Diffstat (limited to 'doc/visudo.cat')
-rw-r--r-- | doc/visudo.cat | 226 |
1 files changed, 226 insertions, 0 deletions
diff --git a/doc/visudo.cat b/doc/visudo.cat new file mode 100644 index 0000000..ac5eca3 --- /dev/null +++ b/doc/visudo.cat 
@@ -0,0 +1,226 @@ +VISUDO(1m) System Manager's Manual VISUDO(1m) + +NNAAMMEE + vviissuuddoo - edit the sudoers file + +SSYYNNOOPPSSIISS + vviissuuddoo [--cchhqqssVV] [[--ff] _s_u_d_o_e_r_s] + +DDEESSCCRRIIPPTTIIOONN + vviissuuddoo edits the _s_u_d_o_e_r_s file in a safe fashion, analogous to vipw(1m). + vviissuuddoo locks the _s_u_d_o_e_r_s file against multiple simultaneous edits, + provides basic sanity checks, and checks for parse errors. If the + _s_u_d_o_e_r_s file is currently being edited you will receive a message to try + again later. + + vviissuuddoo parses the _s_u_d_o_e_r_s file after editing and will not save the + changes if there is a syntax error. Upon finding an error, vviissuuddoo will + print a message stating the line number(s) where the error occurred and + the user will receive the "What now?" prompt. At this point the user may + enter `e' to re-edit the _s_u_d_o_e_r_s file, `x' to exit without saving the + changes, or `Q' to quit and save changes. The `Q' option should be used + with extreme caution because if vviissuuddoo believes there to be a parse + error, so will ssuuddoo and no one will be able to run ssuuddoo again until the + error is fixed. If `e' is typed to edit the _s_u_d_o_e_r_s file after a parse + error has been detected, the cursor will be placed on the line where the + error occurred (if the editor supports this feature). + + There are two _s_u_d_o_e_r_s settings that determine which editor vviissuuddoo will + run. + + editor A colon (`:') separated list of editors allowed to be used with + vviissuuddoo. vviissuuddoo will choose the editor that matches the user's + SUDO_EDITOR, VISUAL or EDITOR environment variable if possible, + or the first editor in the list that exists and is executable. + Note that the SUDO_EDITOR, VISUAL and EDITOR environment + variables are not preserved by default when the _e_n_v___r_e_s_e_t + _s_u_d_o_e_r_s option is enabled. 
The default editor path is _v_i which + can be set at compile time via the --with-editor configure + option. + + env_editor + If set, vviissuuddoo will use the value of the SUDO_EDITOR, VISUAL or + EDITOR environment variables before falling back on the default + editor list. Note that this may create a security hole as it + allows the user to run any arbitrary command as root without + logging. A safer alternative is to place a colon-separated + list of editors in the _e_d_i_t_o_r variable. vviissuuddoo will then only + use SUDO_EDITOR, VISUAL or EDITOR if they match a value + specified in _e_d_i_t_o_r. If the _e_n_v___r_e_s_e_t flag is enabled, the + SUDO_EDITOR, VISUAL and/or EDITOR environment variables must be + present in the _e_n_v___k_e_e_p list for the _e_n_v___e_d_i_t_o_r flag to + function when vviissuuddoo is invoked via ssuuddoo. The default value is + _o_f_f, which can be set at compile time via the --with-env-editor + configure option. + + The options are as follows: + + --cc, ----cchheecckk + Enable _c_h_e_c_k_-_o_n_l_y mode. The existing _s_u_d_o_e_r_s file (and any + other files it includes) will be checked for syntax errors. + If the path to the _s_u_d_o_e_r_s file was not specified, vviissuuddoo + will also check the file owner and mode. A message will be + printed to the standard output describing the status of + _s_u_d_o_e_r_s unless the --qq option was specified. If the check + completes successfully, vviissuuddoo will exit with a value of 0. + If an error is encountered, vviissuuddoo will exit with a value of + 1. + + --ff _s_u_d_o_e_r_s, ----ffiillee=_s_u_d_o_e_r_s + Specify an alternate _s_u_d_o_e_r_s file location, see below. As of + version 1.8.27, the _s_u_d_o_e_r_s path can be specified without + using the --ff option. + + --hh, ----hheellpp Display a short help message to the standard output and exit. + + --qq, ----qquuiieett + Enable _q_u_i_e_t mode. In this mode details about syntax errors + are not printed. 
This option is only useful when combined + with the --cc option. + + --ss, ----ssttrriicctt + Enable _s_t_r_i_c_t checking of the _s_u_d_o_e_r_s file. If an alias is + referenced but not actually defined or if there is a cycle in + an alias, vviissuuddoo will consider this a parse error. Note that + it is not possible to differentiate between an alias and a + host name or user name that consists solely of uppercase + letters, digits, and the underscore (`_') character. + + --VV, ----vveerrssiioonn + Print the vviissuuddoo and _s_u_d_o_e_r_s grammar versions and exit. + + A _s_u_d_o_e_r_s file may be specified instead of the default, _/_e_t_c_/_s_u_d_o_e_r_s. + The lock file used is the specified _s_u_d_o_e_r_s file with ".tmp" appended to + it. In _c_h_e_c_k_-_o_n_l_y mode only, `-' may be used to indicate that _s_u_d_o_e_r_s + will be read from the standard input. Because the policy is evaluated in + its entirety, it is not sufficient to check an individual _s_u_d_o_e_r_s include + file for syntax errors. + + DDeebbuuggggiinngg aanndd ssuuddooeerrss pplluuggiinn aarrgguummeennttss + vviissuuddoo versions 1.8.4 and higher support a flexible debugging framework + that is configured via Debug lines in the sudo.conf(4) file. + + Starting with ssuuddoo 1.8.12, vviissuuddoo will also parse the arguments to the + _s_u_d_o_e_r_s plugin to override the default _s_u_d_o_e_r_s path name, UID, GID and + file mode. These arguments, if present, should be listed after the path + to the plugin (i.e., after _s_u_d_o_e_r_s_._s_o). Multiple arguments may be + specified, separated by white space. For example: + + Plugin sudoers_policy sudoers.so sudoers_mode=0400 + + The following arguments are supported: + + sudoers_file=pathname + The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default + path to the _s_u_d_o_e_r_s file. + + sudoers_uid=uid + The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default + owner of the sudoers file. 
It should be specified as a numeric + user ID. + + sudoers_gid=gid + The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default + group of the sudoers file. It must be specified as a numeric + group ID (not a group name). + + sudoers_mode=mode + The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default + file mode for the sudoers file. It should be specified as an + octal value. + + For more information on configuring sudo.conf(4), please refer to its + manual. + +EENNVVIIRROONNMMEENNTT + The following environment variables may be consulted depending on the + value of the _e_d_i_t_o_r and _e_n_v___e_d_i_t_o_r _s_u_d_o_e_r_s settings: + + SUDO_EDITOR Invoked by vviissuuddoo as the editor to use + + VISUAL Used by vviissuuddoo if SUDO_EDITOR is not set + + EDITOR Used by vviissuuddoo if neither SUDO_EDITOR nor VISUAL is set + +FFIILLEESS + _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration + + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + + _/_e_t_c_/_s_u_d_o_e_r_s_._t_m_p Lock file for visudo + +DDIIAAGGNNOOSSTTIICCSS + In addition to reporting _s_u_d_o_e_r_s parse errors, vviissuuddoo may produce the + following messages: + + sudoers file busy, try again later. + Someone else is currently editing the _s_u_d_o_e_r_s file. + + /etc/sudoers.tmp: Permission denied + You didn't run vviissuuddoo as root. + + you do not exist in the passwd database + Your user ID does not appear in the system passwd database. + + Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined + Either you are trying to use an undeclared + {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed + that consists solely of uppercase letters, digits, and the + underscore (`_') character. In the latter case, you can ignore the + warnings (ssuuddoo will not complain). The message is prefixed with + the path name of the _s_u_d_o_e_r_s file and the line number where the + undefined alias was used. 
In --ss (strict) mode these are errors, + not warnings. + + Warning: unused {User,Runas,Host,Cmnd}_Alias + The specified {User,Runas,Host,Cmnd}_Alias was defined but never + used. The message is prefixed with the path name of the _s_u_d_o_e_r_s + file and the line number where the unused alias was defined. You + may wish to comment out or remove the unused alias. + + Warning: cycle in {User,Runas,Host,Cmnd}_Alias + The specified {User,Runas,Host,Cmnd}_Alias includes a reference to + itself, either directly or through an alias it includes. The + message is prefixed with the path name of the _s_u_d_o_e_r_s file and the + line number where the cycle was detected. This is only a warning + unless vviissuuddoo is run in --ss (strict) mode as ssuuddoo will ignore cycles + when parsing the _s_u_d_o_e_r_s file. + + unknown defaults entry "name" + The _s_u_d_o_e_r_s file contains a Defaults setting not recognized by + vviissuuddoo. + +SSEEEE AALLSSOO + vi(1), sudo.conf(4), sudoers(4), sudo(1m), vipw(1m) + +AAUUTTHHOORRSS + Many people have worked on ssuuddoo over the years; this version consists of + code written primarily by: + + Todd C. Miller + + See the CONTRIBUTORS file in the ssuuddoo distribution + (https://www.sudo.ws/contributors.html) for an exhaustive list of people + who have contributed to ssuuddoo. + +CCAAVVEEAATTSS + There is no easy way to prevent a user from gaining a root shell if the + editor used by vviissuuddoo allows shell escapes. + +BBUUGGSS + If you feel you have found a bug in vviissuuddoo, please submit a bug report at + https://bugzilla.sudo.ws/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + +DDIISSCCLLAAIIMMEERR + vviissuuddoo is provided "AS IS" and any express or implied warranties, + including, but not limited to, the implied warranties of merchantability + and fitness for a particular purpose are disclaimed. 
See the LICENSE + file distributed with ssuuddoo or https://www.sudo.ws/license.html for + complete details. + +Sudo 1.8.26 December 24, 2018 Sudo 1.8.26 |
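Review bot: The footer stamps this page as "Sudo 1.8.26 December 24, 2018", but the -f option text in the same hunk says "As of version 1.8.27, the sudoers path can be specified without using the -f option", and the SYNOPSIS already shows the optional form "[[-f] sudoers]". The footer version and date should be regenerated so that the page matches the release whose behaviour it documents. A smaller wording point in the plugin arguments: sudoers_uid "should be specified as a numeric user ID" while sudoers_gid "must be specified as a numeric group ID (not a group name)". Use the same wording for both, so that the difference does not read as sudoers_uid accepting a user name.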