version 1.1.1.1, 2012/10/09 09:29:52
|
version 1.1.1.2, 2013/07/22 10:46:12
|
Line 1
|
Line 1
|
.\" |
.\" |
.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com> | .\" Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
.\" |
.\" |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" Permission to use, copy, modify, and distribute this software for any |
.\" purpose with or without fee is hereby granted, provided that the above |
.\" purpose with or without fee is hereby granted, provided that the above |
Line 14
|
Line 14
|
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.Dd July 12, 2012 | .Dd April 25, 2013 |
.Dt SUDOERS.LDAP @mansectsu@ |
.Dt SUDOERS.LDAP @mansectsu@ |
.Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
.Sh NAME |
.Sh NAME |
Line 82 Aliases are not supported.
|
Line 82 Aliases are not supported.
|
For the most part, there is really no need for |
For the most part, there is really no need for |
.Nm sudo Ns No -specific |
.Nm sudo Ns No -specific |
Aliases. |
Aliases. |
Unix groups or user netgroups can be used in place of User_Aliases and | Unix groups, non-Unix groups (via the |
Runas_Aliases. | .Em group_plugin ) |
| or user netgroups can be used in place of User_Aliases and Runas_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
Host netgroups can be used in place of Host_Aliases. |
Since Unix groups and netgroups can also be stored in LDAP there is no | Since groups and netgroups can also be stored in LDAP there is no real need for |
real need for | |
.Nm sudo Ns No -specific |
.Nm sudo Ns No -specific |
aliases. |
aliases. |
.Pp |
.Pp |
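Review bot: The rewritten paragraph says the same thing twice; it opens with "there is really no need for sudo-specific Aliases" and closes with "there is no real need for sudo-specific aliases", with "Aliases" capitalized in one and not the other. Suggest keeping only the closing sentence, since it carries the justification (groups and netgroups can also be stored in LDAP), and using lower-case "aliases" consistently.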
Line 132 It consists of the following attributes:
|
Line 132 It consists of the following attributes:
|
.It Sy sudoUser |
.It Sy sudoUser |
A user name, user ID (prefixed with |
A user name, user ID (prefixed with |
.Ql # ) , |
.Ql # ) , |
Unix group (prefixed with | Unix group name or ID (prefixed with |
.Ql % ) , | .Ql % |
Unix group ID (prefixed with | or |
.Ql %# ) , | .Ql %# |
or user netgroup (prefixed with | respectively), user netgroup (prefixed with |
.Ql + ) . | .Ql + ) , |
| or non-Unix group name or ID (prefixed with |
| .Ql %: |
| or |
| .Ql %:# |
| respectively). |
| Non-Unix group support is only available when an appropriate |
| .Em group_plugin |
| is defined in the global |
| .Em defaults |
| .Li sudoRole |
| object. |
.It Sy sudoHost |
.It Sy sudoHost |
A host name, IP address, IP network, or host netgroup (prefixed with a |
A host name, IP address, IP network, or host netgroup (prefixed with a |
.Ql + ) . |
.Ql + ) . |
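Review bot: The new sentence on non-Unix groups says where the group_plugin must be defined ("in the global defaults sudoRole object") but not that it is set as a sudoOption value; since sudoOption is documented a few items below as "identical in function to the global options described above", a pointer to that item would tell the reader how to actually enable the %: and %:# prefixes rather than only that they need a plugin.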
Line 145 The special value
|
Line 156 The special value
|
.Li ALL |
.Li ALL |
will match any host. |
will match any host. |
.It Sy sudoCommand |
.It Sy sudoCommand |
A Unix command with optional command line arguments, potentially | A fully-qualified Unix command name with optional command line arguments, |
including globbing characters (aka wild cards). | potentially including globbing characters (aka wild cards). |
| If a command name is preceded by an exclamation point, |
| .Ql \&! , |
| the user will be prohibited from running that command. |
| .Pp |
| The built-in command |
| .Dq Li sudoedit |
| is used to permit a user to run |
| .Nm sudo |
| with the |
| .Fl e |
| option (or as |
| .Nm sudoedit ) . |
| It may take command line arguments just as a normal command does. |
| Note that |
| .Dq Li sudoedit |
| is a command built into |
| .Nm sudo |
| itself and must be specified in without a leading path. |
| .Pp |
The special value |
The special value |
.Li ALL |
.Li ALL |
will match any command. |
will match any command. |
If a command is prefixed with an exclamation point | .Pp |
.Ql \&! , | If a command name is prefixed with a SHA-2 digest, it will |
the user will be prohibited from running that command. | only be allowed if the digest matches. |
| This may be useful in situations where the user invoking |
| .Nm sudo |
| has write access to the command or its parent directory. |
| The following digest formats are supported: sha224, sha256, sha384 and sha512. |
| The digest name must be followed by a colon |
| .Pq Ql :\& |
| and then the actual digest, in either hex or base64 format. |
| For example, given the following value for sudoCommand: |
| .Bd -literal -offset 4n |
| sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls |
| .Ed |
| .Pp |
| The user may only run |
| .Pa /bin/ls |
| if its sha224 digest matches the specified value. |
| Command digests are only supported by version 1.8.7 or higher. |
.It Sy sudoOption |
.It Sy sudoOption |
Identical in function to the global options described above, but |
Identical in function to the global options described above, but |
specific to the |
specific to the |
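Review bot: Typo in the added sudoedit paragraph: "must be specified in without a leading path" should read "must be specified without a leading path". In the digest paragraph, the text says the digest may be "in either hex or base64 format" but the only example is base64; a second example of the same digest written in hex would remove any doubt about whether the "sha224:" prefix is used in both forms.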
Line 248 The
|
Line 294 The
|
.Li sudoOrder |
.Li sudoOrder |
attribute is an integer (or floating point value for LDAP servers |
attribute is an integer (or floating point value for LDAP servers |
that support it) that is used to sort the matching entries. |
that support it) that is used to sort the matching entries. |
This allows LDAP-based sudoers entries to more closely mimic the behaviour | This allows LDAP-based sudoers entries to more closely mimic the behavior |
of the sudoers file, where the of the entries influences the result. |
of the sudoers file, where the of the entries influences the result. |
If multiple entries match, the entry with the highest |
If multiple entries match, the entry with the highest |
.Li sudoOrder |
.Li sudoOrder |
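Review bot: A pre-existing typo in the unchanged context survives the behaviour/behavior spelling change: "where the of the entries influences the result" is missing its noun and should read "where the order of the entries influences the result", which is the point the following sentence about the highest sudoOrder value makes.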
Line 304 to see if the user belongs to any of them.
|
Line 350 to see if the user belongs to any of them.
|
.Pp |
.Pp |
If timed entries are enabled with the |
If timed entries are enabled with the |
.Sy SUDOERS_TIMED |
.Sy SUDOERS_TIMED |
configuration directive, the LDAP queries include a subfilter that | configuration directive, the LDAP queries include a sub-filter that |
limits retrieval to entries that satisfy the time constraints, if any. |
limits retrieval to entries that satisfy the time constraints, if any. |
.Ss Differences between LDAP and non-LDAP sudoers |
.Ss Differences between LDAP and non-LDAP sudoers |
There are some subtle differences in the way sudoers is handled |
There are some subtle differences in the way sudoers is handled |
Line 403 section.
|
Line 449 section.
|
Sudo reads the |
Sudo reads the |
.Pa @ldap_conf@ |
.Pa @ldap_conf@ |
file for LDAP-specific configuration. |
file for LDAP-specific configuration. |
Typically, this file is shared amongst different LDAP-aware clients. | Typically, this file is shared between different LDAP-aware clients. |
As such, most of the settings are not |
As such, most of the settings are not |
.Nm sudo Ns No -specific. |
.Nm sudo Ns No -specific. |
Note that |
Note that |
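Review bot: "shared between different LDAP-aware clients" replaces "amongst", but with more than two parties "among" is the idiomatic word; suggest "shared among different LDAP-aware clients".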
Line 414 itself and may support options that differ from those
|
Line 460 itself and may support options that differ from those
|
system's |
system's |
.Xr ldap.conf @mansectsu@ |
.Xr ldap.conf @mansectsu@ |
manual. |
manual. |
|
The path to |
|
.Pa ldap.conf |
|
may be overridden via the |
|
.Em ldap_conf |
|
plugin argument in |
|
.Xr sudo.conf @mansectform@ . |
.Pp |
.Pp |
Also note that on systems using the OpenLDAP libraries, default |
Also note that on systems using the OpenLDAP libraries, default |
values specified in |
values specified in |
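Review bot: The added sentence refers to ".Pa ldap.conf" while the sentence just above it uses the configured path ".Pa @ldap_conf@"; since the point of the addition is that the ldap_conf plugin argument overrides that default path, it should name the file the same way ("The path to @ldap_conf@ may be overridden via the ldap_conf plugin argument in sudo.conf"), otherwise the reader may take it to mean the system's ldap.conf manual referenced a few lines earlier.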
Line 429 as being supported by
|
Line 481 as being supported by
|
are honored. |
are honored. |
Configuration options are listed below in upper case but are parsed |
Configuration options are listed below in upper case but are parsed |
in a case-independent manner. |
in a case-independent manner. |
|
.Pp |
|
Long lines can be continued with a backslash |
|
.Pq Ql \e |
|
as the last character on the line. |
|
Note that leading white space is removed from the beginning of lines |
|
even when the continuation character is used. |
.Bl -tag -width 4n |
.Bl -tag -width 4n |
.It Sy URI Ar ldap[s]://[hostname[:port]] ... |
.It Sy URI Ar ldap[s]://[hostname[:port]] ... |
Specifies a whitespace-delimited list of one or more URIs describing | Specifies a white space-delimited list of one or more URIs describing |
the LDAP server(s) to connect to. |
the LDAP server(s) to connect to. |
The |
The |
.Em protocol |
.Em protocol |
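Review bot: The change from "whitespace-delimited" to "white space-delimited" (here for URI, and again for HOST in the next hunk) loses the compound hyphenation; if "white space" is to be two words, the modifier needs to be "white-space-delimited", otherwise the original "whitespace-delimited" reads better and should stay.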
Line 468 If no
|
Line 526 If no
|
.Sy URI |
.Sy URI |
is specified, the |
is specified, the |
.Sy HOST |
.Sy HOST |
parameter specifies a whitespace-delimited list of LDAP servers to connect to. | parameter specifies a white space-delimited list of LDAP servers to connect to. |
Each host may include an optional |
Each host may include an optional |
.Em port |
.Em port |
separated by a colon |
separated by a colon |
Line 556 A value of 1 results in a moderate amount of debugging
|
Line 614 A value of 1 results in a moderate amount of debugging
|
A value of 2 shows the results of the matches themselves. |
A value of 2 shows the results of the matches themselves. |
This parameter should not be set in a production environment as the |
This parameter should not be set in a production environment as the |
extra information is likely to confuse users. |
extra information is likely to confuse users. |
|
.Pp |
|
The |
|
.Sy SUDOERS_DEBUG |
|
parameter is deprecated and will be removed in a future release. |
|
The same information is now logged via the |
|
.Nm sudo |
|
debugging framework using the |
|
.Dq ldap |
|
subsystem at priorities |
|
.Em diag |
|
and |
|
.Em info |
|
for |
|
.Em debug_level |
|
values 1 and 2 respectively. |
|
See the |
|
.Xr sudo.conf @mansectform@ |
|
manual for details on how to configure |
|
.Nm sudo |
|
debugging. |
.It Sy BINDDN Ar DN |
.It Sy BINDDN Ar DN |
The |
The |
.Sy BINDDN |
.Sy BINDDN |
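Review bot: The retained rationale for not setting SUDOERS_DEBUG in production ("the extra information is likely to confuse users") undersells the concern: the lines above say level 1 prints the queries and level 2 the results of the matches, so the output also exposes sudoers policy detail to whoever runs sudo. Now that the deprecation text points people at the sudo.conf debug framework, it would help to say that the same information is then logged rather than shown to the invoking user, since that is the practical difference between the two mechanisms.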
Line 577 parameter specifies the identity, in the form of a Dis
|
Line 655 parameter specifies the identity, in the form of a Dis
|
to use when performing privileged LDAP operations, such as |
to use when performing privileged LDAP operations, such as |
.Em sudoers |
.Em sudoers |
queries. |
queries. |
The password corresponding | The password corresponding to the identity should be stored in the |
to the identity should be stored in | or the path specified by the |
| .Em ldap_secret |
| plugin argument in |
| .Xr sudo.conf @mansectform@ , |
| which defaults to |
.Pa @ldap_secret@ . |
.Pa @ldap_secret@ . |
If not specified, the | If no |
| .Sy ROOTBINDDN |
| is specified, the |
.Sy BINDDN |
.Sy BINDDN |
identity is used (if any). |
identity is used (if any). |
.It Sy LDAP_VERSION Ar number |
.It Sy LDAP_VERSION Ar number |
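Review bot: The rewritten sentence reads "should be stored in the or the path specified by the ldap_secret plugin argument", which has a stray "the" (or a missing noun before "or"); it should read "should be stored in the path specified by the ldap_secret plugin argument in sudo.conf, which defaults to @ldap_secret@". Since this file holds the password used for privileged LDAP operations, this paragraph is also the natural place to state what ownership and permissions the file must have.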
Line 844 file can be ignored completely by using:
|
Line 928 file can be ignored completely by using:
|
sudoers = ldap |
sudoers = ldap |
.Ed |
.Ed |
.Pp |
.Pp |
To treat LDAP as authoratative and only use the local sudoers file | To treat LDAP as authoritative and only use the local sudoers file |
if the user is not present in LDAP, use: |
if the user is not present in LDAP, use: |
.Bd -literal -offset 4n |
.Bd -literal -offset 4n |
sudoers = ldap = auth, files |
sudoers = ldap = auth, files |
Line 852 sudoers = ldap = auth, files
|
Line 936 sudoers = ldap = auth, files
|
.Pp |
.Pp |
Note that in the above example, the |
Note that in the above example, the |
.Li auth |
.Li auth |
qualfier only affects user lookups; both LDAP and | qualifier only affects user lookups; both LDAP and |
.Em sudoers |
.Em sudoers |
will be queried for |
will be queried for |
.Li Defaults |
.Li Defaults |
Line 1073 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
Line 1157 objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole'
|
) |
) |
.Ed |
.Ed |
.Sh SEE ALSO |
.Sh SEE ALSO |
.Xr ldap.conf @mansectsu@ , | .Xr ldap.conf @mansectform@ , |
| .Xr sudo.conf @mansectform@ , |
.Xr sudoers @mansectsu@ |
.Xr sudoers @mansectsu@ |
.Sh CAVEATS |
.Sh CAVEATS |
Note that there are differences in the way that LDAP-based |
Note that there are differences in the way that LDAP-based |
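Review bot: The SEE ALSO entry for ldap.conf is changed to @mansectform@ and sudo.conf is added with @mansectform@, but the in-text cross-reference "system's .Xr ldap.conf @mansectsu@ manual" in the configuration section (hunk at Line 414/460 above) still uses @mansectsu@; the two should agree, otherwise one of them will render with the wrong section number.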