|
version 1.1.1.2, 2013/07/22 10:46:12
|
version 1.1.1.3, 2013/10/14 07:56:34
|
|
Line 19
|
Line 19
|
| .\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force |
| .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. |
| .\" |
.\" |
| .Dd April 30, 2013 | .Dd August 31, 2013 |
| .Dt SUDOERS @mansectform@ |
.Dt SUDOERS @mansectform@ |
| .Os Sudo @PACKAGE_VERSION@ |
.Os Sudo @PACKAGE_VERSION@ |
| .Sh NAME |
.Sh NAME |
|
Line 1597 This effectively means that the
|
Line 1597 This effectively means that the
|
| option is always implied. |
option is always implied. |
| Note that |
Note that |
| .Ev HOME |
.Ev HOME |
| is already set when the the | is already set when the |
| .Em env_reset |
.Em env_reset |
| option is enabled, so |
option is enabled, so |
| .Em always_set_home |
.Em always_set_home |
|
Line 2080 may be needed on older PAM implementations or on opera
|
Line 2080 may be needed on older PAM implementations or on opera
|
| opening a PAM session changes the utmp or wtmp files. |
opening a PAM session changes the utmp or wtmp files. |
| If PAM session support is disabled, resource limits may not be updated |
If PAM session support is disabled, resource limits may not be updated |
| for the command being run. |
for the command being run. |
| |
If |
| |
.Em pam_session , |
| |
.Em pam_setcred , |
| |
and |
| |
.Em use_pty |
| |
are disabled and I/O logging has not been configured, |
| |
.Nm sudo |
| |
will execute the command directly instead of running it as a child |
| |
process. |
| This flag is |
This flag is |
| .Em @pam_session@ |
.Em @pam_session@ |
| by default. |
by default. |
| .Pp |
.Pp |
| This setting is only supported by version 1.8.7 or higher. |
This setting is only supported by version 1.8.7 or higher. |
| |
.It pam_setcred |
| |
On systems that use PAM for authentication, |
| |
.Nm sudo |
| |
will attempt to establish credentials for the target user by default, |
| |
if supported by the underlying authentication system. |
| |
One example of a credential is a Kerberos ticket. |
| |
If |
| |
.Em pam_session , |
| |
.Em pam_setcred , |
| |
and |
| |
.Em use_pty |
| |
are disabled and I/O logging has not been configured, |
| |
.Nm sudo |
| |
will execute the command directly instead of running it as a child |
| |
process. |
| |
This flag is |
| |
.Em on |
| |
by default. |
| |
.Pp |
| |
This setting is only supported by version 1.8.8 or higher. |
| .It passprompt_override |
.It passprompt_override |
| The password prompt specified by |
The password prompt specified by |
| .Em passprompt |
.Em passprompt |
|
Line 2212 option imply
|
Line 2241 option imply
|
| .Fl H . |
.Fl H . |
| Note that |
Note that |
| .Ev HOME |
.Ev HOME |
| is already set when the the | is already set when the |
| .Em env_reset |
.Em env_reset |
| option is enabled, so |
option is enabled, so |
| .Em set_home |
.Em set_home |
|
Line 2661 version 1.8.1 this option is no longer supported.
|
Line 2690 version 1.8.1 this option is no longer supported.
|
| The path to the noexec file should now be set in the |
The path to the noexec file should now be set in the |
| .Xr sudo.conf @mansectform@ |
.Xr sudo.conf @mansectform@ |
| file. |
file. |
| |
.It pam_login_service |
| |
On systems that use PAM for authentication, this is the service |
| |
name used when the |
| |
.Fl i |
| |
option is specified. |
| |
The default value is |
| |
.Dq Li @pam_login_service@ . |
| |
See the description of |
| |
.Em pam_service |
| |
for more information. |
| |
.Pp |
| |
This setting is only supported by version 1.8.8 or higher. |
| |
.It pam_service |
| |
On systems that use PAM for authentication, the service name |
| |
specifies the PAM policy to apply. |
| |
This usually corresponds to an entry in the |
| |
.Pa pam.conf |
| |
file or a file in the |
| |
.Pa /etc/pam.d |
| |
directory. |
| |
The default value is |
| |
.Dq Li sudo . |
| |
.Pp |
| |
This setting is only supported by version 1.8.8 or higher. |
| .It passprompt |
.It passprompt |
| The default prompt to use when asking for a password; can be overridden via the |
The default prompt to use when asking for a password; can be overridden via the |
| .Fl p |
.Fl p |
|
Line 2753 Defaults to
|
Line 2806 Defaults to
|
| .Li @goodpri@ . |
.Li @goodpri@ . |
| .Pp |
.Pp |
| See |
See |
| .Sx syslog_badpri | .Em syslog_badpri |
| for the list of supported syslog priorities. |
for the list of supported syslog priorities. |
| .It sudoers_locale |
.It sudoers_locale |
| Locale to use when parsing the sudoers file, logging commands, and |
Locale to use when parsing the sudoers file, logging commands, and |
|
Line 3543 Lastly, we disable shell escapes for the commands in t
|
Line 3596 Lastly, we disable shell escapes for the commands in t
|
| and |
and |
| .Pa /usr/bin/less |
.Pa /usr/bin/less |
| .Pc . |
.Pc . |
| |
Note that this will not effectively constrain users with |
| |
.Nm sudo |
| |
.Sy ALL |
| |
privileges. |
| .Bd -literal |
.Bd -literal |
| # Override built-in defaults |
# Override built-in defaults |
| Defaults syslog=auth |
Defaults syslog=auth |
|
Line 3774 belonging to the
|
Line 3831 belonging to the
|
| and |
and |
| .Em SHELLS |
.Em SHELLS |
| .Li Cmnd_Aliases . |
.Li Cmnd_Aliases . |
| |
While not specifically mentioned in the rule, the commands in the |
| |
.Em PAGERS |
| |
.Li Cmnd_Alias |
| |
all reside in |
| |
.Pa /usr/bin |
| |
and have the |
| |
.Em noexec |
| |
option set. |
| .Bd -literal |
.Bd -literal |
| steve CSNETS = (operator) /usr/local/op_commands/ |
steve CSNETS = (operator) /usr/local/op_commands/ |
| .Ed |
.Ed |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudoers.mdoc.in CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / doc