summaryrefslogtreecommitdiffstats
path: root/doc/visudo.cat
diff options
context:
space:
mode:
Diffstat (limited to 'doc/visudo.cat')
-rw-r--r--doc/visudo.cat226
1 files changed, 226 insertions, 0 deletions
diff --git a/doc/visudo.cat b/doc/visudo.cat
new file mode 100644
index 0000000..ac5eca3
--- /dev/null
+++ b/doc/visudo.cat
@@ -0,0 +1,226 @@
+VISUDO(1m) System Manager's Manual VISUDO(1m)
+
+NNAAMMEE
+ vviissuuddoo - edit the sudoers file
+
+SSYYNNOOPPSSIISS
+ vviissuuddoo [--cchhqqssVV] [[--ff] _s_u_d_o_e_r_s]
+
+DDEESSCCRRIIPPTTIIOONN
+ vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to vipw(1m).
+ vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits,
+ provides basic sanity checks, and checks for parse errors. If the
+ _s_u_d_o_e_r_s file is currently being edited you will receive a message to try
+ again later.
+
+ vviissuuddoo parses the _s_u_d_o_e_r_s file after editing and will not save the
+ changes if there is a syntax error. Upon finding an error, vviissuuddoo will
+ print a message stating the line number(s) where the error occurred and
+ the user will receive the "What now?" prompt. At this point the user may
+ enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the
+ changes, or `Q' to quit and save changes. The `Q' option should be used
+ with extreme caution because if vviissuuddoo believes there to be a parse
+ error, so will ssuuddoo and no one will be able to run ssuuddoo again until the
+ error is fixed. If `e' is typed to edit the _s_u_d_o_e_r_s file after a parse
+ error has been detected, the cursor will be placed on the line where the
+ error occurred (if the editor supports this feature).
+
+ There are two _s_u_d_o_e_r_s settings that determine which editor vviissuuddoo will
+ run.
+
+ editor A colon (`:') separated list of editors allowed to be used with
+ vviissuuddoo. vviissuuddoo will choose the editor that matches the user's
+ SUDO_EDITOR, VISUAL or EDITOR environment variable if possible,
+ or the first editor in the list that exists and is executable.
+ Note that the SUDO_EDITOR, VISUAL and EDITOR environment
+ variables are not preserved by default when the _e_n_v___r_e_s_e_t
+ _s_u_d_o_e_r_s option is enabled. The default editor path is _v_i which
+ can be set at compile time via the --with-editor configure
+ option.
+
+ env_editor
+ If set, vviissuuddoo will use the value of the SUDO_EDITOR, VISUAL or
+ EDITOR environment variables before falling back on the default
+ editor list. Note that this may create a security hole as it
+ allows the user to run any arbitrary command as root without
+ logging. A safer alternative is to place a colon-separated
+ list of editors in the _e_d_i_t_o_r variable. vviissuuddoo will then only
+ use SUDO_EDITOR, VISUAL or EDITOR if they match a value
+ specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled, the
+ SUDO_EDITOR, VISUAL and/or EDITOR environment variables must be
+ present in the _e_n_v___k_e_e_p list for the _e_n_v___e_d_i_t_o_r flag to
+ function when vviissuuddoo is invoked via ssuuddoo. The default value is
+ _o_f_f, which can be set at compile time via the --with-env-editor
+ configure option.
+
+ The options are as follows:
+
+ --cc, ----cchheecckk
+ Enable _c_h_e_c_k_-_o_n_l_y mode. The existing _s_u_d_o_e_r_s file (and any
+ other files it includes) will be checked for syntax errors.
+ If the path to the _s_u_d_o_e_r_s file was not specified, vviissuuddoo
+ will also check the file owner and mode. A message will be
+ printed to the standard output describing the status of
+ _s_u_d_o_e_r_s unless the --qq option was specified. If the check
+ completes successfully, vviissuuddoo will exit with a value of 0.
+ If an error is encountered, vviissuuddoo will exit with a value of
+ 1.
+
+ --ff _s_u_d_o_e_r_s, ----ffiillee=_s_u_d_o_e_r_s
+ Specify an alternate _s_u_d_o_e_r_s file location, see below. As of
+ version 1.8.27, the _s_u_d_o_e_r_s path can be specified without
+ using the --ff option.
+
+ --hh, ----hheellpp Display a short help message to the standard output and exit.
+
+ --qq, ----qquuiieett
+ Enable _q_u_i_e_t mode. In this mode details about syntax errors
+ are not printed. This option is only useful when combined
+ with the --cc option.
+
+ --ss, ----ssttrriicctt
+ Enable _s_t_r_i_c_t checking of the _s_u_d_o_e_r_s file. If an alias is
+ referenced but not actually defined or if there is a cycle in
+ an alias, vviissuuddoo will consider this a parse error. Note that
+ it is not possible to differentiate between an alias and a
+ host name or user name that consists solely of uppercase
+ letters, digits, and the underscore (`_') character.
+
+ --VV, ----vveerrssiioonn
+ Print the vviissuuddoo and _s_u_d_o_e_r_s grammar versions and exit.
+
+ A _s_u_d_o_e_r_s file may be specified instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s.
+ The lock file used is the specified _s_u_d_o_e_r_s file with ".tmp" appended to
+ it. In _c_h_e_c_k_-_o_n_l_y mode only, `-' may be used to indicate that _s_u_d_o_e_r_s
+ will be read from the standard input. Because the policy is evaluated in
+ its entirety, it is not sufficient to check an individual _s_u_d_o_e_r_s include
+ file for syntax errors.
+
+ DDeebbuuggggiinngg aanndd ssuuddooeerrss pplluuggiinn aarrgguummeennttss
+ vviissuuddoo versions 1.8.4 and higher support a flexible debugging framework
+ that is configured via Debug lines in the sudo.conf(4) file.
+
+ Starting with ssuuddoo 1.8.12, vviissuuddoo will also parse the arguments to the
+ _s_u_d_o_e_r_s plugin to override the default _s_u_d_o_e_r_s path name, UID, GID and
+ file mode. These arguments, if present, should be listed after the path
+ to the plugin (i.e., after _s_u_d_o_e_r_s_._s_o). Multiple arguments may be
+ specified, separated by white space. For example:
+
+ Plugin sudoers_policy sudoers.so sudoers_mode=0400
+
+ The following arguments are supported:
+
+ sudoers_file=pathname
+ The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default
+ path to the _s_u_d_o_e_r_s file.
+
+ sudoers_uid=uid
+ The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default
+ owner of the sudoers file. It should be specified as a numeric
+ user ID.
+
+ sudoers_gid=gid
+ The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default
+ group of the sudoers file. It must be specified as a numeric
+ group ID (not a group name).
+
+ sudoers_mode=mode
+ The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
+
+ For more information on configuring sudo.conf(4), please refer to its
+ manual.
+
+EENNVVIIRROONNMMEENNTT
+ The following environment variables may be consulted depending on the
+ value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s settings:
+
+ SUDO_EDITOR Invoked by vviissuuddoo as the editor to use
+
+ VISUAL Used by vviissuuddoo if SUDO_EDITOR is not set
+
+ EDITOR Used by vviissuuddoo if neither SUDO_EDITOR nor VISUAL is set
+
+FFIILLEESS
+ _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration
+
+ _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what
+
+ _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo
+
+DDIIAAGGNNOOSSTTIICCSS
+ In addition to reporting _s_u_d_o_e_r_s parse errors, vviissuuddoo may produce the
+ following messages:
+
+ sudoers file busy, try again later.
+ Someone else is currently editing the _s_u_d_o_e_r_s file.
+
+ /etc/sudoers.tmp: Permission denied
+ You didn't run vviissuuddoo as root.
+
+ you do not exist in the passwd database
+ Your user ID does not appear in the system passwd database.
+
+ Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
+ Either you are trying to use an undeclared
+ {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
+ that consists solely of uppercase letters, digits, and the
+ underscore (`_') character. In the latter case, you can ignore the
+ warnings (ssuuddoo will not complain). The message is prefixed with
+ the path name of the _s_u_d_o_e_r_s file and the line number where the
+ undefined alias was used. In --ss (strict) mode these are errors,
+ not warnings.
+
+ Warning: unused {User,Runas,Host,Cmnd}_Alias
+ The specified {User,Runas,Host,Cmnd}_Alias was defined but never
+ used. The message is prefixed with the path name of the _s_u_d_o_e_r_s
+ file and the line number where the unused alias was defined. You
+ may wish to comment out or remove the unused alias.
+
+ Warning: cycle in {User,Runas,Host,Cmnd}_Alias
+ The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+ itself, either directly or through an alias it includes. The
+ message is prefixed with the path name of the _s_u_d_o_e_r_s file and the
+ line number where the cycle was detected. This is only a warning
+ unless vviissuuddoo is run in --ss (strict) mode as ssuuddoo will ignore cycles
+ when parsing the _s_u_d_o_e_r_s file.
+
+ unknown defaults entry "name"
+ The _s_u_d_o_e_r_s file contains a Defaults setting not recognized by
+ vviissuuddoo.
+
+SSEEEE AALLSSOO
+ vi(1), sudo.conf(4), sudoers(4), sudo(1m), vipw(1m)
+
+AAUUTTHHOORRSS
+ Many people have worked on ssuuddoo over the years; this version consists of
+ code written primarily by:
+
+ Todd C. Miller
+
+ See the CONTRIBUTORS file in the ssuuddoo distribution
+ (https://www.sudo.ws/contributors.html) for an exhaustive list of people
+ who have contributed to ssuuddoo.
+
+CCAAVVEEAATTSS
+ There is no easy way to prevent a user from gaining a root shell if the
+ editor used by vviissuuddoo allows shell escapes.
+
+BBUUGGSS
+ If you feel you have found a bug in vviissuuddoo, please submit a bug report at
+ https://bugzilla.sudo.ws/
+
+SSUUPPPPOORRTT
+ Limited free support is available via the sudo-users mailing list, see
+ https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+
+DDIISSCCLLAAIIMMEERR
+ vviissuuddoo is provided "AS IS" and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with ssuuddoo or https://www.sudo.ws/license.html for
+ complete details.
+
+Sudo 1.8.26 December 24, 2018 Sudo 1.8.26