXXAAMMPPLLEESS
|
Line 1937 EEXXAAMMPPLLEESS
|
The ooppeerraattoorr user may run commands limited to simple maintenance. Here, |
The ooppeerraattoorr user may run commands limited to simple maintenance. Here, |
those are commands related to backups, killing processes, the printing |
those are commands related to backups, killing processes, the printing |
system, shutting down the system, and any commands in the directory |
system, shutting down the system, and any commands in the directory |
_/_u_s_r_/_o_p_e_r_/_b_i_n_/. | _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a |
| sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the |
| directory containing the script is writable by the operator user. If the |
| script is modified (resulting in a digest mismatch) it will no longer be |
| possible to run it via ssuuddoo. |
|
|
joe ALL = /usr/bin/su operator |
joe ALL = /usr/bin/su operator |
|
|
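Review bot: the added sentence "one command in the DUMPS Cmnd_Alias includes a sha224 digest, /home/operator/bin/start_backups" reads as though the path were the digest. Suggest "one command in the DUMPS Cmnd_Alias, /home/operator/bin/start_backups, is qualified with a sha224 digest". The closing sentence states the guarantee only for a modified script; since the paragraph itself says the directory is writable by the operator user, it is worth stating whether replacing the file between the digest check and execution is also covered.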
Line 2047 SSEECCUURRIITTYY NNOOTTEESS
|
Line 2150 SSEECCUURRIITTYY NNOOTTEESS
|
stamp file is stale and will ignore it. Administrators should not rely |
stamp file is stale and will ignore it. Administrators should not rely |
on this feature as it is not universally available. |
on this feature as it is not universally available. |
|
|
|
DDEEBBUUGGGGIINNGG |
|
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible |
|
debugging framework that can help track down what the plugin is doing |
|
internally if there is a problem. This can be configured in the |
|
sudo.conf(4) file. |
|
|
|
The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end: |
|
_s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. |
|
|
|
The priorities used by ssuuddooeerrss, in order of decreasing severity, are: |
|
_c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, |
|
when specified, also includes all priorities higher than it. For |
|
example, a priority of _n_o_t_i_c_e would include debug messages logged at |
|
_n_o_t_i_c_e and higher. |
|
|
|
The following subsystems are used by the ssuuddooeerrss plugin: |
|
|
|
_a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing |
|
|
|
_a_l_l matches every subsystem |
|
|
|
_a_u_d_i_t BSM and Linux audit code |
|
|
|
_a_u_t_h user authentication |
|
|
|
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings |
|
|
|
_e_n_v environment handling |
|
|
|
_l_d_a_p LDAP-based sudoers |
|
|
|
_l_o_g_g_i_n_g logging support |
|
|
|
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s |
|
|
|
_n_e_t_i_f network interface handling |
|
|
|
_n_s_s network service switch handling in _s_u_d_o_e_r_s |
|
|
|
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing |
|
|
|
_p_e_r_m_s permission setting |
|
|
|
_p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. |
|
|
|
_p_t_y pseudo-tty related code |
|
|
|
_r_b_t_r_e_e redblack tree internals |
|
|
|
_u_t_i_l utility functions |
|
For example: |
|
|
|
Debug sudo /var/log/sudo_debug match@info,nss@info |
|
|
|
For more information, see the sudo.conf(4) manual. |
|
|
SSEEEE AALLSSOO |
SSEEEE AALLSSOO |
ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), | ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4), |
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) |
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) |
|
|
CCAAVVEEAATTSS |
CCAAVVEEAATTSS |
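Review bot: the example at the end of the new DEBUGGING section, "Debug sudo /var/log/sudo_debug match@info,nss@info", names sudo as the program even though the section is about debugging the sudoers plugin, and the section only explains the subsystem@priority part of the line. Add a sentence before the example saying that the plugin's subsystems are enabled through the sudo front end's Debug line and what the second field is, so readers do not try "Debug sudoers ...". A blank line between the subsystem list and "For example:" would also keep the example from reading as part of the util entry.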
Line 2078 DDIISSCCLLAAIIMMEERR
|
Line 2237 DDIISSCCLLAAIIMMEERR
|
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for |
complete details. |
complete details. |
|
|
Sudo 1.8.6 July 16, 2012 Sudo 1.8.6 | Sudo 1.8.7 April 30, 2013 Sudo 1.8.7 |