Annotation of embedaddon/sudo/doc/sudoers.ldap.man.in, revision 1.1.1.5
1.1.1.3 misho 1: .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
2: .\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
3: .\"
1.1.1.4 misho 4: .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com>
1.1.1.3 misho 5: .\"
1.1 misho 6: .\" Permission to use, copy, modify, and distribute this software for any
7: .\" purpose with or without fee is hereby granted, provided that the above
8: .\" copyright notice and this permission notice appear in all copies.
1.1.1.3 misho 9: .\"
1.1 misho 10: .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11: .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12: .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13: .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14: .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15: .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16: .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17: .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18: .\"
1.1.1.5 ! misho 19: .TH "SUDOERS.LDAP" "8" "August 30, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
1.1 misho 20: .nh
1.1.1.3 misho 21: .if n .ad l
1.1 misho 22: .SH "NAME"
1.1.1.3 misho 23: \fBsudoers.ldap\fR
24: \- sudo LDAP configuration
1.1 misho 25: .SH "DESCRIPTION"
1.1.1.3 misho 26: In addition to the standard
27: \fIsudoers\fR
28: file,
29: \fBsudo\fR
30: may be configured
31: via LDAP.
32: This can be especially useful for synchronizing
33: \fIsudoers\fR
1.1 misho 34: in a large, distributed environment.
35: .PP
1.1.1.3 misho 36: Using LDAP for
37: \fIsudoers\fR
38: has several benefits:
39: .TP 4n
40: \fBo\fR
41: \fBsudo\fR
42: no longer needs to read
43: \fIsudoers\fR
44: in its entirety.
45: When LDAP is used, there are only two or three LDAP queries per invocation.
46: This makes it especially fast and particularly usable in LDAP environments.
47: .TP 4n
48: \fBo\fR
49: \fBsudo\fR
50: no longer exits if there is a typo in
51: \fIsudoers\fR.
52: It is not possible to load LDAP data into the server that does
1.1 misho 53: not conform to the sudoers schema, so proper syntax is guaranteed.
54: It is still possible to have typos in a user or host name, but
1.1.1.3 misho 55: this will not prevent
56: \fBsudo\fR
57: from running.
58: .TP 4n
59: \fBo\fR
1.1 misho 60: It is possible to specify per-entry options that override the global
1.1.1.3 misho 61: default options.
62: \fI@sysconfdir@/sudoers\fR
63: only supports default options and limited options associated with
64: user/host/commands/aliases.
65: The syntax is complicated and can be difficult for users to understand.
1.1 misho 66: Placing the options directly in the entry is more natural.
1.1.1.3 misho 67: .TP 4n
68: \fBo\fR
69: The
70: \fBvisudo\fR
71: program is no longer needed.
72: \fBvisudo\fR
73: provides locking and syntax checking of the
74: \fI@sysconfdir@/sudoers\fR
75: file.
76: Since LDAP updates are atomic, locking is no longer necessary.
77: Because syntax is checked when the data is inserted into LDAP, there
1.1 misho 78: is no need for a specialized tool to check syntax.
79: .PP
1.1.1.3 misho 80: Another major difference between LDAP and file-based
81: \fIsudoers\fR
82: is that in LDAP,
83: \fBsudo\fR-specific
84: Aliases are not supported.
85: .PP
86: For the most part, there is really no need for
87: \fBsudo\fR-specific
88: Aliases.
1.1.1.4 misho 89: Unix groups, non-Unix groups (via the
90: \fIgroup_plugin\fR)
91: or user netgroups can be used in place of User_Aliases and Runas_Aliases.
1.1.1.3 misho 92: Host netgroups can be used in place of Host_Aliases.
1.1.1.4 misho 93: Since groups and netgroups can also be stored in LDAP there is no real need for
1.1.1.3 misho 94: \fBsudo\fR-specific
95: aliases.
1.1 misho 96: .PP
97: Cmnd_Aliases are not really required either since it is possible
1.1.1.3 misho 98: to have multiple users listed in a
99: \fRsudoRole\fR.
100: Instead of defining a Cmnd_Alias that is referenced by multiple users,
101: one can create a
102: \fRsudoRole\fR
103: that contains the commands and assign multiple users to it.
104: .SS "SUDOers LDAP container"
105: The
106: \fIsudoers\fR
107: configuration is contained in the
108: \fRou=SUDOers\fR
109: LDAP container.
110: .PP
111: Sudo first looks for the
112: \fRcn=defaults\fR
113: entry in the SUDOers container.
114: If found, the multi-valued
115: \fRsudoOption\fR
116: attribute is parsed in the same manner as a global
117: \fRDefaults\fR
118: line in
119: \fI@sysconfdir@/sudoers\fR.
120: In the following example, the
121: \fRSSH_AUTH_SOCK\fR
122: variable will be preserved in the environment for all users.
123: .nf
124: .sp
125: .RS 4n
126: dn: cn=defaults,ou=SUDOers,dc=example,dc=com
127: objectClass: top
128: objectClass: sudoRole
129: cn: defaults
130: description: Default sudoOption's go here
131: sudoOption: env_keep+=SSH_AUTH_SOCK
132: .RE
133: .fi
134: .PP
135: The equivalent of a sudoer in LDAP is a
136: \fRsudoRole\fR.
137: It consists of the following attributes:
138: .TP 6n
139: \fBsudoUser\fR
140: A user name, user ID (prefixed with
141: `#'),
1.1.1.4 misho 142: Unix group name or ID (prefixed with
143: `%'
144: or
145: `%#'
146: respectively), user netgroup (prefixed with
147: `+'),
148: or non-Unix group name or ID (prefixed with
149: `%:'
150: or
151: `%:#'
152: respectively).
153: Non-Unix group support is only available when an appropriate
154: \fIgroup_plugin\fR
155: is defined in the global
156: \fIdefaults\fR
157: \fRsudoRole\fR
158: object.
1.1.1.3 misho 159: .TP 6n
160: \fBsudoHost\fR
161: A host name, IP address, IP network, or host netgroup (prefixed with a
162: `+').
163: The special value
164: \fRALL\fR
165: will match any host.
166: .TP 6n
167: \fBsudoCommand\fR
1.1.1.4 misho 168: A fully-qualified Unix command name with optional command line arguments,
169: potentially including globbing characters (aka wild cards).
170: If a command name is preceded by an exclamation point,
171: `\&!',
172: the user will be prohibited from running that command.
173: .sp
174: The built-in command
175: ``\fRsudoedit\fR''
176: is used to permit a user to run
177: \fBsudo\fR
178: with the
179: \fB\-e\fR
180: option (or as
181: \fBsudoedit\fR).
182: It may take command line arguments just as a normal command does.
183: Note that
184: ``\fRsudoedit\fR''
185: is a command built into
186: \fBsudo\fR
187: itself and must be specified without a leading path.
188: .sp
1.1.1.3 misho 189: The special value
190: \fRALL\fR
191: will match any command.
1.1.1.4 misho 192: .sp
193: If a command name is prefixed with a SHA-2 digest, it will
194: only be allowed if the digest matches.
195: This may be useful in situations where the user invoking
196: \fBsudo\fR
197: has write access to the command or its parent directory.
198: The following digest formats are supported: sha224, sha256, sha384 and sha512.
199: The digest name must be followed by a colon
200: (`:\&')
201: and then the actual digest, in either hex or base64 format.
202: For example, given the following value for sudoCommand:
203: .RS
204: .nf
205: .sp
206: .RS 4n
207: sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
208: .RE
209: .fi
210: .sp
211: The user may only run
212: \fI/bin/ls\fR
213: if its sha224 digest matches the specified value.
214: Command digests are only supported by version 1.8.7 or higher.
215: .PP
216: .RE
217: .PD 0
1.1.1.3 misho 218: .TP 6n
219: \fBsudoOption\fR
1.1 misho 220: Identical in function to the global options described above, but
1.1.1.3 misho 221: specific to the
222: \fRsudoRole\fR
223: in which it resides.
1.1.1.4 misho 224: .PD
1.1.1.3 misho 225: .TP 6n
226: \fBsudoRunAsUser\fR
227: A user name or uid (prefixed with
228: `#')
229: that commands may be run as or a Unix group (prefixed with a
230: `%')
231: or user netgroup (prefixed with a
232: `+')
233: that contains a list of users that commands may be run as.
234: The special value
235: \fRALL\fR
236: will match any user.
237: .sp
238: The
239: \fRsudoRunAsUser\fR
240: attribute is only available in
241: \fBsudo\fR
242: versions
243: 1.7.0 and higher.
244: Older versions of
245: \fBsudo\fR
246: use the
247: \fRsudoRunAs\fR
1.1 misho 248: attribute instead.
1.1.1.3 misho 249: .TP 6n
250: \fBsudoRunAsGroup\fR
251: A Unix group or gid (prefixed with
252: `#')
253: that commands may be run as.
254: The special value
255: \fRALL\fR
256: will match any group.
257: .sp
258: The
259: \fRsudoRunAsGroup\fR
260: attribute is only available in
261: \fBsudo\fR
262: versions
1.1 misho 263: 1.7.0 and higher.
1.1.1.3 misho 264: .TP 6n
265: \fBsudoNotBefore\fR
266: A timestamp in the form
267: \fRyyyymmddHHMMSSZ\fR
268: that can be used to provide a start date/time for when the
269: \fRsudoRole\fR
270: will be valid.
271: If multiple
272: \fRsudoNotBefore\fR
273: entries are present, the earliest is used.
274: Note that timestamps must be in Coordinated Universal Time (UTC),
275: not the local timezone.
276: The minutes and seconds portions are optional, but some LDAP servers
277: require that they be present (contrary to the RFC).
278: .sp
279: The
280: \fRsudoNotBefore\fR
281: attribute is only available in
282: \fBsudo\fR
283: versions 1.7.5 and higher and must be explicitly enabled via the
284: \fBSUDOERS_TIMED\fR
285: option in
286: \fI@ldap_conf@\fR.
287: .TP 6n
288: \fBsudoNotAfter\fR
289: A timestamp in the form
290: \fRyyyymmddHHMMSSZ\fR
291: that indicates an expiration date/time, after which the
292: \fRsudoRole\fR
293: will no longer be valid.
294: If multiple
295: \fRsudoNotAfter\fR
296: entries are present, the last one is used.
297: Note that timestamps must be in Coordinated Universal Time (UTC),
298: not the local timezone.
299: The minutes and seconds portions are optional, but some LDAP servers
300: require that they be present (contrary to the RFC).
301: .sp
302: The
303: \fRsudoNotAfter\fR
304: attribute is only available in
305: \fBsudo\fR
306: versions
307: 1.7.5 and higher and must be explicitly enabled via the
308: \fBSUDOERS_TIMED\fR
309: option in
310: \fI@ldap_conf@\fR.
311: .TP 6n
312: \fBsudoOrder\fR
313: The
314: \fRsudoRole\fR
315: entries retrieved from the LDAP directory have no inherent order.
316: The
317: \fRsudoOrder\fR
318: attribute is an integer (or floating point value for LDAP servers
319: that support it) that is used to sort the matching entries.
1.1.1.4 misho 320: This allows LDAP-based sudoers entries to more closely mimic the behavior
1.1.1.3 misho 321: of the sudoers file, where the order of the entries influences the result.
322: If multiple entries match, the entry with the highest
323: \fRsudoOrder\fR
324: attribute is chosen.
325: This corresponds to the
326: ``last match''
327: behavior of the sudoers file.
328: If the
329: \fRsudoOrder\fR
330: attribute is not present, a value of 0 is assumed.
331: .sp
332: The
333: \fRsudoOrder\fR
334: attribute is only available in
335: \fBsudo\fR
336: versions 1.7.5 and higher.
1.1 misho 337: .PP
338: Each attribute listed above should contain a single value, but there
1.1.1.3 misho 339: may be multiple instances of each attribute type.
340: A
341: \fRsudoRole\fR
342: must contain at least one
343: \fRsudoUser\fR,
344: \fRsudoHost\fR
345: and
346: \fRsudoCommand\fR.
1.1 misho 347: .PP
348: The following example allows users in group wheel to run any command
1.1.1.3 misho 349: on any host via
350: \fBsudo\fR:
351: .nf
352: .sp
353: .RS 4n
354: dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
355: objectClass: top
356: objectClass: sudoRole
357: cn: %wheel
358: sudoUser: %wheel
359: sudoHost: ALL
360: sudoCommand: ALL
361: .RE
362: .fi
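The digest rule for \fBsudoCommand\fR described above, as an added example that is not part of this manual or of sudo's source: Python that checks a "sha224:<digest> /path [args]" value against the file as it exists on disk now. Hex and base64 digests are both accepted; the base64 value in the manual's example has no trailing "=" padding, so the decoder restores it before decoding. The temporary stand-in for /bin/ls, its contents and the role values are constructed for the demonstration; matching of command arguments is deliberately left out.

```python
# Added example (not sudo's own code): check a digest-prefixed sudoCommand
# value, "sha224:<digest> /path/to/cmd [args]", against the file on disk.
# The digest may be hex or base64; the manual's base64 example has no
# trailing '=' padding, so padding is restored before decoding.
import base64
import binascii
import hashlib
import hmac
import os
import re
import tempfile

# Algorithms sudoers.ldap(8) lists, with the digest length in bytes.
DIGEST_ALGS = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}

_PREFIX_RE = re.compile(r"^(sha224|sha256|sha384|sha512):(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_digest_command(value):
    """Split 'sha224:<digest> /bin/ls [args]' into (alg, digest_bytes, path, args).

    Raises ValueError for an unknown algorithm, an undecodable digest or a
    digest of the wrong length, so a malformed value can never match.
    """
    m = _PREFIX_RE.match(value.strip())
    if not m:
        raise ValueError("not a digest-prefixed sudoCommand: %r" % value)
    alg, digest, path, args = m.groups()
    raw = _decode_digest(digest, DIGEST_ALGS[alg])
    if len(raw) != DIGEST_ALGS[alg]:
        raise ValueError("%s digest must be %d bytes, got %d"
                         % (alg, DIGEST_ALGS[alg], len(raw)))
    return alg, raw, path, args or ""


def _decode_digest(text, size):
    # Hex is exactly 2*size hex characters; test that first, because the
    # hex and base64 alphabets overlap and a hex string must not be misread.
    if len(text) == 2 * size and re.fullmatch(r"[0-9A-Fa-f]+", text):
        return binascii.unhexlify(text)
    padded = text + "=" * (-len(text) % 4)   # restore any stripped '=' padding
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError("undecodable digest %r: %s" % (text, e))


def file_digest(path, alg):
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def command_allowed(value, requested_path):
    """True only if requested_path is the entry's path AND the file's current
    digest equals the one in the entry (constant-time compare).  Argument
    matching is deliberately left out of this example."""
    alg, expected, path, _args = parse_digest_command(value)
    if requested_path != path:
        return False
    return hmac.compare_digest(file_digest(path, alg), expected)


def demo():
    """Constructed scenario: a script stands in for /bin/ls.  The role values
    are written while the file is pristine; the file is then modified, as a
    user with write access to it could do, and the same values must now
    refuse it.  Returns ((allowed_b64, allowed_hex), (after_b64, after_hex))."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ls")
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        raw = file_digest(path, "sha224")
        b64 = base64.b64encode(raw).decode().rstrip("=")   # unpadded, as in the manual
        entries = ("sha224:%s %s" % (b64, path), "sha224:%s %s -l" % (raw.hex(), path))
        before = tuple(command_allowed(e, path) for e in entries)
        with open(path, "ab") as f:
            f.write(b"echo trojan\n")
        after = tuple(command_allowed(e, path) for e in entries)
    return before, after
```

demo() returns ((True, True), (False, False)): both spellings of the digest admit the pristine file and both refuse it once a line has been appended, which is exactly the case the manual describes where the invoking user can write to the command or its directory.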
363: .SS "Anatomy of LDAP sudoers lookup"
364: When looking up a sudoer using LDAP there are only two or three
365: LDAP queries per invocation.
366: The first query is to parse the global options.
367: The second is to match against the user's name and the groups that
368: the user belongs to.
369: (The special
370: \fRALL\fR
371: tag is matched in this query too.)
372: If no match is returned for the user's name and groups, a third
373: query returns all entries containing user netgroups and checks
374: to see if the user belongs to any of them.
375: .PP
376: If timed entries are enabled with the
377: \fBSUDOERS_TIMED\fR
1.1.1.4 misho 378: configuration directive, the LDAP queries include a sub-filter that
1.1.1.3 misho 379: limits retrieval to entries that satisfy the time constraints, if any.
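The three searches described above, as an added example that is not sudo's own code: Python that builds the LDAP filters for the defaults lookup, the user/group/ALL lookup and the netgroup lookup, optionally ANDed with SUDOERS_SEARCH_FILTER and the SUDOERS_TIMED sub-filter. The filter shapes follow the description on this page rather than sudo's source, so the strings sudo actually sends may differ in detail; the example's own addition is RFC 4515 escaping of the user and group names, so that a crafted name cannot widen the search. EXAMPLE_NOW is a constructed timestamp.

```python
# Added example (not sudo's own code): the three searches described under
# "Anatomy of LDAP sudoers lookup", built as LDAP filter strings.  Every
# value that comes from the invoking user is escaped per RFC 4515 so that a
# name such as "*)(sudoUser=ALL" cannot change the meaning of the filter.
import datetime

# Constructed timestamp used by the sample invocation at the bottom.
EXAMPLE_NOW = datetime.datetime(2013, 8, 30, 12, 0, 0, tzinfo=datetime.timezone.utc)


def ldap_escape(value):
    """RFC 4515 escaping of a filter assertion value: backslash, '*', '(', ')',
    NUL and any non-printable or non-ASCII byte become \\XX hex escapes."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b < 0x20 or b > 0x7e:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def timed_subfilter(now):
    """Sub-filter added when SUDOERS_TIMED is on: keep entries that have no
    sudoNotBefore/sudoNotAfter, or whose window contains `now`.  The timestamp
    is rendered in UTC as yyyymmddHHMMSSZ, the form the attributes use."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware; sudoNotBefore/After are UTC")
    ts = now.astimezone(datetime.timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return ("(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))"
            "(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))" % (ts, ts))


def _wrap(core, search_filter=None, timed=None):
    """AND the core filter with SUDOERS_SEARCH_FILTER and the timed sub-filter."""
    parts = [core]
    if search_filter:
        parts.append(search_filter if search_filter.startswith("(")
                     else "(%s)" % search_filter)
    if timed:
        parts.append(timed)
    return parts[0] if len(parts) == 1 else "(&%s)" % "".join(parts)


def defaults_filter(search_filter=None):
    """Query 1: the cn=defaults entry holding the global sudoOption values."""
    return _wrap("(cn=defaults)", search_filter)


def user_filter(user, uid, groups, gids, search_filter=None, timed=None):
    """Query 2: the user by name and uid, each group by name and gid, and ALL."""
    terms = ["(sudoUser=%s)" % ldap_escape(user), "(sudoUser=#%d)" % uid]
    terms += ["(sudoUser=%%%s)" % ldap_escape(g) for g in groups]
    terms += ["(sudoUser=%%#%d)" % gid for gid in gids]
    terms.append("(sudoUser=ALL)")
    return _wrap("(|%s)" % "".join(terms), search_filter, timed)


def netgroup_filter(search_filter=None, timed=None):
    """Query 3 (only if query 2 matched nothing): every entry that names a user
    netgroup; netgroup membership is then checked on the client."""
    return _wrap("(sudoUser=+*)", search_filter, timed)


def lookup_filters(user, uid, groups, gids, search_filter=None, timed_now=None):
    """The filters one sudo invocation would send, in order."""
    timed = timed_subfilter(timed_now) if timed_now else None
    return [defaults_filter(search_filter),
            user_filter(user, uid, groups, gids, search_filter, timed),
            netgroup_filter(search_filter, timed)]


# Sample invocation: alice (uid 1000) in group wheel (gid 10), timed entries on.
SAMPLE = lookup_filters("alice", 1000, ["wheel"], [10], timed_now=EXAMPLE_NOW)
```

The timed sub-filter relies on the server supporting ordering matches on sudoNotBefore and sudoNotAfter, which the sudo schema declares; servers that insist on the minutes and seconds being present are the reason the page recommends writing full yyyymmddHHMMSSZ values.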
380: .SS "Differences between LDAP and non-LDAP sudoers"
1.1 misho 381: There are some subtle differences in the way sudoers is handled
1.1.1.3 misho 382: once in LDAP.
383: Probably the biggest is that according to the RFC, LDAP ordering
384: is arbitrary and you cannot expect that Attributes and Entries are
385: returned in any specific order.
1.1 misho 386: .PP
387: The order in which different entries are applied can be controlled
1.1.1.3 misho 388: using the
389: \fRsudoOrder\fR
390: attribute, but there is no way to guarantee the order of attributes
391: within a specific entry.
392: If there are conflicting command rules in an entry, the negative
393: takes precedence.
1.1 misho 394: This is called paranoid behavior (not necessarily the most specific
395: match).
396: .PP
397: Here is an example:
1.1.1.3 misho 398: .nf
399: .sp
400: .RS 4n
401: # /etc/sudoers:
402: # Allow all commands except shell
403: johnny ALL=(root) ALL,!/bin/sh
404: # Always allows all commands because ALL is matched last
405: puddles ALL=(root) !/bin/sh,ALL
406:
407: # LDAP equivalent of johnny
408: # Allows all commands except shell
409: dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
410: objectClass: sudoRole
411: objectClass: top
412: cn: role1
413: sudoUser: johnny
414: sudoHost: ALL
415: sudoCommand: ALL
416: sudoCommand: !/bin/sh
417:
418: # LDAP equivalent of puddles
419: # Notice that even though ALL comes last, it still behaves like
420: # role1 since the LDAP code assumes the more paranoid configuration
421: dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
422: objectClass: sudoRole
423: objectClass: top
424: cn: role2
425: sudoUser: puddles
426: sudoHost: ALL
427: sudoCommand: !/bin/sh
428: sudoCommand: ALL
429: .RE
430: .fi
1.1 misho 431: .PP
432: Another difference is that negations on the Host, User or Runas are
1.1.1.3 misho 433: currently ignored.
434: For example, the following attributes do not behave the way one might expect.
435: .nf
436: .sp
437: .RS 4n
438: # does not match all but joe
439: # rather, does not match anyone
440: sudoUser: !joe
441:
442: # does not match all but joe
443: # rather, matches everyone including Joe
444: sudoUser: ALL
445: sudoUser: !joe
446:
447: # does not match all but web01
448: # rather, matches all hosts including web01
449: sudoHost: ALL
450: sudoHost: !web01
451: .RE
452: .fi
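The sudoRole attribute semantics from the SUDOers LDAP container subsection (sudoUser prefixes, sudoHost, sudoOrder as "last match") together with the negation rules just shown, as one added example that is not part of this manual or of sudo: a Python model of how the matching entries decide a request. The LDIF, the user names and the netgroup memberships are constructed; command arguments, IP and network forms of sudoHost and non-Unix groups are not modelled.

```python
# Added example (not sudo's own code): how matching sudoRole entries decide
# a request, following the rules on this page: negated sudoUser/sudoHost
# values are ignored, a negated sudoCommand always beats a positive one in
# the same entry regardless of attribute order, and among matching entries
# the highest sudoOrder ("last match") wins.  Command arguments, IP/network
# host forms and non-Unix (%:) groups are not modelled.
import fnmatch

# Constructed directory content for the demonstration (not a real deployment).
LDIF = """\
dn: cn=role1,ou=SUDOers,dc=example,dc=com
sudoUser: johnny
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh

dn: cn=role2,ou=SUDOers,dc=example,dc=com
sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL

dn: cn=wheel,ou=SUDOers,dc=example,dc=com
sudoUser: %wheel
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 10

dn: cn=wheel-no-shell-on-web,ou=SUDOers,dc=example,dc=com
sudoUser: %wheel
sudoHost: +webservers
sudoCommand: !/bin/sh
sudoOrder: 20

dn: cn=everyone-but-joe,ou=SUDOers,dc=example,dc=com
sudoUser: ALL
sudoUser: !joe
sudoHost: ALL
sudoCommand: /usr/bin/id
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, multi-valued attributes."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():
            entries.append({})
            continue
        attr, _, value = line.partition(":")
        entries[-1].setdefault(attr.strip(), []).append(value.strip())
    return [e for e in entries if e]


def principal(user, uid, groups=(), gids=(), netgroups=(), host="localhost",
              host_netgroups=()):
    """The invoking user as sudo sees it; netgroup membership is supplied by the caller."""
    return dict(user=user, uid=uid, groups=set(groups), gids=set(gids),
                netgroups=set(netgroups), host=host, host_netgroups=set(host_netgroups))


def user_matches(value, p):
    if value.startswith("!"):            # negation on sudoUser is ignored: never matches
        return False
    if value == "ALL":
        return True
    if value.startswith("%#"):
        return value[2:].isdigit() and int(value[2:]) in p["gids"]
    if value.startswith("%"):
        return value[1:] in p["groups"]
    if value.startswith("#"):
        return value[1:].isdigit() and int(value[1:]) == p["uid"]
    if value.startswith("+"):
        return value[1:] in p["netgroups"]
    return value == p["user"]


def host_matches(value, p):
    if value.startswith("!"):            # negation on sudoHost is ignored as well
        return False
    if value == "ALL":
        return True
    if value.startswith("+"):
        return value[1:] in p["host_netgroups"]
    return value == p["host"]


def command_decision(entry, cmd):
    """Per-entry result: 'deny' if any negated sudoCommand matches cmd, else
    'allow' if any positive one matches, else None.  Attribute order inside
    the entry cannot change this (the "paranoid" rule)."""
    decision = None
    for value in entry.get("sudoCommand", []):
        negated = value.startswith("!")
        pattern = value.lstrip("!").split()[0]   # path part only
        if pattern == "ALL" or fnmatch.fnmatchcase(cmd, pattern):
            if negated:
                return "deny"
            decision = "allow"
    return decision


def evaluate(entries, p, cmd):
    """Walk the entries whose sudoUser and sudoHost match in ascending
    sudoOrder (missing == 0); the last entry with a command decision wins.
    No decision at all means sudo refuses."""
    matched = [e for e in entries
               if any(user_matches(v, p) for v in e.get("sudoUser", []))
               and any(host_matches(v, p) for v in e.get("sudoHost", []))]
    matched.sort(key=lambda e: float(e.get("sudoOrder", ["0"])[0]))
    result = "deny"
    for e in matched:
        d = command_decision(e, cmd)
        if d is not None:
            result = d
    return result
```

With ROLES = parse_ldif(LDIF): puddles is refused /bin/sh even though ALL is listed after the negation; a wheel member on a host in the webservers netgroup is refused /bin/sh because the sudoOrder 20 entry is applied after the sudoOrder 10 one, while the same member on another host is allowed it; and joe matches cn=everyone-but-joe because the "!joe" value is simply ignored.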
453: .SS "Sudoers schema"
454: In order to use
455: \fBsudo\fR's
456: LDAP support, the
457: \fBsudo\fR
458: schema must be
459: installed on your LDAP server.
460: In addition, be sure to index the
461: \fRsudoUser\fR
462: attribute.
463: .PP
464: Three versions of the schema: one for OpenLDAP servers
465: (\fIschema.OpenLDAP\fR),
466: one for Netscape-derived servers
467: (\fIschema.iPlanet\fR),
468: and one for Microsoft Active Directory
469: (\fIschema.ActiveDirectory\fR)
470: may be found in the
471: \fBsudo\fR
472: distribution.
473: .PP
474: The schema for
475: \fBsudo\fR
476: in OpenLDAP form is also included in the
477: \fIEXAMPLES\fR
1.1 misho 478: section.
479: .SS "Configuring ldap.conf"
1.1.1.3 misho 480: Sudo reads the
481: \fI@ldap_conf@\fR
482: file for LDAP-specific configuration.
1.1.1.4 misho 483: Typically, this file is shared between different LDAP-aware clients.
1.1.1.3 misho 484: As such, most of the settings are not
485: \fBsudo\fR-specific.
486: Note that
487: \fBsudo\fR
488: parses
489: \fI@ldap_conf@\fR
490: itself and may support options that differ from those described in the
491: system's
492: ldap.conf(@mansectsu@)
493: manual.
1.1.1.4 misho 494: The path to
495: \fIldap.conf\fR
496: may be overridden via the
497: \fIldap_conf\fR
498: plugin argument in
499: sudo.conf(@mansectform@).
1.1 misho 500: .PP
501: Also note that on systems using the OpenLDAP libraries, default
1.1.1.3 misho 502: values specified in
503: \fI/etc/openldap/ldap.conf\fR
504: or the user's
505: \fI.ldaprc\fR
506: files are not used.
507: .PP
508: Only those options explicitly listed in
509: \fI@ldap_conf@\fR
510: as being supported by
511: \fBsudo\fR
512: are honored.
513: Configuration options are listed below in upper case but are parsed
514: in a case-independent manner.
1.1.1.4 misho 515: .PP
1.1.1.5 ! misho 516: The pound sign
! 517: (`#')
! 518: is used to indicate a comment.
! 519: Both the comment character and any text after it, up to the end of
! 520: the line, are ignored.
1.1.1.4 misho 521: Long lines can be continued with a backslash
522: (`\e')
523: as the last character on the line.
524: Note that leading white space is removed from the beginning of lines
525: even when the continuation character is used.
1.1.1.3 misho 526: .TP 6n
527: \fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
1.1.1.4 misho 528: Specifies a white space-delimited list of one or more URIs describing
1.1.1.3 misho 529: the LDAP server(s) to connect to.
530: The
531: \fIprotocol\fR
532: may be either
533: \fIldap\fR or
534: \fIldaps\fR,
535: the latter being for servers that support TLS (SSL) encryption.
536: If no
537: \fIport\fR
538: is specified, the default is port 389 for
539: \fRldap://\fR
540: or port 636 for
541: \fRldaps://\fR.
542: If no
543: \fIhostname\fR
544: is specified,
545: \fBsudo\fR
546: will connect to
547: \fIlocalhost\fR.
548: Multiple
549: \fBURI\fR
550: lines are treated identically to a
551: \fBURI\fR
552: line containing multiple entries.
553: Only systems using the OpenSSL libraries support the mixing of
554: \fRldap://\fR
555: and
556: \fRldaps://\fR
557: URIs.
558: Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
559: versions of Unix are only capable of supporting one or the other.
560: .TP 6n
561: \fBHOST\fR \fIname[:port] ...\fR
562: If no
563: \fBURI\fR
564: is specified, the
565: \fBHOST\fR
1.1.1.4 misho 566: parameter specifies a white space-delimited list of LDAP servers to connect to.
1.1.1.3 misho 567: Each host may include an optional
568: \fIport\fR
569: separated by a colon
570: (`:\&').
571: The
572: \fBHOST\fR
573: parameter is deprecated in favor of the
574: \fBURI\fR
575: specification and is included for backwards compatibility.
576: .TP 6n
577: \fBPORT\fR \fIport_number\fR
578: If no
579: \fBURI\fR
580: is specified, the
581: \fBPORT\fR
582: parameter specifies the default port to connect to on the LDAP server if a
583: \fBHOST\fR
584: parameter does not specify the port itself.
585: If no
586: \fBPORT\fR
587: parameter is used, the default is port 389 for LDAP and port 636 for LDAP
588: over TLS (SSL).
589: The
590: \fBPORT\fR
591: parameter is deprecated in favor of the
592: \fBURI\fR
1.1 misho 593: specification and is included for backwards compatibility.
1.1.1.3 misho 594: .TP 6n
595: \fBBIND_TIMELIMIT\fR \fIseconds\fR
596: The
597: \fBBIND_TIMELIMIT\fR
598: parameter specifies the amount of time, in seconds, to wait while trying
599: to connect to an LDAP server.
600: If multiple
601: \fBURI\fRs
602: or
603: \fBHOST\fRs
604: are specified, this is the amount of time to wait before trying
1.1 misho 605: the next one in the list.
1.1.1.3 misho 606: .TP 6n
607: \fBNETWORK_TIMEOUT\fR \fIseconds\fR
608: An alias for
609: \fBBIND_TIMELIMIT\fR
610: for OpenLDAP compatibility.
611: .TP 6n
612: \fBTIMELIMIT\fR \fIseconds\fR
613: The
614: \fBTIMELIMIT\fR
615: parameter specifies the amount of time, in seconds, to wait for a
616: response to an LDAP query.
617: .TP 6n
618: \fBTIMEOUT\fR \fIseconds\fR
619: The
620: \fBTIMEOUT\fR
621: parameter specifies the amount of time, in seconds, to wait for a
622: response from the various LDAP APIs.
623: .TP 6n
624: \fBSUDOERS_BASE\fR \fIbase\fR
625: The base DN to use when performing
626: \fBsudo\fR
627: LDAP queries.
628: Typically this is of the form
629: \fRou=SUDOers,dc=example,dc=com\fR
630: for the domain
631: \fRexample.com\fR.
632: Multiple
633: \fBSUDOERS_BASE\fR
634: lines may be specified, in which case they are queried in the order specified.
635: .TP 6n
636: \fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
637: An LDAP filter which is used to restrict the set of records returned
638: when performing a
639: \fBsudo\fR
640: LDAP query.
641: Typically, this is of the
642: form
643: \fRattribute=value\fR
644: or
645: \fR(&(attribute=value)(attribute2=value2))\fR.
646: .TP 6n
647: \fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
648: Whether or not to evaluate the
649: \fRsudoNotBefore\fR
650: and
651: \fRsudoNotAfter\fR
1.1 misho 652: attributes that implement time-dependent sudoers entries.
1.1.1.3 misho 653: .TP 6n
654: \fBSUDOERS_DEBUG\fR \fIdebug_level\fR
655: This sets the debug level for
656: \fBsudo\fR
657: LDAP queries.
658: Debugging information is printed to the standard error.
659: A value of 1 results in a moderate amount of debugging information.
660: A value of 2 shows the results of the matches themselves.
661: This parameter should not be set in a production environment as the
662: extra information is likely to confuse users.
1.1.1.4 misho 663: .sp
664: The
665: \fBSUDOERS_DEBUG\fR
666: parameter is deprecated and will be removed in a future release.
667: The same information is now logged via the
668: \fBsudo\fR
669: debugging framework using the
670: ``ldap''
671: subsystem at priorities
672: \fIdiag\fR
673: and
674: \fIinfo\fR
675: for
676: \fIdebug_level\fR
677: values 1 and 2 respectively.
678: See the
679: sudo.conf(@mansectform@)
680: manual for details on how to configure
681: \fBsudo\fR
682: debugging.
1.1.1.3 misho 683: .TP 6n
684: \fBBINDDN\fR \fIDN\fR
685: The
686: \fBBINDDN\fR
687: parameter specifies the identity, in the form of a Distinguished Name (DN),
688: to use when performing LDAP operations.
689: If not specified, LDAP operations are performed with an anonymous identity.
690: By default, most LDAP servers will allow anonymous access.
691: .TP 6n
692: \fBBINDPW\fR \fIsecret\fR
693: The
694: \fBBINDPW\fR
695: parameter specifies the password to use when performing LDAP operations.
696: This is typically used in conjunction with the
697: \fBBINDDN\fR
698: parameter.
699: .TP 6n
700: \fBROOTBINDDN\fR \fIDN\fR
701: The
702: \fBROOTBINDDN\fR
703: parameter specifies the identity, in the form of a Distinguished Name (DN),
704: to use when performing privileged LDAP operations, such as
705: \fIsudoers\fR
706: queries.
1.1.1.4 misho 707: The password corresponding to the identity should be stored in the file
708: at the path specified by the
709: \fIldap_secret\fR
710: plugin argument in
711: sudo.conf(@mansectform@),
712: which defaults to
1.1.1.3 misho 713: \fI@ldap_secret@\fR.
1.1.1.4 misho 714: If no
715: \fBROOTBINDDN\fR
716: is specified, the
1.1.1.3 misho 717: \fBBINDDN\fR
718: identity is used (if any).
719: .TP 6n
720: \fBLDAP_VERSION\fR \fInumber\fR
721: The version of the LDAP protocol to use when connecting to the server.
1.1 misho 722: The default value is protocol version 3.
1.1.1.3 misho 723: .TP 6n
724: \fBSSL\fR \fIon/true/yes/off/false/no\fR
725: If the
726: \fBSSL\fR
727: parameter is set to
728: \fRon\fR,
729: \fRtrue\fR
730: \fRor\fR
731: \fRyes\fR,
732: TLS (SSL) encryption is always used when communicating with the LDAP server.
733: Typically, this involves connecting to the server on port 636 (ldaps).
734: .TP 6n
735: \fBSSL\fR \fIstart_tls\fR
736: If the
737: \fBSSL\fR
738: parameter is set to
739: \fRstart_tls\fR,
740: the LDAP server connection is initiated normally and TLS encryption is
741: begun before the bind credentials are sent.
742: This has the advantage of not requiring a dedicated port for encrypted
743: communications.
744: This parameter is only supported by LDAP servers that honor the
745: \fIstart_tls\fR
746: extension, such as the OpenLDAP and Tivoli Directory servers.
747: .TP 6n
748: \fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
749: If enabled,
750: \fBTLS_CHECKPEER\fR
751: will cause the LDAP server's TLS certificate to be verified.
752: If the server's TLS certificate cannot be verified (usually because it
753: is signed by an unknown certificate authority),
754: \fBsudo\fR
755: will be unable to connect to it.
756: If
757: \fBTLS_CHECKPEER\fR
758: is disabled, no check is made.
759: Note that disabling the check creates an opportunity for man-in-the-middle
760: attacks since the server's identity will not be authenticated.
761: If possible, the CA's certificate should be installed locally so it can
762: be verified.
763: This option is not supported by the Tivoli Directory Server LDAP libraries.
764: .TP 6n
765: \fBTLS_CACERT\fR \fIfile name\fR
766: An alias for
767: \fBTLS_CACERTFILE\fR
768: for OpenLDAP compatibility.
769: .TP 6n
770: \fBTLS_CACERTFILE\fR \fIfile name\fR
1.1 misho 771: The path to a certificate authority bundle which contains the certificates
1.1.1.3 misho 772: for all the Certificate Authorities the client knows to be valid, e.g.\&
773: \fI/etc/ssl/ca-bundle.pem\fR.
1.1 misho 774: This option is only supported by the OpenLDAP libraries.
1.1.1.3 misho 775: Netscape-derived LDAP libraries use the same certificate
776: database for CA and client certificates (see
777: \fBTLS_CERT\fR).
778: .TP 6n
779: \fBTLS_CACERTDIR\fR \fIdirectory\fR
780: Similar to
781: \fBTLS_CACERTFILE\fR
782: but instead of a file, it is a directory containing individual
783: Certificate Authority certificates, e.g.\&
784: \fI/etc/ssl/certs\fR.
785: The directory specified by
786: \fBTLS_CACERTDIR\fR
787: is checked after
788: \fBTLS_CACERTFILE\fR.
1.1 misho 789: This option is only supported by the OpenLDAP libraries.
1.1.1.3 misho 790: .TP 6n
791: \fBTLS_CERT\fR \fIfile name\fR
1.1 misho 792: The path to a file containing the client certificate which can
1.1.1.3 misho 793: be used to authenticate the client to the LDAP server.
794: The certificate type depends on the LDAP libraries used.
795: .RS
796: .TP 6n
1.1 misho 797: OpenLDAP:
1.1.1.3 misho 798: \fRtls_cert /etc/ssl/client_cert.pem\fR
799: .TP 6n
1.1 misho 800: Netscape-derived:
1.1.1.3 misho 801: \fRtls_cert /var/ldap/cert7.db\fR
802: .TP 6n
803: Tivoli Directory Server:
804: Unused, the key database specified by
805: \fBTLS_KEY\fR
806: contains both keys and certificates.
807: .sp
1.1 misho 808: When using Netscape-derived libraries, this file may also contain
809: Certificate Authority certificates.
1.1.1.3 misho 810: .PP
811: .RE
812: .PD 0
813: .TP 6n
814: \fBTLS_KEY\fR \fIfile name\fR
1.1 misho 815: The path to a file containing the private key which matches the
1.1.1.3 misho 816: certificate specified by
817: \fBTLS_CERT\fR.
818: The private key must not be password-protected.
819: The key type depends on the LDAP libraries used.
820: .RS
821: .PD
822: .TP 6n
1.1 misho 823: OpenLDAP:
1.1.1.3 misho 824: \fRtls_key /etc/ssl/client_key.pem\fR
825: .TP 6n
1.1 misho 826: Netscape-derived:
1.1.1.3 misho 827: \fRtls_key /var/ldap/key3.db\fR
828: .TP 6n
829: Tivoli Directory Server:
1.1.1.5 ! misho 830: \fRtls_key /usr/ldap/ldapkey.kdb\fR
1.1.1.3 misho 831: .PD 0
832: .PP
833: .PD
834: When using Tivoli LDAP libraries, this file may also contain
835: Certificate Authority and client certificates and may be encrypted.
836: .PP
837: .RE
838: .PD 0
839: .TP 6n
840: \fBTLS_KEYPW\fR \fIsecret\fR
841: The
842: \fBTLS_KEYPW\fR
843: contains the password used to decrypt the key database on clients
844: using the Tivoli Directory Server LDAP library.
1.1.1.5 ! misho 845: This should be a simple string without quotes.
! 846: The password may not include the comment character
! 847: (`#')
! 848: and escaping of special characters with a backslash
! 849: (`\e')
! 850: is not supported.
! 851: If this option is used,
! 852: \fI@ldap_conf@\fR
! 853: must not be world-readable to avoid exposing the password.
! 854: Alternately, a
! 855: \fIstash file\fR
! 856: can be used to store the password in encrypted form (see below).
! 857: .sp
1.1.1.3 misho 858: If no
859: \fBTLS_KEYPW\fR
860: is specified, a
861: \fIstash file\fR
862: will be used if it exists.
863: The
864: \fIstash file\fR
865: must have the same path as the file specified by
866: \fBTLS_KEY\fR,
867: but use a
868: \fR.sth\fR
869: file extension instead of
870: \fR.kdb\fR,
871: e.g.\&
872: \fRldapkey.sth\fR.
873: The default
874: \fRldapkey.kdb\fR
875: that ships with Tivoli Directory Server is encrypted with the password
876: \fRssl_password\fR.
1.1.1.5 ! misho 877: The
! 878: \fIgsk8capicmd\fR
! 879: utility can be used to manage the key database and create a
! 880: \fIstash file\fR.
1.1.1.3 misho 881: This option is only supported by the Tivoli LDAP libraries.
882: .PD
883: .TP 6n
884: \fBTLS_RANDFILE\fR \fIfile name\fR
885: The
886: \fBTLS_RANDFILE\fR
887: parameter specifies the path to an entropy source for systems that lack
888: a random device.
889: It is generally used in conjunction with
890: \fIprngd\fR
891: or
892: \fIegd\fR.
1.1 misho 893: This option is only supported by the OpenLDAP libraries.
1.1.1.3 misho 894: .TP 6n
895: \fBTLS_CIPHERS\fR \fIcipher list\fR
896: The
897: \fBTLS_CIPHERS\fR
898: parameter allows the administrator to restrict which encryption algorithms
899: may be used for TLS (SSL) connections.
900: See the OpenLDAP or Tivoli Directory Server manual for a list of valid
901: ciphers.
902: This option is not supported by Netscape-derived libraries.
903: .TP 6n
904: \fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
905: Enable
906: \fBUSE_SASL\fR
907: for LDAP servers that support SASL authentication.
908: .TP 6n
909: \fBSASL_AUTH_ID\fR \fIidentity\fR
910: The SASL user name to use when connecting to the LDAP server.
911: By default,
912: \fBsudo\fR
913: will use an anonymous connection.
914: .TP 6n
915: \fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
916: Enable
917: \fBROOTUSE_SASL\fR
918: to enable SASL authentication when connecting
919: to an LDAP server from a privileged process, such as
920: \fBsudo\fR.
921: .TP 6n
922: \fBROOTSASL_AUTH_ID\fR \fIidentity\fR
923: The SASL user name to use when
924: \fBROOTUSE_SASL\fR
925: is enabled.
926: .TP 6n
927: \fBSASL_SECPROPS\fR \fInone/properties\fR
928: SASL security properties or
929: \fInone\fR
930: for no properties.
931: See the SASL programmer's manual for details.
932: .TP 6n
933: \fBKRB5_CCNAME\fR \fIfile name\fR
1.1 misho 934: The path to the Kerberos 5 credential cache to use when authenticating
935: with the remote server.
1.1.1.3 misho 936: .TP 6n
937: \fBDEREF\fR \fInever/searching/finding/always\fR
938: How alias dereferencing is to be performed when searching.
939: See the
940: ldap.conf(@mansectsu@)
941: manual for a full description of this option.
942: .PP
943: See the
944: \fIldap.conf\fR
945: entry in the
946: \fIEXAMPLES\fR
947: section.
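The file syntax described at the start of this subsection (comments, continuation lines, case-insensitive keys, repeated URI and SUDOERS_BASE lines) together with the cautions given for TLS_CHECKPEER, BINDPW and TLS_KEYPW, as one added example that is not sudo's own parser: a Python reader for @ldap_conf@ and a lint of the settings that matter for security. How sudo joins a continued line is an assumption here (the backslash is dropped and the next line appended after its leading white space is removed). SAMPLE_CONF is constructed; its TLS_KEYPW value is silently cut at the "#", which is why the manual forbids that character in the password.

```python
# Added example (not sudo's own code): a reader for the @ldap_conf@ syntax
# described on this page (case-insensitive keys, '#' comments, backslash
# continuation with leading white space stripped) plus a lint of the
# settings that matter for security: TLS_CHECKPEER off, a BINDPW or
# TLS_KEYPW in a world-readable file, and a simple bind with a password
# over plain ldap:// with no SSL/start_tls and no SASL.  How sudo joins
# continued lines is an assumption here: the backslash is dropped and the
# next line is appended after its leading white space is removed.
import stat

TRUE_VALUES = {"on", "true", "yes"}
FALSE_VALUES = {"off", "false", "no"}


def _logical_lines(text):
    """Join backslash-continued lines, then strip '#' comments, in that order,
    so a '#' can never survive into a value (hence the TLS_KEYPW rule)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()                      # leading space goes even when continued
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield (buf + line).split("#", 1)[0].rstrip()
        buf = ""
    if buf:
        yield buf.split("#", 1)[0].rstrip()


def parse_ldap_conf(text):
    """Return {lowercase_key: [values in file order]}; repeated keys such as
    URI and SUDOERS_BASE keep every occurrence."""
    conf = {}
    for line in _logical_lines(text):
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def _last(conf, key, default=""):
    return conf.get(key, [default])[-1].lower()


def lint(conf, mode):
    """Findings for a parsed config.  `mode` is the file's permission bits
    (e.g. stat.S_IMODE(os.stat(path).st_mode)) so the check runs on any
    text without touching the real file."""
    findings = []
    if _last(conf, "tls_checkpeer") in FALSE_VALUES:
        findings.append("checkpeer-disabled")           # server identity unverified: MITM
    if (conf.get("bindpw") or conf.get("tls_keypw")) and mode & stat.S_IROTH:
        findings.append("secret-in-world-readable-file")
    uris = " ".join(conf.get("uri", [])).split()
    plain = any(u.lower().startswith("ldap://") for u in uris) or (not uris and "host" in conf)
    ssl = _last(conf, "ssl")
    sasl = (_last(conf, "use_sasl") in TRUE_VALUES
            or _last(conf, "rootuse_sasl") in TRUE_VALUES)
    if (plain and ssl not in (TRUE_VALUES | {"start_tls"}) and not sasl
            and (conf.get("bindpw") or conf.get("rootbinddn"))):
        findings.append("cleartext-simple-bind")        # password crosses the wire unencrypted
    return findings


# Constructed sample configuration for the demonstration (not a real one).
SAMPLE_CONF = r"""
# sudo LDAP settings
uri ldaps://ldap1.example.com \
    ldaps://ldap2.example.com     # fallback server
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_base ou=Legacy,dc=example,dc=com
sudoers_timed yes
tls_checkpeer no
tls_keypw sec#ret
binddn cn=sudo,ou=svc,dc=example,dc=com
bindpw hunter2
"""
```

lint(parse_ldap_conf(SAMPLE_CONF), 0o644) reports the disabled peer check and the secrets in a world-readable file; with mode 0o600 only the TLS_CHECKPEER finding remains, and a config that uses ldap:// with a BINDPW and neither SSL nor SASL is reported as a cleartext simple bind.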
1.1 misho 948: .SS "Configuring nsswitch.conf"
1.1.1.3 misho 949: Unless it is disabled at build time,
950: \fBsudo\fR
951: consults the Name Service Switch file,
952: \fI@nsswitch_conf@\fR,
953: to specify the
954: \fIsudoers\fR
955: search order.
956: Sudo looks for a line beginning with
957: \fRsudoers\fR:
958: and uses this to determine the search order.
959: Note that
960: \fBsudo\fR
961: does
1.1 misho 962: not stop searching after the first match and later matches take
963: precedence over earlier ones.
964: The following sources are recognized:
1.1.1.3 misho 965: .TP 10n
966: files
967: read sudoers from
968: \fI@sysconfdir@/sudoers\fR
969: .PD 0
970: .TP 10n
971: ldap
972: read sudoers from LDAP
973: .PD
974: .PP
975: In addition, the entry
976: \fR[NOTFOUND=return]\fR
977: will short-circuit the search if the user was not found in the
978: preceding source.
1.1 misho 979: .PP
1.1.1.3 misho 980: To consult LDAP first followed by the local sudoers file (if it
1.1 misho 981: exists), use:
1.1.1.3 misho 982: .nf
983: .sp
984: .RS 4n
985: sudoers: ldap files
986: .RE
987: .fi
1.1 misho 988: .PP
1.1.1.3 misho 989: The local
990: \fIsudoers\fR
991: file can be ignored completely by using:
992: .nf
993: .sp
994: .RS 4n
995: sudoers: ldap
996: .RE
997: .fi
1.1 misho 998: .PP
1.1.1.3 misho 999: If the
1000: \fI@nsswitch_conf@\fR
1001: file is not present or there is no sudoers line, the following
1002: default is assumed:
1003: .nf
1004: .sp
1005: .RS 4n
1006: sudoers: files
1007: .RE
1008: .fi
1.1 misho 1009: .PP
1.1.1.3 misho 1010: Note that
1011: \fI@nsswitch_conf@\fR
1012: is supported even when the underlying operating system does not use
1013: an nsswitch.conf file, except on AIX (see below).
1.1 misho 1014: .SS "Configuring netsvc.conf"
1.1.1.3 misho 1015: On AIX systems, the
1016: \fI@netsvc_conf@\fR
1017: file is consulted instead of
1018: \fI@nsswitch_conf@\fR.
1019: \fBsudo\fR
1020: simply treats
1021: \fInetsvc.conf\fR
1022: as a variant of
1023: \fInsswitch.conf\fR;
1024: information in the previous section unrelated to the file format
1025: itself still applies.
1.1 misho 1026: .PP
1.1.1.3 misho 1027: To consult LDAP first followed by the local sudoers file (if it
1.1 misho 1028: exists), use:
1.1.1.3 misho 1029: .nf
1030: .sp
1031: .RS 4n
1032: sudoers = ldap, files
1033: .RE
1034: .fi
1.1 misho 1035: .PP
1.1.1.3 misho 1036: The local
1037: \fIsudoers\fR
1038: file can be ignored completely by using:
1039: .nf
1040: .sp
1041: .RS 4n
1042: sudoers = ldap
1043: .RE
1044: .fi
1.1 misho 1045: .PP
1.1.1.4 misho 1046: To treat LDAP as authoritative and only use the local sudoers file
1.1.1.3 misho 1047: if the user is not present in LDAP, use:
1048: .nf
1049: .sp
1050: .RS 4n
1051: sudoers = ldap = auth, files
1052: .RE
1053: .fi
1.1 misho 1054: .PP
1.1.1.3 misho 1055: Note that in the above example, the
1056: \fRauth\fR
1.1.1.4 misho 1057: qualifier only affects user lookups; both LDAP and
1.1.1.3 misho 1058: \fIsudoers\fR
1059: will be queried for
1060: \fRDefaults\fR
1.1 misho 1061: entries.
1062: .PP
1.1.1.3 misho 1063: If the
1064: \fI@netsvc_conf@\fR
1065: file is not present or there is no sudoers line, the following
1066: default is assumed:
1067: .nf
1068: .sp
1069: .RS 4n
1070: sudoers = files
1071: .RE
1072: .fi
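.PP
The following is an added example, not code from sudo, that parses the sudoers line in both the nsswitch.conf and netsvc.conf formats shown in the two preceding sections and models the ordering rules they state: every listed source is consulted, a later source's matching rule takes precedence over an earlier one, [NOTFOUND=return] stops the search when the user was not found in the preceding source, and the AIX "= auth" qualifier stops it when the user was found. The names parse_nsswitch, parse_netsvc, resolve_sudoers, Source and LookupResult, and the per-source lookup results, are constructions of this example; resolve_sudoers is a simplified model of the stated rules, not sudo's own lookup code.

```python
"""Parse the sudoers search-order line (nsswitch.conf or AIX netsvc.conf
style) and simulate the ordering rules described in sudoers.ldap(8).

Added example, not sudo's parser.  resolve_sudoers() models only the
rules the manual states; the lookup results below are constructed data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

KNOWN_SOURCES = ("files", "ldap")


@dataclass
class Source:
    name: str
    ret_if_found: bool = False     # AIX netsvc.conf "source = auth"
    ret_if_notfound: bool = False  # nsswitch.conf "[NOTFOUND=return]"


def _uncommented_lines(text: str) -> List[str]:
    return [ln.split("#", 1)[0].strip() for ln in text.splitlines()]


def parse_nsswitch(text: str) -> List[Source]:
    """nsswitch.conf style:  sudoers: ldap [NOTFOUND=return] files"""
    for line in _uncommented_lines(text):
        if not line.startswith("sudoers:"):
            continue
        sources: List[Source] = []
        for tok in line[len("sudoers:"):].split():
            if tok.upper() == "[NOTFOUND=RETURN]":
                if sources:                  # qualifies the preceding source
                    sources[-1].ret_if_notfound = True
            elif tok.lower() in KNOWN_SOURCES:
                sources.append(Source(tok.lower()))
            # any other token is ignored by this example
        if sources:
            return sources
    return [Source("files")]                 # default when no sudoers line


def parse_netsvc(text: str) -> List[Source]:
    """AIX netsvc.conf style:  sudoers = ldap = auth, files"""
    for line in _uncommented_lines(text):
        key, sep, rest = line.partition("=")
        if not sep or key.strip() != "sudoers":
            continue
        sources: List[Source] = []
        for entry in rest.split(","):
            name, _, qualifier = entry.partition("=")
            name = name.strip().lower()
            if name in KNOWN_SOURCES:
                src = Source(name)
                if qualifier.strip().lower() == "auth":
                    src.ret_if_found = True  # this source is authoritative
                sources.append(src)
        if sources:
            return sources
    return [Source("files")]


@dataclass
class LookupResult:
    user_found: bool            # does the source hold any entry for the user?
    decision: Optional[bool]    # True = allow, False = deny, None = no rule matched


def resolve_sudoers(sources: List[Source],
                    lookup: Callable[[str], LookupResult]
                    ) -> Tuple[Optional[bool], List[str]]:
    """Walk the sources in order; return (final decision, sources consulted)."""
    decision: Optional[bool] = None
    consulted: List[str] = []
    for src in sources:
        result = lookup(src.name)
        consulted.append(src.name)
        if result.decision is not None:
            decision = result.decision       # later matches take precedence
        if result.user_found and src.ret_if_found:
            break                            # "= auth": stop, LDAP was authoritative
        if not result.user_found and src.ret_if_notfound:
            break                            # [NOTFOUND=return]
    return decision, consulted


# Constructed sample data: LDAP allows the command, the local file denies it.
SAMPLE_RESULTS: Dict[str, LookupResult] = {
    "ldap": LookupResult(user_found=True, decision=True),
    "files": LookupResult(user_found=True, decision=False),
}


def sample_lookup(source: str) -> LookupResult:
    return SAMPLE_RESULTS[source]


if __name__ == "__main__":
    for cfg, parser in (("sudoers: ldap files", parse_nsswitch),
                        ("sudoers: files ldap", parse_nsswitch),
                        ("sudoers = ldap = auth, files", parse_netsvc)):
        decision, consulted = resolve_sudoers(parser(cfg), sample_lookup)
        print(f"{cfg!r:34} consulted={consulted} decision={decision}")
```

With the constructed results above, "sudoers: ldap files" ends in a denial because the later files source overrides LDAP, "sudoers: files ldap" ends in an allow, and the AIX "ldap = auth" form never consults the local file once LDAP has an entry for the user. That is why the order of sources, not just their presence, decides who can run what.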
1.1 misho 1073: .SH "FILES"
1.1.1.3 misho 1074: .TP 26n
1075: \fI@ldap_conf@\fR
1076: LDAP configuration file
1077: .TP 26n
1078: \fI@nsswitch_conf@\fR
1.1 misho 1079: determines sudoers source order
1.1.1.3 misho 1080: .TP 26n
1081: \fI@netsvc_conf@\fR
1082: determines sudoers source order on AIX
1.1 misho 1083: .SH "EXAMPLES"
1084: .SS "Example ldap.conf"
1.1.1.3 misho 1085: .nf
1086: .RS 2n
1087: # Either specify one or more URIs or one or more host:port pairs.
1088: # If neither is specified sudo will default to localhost, port 389.
1089: #
1090: #host ldapserver
1091: #host ldapserver1 ldapserver2:390
1092: #
1093: # Default port if host is specified without one, defaults to 389.
1094: #port 389
1095: #
1096: # URI will override the host and port settings.
1097: uri ldap://ldapserver
1098: #uri ldaps://secureldapserver
1099: #uri ldaps://secureldapserver ldap://ldapserver
1100: #
1101: # The amount of time, in seconds, to wait while trying to connect to
1102: # an LDAP server.
1103: bind_timelimit 30
1104: #
1105: # The amount of time, in seconds, to wait while performing an LDAP query.
1106: timelimit 30
1107: #
1108: # Must be set or sudo will ignore LDAP; may be specified multiple times.
1109: sudoers_base ou=SUDOers,dc=example,dc=com
1110: #
1111: # verbose sudoers matching from ldap
1112: #sudoers_debug 2
1113: #
1114: # Enable support for time-based entries in sudoers.
1115: #sudoers_timed yes
1116: #
1117: # optional proxy credentials
1118: #binddn <who to search as>
1119: #bindpw <password>   # if set, this file must not be readable by non-root users
1120: #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
1121: #
1122: # LDAP protocol version, defaults to 3
1123: #ldap_version 3
1124: #
1125: # Define if you want to use an encrypted LDAP connection.
1126: # Typically, you must also set the port to 636 (ldaps).
1127: #ssl on
1128: #
1129: # Define if you want to use port 389 and switch to
1130: # encryption before the bind credentials are sent.
1131: # Only supported by LDAP servers that support the start_tls
1132: # extension such as OpenLDAP.
1133: #ssl start_tls
1134: #
1135: # Additional TLS options follow that allow tweaking of the
1136: # SSL/TLS connection.
1137: #
1138: #tls_checkpeer yes # verify server SSL certificate
1139: #tls_checkpeer no # ignore server SSL certificate (allows man-in-the-middle)
1140: #
1141: # If you enable tls_checkpeer, specify either tls_cacertfile
1142: # or tls_cacertdir. Only supported when using OpenLDAP.
1143: #
1144: #tls_cacertfile /etc/certs/trusted_signers.pem
1145: #tls_cacertdir /etc/certs
1146: #
1147: # For systems that don't have /dev/random
1148: # use this along with PRNGD or EGD.pl to seed the
1149: # random number pool to generate cryptographic session keys.
1150: # Only supported when using OpenLDAP.
1151: #
1152: #tls_randfile /etc/egd-pool
1153: #
1154: # You may restrict which ciphers are used. Consult your SSL
1155: # documentation for which options go here.
1156: # Only supported when using OpenLDAP.
1157: #
1158: #tls_ciphers <cipher-list>
1159: #
1160: # Sudo can provide a client certificate when communicating to
1161: # the LDAP server.
1162: # Tips:
1163: # * Enable both lines at the same time.
1164: # * Do not password protect the key file.
1165: # * Ensure the keyfile is only readable by root.
1166: #
1167: # For OpenLDAP:
1168: #tls_cert /etc/certs/client_cert.pem
1169: #tls_key /etc/certs/client_key.pem
1170: #
1171: # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
1172: # a directory, in which case the files in the directory must have the
1173: # default names (e.g. cert8.db and key4.db), or the path to the cert
1174: # and key files themselves. However, a bug in version 5.0 of the LDAP
1175: # SDK will prevent specific file names from working. For this reason
1176: # it is suggested that tls_cert and tls_key be set to a directory,
1177: # not a file name.
1178: #
1179: # The certificate database specified by tls_cert may contain CA certs
1180: # and/or the client's cert. If the client's cert is included, tls_key
1181: # should be specified as well.
1182: # For backward compatibility, "sslpath" may be used in place of tls_cert.
1183: #tls_cert /var/ldap
1184: #tls_key /var/ldap
1185: #
1186: # If using SASL authentication for LDAP (requires a SASL-capable client library such as OpenLDAP)
1187: # use_sasl yes
1188: # sasl_auth_id <SASL user name>
1189: # rootuse_sasl yes
1190: # rootsasl_auth_id <SASL user name for root access>
1191: # sasl_secprops none
1192: # krb5_ccname /etc/.ldapcache
1193: .RE
1194: .fi
1.1 misho 1195: .SS "Sudo schema for OpenLDAP"
1.1.1.3 misho 1196: The following schema, in OpenLDAP format, is included with
1197: \fBsudo\fR
1198: source and binary distributions as
1199: \fIschema.OpenLDAP\fR.
1200: Simply copy
1201: it to the schema directory (e.g.\&
1202: \fI/etc/openldap/schema\fR),
1203: add the proper
1204: \fRinclude\fR
1205: line in
1206: \fIslapd.conf\fR
1207: and restart
1208: \fBslapd\fR.
1209: .nf
1210: .sp
1211: .RS 2n
1212: attributetype ( 1.3.6.1.4.1.15953.9.1.1
1213: NAME 'sudoUser'
1214: DESC 'User(s) who may run sudo'
1215: EQUALITY caseExactIA5Match
1216: SUBSTR caseExactIA5SubstringsMatch
1217: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1218:
1219: attributetype ( 1.3.6.1.4.1.15953.9.1.2
1220: NAME 'sudoHost'
1221: DESC 'Host(s) who may run sudo'
1222: EQUALITY caseExactIA5Match
1223: SUBSTR caseExactIA5SubstringsMatch
1224: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1225:
1226: attributetype ( 1.3.6.1.4.1.15953.9.1.3
1227: NAME 'sudoCommand'
1228: DESC 'Command(s) to be executed by sudo'
1229: EQUALITY caseExactIA5Match
1230: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1231:
1232: attributetype ( 1.3.6.1.4.1.15953.9.1.4
1233: NAME 'sudoRunAs'
1234: DESC 'User(s) impersonated by sudo'
1235: EQUALITY caseExactIA5Match
1236: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1237:
1238: attributetype ( 1.3.6.1.4.1.15953.9.1.5
1239: NAME 'sudoOption'
1240: DESC 'Options(s) followed by sudo'
1241: EQUALITY caseExactIA5Match
1242: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1243:
1244: attributetype ( 1.3.6.1.4.1.15953.9.1.6
1245: NAME 'sudoRunAsUser'
1246: DESC 'User(s) impersonated by sudo'
1247: EQUALITY caseExactIA5Match
1248: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1249:
1250: attributetype ( 1.3.6.1.4.1.15953.9.1.7
1251: NAME 'sudoRunAsGroup'
1252: DESC 'Group(s) impersonated by sudo'
1253: EQUALITY caseExactIA5Match
1254: SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
1255:
1256: attributetype ( 1.3.6.1.4.1.15953.9.1.8
1257: NAME 'sudoNotBefore'
1258: DESC 'Start of time interval for which the entry is valid'
1259: EQUALITY generalizedTimeMatch
1260: ORDERING generalizedTimeOrderingMatch
1261: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1262:
1263: attributetype ( 1.3.6.1.4.1.15953.9.1.9
1264: NAME 'sudoNotAfter'
1265: DESC 'End of time interval for which the entry is valid'
1266: EQUALITY generalizedTimeMatch
1267: ORDERING generalizedTimeOrderingMatch
1268: SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
1269:
1270: attributetype ( 1.3.6.1.4.1.15953.9.1.10
1271: NAME 'sudoOrder'
1272: DESC 'an integer to order the sudoRole entries'
1273: EQUALITY integerMatch
1274: ORDERING integerOrderingMatch
1275: SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
1276:
1277: objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
1278: DESC 'Sudoer Entries'
1279: MUST ( cn )
1280: MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
1281: sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
1282: sudoOrder $ description )
1283: )
1284: .RE
1285: .fi
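.PP
Added example, not part of sudo or OpenLDAP: a small checker that validates a sudoRole LDIF entry against the MUST and MAY attribute lists of the sudoRole object class above and evaluates the sudoNotBefore/sudoNotAfter window that the sudoers_timed option enables. The function names (parse_ldif_entry, validate_sudorole, is_active) and the two sample LDIF entries are constructed for this example; the LDIF parser handles only the plain "attr: value" form with line folding.

```python
"""Validate a sudoRole LDIF entry against the sudoRole object class from
schema.OpenLDAP and evaluate its sudoNotBefore/sudoNotAfter window.

Added example; not sudo's or OpenLDAP's code.  Attribute sets are copied
from the objectclass definition; the LDIF entries are constructed data.
"""
from datetime import datetime, timezone
from typing import Dict, List

# objectclass sudoRole: MUST ( cn ) MAY ( ... ), as in the schema above.
SUDOROLE_MUST = {"cn"}
SUDOROLE_MAY = {
    "sudoUser", "sudoHost", "sudoCommand", "sudoRunAs", "sudoRunAsUser",
    "sudoRunAsGroup", "sudoOption", "sudoNotBefore", "sudoNotAfter",
    "sudoOrder", "description",
}
# LDAP attribute names are case-insensitive: map lower-case -> canonical.
CANONICAL = {a.lower(): a for a in SUDOROLE_MUST | SUDOROLE_MAY | {"objectClass", "dn"}}


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute: [values]}, joining folded lines."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:   # continuation: drop the marker space
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_generalized_time(value: str) -> datetime:
    """GeneralizedTime syntax (1.3.6.1.4.1.1466.115.121.1.24), UTC 'Z' form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validate_sudorole(attrs: Dict[str, List[str]]) -> List[str]:
    """Return the problems found; an empty list means the entry fits sudoRole."""
    problems: List[str] = []
    present: Dict[str, List[str]] = {}
    for name, values in attrs.items():
        canon = CANONICAL.get(name.lower())
        if canon is None:
            problems.append(f"attribute not allowed by sudoRole: {name}")
        else:
            present[canon] = values
    if "sudoRole" not in present.get("objectClass", []):
        problems.append("objectClass sudoRole missing")
    for must in sorted(SUDOROLE_MUST):
        if must not in present:
            problems.append(f"missing MUST attribute: {must}")
    for v in present.get("sudoOrder", []):        # INTEGER syntax
        if not v.lstrip("-").isdigit():
            problems.append(f"sudoOrder is not an integer: {v}")
    window: Dict[str, datetime] = {}
    for key in ("sudoNotBefore", "sudoNotAfter"):
        for v in present.get(key, []):
            try:
                window[key] = parse_generalized_time(v)
            except ValueError:
                problems.append(f"{key} is not GeneralizedTime: {v}")
    if len(window) == 2 and window["sudoNotBefore"] >= window["sudoNotAfter"]:
        problems.append("sudoNotBefore is not earlier than sudoNotAfter")
    return problems


def is_active(attrs: Dict[str, List[str]], now: str) -> bool:
    """True if 'now' (a GeneralizedTime string) is inside the entry's window.
    This is the test sudoers_timed turns on; entries with no window are
    always active."""
    t = parse_generalized_time(now)
    lower = {k.lower(): v for k, v in attrs.items()}
    nb, na = lower.get("sudonotbefore"), lower.get("sudonotafter")
    if nb and t < parse_generalized_time(nb[0]):
        return False
    if na and t > parse_generalized_time(na[0]):
        return False
    return True


# Constructed sample entries (not from any real directory).
GOOD_LDIF = """\
dn: cn=webadmins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: webadmins
sudoUser: %webadmins
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/sbin/service nginx reload
sudoCommand: /usr/sbin/service nginx
  restart
sudoOption: log_output
sudoOrder: 10
sudoNotBefore: 20130101000000Z
sudoNotAfter: 20131231235959Z
"""

BAD_LDIF = """\
dn: cn=broken,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: broken
sudoUser: alice
sudoCmd: /bin/sh
sudoNotBefore: 20131231235959Z
sudoNotAfter: 20130101000000Z
"""
```

Run validate_sudorole on an entry before loading it with ldapadd; slapd will reject attributes outside the object class, but it will not notice a validity window that is empty or reversed, and an entry that never becomes active is a silent misconfiguration rather than an error.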
1.1 misho 1286: .SH "SEE ALSO"
1.1.1.4 misho 1287: ldap.conf(@mansectform@),
1288: sudo.conf(@mansectform@),
1.1.1.3 misho 1289: sudoers(@mansectsu@)
1.1 misho 1290: .SH "CAVEATS"
1.1.1.3 misho 1291: Note that there are differences in the way that LDAP-based
1292: \fIsudoers\fR
1293: is parsed compared to file-based
1294: \fIsudoers\fR.
1295: See the
1296: \fIDifferences between LDAP and non-LDAP sudoers\fR
1297: section for more information.
1.1 misho 1298: .SH "BUGS"
1.1.1.3 misho 1299: If you feel you have found a bug in
1300: \fBsudo\fR,
1301: please submit a bug report at http://www.sudo.ws/sudo/bugs/
1.1 misho 1302: .SH "SUPPORT"
1303: Limited free support is available via the sudo-users mailing list,
1.1.1.3 misho 1304: see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1.1 misho 1305: search the archives.
1306: .SH "DISCLAIMER"
1.1.1.3 misho 1307: \fBsudo\fR
1308: is provided
1309: ``AS IS''
1310: and any express or implied warranties, including, but not limited
1311: to, the implied warranties of merchantability and fitness for a
1312: particular purpose are disclaimed.
1313: See the LICENSE file distributed with
1314: \fBsudo\fR
1315: or http://www.sudo.ws/sudo/license.html for complete details.