|
version 1.1.1.1, 2012/10/09 09:29:52
|
version 1.1.1.2, 2013/07/22 10:46:12
|
|
Line 1
|
Line 1
|
| .\" |
.\" |
| .\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
| .\" |
.\" |
| .\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
| .\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
|
Line 14
|
Line 14
|
| .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .Dd July 12, 2012 | .Dd April 25, 2013 |
| .Dt SUDOERS.LDAP @mansectsu@ |
.Dt SUDOERS.LDAP @mansectsu@ |
| .Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
| .Sh NAME |
.Sh NAME |
|
Line 82 Aliases are not supported.
|
Line 82 Aliases are not supported.
|
| For the most part, there is really no need for |
For the most part, there is really no need for |
| .Nm sudo Ns No -specific |
.Nm sudo Ns No -specific |
| Aliases. |
Aliases. |
| Unix groups or user netgroups can be used in place of User_Aliases and | Unix groups, non-Unix groups (via the |
| Runas_Aliases. | .Em group_plugin ) |
| | or user netgroups can be used in place of User_Aliases and Runas_Aliases. |
| Host netgroups can be used in place of Host_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
| Since Unix groups and netgroups can also be stored in LDAP there is no | Since groups and netgroups can also be stored in LDAP there is no real need for |
| real need for | |
| .Nm sudo Ns No -specific |
.Nm sudo Ns No -specific |
| aliases. |
aliases. |
| .Pp |
.Pp |
|
Line 132 It consists of the following attributes:
|
Line 132 It consists of the following attributes:
|
| .It Sy sudoUser |
.It Sy sudoUser |
| A user name, user ID (prefixed with |
A user name, user ID (prefixed with |
| .Ql # ) , |
.Ql # ) , |
| Unix group (prefixed with | Unix group name or ID (prefixed with |
| .Ql % ) , | .Ql % |
| Unix group ID (prefixed with | or |
| .Ql %# ) , | .Ql %# |
| or user netgroup (prefixed with | respectively), user netgroup (prefixed with |
| .Ql + ) . | .Ql + ) , |
| | or non-Unix group name or ID (prefixed with |
| | .Ql %: |
| | or |
| | .Ql %:# |
| | respectively). |
| | Non-Unix group support is only available when an appropriate |
| | .Em group_plugin |
| | is defined in the global |
| | .Em defaults |
| | .Li sudoRole |
| | object. |
| .It Sy sudoHost |
.It Sy sudoHost |
| A host name, IP address, IP network, or host netgroup (prefixed with a |
A host name, IP address, IP network, or host netgroup (prefixed with a |
| .Ql + ) . |
.Ql + ) . |
|
Line 145 The special value
|
Line 156 The special value
|
| .Li ALL |
.Li ALL |
| will match any host. |
will match any host. |
| .It Sy sudoCommand |
.It Sy sudoCommand |
| A Unix command with optional command line arguments, potentially | A fully-qualified Unix command name with optional command line arguments, |
| including globbing characters (aka wild cards). | potentially including globbing characters (aka wild cards). |
| | If a command name is preceded by an exclamation point, |
| | .Ql \&! , |
| | the user will be prohibited from running that command. |
| | .Pp |
| | The built-in command |
| | .Dq Li sudoedit |
| | is used to permit a user to run |
| | .Nm sudo |
| | with the |
| | .Fl e |
| | option (or as |
| | .Nm sudoedit ) . |
| | It may take command line arguments just as a normal command does. |
| | Note that |
| | .Dq Li sudoedit |
| | is a command built into |
| | .Nm sudo |
| | itself and must be specified in without a leading path. |
| | .Pp |
| The special value |
The special value |
| .Li ALL |
.Li ALL |
| will match any command. |
will match any command. |
| If a command is prefixed with an exclamation point | .Pp |
| .Ql \&! , | If a command name is prefixed with a SHA-2 digest, it will |
| the user will be prohibited from running that command. | only be allowed if the digest matches. |
| | This may be useful in situations where the user invoking |
| | .Nm sudo |
| | has write access to the command or its parent directory. |
| | The following digest formats are supported: sha224, sha256, sha384 and sha512. |
| | The digest name must be followed by a colon |
| | .Pq Ql :\& |
| | and then the actual digest, in either hex or base64 format. |
| | For example, given the following value for sudoCommand: |
| | .Bd -literal -offset 4n |
| | sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
| | .Ed |
| | .Pp |
| | The user may only run |
| | .Pa /bin/ls |
| | if its sha224 digest matches the specified value. |
| | Command digests are only supported by version 1.8.7 or higher. |
| .It Sy sudoOption |
.It Sy sudoOption |
| Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
| specific to the |
specific to the |
|
Line 248 The
|
Line 294 The
|
| .Li sudoOrder |
.Li sudoOrder |
| attribute is an integer (or floating point value for LDAP servers |
attribute is an integer (or floating point value for LDAP servers |
| that support it) that is used to sort the matching entries. |
that support it) that is used to sort the matching entries. |
| This allows LDAP-based sudoers entries to more closely mimic the behaviour | This allows LDAP-based sudoers entries to more closely mimic the behavior |
| of the sudoers file, where the of the entries influences the result. |
of the sudoers file, where the of the entries influences the result. |
| If multiple entries match, the entry with the highest |
If multiple entries match, the entry with the highest |
| .Li sudoOrder |
.Li sudoOrder |
|
Line 304 to see if the user belongs to any of them.
|
Line 350 to see if the user belongs to any of them.
|
| .Pp |
.Pp |
| If timed entries are enabled with the |
If timed entries are enabled with the |
| .Sy SUDOERS_TIMED |
.Sy SUDOERS_TIMED |
| configuration directive, the LDAP queries include a subfilter that | configuration directive, the LDAP queries include a sub-filter that |
| limits retrieval to entries that satisfy the time constraints, if any. |
limits retrieval to entries that satisfy the time constraints, if any. |
| .Ss Differences between LDAP and non-LDAP sudoers |
.Ss Differences between LDAP and non-LDAP sudoers |
| There are some subtle differences in the way sudoers is handled |
There are some subtle differences in the way sudoers is handled |
|
Line 403 section.
|
Line 449 section.
|
| Sudo reads the |
Sudo reads the |
| .Pa @ldap_conf@ |
.Pa @ldap_conf@ |
| file for LDAP-specific configuration. |
file for LDAP-specific configuration. |
| Typically, this file is shared amongst different LDAP-aware clients. | Typically, this file is shared between different LDAP-aware clients. |
| As such, most of the settings are not |
As such, most of the settings are not |
| .Nm sudo Ns No -specific. |
.Nm sudo Ns No -specific. |
| Note that |
Note that |
|
Line 414 itself and may support options that differ from those
|
Line 460 itself and may support options that differ from those
|
| system's |
system's |
| .Xr ldap.conf @mansectsu@ |
.Xr ldap.conf @mansectsu@ |
| manual. |
manual. |
| |
The path to |
| |
.Pa ldap.conf |
| |
may be overridden via the |
| |
.Em ldap_conf |
| |
plugin argument in |
| |
.Xr sudo.conf @mansectform@ . |
| .Pp |
.Pp |
| Also note that on systems using the OpenLDAP libraries, default |
Also note that on systems using the OpenLDAP libraries, default |
| values specified in |
values specified in |
|
Line 429 as being supported by
|
Line 481 as being supported by
|
| are honored. |
are honored. |
| Configuration options are listed below in upper case but are parsed |
Configuration options are listed below in upper case but are parsed |
| in a case-independent manner. |
in a case-independent manner. |
| |
.Pp |
| |
Long lines can be continued with a backslash |
| |
.Pq Ql \e |
| |
as the last character on the line. |
| |
Note that leading white space is removed from the beginning of lines |
| |
even when the continuation character is used. |
| .Bl -tag -width 4n |
.Bl -tag -width 4n |
| .It Sy URI Ar ldap[s]://[hostname[:port]] ... |
.It Sy URI Ar ldap[s]://[hostname[:port]] ... |
| Specifies a whitespace-delimited list of one or more URIs describing | Specifies a white space-delimited list of one or more URIs describing |
| the LDAP server(s) to connect to. |
the LDAP server(s) to connect to. |
| The |
The |
| .Em protocol |
.Em protocol |
|
Line 468 If no
|
Line 526 If no
|
| .Sy URI |
.Sy URI |
| is specified, the |
is specified, the |
| .Sy HOST |
.Sy HOST |
| parameter specifies a whitespace-delimited list of LDAP servers to connect to. | parameter specifies a white space-delimited list of LDAP servers to connect to. |
| Each host may include an optional |
Each host may include an optional |
| .Em port |
.Em port |
| separated by a colon |
separated by a colon |
|
Line 556 A value of 1 results in a moderate amount of debugging
|
Line 614 A value of 1 results in a moderate amount of debugging
|
| A value of 2 shows the results of the matches themselves. |
A value of 2 shows the results of the matches themselves. |
| This parameter should not be set in a production environment as the |
This parameter should not be set in a production environment as the |
| extra information is likely to confuse users. |
extra information is likely to confuse users. |
| |
.Pp |
| |
The |
| |
.Sy SUDOERS_DEBUG |
| |
parameter is deprecated and will be removed in a future release. |
| |
The same information is now logged via the |
| |
.Nm sudo |
| |
debugging framework using the |
| |
.Dq ldap |
| |
subsystem at priorities |
| |
.Em diag |
| |
and |
| |
.Em info |
| |
for |
| |
.Em debug_level |
| |
values 1 and 2 respectively. |
| |
See the |
| |
.Xr sudo.conf @mansectform@ |
| |
manual for details on how to configure |
| |
.Nm sudo |
| |
debugging. |
| .It Sy BINDDN Ar DN |
.It Sy BINDDN Ar DN |
| The |
The |
| .Sy BINDDN |
.Sy BINDDN |
|
Line 577 parameter specifies the identity, in the form of a Dis
|
Line 655 parameter specifies the identity, in the form of a Dis
|
| to use when performing privileged LDAP operations, such as |
to use when performing privileged LDAP operations, such as |
| .Em sudoers |
.Em sudoers |
| queries. |
queries. |
| The password corresponding | The password corresponding to the identity should be stored in the |
| to the identity should be stored in | or the path specified by the |
| | .Em ldap_secret |
| | plugin argument in |
| | .Xr sudo.conf @mansectform@ , |
| | which defaults to |
| .Pa @ldap_secret@ . |
.Pa @ldap_secret@ . |
| If not specified, the | If no |
| | .Sy ROOTBINDDN |
| | is specified, the |
| .Sy BINDDN |
.Sy BINDDN |
| identity is used (if any). |
identity is used (if any). |
| .It Sy LDAP_VERSION Ar number |
.It Sy LDAP_VERSION Ar number |
|
Line 844 file can be ignored completely by using:
|
Line 928 file can be ignored completely by using:
|
| sudoers = ldap |
sudoers = ldap |
| .Ed |
.Ed |
| .Pp |
.Pp |
| To treat LDAP as authoratative and only use the local sudoers file | To treat LDAP as authoritative and only use the local sudoers file |
| if the user is not present in LDAP, use: |
if the user is not present in LDAP, use: |
| .Bd -literal -offset 4n |
.Bd -literal -offset 4n |
| sudoers = ldap = auth, files |
sudoers = ldap = auth, files |
|
Line 852 sudoers = ldap = auth, files
|
Line 936 sudoers = ldap = auth, files
|
| .Pp |
.Pp |
| Note that in the above example, the |
Note that in the above example, the |
| .Li auth |
.Li auth |
| qualfier only affects user lookups; both LDAP and | qualifier only affects user lookups; both LDAP and |
| .Em sudoers |
.Em sudoers |
| will be queried for |
will be queried for |
| .Li Defaults |
.Li Defaults |
|
Line 1073 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
Line 1157 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
| ) |
) |
| .Ed |
.Ed |
| .Sh SEE ALSO |
.Sh SEE ALSO |
| .Xr ldap.conf @mansectsu@ , | .Xr ldap.conf @mansectform@ , |
| | .Xr sudo.conf @mansectform@ , |
| .Xr sudoers @mansectsu@ |
.Xr sudoers @mansectsu@ |
| .Sh CAVEATS |
.Sh CAVEATS |
| Note that there are differences in the way that LDAP-based |
Note that there are differences in the way that LDAP-based |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.ldap.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc