[Midnightbsd-cvs] src [6804] trunk/contrib/sudo: sudo 1.7.6p2

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Wed Oct 1 23:32:57 EDT 2014


Revision: 6804
          http://svnweb.midnightbsd.org/src/?rev=6804
Author:   laffer1
Date:     2014-10-01 23:32:57 -0400 (Wed, 01 Oct 2014)
Log Message:
-----------
sudo 1.7.6p2

Modified Paths:
--------------
    trunk/contrib/sudo/ChangeLog
    trunk/contrib/sudo/Makefile.in
    trunk/contrib/sudo/NEWS
    trunk/contrib/sudo/UPGRADE
    trunk/contrib/sudo/aclocal.m4
    trunk/contrib/sudo/aix.c
    trunk/contrib/sudo/configure
    trunk/contrib/sudo/configure.in
    trunk/contrib/sudo/exec.c
    trunk/contrib/sudo/exec_pty.c
    trunk/contrib/sudo/gram.c
    trunk/contrib/sudo/gram.y
    trunk/contrib/sudo/lbuf.c
    trunk/contrib/sudo/ldap.c
    trunk/contrib/sudo/match.c
    trunk/contrib/sudo/mkpkg
    trunk/contrib/sudo/parse_args.c
    trunk/contrib/sudo/pp
    trunk/contrib/sudo/pwutil.c
    trunk/contrib/sudo/sudo.cat
    trunk/contrib/sudo/sudo.man.in
    trunk/contrib/sudo/sudo.pp
    trunk/contrib/sudo/sudoers.cat
    trunk/contrib/sudo/sudoers.ldap.cat
    trunk/contrib/sudo/sudoers.ldap.man.in
    trunk/contrib/sudo/sudoers.man.in
    trunk/contrib/sudo/sudoreplay.cat
    trunk/contrib/sudo/sudoreplay.man.in
    trunk/contrib/sudo/testsudoers.c
    trunk/contrib/sudo/toke.c
    trunk/contrib/sudo/toke.l
    trunk/contrib/sudo/visudo.cat
    trunk/contrib/sudo/visudo.man.in

Added Paths:
-----------
    trunk/contrib/sudo/config.h
    trunk/contrib/sudo/pathnames.h
    trunk/contrib/sudo/sudo.8
    trunk/contrib/sudo/sudo.pod
    trunk/contrib/sudo/sudo_usage.h
    trunk/contrib/sudo/sudoers
    trunk/contrib/sudo/sudoers.5
    trunk/contrib/sudo/sudoers.ldap.man
    trunk/contrib/sudo/sudoers.ldap.pod
    trunk/contrib/sudo/sudoers.pod
    trunk/contrib/sudo/sudoreplay.man
    trunk/contrib/sudo/sudoreplay.pod
    trunk/contrib/sudo/visudo.8
    trunk/contrib/sudo/visudo.pod
    trunk/contrib/sudo/zlib/zconf.h

Modified: trunk/contrib/sudo/ChangeLog
===================================================================
--- trunk/contrib/sudo/ChangeLog	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/ChangeLog	2014-10-02 03:32:57 UTC (rev 6804)
@@ -1,8 +1,370 @@
+2011-04-29  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* toke.c, toke.l:
+	Split ALL, ROLE and TYPE into their own actions. Since you can only
+	have #ifdefs inside of braces, ROLE and TYPE use a naughty goto in
+	the non-SELinux case. This is safe because the actions are in one
+	big switch() statement.
+	[19863b5cecde] [tip] <1.7>
+
+	* toke.c, toke.l:
+	Fix regexp for matching a CIDR-style IPv4 netmask. From Marc Espie.
+	[cbf8c4ee2981] <1.7>
+
+	* sudoers.pod:
+	Remove obsolete warning about runas_default and ordering.
+	[eff3ac4c594b] <1.7>
+
+2011-04-18  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* configure, configure.in:
+	Need to do checks for krb5_verify_user, krb5_init_secure_context and
+	krb5_get_init_creds_opt_alloc regardless of whether or not
+	krb5-config is present.
+	[6ceda8c8c126] <1.7>
+
+	* NEWS:
+	sudo 1.7.6p1 updates
+	[888e4e84b839] <1.7>
+
+2011-04-14  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* sudo.pp:
+	update copyright year
+	[edf691539a65] <1.7>
+
+	* toke.c, toke.l:
+	Treat a missing includedir like an empty one and do not return an
+	error.
+	[9c770ff2d0bc] <1.7>
+
+2011-04-12  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* pp:
+	Fix ARCH setting in cross-compile Solaris packages.
+	[057d743bd1a2] <1.7>
+
+	* sudo.pp:
+	Fix aix version setting.
+	[1a2621321f5c] <1.7>
+
+	* ldap.c:
+	Remove extraneous parens in LDAP filter when sudoers_search_filter
+	is enabled that causes a search error. From Matthew Thomas.
+	[7a5a2d021d32] <1.7>
+
+2011-04-09  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* .hgtags:
+	Added tag SUDO_1_7_6 for changeset fafbb7b0aea2
+	[6f5c74a8a6ac] <1.7>
+
+	* configure, configure.in, sudo.cat, sudo.man.in, sudoers.cat,
+	sudoers.ldap.cat, sudoers.ldap.man.in, sudoers.man.in,
+	sudoreplay.cat, sudoreplay.man.in, visudo.cat, visudo.man.in:
+	regen for 1.7.6
+	[fafbb7b0aea2] [SUDO_1_7_6] <1.7>
+
+	* sudo.cat, sudo.man.in:
+	regen man pages for 1.7.6
+	[94d851285f31] <1.7>
+
+2011-04-06  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* configure, configure.in:
+	Fix warnings when -without-skey, --without-opie, --without-kerb4,
+	--without-kerb5 or --without-SecurID were specified.
+	[83a99d369286] <1.7>
+
+2011-04-05  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* NEWS:
+	Mention %#gid support in User_List and Runas_List
+	[8ff14765d7df] <1.7>
+
+	* sudoers.pod:
+	Merge SETENV and NOSETENV description from 1.8
+	[dd44e79b53a0] <1.7>
+
+2011-04-01  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* testsudoers.c:
+	In dump-only mode, use "root" as the default username instead of
+	"nobody" as the latter may not be available on all systems.
+	[8082b8a1374c] <1.7>
+
+2011-03-31  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* testsudoers.c:
+	Fix setting of user_args
+	[0669612feeb1] <1.7>
+
+	* toke.c, toke.l:
+	Add '!' token to lex tracing
+	[7738d002a8d0] <1.7>
+
+	* toke.c, toke.l:
+	Avoid using pre or post increment in a parameter to a ctype(3)
+	function as it might be a macro that causes the increment to happen
+	more than once.
+	[2d23161e06dc] <1.7>
+
+2011-03-30  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* sudo.pp:
+	Strip off the beta or release candidate version when building AIX
+	packages.
+	[246ebb79e64f] <1.7>
+
+	* aix.c:
+	getuserattr(user, ...) will fall back to the "default" entry
+	automatically, there's no need to check "default" manually.
+	[dd233ca1092a] <1.7>
+
+2011-03-29  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* UPGRADE:
+	Document parser changes.
+	[f767c045e6c0] <1.7>
+
+	* testsudoers.c:
+	Add runasgroup support to testsudoers
+	[23f060665d23] <1.7>
+
+	* testsudoers.c:
+	More useful exit codes:
+	 * 0 - parsed OK and command matched.
+	 * 1 - parse error
+	 * 2 - command not matched
+	 * 3 - command denied
+	[bda610d9f6da] <1.7>
+
+	* Makefile.in:
+	If there is an existing sudoers file, only install if it passes a
+	syntax check.
+	[189eaeea562e] <1.7>
+
+	* sudoers.pod:
+	Document %#gid, and %:#nonunix_gid syntax.
+	[59e7df4c91e4] <1.7>
+
+	* pwutil.c:
+	Add support to user_in_group() for treating group names that begin
+	with a '#' as gids.
+	[3926017fbf95] <1.7>
+
+2011-03-28  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* aclocal.m4:
+	Quote first argument to AC_DEFUN(); from Elan Ruusamae
+	[a245e4891bab] <1.7>
+
+2011-03-27  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* toke.c, toke.l:
+	Use bitwise AND instead of modulus to check for length being odd. A
+	newline in the middle of a string is an error unless a line
+	continuation character is used.
+	[37a7f1fc54b7] <1.7>
+
+	* gram.c, toke.c:
+	Add missing include of config.h
+	[b13da7baee1e] <1.7>
+
+	* gram.c, gram.y, toke.c, toke.l:
+	Move lexer globals initialization into init_lexer.
+	[b7c124212d05] <1.7>
+
+	* toke.c, toke.l:
+	Fix a potential crash when a non-regular file is present in an
+	includedir. Fixes bz #452
+	[f1209a710607] <1.7>
+
+	* pp:
+	On some Linux systems, "uname -p" contains detailed processor info
+	so check "uname -m" first and then "uname -p" if needed. Recognize
+	PLD Linux.
+	[83af85a391df] <1.7>
+
+	* toke.c, toke.l:
+	Make an empty group or netgroup a syntax error.
+	[e88aa7b31a43] <1.7>
+
+	* toke.c, toke.l:
+	Allow a group ID in the User_Spec.
+	[3e58bc732e33] <1.7>
+
+	* toke.c, toke.l:
+	Return an error for the empty string when a word is expected. Allow
+	an ID for per-user or per-runas Defaults.
+	[83bb1a9c80ad] <1.7>
+
+2011-03-23  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* testsudoers.c:
+	Fix printing "User_Alias FOO = ALL"
+	[8e6e810e89ce] <1.7>
+
+2011-03-22  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* parse_args.c:
+	Better error message about invalid -C argument
+	[fc14f8dc03d2] <1.7>
+
+	* NEWS:
+	fix typo
+	[f789649fdeaf] <1.7>
+
+	* sudoers.pod:
+	Fix placement of equal size ('=') in user specification summary.
+	[51861d678ac1] <1.7>
+
+2011-03-21  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* toke.l:
+	If we match a rule anchored to the beginning of a line after parsing
+	a line continuation character, return an ERROR token. It would be
+	nicer to use REJECT instead but that substantially slows down the
+	lexer.
+	[f31c6622aaf9] <1.7>
+
+	* toke.c, toke.l:
+	Allow whitespace after the modifier in a Defaults entry. E.g.
+	"Defaults: username set_home"
+	[57c09139d10c] <1.7>
+
+2011-03-18  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* mkpkg:
+	Don't set CC when cross-compiling. Use the Sun Studio C compiler on
+	Solaris if possible.
+	[b91feb0678c1] <1.7>
+
+	* NEWS:
+	Credit Matthew Thomas for the sudoers_search_filter changes.
+	[4b3f239e114d] <1.7>
+
+	* NEWS:
+	Update for sudo 1.7.6 beta
+	[26cdd6578c23] <1.7>
+
+	* exec_pty.c:
+	Save the controlling tty process group before suspending in pty
+	mode. Previously, we assumed that the child pgrp == child pid
+	(which is usually, but not always, the case).
+	[670657004784] <1.7>
+
+	* ldap.c, sudoers.ldap.pod:
+	Add support for sudoers_search_filter setting in ldap.conf. This
+	can be used to restrict the set of records returned by the LDAP
+	query.
+	[c941bb5f68f2] <1.7>
+
+2011-03-17  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* configure, configure.in:
+	Remove the hack to disable -g in CFLAGS unless --with-devel
+	[933300bf3848] <1.7>
+
+	* sudoers.pod:
+	The '@' character does not normally need to be quoted.
+	[7e96569aed54] <1.7>
+
+	* toke.c, toke.l:
+	We normaly transition from GOTDEFS to STARTDEFS on whitespace, but
+	if that whitespace is followed by a comma, we want to treat it as
+	part of a list and not transition.
+	[6dd87c25c79c] <1.7>
+
+	* Makefile.in:
+	toke_util.c lives in $(srcdir) not $(devdir)
+	[b1b59d72f026] <1.7>
+
+	* toke.c, toke.l:
+	Fix parsing of double-quoted names in Defaults and Aliases which was
+	broken in c2b486b12951.
+	[30b2fdbafdc2] <1.7>
+
+2011-03-16  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* NEWS:
+	Document major changes for sudo 1.7.6
+	[d474a2aeb411] <1.7>
+
+	* configure, configure.in:
+	Update version to 1.7.6
+	[c1c80b99ed82] <1.7>
+
+	* match.c:
+	Be careful not to deref user_stat if it is NULL. This cannot
+	currently happen in sudo but might in other programs using the
+	parser.
+	[0926b1653e20] <1.7>
+
+	* mkpkg:
+	configure will not add -O2 to CFLAGS if it is already defined to add
+	-O2 to the CFLAGS we pass in when PIE is being used.
+	[a4444e287bcb] <1.7>
+
+	* sudoers.pod:
+	Warn about the dangers of log_input and mention iolog_dir in the
+	log_input and log_output descriptions.
+	[68c3615f7487] <1.7>
+
+	* pp:
+	Back out 2b81d57de4a4 and sync with git version
+	[5a2443567b9c] <1.7>
+
+	* exec.c:
+	Save the controlling tty process group before suspending so we can
+	restore it when we resume. Fixes job control problems on Linux
+	caused by the previous attemp to fix resuming a shell when I/O
+	logging not enabled.
+	[3e4e26b79f59] <1.7>
+
+	* exec.c:
+	In handle_signals(), restart the read() on EINTR to make sure we
+	keep up with the signal pipe. Don't return -1 on EAGAIN, it just
+	means we have emptied the pipe.
+	[5bcfe5a061c2] <1.7>
+
+	* lbuf.c:
+	Fix printing of the remainder after a newline. Fixes "sudo -l"
+	output corruption that could occur in some cases.
+	[41e5595f0559] <1.7>
+
+2011-03-08  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* mkpkg:
+	Fix default setting of osversion variable.
+	[c67d9d3bfa2b] <1.7>
+
+2011-03-07  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* mkpkg:
+	Add --osversion flag to specify OS instead of running "pp
+	--probeonly"
+	[550104604d4b] <1.7>
+
+	* sudo.pp:
+	Fix expr usage w/ GNU expr
+	[c2161988dec9] <1.7>
+
+2011-03-02  Todd C. Miller  <Todd.Miller at courtesan.com>
+
+	* sudo.pp:
+	Don't use the beta or release candidate version as the rpm release.
+	[56f8c0b1eb46] <1.7>
+
 2011-02-25  Todd C. Miller  <Todd.Miller at courtesan.com>
 
+	* .hgtags:
+	Added tag SUDO_1_7_5 for changeset 9314212577c3
+	[75f9d661ea03] <1.7>
+
 	* configure, configure.in:
 	version 1.7.5
-	[9314212577c3] [tip] <1.7>
+	[9314212577c3] [SUDO_1_7_5] <1.7>
 
 2011-02-21  Todd C. Miller  <Todd.Miller at courtesan.com>
 

Modified: trunk/contrib/sudo/Makefile.in
===================================================================
--- trunk/contrib/sudo/Makefile.in	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/Makefile.in	2014-10-02 03:32:57 UTC (rev 6804)
@@ -393,8 +393,8 @@
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/timestr.c
 toke.o: $(devdir)/toke.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/toke.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke.c
-toke_util.o: $(devdir)/toke_util.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/toke.h $(devdir)/gram.h
-	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke_util.c
+toke_util.o: $(srcdir)/toke_util.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/toke.h $(devdir)/gram.h
+	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/toke_util.c
 tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c
 utimes.o: $(srcdir)/utimes.c $(srcdir)/missing.h $(srcdir)/emul/utime.h config.h
@@ -535,8 +535,14 @@
 	    fi; \
 	fi
 
-install: install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-doc
+pre-install:
+	@if test -r $(DESTDIR)$(sudoersdir)/sudoers; then \
+	    echo "Checking existing sudoers file for syntax errors."; \
+	    ./visudo -c -f $(DESTDIR)$(sudoersdir)/sudoers; \
+	fi
 
+install: pre-install install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-doc
+
 install-dirs:
 	$(SHELL) $(srcdir)/mkinstalldirs $(DESTDIR)$(sudodir) \
 	    $(DESTDIR)$(visudodir) $(DESTDIR)$(noexecdir) \
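Review bot: The new `pre-install` prerequisite on `install` only orders the syntax check ahead of the other install-* targets for a serial make; under `make -j` the prerequisites of `install` may run concurrently, so `install-binaries` can copy the new binaries before `./visudo -c` has finished or failed, which defeats the "only install if it passes a syntax check" intent stated in the ChangeLog. One extra rule makes the gate real without touching the other recipes: `install-dirs install-binaries install-sudoers install-doc: pre-install` (the @INSTALL_NOEXEC@ target would need the same). Separately, the `test -r` guard silently skips the check when the sudoers file exists but is not readable by the user running make, which is the normal 0440 case unless installing as root into a real prefix; echoing that the check was skipped, or testing with `test -e`, would make that visible. The exit status of the `if … fi` compound is that of the last command run, so a visudo failure does abort the recipe as intended.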

Modified: trunk/contrib/sudo/NEWS
===================================================================
--- trunk/contrib/sudo/NEWS	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/NEWS	2014-10-02 03:32:57 UTC (rev 6804)
@@ -1,3 +1,44 @@
+What's new in Sudo 1.7.6p2
+
+ * Two-character CIDR-style IPv4 netmasks are now matched correctly 
+   in the sudoers file.
+
+ * A build error with MIT Kerberos V has been resolved.
+
+What's new in Sudo 1.7.6p1
+
+ * A non-existent includedir is now treated the same as an empty
+   directory and not reported as an error.
+
+ * Removed extraneous parens in LDAP filter when sudoers_search_filter
+   is enabled that can cause an LDAP search error.
+
+What's new in Sudo 1.7.6?
+
+ * A new LDAP setting, sudoers_search_filter, has been added to
+   ldap.conf.  This setting can be used to restrict the set of
+   records returned by the LDAP query.  Based on changes from Matthew
+   Thomas.
+
+ * White space is now permitted within a User_List when used in
+   conjunction with a per-user Defaults definition.
+
+ * A group ID (%#gid) may now be specified in a User_List or Runas_List.
+   Likewise, for non-Unix groups the syntax is %:#gid.
+
+ * Support for double-quoted words in the sudoers file has been fixed.
+   The change in 1.7.5 for escaping the double quote character
+   caused the double quoting to only be available at the beginning
+   of an entry.
+
+ * The fix for resuming a suspended shell in 1.7.5 caused problems
+   with resuming non-shells on Linux.  Sudo will now save the process
+   group ID of the program it is running on suspend and restore it
+   when resuming, which fixes both problems.
+
+ * A bug that could result in corrupted output in "sudo -l" has been
+   fixed.
+
 What's new in Sudo 1.7.5?
 
  * When using visudo in check mode, a file named "-" may be used to
@@ -39,7 +80,7 @@
  * LDAP Sudoers entries may now specify a sudoOrder attribute that
    determines the order in which matching entries are applied.  The
    last matching entry is used, just like file-based sudoers.  This
-   requires an updated sudoers schema that includes the sudOrder
+   requires an updated sudoers schema that includes the sudoOrder
    attribute.  Based on changes from Andreas Mueller.
 
  * When run as sudoedit, or when given the -e flag, sudo now treats

Modified: trunk/contrib/sudo/UPGRADE
===================================================================
--- trunk/contrib/sudo/UPGRADE	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/UPGRADE	2014-10-02 03:32:57 UTC (rev 6804)
@@ -1,6 +1,35 @@
 Notes on upgrading from an older release
 ========================================
 
+o Upgrading from a version prior to 1.7.6:
+
+    Changes in the sudoers parser could result in parse errors for
+    existing sudoers file.  These changes cause certain erroneous
+    entries to be flagged as errors where before they allowed.
+    Changes include:
+
+    Combining multiple Defaults entries with a backslash.  E.g.
+
+	Defaults set_path \
+	Defaults syslog
+
+    which should be:
+
+	Defaults set_path
+	Defaults syslog
+
+    Also, double-quoted strings with a missing end-quote are now
+    detected and result in an error.  Previously, text starting a
+    double quote and ending with a newline was ignored.  E.g.
+
+	Defaults set_path"foo
+
+    In previous versions of sudo, the `"foo' portion would have
+    been ignored.
+
+    To avoid problems, sudo 1.8.1's "make install" will not install
+    a new sudo binary if the existing sudoers file has errors.
+
 o Upgrading from a version prior to 1.7.5:
 
     Sudo 1.7.5 includes an updated LDAP schema with support for

Modified: trunk/contrib/sudo/aclocal.m4
===================================================================
--- trunk/contrib/sudo/aclocal.m4	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/aclocal.m4	2014-10-02 03:32:57 UTC (rev 6804)
@@ -10,7 +10,7 @@
 dnl
 dnl check for sendmail in well-known locations
 dnl
-AC_DEFUN(SUDO_PROG_SENDMAIL, [AC_MSG_CHECKING([for sendmail])
+AC_DEFUN([SUDO_PROG_SENDMAIL], [AC_MSG_CHECKING([for sendmail])
 found=no
 for p in "/usr/sbin/sendmail" "/usr/lib/sendmail" "/usr/etc/sendmail" "/usr/ucblib/sendmail" "/usr/local/lib/sendmail" "/usr/local/bin/sendmail"; do
     if test -f "$p"; then
@@ -28,7 +28,7 @@
 dnl
 dnl check for vi in well-known locations
 dnl
-AC_DEFUN(SUDO_PROG_VI, [AC_MSG_CHECKING([for vi])
+AC_DEFUN([SUDO_PROG_VI], [AC_MSG_CHECKING([for vi])
 found=no
 for editor in "/usr/bin/vi" "/bin/vi" "/usr/ucb/vi" "/usr/bsd/vi" "/usr/local/bin/vi"; do
     if test -f "$editor"; then
@@ -46,7 +46,7 @@
 dnl
 dnl check for mv in well-known locations
 dnl
-AC_DEFUN(SUDO_PROG_MV, [AC_MSG_CHECKING([for mv])
+AC_DEFUN([SUDO_PROG_MV], [AC_MSG_CHECKING([for mv])
 found=no
 for p in "/usr/bin/mv" "/bin/mv" "/usr/ucb/mv" "/usr/sbin/mv"; do
     if test -f "$p"; then
@@ -64,7 +64,7 @@
 dnl
 dnl check for bourne shell in well-known locations
 dnl
-AC_DEFUN(SUDO_PROG_BSHELL, [AC_MSG_CHECKING([for bourne shell])
+AC_DEFUN([SUDO_PROG_BSHELL], [AC_MSG_CHECKING([for bourne shell])
 found=no
 for p in "/bin/sh" "/usr/bin/sh" "/sbin/sh" "/usr/sbin/sh" "/bin/ksh" "/usr/bin/ksh" "/bin/bash" "/usr/bin/bash"; do
     if test -f "$p"; then
@@ -82,7 +82,7 @@
 dnl
 dnl Where the log file goes, use /var/log if it exists, else /{var,usr}/adm
 dnl
-AC_DEFUN(SUDO_LOGFILE, [AC_MSG_CHECKING(for log file location)
+AC_DEFUN([SUDO_LOGFILE], [AC_MSG_CHECKING(for log file location)
 if test -n "$with_logpath"; then
     AC_MSG_RESULT($with_logpath)
     SUDO_DEFINE_UNQUOTED(_PATH_SUDO_LOGFILE, "$with_logpath")
@@ -103,7 +103,7 @@
 dnl
 dnl Where the timestamp files go.
 dnl
-AC_DEFUN(SUDO_TIMEDIR, [AC_MSG_CHECKING(for timestamp file location)
+AC_DEFUN([SUDO_TIMEDIR], [AC_MSG_CHECKING(for timestamp file location)
 timedir="$with_timedir"
 if test -z "$timedir"; then
     for d in /var/db /var/lib /var/adm /usr/adm; do
@@ -121,7 +121,7 @@
 dnl Where the I/O log files go, use /var/log/sudo-io if
 dnl /var/log exists, else /{var,usr}/adm/sudo-io
 dnl
-AC_DEFUN(SUDO_IO_LOGDIR, [
+AC_DEFUN([SUDO_IO_LOGDIR], [
     AC_MSG_CHECKING(for I/O log dir location)
     if test "${with_iologdir-yes}" != "yes"; then
 	iolog_dir="$with_iologdir"
@@ -142,7 +142,7 @@
 dnl SUDO_CHECK_TYPE(TYPE, DEFAULT)
 dnl XXX - should require the check for unistd.h...
 dnl
-AC_DEFUN(SUDO_CHECK_TYPE,
+AC_DEFUN([SUDO_CHECK_TYPE],
 [AC_REQUIRE([AC_HEADER_STDC])dnl
 AC_MSG_CHECKING(for $1)
 AC_CACHE_VAL(sudo_cv_type_$1,
@@ -163,31 +163,31 @@
 dnl
 dnl Check for size_t declation
 dnl
-AC_DEFUN(SUDO_TYPE_SIZE_T,
+AC_DEFUN([SUDO_TYPE_SIZE_T],
 [SUDO_CHECK_TYPE(size_t, int)])
 
 dnl
 dnl Check for ssize_t declation
 dnl
-AC_DEFUN(SUDO_TYPE_SSIZE_T,
+AC_DEFUN([SUDO_TYPE_SSIZE_T],
 [SUDO_CHECK_TYPE(ssize_t, int)])
 
 dnl
 dnl Check for dev_t declation
 dnl
-AC_DEFUN(SUDO_TYPE_DEV_T,
+AC_DEFUN([SUDO_TYPE_DEV_T],
 [SUDO_CHECK_TYPE(dev_t, int)])
 
 dnl
 dnl Check for ino_t declation
 dnl
-AC_DEFUN(SUDO_TYPE_INO_T,
+AC_DEFUN([SUDO_TYPE_INO_T],
 [SUDO_CHECK_TYPE(ino_t, unsigned int)])
 
 dnl
 dnl check for working fnmatch(3)
 dnl
-AC_DEFUN(SUDO_FUNC_FNMATCH,
+AC_DEFUN([SUDO_FUNC_FNMATCH],
 [AC_MSG_CHECKING([for working fnmatch with FNM_CASEFOLD])
 AC_CACHE_VAL(sudo_cv_func_fnmatch,
 [rm -f conftestdata; > conftestdata
@@ -253,7 +253,7 @@
 dnl
 dnl check for sa_len field in struct sockaddr
 dnl
-AC_DEFUN(SUDO_SOCK_SA_LEN, [
+AC_DEFUN([SUDO_SOCK_SA_LEN], [
     AC_CHECK_MEMBER([struct sockaddr.sa_len], 
 	[AC_DEFINE(HAVE_SA_LEN, 1, [Define if your struct sockadr has an sa_len field.])],    
 	[],
@@ -266,7 +266,7 @@
 dnl we can't really trust UID_MAX or MAXUID since they may exist
 dnl only for backwards compatibility.
 dnl
-AC_DEFUN(SUDO_UID_T_LEN,
+AC_DEFUN([SUDO_UID_T_LEN],
 [AC_REQUIRE([AC_TYPE_UID_T])
 AC_MSG_CHECKING(max length of uid_t)
 AC_CACHE_VAL(sudo_cv_uid_t_len,
@@ -299,7 +299,7 @@
 dnl
 dnl append a libpath to an LDFLAGS style variable
 dnl
-AC_DEFUN(SUDO_APPEND_LIBPATH, [
+AC_DEFUN([SUDO_APPEND_LIBPATH], [
     if test X"$with_rpath" = X"yes"; then
 	case "$host" in
 	    *-*-hpux*)	$1="${$1} -L$2 -Wl,+b,$2"
@@ -319,7 +319,7 @@
 dnl Determine the mail spool location
 dnl NOTE: must be run *after* check for paths.h
 dnl
-AC_DEFUN(SUDO_MAILDIR, [
+AC_DEFUN([SUDO_MAILDIR], [
 maildir=no
 if test X"$ac_cv_header_paths_h" = X"yes"; then
 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT

Modified: trunk/contrib/sudo/aix.c
===================================================================
--- trunk/contrib/sudo/aix.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/aix.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -73,10 +73,8 @@
 {
     int val;
 
-    if (getuserattr(user, lim, &val, SEC_INT) != 0 &&
-	getuserattr("default", lim, &val, SEC_INT) != 0) {
+    if (getuserattr(user, lim, &val, SEC_INT) != 0)
 	return -1;
-    }
     *valp = val;
     return 0;
 }
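Review bot: The simplified condition in the getuserattr() check leaves no record of why a single lookup is now sufficient; the ChangeLog entry in this commit explains that getuserattr(user, …) consults the "default" stanza itself, and that reliance belongs next to the call, e.g. `/* getuserattr() falls back to the "default" stanza on its own. */`. The braces around the single-statement `if` body were also dropped; keeping them is the safer convention in a setuid program even for one-line bodies. The enclosing function's signature is above the hunk, so its name and the exact contract of `lim` and `valp` cannot be confirmed from here.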

Added: trunk/contrib/sudo/config.h
===================================================================
--- trunk/contrib/sudo/config.h	                        (rev 0)
+++ trunk/contrib/sudo/config.h	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,885 @@
+/* config.h.  Generated from config.h.in by configure.  */
+/* config.h.in.  Generated from configure.in by autoheader.  */
+
+#ifndef _SUDO_CONFIG_H
+#define _SUDO_CONFIG_H
+
+/* Define to 1 if the `syslog' function returns a non-zero int to denote
+   failure. */
+/* #undef BROKEN_SYSLOG */
+
+/* Define to 1 if you want the insults from the "classic" version sudo. */
+#define CLASSIC_INSULTS 1
+
+/* Define to 1 if you want insults culled from the twisted minds of CSOps. */
+#define CSOPS_INSULTS 1
+
+/* Define to 1 if you want sudo to display "command not allowed" instead of
+   "command not found" when a command cannot be found. */
+/* #undef DONT_LEAK_PATH_INFO */
+
+/* A colon-separated list of pathnames to be used as the editor for visudo. */
+#define EDITOR _PATH_VI
+
+/* Define to 1 to enable environment function debugging. */
+/* #undef ENV_DEBUG */
+
+/* Define to 1 if you want visudo to honor the EDITOR and VISUAL env
+   variables. */
+/* #undef ENV_EDITOR */
+
+/* Define to 1 to enable environment resetting by default. */
+#define ENV_RESET TRUE
+
+/* If defined, users in this group need not enter a passwd (ie "sudo"). */
+/* #undef EXEMPTGROUP */
+
+/* Define to 1 if you want to require fully qualified hosts in sudoers. */
+/* #undef FQDN */
+
+/* Define to the type of elements in the array set by `getgroups'. Usually
+   this is either `int' or `gid_t'. */
+#define GETGROUPS_T gid_t
+
+/* Define to 1 if you want insults from the "Goon Show". */
+/* #undef GOONS_INSULTS */
+
+/* Define to 1 if you want 2001-like insults. */
+/* #undef HAL_INSULTS */
+
+/* Define to 1 if you use AFS. */
+/* #undef HAVE_AFS */
+
+/* Define to 1 if you use AIX general authentication. */
+/* #undef HAVE_AIXAUTH */
+
+/* Define to 1 if you have the `asprintf' function. */
+#define HAVE_ASPRINTF 1
+
+/* Define to 1 if you have the `authenticate' function. */
+/* #undef HAVE_AUTHENTICATE */
+
+/* Define to 1 if you have the `auth_challenge' function. */
+/* #undef HAVE_AUTH_CHALLENGE */
+
+/* Define to 1 if you have the `bigcrypt' function. */
+/* #undef HAVE_BIGCRYPT */
+
+/* Define to 1 if you use BSD authentication. */
+/* #undef HAVE_BSD_AUTH_H */
+
+/* Define to 1 to enable BSM audit support. */
+/* #undef HAVE_BSM_AUDIT */
+
+/* Define to 1 if you have the `closefrom' function. */
+#define HAVE_CLOSEFROM 1
+
+/* Define to 1 if you use OSF DCE. */
+/* #undef HAVE_DCE */
+
+/* Define to 1 if your `DIR' contains dd_fd. */
+/* #undef HAVE_DD_FD */
+
+/* Define to 1 if you have the declaration of `sys_siglist', and to 0 if you
+   don't. */
+/* #undef HAVE_DECL_SYS_SIGLIST */
+
+/* Define to 1 if you have the declaration of `_sys_siglist', and to 0 if you
+   don't. */
+/* #undef HAVE_DECL__SYS_SIGLIST */
+
+/* Define to 1 if you have the declaration of `__sys_siglist', and to 0 if you
+   don't. */
+/* #undef HAVE_DECL___SYS_SIGLIST */
+
+/* Define to 1 if you have the `dgettext' function. */
+/* #undef HAVE_DGETTEXT */
+
+/* Define to 1 if you have the <dirent.h> header file, and it defines `DIR'.
+   */
+#define HAVE_DIRENT_H 1
+
+/* Define to 1 if you have the `dirfd' function or macro. */
+#define HAVE_DIRFD 1
+
+/* Define to 1 if you have the `dispcrypt' function. */
+/* #undef HAVE_DISPCRYPT */
+
+/* Define to 1 if you have the <dlfcn.h> header file. */
+#define HAVE_DLFCN_H 1
+
+/* Define to 1 if your glob.h defines the GLOB_BRACE and GLOB_TILDE flags. */
+#define HAVE_EXTENDED_GLOB 1
+
+/* Define to 1 if your system has the F_CLOSEM fcntl. */
+/* #undef HAVE_FCNTL_CLOSEM */
+
+/* Define to 1 if you have the `fgetln' function. */
+/* #undef HAVE_FGETLN */
+
+/* Define to 1 if you have the `flock' function. */
+/* #undef HAVE_FLOCK */
+
+/* Define to 1 if you have the `fnmatch' function. */
+#define HAVE_FNMATCH 1
+
+/* Define to 1 if you have the `freeifaddrs' function. */
+#define HAVE_FREEIFADDRS 1
+
+/* Define to 1 if you have the `fstat' function. */
+#define HAVE_FSTAT 1
+
+/* Define to 1 if you have the `futime' function. */
+/* #undef HAVE_FUTIME */
+
+/* Define to 1 if you have the `futimes' function. */
+#define HAVE_FUTIMES 1
+
+/* Define to 1 if you have the `futimesat' function. */
+/* #undef HAVE_FUTIMESAT */
+
+/* Define to 1 if you use the FWTK authsrv daemon. */
+/* #undef HAVE_FWTK */
+
+/* Define to 1 if you have the `getaddrinfo' function. */
+#define HAVE_GETADDRINFO 1
+
+/* Define to 1 if you have the `getauthuid' function. (ULTRIX 4.x shadow
+   passwords) */
+/* #undef HAVE_GETAUTHUID */
+
+/* Define to 1 if you have the `getcwd' function. */
+#define HAVE_GETCWD 1
+
+/* Define to 1 if you have the `getdomainname' function. */
+#define HAVE_GETDOMAINNAME 1
+
+/* Define to 1 if you have the `getgroups' function. */
+#define HAVE_GETGROUPS 1
+
+/* Define to 1 if you have the `getifaddrs' function. */
+#define HAVE_GETIFADDRS 1
+
+/* Define to 1 if you have the `getline' function. */
+#define HAVE_GETLINE 1
+
+/* Define to 1 if you have the `getprogname' function. */
+#define HAVE_GETPROGNAME 1
+
+/* Define to 1 if you have the `getprpwnam' function. (SecureWare-style shadow
+   passwords) */
+/* #undef HAVE_GETPRPWNAM */
+
+/* Define to 1 if you have the `getpwanam' function. (SunOS 4.x shadow
+   passwords) */
+/* #undef HAVE_GETPWANAM */
+
+/* Define to 1 if you have the `getspnam' function (SVR4-style shadow
+   passwords) */
+/* #undef HAVE_GETSPNAM */
+
+/* Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow
+   passwords) */
+/* #undef HAVE_GETSPWUID */
+
+/* Define to 1 if you have the `gettimeofday' function. */
+#define HAVE_GETTIMEOFDAY 1
+
+/* Define to 1 if you have the `getuserattr' function. */
+/* #undef HAVE_GETUSERATTR */
+
+/* Define to 1 if you have the `getutid' function. */
+/* #undef HAVE_GETUTID */
+
+/* Define to 1 if you have the `getutxid' function. */
+/* #undef HAVE_GETUTXID */
+
+/* Define to 1 if you have the `glob' function. */
+#define HAVE_GLOB 1
+
+/* Define to 1 if you have the `grantpt' function. */
+/* #undef HAVE_GRANTPT */
+
+/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
+/* #undef HAVE_GSSAPI_GSSAPI_KRB5_H */
+
+/* Define to 1 if you have the `gss_krb5_ccache_name' function. */
+/* #undef HAVE_GSS_KRB5_CCACHE_NAME */
+
+/* Define to 1 if your Kerberos is Heimdal. */
+/* #undef HAVE_HEIMDAL */
+
+/* Define to 1 if <netinet/in.h> contains struct in6_addr. */
+#define HAVE_IN6_ADDR 1
+
+/* Define to 1 if you have the `initgroups' function. */
+#define HAVE_INITGROUPS 1
+
+/* Define to 1 if you have the `initprivs' function. */
+/* #undef HAVE_INITPRIVS */
+
+/* Define to 1 if you have the `innetgr' function. */
+#define HAVE_INNETGR 1
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define if you have isblank(3). */
+#define HAVE_ISBLANK 1
+
+/* Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for
+   shadow enabled) */
+/* #undef HAVE_ISCOMSEC */
+
+/* Define to 1 if you have the `issecure' function. (SunOS 4.x check for
+   shadow enabled) */
+/* #undef HAVE_ISSECURE */
+
+/* Define to 1 if you use Kerberos IV. */
+/* #undef HAVE_KERB4 */
+
+/* Define to 1 if you use Kerberos V. */
+/* #undef HAVE_KERB5 */
+
+/* Define to 1 if you have the `killpg' function. */
+#define HAVE_KILLPG 1
+
+/* Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function. */
+/* #undef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC */
+
+/* Define to 1 if your `krb5_get_init_creds_opt_free' function takes two
+   arguments. */
+/* #undef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS */
+
+/* Define to 1 if you have the `krb5_init_secure_context' function. */
+/* #undef HAVE_KRB5_INIT_SECURE_CONTEXT */
+
+/* Define to 1 if you have the `krb5_verify_user' function. */
+/* #undef HAVE_KRB5_VERIFY_USER */
+
+/* Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not) */
+/* #undef HAVE_LBER_H */
+
+/* Define to 1 if you use LDAP for sudoers. */
+/* #undef HAVE_LDAP */
+
+/* Define to 1 if you have the `ldapssl_init' function. */
+/* #undef HAVE_LDAPSSL_INIT */
+
+/* Define to 1 if you have the `ldapssl_set_strength' function. */
+/* #undef HAVE_LDAPSSL_SET_STRENGTH */
+
+/* Define to 1 if you have the `ldap_create' function. */
+/* #undef HAVE_LDAP_CREATE */
+
+/* Define to 1 if you have the `ldap_initialize' function. */
+/* #undef HAVE_LDAP_INITIALIZE */
+
+/* Define to 1 if you have the `ldap_sasl_bind_s' function. */
+/* #undef HAVE_LDAP_SASL_BIND_S */
+
+/* Define to 1 if you have the `ldap_sasl_interactive_bind_s' function. */
+/* #undef HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+
+/* Define to 1 if you have the `ldap_search_ext_s' function. */
+/* #undef HAVE_LDAP_SEARCH_EXT_S */
+
+/* Define to 1 if you have the `ldap_search_st' function. */
+/* #undef HAVE_LDAP_SEARCH_ST */
+
+/* Define to 1 if you have the `ldap_ssl_client_init' function. */
+/* #undef HAVE_LDAP_SSL_CLIENT_INIT */
+
+/* Define to 1 if you have the <ldap_ssl.h> header file. */
+/* #undef HAVE_LDAP_SSL_H */
+
+/* Define to 1 if you have the `ldap_start_tls_s' function. */
+/* #undef HAVE_LDAP_START_TLS_S */
+
+/* Define to 1 if you have the `ldap_start_tls_s_np' function. */
+/* #undef HAVE_LDAP_START_TLS_S_NP */
+
+/* Define to 1 if you have the `ldap_str2dn' function. */
+/* #undef HAVE_LDAP_STR2DN */
+
+/* Define to 1 if you have the `ldap_unbind_ext_s' function. */
+/* #undef HAVE_LDAP_UNBIND_EXT_S */
+
+/* Define to 1 if you have the `dl' library (-ldl). */
+/* #undef HAVE_LIBDL */
+
+/* Define to 1 to enable Linux audit support. */
+/* #undef HAVE_LINUX_AUDIT */
+
+/* Define to 1 if you have the `lockf' function. */
+#define HAVE_LOCKF 1
+
+/* Define to 1 if you have the <login_cap.h> header file. */
+#define HAVE_LOGIN_CAP_H 1
+
+/* Define to 1 if the system has the type `long long int'. */
+#define HAVE_LONG_LONG_INT 1
+
+/* Define to 1 if you have the `lrand48' function. */
+/* #undef HAVE_LRAND48 */
+
+/* Define to 1 if you have the <maillock.h> header file. */
+/* #undef HAVE_MAILLOCK_H */
+
+/* Define to 1 if you have the <malloc.h> header file. */
+/* #undef HAVE_MALLOC_H */
+
+/* Define to 1 if you have the `mbr_check_membership' function. */
+/* #undef HAVE_MBR_CHECK_MEMBERSHIP */
+
+/* Define to 1 if you have the `memchr' function. */
+#define HAVE_MEMCHR 1
+
+/* Define to 1 if you have the `memcpy' function. */
+#define HAVE_MEMCPY 1
+
+/* Define to 1 if you have the <memory.h> header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the `memrchr' function. */
+#define HAVE_MEMRCHR 1
+
+/* Define to 1 if you have the `memset' function. */
+#define HAVE_MEMSET 1
+
+/* Define to 1 if you have the `mkstemps' function. */
+#define HAVE_MKSTEMPS 1
+
+/* Define to 1 if you have the <mps/ldap_ssl.h> header file. */
+/* #undef HAVE_MPS_LDAP_SSL_H */
+
+/* Define to 1 if you have the `nanosleep' function. */
+#define HAVE_NANOSLEEP 1
+
+/* Define to 1 if you have the <ndir.h> header file, and it defines `DIR'. */
+/* #undef HAVE_NDIR_H */
+
+/* Define to 1 if you have the <netgroup.h> header file. */
+/* #undef HAVE_NETGROUP_H */
+
+/* Define to 1 if you have the `nl_langinfo' function. */
+#define HAVE_NL_LANGINFO 1
+
+/* Define to 1 if you have the `openpty' function. */
+#define HAVE_OPENPTY 1
+
+/* Define to 1 if you use NRL OPIE. */
+/* #undef HAVE_OPIE */
+
+/* Define to 1 if you use PAM authentication. */
+#define HAVE_PAM 1
+
+/* Define to 1 if you use a specific PAM session for sudo -i. */
+/* #undef HAVE_PAM_LOGIN */
+
+/* Define to 1 if you have the <pam/pam_appl.h> header file. */
+/* #undef HAVE_PAM_PAM_APPL_H */
+
+/* Define to 1 if you have the <paths.h> header file. */
+#define HAVE_PATHS_H 1
+
+/* Define to 1 if you have the `posix_openpt' function. */
+/* #undef HAVE_POSIX_OPENPT */
+
+/* Define to 1 if you have the <project.h> header file. */
+/* #undef HAVE_PROJECT_H */
+
+/* Define to 1 if you have the <pty.h> header file. */
+/* #undef HAVE_PTY_H */
+
+/* Define to 1 if you have the `random' function. */
+/* #undef HAVE_RANDOM */
+
+/* Define to 1 if you have the `regcomp' function. */
+#define HAVE_REGCOMP 1
+
+/* Define to 1 if you have the `revoke' function. */
+/* #undef HAVE_REVOKE */
+
+/* Define to 1 if you have the <sasl.h> header file. */
+/* #undef HAVE_SASL_H */
+
+/* Define to 1 if you have the <sasl/sasl.h> header file. */
+/* #undef HAVE_SASL_SASL_H */
+
+/* Define if your struct sockadr has an sa_len field. */
+#define HAVE_SA_LEN 1
+
+/* Define to 1 if you use SecurID for authentication. */
+/* #undef HAVE_SECURID */
+
+/* Define to 1 if you have the <security/pam_appl.h> header file. */
+#define HAVE_SECURITY_PAM_APPL_H 1
+
+/* Define to 1 to enable SELinux RBAC support. */
+/* #undef HAVE_SELINUX */
+
+/* Define to 1 if you have the `setauthdb' function. */
+/* #undef HAVE_SETAUTHDB */
+
+/* Define to 1 if you have the `setenv' function. */
+#define HAVE_SETENV 1
+
+/* Define to 1 if you have the `seteuid' function. */
+#define HAVE_SETEUID 1
+
+/* Define to 1 if you have the `setkeycreatecon' function. */
+/* #undef HAVE_SETKEYCREATECON */
+
+/* Define to 1 if you have the `setlocale' function. */
+#define HAVE_SETLOCALE 1
+
+/* Define to 1 if you have the `setresuid' function. */
+#define HAVE_SETRESUID 1
+
+/* Define to 1 if you have the `setreuid' function. */
+/* #undef HAVE_SETREUID */
+
+/* Define to 1 if you have the `setrlimit' function. */
+#define HAVE_SETRLIMIT 1
+
+/* Define to 1 if you have the `setrlimit64' function. */
+/* #undef HAVE_SETRLIMIT64 */
+
+/* Define to 1 if you have the `setsid' function. */
+#define HAVE_SETSID 1
+
+/* Define to 1 if you have the `set_auth_parameters' function. */
+/* #undef HAVE_SET_AUTH_PARAMETERS */
+
+/* Define to 1 if you have the `sia_ses_init' function. */
+/* #undef HAVE_SIA_SES_INIT */
+
+/* Define to 1 if you have the `sigaction' function. */
+#define HAVE_SIGACTION 1
+
+/* Define to 1 if <signal.h> has the sigaction_t typedef. */
+/* #undef HAVE_SIGACTION_T */
+
+/* Define to 1 if you use S/Key. */
+/* #undef HAVE_SKEY */
+
+/* Define to 1 if your S/Key library has skeyaccess(). */
+/* #undef HAVE_SKEYACCESS */
+
+/* Define to 1 if you have the `snprintf' function. */
+#define HAVE_SNPRINTF 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strcasecmp' function. */
+#define HAVE_STRCASECMP 1
+
+/* Define to 1 if you have the `strchr' function. */
+#define HAVE_STRCHR 1
+
+/* Define to 1 if you have the `strerror' function. */
+#define HAVE_STRERROR 1
+
+/* Define to 1 if you have the `strftime' function. */
+#define HAVE_STRFTIME 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strlcat' function. */
+#define HAVE_STRLCAT 1
+
+/* Define to 1 if you have the `strlcpy' function. */
+#define HAVE_STRLCPY 1
+
+/* Define to 1 if you have the `strrchr' function. */
+#define HAVE_STRRCHR 1
+
+/* Define to 1 if you have the `strsignal' function. */
+#define HAVE_STRSIGNAL 1
+
+/* Define to 1 if the system has the type `struct in6_addr'. */
+#define HAVE_STRUCT_IN6_ADDR 1
+
+/* Define to 1 if your struct stat has an st_mtim member */
+#define HAVE_ST_MTIM 1
+
+/* Define to 1 if your struct stat has an st_mtimespec member */
+/* #undef HAVE_ST_MTIMESPEC */
+
+/* Define to 1 if your struct stat uses an st__tim union */
+/* #undef HAVE_ST__TIM */
+
+/* Define to 1 if you have the `sysconf' function. */
+#define HAVE_SYSCONF 1
+
+/* Define to 1 if you have the `sysctl' function. */
+#define HAVE_SYSCTL 1
+
+/* Define to 1 if you have the <sys/bsdtypes.h> header file. */
+/* #undef HAVE_SYS_BSDTYPES_H */
+
+/* Define to 1 if you have the <sys/dir.h> header file, and it defines `DIR'.
+   */
+/* #undef HAVE_SYS_DIR_H */
+
+/* Define to 1 if you have the <sys/ndir.h> header file, and it defines `DIR'.
+   */
+/* #undef HAVE_SYS_NDIR_H */
+
+/* Define to 1 if you have the <sys/select.h> header file. */
+#define HAVE_SYS_SELECT_H 1
+
+/* Define to 1 if you have the <sys/sockio.h> header file. */
+#define HAVE_SYS_SOCKIO_H 1
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/stropts.h> header file. */
+/* #undef HAVE_SYS_STROPTS_H */
+
+/* Define to 1 if you have the <sys/sysmacros.h> header file. */
+/* #undef HAVE_SYS_SYSMACROS_H */
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the `tcsetpgrp' function. */
+#define HAVE_TCSETPGRP 1
+
+/* Define to 1 if you have the <termios.h> header file and the `tcgetattr'
+   function. */
+#define HAVE_TERMIOS_H 1
+
+/* Define to 1 if you have the <termio.h> header file. */
+/* #undef HAVE_TERMIO_H */
+
+/* Define to 1 if you have struct timespec in sys/time.h */
+#define HAVE_TIMESPEC 1
+
+/* Define to 1 if you have the `tzset' function. */
+#define HAVE_TZSET 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 if you have the `unsetenv' function. */
+#define HAVE_UNSETENV 1
+
+/* Define to 1 if you have the <util.h> header file. */
+/* #undef HAVE_UTIL_H */
+
+/* Define to 1 if you have the `utimes' function. */
+#define HAVE_UTIMES 1
+
+/* Define to 1 if you have the <utime.h> header file. */
+#define HAVE_UTIME_H 1
+
+/* Define to 1 if you have the `vasprintf' function. */
+#define HAVE_VASPRINTF 1
+
+/* Define to 1 if you have the `vsnprintf' function. */
+#define HAVE_VSNPRINTF 1
+
+/* Define to 1 if you have the `wait3' function. */
+/* #undef HAVE_WAIT3 */
+
+/* Define to 1 if you have the `waitpid' function. */
+#define HAVE_WAITPID 1
+
+/* Define to 1 if you have the <zlib.h> header file. */
+#define HAVE_ZLIB_H 1
+
+/* Define to 1 if you have the `_getpty' function. */
+/* #undef HAVE__GETPTY */
+
+/* Define to 1 if you have the `_innetgr' function. */
+/* #undef HAVE__INNETGR */
+
+/* Define to 1 if your crt0.o defines the __progname symbol for you. */
+/* #undef HAVE___PROGNAME */
+
+/* Define to 1 if you want the hostname to be entered into the log file. */
+/* #undef HOST_IN_LOG */
+
+/* Define to 1 if you want to ignore '.' and empty PATH elements */
+/* #undef IGNORE_DOT_PATH */
+
+/* The message given when a bad password is entered. */
+#define INCORRECT_PASSWORD "Sorry, try again."
+
+/* The name of libvas.so */
+/* #undef LIBVAS_SO */
+
+/* The syslog facility sudo will use. */
+#define LOGFAC "authpriv"
+
+/* Define to SLOG_SYSLOG, SLOG_FILE, or SLOG_BOTH. */
+#define LOGGING SLOG_SYSLOG
+
+/* Define to 1 if you want a two line OTP (S/Key or OPIE) prompt. */
+/* #undef LONG_OTP_PROMPT */
+
+/* Define to the sub-directory in which libtool stores uninstalled libraries.
+   */
+#define LT_OBJDIR ".libs/"
+
+/* The subject of the mail sent by sudo to the MAILTO user/address. */
+#define MAILSUBJECT "*** SECURITY information for %h ***"
+
+/* The user or email address that sudo mail is sent to. */
+#define MAILTO "root"
+
+/* The max number of chars per log file line (for line wrapping). */
+#define MAXLOGFILELEN 80
+
+/* Define to the max length of a uid_t in string context (excluding the NUL).
+   */
+#define MAX_UID_T_LEN 10
+
+/* Define to 1 if you don't want sudo to prompt for a password by default. */
+/* #undef NO_AUTHENTICATION */
+
+/* Define to 1 if you don't want users to get the lecture the first they user
+   sudo. */
+/* #undef NO_LECTURE */
+
+/* Define to 1 if you don't want to use sudo's PAM session support */
+/* #undef NO_PAM_SESSION */
+
+/* Define to avoid runing the mailer as root. */
+/* #undef NO_ROOT_MAILER */
+
+/* Define to 1 if root should not be allowed to use sudo. */
+/* #undef NO_ROOT_SUDO */
+
+/* Define to 1 if you want a single ticket file instead of per-tty files. */
+/* #undef NO_TTY_TICKETS */
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT "http://www.sudo.ws/bugs/"
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME "sudo"
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING "sudo 1.7.6p2"
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME "sudo"
+
+/* Define to the home page for this package. */
+#define PACKAGE_URL ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION "1.7.6p2"
+
+/* The default password prompt. */
+#define PASSPROMPT "Password:"
+
+/* The passwd prompt timeout (in minutes). */
+#define PASSWORD_TIMEOUT 5
+
+/* Define to 1 to replace politically incorrect insults with less offensive
+   ones. */
+/* #undef PC_INSULTS */
+
+/* The syslog priority sudo will use for unsuccessful attempts/errors. */
+#define PRI_FAILURE "alert"
+
+/* The syslog priority sudo will use for successful attempts. */
+#define PRI_SUCCESS "notice"
+
+/* Define to 1 if the `putenv' has a const argument. */
+/* #undef PUTENV_CONST */
+
+/* Define as the return type of signal handlers (`int' or `void'). */
+#define RETSIGTYPE void
+
+/* The user sudo should run commands as by default. */
+#define RUNAS_DEFAULT "root"
+
+/* Define to 1 to override the user's path with a built-in one. */
+/* #undef SECURE_PATH */
+
+/* Define to 1 to send mail when the user is not allowed to run a command. */
+/* #undef SEND_MAIL_WHEN_NOT_OK */
+
+/* Define to 1 to send mail when the user is not allowed to run sudo on this
+   host. */
+/* #undef SEND_MAIL_WHEN_NO_HOST */
+
+/* Define to 1 to send mail when the user is not in the sudoers file. */
+#define SEND_MAIL_WHEN_NO_USER 1
+
+/* Define to 1 if the `setpgrp' function takes no argument. */
+/* #undef SETPGRP_VOID */
+
+/* Define to 1 if you want sudo to start a shell if given no arguments. */
+/* #undef SHELL_IF_NO_ARGS */
+
+/* Define to 1 if you want sudo to set $HOME in shell mode. */
+/* #undef SHELL_SETS_HOME */
+
+/* The size of `long int', as computed by sizeof. */
+#define SIZEOF_LONG_INT 8
+
+/* Define to 1 if you have the ANSI C header files. */
+#define STDC_HEADERS 1
+
+/* Define to 1 if the code in interfaces.c does not compile for you. */
+/* #undef STUB_LOAD_INTERFACES */
+
+/* The umask that the sudo-run prog should use. */
+#define SUDO_UMASK 0022
+
+/* The number of minutes before sudo asks for a password again. */
+#define TIMEOUT 5
+
+/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
+#define TIME_WITH_SYS_TIME 1
+
+/* The number of tries a user gets to enter their password. */
+#define TRIES_FOR_PASSWORD 3
+
+/* Define to 1 to use the umask specified in sudoers even when it is less
+   restrictive than the invoking user's. */
+/* #undef UMASK_OVERRIDE */
+
+/* Define to 1 if the `unsetenv' function returns void instead of `int'. */
+/* #undef UNSETENV_VOID */
+
+/* Define to 1 if you want to create ~/.sudo_as_admin_successful if the user
+   is in the admin group the first time they run sudo. */
+/* #undef USE_ADMIN_FLAG */
+
+/* Define to 1 if you want to insult the user for entering an incorrect
+   password. */
+#define USE_INSULTS 1
+
+/* Define to 1 if you use GNU stow packaging. */
+/* #undef USE_STOW */
+
+/* Define to 1 if using a non-Unix group lookup implementation. */
+/* #undef USING_NONUNIX_GROUPS */
+
+/* Define to avoid using the passwd/shadow file for authentication. */
+#define WITHOUT_PASSWD 1
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+/* #undef _FILE_OFFSET_BITS */
+
+/* Define for large files, on AIX-style hosts. */
+/* #undef _LARGE_FILES */
+
+/* Define to `signed' or nothing if compiler does not support a signed type
+   qualifier. */
+/* #undef __signed */
+
+/* Define to empty if `const' does not conform to ANSI C. */
+/* #undef const */
+
+/* Define if your system lacks the dev_t type. */
+/* #undef dev_t */
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+/* #undef gid_t */
+
+/* Define if your system lacks the ino_t type. */
+/* #undef ino_t */
+
+/* Define to `int' if <sys/types.h> does not define. */
+/* #undef mode_t */
+
+/* Define to `int' if <signal.h> does not define. */
+/* #undef sig_atomic_t */
+
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+/* #undef size_t */
+
+/* Define if your system lacks the ssize_t type. */
+/* #undef ssize_t */
+
+/* Define to `int' if <sys/types.h> doesn't define. */
+/* #undef uid_t */
+
+/* Define to empty if the keyword `volatile' does not work. Warning: valid
+   code using `volatile' can become incorrect without. Disable with care. */
+/* #undef volatile */
+
+/*
+ * Macros to convert ctime and mtime into timevals.
+ */
+#define timespec2timeval(_ts, _tv) do {					\
+    (_tv)->tv_sec = (_ts)->tv_sec;					\
+    (_tv)->tv_usec = (_ts)->tv_nsec / 1000;				\
+} while (0)
+
+#ifdef HAVE_ST_MTIM
+# ifdef HAVE_ST__TIM
+#  define ctim_get(_x, _y)	timespec2timeval(&(_x)->st_ctim.st__tim, (_y))
+#  define mtim_get(_x, _y)	timespec2timeval(&(_x)->st_mtim.st__tim, (_y))
+# else
+#  define ctim_get(_x, _y)	timespec2timeval(&(_x)->st_ctim, (_y))
+#  define mtim_get(_x, _y)	timespec2timeval(&(_x)->st_mtim, (_y))
+# endif
+#else
+# ifdef HAVE_ST_MTIMESPEC
+#  define ctim_get(_x, _y)	timespec2timeval(&(_x)->st_ctimespec, (_y))
+#  define mtim_get(_x, _y)	timespec2timeval(&(_x)->st_mtimespec, (_y))
+# else
+#  define ctim_get(_x, _y)	do { (_y)->tv_sec = (_x)->st_ctime; (_y)->tv_usec = 0; } while (0)
+#  define mtim_get(_x, _y)	do { (_y)->tv_sec = (_x)->st_mtime; (_y)->tv_usec = 0; } while (0)
+# endif /* HAVE_ST_MTIMESPEC */
+#endif /* HAVE_ST_MTIM */
+
+/*
+ * Emulate a subset of waitpid() if we don't have it.
+ */
+#ifdef HAVE_WAITPID
+# define sudo_waitpid(p, s, o)	waitpid(p, s, o)
+#else
+# ifdef HAVE_WAIT3
+#  define sudo_waitpid(p, s, o)	wait3(s, o, NULL)
+# endif
+#endif
+
+/* GNU stow needs /etc/sudoers to be a symlink. */
+#ifdef USE_STOW
+# define stat_sudoers	stat
+#else
+# define stat_sudoers	lstat
+#endif
+
+/* Macros to set/clear/test flags. */
+/* #undef SET */
+#define SET(t, f)	((t) |= (f))
+/* #undef CLR */
+#define CLR(t, f)	((t) &= ~(f))
+/* #undef ISSET */
+#define ISSET(t, f)     ((t) & (f))
+
+/* New ANSI-style OS defs for HP-UX and ConvexOS. */
+#if defined(hpux) && !defined(__hpux)
+# define __hpux		1
+#endif /* hpux */
+
+#if defined(convex) && !defined(__convex__)
+# define __convex__	1
+#endif /* convex */
+
+/* BSD compatibility on some SVR4 systems. */
+#ifdef __svr4__
+# define BSD_COMP
+#endif /* __svr4__ */
+
+#endif /* _SUDO_CONFIG_H */

Modified: trunk/contrib/sudo/configure
===================================================================
--- trunk/contrib/sudo/configure	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/configure	2014-10-02 03:32:57 UTC (rev 6804)
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.65 for sudo 1.7.5.
+# Generated by GNU Autoconf 2.65 for sudo 1.7.6p2.
 #
 # Report bugs to <http://www.sudo.ws/bugs/>.
 #
@@ -701,8 +701,8 @@
 # Identity of this package.
 PACKAGE_NAME='sudo'
 PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.5'
-PACKAGE_STRING='sudo 1.7.5'
+PACKAGE_VERSION='1.7.6p2'
+PACKAGE_STRING='sudo 1.7.6p2'
 PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
 PACKAGE_URL=''
 
@@ -1559,7 +1559,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures sudo 1.7.5 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.6p2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1624,7 +1624,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of sudo 1.7.5:";;
+     short | recursive ) echo "Configuration of sudo 1.7.6p2:";;
    esac
   cat <<\_ACEOF
 
@@ -1839,7 +1839,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-sudo configure 1.7.5
+sudo configure 1.7.6p2
 generated by GNU Autoconf 2.65
 
 Copyright (C) 2009 Free Software Foundation, Inc.
@@ -2538,7 +2538,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by sudo $as_me 1.7.5, which was
+It was created by sudo $as_me 1.7.6p2, which was
 generated by GNU Autoconf 2.65.  Invocation command line was
 
   $ $0 $@
@@ -3081,9 +3081,6 @@
 esac
 fi
 
-if test X"$with_devel" != X"yes"; then
-    ac_cv_prog_cc_g=no
-fi
 
 
 # Check whether --with-CC was given.
@@ -4077,8 +4074,7 @@
 # Check whether --with-skey was given.
 if test "${with_skey+set}" = set; then :
   withval=$with_skey; case $with_skey in
-    no)		with_skey=""
-		;;
+    no)		;;
     *)		$as_echo "#define HAVE_SKEY 1" >>confdefs.h
 
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to try S/Key authentication" >&5
@@ -4095,8 +4091,7 @@
 # Check whether --with-opie was given.
 if test "${with_opie+set}" = set; then :
   withval=$with_opie; case $with_opie in
-    no)		with_opie=""
-		;;
+    no)		;;
     *)		$as_echo "#define HAVE_OPIE 1" >>confdefs.h
 
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to try NRL OPIE authentication" >&5
@@ -4133,7 +4128,7 @@
 # Check whether --with-SecurID was given.
 if test "${with_SecurID+set}" = set; then :
   withval=$with_SecurID; case $with_SecurID in
-    no)		with_SecurID="";;
+    no)		;;
     *)		$as_echo "#define HAVE_SECURID 1" >>confdefs.h
 
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use SecurID for authentication" >&5
@@ -4150,7 +4145,7 @@
 # Check whether --with-fwtk was given.
 if test "${with_fwtk+set}" = set; then :
   withval=$with_fwtk; case $with_fwtk in
-    no)		with_fwtk="";;
+    no)		;;
     *)		$as_echo "#define HAVE_FWTK 1" >>confdefs.h
 
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use FWTK AuthSRV for authentication" >&5
@@ -4167,7 +4162,7 @@
 # Check whether --with-kerb4 was given.
 if test "${with_kerb4+set}" = set; then :
   withval=$with_kerb4; case $with_kerb4 in
-    no)		with_kerb4="";;
+    no)		;;
     *)		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to try kerberos IV authentication" >&5
 $as_echo_n "checking whether to try kerberos IV authentication... " >&6; }
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
@@ -4182,7 +4177,7 @@
 # Check whether --with-kerb5 was given.
 if test "${with_kerb5+set}" = set; then :
   withval=$with_kerb5; case $with_kerb5 in
-    no)		with_kerb5="";;
+    no)		;;
     *)		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to try Kerberos V authentication" >&5
 $as_echo_n "checking whether to try Kerberos V authentication... " >&6; }
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
@@ -6827,13 +6822,13 @@
 else
   lt_cv_nm_interface="BSD nm"
   echo "int some_variable = 0;" > conftest.$ac_ext
-  (eval echo "\"\$as_me:6830: $ac_compile\"" >&5)
+  (eval echo "\"\$as_me:6825: $ac_compile\"" >&5)
   (eval "$ac_compile" 2>conftest.err)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6833: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
+  (eval echo "\"\$as_me:6828: $NM \\\"conftest.$ac_objext\\\"\"" >&5)
   (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out)
   cat conftest.err >&5
-  (eval echo "\"\$as_me:6836: output\"" >&5)
+  (eval echo "\"\$as_me:6831: output\"" >&5)
   cat conftest.out >&5
   if $GREP 'External.*some_variable' conftest.out > /dev/null; then
     lt_cv_nm_interface="MS dumpbin"
@@ -8038,7 +8033,7 @@
   ;;
 *-*-irix6*)
   # Find out which ABI we are using.
-  echo '#line 8041 "configure"' > conftest.$ac_ext
+  echo '#line 8036 "configure"' > conftest.$ac_ext
   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
   (eval $ac_compile) 2>&5
   ac_status=$?
@@ -9431,11 +9426,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9434: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9429: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9438: \$? = $ac_status" >&5
+   echo "$as_me:9433: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9770,11 +9765,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9773: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9768: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>conftest.err)
    ac_status=$?
    cat conftest.err >&5
-   echo "$as_me:9777: \$? = $ac_status" >&5
+   echo "$as_me:9772: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings other than the usual output.
@@ -9875,11 +9870,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9878: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9873: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9882: \$? = $ac_status" >&5
+   echo "$as_me:9877: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -9930,11 +9925,11 @@
    -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
-   (eval echo "\"\$as_me:9933: $lt_compile\"" >&5)
+   (eval echo "\"\$as_me:9928: $lt_compile\"" >&5)
    (eval "$lt_compile" 2>out/conftest.err)
    ac_status=$?
    cat out/conftest.err >&5
-   echo "$as_me:9937: \$? = $ac_status" >&5
+   echo "$as_me:9932: \$? = $ac_status" >&5
    if (exit $ac_status) && test -s out/conftest2.$ac_objext
    then
      # The compiler can only warn and ignore the option if not recognized
@@ -12297,7 +12292,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12300 "configure"
+#line 12295 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -12393,7 +12388,7 @@
   lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
   lt_status=$lt_dlunknown
   cat > conftest.$ac_ext <<_LT_EOF
-#line 12396 "configure"
+#line 12391 "configure"
 #include "confdefs.h"
 
 #if HAVE_DLFCN_H
@@ -13307,7 +13302,7 @@
 		    SKIP_SETREUID=yes
 		    ;;
 		esac
-		if test "$with_skey" = "yes"; then
+		if test "${with_skey-'no'}" = "yes"; then
 		     SUDO_LIBS="${SUDO_LIBS} -lmd"
 		fi
 		CHECKSHADOW="false"
@@ -13343,7 +13338,7 @@
 		: ${with_logincap='maybe'}
 		;;
     *-*-dragonfly*)
-		if test "$with_skey" = "yes"; then
+		if test "${with_skey-'no'}" = "yes"; then
 		     SUDO_LIBS="${SUDO_LIBS} -lmd"
 		fi
 		CHECKSHADOW="false"
@@ -17303,17 +17298,15 @@
 
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-    fi
-fi
-if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then
-    $as_echo "#define HAVE_KERB5 1" >>confdefs.h
+    else
+	$as_echo "#define HAVE_KERB5 1" >>confdefs.h
 
-                if test "$with_kerb5" = "yes"; then
-	found=no
-	O_CPPFLAGS="$CPPFLAGS"
-	for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
-	    CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+				if test "$with_kerb5" = "yes"; then
+	    found=no
+	    O_CPPFLAGS="$CPPFLAGS"
+	    for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
+		CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
+		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <krb5.h>
 _ACEOF
@@ -17321,13 +17314,13 @@
   found=yes; break
 fi
 rm -f conftest.err conftest.$ac_ext
-	done
-	if test X"$found" = X"no"; then
-	    CPPFLAGS="$O_CPPFLAGS"
-	    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS" >&5
+	    done
+	    if test X"$found" = X"no"; then
+		CPPFLAGS="$O_CPPFLAGS"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS" >&5
 $as_echo "$as_me: WARNING: Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS" >&2;}
-	fi
-    else
+	    fi
+	else
 
     if test X"$with_rpath" = X"yes"; then
 	case "$host" in
@@ -17343,12 +17336,12 @@
 	blibpath_add="${blibpath_add}:${with_kerb5}/lib"
     fi
 
-	CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
-    fi
+	    CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
+	fi
 
-                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
 $as_echo_n "checking whether we are using Heimdal... " >&6; }
-    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 #include <krb5.h>
 int
@@ -17361,13 +17354,13 @@
 _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
 
-	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-	    $as_echo "#define HAVE_HEIMDAL 1" >>confdefs.h
+		$as_echo "#define HAVE_HEIMDAL 1" >>confdefs.h
 
-	    # XXX - need to check whether -lcrypo is needed!
-	    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
-	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lroken" >&5
+		# XXX - need to check whether -lcrypo is needed!
+		SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lroken" >&5
 $as_echo_n "checking for main in -lroken... " >&6; }
 if test "${ac_cv_lib_roken_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
@@ -17404,10 +17397,10 @@
 
 else
 
-	    { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-	    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
-	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lkrb5support" >&5
+		SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lkrb5support" >&5
 $as_echo_n "checking for main in -lkrb5support... " >&6; }
 if test "${ac_cv_lib_krb5support_main+set}" = set; then :
   $as_echo_n "(cached) " >&6
@@ -17444,7 +17437,8 @@
 
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-    AUTH_OBJS="$AUTH_OBJS kerb5.o"
+	AUTH_OBJS="$AUTH_OBJS kerb5.o"
+    fi
     _LIBS="$LIBS"
     LIBS="${LIBS} ${SUDO_LIBS}"
     for ac_func in krb5_verify_user krb5_init_secure_context
@@ -17503,7 +17497,7 @@
 done
 
     if test X"$sudo_cv_krb5_get_init_creds_opt_free_two_args" = X"yes"; then
-  	$as_echo "#define HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS 1" >>confdefs.h
+	$as_echo "#define HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS 1" >>confdefs.h
 
     fi
     LIBS="$_LIBS"
@@ -17575,7 +17569,7 @@
     AUTH_OBJS="$AUTH_OBJS dce.o"
 fi
 
-if test ${with_skey-'no'} = "yes"; then
+if test "${with_skey-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
 	CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
@@ -17755,7 +17749,7 @@
     AUTH_OBJS="$AUTH_OBJS rfc1938.o"
 fi
 
-if test ${with_opie-'no'} = "yes"; then
+if test "${with_opie-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
 	CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"
@@ -19326,7 +19320,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by sudo $as_me 1.7.5, which was
+This file was extended by sudo $as_me 1.7.6p2, which was
 generated by GNU Autoconf 2.65.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19392,7 +19386,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-sudo config.status 1.7.5
+sudo config.status 1.7.6p2
 configured by $0, generated by GNU Autoconf 2.65,
   with options \\"\$ac_cs_config\\"
 

Modified: trunk/contrib/sudo/configure.in
===================================================================
--- trunk/contrib/sudo/configure.in	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/configure.in	2014-10-02 03:32:57 UTC (rev 6804)
@@ -3,7 +3,7 @@
 dnl
 dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller <Todd.Miller at courtesan.com>
 dnl
-AC_INIT([sudo], [1.7.5], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.6p2], [http://www.sudo.ws/bugs/], [sudo])
 AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h)
 dnl
 dnl Note: this must come after AC_INIT
@@ -206,9 +206,6 @@
     *)		AC_MSG_WARN([Ignoring unknown argument to --with-devel: $with_devel])
 		;;
 esac])
-if test X"$with_devel" != X"yes"; then
-    ac_cv_prog_cc_g=no
-fi
 
 AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])],
 [case $with_CC in
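Review bot: Dropping the `ac_cv_prog_cc_g=no` override for non-devel builds changes the default compiler flags, since AC_PROG_CC then adds `-g` (typically `-g -O2`) whenever CFLAGS is unset, so packaged binaries presumably now carry debug information unless the packager sets CFLAGS explicitly. That is a deliberate-looking behaviour change, but nothing records it; a `dnl` line where the test used to be, e.g. `dnl Let AC_PROG_CC choose -g/-O2 defaults; packagers override via CFLAGS`, would keep the next reader from re-adding it.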
@@ -342,8 +339,7 @@
 
 AC_ARG_WITH(skey, [AS_HELP_STRING([--with-skey[=DIR]], [enable S/Key support ])],
 [case $with_skey in
-    no)		with_skey=""
-		;;
+    no)		;;
     *)		AC_DEFINE(HAVE_SKEY)
 		AC_MSG_CHECKING(whether to try S/Key authentication)
 		AC_MSG_RESULT(yes)
@@ -353,8 +349,7 @@
 
 AC_ARG_WITH(opie, [AS_HELP_STRING([--with-opie[=DIR]], [enable OPIE support ])],
 [case $with_opie in
-    no)		with_opie=""
-		;;
+    no)		;;
     *)		AC_DEFINE(HAVE_OPIE)
 		AC_MSG_CHECKING(whether to try NRL OPIE authentication)
 		AC_MSG_RESULT(yes)
@@ -377,7 +372,7 @@
 
 AC_ARG_WITH(SecurID, [AS_HELP_STRING([--with-SecurID[[=DIR]]], [enable SecurID support])],
 [case $with_SecurID in
-    no)		with_SecurID="";;
+    no)		;;
     *)		AC_DEFINE(HAVE_SECURID)
 		AC_MSG_CHECKING(whether to use SecurID for authentication)
 		AC_MSG_RESULT(yes)
@@ -387,7 +382,7 @@
 
 AC_ARG_WITH(fwtk, [AS_HELP_STRING([--with-fwtk[[=DIR]]], [enable FWTK AuthSRV support])],
 [case $with_fwtk in
-    no)		with_fwtk="";;
+    no)		;;
     *)		AC_DEFINE(HAVE_FWTK)
 		AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication)
 		AC_MSG_RESULT(yes)
@@ -397,7 +392,7 @@
 
 AC_ARG_WITH(kerb4, [AS_HELP_STRING([--with-kerb4[[=DIR]]], [enable Kerberos IV support])],
 [case $with_kerb4 in
-    no)		with_kerb4="";;
+    no)		;;
     *)		AC_MSG_CHECKING(whether to try kerberos IV authentication)
 		AC_MSG_RESULT(yes)
 		AUTH_REG="$AUTH_REG kerb4"
@@ -406,7 +401,7 @@
 
 AC_ARG_WITH(kerb5, [AS_HELP_STRING([--with-kerb5[[=DIR]]], [enable Kerberos V support])],
 [case $with_kerb5 in
-    no)		with_kerb5="";;
+    no)		;;
     *)		AC_MSG_CHECKING(whether to try Kerberos V authentication)
 		AC_MSG_RESULT(yes)
 		AUTH_REG="$AUTH_REG kerb5"
@@ -1743,7 +1738,7 @@
 		    SKIP_SETREUID=yes
 		    ;;
 		esac
-		if test "$with_skey" = "yes"; then
+		if test "${with_skey-'no'}" = "yes"; then
 		     SUDO_LIBS="${SUDO_LIBS} -lmd"
 		fi
 		CHECKSHADOW="false"
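Review bot: The default in `"${with_skey-'no'}"` is spelled with single quotes inside a double-quoted expansion, and shells differ on whether those quotes survive literally (bash yields `'no'`, others `no`); the `= "yes"` comparison is unaffected either way, but the idiom gives a wrong answer the moment it is copied into a `!= "no"` test. `"${with_skey-no}"` is the portable spelling and reads as intended. The same expansion appears in the dragonfly case below and in the S/Key and OPIE library hunks at the end of this file, as well as in the generated configure.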
@@ -1779,7 +1774,7 @@
 		: ${with_logincap='maybe'}
 		;;
     *-*-dragonfly*)
-		if test "$with_skey" = "yes"; then
+		if test "${with_skey-'no'}" = "yes"; then
 		     SUDO_LIBS="${SUDO_LIBS} -lmd"
 		fi
 		CHECKSHADOW="false"
@@ -2395,46 +2390,45 @@
 		AC_MSG_RESULT(no)
 	    ]
 	)
-    fi
-fi
-if test ${with_kerb5-'no'} != "no" -a -z "$KRB5CONFIG"; then
-    AC_DEFINE(HAVE_KERB5)
-    dnl
-    dnl Use the specified directory, if any, else search for correct inc dir
-    dnl
-    if test "$with_kerb5" = "yes"; then
-	found=no
-	O_CPPFLAGS="$CPPFLAGS"
-	for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
-	    CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
-	    AC_PREPROC_IFELSE([#include <krb5.h>], [found=yes; break])
-	done
-	if test X"$found" = X"no"; then
-	    CPPFLAGS="$O_CPPFLAGS"
-	    AC_MSG_WARN([Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
+    else
+	AC_DEFINE(HAVE_KERB5)
+	dnl
+	dnl Use the specified directory, if any, else search for correct inc dir
+	dnl
+	if test "$with_kerb5" = "yes"; then
+	    found=no
+	    O_CPPFLAGS="$CPPFLAGS"
+	    for dir in "" "kerberosV/" "krb5/" "kerberos5/" "kerberosv5/"; do
+		CPPFLAGS="$O_CPPFLAGS -I/usr/include/${dir}"
+		AC_PREPROC_IFELSE([#include <krb5.h>], [found=yes; break])
+	    done
+	    if test X"$found" = X"no"; then
+		CPPFLAGS="$O_CPPFLAGS"
+		AC_MSG_WARN([Unable to locate Kerberos V include files, you will have to edit the Makefile and add -I/path/to/krb/includes to CPPFLAGS])
+	    fi
+	else
+	    dnl XXX - try to include krb5.h here too
+	    SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb5}/lib])
+	    CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
 	fi
-    else
-	dnl XXX - try to include krb5.h here too
-	SUDO_APPEND_LIBPATH(SUDO_LDFLAGS, [${with_kerb5}/lib])
-	CPPFLAGS="$CPPFLAGS -I${with_kerb5}/include"
+
+	dnl
+	dnl Try to determine whether we have Heimdal or MIT Kerberos
+	dnl
+	AC_MSG_CHECKING(whether we are using Heimdal)
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(HAVE_HEIMDAL)
+		# XXX - need to check whether -lcrypo is needed!
+		SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
+		AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
+	    ], [
+		AC_MSG_RESULT(no)
+		SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
+		AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support"])
+	])
+	AUTH_OBJS="$AUTH_OBJS kerb5.o"
     fi
-
-    dnl
-    dnl Try to determine whether we have Heimdal or MIT Kerberos
-    dnl
-    AC_MSG_CHECKING(whether we are using Heimdal)
-    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <krb5.h>]], [[const char *tmp = heimdal_version;]])], [
-	    AC_MSG_RESULT(yes)
-	    AC_DEFINE(HAVE_HEIMDAL)
-	    # XXX - need to check whether -lcrypo is needed!
-	    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lcrypto -ldes -lcom_err -lasn1"
-	    AC_CHECK_LIB(roken, main, [SUDO_LIBS="${SUDO_LIBS} -lroken"])
-	], [
-	    AC_MSG_RESULT(no)
-	    SUDO_LIBS="${SUDO_LIBS} -lkrb5 -lk5crypto -lcom_err"
-	    AC_CHECK_LIB(krb5support, main, [SUDO_LIBS="${SUDO_LIBS} -lkrb5support"])
-    ])
-    AUTH_OBJS="$AUTH_OBJS kerb5.o"
     _LIBS="$LIBS"
     LIBS="${LIBS} ${SUDO_LIBS}"
     AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context)
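Review bot: The `else` that now opens the manual Kerberos V probing negates an `if` whose opening is outside this hunk (presumably the krb5-config test), so a reader of the branch cannot see what condition it is the fallback for; a `dnl No usable krb5-config: locate the krb5 include dir and libraries by hand` before `AC_DEFINE(HAVE_KERB5)` would make that explicit. The body itself is the previous code re-indented under the new branch, and the carried-over `# XXX - need to check whether -lcrypo is needed!` comment still misspells `-lcrypto`.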
@@ -2445,7 +2439,7 @@
 		   [AC_LANG_PROGRAM(
 		       [[#include <krb5.h>]],
 		       [[krb5_get_init_creds_opt_free(NULL, NULL);]]
-                   )],
+		   )],
 		    [sudo_cv_krb5_get_init_creds_opt_free_two_args=yes],
 		    [sudo_cv_krb5_get_init_creds_opt_free_two_args=no]
 		)
@@ -2453,7 +2447,7 @@
 	)
     ])
     if test X"$sudo_cv_krb5_get_init_creds_opt_free_two_args" = X"yes"; then
-  	AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
+	AC_DEFINE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS)
     fi
     LIBS="$_LIBS"
 fi
@@ -2518,7 +2512,7 @@
 dnl
 dnl extra S/Key lib and includes
 dnl
-if test ${with_skey-'no'} = "yes"; then
+if test "${with_skey-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_skey" != "yes"; then
 	CPPFLAGS="${CPPFLAGS} -I${with_skey}/include"
@@ -2552,7 +2546,7 @@
 dnl
 dnl extra OPIE lib and includes
 dnl
-if test ${with_opie-'no'} = "yes"; then
+if test "${with_opie-'no'}" = "yes"; then
     O_LDFLAGS="$LDFLAGS"
     if test "$with_opie" != "yes"; then
 	CPPFLAGS="${CPPFLAGS} -I${with_opie}/include"

Modified: trunk/contrib/sudo/exec.c
===================================================================
--- trunk/contrib/sudo/exec.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/exec.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -359,8 +359,6 @@
 		goto done;
 	    }
 	    if (n == -1) {
-		if (errno == EAGAIN || errno == EINTR)
-		    continue;
 		/* Error reading signal_pipe[0], should not happen. */
 		break;
 	    }
@@ -445,7 +443,7 @@
 
 /*
  * Read signals on fd written to by handler().
- * Returns -1 on error (possibly non-fatal), 0 on child exit, else 1.
+ * Returns -1 on error, 0 on child exit, else 1.
  */
 static int
 handle_signals(fd, child, cstat)
@@ -465,10 +463,14 @@
 	    /* It should not be possible to get EOF but just in case. */
 	    if (nread == 0)
 		errno = ECONNRESET;
-	    if (errno != EINTR && errno != EAGAIN) {
-		cstat->type = CMD_ERRNO;
-		cstat->val = errno;
-	    }
+	    /* Restart if interrupted by signal so the pipe doesn't fill. */
+	    if (errno == EINTR)
+		continue;
+	    /* If pipe is empty, we are done. */
+	    if (errno == EAGAIN)
+		break;
+	    cstat->type = CMD_ERRNO;
+	    cstat->val = errno;
 	    return -1;
 	}
 	if (signo == SIGCHLD) {
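Review bot: After the new `break` on EAGAIN, what handle_signals returns is decided outside this hunk, and it must not be -1: the caller's `n == -1` path in the first hunk of this file no longer retries on EAGAIN/EINTR and now leaves its loop on any -1, so a benign "pipe drained" result returned as -1 would end command supervision. The three outcomes of the read are now distinct (retry, drained, error) but only two are commented; a `/* Pipe drained, nothing more to deliver. */` on the EAGAIN branch and a sentence in the header comment saying EAGAIN is not an error would pin the contract. The `nread == 0` case sets errno to ECONNRESET before the tests, so it correctly reaches the error return. handle_signals's body begins and ends outside the hunk.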
@@ -490,9 +492,25 @@
 #endif
 		{
 		    if (WIFSTOPPED(status)) {
-			/* Child may not have privs to suspend us itself. */
+			/*
+			 * Save the controlling terminal's process group
+			 * so we can restore it after we resume.
+			 */
+#ifdef HAVE_TCSETPGRP
+			pid_t saved_pgrp = (pid_t)-1;
+			int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY, 0);
+			if (fd != -1)
+			    saved_pgrp = tcgetpgrp(fd);
+#endif /* HAVE_TCSETPGRP */
 			if (kill(getpid(), WSTOPSIG(status)) != 0)
 			    warning("kill(%d, %d)", getpid(), WSTOPSIG(status));
+#ifdef HAVE_TCSETPGRP
+			if (fd != -1) {
+			    if (saved_pgrp != (pid_t)-1)
+				(void)tcsetpgrp(fd, saved_pgrp);
+			    close(fd);
+			}
+#endif /* HAVE_TCSETPGRP */
 		    } else {
 			/* Child has exited, we are done. */
 			cstat->type = CMD_WSTATUS;
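Review bot: The new `int fd = open(_PATH_TTY, ...)` inside the WIFSTOPPED block shadows handle_signals's `fd` parameter (the signal pipe, per the signature two hunks up), so within that block a reader cannot tell which descriptor is meant and a later edit touching the pipe there would silently use the tty. Renaming the local removes the ambiguity: `int ttyfd = open(_PATH_TTY, O_RDWR|O_NOCTTY, 0);` with the `tcgetpgrp`, `tcsetpgrp` and `close` calls switched to `ttyfd`. The removed SIGCONT block had the same shadowing, so this is not new, but the rewrite is the moment to fix it. The `tcsetpgrp` result is also discarded here whereas exec_pty.c retries it on EINTR; a matching retry loop would be consistent.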
@@ -510,20 +528,6 @@
 	    } else
 #endif
 	    {
-#ifdef HAVE_TCSETPGRP
-		if (signo == SIGCONT) {
-		    /*
-		     * Before continuing the child, make it the foreground
-		     * pgrp if possible.  Fixes resuming a shell.
-		     */
-		    int fd = open(_PATH_TTY, O_RDWR|O_NOCTTY, 0);
-		    if (fd != -1) {
-			if (tcgetpgrp(fd) == getpgrp())
-			    (void)tcsetpgrp(fd, child);
-			close(fd);
-		    }
-		}
-#endif
 		/* Nothing listening on sv[0], send directly. */
 		if (kill(child, signo) != 0)
 		    warning("kill(%d, %d)", child, signo);

Modified: trunk/contrib/sudo/exec_pty.c
===================================================================
--- trunk/contrib/sudo/exec_pty.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/exec_pty.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -97,7 +97,7 @@
 static int pipeline = FALSE;
 static int tty_initialized;
 static int ttymode = TERM_COOKED;
-static pid_t ppgrp, child;
+static pid_t ppgrp, child, child_pgrp;
 static struct io_buffer *iobufs;
 
 static void flush_output __P((void));
@@ -594,7 +594,7 @@
     case SIGCONT_FG:
 	/* Continue in foreground, grant it controlling tty. */
 	do {
-	    status = tcsetpgrp(io_fds[SFD_SLAVE], pid);
+	    status = tcsetpgrp(io_fds[SFD_SLAVE], child_pgrp);
 	} while (status == -1 && errno == EINTR);
 	killpg(pid, SIGCONT);
 	break;
@@ -662,6 +662,9 @@
 	    cstat->type = CMD_WSTATUS;
 	    cstat->val = status;
 	    if (WIFSTOPPED(status)) {
+		do {
+		    child_pgrp = tcgetpgrp(io_fds[SFD_SLAVE]);
+		} while (child_pgrp == -1 && errno == EINTR);
 		if (send_status(backchannel, cstat) == -1)
 		    return alive; /* XXX */
 	    }
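Review bot: If `tcgetpgrp` fails for a reason other than EINTR, the loop leaves `child_pgrp` at -1, and the SIGCONT_FG case in the earlier hunk then passes that -1 to `tcsetpgrp` unchecked, whereas the value set at fork time would still have been a usable process group. Reading into a local and updating `child_pgrp` only on success keeps the last known good value. The enclosing function starts and ends outside the hunk.
```c
	    if (WIFSTOPPED(status)) {
		pid_t pgrp;
		do {
		    pgrp = tcgetpgrp(io_fds[SFD_SLAVE]);
		} while (pgrp == -1 && errno == EINTR);
		if (pgrp != -1)
		    child_pgrp = pgrp;	/* keep the last known good pgrp on failure */
		/* … unchanged: send_status(backchannel, cstat) … */
```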
@@ -793,10 +796,11 @@
      * Put child in its own process group.  If we are starting the command
      * in the foreground, assign its pgrp to the tty.
      */
-    setpgid(child, child);
+    child_pgrp = child;
+    setpgid(child, child_pgrp);
     if (foreground) {
 	do {
-	    status = tcsetpgrp(io_fds[SFD_SLAVE], child);
+	    status = tcsetpgrp(io_fds[SFD_SLAVE], child_pgrp);
 	} while (status == -1 && errno == EINTR);
     }
 

Modified: trunk/contrib/sudo/gram.c
===================================================================
--- trunk/contrib/sudo/gram.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/gram.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -821,10 +821,9 @@
     parse_error = FALSE;
     errorlineno = -1;
     errorfile = NULL;
-    sudolineno = 1;
     verbose = !quiet;
 }
-#line 775 "y.tab.c"
+#line 774 "y.tab.c"
 /* allocate initial stack or double stack size, up to YYMAXDEPTH */
 #if defined(__cplusplus) || defined(__STDC__)
 static int yygrowstack(void)
@@ -1593,7 +1592,7 @@
 			    yyval.member = new_member(yyvsp[0].string, WORD);
 			}
 break;
-#line 1544 "y.tab.c"
+#line 1543 "y.tab.c"
     }
     yyssp -= yym;
     yystate = *yyssp;

Modified: trunk/contrib/sudo/gram.y
===================================================================
--- trunk/contrib/sudo/gram.y	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/gram.y	2014-10-02 03:32:57 UTC (rev 6804)
@@ -790,6 +790,5 @@
     parse_error = FALSE;
     errorlineno = -1;
     errorfile = NULL;
-    sudolineno = 1;
     verbose = !quiet;
 }
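Review bot: With `sudolineno = 1` gone from this initialiser, the line counter is no longer reset together with the rest of the parser state; presumably the lexer now resets it when it opens a file, but if any caller re-runs the parser without reopening, error line numbers would continue from the previous run. A one-line comment in place of the deleted assignment, e.g. `/* sudolineno is reset by the lexer when a new file is opened. */`, records where the responsibility moved; the same deletion is mirrored in the generated gram.c.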

Modified: trunk/contrib/sudo/lbuf.c
===================================================================
--- trunk/contrib/sudo/lbuf.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/lbuf.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2010 Todd C. Miller <Todd.Miller at courtesan.com>
+ * Copyright (c) 2007-2011 Todd C. Miller <Todd.Miller at courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -280,12 +280,14 @@
     struct lbuf *lbuf;
 {
     char *cp, *ep;
-    int len, contlen;
+    int len;
 
-    contlen = lbuf->continuation ? strlen(lbuf->continuation) : 0;
+    if (lbuf->buf == NULL || lbuf->len == 0)
+	goto done;
 
     /* For very small widths just give up... */
-    if (lbuf->cols <= lbuf->indent + contlen + 20) {
+    len = lbuf->continuation ? strlen(lbuf->continuation) : 0;
+    if (lbuf->cols <= lbuf->indent + len + 20) {
 	lbuf->buf[lbuf->len] = '\0';
 	lbuf->output(lbuf->buf);
 	goto done;
@@ -297,9 +299,11 @@
 	    lbuf->output("\n");
 	    cp++;
 	} else {
-	    ep = memchr(cp, '\n', lbuf->len - (cp - lbuf->buf));
-	    len = ep ? (int)(ep - cp) : lbuf->len;
-	    lbuf_println(lbuf, cp, len);
+	    len = lbuf->len - (cp - lbuf->buf);
+	    if ((ep = memchr(cp, '\n', len)) != NULL)
+		len = (int)(ep - cp);
+	    if (len)
+		lbuf_println(lbuf, cp, len);
 	    cp = ep ? ep + 1 : NULL;
 	}
     }

Modified: trunk/contrib/sudo/ldap.c
===================================================================
--- trunk/contrib/sudo/ldap.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/ldap.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -201,6 +201,7 @@
     char *bindpw;
     char *rootbinddn;
     struct ldap_config_list_str *base;
+    char *search_filter;
     char *ssl;
     char *tls_cacertfile;
     char *tls_cacertdir;
@@ -285,6 +286,7 @@
     { "rootbinddn", CONF_STR, FALSE, -1, &ldap_conf.rootbinddn },
     { "sudoers_base", CONF_LIST_STR, FALSE, -1, &ldap_conf.base },
     { "sudoers_timed", CONF_BOOL, FALSE, -1, &ldap_conf.timed },
+    { "sudoers_search_filter", CONF_STR, FALSE, -1, &ldap_conf.search_filter },
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
     { "use_sasl", CONF_BOOL, FALSE, -1, &ldap_conf.use_sasl },
     { "sasl_auth_id", CONF_STR, FALSE, -1, &ldap_conf.sasl_auth_id },
@@ -977,6 +979,21 @@
 }
 
 /*
+ * Builds up a filter to search for default settings
+ */
+static char *
+sudo_ldap_build_default_filter()
+{
+    char *filt;
+
+    if (ldap_conf.search_filter)
+	easprintf(&filt, "(&%s(cn=defaults))", ldap_conf.search_filter);
+    else
+	filt = estrdup("cn=defaults");
+    return filt;
+}
+
+/*
  * Builds up a filter to check against LDAP.
  */
 static char *
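Review bot: `sudo_ldap_build_default_filter` yields `(&%s(cn=defaults))`, which is only a well-formed filter if `ldap_conf.search_filter` is itself a parenthesized filter; that invariant is established by the later read_config hunk that wraps an unparenthesized value, but nothing at this function says so. A comment such as `/* search_filter is guaranteed parenthesized by sudo_ldap_read_config(). */` ties the two together. It is also worth stating in the same comment that the value is spliced in verbatim with no escaping, i.e. it is trusted as an already-valid LDAP filter from ldap.conf, so nobody later feeds this function from a less trusted source.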
@@ -985,12 +1002,16 @@
 {
     struct group *grp;
     char *buf, timebuffer[TIMEFILTER_LENGTH];
-    size_t sz;
+    size_t sz = 0;
     int i;
 
-    /* Start with (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
-    sz = 29 + strlen(pw->pw_name);
+    /* Start with LDAP search filter length + 3 */
+    if (ldap_conf.search_filter)
+	sz += strlen(ldap_conf.search_filter) + 3;
 
+    /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
+    sz += 29 + strlen(pw->pw_name);
+
     /* Add space for groups */
     if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
 	sz += 12 + strlen(grp->gr_name);	/* primary group */
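Review bot: The size budget for the filter is computed by hand (`+ 3` for `(&` and `)`, `29 +` for the user clause) while the `strlcpy`/`strlcat` results in the following two hunks are discarded, so a miscount here would silently truncate the filter instead of failing, and a truncated filter changes which entries match. The pass2 hunk below already builds its filter with `easprintf`; doing the same here, or at minimum checking that the final `strlcat` return is `< sz` before the buffer is used, would make the accounting self-checking. This hunk's function begins above and ends below the visible lines.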
@@ -1012,12 +1033,15 @@
     *buf = '\0';
 
     /*
-     * If timed, start a global AND clause that will have the time limits
-     * as the second leg.
+     * If timed or using a search filter, start a global AND clause to
+     * contain the search filter, search criteria, and time restriction.
      */
-    if (ldap_conf.timed)
+    if (ldap_conf.timed || ldap_conf.search_filter)
 	(void) strlcpy(buf, "(&", sz);
 
+    if (ldap_conf.search_filter)
+	(void) strlcat(buf, ldap_conf.search_filter, sz);
+
     /* Global OR + sudoUser=user_name filter */
     (void) strlcat(buf, "(|(sudoUser=", sz);
     (void) strlcat(buf, pw->pw_name, sz);
@@ -1052,6 +1076,8 @@
 	strlcat(buf, ")", sz); /* closes the global OR */
 	sudo_ldap_timefilter(timebuffer, sizeof(timebuffer));
 	strlcat(buf, timebuffer, sz);
+    } else if (ldap_conf.search_filter) {
+	strlcat(buf, ")", sz); /* closes the global OR */
     }
     strlcat(buf, ")", sz); /* closes the global OR or the global AND */
 
@@ -1064,21 +1090,23 @@
 static char *
 sudo_ldap_build_pass2()
 {
-    char *buf, timebuffer[TIMEFILTER_LENGTH];
+    char *filt, timebuffer[TIMEFILTER_LENGTH];
 
-    if (ldap_conf.timed) {
-	/*
-	 * If timed, use a global AND clause that has the time limit as
-	 * as the second leg. 
-	 */
+    if (ldap_conf.timed)
 	sudo_ldap_timefilter(timebuffer, sizeof(timebuffer));
-	easprintf(&buf, "(&(sudoUser=+*)%s)", timebuffer);
-    } else {
-	/* No time limit, just the netgroup selection. */
-	buf = estrdup("sudoUser=+*");
-    }
 
-    return buf;
+    /*
+     * Match all sudoUsers beginning with a '+'.
+     * If a search filter or time restriction is specified, 
+     * those get ANDed in to the expression.
+     */
+    easprintf(&filt, "%s%s(sudoUser=+*)%s%s",
+	(ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
+	ldap_conf.search_filter ? ldap_conf.search_filter : "",
+	ldap_conf.timed ? timebuffer : "",
+	(ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+
+    return filt;
 }
 
 /*
@@ -1242,6 +1270,8 @@
 	    fprintf(stderr, "sudoers_base     %s\n",
 		"(NONE) <---Sudo will ignore ldap)");
 	}
+	if (ldap_conf.search_filter)
+	    fprintf(stderr, "search_filter    %s\n", ldap_conf.search_filter);
 	fprintf(stderr, "binddn           %s\n", ldap_conf.binddn ?
 	    ldap_conf.binddn : "(anonymous)");
 	fprintf(stderr, "bindpw           %s\n", ldap_conf.bindpw ?
@@ -1339,6 +1369,18 @@
 #endif
     }
 
+    /* If search filter is not parenthesized, make it so. */
+    if (ldap_conf.search_filter && ldap_conf.search_filter[0] != '(') {
+	size_t len = strlen(ldap_conf.search_filter);
+	cp = ldap_conf.search_filter;
+	ldap_conf.search_filter = emalloc(len + 3);
+	ldap_conf.search_filter[0] = '(';
+	memcpy(ldap_conf.search_filter + 1, cp, len);
+	ldap_conf.search_filter[len + 1] = ')';
+	ldap_conf.search_filter[len + 2] = '\0';
+	efree(cp);
+    }
+
     /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
     if (ldap_conf.rootbinddn)
 	sudo_ldap_read_secret(_PATH_LDAP_SECRET);
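Review bot: The wrapping test looks only at the first character, so a value with leading whitespace such as ` (cn=x)` is turned into `( (cn=x))`, which is not a valid filter, and the six lines of manual `emalloc`/`memcpy` re-implement what the file does elsewhere with `easprintf`. After `cp = ldap_conf.search_filter;` a single `easprintf(&ldap_conf.search_filter, "(%s)", cp);` followed by `efree(cp);` does the same job, and the condition could skip leading blanks before testing for `(`. `cp` is declared outside the hunk.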
@@ -1413,7 +1455,7 @@
     struct sudo_ldap_handle *handle = nss->handle;
     LDAP *ld;
     LDAPMessage *entry, *result;
-    char *prefix;
+    char *prefix, *filt;
     int rc, count = 0;
 
     if (handle == NULL || handle->ld == NULL)
@@ -1420,6 +1462,7 @@
 	goto done;
     ld = handle->ld;
 
+    filt = sudo_ldap_build_default_filter();
     for (base = ldap_conf.base; base != NULL; base = base->next) {
 	if (ldap_conf.timeout > 0) {
 	    tv.tv_sec = ldap_conf.timeout;
@@ -1428,7 +1471,7 @@
 	}
 	result = NULL;
 	rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
-	    "cn=defaults", NULL, 0, NULL, NULL, tvp, 0, &result);
+	    filt, NULL, 0, NULL, NULL, tvp, 0, &result);
 	if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
 	    bv = ldap_get_values_len(ld, entry, "sudoOption");
 	    if (bv != NULL) {
@@ -1447,6 +1490,7 @@
 	if (result)
 	    ldap_msgfree(result);
     }
+    efree(filt);
 done:
     return count;
 }
@@ -2079,6 +2123,7 @@
     struct timeval tv, *tvp = NULL;
     LDAP *ld;
     LDAPMessage *entry, *result;
+    char *filt;
     int rc;
 
     if (handle == NULL || handle->ld == NULL)
@@ -2085,6 +2130,9 @@
 	return -1;
     ld = handle->ld;
 
+    filt = sudo_ldap_build_default_filter();
+    DPRINTF(("Looking for cn=defaults: %s", filt), 1);
+
     for (base = ldap_conf.base; base != NULL; base = base->next) {
 	if (ldap_conf.timeout > 0) {
 	    tv.tv_sec = ldap_conf.timeout;
@@ -2093,7 +2141,7 @@
 	}
 	result = NULL;
 	rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE,
-	    "cn=defaults", NULL, 0, NULL, NULL, NULL, 0, &result);
+	    filt, NULL, 0, NULL, NULL, NULL, 0, &result);
 	if (rc == LDAP_SUCCESS && (entry = ldap_first_entry(ld, result))) {
 	    DPRINTF(("found:%s", ldap_get_dn(ld, entry)), 1);
 	    sudo_ldap_parse_options(ld, entry);
@@ -2103,6 +2151,7 @@
 	if (result)
 	    ldap_msgfree(result);
     }
+    efree(filt);
 
     return 0;
 }
@@ -2139,7 +2188,7 @@
 	enum def_tupple pwcheck = 
 	    (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
 
-        for (i = 0; i < lres->nentries; i++) {
+	for (i = 0; i < lres->nentries; i++) {
 	    entry = lres->entries[i].entry;
 	    if ((pwcheck == any && doauth != FALSE) ||
 		(pwcheck == all && doauth == FALSE)) {
@@ -2258,7 +2307,7 @@
     struct ldap_search_list *result = lres->searches;
 
     if (result) {
-        while (result->next)
+	while (result->next)
 	    result = result->next;
     }
     return result;

Modified: trunk/contrib/sudo/match.c
===================================================================
--- trunk/contrib/sudo/match.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/match.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -606,8 +606,9 @@
 	if (strcmp(user_base, dent->d_name) != 0 ||
 	    stat(buf, &sudoers_stat) == -1)
 	    continue;
-	if (user_stat->st_dev == sudoers_stat.st_dev &&
-	    user_stat->st_ino == sudoers_stat.st_ino) {
+	if (user_stat == NULL ||
+	    (user_stat->st_dev == sudoers_stat.st_dev &&
+	    user_stat->st_ino == sudoers_stat.st_ino)) {
 	    efree(safe_cmnd);
 	    safe_cmnd = estrdup(buf);
 	    break;
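Review bot: Accepting `user_stat == NULL` lets the directory match succeed on basename alone, without the device/inode comparison that otherwise guards against a different file of the same name, and nothing in the hunk says when a caller passes NULL. Because this condition decides whether a directory entry in sudoers covers the requested command, the relaxation deserves a comment at the condition, e.g. `/* user_stat is NULL when the caller could not stat the command; fall back to a name-only match. */`, with the actual callers confirmed before wording it. The enclosing function begins outside the hunk.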

Modified: trunk/contrib/sudo/mkpkg
===================================================================
--- trunk/contrib/sudo/mkpkg	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/mkpkg	2014-10-02 03:32:57 UTC (rev 6804)
@@ -1,7 +1,7 @@
 #!/bin/sh
 #
 # Build a binary package using polypkg
-# Usage: mkpkg [--debug] [--flavor flavor] [--platform platform]
+# Usage: mkpkg [--debug] [--flavor flavor] [--platform platform] [--osversion ver]
 #
 
 # Make sure IFS is set to space, tab, newline in that order.
@@ -12,9 +12,10 @@
 IFS=" 	$nl"
 
 # Parse arguments
-usage="usage: mkpkg [--debug] [--flavor flavor] [--platform platform]"
+usage="usage: mkpkg [--debug] [--flavor flavor] [--platform platform] [--osversion ver]"
 debug=0
 flavor=vanilla
+crossbuild=false
 while test $# -gt 0; do
     case "$1" in
 	--debug)
@@ -47,6 +48,22 @@
 	    PPFLAGS="${PPFLAGS}${PPFLAGS+$space}--platform $2"
 	    shift
 	    ;;
+	--osversion=?*)
+	    arg=`echo "$1" | sed -n 's/^--osversion=\(.*\)/\1/p'`
+	    osversion="$arg"
+	    ;;
+	--osversion)
+	    if [ $# -lt 2 ]; then
+		echo "$usage" 1>&2
+		exit 1
+	    fi
+	    osversion="$2"
+	    shift
+	    ;;
+	--build|--host)
+	    crossbuild=true
+	    configure_opts="${configure_opts}${configure_opts+$tab}$1"
+	    ;;
 	*)
 	    # Pass unknown options to configure
 	    configure_opts="${configure_opts}${configure_opts+$tab}$1"
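Review bot: The new `--build|--host)` arm only matches the bare spellings, so the usual `--host=triple` and `--build=triple` forms fall through to the catch-all and never set `crossbuild=true`; the native-compiler selection later in the script would then still run for a cross build. Extending the pattern to `--build=*|--host=*|--build|--host)` covers both forms. With the bare spelling the value in `$2` is not consumed here, so it is passed to configure as a separate word on the next iteration.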
@@ -57,8 +74,9 @@
 
 top_srcdir=`dirname $0`
 
-platform=`$top_srcdir/pp --probe` || exit 1
-osrelease=`echo "$platform" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
+: ${osversion="`$top_srcdir/pp --probe`"}
+test -n "$osversion" || exit 1
+osrelease=`echo "$osversion" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
 
 # Default paths
 prefix=/usr/local
@@ -65,7 +83,7 @@
 
 # Linux distros may build binaries as pie files.
 # This is really something libtool should figure out, but it does not.
-case "$platform" in
+case "$osversion" in
     *-s390*|*-sparc*|*-alpha*)
 	F_PIE=-fPIE
 	;;
@@ -74,27 +92,38 @@
 	;;
 esac
 
-# Choose compiler options by platform.
-case "$platform" in
-    hpux*)
-	# Use the HP ANSI C compiler on HP-UX if possible
-	if [ -z "$CC" -a -x /opt/ansic/bin/cc ]; then
-	    CC=/opt/ansic/bin/cc; export CC
-	    if [ -z "$CFLAGS" ]; then
-		CFLAGS=-O; export CFLAGS
+# Choose compiler options by osversion if not cross-compiling.
+if [ "$crossbuild" = "false" ]; then
+    case "$osversion" in
+	hpux*)
+	    # Use the HP ANSI C compiler on HP-UX if possible
+	    if [ -z "$CC" -a -x /opt/ansic/bin/cc ]; then
+		CC=/opt/ansic/bin/cc; export CC
+		if [ -z "$CFLAGS" ]; then
+		    CFLAGS=-O; export CFLAGS
+		fi
 	    fi
-	fi
-	;;
-esac
+	    ;;
+	sol[0-9]*)
+	    # Use the Sun Studio C compiler on Solaris if possible
+	    if [ -z "$CC" -a -x /usr/bin/cc ]; then
+		CC=/usr/bin/cc; export CC
+		if [ -z "$CFLAGS" ]; then
+		    CFLAGS=-O; export CFLAGS
+		fi
+	    fi
+	    ;;
+    esac
+fi
 
-# Choose configure options by platform.
+# Choose configure options by osversion.
 # We use the same configure options as vendor packages when possible.
-case "$platform" in
+case "$osversion" in
     centos*|rhel*)
 	prefix=/usr
 	if [ $osrelease -ge 50 ]; then
 	    # RHEL 5 and up build pies and have audit support
-	    export CFLAGS="$F_PIE" LDFLAGS="-pie"
+	    export CFLAGS="-O2 $F_PIE" LDFLAGS="-pie"
 	    configure_opts="${configure_opts}${configure_opts+$tab}--with-linux-audit"
 	    PPVARS="${PPVARS}${PPVARS+$space}linux_audit=1.4.0"
 	fi
@@ -118,7 +147,7 @@
 	prefix=/usr
 	if [ $osrelease -ge 10 ]; then
 	    # SLES 10 and higher build pies
-	    export CFLAGS="$F_PIE" LDFLAGS="-pie"
+	    export CFLAGS="-O2 $F_PIE" LDFLAGS="-pie"
 	    if [ $osrelease -ge 11 ]; then
 		# SLES 11 and higher has SELinux
 		configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux"
@@ -125,7 +154,7 @@
 	    fi
 	fi
 	# SuSE doesn't have /usr/libexec
-	case "$platform" in
+	case "$osversion" in
 	    *64*)	libexec=lib64;;
 	    *)		libexec=lib;;
 	esac
@@ -152,7 +181,7 @@
     deb*|ubu*)
 	prefix=/usr
 	# If Ubuntu, add --enable-admin-flag
-	case "$platform" in
+	case "$osversion" in
 	    ubu*)
 		configure_opts="${configure_opts}${configure_opts+$tab}--enable-admin-flag${tab}--without-lecture"
 		;;
@@ -187,7 +216,7 @@
     *)
 	# For Solaris, add project support and use let configure choose zlib.
 	# For all others, use the builtin zlib.
-	case "$platform" in
+	case "$osversion" in
 	    sol*) configure_opts="${configure_opts}${configure_opts+$tab}--with-project";;
 	    *) configure_opts="${configure_opts}${configure_opts+$tab}--enable-zlib=builtin";;
 	esac

Modified: trunk/contrib/sudo/parse_args.c
===================================================================
--- trunk/contrib/sudo/parse_args.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/parse_args.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -121,7 +121,7 @@
 		    break;
 		case 'C':
 		    if ((user_closefrom = atoi(optarg)) < 3) {
-			warningx("the argument to -C must be at least 3");
+			warningx("the argument to -C must be a number greater than or equal to 3");
 			usage(1);
 		    }
 		    break;
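Review bot: The new message promises a numeric check that `atoi` does not perform: `-C 3x` is accepted as 3, and an out-of-range value is undefined behaviour in atoi, so the only inputs actually rejected are those that parse below 3. Parsing with `strtol` and rejecting trailing characters makes the message true; the cast assumes `user_closefrom` is an int, which is not visible here. The switch begins and ends outside the hunk.
```c
		case 'C':
		    {
			char *ep;
			long val = strtol(optarg, &ep, 10);
			if (*optarg == '\0' || *ep != '\0' || val < 3) {
			    warningx("the argument to -C must be a number greater than or equal to 3");
			    usage(1);
			}
			user_closefrom = (int)val;
		    }
		    break;
```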

Added: trunk/contrib/sudo/pathnames.h
===================================================================
--- trunk/contrib/sudo/pathnames.h	                        (rev 0)
+++ trunk/contrib/sudo/pathnames.h	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,152 @@
+/* pathnames.h.  Generated from pathnames.h.in by configure.  */
+/*
+ * Copyright (c) 1996, 1998, 1999, 2001, 2004, 2005, 2007-2010
+ *	Todd C. Miller <Todd.Miller at courtesan.com>.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+/*
+ *  Pathnames to programs and files used by sudo.
+ */
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif /* HAVE_PATHS_H */
+
+#ifdef HAVE_MAILLOCK_H
+#include <maillock.h>
+#endif /* HAVE_MAILLOCK_H */
+
+#ifndef _PATH_DEV
+#define _PATH_DEV		"/dev/"
+#endif /* _PATH_DEV */
+
+#ifndef _PATH_TTY
+#define _PATH_TTY		"/dev/tty"
+#endif /* _PATH_TTY */
+
+#ifndef _PATH_DEVNULL
+#define _PATH_DEVNULL		"/dev/null"
+#endif /* _PATH_DEVNULL */
+
+#ifndef _PATH_DEFPATH
+#define _PATH_DEFPATH		"/usr/bin:/bin"
+#endif /* _PATH_DEFPATH */
+
+#ifndef _PATH_STDPATH
+#define _PATH_STDPATH		"/usr/bin:/bin:/usr/sbin:/sbin"
+#endif /* _PATH_STDPATH */
+
+#ifndef _PATH_ENVIRONMENT
+#define _PATH_ENVIRONMENT	"/etc/environment"
+#endif /* _PATH_ENVIRONMENT */
+
+/*
+ * NOTE: _PATH_SUDOERS is usually overridden by the Makefile.
+ */
+#ifndef _PATH_SUDOERS
+#define _PATH_SUDOERS		"/etc/sudoers"
+#endif /* _PATH_SUDOERS */
+
+/*
+ * The following paths are controlled via the configure script.
+ */
+
+/*
+ * Where to put the timestamp files.  Defaults to /var/run/sudo,
+ * /var/adm/sudo or /usr/adm/sudo depending on what exists.
+ */
+#ifndef _PATH_SUDO_TIMEDIR
+#define _PATH_SUDO_TIMEDIR "/var/db/sudo"
+#endif /* _PATH_SUDO_TIMEDIR */
+
+/*
+ * Where to put the I/O log files.  Defaults to /var/log/sudo-io,
+ * /var/adm/sudo-io or /usr/adm/sudo-io depending on what exists.
+ */
+#ifndef _PATH_SUDO_IO_LOGDIR
+#define _PATH_SUDO_IO_LOGDIR "/var/log/sudo-io"
+#endif /* _PATH_SUDO_IO_LOGDIR */
+
+/*
+ * Where to put the sudo log file when logging to a file.  Defaults to
+ * /var/log/sudo.log if /var/log exists, else /var/adm/sudo.log.
+ */
+#ifndef _PATH_SUDO_LOGFILE
+#define _PATH_SUDO_LOGFILE "/var/log/sudo.log"
+#endif /* _PATH_SUDO_LOGFILE */
+
+#ifndef _PATH_SUDO_SENDMAIL
+#define _PATH_SUDO_SENDMAIL "/usr/sbin/sendmail"
+#endif /* _PATH_SUDO_SENDMAIL */
+
+#ifndef _PATH_SUDO_NOEXEC
+#define _PATH_SUDO_NOEXEC "/usr/libexec/sudo_noexec.so"
+#endif /* _PATH_SUDO_NOEXEC */
+
+#ifndef _PATH_SUDO_ASKPASS
+/* #undef _PATH_SUDO_ASKPASS */
+#endif /* _PATH_SUDO_ASKPASS */
+
+#ifndef _PATH_VI
+#define _PATH_VI "/usr/bin/vi"
+#endif /* _PATH_VI */
+
+#ifndef _PATH_MV
+#define _PATH_MV "/bin/mv"
+#endif /* _PATH_MV */
+
+#ifndef _PATH_BSHELL
+#define _PATH_BSHELL "/bin/sh"
+#endif /* _PATH_BSHELL */
+
+#ifndef _PATH_TMP
+#define	_PATH_TMP	"/tmp/"
+#endif /* _PATH_TMP */
+
+#ifndef _PATH_VARTMP
+#define	_PATH_VARTMP	"/var/tmp/"
+#endif /* _PATH_VARTMP */
+
+#ifndef _PATH_USRTMP
+#define	_PATH_USRTMP	"/usr/tmp/"
+#endif /* _PATH_USRTMP */
+
+#ifndef _PATH_MAILDIR
+/* #undef _PATH_MAILDIR */
+#endif /* _PATH_MAILDIR */
+
+#ifndef _PATH_SUDO_SESH
+#define _PATH_SUDO_SESH "/usr/libexec/sesh"
+#endif /* _PATH_SUDO_SESH */
+
+#ifndef _PATH_LDAP_CONF
+#define _PATH_LDAP_CONF "/etc/ldap.conf"
+#endif /* _PATH_LDAP_CONF */
+
+#ifndef _PATH_LDAP_SECRET
+#define _PATH_LDAP_SECRET "/etc/ldap.secret"
+#endif /* _PATH_LDAP_SECRET */
+
+#ifndef _PATH_NSSWITCH_CONF
+#define _PATH_NSSWITCH_CONF "/etc/nsswitch.conf"
+#endif /* _PATH_NSSWITCH_CONF */
+
+#ifndef _PATH_NETSVC_CONF
+/* #undef _PATH_NETSVC_CONF */
+#endif /* _PATH_NETSVC_CONF */

Modified: trunk/contrib/sudo/pp
===================================================================
--- trunk/contrib/sudo/pp	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/pp	2014-10-02 03:32:57 UTC (rev 6804)
@@ -1,6 +1,6 @@
 #!/bin/sh
 # (c) 2011 Quest Software, Inc. All rights reserved
-pp_revision="301"
+pp_revision="305"
  # Copyright 2010 Quest Software, Inc.  All rights reserved.
  #
  # Redistribution and use in source and binary forms, with or without
@@ -1435,8 +1435,8 @@
 	esac
 
 	# convert numeric uids into usernames; only works for /etc/passwd
-	#case "$_o" in [0-9]*) _o=`pp_getpwuid $_o`;; esac
-	#case "$_g" in [0-9]*) _g=`pp_getgrgid $_g`;; esac
+	case "$_o" in [0-9]*) _o=`pp_getpwuid $_o`;; esac
+	case "$_g" in [0-9]*) _g=`pp_getgrgid $_g`;; esac
 
 	pp_debug "$_type $_m $_o $_g $_f $_path" $_tgt
 	$_ignore || echo "$_type $_m $_o $_g $_f $_path" $_tgt
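Review bot: The re-enabled lookups at `_o=`pp_getpwuid $_o`` and `_g=`pp_getgrgid $_g`` do not check whether the lookup succeeded, so an unknown uid/gid presumably leaves `_o`/`_g` empty and the record echoed two lines later loses a field. A guard such as `case "$_o" in [0-9]*) _o=`pp_getpwuid $_o` || pp_error "unknown uid $_o";; esac` (and the same for `_g`) would make the failure visible instead of producing a malformed manifest line; this assumes pp_getpwuid/pp_getgrgid return non-zero on failure, which is not visible here. The enclosing function starts and ends outside the hunk.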
@@ -1554,6 +1554,8 @@
         pp_aix_start_services_after_install=false
         pp_aix_init_services_after_install=true
 
+        pp_aix_sudo=sudo	# AIX package tools must run as root
+
         case "$pp_aix_os" in
             *) pp_readlink_fn=pp_ls_readlink;;  # XXX
         esac
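Review bot: `pp_aix_sudo=sudo` hard-codes the privilege-escalation command, and the hunk at L3105 replaces `${SUDO:-sudo}` with `$pp_aix_sudo`, so the previous environment override is lost; `pp_aix_sudo=${SUDO:-sudo}	# AIX package tools must run as root` would keep it. The macOS backend in the hunk at L3183 leaves `pp_macos_sudo` empty by default, so the two backends now default differently (privileged on AIX, unprivileged on macOS); if that asymmetry is intentional a comment on one of the two assignments saying so would help. The enclosing function starts outside the hunk.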
@@ -1688,8 +1690,6 @@
       esac
       echo " type = $type"
       echo " class = inventory,apply,$fileset"
-      set -- `/bin/ls -ld "$pp_destdir$p" 2>/dev/null`
-      owner=$3 group=$4 size=$5
       if test x"$m" = x"-"; then m="$defm"; fi
       if test x"$o" = x"-"; then o="root"; fi
       if test x"$g" = x"-"; then g="system"; fi
@@ -2043,7 +2043,7 @@
 	(cd $pp_destdir && pp_verbose  /usr/sbin/backup -i -q -p -f -) \
           < $pp_wrkdir/bff.list \
 	  > $pp_wrkdir/$outbff || pp_error "backup failed"
-        ${SUDO:-sudo} /usr/sbin/installp -l -d $pp_wrkdir/$outbff
+        $pp_aix_sudo /usr/sbin/installp -l -d $pp_wrkdir/$outbff
 }
 
 pp_backend_aix_cleanup () {
@@ -3138,9 +3138,9 @@
   echo "$prototype::"; cat $prototype
 fi >&2
 
-	pkgmk -a $pp_solaris_arch -d $pp_wrkdir/pkg \
-	      -f $prototype || { error "pkgmk failed"; return; }
-        pkgtrans -s $pp_wrkdir/pkg \
+	pkgmk -d $pp_wrkdir/pkg -f $prototype \
+		|| { error "pkgmk failed"; return; }
+	pkgtrans -s $pp_wrkdir/pkg \
 		$pp_wrkdir/`pp_backend_solaris_names` \
                 ${pp_solaris_name:-$name} \
 		|| { error "pkgtrans failed"; return; }
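Review bot: The rewritten `pkgmk -d $pp_wrkdir/pkg -f $prototype` drops `-a $pp_solaris_arch`, so pkgmk presumably falls back to the architecture from the prototype/pkginfo or the build host; a short comment such as `# arch comes from pkginfo (ARCH=), so -a is not needed` above the call would record why the flag went away. The error handlers on the new lines still call `error` while the file otherwise uses `pp_error` (L3103, L3209); unless `error` is a defined helper in this script, `pp_error` is the consistent choice. The enclosing function starts and ends outside the hunk.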
@@ -5269,28 +5269,29 @@
     rm $pp_wrkdir/dummy.spec
 
     #-- Ask the kernel what machine architecture is in use
-    local arch=`uname -p`
-    if [ "$arch" = "unknown" ]; then
-	arch=`uname -m`
-    fi
-
-    case "$arch" in
-	i?86)	pp_rpm_arch_std=i386;;
-	x86_64)	pp_rpm_arch_std=x86_64;;
-	ppc)	pp_rpm_arch_std=ppc;;
-	ppc64)	pp_rpm_arch_std=ppc64;;
-	ia64)	pp_rpm_arch_std=ia64;;
-	s390)	pp_rpm_arch_std=s390;;
-	s390x)	pp_rpm_arch_std=s390x;;
-	powerpc)
+    local arch
+    for arch in "`uname -m`" "`uname -p`"; do
+	case "$arch" in
+	    i?86)
+		pp_rpm_arch_std=i386
+		break
+		;;
+	    x86_64|ppc|ppc64|ia64|s390|s390x)
+		pp_rpm_arch_std="$arch"
+		break
+		;;
+	    powerpc)
 		# Probably AIX
 		case "`/usr/sbin/lsattr -El proc0 -a type -F value`" in
 		    PowerPC_POWER*)	pp_rpm_arch_std=ppc64;;
 		    *)			pp_rpm_arch_std=ppc;;
 		esac
+		break
 		;;
-	*)	pp_rpm_arch_std=unknown;;
-    esac
+	    *)	pp_rpm_arch_std=unknown
+		;;
+	esac
+    done
 
     #-- Later on, when files are processed, we use 'file' to determine
     #   what platform ABIs are used. This is used when pp_rpm_arch == auto
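Review bot: The new loop tries `uname -m` before `uname -p` (the old code did the opposite, consulting `-m` only when `-p` said "unknown"), and relies on the `*)` arm deliberately not breaking so the second value is tried; neither is stated. A comment above the `for`, e.g. `# Prefer uname -m; fall back to uname -p only when -m yields nothing we recognise`, and `# no break: try the next uname value` on the `*)` arm would keep a future reader from "fixing" the missing break. The enclosing function starts and ends outside the hunk.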
@@ -5332,6 +5333,10 @@
           /^S[uU]SE LINUX Enterprise Server [0-9]/ { print "sles" $5; exit; }
           /^SuSE SLES-[0-9]/  { print "sles" substr($2,6); exit; }
        ' /etc/SuSE-release`
+    elif test -f /etc/pld-release; then
+       pp_rpm_distro=`awk '
+          /^[^ ]* PLD Linux/ { print "pld" $1; exit; }
+       ' /etc/pld-release`
     elif test X"`uname -s 2>/dev/null`" = X"AIX"; then
 	local r v
 	r=`uname -r`
@@ -6450,6 +6455,7 @@
     pp_macos_prog_packagemaker=/Developer/usr/bin/packagemaker
     pp_macos_pkg_domain=anywhere
     pp_macos_pkg_extra_flags=
+    pp_macos_sudo=
     # OS X puts the library version *before* the .dylib extension
     pp_shlib_suffix='*.dylib'
 }
@@ -6644,20 +6650,20 @@
     bomstage=$pp_wrkdir/bom_stage
     while IFS='	' read path mode ugid size cksumi linkpath; do
 	if test -h "$pp_destdir/$path"; then
-	    /bin/ln -s "$linkpath" "$bomstage/$path"
+	    $pp_macos_sudo /bin/ln -s "$linkpath" "$bomstage/$path"
 	else
 	    if test -d "$pp_destdir/$path"; then
-		/bin/mkdir -p "$bomstage/$path"
+		$pp_macos_sudo /bin/mkdir -p "$bomstage/$path"
 	    else
-		/bin/cp "$pp_destdir/$path" "$bomstage/$path"
+		$pp_macos_sudo /bin/cp "$pp_destdir/$path" "$bomstage/$path"
 	    fi
-	    /bin/chmod $mode "$bomstage/$path"
-	    /usr/sbin/chown `echo $ugid| tr / :` "$bomstage/$path"
+	    $pp_macos_sudo /bin/chmod $mode "$bomstage/$path"
+	    $pp_macos_sudo /usr/sbin/chown `echo $ugid| tr / :` "$bomstage/$path"
 	fi
     done <"$1"
-    (cd $bomstage && mkbom . $pp_wrkdir/bom_stage.bom) ||
+    (cd $bomstage && $pp_macos_sudo mkbom . $pp_wrkdir/bom_stage.bom) ||
 	pp_error "mkbom failed"
-    mv $pp_wrkdir/bom_stage.bom "$2"
+    $pp_macos_sudo mv $pp_wrkdir/bom_stage.bom "$2"
 }
 
 pp_backend_macos () {
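Review bot: Only the mkbom step reports failure; the `$pp_macos_sudo /bin/ln`, `mkdir`, `cp`, `chmod` and `chown` commands in the loop have no error handling, so when `pp_macos_sudo` is set and sudo cannot run non-interactively (or a copy fails) the loop continues silently and an incomplete stage is packaged. Appending `|| pp_error "cannot stage $path"` to each of those lines (and `|| pp_error "cannot install bom"` to the final `mv`) would surface the failure at the point it happens. Note that with `pp_macos_sudo` set the staged files end up root-owned, which is why the later cleanup at L3220 also needs sudo; a one-line comment above the loop recording that dependency would help. The enclosing function starts outside the hunk.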
@@ -6828,7 +6834,7 @@
     cat $pp_wrkdir/%files.* | awk '{ print "." $6 }' | sed '/\/$/d' | sort | /bin/pax -w -f - | gzip -9 -c > $Contents/Archive.pax.gz
     )
 
-	rm -rf $pp_wrkdir/bom_stage
+	$pp_macos_sudo rm -rf $pp_wrkdir/bom_stage
 
     hdiutil create -fs HFS+ -srcfolder $pkgdir -volname $name ${name}-${version}.dmg
 }
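Review bot: `$pp_macos_sudo rm -rf $pp_wrkdir/bom_stage` now runs with elevated privileges, and `$pp_wrkdir` is unquoted and unchecked; should it ever be empty or contain whitespace, the command removes a different path as root. A guard such as `test -n "$pp_wrkdir" && $pp_macos_sudo rm -rf "$pp_wrkdir/bom_stage"` keeps the privileged removal confined to the work directory. The enclosing function starts outside the hunk.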

Modified: trunk/contrib/sudo/pwutil.c
===================================================================
--- trunk/contrib/sudo/pwutil.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/pwutil.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -677,7 +677,9 @@
 #ifdef HAVE_SETAUTHDB
     aix_setauthdb(pw->pw_name);
 #endif
-    grp = sudo_getgrnam(group);
+    /* A group name that begins with a '#' may be a gid. */
+    if ((grp = sudo_getgrnam(group)) == NULL && *group == '#')
+	grp = sudo_getgrgid(atoi(group + 1));
 #ifdef HAVE_SETAUTHDB
     aix_restoreauthdb();
 #endif
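Review bot: `atoi(group + 1)` on the new line performs no validation, so a name such as `#foo` that sudo_getgrnam does not know converts to 0 and the fallback looks up gid 0; likewise an out-of-range number is undefined behaviour for atoi. Parse with strtol and only call sudo_getgrgid when the whole suffix is a non-negative number that fits, as sketched below (this assumes sudo_getgrgid takes a gid_t and that errno.h is available in this file). The enclosing function starts and ends outside the hunk.
```c
    /* A group name that begins with a '#' may be a gid. */
    if ((grp = sudo_getgrnam(group)) == NULL && *group == '#') {
	char *ep;
	long gid;

	errno = 0;
	gid = strtol(group + 1, &ep, 10);
	/* Only a fully numeric, non-negative, in-range suffix counts as a gid. */
	if (ep != group + 1 && *ep == '\0' && errno != ERANGE && gid >= 0)
	    grp = sudo_getgrgid((gid_t)gid);
    }
```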

Added: trunk/contrib/sudo/sudo.8
===================================================================
--- trunk/contrib/sudo/sudo.8	                        (rev 0)
+++ trunk/contrib/sudo/sudo.8	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,803 @@
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
+.\" 	Todd C. Miller <Todd.Miller at courtesan.com>
+.\" 
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" 
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\" 
+.nr SL 0
+.nr BA 0
+.nr LC 1
+.nr PT 5
+.\"
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` 
+.    ds C' 
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SUDO 8"
+.TH SUDO 8 "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+sudo, sudoedit \- execute a command as another user
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
+.PP
+\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+.PP
+\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
+.PP
+\&\fBsudo\fR [\fB\-AbEHnPS\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-C\fR\ \fIfd\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
+[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
+.PP
+\&\fBsudoedit\fR [\fB\-AnS\fR]
+.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-C\fR\ \fIfd\fR]
+.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
+superuser or another user, as specified in the \fIsudoers\fR file.
+The real and effective uid and gid are set to match those of the
+target user as specified in the passwd file and the group vector
+is initialized based on the group file (unless the \fB\-P\fR option was
+specified).  If the invoking user is root or if the target user is
+the same as the invoking user, no password is required.  Otherwise,
+\&\fBsudo\fR requires that users authenticate themselves with a password
+by default (\s-1NOTE:\s0 in the default configuration this is the user's
+password, not the root password).  Once a user has been authenticated,
+a time stamp is updated and the user may then use sudo without a
+password for a short period of time (\f(CW\*(C`5\*(C'\fR minutes unless
+overridden in \fIsudoers\fR).
+.PP
+When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
+is implied.
+.PP
+\&\fBsudo\fR determines who is an authorized user by consulting the file
+\&\fI/etc/sudoers\fR.  By running \fBsudo\fR with the \fB\-v\fR option,
+a user can update the time stamp without running a \fIcommand\fR.  If
+a password is required, \fBsudo\fR will exit if the user's password
+is not entered within a configurable time limit.  The default
+password prompt timeout is 
+.ie \n(PT \f(CW\*(C`5\*(C'\fR minutes.
+.el unlimited.
+.PP
+If a user who is not listed in the \fIsudoers\fR file tries to run a
+command via \fBsudo\fR, mail is sent to the proper authorities, as
+defined at configure time or in the \fIsudoers\fR file (defaults to
+\&\f(CW\*(C`root\*(C'\fR).  Note that the mail will not be sent if an unauthorized
+user tries to run sudo with the \fB\-l\fR or \fB\-v\fR option.  This allows
+users to determine for themselves whether or not they are allowed
+to use \fBsudo\fR.
+.PP
+If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
+is set, \fBsudo\fR will use this value to determine who the actual
+user is.  This can be used by a user to log commands through sudo
+even when a root shell has been invoked.  It also allows the \fB\-e\fR
+option to remain useful even when being run via a sudo-run script or
+program.  Note however, that the sudoers lookup is still done for
+root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
+.PP
+\&\fBsudo\fR can log both successful and unsuccessful attempts (as well
+as errors) to \fIsyslog\fR\|(3), a log file, or both.  By default \fBsudo\fR
+will log via \fIsyslog\fR\|(3) but this is changeable at configure time
+or via the \fIsudoers\fR file.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+\&\fBsudo\fR accepts the following command line options:
+.IP "\-A" 12
+.IX Item "-A"
+Normally, if \fBsudo\fR requires a password, it will read it from the
+current terminal.  If the \fB\-A\fR (\fIaskpass\fR) option is specified,
+a (possibly graphical) helper program is executed to read the
+user's password and output the password to the standard output.  If
+the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
+path to the helper program.  Otherwise, the value specified by the
+\&\fIaskpass\fR option in \fIsudoers\fR\|(5) is used.
+.if \n(BA \{\
+.IP "\-a \fItype\fR" 12
+.IX Item "-a type"
+The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
+specified authentication type when validating the user, as allowed
+by \fI/etc/login.conf\fR.  The system administrator may specify a list
+of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
+entry in \fI/etc/login.conf\fR.  This option is only available on systems
+that support \s-1BSD\s0 authentication.
+\}
+.IP "\-b" 12
+.IX Item "-b"
+The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
+command in the background.  Note that if you use the \fB\-b\fR
+option you cannot use shell job control to manipulate the process.
+.IP "\-C \fIfd\fR" 12
+.IX Item "-C fd"
+Normally, \fBsudo\fR will close all open file descriptors other than
+standard input, standard output and standard error.  The \fB\-C\fR
+(\fIclose from\fR) option allows the user to specify a starting point
+above the standard error (file descriptor three).  Values less than
+three are not permitted.  This option is only available if the
+administrator has enabled the \fIclosefrom_override\fR option in
+\&\fIsudoers\fR\|(5).
+.if \n(LC \{\
+.IP "\-c \fIclass\fR" 12
+.IX Item "-c class"
+The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
+with resources limited by the specified login class.  The \fIclass\fR
+argument can be either a class name as defined in \fI/etc/login.conf\fR,
+or a single '\-' character.  Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
+that the command should be run restricted by the default login
+capabilities for the user the command is run as.  If the \fIclass\fR
+argument specifies an existing user class, the command must be run
+as root, or the \fBsudo\fR command must be run from a shell that is already
+root.  This option is only available on systems with \s-1BSD\s0 login classes.
+\}
+.IP "\-E" 12
+.IX Item "-E"
+The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
+\&\fIenv_reset\fR option in \fIsudoers\fR\|(5)).  It is only
+available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
+or the \fIsetenv\fR option is set in \fIsudoers\fR\|(5).
+.IP "\-e" 12
+.IX Item "-e"
+The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
+a command, the user wishes to edit one or more files.  In lieu
+of a command, the string \*(L"sudoedit\*(R" is used when consulting
+the \fIsudoers\fR file.  If the user is authorized by \fIsudoers\fR
+the following steps are taken:
+.RS 12
+.IP "1." 4
+Temporary copies are made of the files to be edited with the owner
+set to the invoking user.
+.IP "2." 4
+The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR
+environment variables is run to edit the temporary files.  If none
+of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program
+listed in the \fIeditor\fR \fIsudoers\fR variable is used.
+.IP "3." 4
+If they have been modified, the temporary files are copied back to
+their original location and the temporary versions are removed.
+.RE
+.RS 12
+.Sp
+If the specified file does not exist, it will be created.  Note
+that unlike most commands run by \fBsudo\fR, the editor is run with
+the invoking user's environment unmodified.  If, for some reason,
+\&\fBsudo\fR is unable to update a file with its edited version, the
+user will receive a warning and the edited copy will remain in a
+temporary file.
+.RE
+.IP "\-g \fIgroup\fR" 12
+.IX Item "-g group"
+Normally, \fBsudo\fR sets the primary group to the one specified by
+the passwd database for the user the command is being run as (by
+default, root).  The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run
+the specified command with the primary group set to \fIgroup\fR.  To
+specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR.  When
+running commands as a \fIgid\fR, many shells require that the '#' be
+escaped with a backslash ('\e').  If no \fB\-u\fR option is specified,
+the command will be run as the invoking user (not root).  In either
+case, the primary group will be set to \fIgroup\fR.
+.IP "\-H" 12
+.IX Item "-H"
+The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
+to the homedir of the target user (root by default) as specified
+in \fIpasswd\fR\|(5).  The default handling of the \f(CW\*(C`HOME\*(C'\fR environment
+variable depends on \fIsudoers\fR\|(5) settings.  By default, \fBsudo\fR
+will set \f(CW\*(C`HOME\*(C'\fR if \fIenv_reset\fR or \fIalways_set_home\fR are set, or
+if \fIset_home\fR is set and the \fB\-s\fR option is specified on the
+command line.
+.IP "\-h" 12
+.IX Item "-h"
+The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a short help message
+to the standard output and exit.
+.IP "\-i [command]" 12
+.IX Item "-i [command]"
+The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
+in the \fIpasswd\fR\|(5) entry of the target user as a login shell.  This
+means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR or
+\&\f(CW\*(C`.login\*(C'\fR will be read by the shell.  If a command is specified,
+it is passed to the shell for execution.  Otherwise, an interactive
+shell is executed.  \fBsudo\fR attempts to change to that user's home
+directory before running the shell.  It also initializes the
+environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting
+\&\fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as
+the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems.
+All other environment variables are removed.
+.IP "\-K" 12
+.IX Item "-K"
+The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
+the user's time stamp entirely and may not be used in conjunction
+with a command or other option.  This option does not require a
+password.
+.IP "\-k" 12
+.IX Item "-k"
+When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
+the user's time stamp by setting the time on it to the Epoch.  The
+next time \fBsudo\fR is run a password will be required.  This option
+does not require a password and was added to allow a user to revoke
+\&\fBsudo\fR permissions from a .logout file.
+.Sp
+When used in conjunction with a command or an option that may require
+a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
+time stamp file.  As a result, \fBsudo\fR will prompt for a password
+(if one is required by \fIsudoers\fR) and will not update the user's
+time stamp file.
+.IP "\-L" 12
+.IX Item "-L"
+The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
+may be set in a \fIDefaults\fR line along with a short description for
+each.  This option will be removed from a future version of \fBsudo\fR.
+.IP "\-l[l] [\fIcommand\fR]" 12
+.IX Item "-l[l] [command]"
+If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
+the allowed (and forbidden) commands for the invoking user (or the
+user specified by the \fB\-U\fR option) on the current host.  If a
+\&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the
+fully-qualified path to the command is displayed along with any
+command line arguments.  If \fIcommand\fR is specified but not allowed,
+\&\fBsudo\fR will exit with a status value of 1.  If the \fB\-l\fR option is
+specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR
+is specified multiple times, a longer list format is used.
+.IP "\-n" 12
+.IX Item "-n"
+The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
+the user for a password.  If a password is required for the command
+to run, \fBsudo\fR will display an error messages and exit.
+.IP "\-P" 12
+.IX Item "-P"
+The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
+preserve the invoking user's group vector unaltered.  By default,
+\&\fBsudo\fR will initialize the group vector to the list of groups the
+target user is in.  The real and effective group IDs, however, are
+still set to match the target user.
+.IP "\-p \fIprompt\fR" 12
+.IX Item "-p prompt"
+The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
+password prompt and use a custom one.  The following percent (`\f(CW\*(C`%\*(C'\fR')
+escapes are supported:
+.RS 12
+.ie n .IP "%H" 4
+.el .IP "\f(CW%H\fR" 4
+.IX Item "%H"
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the \fIfqdn\fR
+\&\fIsudoers\fR option is set)
+.ie n .IP "%h" 4
+.el .IP "\f(CW%h\fR" 4
+.IX Item "%h"
+expanded to the local host name without the domain name
+.ie n .IP "%p" 4
+.el .IP "\f(CW%p\fR" 4
+.IX Item "%p"
+expanded to the user whose password is being asked for (respects the
+\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
+.ie n .IP "%U" 4
+.el .IP "\f(CW%U\fR" 4
+.IX Item "%U"
+expanded to the login name of the user the command will
+be run as (defaults to root)
+.ie n .IP "%u" 4
+.el .IP "\f(CW%u\fR" 4
+.IX Item "%u"
+expanded to the invoking user's login name
+.ie n .IP "\*(C`%%\*(C'" 4
+.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
+.IX Item "%%"
+two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
+.RE
+.RS 12
+.Sp
+The prompt specified by the \fB\-p\fR option will override the system
+password prompt on systems that support \s-1PAM\s0 unless the
+\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
+.RE
+.if \n(SL \{\
+.IP "\-r \fIrole\fR" 12
+.IX Item "-r role"
+The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
+have the role specified by \fIrole\fR.
+\}
+.IP "\-S" 12
+.IX Item "-S"
+The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
+the standard input instead of the terminal device.  The password must
+be followed by a newline character.
+.IP "\-s [command]" 12
+.IX Item "-s [command]"
+The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
+environment variable if it is set or the shell as specified in
+\&\fIpasswd\fR\|(5).  If a command is specified, it is passed to the shell
+for execution.  Otherwise, an interactive shell is executed.
+.if \n(SL \{\
+.IP "\-t \fItype\fR" 12
+.IX Item "-t type"
+The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
+have the type specified by \fItype\fR.  If no type is specified, the default
+type is derived from the specified role.
+\}
+.IP "\-U \fIuser\fR" 12
+.IX Item "-U user"
+The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
+option to specify the user whose privileges should be listed.  Only
+root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
+option.
+.IP "\-u \fIuser\fR" 12
+.IX Item "-u user"
+The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
+command as a user other than \fIroot\fR.  To specify a \fIuid\fR instead
+of a \fIuser name\fR, use \fI#uid\fR.  When running commands as a \fIuid\fR,
+many shells require that the '#' be escaped with a backslash ('\e').
+Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(5))
+it is not possible to run commands with a uid not listed in the
+password database.
+.IP "\-V" 12
+.IX Item "-V"
+The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
+number and exit.  If the invoking user is already root the \fB\-V\fR
+option will print out a list of the defaults \fBsudo\fR was compiled
+with as well as the machine's local network addresses.
+.IP "\-v" 12
+.IX Item "-v"
+If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
+user's time stamp, prompting for the user's password if necessary.
+This extends the \fBsudo\fR timeout for another \f(CW\*(C`5\*(C'\fR minutes
+(or whatever the timeout is set to in \fIsudoers\fR) but does not run
+a command.
+.IP "\-\-" 12
+The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
+line arguments.
+.PP
+Environment variables to be set for the command may also be passed
+on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
+\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR.  Variables passed on the
+command line are subject to the same restrictions as normal environment
+variables with one important exception.  If the \fIsetenv\fR option
+is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
+set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
+that would overwise be forbidden.  See \fIsudoers\fR\|(5) for more information.
+.SH "RETURN VALUES"
+.IX Header "RETURN VALUES"
+Upon successful execution of a program, the exit status from \fBsudo\fR
+will simply be the exit status of the program that was executed.
+.PP
+Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a
+configuration/permission problem or if \fBsudo\fR cannot execute the
+given command.  In the latter case the error string is printed to
+stderr.  If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's
+\&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr.  (If the directory does not
+exist or if it is not really a directory, the entry is ignored and
+no error is printed.)  This should not happen under normal
+circumstances.  The most common reason for \fIstat\fR\|(2) to return
+\&\*(L"permission denied\*(R" is if you are running an automounter and one
+of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently
+unreachable.
+.SH "SECURITY NOTES"
+.IX Header "SECURITY NOTES"
+\&\fBsudo\fR tries to be safe when executing external commands.
+.PP
+There are two distinct ways to deal with environment variables.
+By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled.
+This causes commands to be executed with a minimal environment
+containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR
+and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process
+permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options.
+There is effectively a whitelist for environment variables.
+.PP
+If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
+variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
+options are inherited from the invoking process.  In this case,
+\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist.  Since it
+is not possible to blacklist all potentially dangerous environment
+variables, use of the default \fIenv_reset\fR behavior is encouraged.
+.PP
+In all cases, environment variables with a value beginning with
+\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
+The list of environment variables that \fBsudo\fR allows or denies is
+contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
+.PP
+Note that the dynamic linker on most operating systems will remove
+variables that can control dynamic linking from the environment of
+setuid executables, including \fBsudo\fR.  Depending on the operating
+system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
+\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others.  These type of variables are
+removed from the environment before \fBsudo\fR even begins execution
+and, as such, it is not possible for \fBsudo\fR to preserve them.
+.PP
+To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
+current directory) last when searching for a command in the user's
+\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0).  Note, however, that the
+actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
+unchanged to the program that \fBsudo\fR executes.
+.PP
+\&\fBsudo\fR will check the ownership of its time stamp directory
+(\fI/var/db/sudo\fR by default) and ignore the directory's contents if
+it is not owned by root or if it is writable by a user other than
+root.  On systems that allow non-root users to give away files via
+\&\fIchown\fR\|(2), if the time stamp directory is located in a directory
+writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
+create the time stamp directory before \fBsudo\fR is run.  However,
+because \fBsudo\fR checks the ownership and mode of the directory and
+its contents, the only damage that can be done is to \*(L"hide\*(R" files
+by putting them in the time stamp dir.  This is unlikely to happen
+since once the time stamp dir is owned by root and inaccessible by
+any other user, the user placing files there would be unable to get
+them back out.  To get around this issue you can use a directory
+that is not world-writable for the time stamps (\fI/var/adm/sudo\fR for
+instance) or create \fI/var/db/sudo\fR with the appropriate owner (root)
+and permissions (0700) in the system startup files.
+.PP
+\&\fBsudo\fR will not honor time stamps set far in the future.
+Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
+will be ignored and sudo will log and complain.  This is done to
+keep a user from creating his/her own time stamp with a bogus
+date on systems that allow users to give away files.
+.PP
+On systems where the boot time is available, \fBsudo\fR will also not
+honor time stamps from before the machine booted.
+.PP
+Since time stamp files live in the file system, they can outlive a
+user's login session.  As a result, a user may be able to login,
+run a command with \fBsudo\fR after authenticating, logout, login
+again, and run \fBsudo\fR without authenticating so long as the time
+stamp file's modification time is within \f(CW\*(C`5\*(C'\fR minutes (or
+whatever the timeout is set to in \fIsudoers\fR).  When the \fItty_tickets\fR
+option is enabled in \fIsudoers\fR, the time stamp has per-tty granularity
+but still may outlive the user's session.  On Linux systems where
+the devpts filesystem is used, Solaris systems with the devices
+filesystem, as well as other systems that utilize a devfs filesystem
+that monotonically increase the inode number of devices as they are
+created (such as Mac \s-1OS\s0 X), \fBsudo\fR is able to determine when a
+tty-based time stamp file is stale and will ignore it.  Administrators
+should not rely on this feature as it is not universally available.
+.PP
+Please note that \fBsudo\fR will normally only log the command it
+explicitly runs.  If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
+\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
+logged, nor will \fBsudo\fR's access control affect them.  The same
+is true for commands that offer shell escapes (including most
+editors).  Because of this, care must be taken when giving users
+access to commands via \fBsudo\fR to verify that the command does not
+inadvertently give the user an effective root shell.  For more
+information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
+\&\fIsudoers\fR\|(5).
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+\&\fBsudo\fR utilizes the following environment variables:
+.ie n .IP "\*(C`EDITOR\*(C'" 16
+.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
+.IX Item "EDITOR"
+Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
+nor \f(CW\*(C`VISUAL\*(C'\fR is set
+.ie n .IP "\*(C`MAIL\*(C'" 16
+.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16
+.IX Item "MAIL"
+In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set
+to the mail spool of the target user
+.ie n .IP "\*(C`HOME\*(C'" 16
+.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
+.IX Item "HOME"
+Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
+specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
+or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
+\&\fIsudoers\fR
+.ie n .IP "\*(C`PATH\*(C'" 16
+.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
+.IX Item "PATH"
+Set to a sane value if the \fIsecure_path\fR sudoers option is set.
+.ie n .IP "\*(C`SHELL\*(C'" 16
+.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
+.IX Item "SHELL"
+Used to determine shell to run with \f(CW\*(C`\-s\*(C'\fR option
+.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
+.IX Item "SUDO_ASKPASS"
+Specifies the path to a helper program used to read the password
+if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
+.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
+.IX Item "SUDO_COMMAND"
+Set to the command run by sudo
+.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
+.IX Item "SUDO_EDITOR"
+Default editor to use in \fB\-e\fR (sudoedit) mode
+.ie n .IP "\*(C`SUDO_GID\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
+.IX Item "SUDO_GID"
+Set to the group \s-1ID\s0 of the user who invoked sudo
+.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
+.IX Item "SUDO_PROMPT"
+Used as the default password prompt
+.ie n .IP "\*(C`SUDO_PS1\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
+.IX Item "SUDO_PS1"
+If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run
+.ie n .IP "\*(C`SUDO_UID\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
+.IX Item "SUDO_UID"
+Set to the user \s-1ID\s0 of the user who invoked sudo
+.ie n .IP "\*(C`SUDO_USER\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
+.IX Item "SUDO_USER"
+Set to the login of the user who invoked sudo
+.ie n .IP "\*(C`USER\*(C'" 16
+.el .IP "\f(CW\*(C`USER\*(C'\fR" 16
+.IX Item "USER"
+Set to the target user (root unless the \fB\-u\fR option is specified)
+.ie n .IP "\*(C`VISUAL\*(C'" 16
+.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
+.IX Item "VISUAL"
+Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
+is not set
+.SH "FILES"
+.IX Header "FILES"
+.ie n .IP "\fI/etc/sudoers\fR" 24
+.el .IP "\fI/etc/sudoers\fR" 24
+.IX Item "/etc/sudoers"
+List of who can run what
+.ie n .IP "\fI/var/db/sudo\fR" 24
+.el .IP "\fI/var/db/sudo\fR" 24
+.IX Item "/var/db/sudo"
+Directory containing time stamps
+.IP "\fI/etc/environment\fR" 24
+.IX Item "/etc/environment"
+Initial environment for \fB\-i\fR mode on Linux and \s-1AIX\s0
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Note: the following examples assume suitable \fIsudoers\fR\|(5) entries.
+.PP
+To get a file listing of an unreadable directory:
+.PP
+.Vb 1
+\& $ sudo ls /usr/local/protected
+.Ve
+.PP
+To list the home directory of user yaz on a machine where the
+file system holding ~yaz is not exported as root:
+.PP
+.Vb 1
+\& $ sudo \-u yaz ls ~yaz
+.Ve
+.PP
+To edit the \fIindex.html\fR file as user www:
+.PP
+.Vb 1
+\& $ sudo \-u www vi ~www/htdocs/index.html
+.Ve
+.PP
+To view system logs only accessible to root and users in the adm group:
+.PP
+.Vb 1
+\& $ sudo \-g adm view /var/log/syslog
+.Ve
+.PP
+To run an editor as jim with a different primary group:
+.PP
+.Vb 1
+\& $ sudo \-u jim \-g audio vi ~jim/sound.txt
+.Ve
+.PP
+To shutdown a machine:
+.PP
+.Vb 1
+\& $ sudo shutdown \-r +15 "quick reboot"
+.Ve
+.PP
+To make a usage listing of the directories in the /home
+partition.  Note that this runs the commands in a sub-shell
+to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
+.PP
+.Vb 1
+\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
+.if \n(LC \&\fIlogin_cap\fR\|(3),
+\&\fIpasswd\fR\|(5), \fIsudoers\fR\|(5), \fIvisudo\fR\|(8)
+.SH "AUTHORS"
+.IX Header "AUTHORS"
+Many people have worked on \fBsudo\fR over the years; this
+version consists of code written primarily by:
+.PP
+.Vb 1
+\&        Todd C. Miller
+.Ve
+.PP
+See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
+http://www.sudo.ws/sudo/history.html for a short history
+of \fBsudo\fR.
+.SH "CAVEATS"
+.IX Header "CAVEATS"
+There is no easy way to prevent a user from gaining a root shell
+if that user is allowed to run arbitrary commands via \fBsudo\fR.
+Also, many programs (such as editors) allow the user to run commands
+via shell escapes, thus avoiding \fBsudo\fR's checks.  However, on
+most systems it is possible to prevent shell escapes with \fBsudo\fR's
+\&\fInoexec\fR functionality.  See the \fIsudoers\fR\|(5) manual
+for details.
+.PP
+It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
+.PP
+.Vb 1
+\& $ sudo cd /usr/local/protected
+.Ve
+.PP
+since when the command exits the parent process (your shell) will
+still be the same.  Please see the \s-1EXAMPLES\s0 section for more information.
+.PP
+If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
+creating their own program that gives them a root shell regardless
+of any '!' elements in the user specification.
+.PP
+Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
+make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
+has a /dev/fd/ directory, setuid shell scripts are generally safe).
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/sudo.cat
===================================================================
--- trunk/contrib/sudo/sudo.cat	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudo.cat	2014-10-02 03:32:57 UTC (rev 6804)
@@ -61,7 +61,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       1
+1.7.6                     April  9, 2011                        1
 
 
 
@@ -127,7 +127,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       2
+1.7.6                     April  9, 2011                        2
 
 
 
@@ -193,7 +193,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       3
+1.7.6                     April  9, 2011                        3
 
 
 
@@ -259,7 +259,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       4
+1.7.6                     April  9, 2011                        4
 
 
 
@@ -325,7 +325,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       5
+1.7.6                     April  9, 2011                        5
 
 
 
@@ -391,7 +391,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       6
+1.7.6                     April  9, 2011                        6
 
 
 
@@ -457,7 +457,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       7
+1.7.6                     April  9, 2011                        7
 
 
 
@@ -523,7 +523,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       8
+1.7.6                     April  9, 2011                        8
 
 
 
@@ -589,7 +589,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       9
+1.7.6                     April  9, 2011                        9
 
 
 
@@ -655,6 +655,6 @@
 
 
 
-1.7.5rc1                February 21, 2011                      10
+1.7.6                     April  9, 2011                       10
 
 

Modified: trunk/contrib/sudo/sudo.man.in
===================================================================
--- trunk/contrib/sudo/sudo.man.in	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudo.man.in	2014-10-02 03:32:57 UTC (rev 6804)
@@ -149,7 +149,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Added: trunk/contrib/sudo/sudo.pod
===================================================================
--- trunk/contrib/sudo/sudo.pod	                        (rev 0)
+++ trunk/contrib/sudo/sudo.pod	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,702 @@
+Copyright (c) 1994-1996, 1998-2005, 2007-2010
+	Todd C. Miller <Todd.Miller at courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Sponsored in part by the Defense Advanced Research Projects
+Agency (DARPA) and Air Force Research Laboratory, Air Force
+Materiel Command, USAF, under agreement number F39502-99-1-0512.
+
+=pod
+
+=head1 NAME
+
+sudo, sudoedit - execute a command as another user
+
+=head1 SYNOPSIS
+
+B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V>
+
+B<sudo> B<-v> [B<-AknS>]
+S<[B<-a> I<auth_type>]>
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-u> I<username>|I<#uid>]>
+
+B<sudo> B<-l[l]> [B<-AknS>]
+S<[B<-a> I<auth_type>]>
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
+
+B<sudo> [B<-AbEHnPS>]
+S<[B<-a> I<auth_type>]>
+S<[B<-C> I<fd>]>
+S<[B<-c> I<class>|I<->]>
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-r> I<role>]> S<[B<-t> I<type>]>
+S<[B<-u> I<user name>|I<#uid>]>
+S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
+
+B<sudoedit> [B<-AnS>]
+S<[B<-a> I<auth_type>]>
+S<[B<-C> I<fd>]>
+S<[B<-c> I<class>|I<->]>
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-u> I<user name>|I<#uid>]> file ...
+
+=head1 DESCRIPTION
+
+B<sudo> allows a permitted user to execute a I<command> as the
+superuser or another user, as specified in the I<sudoers> file.
+The real and effective uid and gid are set to match those of the
+target user as specified in the passwd file and the group vector
+is initialized based on the group file (unless the B<-P> option was
+specified).  If the invoking user is root or if the target user is
+the same as the invoking user, no password is required.  Otherwise,
+B<sudo> requires that users authenticate themselves with a password
+by default (NOTE: in the default configuration this is the user's
+password, not the root password).  Once a user has been authenticated,
+a time stamp is updated and the user may then use sudo without a
+password for a short period of time (C<@timeout@> minutes unless
+overridden in I<sudoers>).
+
+When invoked as B<sudoedit>, the B<-e> option (described below),
+is implied.
+
+B<sudo> determines who is an authorized user by consulting the file
+F<@sysconfdir@/sudoers>.  By running B<sudo> with the B<-v> option,
+a user can update the time stamp without running a I<command>.  If
+a password is required, B<sudo> will exit if the user's password
+is not entered within a configurable time limit.  The default
+password prompt timeout is C<@password_timeout@> minutes.
+
+If a user who is not listed in the I<sudoers> file tries to run a
+command via B<sudo>, mail is sent to the proper authorities, as
+defined at configure time or in the I<sudoers> file (defaults to
+C<@mailto@>).  Note that the mail will not be sent if an unauthorized
+user tries to run sudo with the B<-l> or B<-v> option.  This allows
+users to determine for themselves whether or not they are allowed
+to use B<sudo>.
+
+If B<sudo> is run by root and the C<SUDO_USER> environment variable
+is set, B<sudo> will use this value to determine who the actual
+user is.  This can be used by a user to log commands through sudo
+even when a root shell has been invoked.  It also allows the B<-e>
+option to remain useful even when being run via a sudo-run script or
+program.  Note however, that the sudoers lookup is still done for
+root, not the user specified by C<SUDO_USER>.
+
+B<sudo> can log both successful and unsuccessful attempts (as well
+as errors) to syslog(3), a log file, or both.  By default B<sudo>
+will log via syslog(3) but this is changeable at configure time
+or via the I<sudoers> file.
+
+=head1 OPTIONS
+
+B<sudo> accepts the following command line options:
+
+=over 12
+
+=item -A
+
+Normally, if B<sudo> requires a password, it will read it from the
+current terminal.  If the B<-A> (I<askpass>) option is specified,
+a (possibly graphical) helper program is executed to read the
+user's password and output the password to the standard output.  If
+the C<SUDO_ASKPASS> environment variable is set, it specifies the
+path to the helper program.  Otherwise, the value specified by the
+I<askpass> option in L<sudoers(5)> is used.
+
+=item -a I<type>
+
+The B<-a> (I<authentication type>) option causes B<sudo> to use the
+specified authentication type when validating the user, as allowed
+by F</etc/login.conf>.  The system administrator may specify a list
+of sudo-specific authentication methods by adding an "auth-sudo"
+entry in F</etc/login.conf>.  This option is only available on systems
+that support BSD authentication.
+
+=item -b
+
+The B<-b> (I<background>) option tells B<sudo> to run the given
+command in the background.  Note that if you use the B<-b>
+option you cannot use shell job control to manipulate the process.
+
+=item -C I<fd>
+
+Normally, B<sudo> will close all open file descriptors other than
+standard input, standard output and standard error.  The B<-C>
+(I<close from>) option allows the user to specify a starting point
+above the standard error (file descriptor three).  Values less than
+three are not permitted.  This option is only available if the
+administrator has enabled the I<closefrom_override> option in
+L<sudoers(5)>.
+
+=item -c I<class>
+
+The B<-c> (I<class>) option causes B<sudo> to run the specified command
+with resources limited by the specified login class.  The I<class>
+argument can be either a class name as defined in F</etc/login.conf>,
+or a single '-' character.  Specifying a I<class> of C<-> indicates
+that the command should be run restricted by the default login
+capabilities for the user the command is run as.  If the I<class>
+argument specifies an existing user class, the command must be run
+as root, or the B<sudo> command must be run from a shell that is already
+root.  This option is only available on systems with BSD login classes.
+
+=item -E
+
+The B<-E> (I<preserve> I<environment>) option will override the
+I<env_reset> option in L<sudoers(5)>).  It is only
+available when either the matching command has the C<SETENV> tag
+or the I<setenv> option is set in L<sudoers(5)>.
+
+=item -e
+
+The B<-e> (I<edit>) option indicates that, instead of running
+a command, the user wishes to edit one or more files.  In lieu
+of a command, the string "sudoedit" is used when consulting
+the I<sudoers> file.  If the user is authorized by I<sudoers>
+the following steps are taken:
+
+=over 4
+
+=item 1.
+
+Temporary copies are made of the files to be edited with the owner
+set to the invoking user.
+
+=item 2.
+
+The editor specified by the C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR>
+environment variables is run to edit the temporary files.  If none
+of C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR> are set, the first program
+listed in the I<editor> I<sudoers> variable is used.
+
+=item 3.
+
+If they have been modified, the temporary files are copied back to
+their original location and the temporary versions are removed.
+
+=back
+
+If the specified file does not exist, it will be created.  Note
+that unlike most commands run by B<sudo>, the editor is run with
+the invoking user's environment unmodified.  If, for some reason,
+B<sudo> is unable to update a file with its edited version, the
+user will receive a warning and the edited copy will remain in a
+temporary file.
+
+=item -g I<group>
+
+Normally, B<sudo> sets the primary group to the one specified by
+the passwd database for the user the command is being run as (by
+default, root).  The B<-g> (I<group>) option causes B<sudo> to run
+the specified command with the primary group set to I<group>.  To
+specify a I<gid> instead of a I<group name>, use I<#gid>.  When
+running commands as a I<gid>, many shells require that the '#' be
+escaped with a backslash ('\').  If no B<-u> option is specified,
+the command will be run as the invoking user (not root).  In either
+case, the primary group will be set to I<group>.
+
+=item -H
+
+The B<-H> (I<HOME>) option sets the C<HOME> environment variable
+to the homedir of the target user (root by default) as specified
+in passwd(5).  The default handling of the C<HOME> environment
+variable depends on L<sudoers(5)> settings.  By default, B<sudo>
+will set C<HOME> if I<env_reset> or I<always_set_home> are set, or
+if I<set_home> is set and the B<-s> option is specified on the
+command line.
+
+=item -h
+
+The B<-h> (I<help>) option causes B<sudo> to print a short help message
+to the standard output and exit.
+
+=item -i [command]
+
+The B<-i> (I<simulate initial login>) option runs the shell specified
+in the L<passwd(5)> entry of the target user as a login shell.  This
+means that login-specific resource files such as C<.profile> or
+C<.login> will be read by the shell.  If a command is specified,
+it is passed to the shell for execution.  Otherwise, an interactive
+shell is executed.  B<sudo> attempts to change to that user's home
+directory before running the shell.  It also initializes the
+environment, leaving I<DISPLAY> and I<TERM> unchanged, setting
+I<HOME>, I<MAIL>, I<SHELL>, I<USER>, I<LOGNAME>, and I<PATH>, as well as
+the contents of F</etc/environment> on Linux and AIX systems.
+All other environment variables are removed.
+
+=item -K
+
+The B<-K> (sure I<kill>) option is like B<-k> except that it removes
+the user's time stamp entirely and may not be used in conjunction
+with a command or other option.  This option does not require a
+password.
+
+=item -k
+
+When used by itself, the B<-k> (I<kill>) option to B<sudo> invalidates
+the user's time stamp by setting the time on it to the Epoch.  The
+next time B<sudo> is run a password will be required.  This option
+does not require a password and was added to allow a user to revoke
+B<sudo> permissions from a .logout file.
+
+When used in conjunction with a command or an option that may require
+a password, the B<-k> option will cause B<sudo> to ignore the user's
+time stamp file.  As a result, B<sudo> will prompt for a password
+(if one is required by I<sudoers>) and will not update the user's
+time stamp file.
+
+=item -L
+
+The B<-L> (I<list> defaults) option will list the parameters that
+may be set in a I<Defaults> line along with a short description for
+each.  This option will be removed from a future version of B<sudo>.
+
+=item -l[l] [I<command>]
+
+If no I<command> is specified, the B<-l> (I<list>) option will list
+the allowed (and forbidden) commands for the invoking user (or the
+user specified by the B<-U> option) on the current host.  If a
+I<command> is specified and is permitted by I<sudoers>, the
+fully-qualified path to the command is displayed along with any
+command line arguments.  If I<command> is specified but not allowed,
+B<sudo> will exit with a status value of 1.  If the B<-l> option is
+specified with an B<l> argument (i.e. B<-ll>), or if B<-l>
+is specified multiple times, a longer list format is used.
+
+=item -n
+
+The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
+the user for a password.  If a password is required for the command
+to run, B<sudo> will display an error messages and exit.
+
+=item -P
+
+The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
+preserve the invoking user's group vector unaltered.  By default,
+B<sudo> will initialize the group vector to the list of groups the
+target user is in.  The real and effective group IDs, however, are
+still set to match the target user.
+
+=item -p I<prompt>
+
+The B<-p> (I<prompt>) option allows you to override the default
+password prompt and use a custom one.  The following percent (`C<%>')
+escapes are supported:
+
+=over 4
+
+=item C<%H>
+
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the I<fqdn>
+I<sudoers> option is set)
+
+=item C<%h>
+
+expanded to the local host name without the domain name
+
+=item C<%p>
+
+expanded to the user whose password is being asked for (respects the
+I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
+
+=item C<%U>
+
+expanded to the login name of the user the command will
+be run as (defaults to root)
+
+=item C<%u>
+
+expanded to the invoking user's login name
+
+=item C<%%>
+
+two consecutive C<%> characters are collapsed into a single C<%> character
+
+=back
+
+The prompt specified by the B<-p> option will override the system
+password prompt on systems that support PAM unless the
+I<passprompt_override> flag is disabled in I<sudoers>.
+
+=item -r I<role>
+
+The B<-r> (I<role>) option causes the new (SELinux) security context to
+have the role specified by I<role>.
+
+=item -S
+
+The B<-S> (I<stdin>) option causes B<sudo> to read the password from
+the standard input instead of the terminal device.  The password must
+be followed by a newline character.
+
+=item -s [command]
+
+The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
+environment variable if it is set or the shell as specified in
+L<passwd(5)>.  If a command is specified, it is passed to the shell
+for execution.  Otherwise, an interactive shell is executed.
+
+=item -t I<type>
+
+The B<-t> (I<type>) option causes the new (SELinux) security context to
+have the type specified by I<type>.  If no type is specified, the default
+type is derived from the specified role.
+
+=item -U I<user>
+
+The B<-U> (I<other user>) option is used in conjunction with the B<-l>
+option to specify the user whose privileges should be listed.  Only
+root or a user with B<sudo> C<ALL> on the current host may use this
+option.
+
+=item -u I<user>
+
+The B<-u> (I<user>) option causes B<sudo> to run the specified
+command as a user other than I<root>.  To specify a I<uid> instead
+of a I<user name>, use I<#uid>.  When running commands as a I<uid>,
+many shells require that the '#' be escaped with a backslash ('\').
+Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>)
+it is not possible to run commands with a uid not listed in the
+password database.
+
+=item -V
+
+The B<-V> (I<version>) option causes B<sudo> to print the version
+number and exit.  If the invoking user is already root the B<-V>
+option will print out a list of the defaults B<sudo> was compiled
+with as well as the machine's local network addresses.
+
+=item -v
+
+If given the B<-v> (I<validate>) option, B<sudo> will update the
+user's time stamp, prompting for the user's password if necessary.
+This extends the B<sudo> timeout for another C<@timeout@> minutes
+(or whatever the timeout is set to in I<sudoers>) but does not run
+a command.
+
+=item --
+
+The B<--> option indicates that B<sudo> should stop processing command
+line arguments.
+
+=back
+
+Environment variables to be set for the command may also be passed
+on the command line in the form of B<VAR>=I<value>, e.g.
+B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>.  Variables passed on the
+command line are subject to the same restrictions as normal environment
+variables with one important exception.  If the I<setenv> option
+is set in I<sudoers>, the command to be run has the C<SETENV> tag
+set or the command matched is C<ALL>, the user may set variables
+that would overwise be forbidden.  See L<sudoers(5)> for more information.
+
+=head1 RETURN VALUES
+
+Upon successful execution of a program, the exit status from B<sudo>
+will simply be the exit status of the program that was executed.
+
+Otherwise, B<sudo> quits with an exit value of 1 if there is a
+configuration/permission problem or if B<sudo> cannot execute the
+given command.  In the latter case the error string is printed to
+stderr.  If B<sudo> cannot L<stat(2)> one or more entries in the user's
+C<PATH> an error is printed on stderr.  (If the directory does not
+exist or if it is not really a directory, the entry is ignored and
+no error is printed.)  This should not happen under normal
+circumstances.  The most common reason for L<stat(2)> to return
+"permission denied" is if you are running an automounter and one
+of the directories in your C<PATH> is on a machine that is currently
+unreachable.
+
+=head1 SECURITY NOTES
+
+B<sudo> tries to be safe when executing external commands.
+
+There are two distinct ways to deal with environment variables.
+By default, the I<env_reset> I<sudoers> option is enabled.
+This causes commands to be executed with a minimal environment
+containing C<TERM>, C<PATH>, C<HOME>, C<SHELL>, C<LOGNAME>, C<USER>
+and C<USERNAME> in addition to variables from the invoking process
+permitted by the I<env_check> and I<env_keep> I<sudoers> options.
+There is effectively a whitelist for environment variables.
+
+If, however, the I<env_reset> option is disabled in I<sudoers>, any
+variables not explicitly denied by the I<env_check> and I<env_delete>
+options are inherited from the invoking process.  In this case,
+I<env_check> and I<env_delete> behave like a blacklist.  Since it
+is not possible to blacklist all potentially dangerous environment
+variables, use of the default I<env_reset> behavior is encouraged.
+
+In all cases, environment variables with a value beginning with
+C<()> are removed as they could be interpreted as B<bash> functions.
+The list of environment variables that B<sudo> allows or denies is
+contained in the output of C<sudo -V> when run as root.
+
+Note that the dynamic linker on most operating systems will remove
+variables that can control dynamic linking from the environment of
+setuid executables, including B<sudo>.  Depending on the operating
+system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
+C<LIBPATH>, C<SHLIB_PATH>, and others.  These type of variables are
+removed from the environment before B<sudo> even begins execution
+and, as such, it is not possible for B<sudo> to preserve them.
+
+To prevent command spoofing, B<sudo> checks "." and "" (both denoting
+current directory) last when searching for a command in the user's
+PATH (if one or both are in the PATH).  Note, however, that the
+actual C<PATH> environment variable is I<not> modified and is passed
+unchanged to the program that B<sudo> executes.
+
+B<sudo> will check the ownership of its time stamp directory
+(F<@timedir@> by default) and ignore the directory's contents if
+it is not owned by root or if it is writable by a user other than
+root.  On systems that allow non-root users to give away files via
+L<chown(2)>, if the time stamp directory is located in a directory
+writable by anyone (e.g., F</tmp>), it is possible for a user to
+create the time stamp directory before B<sudo> is run.  However,
+because B<sudo> checks the ownership and mode of the directory and
+its contents, the only damage that can be done is to "hide" files
+by putting them in the time stamp dir.  This is unlikely to happen
+since once the time stamp dir is owned by root and inaccessible by
+any other user, the user placing files there would be unable to get
+them back out.  To get around this issue you can use a directory
+that is not world-writable for the time stamps (F</var/adm/sudo> for
+instance) or create F<@timedir@> with the appropriate owner (root)
+and permissions (0700) in the system startup files.
+
+B<sudo> will not honor time stamps set far in the future.
+Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
+will be ignored and sudo will log and complain.  This is done to
+keep a user from creating his/her own time stamp with a bogus
+date on systems that allow users to give away files.
+
+On systems where the boot time is available, B<sudo> will also not
+honor time stamps from before the machine booted.
+
+Since time stamp files live in the file system, they can outlive a
+user's login session.  As a result, a user may be able to login,
+run a command with B<sudo> after authenticating, logout, login
+again, and run B<sudo> without authenticating so long as the time
+stamp file's modification time is within C<@timeout@> minutes (or
+whatever the timeout is set to in I<sudoers>).  When the I<tty_tickets>
+option is enabled in I<sudoers>, the time stamp has per-tty granularity
+but still may outlive the user's session.  On Linux systems where
+the devpts filesystem is used, Solaris systems with the devices
+filesystem, as well as other systems that utilize a devfs filesystem
+that monotonically increase the inode number of devices as they are
+created (such as Mac OS X), B<sudo> is able to determine when a
+tty-based time stamp file is stale and will ignore it.  Administrators
+should not rely on this feature as it is not universally available.
+
+Please note that B<sudo> will normally only log the command it
+explicitly runs.  If a user runs a command such as C<sudo su> or
+C<sudo sh>, subsequent commands run from that shell will I<not> be
+logged, nor will B<sudo>'s access control affect them.  The same
+is true for commands that offer shell escapes (including most
+editors).  Because of this, care must be taken when giving users
+access to commands via B<sudo> to verify that the command does not
+inadvertently give the user an effective root shell.  For more
+information, please see the C<PREVENTING SHELL ESCAPES> section in
+L<sudoers(5)>.
+
+=head1 ENVIRONMENT
+
+B<sudo> utilizes the following environment variables:
+
+=over 16
+
+=item C<EDITOR>
+
+Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
+nor C<VISUAL> is set
+
+=item C<MAIL>
+
+In B<-i> mode or when I<env_reset> is enabled in I<sudoers>, set
+to the mail spool of the target user
+
+=item C<HOME>
+
+Set to the home directory of the target user if B<-i> or B<-H> are
+specified, I<env_reset> or I<always_set_home> are set in I<sudoers>,
+or when the B<-s> option is specified and I<set_home> is set in
+I<sudoers>
+
+=item C<PATH>
+
+Set to a sane value if the I<secure_path> sudoers option is set.
+
+=item C<SHELL>
+
+Used to determine shell to run with C<-s> option
+
+=item C<SUDO_ASKPASS>
+
+Specifies the path to a helper program used to read the password
+if no terminal is available or if the C<-A> option is specified.
+
+=item C<SUDO_COMMAND>
+
+Set to the command run by sudo
+
+=item C<SUDO_EDITOR>
+
+Default editor to use in B<-e> (sudoedit) mode
+
+=item C<SUDO_GID>
+
+Set to the group ID of the user who invoked sudo
+
+=item C<SUDO_PROMPT>
+
+Used as the default password prompt
+
+=item C<SUDO_PS1>
+
+If set, C<PS1> will be set to its value for the program being run
+
+=item C<SUDO_UID>
+
+Set to the user ID of the user who invoked sudo
+
+=item C<SUDO_USER>
+
+Set to the login of the user who invoked sudo
+
+=item C<USER>
+
+Set to the target user (root unless the B<-u> option is specified)
+
+=item C<VISUAL>
+
+Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
+is not set
+
+=back
+
+=head1 FILES
+
+=over 24
+
+=item F<@sysconfdir@/sudoers>
+
+List of who can run what
+
+=item F<@timedir@>
+
+Directory containing time stamps
+
+=item F</etc/environment>
+
+Initial environment for B<-i> mode on Linux and AIX
+
+=back
+
+=head1 EXAMPLES
+
+Note: the following examples assume suitable L<sudoers(5)> entries.
+
+To get a file listing of an unreadable directory:
+
+ $ sudo ls /usr/local/protected
+
+To list the home directory of user yaz on a machine where the
+file system holding ~yaz is not exported as root:
+
+ $ sudo -u yaz ls ~yaz
+
+To edit the F<index.html> file as user www:
+
+ $ sudo -u www vi ~www/htdocs/index.html
+
+To view system logs only accessible to root and users in the adm group:
+
+ $ sudo -g adm view /var/log/syslog
+
+To run an editor as jim with a different primary group:
+
+ $ sudo -u jim -g audio vi ~jim/sound.txt
+
+To shutdown a machine:
+
+ $ sudo shutdown -r +15 "quick reboot"
+
+To make a usage listing of the directories in the /home
+partition.  Note that this runs the commands in a sub-shell
+to make the C<cd> and file redirection work.
+
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+
+=head1 SEE ALSO
+
+L<grep(1)>, L<su(1)>, L<stat(2)>,
+L<login_cap(3)>,
+L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
+
+=head1 AUTHORS
+
+Many people have worked on B<sudo> over the years; this
+version consists of code written primarily by:
+
+	Todd C. Miller
+
+See the HISTORY file in the B<sudo> distribution or visit
+http://www.sudo.ws/sudo/history.html for a short history
+of B<sudo>.
+
+=head1 CAVEATS
+
+There is no easy way to prevent a user from gaining a root shell
+if that user is allowed to run arbitrary commands via B<sudo>.
+Also, many programs (such as editors) allow the user to run commands
+via shell escapes, thus avoiding B<sudo>'s checks.  However, on
+most systems it is possible to prevent shell escapes with B<sudo>'s
+I<noexec> functionality.  See the L<sudoers(5)> manual
+for details.
+
+It is not meaningful to run the C<cd> command directly via sudo, e.g.,
+
+ $ sudo cd /usr/local/protected
+
+since when the command exits the parent process (your shell) will
+still be the same.  Please see the EXAMPLES section for more information.
+
+If users have sudo C<ALL> there is nothing to prevent them from
+creating their own program that gives them a root shell regardless
+of any '!' elements in the user specification.
+
+Running shell scripts via B<sudo> can expose the same kernel bugs that
+make setuid shell scripts unsafe on some operating systems (if your OS
+has a /dev/fd/ directory, setuid shell scripts are generally safe).
+
+=head1 BUGS
+
+If you feel you have found a bug in B<sudo>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/sudo.pp
===================================================================
--- trunk/contrib/sudo/sudo.pp	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudo.pp	2014-10-02 03:32:57 UTC (rev 6804)
@@ -12,7 +12,7 @@
 The basic philosophy is to give as few privileges as possible but \
 still allow people to get their work done."
 	vendor="Todd C. Miller"
-	copyright="(c) 1993-1996,1998-2010 Todd C. Miller"
+	copyright="(c) 1993-1996,1998-2011 Todd C. Miller"
 
 %if [aix]
 	# AIX package summary is limited to 40 characters
@@ -19,12 +19,12 @@
 	summary="Configurable super-user privileges"
 
 	# Convert to 4 part version for AIX, including patch level
-	pp_aix_version=`echo $version|sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/' -e 's/[^0-9]*\([0-9]*\)$/.\1/'`
+	pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
 %endif
 
 %if [kit]
 	# Strip off patchlevel for kit which only supports xyz versions
-	pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/[bp][0-9]*$//'`"
+	pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/[^0-9][^0-9]*[0-9][0-9]*$//'`"
 	pp_kit_name="TCM"
 %endif
 
@@ -39,9 +39,8 @@
 
 %if [rpm,deb]
 	# Convert patch level into release and remove from version
-	pp_rpm_release="`echo $version|sed 's/^[0-9]*\.[0-9]*\.[0-9]*[^0-9]*//'`"
-	pp_rpm_release="`expr $pp_rpm_release + 1`"
-	pp_rpm_version="`echo $version|sed 's/p[0-9]*$//'`"
+	pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) + 1`"
+	pp_rpm_version="`expr $version : '\(.*\)p[0-9][0-9]*'`"
 	pp_rpm_license="BSD"
 	pp_rpm_url="http://www.sudo.ws/"
 	pp_rpm_group="Applications/System"
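Review bot: For a version string without a patch level the new `pp_rpm_version` line leaves the variable empty: `expr $version : '\(.*\)p[0-9][0-9]*'` prints nothing when no `p[0-9]+` suffix matches, whereas the removed `sed 's/p[0-9]*$//'` passed such a version through unchanged. The release line just above already guards the same case with `\| 0`; the version line needs an equivalent fallback, i.e. append `\| $version` after the match expression so a plain X.Y.Z release keeps its version. Whether pp is ever invoked with a non-patch version depends on the release process, so this is worth confirming against a plain tag before the next package build.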

Added: trunk/contrib/sudo/sudo_usage.h
===================================================================
--- trunk/contrib/sudo/sudo_usage.h	                        (rev 0)
+++ trunk/contrib/sudo/sudo_usage.h	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2007-2009 Todd C. Miller <Todd.Miller at courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SUDO_USAGE_H
+#define _SUDO_USAGE_H
+
+void help __P((void)) __attribute__((__noreturn__));
+void usage __P((int));
+
+/*
+ * Usage strings for sudo.  These are here because we
+ * need to be able to substitute values from configure.
+ */
+#define SUDO_USAGE1 " -h | -K | -k | -L | -V"
+#define SUDO_USAGE2 " -v [-AknS] [-g groupname|#gid] [-p prompt] [-u user name|#uid]"
+#define SUDO_USAGE3 " -l[l] [-AknS] [-g groupname|#gid] [-p prompt] [-U user name] [-u user name|#uid] [-g groupname|#gid] [command]"
+#define SUDO_USAGE4 " [-AbEHknPS] [-C fd] [-c class|-] [-g groupname|#gid] [-p prompt] [-u user name|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]"
+#define SUDO_USAGE5 " -e [-AknS] [-C fd] [-c class|-] [-g groupname|#gid] [-p prompt] [-u user name|#uid] file ..."
+
+/*
+ * Configure script arguments used to build sudo.
+ */
+#define CONFIGURE_ARGS "--prefix=/usr --build=amd64-midnightbsd-freebsd9.1 --with-insults"
+
+#endif /* _SUDO_USAGE_H */
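Review bot: The `#define CONFIGURE_ARGS` line bakes one build host's configure invocation (`--build=amd64-midnightbsd-freebsd9.1`) into a file checked in under contrib/, so the value `sudo -V` reports will be stale or wrong for any other build; this header looks like configure output rather than source, and would normally be regenerated from its template instead of committed. If it is intended to stay, a comment above the define such as `/* Generated by configure; reflects the importing build, not the local one. */` would keep the next reader from editing it by hand. Separately, the include guard `_SUDO_USAGE_H` is a leading-underscore-plus-uppercase identifier reserved for the implementation; `SUDO_USAGE_H` is the conventional form.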

Added: trunk/contrib/sudo/sudoers
===================================================================
--- trunk/contrib/sudo/sudoers	                        (rev 0)
+++ trunk/contrib/sudo/sudoers	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,90 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file.  Note that other programs use HOME to find   
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods.  Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!/sbin/reboot !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo	ALL=(ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw  # Ask for the password of the target user
+# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+## (the '#' here does not indicate a comment)
+#includedir /etc/sudoers.d
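Review bot: The `#includedir /etc/sudoers.d` directive on the last line is the only active policy directive besides `root ALL=(ALL) ALL`, so every file placed in that directory becomes part of the sudo policy, yet the two-line comment above it only explains that the `#` is not a comment marker. A comment such as `## Drop-ins must pass the same ownership/mode checks as sudoers itself; files whose names contain '.' or end in '~' are skipped` would tell an administrator or package post-install script what sudo expects before it will read them. Note also that the path is hard-coded to /etc while the documentation elsewhere in this commit refers to @sysconfdir@/sudoers; whether the two agree under the MidnightBSD install prefix is worth confirming.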

Added: trunk/contrib/sudo/sudoers.5
===================================================================
--- trunk/contrib/sudo/sudoers.5	                        (rev 0)
+++ trunk/contrib/sudo/sudoers.5	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,1814 @@
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2011
+.\" 	Todd C. Miller <Todd.Miller at courtesan.com>
+.\" 
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" 
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\" 
+.nr SL 0
+.nr BA 0
+.nr LC 1
+.\"
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` 
+.    ds C' 
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SUDOERS 5"
+.TH SUDOERS 5 "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+sudoers \- list of which users may execute what
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+The \fIsudoers\fR file is composed of two types of entries: aliases
+(basically variables) and user specifications (which specify who
+may run what).
+.PP
+When multiple entries match for a user, they are applied in order.
+Where there are multiple matches, the last match is used (which is
+not necessarily the most specific match).
+.PP
+The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
+Form (\s-1EBNF\s0).  Don't despair if you don't know what \s-1EBNF\s0 is; it is
+fairly simple, and the definitions below are annotated.
+.SS "Quick guide to \s-1EBNF\s0"
+.IX Subsection "Quick guide to EBNF"
+\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
+Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR.  E.g.,
+.PP
+.Vb 1
+\& symbol ::= definition | alternate1 | alternate2 ...
+.Ve
+.PP
+Each \fIproduction rule\fR references others and thus makes up a
+grammar for the language.  \s-1EBNF\s0 also contains the following
+operators, which many readers will recognize from regular
+expressions.  Do not, however, confuse them with \*(L"wildcard\*(R"
+characters, which have different meanings.
+.ie n .IP "\*(C`?\*(C'" 4
+.el .IP "\f(CW\*(C`?\*(C'\fR" 4
+.IX Item "?"
+Means that the preceding symbol (or group of symbols) is optional.
+That is, it may appear once or not at all.
+.ie n .IP "\*(C`*\*(C'" 4
+.el .IP "\f(CW\*(C`*\*(C'\fR" 4
+.IX Item "*"
+Means that the preceding symbol (or group of symbols) may appear
+zero or more times.
+.ie n .IP "\*(C`+\*(C'" 4
+.el .IP "\f(CW\*(C`+\*(C'\fR" 4
+.IX Item "+"
+Means that the preceding symbol (or group of symbols) may appear
+one or more times.
+.PP
+Parentheses may be used to group symbols together.  For clarity,
+we will use single quotes ('') to designate what is a verbatim character
+string (as opposed to a symbol name).
+.SS "Aliases"
+.IX Subsection "Aliases"
+There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
+\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
+.PP
+.Vb 4
+\& Alias ::= \*(AqUser_Alias\*(Aq  User_Alias (\*(Aq:\*(Aq User_Alias)* |
+\&           \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
+\&           \*(AqHost_Alias\*(Aq  Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
+\&           \*(AqCmnd_Alias\*(Aq  Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
+\&
+\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
+\&
+\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
+\&
+\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
+\&
+\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
+\&
+\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
+.Ve
+.PP
+Each \fIalias\fR definition is of the form
+.PP
+.Vb 1
+\& Alias_Type NAME = item1, item2, ...
+.Ve
+.PP
+where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
+or \f(CW\*(C`Cmnd_Alias\*(C'\fR.  A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
+and underscore characters ('_').  A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
+uppercase letter.  It is possible to put several alias definitions
+of the same type on a single line, joined by a colon (':').  E.g.,
+.PP
+.Vb 1
+\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+.Ve
+.PP
+The definitions of what constitutes a valid \fIalias\fR member follow.
+.PP
+.Vb 2
+\& User_List ::= User |
+\&               User \*(Aq,\*(Aq User_List
+\&
+\& User ::= \*(Aq!\*(Aq* user name |
+\&          \*(Aq!\*(Aq* #uid |
+\&          \*(Aq!\*(Aq* %group |
+\&          \*(Aq!\*(Aq* %#gid |
+\&          \*(Aq!\*(Aq* +netgroup |
+\&          \*(Aq!\*(Aq* %:nonunix_group |
+\&          \*(Aq!\*(Aq* %:#nonunix_gid |
+\&          \*(Aq!\*(Aq* User_Alias
+.Ve
+.PP
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+\&\f(CW\*(C`User_Alias\*(C'\fRes.  Each list item may be prefixed with zero or more
+\&'!' operators.  An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+.PP
+A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
+or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
+need for escaping special characters.  Alternately, special characters
+may be specified in escaped hex mode, e.g. \ex20 for space.  When
+using double quotes, any prefix characters must be included inside
+the quotes.
+.PP
+The \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on the
+underlying implementation.  For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports
+the following formats:
+.IP "\(bu" 4
+Group in the same domain: \*(L"Group Name\*(R"
+.IP "\(bu" 4
+Group in any domain: \*(L"Group Name at FULLY.QUALIFIED.DOMAIN\*(R"
+.IP "\(bu" 4
+Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
+.PP
+Note that quotes around group names are optional.  Unquoted strings
+must use a backslash (\e) to escape spaces and special characters.
+See \*(L"Other special characters and reserved words\*(R" for a list of
+characters that need to be escaped.
+.PP
+.Vb 2
+\& Runas_List ::= Runas_Member |
+\&                Runas_Member \*(Aq,\*(Aq Runas_List
+\&
+\& Runas_Member ::= \*(Aq!\*(Aq* user name |
+\&                  \*(Aq!\*(Aq* #uid |
+\&                  \*(Aq!\*(Aq* %group |
+\&                  \*(Aq!\*(Aq* %#gid |
+\&                  \*(Aq!\*(Aq* %:nonunix_group |
+\&                  \*(Aq!\*(Aq* %:#nonunix_gid |
+\&                  \*(Aq!\*(Aq* +netgroup |
+\&                  \*(Aq!\*(Aq* Runas_Alias
+.Ve
+.PP
+A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
+of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes.  Note that
+user names and groups are matched as strings.  In other words, two
+users (groups) with the same uid (gid) are considered to be distinct.
+If you wish to match all user names with the same uid (e.g.\ root
+and toor), you can use a uid instead (#0 in the example given).
+.PP
+.Vb 2
+\& Host_List ::= Host |
+\&               Host \*(Aq,\*(Aq Host_List
+\&
+\& Host ::= \*(Aq!\*(Aq* host name |
+\&          \*(Aq!\*(Aq* ip_addr |
+\&          \*(Aq!\*(Aq* network(/netmask)? |
+\&          \*(Aq!\*(Aq* +netgroup |
+\&          \*(Aq!\*(Aq* Host_Alias
+.Ve
+.PP
+A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
+network numbers, netgroups (prefixed with '+') and other aliases.
+Again, the value of an item may be negated with the '!' operator.
+If you do not specify a netmask along with the network number,
+\&\fBsudo\fR will query each of the local host's network interfaces and,
+if the network number corresponds to one of the hosts's network
+interfaces, the corresponding netmask will be used.  The netmask
+may be specified either in standard \s-1IP\s0 address notation
+(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
+or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64).  A host name may
+include shell-style wildcards (see the Wildcards section below),
+but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
+qualified host name, you'll need to use the \fIfqdn\fR option for
+wildcards to be useful.  Note \fBsudo\fR only inspects actual network
+interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
+never match.  Also, the host name \*(L"localhost\*(R" will only match if
+that is the actual host name, which is usually only the case for
+non-networked systems.
+.PP
+.Vb 2
+\& Cmnd_List ::= Cmnd |
+\&               Cmnd \*(Aq,\*(Aq Cmnd_List
+\&
+\& commandname ::= file name |
+\&                 file name args |
+\&                 file name \*(Aq""\*(Aq
+\&
+\& Cmnd ::= \*(Aq!\*(Aq* commandname |
+\&          \*(Aq!\*(Aq* directory |
+\&          \*(Aq!\*(Aq* "sudoedit" |
+\&          \*(Aq!\*(Aq* Cmnd_Alias
+.Ve
+.PP
+A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
+aliases.  A commandname is a fully qualified file name which may include
+shell-style wildcards (see the Wildcards section below).  A simple
+file name allows the user to run the command with any arguments he/she
+wishes.  However, you may also specify command line arguments (including
+wildcards).  Alternately, you can specify \f(CW""\fR to indicate that the command
+may only be run \fBwithout\fR command line arguments.  A directory is a
+fully qualified path name ending in a '/'.  When you specify a directory
+in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
+(but not in any subdirectories therein).
+.PP
+If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
+in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
+(or match the wildcards if there are any).  Note that the following
+characters must be escaped with a '\e' if they are used in command
+arguments: ',', ':', '=', '\e'.  The special command \f(CW"sudoedit"\fR
+is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
+as \fBsudoedit\fR).  It may take command line arguments just as
+a normal command does.
+.SS "Defaults"
+.IX Subsection "Defaults"
+Certain configuration options may be changed from their default
+values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines.  These
+may affect all users on any host, all users on a specific host, a
+specific user, a specific command, or commands being run as a specific user.
+Note that per-command entries may not include command line arguments.
+If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
+that instead.
+.PP
+.Vb 5
+\& Default_Type ::= \*(AqDefaults\*(Aq |
+\&                  \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
+\&                  \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
+\&                  \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
+\&                  \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
+\&
+\& Default_Entry ::= Default_Type Parameter_List
+\&
+\& Parameter_List ::= Parameter |
+\&                    Parameter \*(Aq,\*(Aq Parameter_List
+\&
+\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
+\&               Parameter \*(Aq+=\*(Aq Value |
+\&               Parameter \*(Aq\-=\*(Aq Value |
+\&               \*(Aq!\*(Aq* Parameter
+.Ve
+.PP
+Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
+Flags are implicitly boolean and can be turned off via the '!'
+operator.  Some integer, string and list parameters may also be
+used in a boolean context to disable them.  Values may be enclosed
+in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words.  Special
+characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
+.PP
+Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
+These operators are used to add to and delete from a list respectively.
+It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
+that does not exist in a list.
+.PP
+Defaults entries are parsed in the following order: generic, host
+and user Defaults first, then runas Defaults and finally command
+defaults.
+.PP
+See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
+.SS "User Specification"
+.IX Subsection "User Specification"
+.Vb 2
+\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
+\&               (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
+\&
+\& Cmnd_Spec_List ::= Cmnd_Spec |
+\&                    Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
+\&
+.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+\&
+\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
+\&
+.if \n(SL \{\
+\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
+\&
+\}
+\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
+\&               \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
+\&               \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
+.Ve
+.PP
+A \fBuser specification\fR determines which commands a user may run
+(and as what user) on specified hosts.  By default, commands are
+run as \fBroot\fR, but this can be changed on a per-command basis.
+.PP
+The basic structure of a user specification is `who where = (as_whom)
+what'.  Let's break that down into its constituent parts:
+.SS "Runas_Spec"
+.IX Subsection "Runas_Spec"
+A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
+may be run as.  A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
+\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
+enclosed in a set of parentheses.  The first \f(CW\*(C`Runas_List\*(C'\fR indicates
+which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
+The second defines a list of groups that can be specified via
+\&\fBsudo\fR's \fB\-g\fR option.  If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
+command may be run with any combination of users and groups listed
+in their respective \f(CW\*(C`Runas_List\*(C'\fRs.  If only the first is specified,
+the command may be run as any user in the list but no \fB\-g\fR option
+may be specified.  If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
+second is specified, the command may be run as the invoking user
+with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR.  If no
+\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
+no group may be specified.
+.PP
+A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
+What this means is that for the entry:
+.PP
+.Vb 1
+\& dgb    boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+.Ve
+.PP
+The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
+\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR.  E.g.,
+.PP
+.Vb 1
+\& $ sudo \-u operator /bin/ls
+.Ve
+.PP
+It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
+entry.  If we modify the entry like so:
+.PP
+.Vb 1
+\& dgb    boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+.Ve
+.PP
+Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
+but  \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
+.PP
+We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
+the user or group set to \fBoperator\fR:
+.PP
+.Vb 2
+\& dgb    boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
+\&        /usr/bin/lprm
+.Ve
+.PP
+Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
+user to run as command with that group, it does not force the user
+to do so.  If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry.  The following would all be permitted by the sudoers entry above:
+.PP
+.Vb 3
+\& $ sudo \-u operator /bin/ls
+\& $ sudo \-u operator \-g operator /bin/ls
+\& $ sudo \-g operator /bin/ls
+.Ve
+.PP
+In the following example, user \fBtcm\fR may run commands that access
+a modem device file with the dialer group.
+.PP
+.Vb 2
+\& tcm    boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
+\&        /usr/local/bin/minicom
+.Ve
+.PP
+Note that in this example only the group will be set, the command
+still runs as user \fBtcm\fR.  E.g.
+.PP
+.Vb 1
+\& $ sudo \-g dialer /usr/bin/cu
+.Ve
+.PP
+Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
+which case the user may select any combination of users and groups
+via the \fB\-u\fR and \fB\-g\fR options.  In this example:
+.PP
+.Vb 1
+\& alan   ALL = (root, bin : operator, system) ALL
+.Ve
+.PP
+user \fBalan\fR may run any command as either user root or bin,
+optionally setting the group to operator or system.
+.if \n(SL \{\
+.SS "SELinux_Spec"
+.IX Subsection "SELinux_Spec"
+On systems with SELinux support, \fIsudoers\fR entries may optionally have
+an SELinux role and/or type associated with a command.  If a role or
+type is specified with the command it will override any default values
+specified in \fIsudoers\fR.  A role or type specified on the command line,
+however, will supercede the values in \fIsudoers\fR.
+\}
+.SS "Tag_Spec"
+.IX Subsection "Tag_Spec"
+A command may have zero or more tags associated with it.  There are
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
+\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR.  Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
+subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
+it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
+\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
+.PP
+\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
+.IX Subsection "NOPASSWD and PASSWD"
+.PP
+By default, \fBsudo\fR requires that a user authenticate him or herself
+before running a command.  This behavior can be modified via the
+\&\f(CW\*(C`NOPASSWD\*(C'\fR tag.  Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
+a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
+Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
+For example:
+.PP
+.Vb 1
+\& ray    rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+.Ve
+.PP
+would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
+\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
+authenticating himself.  If we only want \fBray\fR to be able to
+run \fI/bin/kill\fR without a password the entry would be:
+.PP
+.Vb 1
+\& ray    rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+.Ve
+.PP
+Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
+in the group specified by the \fIexempt_group\fR option.
+.PP
+By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
+for a user on the current host, he or she will be able to run
+\&\f(CW\*(C`sudo \-l\*(C'\fR without a password.  Additionally, a user may only run
+\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
+for all a user's entries that pertain to the current host.
+This behavior may be overridden via the verifypw and listpw options.
+.PP
+\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
+.IX Subsection "NOEXEC and EXEC"
+.PP
+If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
+operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
+a dynamically-linked executable from running further commands itself.
+.PP
+In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
+and \fI/usr/bin/vi\fR but shell escapes will be disabled.
+.PP
+.Vb 1
+\& aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ve
+.PP
+See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
+on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
+.PP
+\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
+.IX Subsection "SETENV and NOSETENV"
+.PP
+These tags override the value of the \fIsetenv\fR option on a per-command
+basis.  Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
+may disable the \fIenv_reset\fR option from the command line via the
+\&\fB\-E\fR option.  Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR.  As such, only trusted users should
+be allowed to set variables in this manner.  If the command matched
+is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
+default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
+.PP
+\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
+.IX Subsection "LOG_INPUT and NOLOG_INPUT"
+.PP
+These tags override the value of the \fIlog_input\fR option on a
+per-command basis.  For more information, see the description of
+\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+.PP
+\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
+.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
+.PP
+These tags override the value of the \fIlog_output\fR option on a
+per-command basis.  For more information, see the description of
+\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+.SS "Wildcards"
+.IX Subsection "Wildcards"
+\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
+to be used in host names, path names and command line arguments in
+the \fIsudoers\fR file.  Wildcard matching is done via the \fB\s-1POSIX\s0\fR
+\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines.  Note that these are \fInot\fR
+regular expressions.
+.ie n .IP "\*(C`*\*(C'" 8
+.el .IP "\f(CW\*(C`*\*(C'\fR" 8
+.IX Item "*"
+Matches any set of zero or more characters.
+.ie n .IP "\*(C`?\*(C'" 8
+.el .IP "\f(CW\*(C`?\*(C'\fR" 8
+.IX Item "?"
+Matches any single character.
+.ie n .IP "\*(C`[...]\*(C'" 8
+.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
+.IX Item "[...]"
+Matches any character in the specified range.
+.ie n .IP "\*(C`[!...]\*(C'" 8
+.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
+.IX Item "[!...]"
+Matches any character \fBnot\fR in the specified range.
+.ie n .IP "\*(C`\ex\*(C'" 8
+.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
+.IX Item "x"
+For any character \*(L"x\*(R", evaluates to \*(L"x\*(R".  This is used to
+escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
+.PP
+\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
+and \fIfnmatch\fR\|(3) functions support them.  However, because the
+\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
+escaped.  For example:
+.PP
+.Vb 1
+\&    /bin/ls [[\e:alpha\e:]]*
+.Ve
+.PP
+Would match any file name beginning with a letter.
+.PP
+Note that a forward slash ('/') will \fBnot\fR be matched by
+wildcards used in the path name.  When matching the command
+line arguments, however, a slash \fBdoes\fR get matched by
+wildcards.  This is to make a path like:
+.PP
+.Vb 1
+\&    /usr/bin/*
+.Ve
+.PP
+match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
+.SS "Exceptions to wildcard rules"
+.IX Subsection "Exceptions to wildcard rules"
+The following exceptions apply to the above rules:
+.ie n .IP """""" 8
+.el .IP "\f(CW``''\fR" 8
+.IX Item """"""
+If the empty string \f(CW""\fR is the only command line argument in the
+\&\fIsudoers\fR entry it means that command is not allowed to be run
+with \fBany\fR arguments.
+.SS "Including other files from within sudoers"
+.IX Subsection "Including other files from within sudoers"
+It is possible to include other \fIsudoers\fR files from within the
+\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
+\&\f(CW\*(C`#includedir\*(C'\fR directives.
+.PP
+This can be used, for example, to keep a site-wide \fIsudoers\fR file
+in addition to a local, per-machine file.  For the sake of this
+example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
+per-machine one will be \fI/etc/sudoers.local\fR.  To include
+\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
+following line in \fI/etc/sudoers\fR:
+.Sp
+.RS 4
+\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
+.RE
+.PP
+When \fBsudo\fR reaches this line it will suspend processing of the
+current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
+Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
+\&\fI/etc/sudoers\fR will be processed.  Files that are included may
+themselves include other files.  A hard limit of 128 nested include
+files is enforced to prevent include file loops.
+.PP
+The file name may include the \f(CW%h\fR escape, signifying the short form
+of the host name.  I.e., if the machine's host name is \*(L"xerxes\*(R", then
+.PP
+\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
+.PP
+will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
+.PP
+The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
+directory that the system package manager can drop \fIsudoers\fR rules
+into as part of package installation.  For example, given:
+.PP
+\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
+.PP
+\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
+names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
+problems with package manager or editor temporary/backup files.
+Files are parsed in sorted lexical order.  That is,
+\&\fI/etc/sudoers.d/01_first\fR will be parsed before
+\&\fI/etc/sudoers.d/10_second\fR.  Be aware that because the sorting is
+lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
+\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR.  Using a consistent number
+of leading zeroes in the file names can be used to avoid such
+problems.
+.PP
+Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
+edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
+contains a syntax error.  It is still possible to run \fBvisudo\fR
+with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
+.SS "Other special characters and reserved words"
+.IX Subsection "Other special characters and reserved words"
+The pound sign ('#') is used to indicate a comment (unless it is
+part of a #include directive or unless it occurs in the context of
+a user name and is followed by one or more digits, in which case
+it is treated as a uid).  Both the comment character and any text
+after it, up to the end of the line, are ignored.
+.PP
+The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
+a match to succeed.  It can be used wherever one might otherwise
+use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
+You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
+built-in alias will be used in preference to your own.  Please note
+that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
+allows the user to run \fBany\fR command on the system.
+.PP
+An exclamation point ('!') can be used as a logical \fInot\fR operator
+both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR.  This allows one to
+exclude certain values.  Note, however, that using a \f(CW\*(C`!\*(C'\fR in
+conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
+run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
+\&\s-1NOTES\s0 below).
+.PP
+Long lines can be continued with a backslash ('\e') as the last
+character on the line.
+.PP
+Whitespace between elements in a list as well as special syntactic
+characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
+.PP
+The following characters must be escaped with a backslash ('\e') when
+used as part of a word (e.g.\ a user name or host name):
+\&'!', '=', ':', ',', '(', ')', '\e'.
+.SH "SUDOERS OPTIONS"
+.IX Header "SUDOERS OPTIONS"
+\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
+explained earlier.  A list of all supported Defaults parameters,
+grouped by type, are listed below.
+.PP
+\&\fBBoolean Flags\fR:
+.IP "always_set_home" 16
+.IX Item "always_set_home"
+If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
+home directory of the target user (which is root unless the \fB\-u\fR
+option is used).  This effectively means that the \fB\-H\fR option is
+always implied.  Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
+\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
+effective for configurations where either \fIenv_reset\fR is disabled
+or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
+This flag is \fIoff\fR by default.
+.IP "authenticate" 16
+.IX Item "authenticate"
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands.  This default
+may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
+This flag is \fIon\fR by default.
+.IP "closefrom_override" 16
+.IX Item "closefrom_override"
+If set, the user may use \fBsudo\fR's \fB\-C\fR option which
+overrides the default starting point at which \fBsudo\fR begins
+closing open file descriptors.  This flag is \fIoff\fR by default.
+.IP "compress_io" 16
+.IX Item "compress_io"
+If set, and \fBsudo\fR is configured to log a command's input or output,
+the I/O logs will be compressed using \fBzlib\fR.  This flag is \fIon\fR
+by default when \fBsudo\fR is compiled with \fBzlib\fR support.
+.IP "env_editor" 16
+.IX Item "env_editor"
+If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging.  A safer alternative
+is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
+variable.  \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
+they match a value specified in \f(CW\*(C`editor\*(C'\fR.  This flag is \fIoff\fR by
+default.
+.IP "env_reset" 16
+.IX Item "env_reset"
+If set, \fBsudo\fR will reset the environment to only contain the
+\&\s-1LOGNAME\s0, \s-1MAIL\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables.  Any
+variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
+and \f(CW\*(C`env_check\*(C'\fR lists are then added.  The default contents of the
+\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
+run by root with the \fI\-V\fR option.  If the \fIsecure_path\fR option
+is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
+This flag is \fIon\fR by default.
+.IP "fast_glob" 16
+.IX Item "fast_glob"
+Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
+globbing when matching path names.  However, since it accesses the
+file system, \fIglob\fR\|(3) can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted).  The \fIfast_glob\fR
+option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
+not access the file system to do its matching.  The disadvantage
+of \fIfast_glob\fR is that it is unable to match relative path names
+such as \fI./ls\fR or \fI../bin/ls\fR.  This has security implications
+when path names that include globbing characters are used with the
+negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
+As such, this option should not be used when \fIsudoers\fR contains rules 
+that contain negated path names which include globbing characters.
+This flag is \fIoff\fR by default.
+.IP "fqdn" 16
+.IX Item "fqdn"
+Set this flag if you want to put fully qualified host names in the
+\&\fIsudoers\fR file.  I.e., instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
+which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
+if the machine is not plugged into the network).  Also note that
+you must use the host's official name as \s-1DNS\s0 knows it.  That is,
+you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
+issues and the fact that there is no way to get all aliases from
+\&\s-1DNS\s0.  If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
+command) is already fully qualified you shouldn't need to set
+\&\fIfqdn\fR.  This flag is \fIoff\fR by default.
+.IP "ignore_dot" 16
+.IX Item "ignore_dot"
+If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
+environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified.  This
+flag is \fIoff\fR by default.
+.IP "ignore_local_sudoers" 16
+.IX Item "ignore_local_sudoers"
+If set via \s-1LDAP\s0, parsing of \fI/etc/sudoers\fR will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only \s-1LDAP\s0 is used.  This thwarts the efforts of
+rogue operators who would attempt to add roles to \fI/etc/sudoers\fR.
+When this option is present, \fI/etc/sudoers\fR does not even need to
+exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
+entries have been matched, this sudoOption is only meaningful for the
+\&\f(CW\*(C`cn=defaults\*(C'\fR section.  This flag is \fIoff\fR by default.
+.IP "insults" 16
+.IX Item "insults"
+If set, \fBsudo\fR will insult users when they enter an incorrect
+password.  This flag is \fIon\fR by default.
+.IP "log_host" 16
+.IX Item "log_host"
+If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is \fIoff\fR by default.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI/var/log/sudo-io\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted.  In most cases, logging the
+command output via \fIlog_output\fR is all that is required.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Sp
+Output is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI/var/log/sudo-io\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Output logs may be viewed with the \fIsudoreplay\fR\|(8) utility, which
+can also be used to list or search the available logs.
+.IP "log_year" 16
+.IX Item "log_year"
+If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is \fIoff\fR by default.
+.IP "long_otp_prompt" 16
+.IX Item "long_otp_prompt"
+When validating with a One Time Password (\s-1OPT\s0) scheme such as
+\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.  It's not as
+pretty as the default but some people find it more convenient.  This
+flag is \fIoff\fR by default.
+.IP "mail_always" 16
+.IX Item "mail_always"
+Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
+This flag is \fIoff\fR by default.
+.IP "mail_badpass" 16
+.IX Item "mail_badpass"
+Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
+enter the correct password.  This flag is \fIoff\fR by default.
+.IP "mail_no_host" 16
+.IX Item "mail_no_host"
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user exists in the \fIsudoers\fR file, but is not allowed to run
+commands on the current host.  This flag is \fIoff\fR by default.
+.IP "mail_no_perms" 16
+.IX Item "mail_no_perms"
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user is allowed to use \fBsudo\fR but the command they are trying is not
+listed in their \fIsudoers\fR file entry or is explicitly denied.
+This flag is \fIoff\fR by default.
+.IP "mail_no_user" 16
+.IX Item "mail_no_user"
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user is not in the \fIsudoers\fR file.  This flag is \fIon\fR
+by default.
+.IP "noexec" 16
+.IX Item "noexec"
+If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
+tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag.  See the
+description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
+\&\s-1ESCAPES\s0\*(R" section at the end of this manual.  This flag is \fIoff\fR by default.
+.IP "path_info" 16
+.IX Item "path_info"
+Normally, \fBsudo\fR will tell the user when a command could not be
+found in their \f(CW\*(C`PATH\*(C'\fR environment variable.  Some sites may wish
+to disable this as it could be used to gather information on the
+location of executables that the normal user does not have access
+to.  The disadvantage is that if the executable is simply not in
+the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
+allowed to run it, which can be confusing.  This flag is \fIon\fR
+by default.
+.IP "passprompt_override" 16
+.IX Item "passprompt_override"
+The password prompt specified by \fIpassprompt\fR will normally only
+be used if the password prompt provided by systems such as \s-1PAM\s0 matches
+the string \*(L"Password:\*(R".  If \fIpassprompt_override\fR is set, \fIpassprompt\fR
+will always be used.  This flag is \fIoff\fR by default.
+.IP "preserve_groups" 16
+.IX Item "preserve_groups"
+By default, \fBsudo\fR will initialize the group vector to the list of
+groups the target user is in.  When \fIpreserve_groups\fR is set, the
+user's existing group vector is left unaltered.  The real and
+effective group IDs, however, are still set to match the target
+user.  This flag is \fIoff\fR by default.
+.IP "pwfeedback" 16
+.IX Item "pwfeedback"
+By default, \fBsudo\fR reads the password like most other Unix programs,
+by turning off echo until the user hits the return (or enter) key.
+Some users become confused by this as it appears to them that \fBsudo\fR
+has hung at this point.  When \fIpwfeedback\fR is set, \fBsudo\fR will
+provide visual feedback when the user presses a key.  Note that
+this does have a security impact as an onlooker may be able to
+determine the length of the password being entered.
+This flag is \fIoff\fR by default.
+.IP "requiretty" 16
+.IX Item "requiretty"
+If set, \fBsudo\fR will only run when the user is logged in to a real
+tty.  When this flag is set, \fBsudo\fR can only be run from a login
+session and not via other means such as \fIcron\fR\|(8) or cgi-bin scripts.
+This flag is \fIoff\fR by default.
+.IP "root_sudo" 16
+.IX Item "root_sudo"
+If set, root is allowed to run \fBsudo\fR too.  Disabling this prevents users
+from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
+like \f(CW"sudo sudo /bin/sh"\fR.  Note, however, that turning off \fIroot_sudo\fR
+will also prevent root from running \fBsudoedit\fR.
+Disabling \fIroot_sudo\fR provides no real additional security; it
+exists purely for historical reasons.
+This flag is \fIon\fR by default.
+.IP "rootpw" 16
+.IX Item "rootpw"
+If set, \fBsudo\fR will prompt for the root password instead of the password
+of the invoking user.  This flag is \fIoff\fR by default.
+.IP "runaspw" 16
+.IX Item "runaspw"
+If set, \fBsudo\fR will prompt for the password of the user defined by the
+\&\fIrunas_default\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the
+password of the invoking user.  This flag is \fIoff\fR by default.
+.IP "set_home" 16
+.IX Item "set_home"
+If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
+environment variable will be set to the home directory of the target
+user (which is root unless the \fB\-u\fR option is used).  This effectively
+makes the \fB\-s\fR option imply \fB\-H\fR.  Note that \f(CW\*(C`HOME\*(C'\fR is already
+set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
+only effective for configurations where either \fIenv_reset\fR is disabled
+or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
+This flag is \fIoff\fR by default.
+.IP "set_logname" 16
+.IX Item "set_logname"
+Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
+environment variables to the name of the target user (usually root
+unless the \fB\-u\fR option is given).  However, since some programs
+(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
+determine the real identity of the user, it may be desirable to
+change this behavior.  This can be done by negating the set_logname
+option.  Note that if the \fIenv_reset\fR option has not been disabled,
+entries in the \fIenv_keep\fR list will override the value of
+\&\fIset_logname\fR.  This flag is \fIon\fR by default.
+.IP "setenv" 16
+.IX Item "setenv"
+Allow the user to disable the \fIenv_reset\fR option from the command
+line.  Additionally, environment variables set via the command line
+are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR.  As such, only trusted users should
+be allowed to set variables in this manner.  This flag is \fIoff\fR
+by default.
+.IP "shell_noargs" 16
+.IX Item "shell_noargs"
+If set and \fBsudo\fR is invoked with no arguments it acts as if the
+\&\fB\-s\fR option had been given.  That is, it runs a shell as root (the
+shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not).  This flag is \fIoff\fR by default.
+.IP "stay_setuid" 16
+.IX Item "stay_setuid"
+Normally, when \fBsudo\fR executes a command the real and effective
+UIDs are set to the target user (root by default).  This option
+changes that behavior such that the real \s-1UID\s0 is left as the invoking
+user's \s-1UID\s0.  In other words, this makes \fBsudo\fR act as a setuid
+wrapper.  This can be useful on systems that disable some potentially
+dangerous functionality when a program is run setuid.  This option
+is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
+function.  This flag is \fIoff\fR by default.
+.IP "targetpw" 16
+.IX Item "targetpw"
+If set, \fBsudo\fR will prompt for the password of the user specified
+by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
+of the invoking user.  In addition, the timestamp file name will
+include the target user's name.  Note that this flag precludes the
+use of a uid not listed in the passwd database as an argument to
+the \fB\-u\fR option.  This flag is \fIoff\fR by default.
+.IP "tty_tickets" 16
+.IX Item "tty_tickets"
+If set, users must authenticate on a per-tty basis.  With this flag
+enabled, \fBsudo\fR will use a file named for the tty the user is
+logged in on in the user's time stamp directory.  If disabled, the
+time stamp of the directory is used instead.  This flag is
+\&\fIon\fR by default.
+.IP "umask_override" 16
+.IX Item "umask_override"
+If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
+modification.  This makes it possible to specify a more permissive
+umask in \fIsudoers\fR than the user's own umask and matches historical
+behavior.  If \fIumask_override\fR is not set, \fBsudo\fR will set the
+umask to be the union of the user's umask and what is specified in
+\&\fIsudoers\fR.  This flag is \fIoff\fR by default.
+.if \n(LC \{\
+.IP "use_loginclass" 16
+.IX Item "use_loginclass"
+If set, \fBsudo\fR will apply the defaults specified for the target user's
+login class if one exists.  Only available if \fBsudo\fR is configured with
+the \-\-with\-logincap option.  This flag is \fIoff\fR by default.
+\}
+.IP "use_pty" 16
+.IX Item "use_pty"
+If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
+logging is being gone.  A malicious program run under \fBsudo\fR could
+conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing.  Use
+of this option will make that impossible.
+.IP "visiblepw" 16
+.IX Item "visiblepw"
+By default, \fBsudo\fR will refuse to run if the user must enter a
+password but it is not possible to disable echo on the terminal.
+If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
+even when it would be visible on the screen.  This makes it possible
+to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
+not allocate a tty.  This flag is \fIoff\fR by default.
+.PP
+\&\fBIntegers\fR:
+.IP "closefrom" 16
+.IX Item "closefrom"
+Before it executes a command, \fBsudo\fR will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0\-2).  The \fIclosefrom\fR option can be used
+to specify a different file descriptor at which to start closing.
+The default is \f(CW3\fR.
+.IP "passwd_tries" 16
+.IX Item "passwd_tries"
+The number of tries a user gets to enter his/her password before
+\&\fBsudo\fR logs the failure and exits.  The default is \f(CW\*(C`3\*(C'\fR.
+.PP
+\&\fBIntegers that can be used in a boolean context\fR:
+.IP "loglinelen" 16
+.IX Item "loglinelen"
+Number of characters per line for the file log.  This value is used
+to decide when to wrap lines for nicer log files.  This has no
+effect on the syslog log file, only the file log.  The default is
+\&\f(CW\*(C`80\*(C'\fR (use 0 or negate the option to disable word wrap).
+.IP "passwd_timeout" 16
+.IX Item "passwd_timeout"
+Number of minutes before the \fBsudo\fR password prompt times out, or
+\&\f(CW0\fR for no timeout.  The timeout may include a fractional component
+if minute granularity is insufficient, for example \f(CW2.5\fR.  The
+default is \f(CW\*(C`5\*(C'\fR.
+.IP "timestamp_timeout" 16
+.IX Item "timestamp_timeout"
+Number of minutes that can elapse before \fBsudo\fR will ask for a
+passwd again.  The timeout may include a fractional component if
+minute granularity is insufficient, for example \f(CW2.5\fR.  The default
+is \f(CW\*(C`5\*(C'\fR.  Set this to \f(CW0\fR to always prompt for a password.
+If set to a value less than \f(CW0\fR the user's timestamp will never
+expire.  This can be used to allow users to create or delete their
+own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
+.IP "umask" 16
+.IX Item "umask"
+Umask to use when running the command.  Negate this option or set
+it to 0777 to preserve the user's umask.  The actual umask that is
+used will be the union of the user's umask and the value of the
+\&\fIumask\fR option, which defaults to \f(CW\*(C`0022\*(C'\fR.  This guarantees
+that \fBsudo\fR never lowers the umask when running a command.  Note
+on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
+its own umask which will override the value set in \fIsudoers\fR.
+.PP
+\&\fBStrings\fR:
+.IP "badpass_message" 16
+.IX Item "badpass_message"
+Message that is displayed if a user enters an incorrect password.
+The default is \f(CW\*(C`Sorry, try again.\*(C'\fR unless insults are enabled.
+.IP "editor" 16
+.IX Item "editor"
+A colon (':') separated list of editors allowed to be used with
+\&\fBvisudo\fR.  \fBvisudo\fR will choose the editor that matches the user's
+\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
+list that exists and is executable.  The default is \f(CW"/usr/bin/vi"\fR.
+.IP "iolog_dir" 16
+.IX Item "iolog_dir"
+The directory in which to store input/output logs when the \fIlog_input\fR
+or \fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
+The default is \f(CW"/var/log/sudo-io"\fR.
+.IP "mailsub" 16
+.IX Item "mailsub"
+Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
+will expand to the host name of the machine.
+Default is \f(CW\*(C`*** SECURITY information for %h ***\*(C'\fR.
+.IP "noexec_file" 16
+.IX Item "noexec_file"
+Path to a shared library containing dummy versions of the \fIexecv()\fR,
+\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
+This is used to implement the \fInoexec\fR functionality on systems that
+support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent.  Defaults to \fI/usr/libexec/sudo_noexec.so\fR.
+.IP "passprompt" 16
+.IX Item "passprompt"
+The default prompt to use when asking for a password; can be overridden
+via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
+The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
+.RS 16
+.ie n .IP "%H" 4
+.el .IP "\f(CW%H\fR" 4
+.IX Item "%H"
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the \fIfqdn\fR
+option is set)
+.ie n .IP "%h" 4
+.el .IP "\f(CW%h\fR" 4
+.IX Item "%h"
+expanded to the local host name without the domain name
+.ie n .IP "%p" 4
+.el .IP "\f(CW%p\fR" 4
+.IX Item "%p"
+expanded to the user whose password is being asked for (respects the 
+\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
+.ie n .IP "%U" 4
+.el .IP "\f(CW%U\fR" 4
+.IX Item "%U"
+expanded to the login name of the user the command will
+be run as (defaults to root)
+.ie n .IP "%u" 4
+.el .IP "\f(CW%u\fR" 4
+.IX Item "%u"
+expanded to the invoking user's login name
+.ie n .IP "\*(C`%%\*(C'" 4
+.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
+.IX Item "%%"
+two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
+.RE
+.RS 16
+.Sp
+The default value is \f(CW\*(C`Password:\*(C'\fR.
+.RE
+.if \n(SL \{\
+.IP "role" 16
+.IX Item "role"
+The default SELinux role to use when constructing a new security
+context to run the command.  The default role may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
+.IP "runas_default" 16
+.IX Item "runas_default"
+The default user to run commands as if the \fB\-u\fR option is not specified
+on the command line.  This defaults to \f(CW\*(C`root\*(C'\fR.
+Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
+any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
+.IP "syslog_badpri" 16
+.IX Item "syslog_badpri"
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to \f(CW\*(C`alert\*(C'\fR.
+.IP "syslog_goodpri" 16
+.IX Item "syslog_goodpri"
+Syslog priority to use when user authenticates successfully.
+Defaults to \f(CW\*(C`notice\*(C'\fR.
+.IP "sudoers_locale" 16
+.IX Item "sudoers_locale"
+Locale to use when parsing the sudoers file, logging commands, and
+sending email.  Note that changing the locale may affect how sudoers
+is interpreted.  Defaults to \f(CW"C"\fR.
+.IP "timestampdir" 16
+.IX Item "timestampdir"
+The directory in which \fBsudo\fR stores its timestamp files.
+The default is \fI/var/db/sudo\fR.
+.IP "timestampowner" 16
+.IX Item "timestampowner"
+The owner of the timestamp directory and the timestamps stored therein.
+The default is \f(CW\*(C`root\*(C'\fR.
+.if \n(SL \{\
+.IP "type" 16
+.IX Item "type"
+The default SELinux type to use when constructing a new security
+context to run the command.  The default type may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
+.PP
+\&\fBStrings that can be used in a boolean context\fR:
+.IP "askpass" 12
+.IX Item "askpass"
+The \fIaskpass\fR option specifies the fully qualified path to a helper
+program used to read the user's password when no terminal is
+available.  This may be the case when \fBsudo\fR is executed from a
+graphical (as opposed to text-based) application.  The program
+specified by \fIaskpass\fR should display the argument passed to it
+as the prompt and write the user's password to the standard output.
+The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
+environment variable.
+.IP "env_file" 12
+.IX Item "env_file"
+The \fIenv_file\fR options specifies the fully qualified path to a
+file containing variables to be set in the environment of the program
+being run.  Entries in this file should either be of the form
+\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR.  The value may
+optionally be surrounded by single or double quotes.  Variables in
+this file are subject to other \fBsudo\fR environment settings such
+as \fIenv_keep\fR and \fIenv_check\fR.
+.IP "exempt_group" 12
+.IX Item "exempt_group"
+Users in this group are exempt from password and \s-1PATH\s0 requirements.
+This is not set by default.
+.IP "lecture" 12
+.IX Item "lecture"
+This option controls when a short lecture will be printed along with
+the password prompt.  It has the following possible values:
+.RS 12
+.IP "always" 8
+.IX Item "always"
+Always lecture the user.
+.IP "never" 8
+.IX Item "never"
+Never lecture the user.
+.IP "once" 8
+.IX Item "once"
+Only lecture the user the first time they run \fBsudo\fR.
+.RE
+.RS 12
+.Sp
+If no value is specified, a value of \fIonce\fR is implied.
+Negating the option results in a value of \fInever\fR being used.
+The default value is \fIonce\fR.
+.RE
+.IP "lecture_file" 12
+.IX Item "lecture_file"
+Path to a file containing an alternate \fBsudo\fR lecture that will
+be used in place of the standard lecture if the named file exists.
+By default, \fBsudo\fR uses a built-in lecture.
+.IP "listpw" 12
+.IX Item "listpw"
+This option controls when a password will be required when a
+user runs \fBsudo\fR with the \fB\-l\fR option.  It has the following possible values:
+.RS 12
+.IP "all" 8
+.IX Item "all"
+All the user's \fIsudoers\fR entries for the current host must have
+the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "always" 8
+.IX Item "always"
+The user must always enter a password to use the \fB\-l\fR option.
+.IP "any" 8
+.IX Item "any"
+At least one of the user's \fIsudoers\fR entries for the current host
+must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "never" 8
+.IX Item "never"
+The user need never enter a password to use the \fB\-l\fR option.
+.RE
+.RS 12
+.Sp
+If no value is specified, a value of \fIany\fR is implied.
+Negating the option results in a value of \fInever\fR being used.
+The default value is \fIany\fR.
+.RE
+.IP "logfile" 12
+.IX Item "logfile"
+Path to the \fBsudo\fR log file (not the syslog log file).  Setting a path
+turns on logging to a file; negating this option turns it off.
+By default, \fBsudo\fR logs via syslog.
+.IP "mailerflags" 12
+.IX Item "mailerflags"
+Flags to use when invoking mailer. Defaults to \fB\-t\fR.
+.IP "mailerpath" 12
+.IX Item "mailerpath"
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
+.IP "mailfrom" 12
+.IX Item "mailfrom"
+Address to use for the \*(L"from\*(R" address when sending warning and error
+mail.  The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
+protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign.  Defaults to
+the name of the user running \fBsudo\fR.
+.IP "mailto" 12
+.IX Item "mailto"
+Address to send warning and error mail to.  The address should
+be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
+interpreting the \f(CW\*(C`@\*(C'\fR sign.  Defaults to \f(CW\*(C`root\*(C'\fR.
+.IP "secure_path" 12
+.IX Item "secure_path"
+Path used for every command run from \fBsudo\fR.  If you don't trust the
+people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
+want to use this.  Another use is if you want to have the \*(L"root path\*(R"
+be separate from the \*(L"user path.\*(R"  Users in the group specified by the
+\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
+This option is not set by default.
+.IP "syslog" 12
+.IX Item "syslog"
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging).  Defaults to \f(CW\*(C`authpriv\*(C'\fR.
+.IP "verifypw" 12
+.IX Item "verifypw"
+This option controls when a password will be required when a user runs
+\&\fBsudo\fR with the \fB\-v\fR option.  It has the following possible values:
+.RS 12
+.IP "all" 8
+.IX Item "all"
+All the user's \fIsudoers\fR entries for the current host must have
+the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "always" 8
+.IX Item "always"
+The user must always enter a password to use the \fB\-v\fR option.
+.IP "any" 8
+.IX Item "any"
+At least one of the user's \fIsudoers\fR entries for the current host
+must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "never" 8
+.IX Item "never"
+The user need never enter a password to use the \fB\-v\fR option.
+.RE
+.RS 12
+.Sp
+If no value is specified, a value of \fIall\fR is implied.
+Negating the option results in a value of \fInever\fR being used.
+The default value is \fIall\fR.
+.RE
+.PP
+\&\fBLists that can be used in a boolean context\fR:
+.IP "env_check" 16
+.IX Item "env_check"
+Environment variables to be removed from the user's environment if
+the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters.  This can
+be used to guard against printf-style format vulnerabilities in
+poorly-written programs.  The argument may be a double-quoted,
+space-separated list or a single value without double-quotes.  The
+list can be replaced, added to, deleted from, or disabled by using
+the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively.  Regardless
+of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
+specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
+they pass the aforementioned check.  The default list of environment
+variables to check is displayed when \fBsudo\fR is run by root with
+the \fI\-V\fR option.
+.IP "env_delete" 16
+.IX Item "env_delete"
+Environment variables to be removed from the user's environment
+when the \fIenv_reset\fR option is not in effect.  The argument may
+be a double-quoted, space-separated list or a single value without
+double-quotes.  The list can be replaced, added to, deleted from,
+or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
+respectively.  The default list of environment variables to remove
+is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+\&\fBsudo\fR).
+.IP "env_keep" 16
+.IX Item "env_keep"
+Environment variables to be preserved in the user's environment
+when the \fIenv_reset\fR option is in effect.  This allows fine-grained
+control over the environment \fBsudo\fR\-spawned processes will receive.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.  The list can be replaced, added
+to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
+\&\f(CW\*(C`!\*(C'\fR operators respectively.  The default list of variables to keep
+is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+.PP
+When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
+for the syslog facility (the value of the \fBsyslog\fR Parameter):
+\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
+\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
+\&\fBlocal6\fR, and \fBlocal7\fR.  The following syslog priorities are
+supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
+\&\fBnotice\fR, and \fBwarning\fR.
+.SH "FILES"
+.IX Header "FILES"
+.ie n .IP "\fI/etc/sudoers\fR" 24
+.el .IP "\fI/etc/sudoers\fR" 24
+.IX Item "/etc/sudoers"
+List of who can run what
+.IP "\fI/etc/group\fR" 24
+.IX Item "/etc/group"
+Local groups file
+.IP "\fI/etc/netgroup\fR" 24
+.IX Item "/etc/netgroup"
+List of network groups
+.ie n .IP "\fI/var/log/sudo-io\fR" 24
+.el .IP "\fI/var/log/sudo-io\fR" 24
+.IX Item "/var/log/sudo-io"
+I/O log files
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+Below are example \fIsudoers\fR entries.  Admittedly, some of
+these are a bit contrived.  First, we allow a few environment
+variables to pass and then define our \fIaliases\fR:
+.PP
+.Vb 4
+\& # Run X applications through sudo; HOME is used to find the
+\& # .Xauthority file.  Note that other programs use HOME to find
+\& # configuration files and this may lead to privilege escalation!
+\& Defaults env_keep += "DISPLAY HOME"
+\&
+\& # User alias specification
+\& User_Alias     FULLTIMERS = millert, mikef, dowdy
+\& User_Alias     PARTTIMERS = bostley, jwfox, crawl
+\& User_Alias     WEBMASTERS = will, wendy, wim
+\&
+\& # Runas alias specification
+\& Runas_Alias    OP = root, operator
+\& Runas_Alias    DB = oracle, sybase
+\& Runas_Alias    ADMINGRP = adm, oper
+\&
+\& # Host alias specification
+\& Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\e
+\&                SGI = grolsch, dandelion, black :\e
+\&                ALPHA = widget, thalamus, foobar :\e
+\&                HPPA = boa, nag, python
+\& Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
+\& Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+\& Host_Alias     SERVERS = master, mail, www, ns
+\& Host_Alias     CDROM = orion, perseus, hercules
+\&
+\& # Cmnd alias specification
+\& Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
+\&                        /usr/sbin/restore, /usr/sbin/rrestore
+\& Cmnd_Alias     KILL = /usr/bin/kill
+\& Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+\& Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
+\& Cmnd_Alias     HALT = /usr/sbin/halt
+\& Cmnd_Alias     REBOOT = /usr/sbin/reboot
+\& Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
+\&                         /usr/local/bin/tcsh, /usr/bin/rsh, \e
+\&                         /usr/local/bin/zsh
+\& Cmnd_Alias     SU = /usr/bin/su
+\& Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+.Ve
+.PP
+Here we override some of the compiled in default values.  We want
+\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
+cases.  We don't want to subject the full time staff to the \fBsudo\fR
+lecture, user \fBmillert\fR need not give a password, and we don't
+want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
+variables when running commands as root.  Additionally, on the
+machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years.  Lastly, we
+disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
+(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
+.PP
+.Vb 7
+\& # Override built\-in defaults
+\& Defaults               syslog=auth
+\& Defaults>root          !set_logname
+\& Defaults:FULLTIMERS    !lecture
+\& Defaults:millert       !authenticate
+\& Defaults at SERVERS       log_year, logfile=/var/log/sudo.log
+\& Defaults!PAGERS        noexec
+.Ve
+.PP
+The \fIUser specification\fR is the part that actually determines who may
+run what.
+.PP
+.Vb 2
+\& root           ALL = (ALL) ALL
+\& %wheel         ALL = (ALL) ALL
+.Ve
+.PP
+We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
+host as any user.
+.PP
+.Vb 1
+\& FULLTIMERS     ALL = NOPASSWD: ALL
+.Ve
+.PP
+Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
+command on any host without authenticating themselves.
+.PP
+.Vb 1
+\& PARTTIMERS     ALL = ALL
+.Ve
+.PP
+Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
+command on any host but they must authenticate themselves first
+(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
+.PP
+.Vb 1
+\& jack           CSNETS = ALL
+.Ve
+.PP
+The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
+(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
+Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
+\&\s-1CIDR\s0 notation) indicating it is a class C network.  For the other
+networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
+during matching.
+.PP
+.Vb 1
+\& lisa           CUNETS = ALL
+.Ve
+.PP
+The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
+(the class B network \f(CW128.138.0.0\fR).
+.PP
+.Vb 2
+\& operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
+\&                sudoedit /etc/printcap, /usr/oper/bin/
+.Ve
+.PP
+The \fBoperator\fR user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory \fI/usr/oper/bin/\fR.
+.PP
+.Vb 1
+\& joe            ALL = /usr/bin/su operator
+.Ve
+.PP
+The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
+.PP
+.Vb 1
+\& pete           HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
+\&
+\& %opers         ALL = (: ADMINGRP) /usr/sbin/
+.Ve
+.PP
+Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
+with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
+groups).
+.PP
+The user \fBpete\fR is allowed to change anyone's password except for
+root on the \fI\s-1HPPA\s0\fR machines.  Note that this assumes \fIpasswd\fR\|(1)
+does not take multiple user names on the command line.
+.PP
+.Vb 1
+\& bob            SPARC = (OP) ALL : SGI = (OP) ALL
+.Ve
+.PP
+The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
+as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
+.PP
+.Vb 1
+\& jim            +biglab = ALL
+.Ve
+.PP
+The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
+\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
+.PP
+.Vb 1
+\& +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+.Ve
+.PP
+Users in the \fBsecretaries\fR netgroup need to help manage the printers
+as well as add and remove users, so they are allowed to run those
+commands on all machines.
+.PP
+.Vb 1
+\& fred           ALL = (DB) NOPASSWD: ALL
+.Ve
+.PP
+The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
+(\fBoracle\fR or \fBsybase\fR) without giving a password.
+.PP
+.Vb 1
+\& john           ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
+.Ve
+.PP
+On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
+but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
+.PP
+.Vb 1
+\& jen            ALL, !SERVERS = ALL
+.Ve
+.PP
+The user \fBjen\fR may run any command on any machine except for those
+in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
+.PP
+.Vb 1
+\& jill           SERVERS = /usr/bin/, !SU, !SHELLS
+.Ve
+.PP
+For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
+any commands in the directory \fI/usr/bin/\fR except for those commands
+belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
+.PP
+.Vb 1
+\& steve          CSNETS = (operator) /usr/local/op_commands/
+.Ve
+.PP
+The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
+but only as user operator.
+.PP
+.Vb 1
+\& matt           valkyrie = KILL
+.Ve
+.PP
+On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
+kill hung processes.
+.PP
+.Vb 1
+\& WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www
+.Ve
+.PP
+On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
+wendy, and wim), may run any command as user www (which owns the
+web pages) or simply \fIsu\fR\|(1) to www.
+.PP
+.Vb 2
+\& ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\e
+\&                /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
+.Ve
+.PP
+Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
+\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
+This is a bit tedious for users to type, so it is a prime candidate
+for encapsulating in a shell script.
+.SH "SECURITY NOTES"
+.IX Header "SECURITY NOTES"
+It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
+using the '!' operator.  A user can trivially circumvent this
+by copying the desired command to a different name and then
+executing that.  For example:
+.PP
+.Vb 1
+\&    bill        ALL = ALL, !SU, !SHELLS
+.Ve
+.PP
+Doesn't really prevent \fBbill\fR from running the commands listed in
+\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
+different name, or use a shell escape from an editor or other
+program.  Therefore, these kind of restrictions should be considered
+advisory at best (and reinforced by policy).
+.PP
+Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters.  This is because the C library's
+\&\fIfnmatch\fR\|(3) function cannot resolve relative paths.  While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+.PP
+For example, given the following \fIsudoers\fR entry:
+.PP
+.Vb 2
+\& john   ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
+\&      /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
+.Ve
+.PP
+User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
+enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
+.SH "PREVENTING SHELL ESCAPES"
+.IX Header "PREVENTING SHELL ESCAPES"
+Once \fBsudo\fR executes a program, that program is free to do whatever
+it pleases, including run other programs.  This can be a security
+issue since it is not uncommon for a program to allow shell escapes,
+which lets a user bypass \fBsudo\fR's access control and logging.
+Common programs that permit shell escapes include shells (obviously),
+editors, paginators, mail and terminal programs.
+.PP
+There are two basic approaches to this problem:
+.IP "restrict" 10
+.IX Item "restrict"
+Avoid giving users access to commands that allow the user to run
+arbitrary commands.  Many editors have a restricted mode where shell
+escapes are disabled, though \fBsudoedit\fR is a better solution to
+running editors via \fBsudo\fR.  Due to the large number of programs that
+offer shell escapes, restricting users to the set of programs that
+do not is often unworkable.
+.IP "noexec" 10
+.IX Item "noexec"
+Many systems that support shared libraries have the ability to
+override default library functions by pointing an environment
+variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
+On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
+prevent a program run by \fBsudo\fR from executing any other programs.
+Note, however, that this applies only to native dynamically-linked
+executables.  Statically-linked executables and foreign executables
+running under binary emulation are not affected.
+.Sp
+To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
+the following as root:
+.Sp
+.Vb 1
+\&    sudo \-V | grep "dummy exec"
+.Ve
+.Sp
+If the resulting output contains a line that begins with:
+.Sp
+.Vb 1
+\&    File containing dummy exec functions:
+.Ve
+.Sp
+then \fBsudo\fR may be able to replace the exec family of functions
+in the standard library with its own that simply return an error.
+Unfortunately, there is no foolproof way to know whether or not
+\&\fInoexec\fR will work at compile-time.  \fInoexec\fR should work on
+SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
+11.x.  It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare.  \fInoexec\fR
+is expected to work on most operating systems that support the
+\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable.  Check your operating system's
+manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
+dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
+.Sp
+To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
+in the User Specification section above.  Here is that example again:
+.Sp
+.Vb 1
+\& aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ve
+.Sp
+This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
+with \fInoexec\fR enabled.  This will prevent those two commands from
+executing other commands (such as a shell).  If you are unsure
+whether or not your system is capable of supporting \fInoexec\fR you
+can always just try it out and see if it works.
+.PP
+Note that restricting shell escapes is not a panacea.  Programs
+running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead
+to unintended privilege escalation.  In the specific case of an
+editor, a safer approach is to give the user permission to run
+\&\fBsudoedit\fR.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(8), \fIvisudo\fR\|(8)
+.SH "CAVEATS"
+.IX Header "CAVEATS"
+The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
+command which locks the file and does grammatical checking. It is
+imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
+will not run with a syntactically incorrect \fIsudoers\fR file.
+.PP
+When using netgroups of machines (as opposed to users), if you
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
+as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
+\&\fIsudoers\fR.
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/sudoers.cat
===================================================================
--- trunk/contrib/sudo/sudoers.cat	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudoers.cat	2014-10-02 03:32:57 UTC (rev 6804)
@@ -61,7 +61,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       1
+1.7.6                     April  9, 2011                        1
 
 
 
@@ -93,25 +93,31 @@
                       User ',' User_List
 
         User ::= '!'* user name |
-                 '!'* '#'uid |
-                 '!'* '%'group |
-                 '!'* '+'netgroup |
-                 '!'* '%:'nonunix_group |
+                 '!'* #uid |
+                 '!'* %group |
+                 '!'* %#gid |
+                 '!'* +netgroup |
+                 '!'* %:nonunix_group |
+                 '!'* %:#nonunix_gid |
                  '!'* User_Alias
 
-       A User_List is made up of one or more user names, uids (prefixed with
-       '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
-       and User_Aliases.  Each list item may be prefixed with zero or more '!'
-       operators.  An odd number of '!' operators negate the value of the
-       item; an even number just cancel each other out.
+       A User_List is made up of one or more user names, user ids (prefixed
+       with '#'), system group names and ids (prefixed with '%' and '%#'
+       respectively), netgroups (prefixed with '+'), non-Unix group names and
+       IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases.  Each
+       list item may be prefixed with zero or more '!' operators.  An odd
+       number of '!' operators negate the value of the item; an even number
+       just cancel each other out.
 
-       A user name, group, netgroup or nonunix_group may be enclosed in double
-       quotes to avoid the need for escaping special characters.  Alternately,
-       special characters may be specified in escaped hex mode, e.g. \x20 for
-       space.
+       A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
+       may be enclosed in double quotes to avoid the need for escaping special
+       characters.  Alternately, special characters may be specified in
+       escaped hex mode, e.g. \x20 for space.  When using double quotes, any
+       prefix characters must be included inside the quotes.
 
-       The nonunix_group syntax depends on the underlying implementation.  For
-       instance, the QAS AD backend supports the following formats:
+       The nonunix_group and nonunix_gid syntax depends on the underlying
+       implementation.  For instance, the QAS AD backend supports the
+       following formats:
 
        +o   Group in the same domain: "Group Name"
 
@@ -119,27 +125,31 @@
 
        +o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
 
-       Note that quotes around group names are optional.  Unquoted strings
-       must use a backslash (\) to escape spaces and the '@' symbol.
 
-        Runas_List ::= Runas_Member |
-                       Runas_Member ',' Runas_List
 
+1.7.6                     April  9, 2011                        2
 
 
-1.7.5rc1                February 21, 2011                       2
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       Note that quotes around group names are optional.  Unquoted strings
+       must use a backslash (\) to escape spaces and special characters.  See
+       "Other special characters and reserved words" for a list of characters
+       that need to be escaped.
 
+        Runas_List ::= Runas_Member |
+                       Runas_Member ',' Runas_List
 
-
         Runas_Member ::= '!'* user name |
-                         '!'* '#'uid |
-                         '!'* '%'group |
+                         '!'* #uid |
+                         '!'* %group |
+                         '!'* %#gid |
+                         '!'* %:nonunix_group |
+                         '!'* %:#nonunix_gid |
                          '!'* +netgroup |
                          '!'* Runas_Alias
 
@@ -156,7 +166,7 @@
         Host ::= '!'* host name |
                  '!'* ip_addr |
                  '!'* network(/netmask)? |
-                 '!'* '+'netgroup |
+                 '!'* +netgroup |
                  '!'* Host_Alias
 
        A Host_List is made up of one or more host names, IP addresses, network
@@ -180,28 +190,28 @@
                       Cmnd ',' Cmnd_List
 
         commandname ::= file name |
-                        file name args |
-                        file name '""'
 
-        Cmnd ::= '!'* commandname |
-                 '!'* directory |
-                 '!'* "sudoedit" |
-                 '!'* Cmnd_Alias
 
-       A Cmnd_List is a list of one or more commandnames, directories, and
-       other aliases.  A commandname is a fully qualified file name which may
 
+1.7.6                     April  9, 2011                        3
 
 
-1.7.5rc1                February 21, 2011                       3
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+                        file name args |
+                        file name '""'
 
+        Cmnd ::= '!'* commandname |
+                 '!'* directory |
+                 '!'* "sudoedit" |
+                 '!'* Cmnd_Alias
 
+       A Cmnd_List is a list of one or more commandnames, directories, and
+       other aliases.  A commandname is a fully qualified file name which may
        include shell-style wildcards (see the Wildcards section below).  A
        simple file name allows the user to run the command with any arguments
        he/she wishes.  However, you may also specify command line arguments
@@ -246,27 +256,27 @@
 
        Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss.  Flags are
        implicitly boolean and can be turned off via the '!'  operator.  Some
-       integer, string and list parameters may also be used in a boolean
-       context to disable them.  Values may be enclosed in double quotes (")
-       when they contain multiple words.  Special characters may be escaped
-       with a backslash (\).
 
-       Lists have two additional assignment operators, += and -=.  These
-       operators are used to add to and delete from a list respectively.  It
-       is not an error to use the -= operator to remove an element that does
-       not exist in a list.
 
 
+1.7.6                     April  9, 2011                        4
 
 
-1.7.5rc1                February 21, 2011                       4
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       integer, string and list parameters may also be used in a boolean
+       context to disable them.  Values may be enclosed in double quotes (")
+       when they contain multiple words.  Special characters may be escaped
+       with a backslash (\).
 
+       Lists have two additional assignment operators, += and -=.  These
+       operators are used to add to and delete from a list respectively.  It
+       is not an error to use the -= operator to remove an element that does
+       not exist in a list.
 
        Defaults entries are parsed in the following order: generic, host and
        user Defaults first, then runas Defaults and finally command defaults.
@@ -294,7 +304,7 @@
        what user) on specified hosts.  By default, commands are run as rroooott,
        but this can be changed on a per-command basis.
 
-       The basic structure of a user specification is `who = where (as_whom)
+       The basic structure of a user specification is `who where = (as_whom)
        what'.  Let's break that down into its constituent parts:
 
    RRuunnaass__SSppeecc
@@ -312,27 +322,27 @@
        the group set to any listed in the Runas_List.  If no Runas_Spec is
        specified the command may be run as rroooott and no group may be specified.
 
-       A Runas_Spec sets the default for the commands that follow it.  What
-       this means is that for the entry:
 
-        dgb    boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
 
-       The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only
-       as ooppeerraattoorr.  E.g.,
 
-        $ sudo -u operator /bin/ls
+1.7.6                     April  9, 2011                        5
 
 
 
 
-1.7.5rc1                February 21, 2011                       5
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
+       A Runas_Spec sets the default for the commands that follow it.  What
+       this means is that for the entry:
 
+        dgb    boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only
+       as ooppeerraattoorr.  E.g.,
 
+        $ sudo -u operator /bin/ls
 
        It is also possible to override a Runas_Spec later on in an entry.  If
        we modify the entry like so:
@@ -378,28 +388,28 @@
        user aallaann may run any command as either user root or bin, optionally
        setting the group to operator or system.
 
-   SSEELLiinnuuxx__SSppeecc
-       On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
-       SELinux role and/or type associated with a command.  If a role or type
-       is specified with the command it will override any default values
-       specified in _s_u_d_o_e_r_s.  A role or type specified on the command line,
-       however, will supercede the values in _s_u_d_o_e_r_s.
 
-   TTaagg__SSppeecc
-       A command may have zero or more tags associated with it.  There are
-       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
 
 
+1.7.6                     April  9, 2011                        6
 
-1.7.5rc1                February 21, 2011                       6
 
 
 
 
-
 SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
+   SSEELLiinnuuxx__SSppeecc
+       On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an
+       SELinux role and/or type associated with a command.  If a role or type
+       is specified with the command it will override any default values
+       specified in _s_u_d_o_e_r_s.  A role or type specified on the command line,
+       however, will supercede the values in _s_u_d_o_e_r_s.
+
+   TTaagg__SSppeecc
+       A command may have zero or more tags associated with it.  There are
+       eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
        NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.  Once a
        tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
        the tag unless it is overridden by the opposite tag (i.e.: PASSWD
@@ -444,29 +454,31 @@
         aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
 
        See the "PREVENTING SHELL ESCAPES" section below for more details on
-       how NOEXEC works and whether or not it will work on your system.
 
-       _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
 
-       These tags override the value of the _s_e_t_e_n_v option on a per-command
-       basis.  Note that if SETENV has been set for a command, any environment
-       variables set on the command line way are not subject to the
-       restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p.  As such,
-       only trusted users should be allowed to set variables in this manner.
-       If the command matched is AALLLL, the SETENV tag is implied for that
 
+1.7.6                     April  9, 2011                        7
 
 
-1.7.5rc1                February 21, 2011                       7
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       how NOEXEC works and whether or not it will work on your system.
 
+       _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V
 
-       command; this default may be overridden by use of the NOSETENV tag.
+       These tags override the value of the _s_e_t_e_n_v option on a per-command
+       basis.  Note that if SETENV has been set for a command, the user may
+       disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option.
+       Additionally, environment variables set on the command line are not
+       subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or
+       _e_n_v___k_e_e_p.  As such, only trusted users should be allowed to set
+       variables in this manner.  If the command matched is AALLLL, the SETENV
+       tag is implied for that command; this default may be overridden by use
+       of the NOSETENV tag.
 
        _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T
 
@@ -509,29 +521,28 @@
        in the path name.  When matching the command line arguments, however, a
        slash ddooeess get matched by wildcards.  This is to make a path like:
 
-           /usr/bin/*
 
-       match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
 
-   EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
-       The following exceptions apply to the above rules:
+1.7.6                     April  9, 2011                        8
 
-       ""      If the empty string "" is the only command line argument in the
-               _s_u_d_o_e_r_s entry it means that command is not allowed to be run
-               with aannyy arguments.
 
 
 
 
-1.7.5rc1                February 21, 2011                       8
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
+           /usr/bin/*
 
+       match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m.
 
+   EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess
+       The following exceptions apply to the above rules:
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       ""      If the empty string "" is the only command line argument in the
+               _s_u_d_o_e_r_s entry it means that command is not allowed to be run
+               with aannyy arguments.
 
-
    IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss
        It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s
        file currently being parsed using the #include and #includedir
@@ -575,28 +586,28 @@
        in the file names can be used to avoid such problems.
 
        Note that unlike files included via #include, vviissuuddoo will not edit the
-       files in a #includedir directory unless one of them contains a syntax
-       error.  It is still possible to run vviissuuddoo with the -f flag to edit the
-       files directly.
 
-   OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
-       The pound sign ('#') is used to indicate a comment (unless it is part
-       of a #include directive or unless it occurs in the context of a user
-       name and is followed by one or more digits, in which case it is treated
-       as a uid).  Both the comment character and any text after it, up to the
-       end of the line, are ignored.
 
 
+1.7.6                     April  9, 2011                        9
 
 
-1.7.5rc1                February 21, 2011                       9
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+       files in a #includedir directory unless one of them contains a syntax
+       error.  It is still possible to run vviissuuddoo with the -f flag to edit the
+       files directly.
 
+   OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss
+       The pound sign ('#') is used to indicate a comment (unless it is part
+       of a #include directive or unless it occurs in the context of a user
+       name and is followed by one or more digits, in which case it is treated
+       as a uid).  Both the comment character and any text after it, up to the
+       end of the line, are ignored.
 
        The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to
        succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
@@ -619,8 +630,8 @@
        characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional.
 
        The following characters must be escaped with a backslash ('\') when
-       used as part of a word (e.g. a user name or host name): '@', '!', '=',
-       ':', ',', '(', ')', '\'.
+       used as part of a word (e.g. a user name or host name): '!', '=', ':',
+       ',', '(', ')', '\'.
 
 SSUUDDOOEERRSS OOPPTTIIOONNSS
        ssuuddoo's behavior can be modified by Default_Entry lines, as explained
@@ -641,29 +652,29 @@
 
        authenticate    If set, users must authenticate themselves via a
                        password (or other means of authentication) before they
-                       may run commands.  This default may be overridden via
-                       the PASSWD and NOPASSWD tags.  This flag is _o_n by
-                       default.
 
-       closefrom_override
-                       If set, the user may use ssuuddoo's --CC option which
-                       overrides the default starting point at which ssuuddoo
-                       begins closing open file descriptors.  This flag is _o_f_f
-                       by default.
 
-       compress_io     If set, and ssuuddoo is configured to log a command's input
 
+1.7.6                     April  9, 2011                       10
 
 
-1.7.5rc1                February 21, 2011                      10
 
 
 
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+                       may run commands.  This default may be overridden via
+                       the PASSWD and NOPASSWD tags.  This flag is _o_n by
+                       default.
 
+       closefrom_override
+                       If set, the user may use ssuuddoo's --CC option which
+                       overrides the default starting point at which ssuuddoo
+                       begins closing open file descriptors.  This flag is _o_f_f
+                       by default.
 
+       compress_io     If set, and ssuuddoo is configured to log a command's input
                        or output, the I/O logs will be compressed using zzlliibb.
                        This flag is _o_n by default when ssuuddoo is compiled with
                        zzlliibb support.
@@ -707,6 +718,18 @@
                        flag is _o_f_f by default.
 
        fqdn            Set this flag if you want to put fully qualified host
+
+
+
+1.7.6                     April  9, 2011                       11
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
                        names in the _s_u_d_o_e_r_s file.  I.e., instead of myhost you
                        would use myhost.mydomain.edu.  You may still use the
                        short form if you wish (and even mix the two).  Beware
@@ -718,18 +741,6 @@
                        use a host alias (CNAME entry) due to performance
                        issues and the fact that there is no way to get all
                        aliases from DNS.  If your machine's host name (as
-
-
-
-1.7.5rc1                February 21, 2011                      11
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
                        returned by the hostname command) is already fully
                        qualified you shouldn't need to set _f_q_d_n.  This flag is
                        _o_f_f by default.
@@ -757,6 +768,51 @@
        log_host        If set, the host name will be logged in the (non-
                        syslog) ssuuddoo log file.  This flag is _o_f_f by default.
 
+       log_input       If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
+                       log all user input.  If the standard input is not
+                       connected to the user's tty, due to I/O redirection or
+                       because the command is part of a pipeline, that input
+                       is also captured and stored in a separate log file.
+
+                       Input is logged to the directory specified by the
+                       _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
+                       unique session ID that is included in the normal ssuuddoo
+                       log line, prefixed with _T_S_I_D_=.
+
+                       Note that user input may contain sensitive information
+                       such as passwords (even if they are not echoed to the
+                       screen), which will be stored in the log file
+                       unencrypted.  In most cases, logging the command output
+                       via _l_o_g___o_u_t_p_u_t is all that is required.
+
+
+
+1.7.6                     April  9, 2011                       12
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
+       log_output      If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
+                       log all output that is sent to the screen, similar to
+                       the _s_c_r_i_p_t(1) command.  If the standard output or
+                       standard error is not connected to the user's tty, due
+                       to I/O redirection or because the command is part of a
+                       pipeline, that output is also captured and stored in
+                       separate log files.
+
+                       Output is logged to the directory specified by the
+                       _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
+                       unique session ID that is included in the normal ssuuddoo
+                       log line, prefixed with _T_S_I_D_=.
+
+                       Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m)
+                       utility, which can also be used to list or search the
+                       available logs.
+
        log_year        If set, the four-digit year will be logged in the (non-
                        syslog) ssuuddoo log file.  This flag is _o_f_f by default.
 
@@ -785,26 +841,26 @@
                        entry or is explicitly denied.  This flag is _o_f_f by
                        default.
 
+       mail_no_user    If set, mail will be sent to the _m_a_i_l_t_o user if the
+                       invoking user is not in the _s_u_d_o_e_r_s file.  This flag is
+                       _o_n by default.
 
+       noexec          If set, all commands run via ssuuddoo will behave as if the
+                       NOEXEC tag has been set, unless overridden by a EXEC
+                       tag.  See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
+                       well as the "PREVENTING SHELL ESCAPES" section at the
+                       end of this manual.  This flag is _o_f_f by default.
 
-1.7.5rc1                February 21, 2011                      12
 
 
+1.7.6                     April  9, 2011                       13
 
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-       mail_no_user    If set, mail will be sent to the _m_a_i_l_t_o user if the
-                       invoking user is not in the _s_u_d_o_e_r_s file.  This flag is
-                       _o_n by default.
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
-       noexec          If set, all commands run via ssuuddoo will behave as if the
-                       NOEXEC tag has been set, unless overridden by a EXEC
-                       tag.  See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as
-                       well as the "PREVENTING SHELL ESCAPES" section at the
-                       end of this manual.  This flag is _o_f_f by default.
 
        path_info       Normally, ssuuddoo will tell the user when a command could
                        not be found in their PATH environment variable.  Some
@@ -850,28 +906,28 @@
                        this prevents users from "chaining" ssuuddoo commands to
                        get a root shell by doing something like "sudo sudo
                        /bin/sh".  Note, however, that turning off _r_o_o_t___s_u_d_o
+                       will also prevent root from running ssuuddooeeddiitt.
+                       Disabling _r_o_o_t___s_u_d_o provides no real additional
+                       security; it exists purely for historical reasons.
+                       This flag is _o_n by default.
 
+       rootpw          If set, ssuuddoo will prompt for the root password instead
+                       of the password of the invoking user.  This flag is _o_f_f
+                       by default.
 
+       runaspw         If set, ssuuddoo will prompt for the password of the user
 
-1.7.5rc1                February 21, 2011                      13
 
 
+1.7.6                     April  9, 2011                       14
 
 
 
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-                       will also prevent root from running ssuuddooeeddiitt.
-                       Disabling _r_o_o_t___s_u_d_o provides no real additional
-                       security; it exists purely for historical reasons.
-                       This flag is _o_n by default.
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
-       rootpw          If set, ssuuddoo will prompt for the root password instead
-                       of the password of the invoking user.  This flag is _o_f_f
-                       by default.
 
-       runaspw         If set, ssuuddoo will prompt for the password of the user
                        defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root)
                        instead of the password of the invoking user.  This
                        flag is _o_f_f by default.
@@ -916,59 +972,33 @@
                        effective UIDs are set to the target user (root by
                        default).  This option changes that behavior such that
                        the real UID is left as the invoking user's UID.  In
+                       other words, this makes ssuuddoo act as a setuid wrapper.
+                       This can be useful on systems that disable some
+                       potentially dangerous functionality when a program is
+                       run setuid.  This option is only effective on systems
+                       with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
+                       This flag is _o_f_f by default.
 
+       targetpw        If set, ssuuddoo will prompt for the password of the user
+                       specified by the --uu option (defaults to root) instead
+                       of the password of the invoking user.  In addition, the
 
 
-1.7.5rc1                February 21, 2011                      14
 
+1.7.6                     April  9, 2011                       15
 
 
 
 
+
 SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
 
 
-                       other words, this makes ssuuddoo act as a setuid wrapper.
-                       This can be useful on systems that disable some
-                       potentially dangerous functionality when a program is
-                       run setuid.  This option is only effective on systems
-                       with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function.
-                       This flag is _o_f_f by default.
-
-       targetpw        If set, ssuuddoo will prompt for the password of the user
-                       specified by the --uu option (defaults to root) instead
-                       of the password of the invoking user.  In addition, the
                        timestamp file name will include the target user's
                        name.  Note that this flag precludes the use of a uid
                        not listed in the passwd database as an argument to the
                        --uu option.  This flag is _o_f_f by default.
 
-       log_input       If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
-                       log all user input.  If the standard input is not
-                       connected to the user's tty, due to I/O redirection or
-                       because the command is part of a pipeline, that input
-                       is also captured and stored in a separate log file.
-
-                       Input is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory using
-                       a unique session ID that is included in the normal ssuuddoo
-                       log line, prefixed with _T_S_I_D_=.
-
-       log_output      If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and
-                       log all output that is sent to the screen, similar to
-                       the _s_c_r_i_p_t(1) command.  If the standard output or
-                       standard error is not connected to the user's tty, due
-                       to I/O redirection or because the command is part of a
-                       pipeline, that output is also captured and stored in
-                       separate log files.
-
-                       Output is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory
-                       using a unique session ID that is included in the
-                       normal ssuuddoo log line, prefixed with _T_S_I_D_=.
-
-                       Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m)
-                       utility, which can also be used to list or search the
-                       available logs.
-
        tty_tickets     If set, users must authenticate on a per-tty basis.
                        With this flag enabled, ssuuddoo will use a file named for
                        the tty the user is logged in on in the user's time
@@ -983,17 +1013,6 @@
                        be the union of the user's umask and what is specified
                        in _s_u_d_o_e_r_s.  This flag is _o_f_f by default.
 
-
-
-1.7.5rc1                February 21, 2011                      15
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
        use_loginclass  If set, ssuuddoo will apply the defaults specified for the
                        target user's login class if one exists.  Only
                        available if ssuuddoo is configured with the
@@ -1029,6 +1048,18 @@
 
        IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
 
+
+
+
+1.7.6                     April  9, 2011                       16
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
        loglinelen      Number of characters per line for the file log.  This
                        value is used to decide when to wrap lines for nicer
                        log files.  This has no effect on the syslog log file,
@@ -1048,18 +1079,6 @@
                        this to 0 to always prompt for a password.  If set to a
                        value less than 0 the user's timestamp will never
                        expire.  This can be used to allow users to create or
-
-
-
-1.7.5rc1                February 21, 2011                      16
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
                        delete their own timestamps via sudo -v and sudo -k
                        respectively.
 
@@ -1095,6 +1114,18 @@
                        Default is *** SECURITY information for %h ***.
 
        noexec_file     Path to a shared library containing dummy versions of
+
+
+
+1.7.6                     April  9, 2011                       17
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
                        the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions
                        that just return an error.  This is used to implement
                        the _n_o_e_x_e_c functionality on systems that support
@@ -1114,18 +1145,6 @@
                            name
 
                        %p  expanded to the user whose password is being asked
-
-
-
-1.7.5rc1                February 21, 2011                      17
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
                            for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w
                            flags in _s_u_d_o_e_r_s)
 
@@ -1161,6 +1180,18 @@
                        locale may affect how sudoers is interpreted.  Defaults
                        to "C".
 
+
+
+
+1.7.6                     April  9, 2011                       18
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
        timestampdir    The directory in which ssuuddoo stores its timestamp files.
                        The default is _/_v_a_r_/_a_d_m_/_s_u_d_o.
 
@@ -1180,18 +1211,6 @@
                    terminal is available.  This may be the case when ssuuddoo is
                    executed from a graphical (as opposed to text-based)
                    application.  The program specified by _a_s_k_p_a_s_s should
-
-
-
-1.7.5rc1                February 21, 2011                      18
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
                    display the argument passed to it as the prompt and write
                    the user's password to the standard output.  The value of
                    _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
@@ -1228,6 +1247,17 @@
                    will be used in place of the standard lecture if the named
                    file exists.  By default, ssuuddoo uses a built-in lecture.
 
+
+
+1.7.6                     April  9, 2011                       19
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
        listpw      This option controls when a password will be required when
                    a user runs ssuuddoo with the --ll option.  It has the following
                    possible values:
@@ -1246,18 +1276,6 @@
                    never   The user need never enter a password to use the --ll
                            option.
 
-
-
-
-1.7.5rc1                February 21, 2011                      19
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
                    If no value is specified, a value of _a_n_y is implied.
                    Negating the option results in a value of _n_e_v_e_r being used.
                    The default value is _a_n_y.
@@ -1295,6 +1313,17 @@
                    a user runs ssuuddoo with the --vv option.  It has the following
                    possible values:
 
+
+
+1.7.6                     April  9, 2011                       20
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
                    all     All the user's _s_u_d_o_e_r_s entries for the current host
                            must have the NOPASSWD flag set to avoid entering a
                            password.
@@ -1313,17 +1342,6 @@
                    Negating the option results in a value of _n_e_v_e_r being used.
                    The default value is _a_l_l.
 
-
-
-1.7.5rc1                February 21, 2011                      20
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
        LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt:
 
        env_check       Environment variables to be removed from the user's
@@ -1360,6 +1378,18 @@
                        be a double-quoted, space-separated list or a single
                        value without double-quotes.  The list can be replaced,
                        added to, deleted from, or disabled by using the =, +=,
+
+
+
+1.7.6                     April  9, 2011                       21
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
                        -=, and ! operators respectively.  The default list of
                        variables to keep is displayed when ssuuddoo is run by root
                        with the _-_V option.
@@ -1378,18 +1408,6 @@
 
        _/_e_t_c_/_n_e_t_g_r_o_u_p           List of network groups
 
-
-
-
-1.7.5rc1                February 21, 2011                      21
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
        _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o        I/O log files
 
 EEXXAAMMPPLLEESS
@@ -1426,6 +1444,18 @@
         Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                                /usr/sbin/restore, /usr/sbin/rrestore
         Cmnd_Alias     KILL = /usr/bin/kill
+
+
+
+1.7.6                     April  9, 2011                       22
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
         Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
         Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
         Cmnd_Alias     HALT = /usr/sbin/halt
@@ -1444,18 +1474,6 @@
        Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an
        additional local log file and make sure we log the year in each log
        line since the log entries will be kept around for several years.
-
-
-
-1.7.5rc1                February 21, 2011                      22
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
        Lastly, we disable shell escapes for the commands in the PAGERS
        Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s).
 
@@ -1492,6 +1510,18 @@
        The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias
        (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
        those networks, only 128.138.204.0 has an explicit netmask (in CIDR
+
+
+
+1.7.6                     April  9, 2011                       23
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
        notation) indicating it is a class C network.  For the other networks
        in _C_S_N_E_T_S, the local machine's netmask will be used during matching.
 
@@ -1510,18 +1540,6 @@
 
         joe            ALL = /usr/bin/su operator
 
-
-
-
-1.7.5rc1                February 21, 2011                      23
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
        The user jjooee may only _s_u(1) to operator.
 
         pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
@@ -1558,6 +1576,18 @@
 
         john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
 
+
+
+
+1.7.6                     April  9, 2011                       24
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
        On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is
        not allowed to specify any options to the _s_u(1) command.
 
@@ -1577,17 +1607,6 @@
        The user sstteevvee may run any command in the directory
        /usr/local/op_commands/ but only as user operator.
 
-
-
-1.7.5rc1                February 21, 2011                      24
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
         matt           valkyrie = KILL
 
        On his personal workstation, valkyrie, mmaatttt needs to be able to kill
@@ -1623,6 +1642,18 @@
 
        Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to
        reliably negate commands where the path name includes globbing (aka
+
+
+
+1.7.6                     April  9, 2011                       25
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
        wildcard) characters.  This is because the C library's _f_n_m_a_t_c_h(3)
        function cannot resolve relative paths.  While this is typically only
        an inconvenience for rules that grant privileges, it can result in a
@@ -1642,18 +1673,6 @@
        since it is not uncommon for a program to allow shell escapes, which
        lets a user bypass ssuuddoo's access control and logging.  Common programs
        that permit shell escapes include shells (obviously), editors,
-
-
-
-1.7.5rc1                February 21, 2011                      25
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
        paginators, mail and terminal programs.
 
        There are two basic approaches to this problem:
@@ -1689,6 +1708,18 @@
                  error.  Unfortunately, there is no foolproof way to know
                  whether or not _n_o_e_x_e_c will work at compile-time.  _n_o_e_x_e_c
                  should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
+
+
+
+1.7.6                     April  9, 2011                       26
+
+
+
+
+
+SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
+
+
                  MacOS X, and HP-UX 11.x.  It is known nnoott to work on AIX and
                  UnixWare.  _n_o_e_x_e_c is expected to work on most operating
                  systems that support the LD_PRELOAD environment variable.
@@ -1708,18 +1739,6 @@
                  unsure whether or not your system is capable of supporting
                  _n_o_e_x_e_c you can always just try it out and see if it works.
 
-
-
-
-1.7.5rc1                February 21, 2011                      26
-
-
-
-
-
-SUDOERS(4)             MAINTENANCE COMMANDS            SUDOERS(4)
-
-
        Note that restricting shell escapes is not a panacea.  Programs running
        as root are still capable of many potentially hazardous operations
        (such as changing or overwriting files) that could lead to unintended
@@ -1758,25 +1777,6 @@
 
 
 
+1.7.6                     April  9, 2011                       27
 
 
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.5rc1                February 21, 2011                      27
-
-

Modified: trunk/contrib/sudo/sudoers.ldap.cat
===================================================================
--- trunk/contrib/sudo/sudoers.ldap.cat	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudoers.ldap.cat	2014-10-02 03:32:57 UTC (rev 6804)
@@ -61,7 +61,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       1
+1.7.6                     April  9, 2011                        1
 
 
 
@@ -127,7 +127,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       2
+1.7.6                     April  9, 2011                        2
 
 
 
@@ -193,7 +193,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       3
+1.7.6                     April  9, 2011                        3
 
 
 
@@ -259,7 +259,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       4
+1.7.6                     April  9, 2011                        4
 
 
 
@@ -325,7 +325,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       5
+1.7.6                     April  9, 2011                        5
 
 
 
@@ -372,6 +372,12 @@
            example.com.  Multiple SSUUDDOOEERRSS__BBAASSEE lines may be specified, in
            which case they are queried in the order specified.
 
+       SSUUDDOOEERRSS__SSEEAARRCCHH__FFIILLTTEERR ldap_filter
+           An LDAP filter which is used to restrict the set of records
+           returned when performing a ssuuddoo LDAP query.  Typically, this is of
+           the form attribute=value or
+           (&(attribute=value)(attribute2=value2)).
+
        SSUUDDOOEERRSS__TTIIMMEEDD on/true/yes/off/false/no
            Whether or not to evaluate the sudoNotBefore and sudoNotAfter
            attributes that implement time-dependent sudoers entries.
@@ -382,24 +388,24 @@
            in a moderate amount of debugging information.  A value of 2 shows
            the results of the matches themselves.  This parameter should not
            be set in a production environment as the extra information is
-           likely to confuse users.
 
-       BBIINNDDDDNN DN
-           The BBIINNDDDDNN parameter specifies the identity, in the form of a
-           Distinguished Name (DN), to use when performing LDAP operations.
-           If not specified, LDAP operations are performed with an anonymous
 
 
+1.7.6                     April  9, 2011                        6
 
-1.7.5rc1                February 21, 2011                       6
 
 
 
 
-
 SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
+           likely to confuse users.
+
+       BBIINNDDDDNN DN
+           The BBIINNDDDDNN parameter specifies the identity, in the form of a
+           Distinguished Name (DN), to use when performing LDAP operations.
+           If not specified, LDAP operations are performed with an anonymous
            identity.  By default, most LDAP servers will allow anonymous
            access.
 
@@ -447,25 +453,27 @@
        TTLLSS__CCAACCEERRTT file name
            An alias for TTLLSS__CCAACCEERRTTFFIILLEE for OpenLDAP compatibility.
 
-       TTLLSS__CCAACCEERRTTFFIILLEE file name
-           The path to a certificate authority bundle which contains the
-           certificates for all the Certificate Authorities the client knows
-           to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m.  This option is only
-           supported by the OpenLDAP libraries.  Netscape-derived LDAP
-           libraries use the same certificate database for CA and client
-           certificates (see TTLLSS__CCEERRTT).
 
 
 
-1.7.5rc1                February 21, 2011                       7
 
+1.7.6                     April  9, 2011                        7
 
 
 
 
+
 SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
+       TTLLSS__CCAACCEERRTTFFIILLEE file name
+           The path to a certificate authority bundle which contains the
+           certificates for all the Certificate Authorities the client knows
+           to be valid, e.g. _/_e_t_c_/_s_s_l_/_c_a_-_b_u_n_d_l_e_._p_e_m.  This option is only
+           supported by the OpenLDAP libraries.  Netscape-derived LDAP
+           libraries use the same certificate database for CA and client
+           certificates (see TTLLSS__CCEERRTT).
+
        TTLLSS__CCAACCEERRTTDDIIRR directory
            Similar to TTLLSS__CCAACCEERRTTFFIILLEE but instead of a file, it is a directory
            containing individual Certificate Authority certificates, e.g.
@@ -511,27 +519,28 @@
            the OpenSSL manual for a list of valid ciphers.  This option is
            only supported by the OpenLDAP libraries.
 
-       UUSSEE__SSAASSLL on/true/yes/off/false/no
-           Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
 
-       SSAASSLL__AAUUTTHH__IIDD identity
-           The SASL user name to use when connecting to the LDAP server.  By
-           default, ssuuddoo will use an anonymous connection.
 
-       RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no
-           Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
 
 
+1.7.6                     April  9, 2011                        8
 
-1.7.5rc1                February 21, 2011                       8
 
 
 
 
-
 SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
+       UUSSEE__SSAASSLL on/true/yes/off/false/no
+           Enable UUSSEE__SSAASSLL for LDAP servers that support SASL authentication.
+
+       SSAASSLL__AAUUTTHH__IIDD identity
+           The SASL user name to use when connecting to the LDAP server.  By
+           default, ssuuddoo will use an anonymous connection.
+
+       RROOOOTTUUSSEE__SSAASSLL on/true/yes/off/false/no
+           Enable RROOOOTTUUSSEE__SSAASSLL to enable SASL authentication when connecting
            to an LDAP server from a privileged process, such as ssuuddoo.
 
        RROOOOTTSSAASSLL__AAUUTTHH__IIDD identity
@@ -577,26 +586,26 @@
 
            sudoers: files
 
-       Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
-       operating system does not use an nsswitch.conf file.
 
-   CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
-       On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
-       _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f.  ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
-       _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
-       file format itself still applies.
 
 
+1.7.6                     April  9, 2011                        9
 
 
-1.7.5rc1                February 21, 2011                       9
 
 
 
+SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
-SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
+       Note that _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f is supported even when the underlying
+       operating system does not use an nsswitch.conf file.
 
+   CCoonnffiigguurriinngg nneettssvvcc..ccoonnff
+       On AIX systems, the _/_e_t_c_/_n_e_t_s_v_c_._c_o_n_f file is consulted instead of
+       _/_e_t_c_/_n_s_s_w_i_t_c_h_._c_o_n_f.  ssuuddoo simply treats _n_e_t_s_v_c_._c_o_n_f as a variant of
+       _n_s_s_w_i_t_c_h_._c_o_n_f; information in the previous section unrelated to the
+       file format itself still applies.
 
        To consult LDAP first followed by the local sudoers file (if it
        exists), use:
@@ -643,19 +652,10 @@
          #uri            ldaps://secureldapserver
          #uri            ldaps://secureldapserver ldap://ldapserver
          #
-         # The amount of time, in seconds, to wait while trying to connect to
-         # an LDAP server.
-         bind_timelimit 30
-         #
-         # The amount of time, in seconds, to wait while performing an LDAP query.
-         timelimit 30
-         #
-         # Must be set or sudo will ignore LDAP; may be specified multiple times.
-         sudoers_base   ou=SUDOers,dc=example,dc=com
 
 
 
-1.7.5rc1                February 21, 2011                      10
+1.7.6                     April  9, 2011                       10
 
 
 
@@ -664,7 +664,16 @@
 SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
+         # The amount of time, in seconds, to wait while trying to connect to
+         # an LDAP server.
+         bind_timelimit 30
          #
+         # The amount of time, in seconds, to wait while performing an LDAP query.
+         timelimit 30
+         #
+         # Must be set or sudo will ignore LDAP; may be specified multiple times.
+         sudoers_base   ou=SUDOers,dc=example,dc=com
+         #
          # verbose sudoers matching from ldap
          #sudoers_debug 2
          #
@@ -709,19 +718,10 @@
          #tls_randfile /etc/egd-pool
          #
          # You may restrict which ciphers are used.  Consult your SSL
-         # documentation for which options go here.
-         # Only supported when using OpenLDAP.
-         #
-         #tls_ciphers <cipher-list>
-         #
-         # Sudo can provide a client certificate when communicating to
-         # the LDAP server.
-         # Tips:
-         #   * Enable both lines at the same time.
 
 
 
-1.7.5rc1                February 21, 2011                      11
+1.7.6                     April  9, 2011                       11
 
 
 
@@ -730,6 +730,15 @@
 SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
+         # documentation for which options go here.
+         # Only supported when using OpenLDAP.
+         #
+         #tls_ciphers <cipher-list>
+         #
+         # Sudo can provide a client certificate when communicating to
+         # the LDAP server.
+         # Tips:
+         #   * Enable both lines at the same time.
          #   * Do not password protect the key file.
          #   * Ensure the keyfile is only readable by root.
          #
@@ -775,29 +784,29 @@
 
         attributetype ( 1.3.6.1.4.1.15953.9.1.2
            NAME 'sudoHost'
-           DESC 'Host(s) who may run sudo'
-           EQUALITY caseExactIA5Match
-           SUBSTR caseExactIA5SubstringsMatch
-           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
-        attributetype ( 1.3.6.1.4.1.15953.9.1.3
-           NAME 'sudoCommand'
-           DESC 'Command(s) to be executed by sudo'
-           EQUALITY caseExactIA5Match
 
 
+1.7.6                     April  9, 2011                       12
 
-1.7.5rc1                February 21, 2011                      12
 
 
 
 
-
 SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
+           DESC 'Host(s) who may run sudo'
+           EQUALITY caseExactIA5Match
+           SUBSTR caseExactIA5SubstringsMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 
+        attributetype ( 1.3.6.1.4.1.15953.9.1.3
+           NAME 'sudoCommand'
+           DESC 'Command(s) to be executed by sudo'
+           EQUALITY caseExactIA5Match
+           SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
         attributetype ( 1.3.6.1.4.1.15953.9.1.4
            NAME 'sudoRunAs'
            DESC 'User(s) impersonated by sudo'
@@ -841,27 +850,28 @@
             DESC 'an integer to order the sudoRole entries'
             EQUALITY integerMatch
             ORDERING integerOrderingMatch
-            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
 
-        objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
-           DESC 'Sudoer Entries'
-           MUST ( cn )
-           MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
-                 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
-                 sudoOrder $ description )
-           )
 
 
+1.7.6                     April  9, 2011                       13
 
-1.7.5rc1                February 21, 2011                      13
 
 
 
 
-
 SUDOERS.LDAP(4)        MAINTENANCE COMMANDS       SUDOERS.LDAP(4)
 
 
+            SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+        objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+           DESC 'Sudoer Entries'
+           MUST ( cn )
+           MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+                 sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+                 sudoOrder $ description )
+           )
+
 SSEEEE AALLSSOO
        _l_d_a_p_._c_o_n_f(4), _s_u_d_o_e_r_s(5)
 
@@ -909,16 +919,6 @@
 
 
 
+1.7.6                     April  9, 2011                       14
 
 
-
-
-
-
-
-
-
-
-1.7.5rc1                February 21, 2011                      14
-
-

Added: trunk/contrib/sudo/sudoers.ldap.man
===================================================================
--- trunk/contrib/sudo/sudoers.ldap.man	                        (rev 0)
+++ trunk/contrib/sudo/sudoers.ldap.man	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,918 @@
+.\" Copyright (c) 2003-2011
+.\" 	Todd C. Miller <Todd.Miller at courtesan.com>
+.\" 
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" 
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` 
+.    ds C' 
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SUDOERS.LDAP 5"
+.TH SUDOERS.LDAP 5 "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+sudoers.ldap \- sudo LDAP configuration
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
+via \s-1LDAP\s0.  This can be especially useful for synchronizing \fIsudoers\fR
+in a large, distributed environment.
+.PP
+Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
+.IP "\(bu" 4
+\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety.  When
+\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
+This makes it especially fast and particularly usable in \s-1LDAP\s0
+environments.
+.IP "\(bu" 4
+\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
+It is not possible to load \s-1LDAP\s0 data into the server that does
+not conform to the sudoers schema, so proper syntax is guaranteed.
+It is still possible to have typos in a user or host name, but
+this will not prevent \fBsudo\fR from running.
+.IP "\(bu" 4
+It is possible to specify per-entry options that override the global
+default options.  \fI/etc/sudoers\fR only supports default options and
+limited options associated with user/host/commands/aliases.  The
+syntax is complicated and can be difficult for users to understand.
+Placing the options directly in the entry is more natural.
+.IP "\(bu" 4
+The \fBvisudo\fR program is no longer needed.  \fBvisudo\fR provides
+locking and syntax checking of the \fI/etc/sudoers\fR file.
+Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
+Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
+is no need for a specialized tool to check syntax.
+.PP
+Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
+is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
+.PP
+For the most part, there is really no need for \fBsudo\fR\-specific
+Aliases.  Unix groups or user netgroups can be used in place of
+User_Aliases and Runas_Aliases.  Host netgroups can be used in place
+of Host_Aliases.  Since Unix groups and netgroups can also be stored
+in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
+.PP
+Cmnd_Aliases are not really required either since it is possible
+to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR.  Instead of defining
+a Cmnd_Alias that is referenced by multiple users, one can create
+a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
+to it.
+.SS "SUDOers \s-1LDAP\s0 container"
+.IX Subsection "SUDOers LDAP container"
+The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
+container.
+.PP
+Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
+If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
+same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI/etc/sudoers\fR.  In
+the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
+in the environment for all users.
+.PP
+.Vb 6
+\&    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+\&    objectClass: top
+\&    objectClass: sudoRole
+\&    cn: defaults
+\&    description: Default sudoOption\*(Aqs go here
+\&    sudoOption: env_keep+=SSH_AUTH_SOCK
+.Ve
+.PP
+The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR.  It consists of
+the following attributes:
+.IP "\fBsudoUser\fR" 4
+.IX Item "sudoUser"
+A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
+a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
+.IP "\fBsudoHost\fR" 4
+.IX Item "sudoHost"
+A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
+with a \f(CW\*(Aq+\*(Aq\fR).
+The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
+.IP "\fBsudoCommand\fR" 4
+.IX Item "sudoCommand"
+A Unix command with optional command line arguments, potentially
+including globbing characters (aka wild cards).
+The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
+If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
+user will be prohibited from running that command.
+.IP "\fBsudoOption\fR" 4
+.IX Item "sudoOption"
+Identical in function to the global options described above, but
+specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
+.IP "\fBsudoRunAsUser\fR" 4
+.IX Item "sudoRunAsUser"
+A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
+as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
+with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
+run as.
+The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
+.Sp
+The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.0 and higher.  Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
+attribute instead.
+.IP "\fBsudoRunAsGroup\fR" 4
+.IX Item "sudoRunAsGroup"
+A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
+The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
+.Sp
+The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.0 and higher.
+.IP "\fBsudoNotBefore\fR" 4
+.IX Item "sudoNotBefore"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide
+a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid.  If
+multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
+not the local timezone.
+.Sp
+The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
+option in \fI/etc/ldap.conf\fR.
+.IP "\fBsudoNotAfter\fR" 4
+.IX Item "sudoNotAfter"
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration
+date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid.  If
+multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
+not the local timezone.
+.Sp
+The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
+option in \fI/etc/ldap.conf\fR.
+.IP "\fBsudoOrder\fR" 4
+.IX Item "sudoOrder"
+The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
+inherent order.  The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
+floating point value for \s-1LDAP\s0 servers that support it) that is used
+to sort the matching entries.  This allows LDAP-based sudoers entries
+to more closely mimic the behaviour of the sudoers file, where the
+of the entries influences the result.  If multiple entries match,
+the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen.  This
+corresponds to the \*(L"last match\*(R" behavior of the sudoers file.  If
+the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
+.Sp
+The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
+1.7.5 and higher.
+.PP
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type.  A \f(CW\*(C`sudoRole\*(C'\fR must
+contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
+.PP
+The following example allows users in group wheel to run any command
+on any host via \fBsudo\fR:
+.PP
+.Vb 7
+\&    dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+\&    objectClass: top
+\&    objectClass: sudoRole
+\&    cn: %wheel
+\&    sudoUser: %wheel
+\&    sudoHost: ALL
+\&    sudoCommand: ALL
+.Ve
+.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
+.IX Subsection "Anatomy of LDAP sudoers lookup"
+When looking up a sudoer using \s-1LDAP\s0 there are only two or three
+\&\s-1LDAP\s0 queries per invocation.  The first query is to parse the global
+options.  The second is to match against the user's name and the
+groups that the user belongs to.  (The special \s-1ALL\s0 tag is matched
+in this query too.)  If no match is returned for the user's name
+and groups, a third query returns all entries containing user
+netgroups and checks to see if the user belongs to any of them.
+.PP
+If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
+directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
+to entries that satisfy the time constraints, if any.
+.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
+.IX Subsection "Differences between LDAP and non-LDAP sudoers"
+There are some subtle differences in the way sudoers is handled
+once in \s-1LDAP\s0.  Probably the biggest is that according to the \s-1RFC\s0,
+\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
+and Entries are returned in any specific order.
+.PP
+The order in which different entries are applied can be controlled
+using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
+the order of attributes within a specific entry.  If there are
+conflicting command rules in an entry, the negative takes precedence.
+This is called paranoid behavior (not necessarily the most specific
+match).
+.PP
+Here is an example:
+.PP
+.Vb 5
+\&    # /etc/sudoers:
+\&    # Allow all commands except shell
+\&    johnny  ALL=(root) ALL,!/bin/sh
+\&    # Always allows all commands because ALL is matched last
+\&    puddles ALL=(root) !/bin/sh,ALL
+\&
+\&    # LDAP equivalent of johnny
+\&    # Allows all commands except shell
+\&    dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
+\&    objectClass: sudoRole
+\&    objectClass: top
+\&    cn: role1
+\&    sudoUser: johnny
+\&    sudoHost: ALL
+\&    sudoCommand: ALL
+\&    sudoCommand: !/bin/sh
+\&
+\&    # LDAP equivalent of puddles
+\&    # Notice that even though ALL comes last, it still behaves like
+\&    # role1 since the LDAP code assumes the more paranoid configuration
+\&    dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
+\&    objectClass: sudoRole
+\&    objectClass: top
+\&    cn: role2
+\&    sudoUser: puddles
+\&    sudoHost: ALL
+\&    sudoCommand: !/bin/sh
+\&    sudoCommand: ALL
+.Ve
+.PP
+Another difference is that negations on the Host, User or Runas are
+currently ignored.  For example, the following attributes do not
+behave the way one might expect.
+.PP
+.Vb 3
+\&    # does not match all but joe
+\&    # rather, does not match anyone
+\&    sudoUser: !joe
+\&
+\&    # does not match all but joe
+\&    # rather, matches everyone including Joe
+\&    sudoUser: ALL
+\&    sudoUser: !joe
+\&
+\&    # does not match all but web01
+\&    # rather, matches all hosts including web01
+\&    sudoHost: ALL
+\&    sudoHost: !web01
+.Ve
+.SS "Sudoers Schema"
+.IX Subsection "Sudoers Schema"
+In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
+installed on your \s-1LDAP\s0 server.  In addition, be sure to index the
+\&'sudoUser' attribute.
+.PP
+Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
+one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
+Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
+be found in the \fBsudo\fR distribution.
+.PP
+The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
+section.
+.SS "Configuring ldap.conf"
+.IX Subsection "Configuring ldap.conf"
+Sudo reads the \fI/etc/ldap.conf\fR file for LDAP-specific configuration.
+Typically, this file is shared amongst different LDAP-aware clients.
+As such, most of the settings are not \fBsudo\fR\-specific.  Note that
+\&\fBsudo\fR parses \fI/etc/ldap.conf\fR itself and may support options
+that differ from those described in the \fIldap.conf\fR\|(5) manual.
+.PP
+Also note that on systems using the OpenLDAP libraries, default
+values specified in \fI/etc/openldap/ldap.conf\fR or the user's
+\&\fI.ldaprc\fR files are not used.
+.PP
+Only those options explicitly listed in \fI/etc/ldap.conf\fR as being
+supported by \fBsudo\fR are honored.  Configuration options are listed
+below in upper case but are parsed in a case-independent manner.
+.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
+.IX Item "URI ldap[s]://[hostname[:port]] ..."
+Specifies a whitespace-delimited list of one or more URIs describing
+the \s-1LDAP\s0 server(s) to connect to.  The \fIprotocol\fR may be either
+\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
+(\s-1SSL\s0) encryption.  If no \fIport\fR is specified, the default is port
+389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR.  If no \fIhostname\fR
+is specified, \fBsudo\fR will connect to \fBlocalhost\fR.  Multiple \fB\s-1URI\s0\fR
+lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
+entries.  Only systems using the OpenSSL libraries support the
+mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs.  The Netscape-derived
+libraries used on most commercial versions of Unix are only capable
+of supporting one or the other.
+.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
+.IX Item "HOST name[:port] ..."
+If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
+whitespace-delimited list of \s-1LDAP\s0 servers to connect to.  Each host
+may include an optional \fIport\fR separated by a colon (':').  The
+\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
+and is included for backwards compatibility.
+.IP "\fB\s-1PORT\s0\fR port_number" 4
+.IX Item "PORT port_number"
+If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
+default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
+does not specify the port itself.  If no \fB\s-1PORT\s0\fR parameter is used,
+the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
+(\s-1SSL\s0).  The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
+specification and is included for backwards compatibility.
+.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
+.IX Item "BIND_TIMELIMIT seconds"
+The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
+to wait while trying to connect to an \s-1LDAP\s0 server.  If multiple \fB\s-1URI\s0\fRs or
+\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
+the next one in the list.
+.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
+.IX Item "NETWORK_TIMEOUT seconds"
+An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
+.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
+.IX Item "TIMELIMIT seconds"
+The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
+to wait for a response to an \s-1LDAP\s0 query.
+.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
+.IX Item "TIMEOUT seconds"
+The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
+to wait for a response from the various \s-1LDAP\s0 APIs.
+.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
+.IX Item "SUDOERS_BASE base"
+The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries.  Typically
+this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
+\&\f(CW\*(C`example.com\*(C'\fR.  Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
+in which case they are queried in the order specified.
+.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
+.IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
+An \s-1LDAP\s0 filter which is used to restrict the set of records returned
+when performing a \fBsudo\fR \s-1LDAP\s0 query.  Typically, this is of the
+form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
+.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
+.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
+Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
+attributes that implement time-dependent sudoers entries.
+.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
+.IX Item "SUDOERS_DEBUG debug_level"
+This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries.  Debugging
+information is printed to the standard error.  A value of 1 results
+in a moderate amount of debugging information.  A value of 2 shows
+the results of the matches themselves.  This parameter should not
+be set in a production environment as the extra information is
+likely to confuse users.
+.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
+.IX Item "BINDDN DN"
+The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
+Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
+If not specified, \s-1LDAP\s0 operations are performed with an anonymous
+identity.  By default, most \s-1LDAP\s0 servers will allow anonymous access.
+.IP "\fB\s-1BINDPW\s0\fR secret" 4
+.IX Item "BINDPW secret"
+The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
+\&\s-1LDAP\s0 operations.  This is typically used in conjunction with the
+\&\fB\s-1BINDDN\s0\fR parameter.
+.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
+.IX Item "ROOTBINDDN DN"
+The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
+a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
+operations, such as \fIsudoers\fR queries.  The password corresponding
+to the identity should be stored in \fI/etc/ldap.secret\fR.
+If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
+.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
+.IX Item "LDAP_VERSION number"
+The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
+The default value is protocol version 3.
+.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
+.IX Item "SSL on/true/yes/off/false/no"
+If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
+(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
+server.  Typically, this involves connecting to the server on port
+636 (ldaps).
+.IP "\fB\s-1SSL\s0\fR start_tls" 4
+.IX Item "SSL start_tls"
+If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
+connection is initiated normally and \s-1TLS\s0 encryption is begun before
+the bind credentials are sent.  This has the advantage of not
+requiring a dedicated port for encrypted communications.  This
+parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
+extension, such as the OpenLDAP server.
+.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
+.IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
+If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
+certificated to be verified.  If the server's \s-1TLS\s0 certificate cannot
+be verified (usually because it is signed by an unknown certificate
+authority), \fBsudo\fR will be unable to connect to it.  If \fB\s-1TLS_CHECKPEER\s0\fR
+is disabled, no check is made.  Note that disabling the check creates
+an opportunity for man-in-the-middle attacks since the server's
+identity will not be authenticated.  If possible, the \s-1CA\s0's certificate
+should be installed locally so it can be verified.
+.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
+.IX Item "TLS_CACERT file name"
+An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
+.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
+.IX Item "TLS_CACERTFILE file name"
+The path to a certificate authority bundle which contains the certificates
+for all the Certificate Authorities the client knows to be valid,
+e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
+This option is only supported by the OpenLDAP libraries.
+Netscape-derived \s-1LDAP\s0 libraries use the same certificate
+database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
+.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
+.IX Item "TLS_CACERTDIR directory"
+Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
+directory containing individual Certificate Authority certificates,
+e.g. \fI/etc/ssl/certs\fR.
+The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
+\&\fB\s-1TLS_CACERTFILE\s0\fR.
+This option is only supported by the OpenLDAP libraries.
+.IP "\fB\s-1TLS_CERT\s0\fR file name" 4
+.IX Item "TLS_CERT file name"
+The path to a file containing the client certificate which can
+be used to authenticate the client to the \s-1LDAP\s0 server.
+The certificate type depends on the \s-1LDAP\s0 libraries used.
+.Sp
+OpenLDAP:
+    \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
+.Sp
+Netscape-derived:
+    \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
+.Sp
+When using Netscape-derived libraries, this file may also contain
+Certificate Authority certificates.
+.IP "\fB\s-1TLS_KEY\s0\fR file name" 4
+.IX Item "TLS_KEY file name"
+The path to a file containing the private key which matches the
+certificate specified by \fB\s-1TLS_CERT\s0\fR.  The private key must not be
+password-protected.  The key type depends on the \s-1LDAP\s0 libraries
+used.
+.Sp
+OpenLDAP:
+    \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
+.Sp
+Netscape-derived:
+    \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
+.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
+.IX Item "TLS_RANDFILE file name"
+The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
+source for systems that lack a random device.  It is generally used
+in conjunction with \fIprngd\fR or \fIegd\fR.
+This option is only supported by the OpenLDAP libraries.
+.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
+.IX Item "TLS_CIPHERS cipher list"
+The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict
+which encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections.
+See the OpenSSL manual for a list of valid ciphers.
+This option is only supported by the OpenLDAP libraries.
+.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
+.IX Item "USE_SASL on/true/yes/off/false/no"
+Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
+.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
+.IX Item "SASL_AUTH_ID identity"
+The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
+By default, \fBsudo\fR will use an anonymous connection.
+.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
+.IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
+Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
+to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
+.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
+.IX Item "ROOTSASL_AUTH_ID identity"
+The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
+.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
+.IX Item "SASL_SECPROPS none/properties"
+\&\s-1SASL\s0 security properties or \fInone\fR for no properties.  See the
+\&\s-1SASL\s0 programmer's manual for details.
+.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
+.IX Item "KRB5_CCNAME file name"
+The path to the Kerberos 5 credential cache to use when authenticating
+with the remote server.
+.PP
+See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
+.SS "Configuring nsswitch.conf"
+.IX Subsection "Configuring nsswitch.conf"
+Unless it is disabled at build time, \fBsudo\fR consults the Name
+Service Switch file, \fI/etc/nsswitch.conf\fR, to specify the \fIsudoers\fR
+search order.  Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
+uses this to determine the search order.  Note that \fBsudo\fR does
+not stop searching after the first match and later matches take
+precedence over earlier ones.
+.PP
+The following sources are recognized:
+.PP
+.Vb 2
+\&    files       read sudoers from F</etc/sudoers>
+\&    ldap        read sudoers from LDAP
+.Ve
+.PP
+In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
+search if the user was not found in the preceding source.
+.PP
+To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+exists), use:
+.PP
+.Vb 1
+\&    sudoers: ldap files
+.Ve
+.PP
+The local \fIsudoers\fR file can be ignored completely by using:
+.PP
+.Vb 1
+\&    sudoers: ldap
+.Ve
+.PP
+If the \fI/etc/nsswitch.conf\fR file is not present or there is no
+sudoers line, the following default is assumed:
+.PP
+.Vb 1
+\&    sudoers: files
+.Ve
+.PP
+Note that \fI/etc/nsswitch.conf\fR is supported even when the underlying
+operating system does not use an nsswitch.conf file.
+.SS "Configuring netsvc.conf"
+.IX Subsection "Configuring netsvc.conf"
+On \s-1AIX\s0 systems, the \fI/etc/netsvc.conf\fR file is consulted instead of
+\&\fI/etc/nsswitch.conf\fR.  \fBsudo\fR simply treats \fInetsvc.conf\fR as a
+variant of \fInsswitch.conf\fR; information in the previous section
+unrelated to the file format itself still applies.
+.PP
+To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+exists), use:
+.PP
+.Vb 1
+\&    sudoers = ldap, files
+.Ve
+.PP
+The local \fIsudoers\fR file can be ignored completely by using:
+.PP
+.Vb 1
+\&    sudoers = ldap
+.Ve
+.PP
+To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file
+if the user is not present in \s-1LDAP\s0, use:
+.PP
+.Vb 1
+\&    sudoers = ldap = auth, files
+.Ve
+.PP
+Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects
+user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
+entries.
+.PP
+If the \fI/etc/netsvc.conf\fR file is not present or there is no
+sudoers line, the following default is assumed:
+.PP
+.Vb 1
+\&    sudoers = files
+.Ve
+.SH "FILES"
+.IX Header "FILES"
+.ie n .IP "\fI/etc/ldap.conf\fR" 24
+.el .IP "\fI/etc/ldap.conf\fR" 24
+.IX Item "/etc/ldap.conf"
+\&\s-1LDAP\s0 configuration file
+.ie n .IP "\fI/etc/nsswitch.conf\fR" 24
+.el .IP "\fI/etc/nsswitch.conf\fR" 24
+.IX Item "/etc/nsswitch.conf"
+determines sudoers source order
+.ie n .IP "\fI/etc/netsvc.conf\fR" 24
+.el .IP "\fI/etc/netsvc.conf\fR" 24
+.IX Item "/etc/netsvc.conf"
+determines sudoers source order on \s-1AIX\s0
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+.SS "Example ldap.conf"
+.IX Subsection "Example ldap.conf"
+.Vb 10
+\&  # Either specify one or more URIs or one or more host:port pairs.
+\&  # If neither is specified sudo will default to localhost, port 389.
+\&  #
+\&  #host          ldapserver
+\&  #host          ldapserver1 ldapserver2:390
+\&  #
+\&  # Default port if host is specified without one, defaults to 389.
+\&  #port          389
+\&  #
+\&  # URI will override the host and port settings.
+\&  uri            ldap://ldapserver
+\&  #uri            ldaps://secureldapserver
+\&  #uri            ldaps://secureldapserver ldap://ldapserver
+\&  #
+\&  # The amount of time, in seconds, to wait while trying to connect to
+\&  # an LDAP server.
+\&  bind_timelimit 30
+\&  #
+\&  # The amount of time, in seconds, to wait while performing an LDAP query.
+\&  timelimit 30
+\&  #
+\&  # Must be set or sudo will ignore LDAP; may be specified multiple times.
+\&  sudoers_base   ou=SUDOers,dc=example,dc=com
+\&  #
+\&  # verbose sudoers matching from ldap
+\&  #sudoers_debug 2
+\&  #
+\&  # Enable support for time\-based entries in sudoers.
+\&  #sudoers_timed yes
+\&  #
+\&  # optional proxy credentials
+\&  #binddn        <who to search as>
+\&  #bindpw        <password>
+\&  #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
+\&  #
+\&  # LDAP protocol version, defaults to 3
+\&  #ldap_version 3
+\&  #
+\&  # Define if you want to use an encrypted LDAP connection.
+\&  # Typically, you must also set the port to 636 (ldaps).
+\&  #ssl on
+\&  #
+\&  # Define if you want to use port 389 and switch to
+\&  # encryption before the bind credentials are sent.
+\&  # Only supported by LDAP servers that support the start_tls
+\&  # extension such as OpenLDAP.
+\&  #ssl start_tls
+\&  #
+\&  # Additional TLS options follow that allow tweaking of the
+\&  # SSL/TLS connection.
+\&  #
+\&  #tls_checkpeer yes # verify server SSL certificate
+\&  #tls_checkpeer no  # ignore server SSL certificate
+\&  #
+\&  # If you enable tls_checkpeer, specify either tls_cacertfile
+\&  # or tls_cacertdir.  Only supported when using OpenLDAP.
+\&  #
+\&  #tls_cacertfile /etc/certs/trusted_signers.pem
+\&  #tls_cacertdir  /etc/certs
+\&  #
+\&  # For systems that don\*(Aqt have /dev/random
+\&  # use this along with PRNGD or EGD.pl to seed the
+\&  # random number pool to generate cryptographic session keys.
+\&  # Only supported when using OpenLDAP.
+\&  #
+\&  #tls_randfile /etc/egd\-pool
+\&  #
+\&  # You may restrict which ciphers are used.  Consult your SSL
+\&  # documentation for which options go here.
+\&  # Only supported when using OpenLDAP.
+\&  #
+\&  #tls_ciphers <cipher\-list>
+\&  #
+\&  # Sudo can provide a client certificate when communicating to
+\&  # the LDAP server.
+\&  # Tips:
+\&  #   * Enable both lines at the same time.
+\&  #   * Do not password protect the key file.
+\&  #   * Ensure the keyfile is only readable by root.
+\&  #
+\&  # For OpenLDAP:
+\&  #tls_cert /etc/certs/client_cert.pem
+\&  #tls_key  /etc/certs/client_key.pem
+\&  #
+\&  # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+\&  # a directory, in which case the files in the directory must have the
+\&  # default names (e.g. cert8.db and key4.db), or the path to the cert
+\&  # and key files themselves.  However, a bug in version 5.0 of the LDAP
+\&  # SDK will prevent specific file names from working.  For this reason
+\&  # it is suggested that tls_cert and tls_key be set to a directory,
+\&  # not a file name.
+\&  #
+\&  # The certificate database specified by tls_cert may contain CA certs
+\&  # and/or the client\*(Aqs cert.  If the client\*(Aqs cert is included, tls_key
+\&  # should be specified as well.
+\&  # For backward compatibility, "sslpath" may be used in place of tls_cert.
+\&  #tls_cert /var/ldap
+\&  #tls_key /var/ldap
+\&  #
+\&  # If using SASL authentication for LDAP (OpenSSL)
+\&  # use_sasl yes
+\&  # sasl_auth_id <SASL user name>
+\&  # rootuse_sasl yes
+\&  # rootsasl_auth_id <SASL user name for root access>
+\&  # sasl_secprops none
+\&  # krb5_ccname /etc/.ldapcache
+.Ve
+.SS "Sudo schema for OpenLDAP"
+.IX Subsection "Sudo schema for OpenLDAP"
+The following schema, in OpenLDAP format, is included with \fBsudo\fR
+source and binary distributions as \fIschema.OpenLDAP\fR.  Simply copy
+it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
+proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
+.PP
+.Vb 6
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
+\&    NAME \*(AqsudoUser\*(Aq
+\&    DESC \*(AqUser(s) who may  run sudo\*(Aq
+\&    EQUALITY caseExactIA5Match
+\&    SUBSTR caseExactIA5SubstringsMatch
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
+\&    NAME \*(AqsudoHost\*(Aq
+\&    DESC \*(AqHost(s) who may run sudo\*(Aq
+\&    EQUALITY caseExactIA5Match
+\&    SUBSTR caseExactIA5SubstringsMatch
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
+\&    NAME \*(AqsudoCommand\*(Aq
+\&    DESC \*(AqCommand(s) to be executed by sudo\*(Aq
+\&    EQUALITY caseExactIA5Match
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
+\&    NAME \*(AqsudoRunAs\*(Aq
+\&    DESC \*(AqUser(s) impersonated by sudo\*(Aq
+\&    EQUALITY caseExactIA5Match
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
+\&    NAME \*(AqsudoOption\*(Aq
+\&    DESC \*(AqOptions(s) followed by sudo\*(Aq
+\&    EQUALITY caseExactIA5Match
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
+\&    NAME \*(AqsudoRunAsUser\*(Aq
+\&    DESC \*(AqUser(s) impersonated by sudo\*(Aq
+\&    EQUALITY caseExactIA5Match
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
+\&    NAME \*(AqsudoRunAsGroup\*(Aq
+\&    DESC \*(AqGroup(s) impersonated by sudo\*(Aq
+\&    EQUALITY caseExactIA5Match
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.8
+\&    NAME \*(AqsudoNotBefore\*(Aq
+\&    DESC \*(AqStart of time interval for which the entry is valid\*(Aq
+\&    EQUALITY generalizedTimeMatch
+\&    ORDERING generalizedTimeOrderingMatch
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
+\& attributetype ( 1.3.6.1.4.1.15953.9.1.9
+\&    NAME \*(AqsudoNotAfter\*(Aq
+\&    DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
+\&    EQUALITY generalizedTimeMatch
+\&    ORDERING generalizedTimeOrderingMatch
+\&    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+\&
+\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+\&     NAME \*(AqsudoOrder\*(Aq
+\&     DESC \*(Aqan integer to order the sudoRole entries\*(Aq
+\&     EQUALITY integerMatch
+\&     ORDERING integerOrderingMatch
+\&     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+\&
+\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
+\&    DESC \*(AqSudoer Entries\*(Aq
+\&    MUST ( cn )
+\&    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+\&          sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+\&          sudoOrder $ description )
+\&    )
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIldap.conf\fR\|(5), \fIsudoers\fR\|(5)
+.SH "CAVEATS"
+.IX Header "CAVEATS"
+Note that there are differences in the way that LDAP-based \fIsudoers\fR
+is parsed compared to file-based \fIsudoers\fR.  See the \*(L"Differences
+between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/sudoers.ldap.man.in
===================================================================
--- trunk/contrib/sudo/sudoers.ldap.man.in	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudoers.ldap.man.in	2014-10-02 03:32:57 UTC (rev 6804)
@@ -140,7 +140,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -463,6 +463,11 @@
 this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
 \&\f(CW\*(C`example.com\*(C'\fR.  Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
 in which case they are queried in the order specified.
+.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
+.IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
+An \s-1LDAP\s0 filter which is used to restrict the set of records returned
+when performing a \fBsudo\fR \s-1LDAP\s0 query.  Typically, this is of the
+form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
 .IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
 .IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
 Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR

Added: trunk/contrib/sudo/sudoers.ldap.pod
===================================================================
--- trunk/contrib/sudo/sudoers.ldap.pod	                        (rev 0)
+++ trunk/contrib/sudo/sudoers.ldap.pod	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,841 @@
+Copyright (c) 2003-2011
+	Todd C. Miller <Todd.Miller at courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+=pod
+
+=head1 NAME
+
+sudoers.ldap - sudo LDAP configuration
+
+=head1 DESCRIPTION
+
+In addition to the standard I<sudoers> file, B<sudo> may be configured
+via LDAP.  This can be especially useful for synchronizing I<sudoers>
+in a large, distributed environment.
+
+Using LDAP for I<sudoers> has several benefits:
+
+=over 4
+
+=item *
+
+B<sudo> no longer needs to read I<sudoers> in its entirety.  When
+LDAP is used, there are only two or three LDAP queries per invocation.
+This makes it especially fast and particularly usable in LDAP
+environments.
+
+=item *
+
+B<sudo> no longer exits if there is a typo in I<sudoers>.
+It is not possible to load LDAP data into the server that does
+not conform to the sudoers schema, so proper syntax is guaranteed.
+It is still possible to have typos in a user or host name, but
+this will not prevent B<sudo> from running.
+
+=item *
+
+It is possible to specify per-entry options that override the global
+default options.  F<@sysconfdir@/sudoers> only supports default options and
+limited options associated with user/host/commands/aliases.  The
+syntax is complicated and can be difficult for users to understand.
+Placing the options directly in the entry is more natural.
+
+=item *
+
+The B<visudo> program is no longer needed.  B<visudo> provides
+locking and syntax checking of the F<@sysconfdir@/sudoers> file.
+Since LDAP updates are atomic, locking is no longer necessary.
+Because syntax is checked when the data is inserted into LDAP, there
+is no need for a specialized tool to check syntax.
+
+=back
+
+Another major difference between LDAP and file-based I<sudoers>
+is that in LDAP, B<sudo>-specific Aliases are not supported.
+
+For the most part, there is really no need for B<sudo>-specific
+Aliases.  Unix groups or user netgroups can be used in place of
+User_Aliases and Runas_Aliases.  Host netgroups can be used in place
+of Host_Aliases.  Since Unix groups and netgroups can also be stored
+in LDAP there is no real need for B<sudo>-specific aliases.
+
+Cmnd_Aliases are not really required either since it is possible
+to have multiple users listed in a C<sudoRole>.  Instead of defining
+a Cmnd_Alias that is referenced by multiple users, one can create
+a C<sudoRole> that contains the commands and assign multiple users
+to it.
+
+=head2 SUDOers LDAP container
+
+The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
+container.
+
+Sudo first looks for the C<cn=default> entry in the SUDOers container.
+If found, the multi-valued C<sudoOption> attribute is parsed in the
+same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>.  In
+the following example, the C<SSH_AUTH_SOCK> variable will be preserved
+in the environment for all users.
+
+    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+    objectClass: top
+    objectClass: sudoRole
+    cn: defaults
+    description: Default sudoOption's go here
+    sudoOption: env_keep+=SSH_AUTH_SOCK
+ 
+The equivalent of a sudoer in LDAP is a C<sudoRole>.  It consists of
+the following attributes:
+
+=over 4
+
+=item B<sudoUser>
+
+A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
+a C<'%'>) or user netgroup (prefixed with a C<'+'>).
+
+=item B<sudoHost>
+
+A host name, IP address, IP network, or host netgroup (prefixed
+with a C<'+'>).
+The special value C<ALL> will match any host.
+
+=item B<sudoCommand>
+
+A Unix command with optional command line arguments, potentially
+including globbing characters (aka wild cards).
+The special value C<ALL> will match any command.
+If a command is prefixed with an exclamation point C<'!'>, the
+user will be prohibited from running that command.
+
+=item B<sudoOption>
+
+Identical in function to the global options described above, but
+specific to the C<sudoRole> in which it resides.
+
+=item B<sudoRunAsUser>
+
+A user name or uid (prefixed with C<'#'>) that commands may be run
+as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
+with a C<'+'>) that contains a list of users that commands may be
+run as.
+The special value C<ALL> will match any user.
+
+The C<sudoRunAsUser> attribute is only available in B<sudo> versions
+1.7.0 and higher.  Older versions of B<sudo> use the C<sudoRunAs>
+attribute instead.
+
+=item B<sudoRunAsGroup>
+
+A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
+The special value C<ALL> will match any group.
+
+The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
+1.7.0 and higher.
+
+=item B<sudoNotBefore>
+
+A timestamp in the form C<yyyymmddHHMMZ> that can be used to provide
+a start date/time for when the C<sudoRole> will be valid.  If
+multiple C<sudoNotBefore> entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+
+The C<sudoNotBefore> attribute is only available in B<sudo> versions
+1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
+option in F<@ldap_conf@>.
+
+=item B<sudoNotAfter>
+
+A timestamp in the form C<yyyymmddHHMMZ> that indicates an expiration
+date/time, after which the C<sudoRole> will no longer be valid.  If
+multiple C<sudoNotBefore> entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+
+The C<sudoNotAfter> attribute is only available in B<sudo> versions
+1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
+option in F<@ldap_conf@>.
+
+=item B<sudoOrder>
+
+The C<sudoRole> entries retrieved from the LDAP directory have no
+inherent order.  The C<sudoOrder> attribute is an integer (or
+floating point value for LDAP servers that support it) that is used
+to sort the matching entries.  This allows LDAP-based sudoers entries
+to more closely mimic the behaviour of the sudoers file, where the
+of the entries influences the result.  If multiple entries match,
+the entry with the highest C<sudoOrder> attribute is chosen.  This
+corresponds to the "last match" behavior of the sudoers file.  If
+the C<sudoOrder> attribute is not present, a value of 0 is assumed.
+
+The C<sudoOrder> attribute is only available in B<sudo> versions
+1.7.5 and higher.
+
+=back
+
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type.  A C<sudoRole> must
+contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
+
+The following example allows users in group wheel to run any command
+on any host via B<sudo>:
+
+    dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+    objectClass: top
+    objectClass: sudoRole
+    cn: %wheel
+    sudoUser: %wheel
+    sudoHost: ALL
+    sudoCommand: ALL
+
+=head2 Anatomy of LDAP sudoers lookup
+
+When looking up a sudoer using LDAP there are only two or three
+LDAP queries per invocation.  The first query is to parse the global
+options.  The second is to match against the user's name and the
+groups that the user belongs to.  (The special ALL tag is matched
+in this query too.)  If no match is returned for the user's name
+and groups, a third query returns all entries containing user
+netgroups and checks to see if the user belongs to any of them.
+
+If timed entries are enabled with the B<SUDOERS_TIMED> configuration
+directive, the LDAP queries include a subfilter that limits retrieval
+to entries that satisfy the time constraints, if any.
+
+=head2 Differences between LDAP and non-LDAP sudoers
+
+There are some subtle differences in the way sudoers is handled
+once in LDAP.  Probably the biggest is that according to the RFC,
+LDAP ordering is arbitrary and you cannot expect that Attributes
+and Entries are returned in any specific order.
+
+The order in which different entries are applied can be controlled
+using the C<sudoOrder> attribute, but there is no way to guarantee
+the order of attributes within a specific entry.  If there are
+conflicting command rules in an entry, the negative takes precedence.
+This is called paranoid behavior (not necessarily the most specific
+match).
+
+Here is an example:
+
+    # /etc/sudoers:
+    # Allow all commands except shell
+    johnny  ALL=(root) ALL,!/bin/sh
+    # Always allows all commands because ALL is matched last
+    puddles ALL=(root) !/bin/sh,ALL
+
+    # LDAP equivalent of johnny
+    # Allows all commands except shell
+    dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+    objectClass: sudoRole
+    objectClass: top
+    cn: role1
+    sudoUser: johnny
+    sudoHost: ALL
+    sudoCommand: ALL
+    sudoCommand: !/bin/sh
+
+    # LDAP equivalent of puddles
+    # Notice that even though ALL comes last, it still behaves like
+    # role1 since the LDAP code assumes the more paranoid configuration
+    dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+    objectClass: sudoRole
+    objectClass: top
+    cn: role2
+    sudoUser: puddles
+    sudoHost: ALL
+    sudoCommand: !/bin/sh
+    sudoCommand: ALL
+
+Another difference is that negations on the Host, User or Runas are
+currently ignored.  For example, the following attributes do not
+behave the way one might expect.
+
+    # does not match all but joe
+    # rather, does not match anyone
+    sudoUser: !joe
+
+    # does not match all but joe
+    # rather, matches everyone including Joe
+    sudoUser: ALL
+    sudoUser: !joe
+
+    # does not match all but web01
+    # rather, matches all hosts including web01
+    sudoHost: ALL
+    sudoHost: !web01
+
+=head2 Sudoers Schema
+
+In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
+installed on your LDAP server.  In addition, be sure to index the
+'sudoUser' attribute.
+
+Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
+one for Netscape-derived servers (F<schema.iPlanet>), and one for
+Microsoft Active Directory (F<schema.ActiveDirectory>) may
+be found in the B<sudo> distribution.
+
+The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
+section.
+
+=head2 Configuring ldap.conf
+
+Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
+Typically, this file is shared amongst different LDAP-aware clients.
+As such, most of the settings are not B<sudo>-specific.  Note that
+B<sudo> parses F<@ldap_conf@> itself and may support options
+that differ from those described in the L<ldap.conf(5)> manual.
+
+Also note that on systems using the OpenLDAP libraries, default
+values specified in F</etc/openldap/ldap.conf> or the user's
+F<.ldaprc> files are not used.
+
+Only those options explicitly listed in F<@ldap_conf@> as being
+supported by B<sudo> are honored.  Configuration options are listed
+below in upper case but are parsed in a case-independent manner.
+
+=over 4
+
+=item B<URI> ldap[s]://[hostname[:port]] ...
+
+Specifies a whitespace-delimited list of one or more URIs describing
+the LDAP server(s) to connect to.  The I<protocol> may be either
+B<ldap> or B<ldaps>, the latter being for servers that support TLS
+(SSL) encryption.  If no I<port> is specified, the default is port
+389 for C<ldap://> or port 636 for C<ldaps://>.  If no I<hostname>
+is specified, B<sudo> will connect to B<localhost>.  Multiple B<URI>
+lines are treated identically to a B<URI> line containing multiple
+entries.  Only systems using the OpenSSL libraries support the
+mixing of C<ldap://> and C<ldaps://> URIs.  The Netscape-derived
+libraries used on most commercial versions of Unix are only capable
+of supporting one or the other.
+
+=item B<HOST> name[:port] ...
+
+If no B<URI> is specified, the B<HOST> parameter specifies a
+whitespace-delimited list of LDAP servers to connect to.  Each host
+may include an optional I<port> separated by a colon (':').  The
+B<HOST> parameter is deprecated in favor of the B<URI> specification
+and is included for backwards compatibility.
+
+=item B<PORT> port_number
+
+If no B<URI> is specified, the B<PORT> parameter specifies the
+default port to connect to on the LDAP server if a B<HOST> parameter
+does not specify the port itself.  If no B<PORT> parameter is used,
+the default is port 389 for LDAP and port 636 for LDAP over TLS
+(SSL).  The B<PORT> parameter is deprecated in favor of the B<URI>
+specification and is included for backwards compatibility.
+
+=item B<BIND_TIMELIMIT> seconds
+
+The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
+to wait while trying to connect to an LDAP server.  If multiple B<URI>s or
+B<HOST>s are specified, this is the amount of time to wait before trying
+the next one in the list.
+
+=item B<NETWORK_TIMEOUT> seconds
+
+An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
+
+=item B<TIMELIMIT> seconds
+
+The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
+to wait for a response to an LDAP query.
+
+=item B<TIMEOUT> seconds
+
+The B<TIMEOUT> parameter specifies the amount of time, in seconds,
+to wait for a response from the various LDAP APIs.
+
+=item B<SUDOERS_BASE> base
+
+The base DN to use when performing B<sudo> LDAP queries.  Typically
+this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
+C<example.com>.  Multiple B<SUDOERS_BASE> lines may be specified,
+in which case they are queried in the order specified.
+
+=item B<SUDOERS_SEARCH_FILTER> ldap_filter
+
+An LDAP filter which is used to restrict the set of records returned
+when performing a B<sudo> LDAP query.  Typically, this is of the
+form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
+
+=item B<SUDOERS_TIMED> on/true/yes/off/false/no
+
+Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
+attributes that implement time-dependent sudoers entries.
+
+=item B<SUDOERS_DEBUG> debug_level
+
+This sets the debug level for B<sudo> LDAP queries.  Debugging
+information is printed to the standard error.  A value of 1 results
+in a moderate amount of debugging information.  A value of 2 shows
+the results of the matches themselves.  This parameter should not
+be set in a production environment as the extra information is
+likely to confuse users.
+
+=item B<BINDDN> DN
+
+The B<BINDDN> parameter specifies the identity, in the form of a
+Distinguished Name (DN), to use when performing LDAP operations.
+If not specified, LDAP operations are performed with an anonymous
+identity.  By default, most LDAP servers will allow anonymous access.
+
+=item B<BINDPW> secret
+
+The B<BINDPW> parameter specifies the password to use when performing
+LDAP operations.  This is typically used in conjunction with the
+B<BINDDN> parameter.
+
+=item B<ROOTBINDDN> DN
+
+The B<ROOTBINDDN> parameter specifies the identity, in the form of
+a Distinguished Name (DN), to use when performing privileged LDAP
+operations, such as I<sudoers> queries.  The password corresponding
+to the identity should be stored in F<@ldap_secret@>.
+If not specified, the B<BINDDN> identity is used (if any).
+
+=item B<LDAP_VERSION> number
+
+The version of the LDAP protocol to use when connecting to the server.
+The default value is protocol version 3.
+
+=item B<SSL> on/true/yes/off/false/no
+
+If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
+(SSL) encryption is always used when communicating with the LDAP
+server.  Typically, this involves connecting to the server on port
+636 (ldaps).
+
+=item B<SSL> start_tls
+
+If the B<SSL> parameter is set to C<start_tls>, the LDAP server
+connection is initiated normally and TLS encryption is begun before
+the bind credentials are sent.  This has the advantage of not
+requiring a dedicated port for encrypted communications.  This
+parameter is only supported by LDAP servers that honor the C<start_tls>
+extension, such as the OpenLDAP server.
+
+=item B<TLS_CHECKPEER> on/true/yes/off/false/no
+
+If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
+certificated to be verified.  If the server's TLS certificate cannot
+be verified (usually because it is signed by an unknown certificate
+authority), B<sudo> will be unable to connect to it.  If B<TLS_CHECKPEER>
+is disabled, no check is made.  Note that disabling the check creates
+an opportunity for man-in-the-middle attacks since the server's
+identity will not be authenticated.  If possible, the CA's certificate
+should be installed locally so it can be verified.
+
+=item B<TLS_CACERT> file name
+
+An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
+
+=item B<TLS_CACERTFILE> file name
+
+The path to a certificate authority bundle which contains the certificates
+for all the Certificate Authorities the client knows to be valid,
+e.g. F</etc/ssl/ca-bundle.pem>.
+This option is only supported by the OpenLDAP libraries.
+Netscape-derived LDAP libraries use the same certificate
+database for CA and client certificates (see B<TLS_CERT>).
+
+=item B<TLS_CACERTDIR> directory
+
+Similar to B<TLS_CACERTFILE> but instead of a file, it is a
+directory containing individual Certificate Authority certificates,
+e.g. F</etc/ssl/certs>.
+The directory specified by B<TLS_CACERTDIR> is checked after
+B<TLS_CACERTFILE>.
+This option is only supported by the OpenLDAP libraries.
+
+=item B<TLS_CERT> file name
+
+The path to a file containing the client certificate which can
+be used to authenticate the client to the LDAP server.
+The certificate type depends on the LDAP libraries used.
+
+OpenLDAP:
+    C<tls_cert /etc/ssl/client_cert.pem>
+
+Netscape-derived:
+    C<tls_cert /var/ldap/cert7.db>
+
+When using Netscape-derived libraries, this file may also contain
+Certificate Authority certificates.
+
+=item B<TLS_KEY> file name
+
+The path to a file containing the private key which matches the
+certificate specified by B<TLS_CERT>.  The private key must not be
+password-protected.  The key type depends on the LDAP libraries
+used.
+
+OpenLDAP:
+    C<tls_key /etc/ssl/client_key.pem>
+
+Netscape-derived:
+    C<tls_key /var/ldap/key3.db>
+
+=item B<TLS_RANDFILE> file name
+
+The B<TLS_RANDFILE> parameter specifies the path to an entropy
+source for systems that lack a random device.  It is generally used
+in conjunction with I<prngd> or I<egd>.
+This option is only supported by the OpenLDAP libraries.
+
+=item B<TLS_CIPHERS> cipher list
+
+The B<TLS_CIPHERS> parameter allows the administer to restrict
+which encryption algorithms may be used for TLS (SSL) connections.
+See the OpenSSL manual for a list of valid ciphers.
+This option is only supported by the OpenLDAP libraries.
+
+=item B<USE_SASL> on/true/yes/off/false/no
+
+Enable B<USE_SASL> for LDAP servers that support SASL authentication.
+
+=item B<SASL_AUTH_ID> identity
+
+The SASL user name to use when connecting to the LDAP server.
+By default, B<sudo> will use an anonymous connection.
+
+=item B<ROOTUSE_SASL> on/true/yes/off/false/no
+
+Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
+to an LDAP server from a privileged process, such as B<sudo>.
+
+=item B<ROOTSASL_AUTH_ID> identity
+
+The SASL user name to use when B<ROOTUSE_SASL> is enabled.
+
+=item B<SASL_SECPROPS> none/properties
+
+SASL security properties or I<none> for no properties.  See the
+SASL programmer's manual for details.
+
+=item B<KRB5_CCNAME> file name
+
+The path to the Kerberos 5 credential cache to use when authenticating
+with the remote server.
+
+=back
+
+See the C<ldap.conf> entry in the L<EXAMPLES> section.
+
+=head2 Configuring nsswitch.conf
+
+Unless it is disabled at build time, B<sudo> consults the Name
+Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
+search order.  Sudo looks for a line beginning with C<sudoers>: and
+uses this to determine the search order.  Note that B<sudo> does
+not stop searching after the first match and later matches take
+precedence over earlier ones.
+
+The following sources are recognized:
+
+    files	read sudoers from F<@sysconfdir@/sudoers>
+    ldap	read sudoers from LDAP
+
+In addition, the entry C<[NOTFOUND=return]> will short-circuit the
+search if the user was not found in the preceding source.
+
+To consult LDAP first followed by the local sudoers file (if it
+exists), use:
+
+    sudoers: ldap files
+
+The local I<sudoers> file can be ignored completely by using:
+
+    sudoers: ldap
+
+If the F<@nsswitch_conf@> file is not present or there is no
+sudoers line, the following default is assumed:
+
+    sudoers: files
+
+Note that F<@nsswitch_conf@> is supported even when the underlying
+operating system does not use an nsswitch.conf file.
+
+=head2 Configuring netsvc.conf
+
+On AIX systems, the F<@netsvc_conf@> file is consulted instead of
+F<@nsswitch_conf@>.  B<sudo> simply treats I<netsvc.conf> as a
+variant of I<nsswitch.conf>; information in the previous section
+unrelated to the file format itself still applies.
+
+To consult LDAP first followed by the local sudoers file (if it
+exists), use:
+
+    sudoers = ldap, files
+
+The local I<sudoers> file can be ignored completely by using:
+
+    sudoers = ldap
+
+To treat LDAP as authoratative and only use the local sudoers file
+if the user is not present in LDAP, use:
+
+    sudoers = ldap = auth, files
+
+Note that in the above example, the C<auth> qualfier only affects
+user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
+entries.
+
+If the F<@netsvc_conf@> file is not present or there is no
+sudoers line, the following default is assumed:
+
+    sudoers = files
+
+=head1 FILES
+
+=over 24
+
+=item F<@ldap_conf@>
+
+LDAP configuration file
+
+=item F<@nsswitch_conf@>
+
+determines sudoers source order
+
+=item F<@netsvc_conf@>
+
+determines sudoers source order on AIX
+
+=back
+
+=head1 EXAMPLES
+
+=head2 Example ldap.conf
+
+  # Either specify one or more URIs or one or more host:port pairs.
+  # If neither is specified sudo will default to localhost, port 389.
+  #
+  #host          ldapserver
+  #host          ldapserver1 ldapserver2:390
+  #
+  # Default port if host is specified without one, defaults to 389.
+  #port          389
+  #
+  # URI will override the host and port settings.
+  uri            ldap://ldapserver
+  #uri            ldaps://secureldapserver
+  #uri            ldaps://secureldapserver ldap://ldapserver
+  #
+  # The amount of time, in seconds, to wait while trying to connect to
+  # an LDAP server.
+  bind_timelimit 30
+  #
+  # The amount of time, in seconds, to wait while performing an LDAP query.
+  timelimit 30
+  #
+  # Must be set or sudo will ignore LDAP; may be specified multiple times.
+  sudoers_base   ou=SUDOers,dc=example,dc=com
+  #
+  # verbose sudoers matching from ldap
+  #sudoers_debug 2
+  #
+  # Enable support for time-based entries in sudoers.
+  #sudoers_timed yes
+  #
+  # optional proxy credentials
+  #binddn        <who to search as>
+  #bindpw        <password>
+  #rootbinddn    <who to search as, uses /etc/ldap.secret for bindpw>
+  #
+  # LDAP protocol version, defaults to 3
+  #ldap_version 3
+  #
+  # Define if you want to use an encrypted LDAP connection.
+  # Typically, you must also set the port to 636 (ldaps).
+  #ssl on
+  #
+  # Define if you want to use port 389 and switch to
+  # encryption before the bind credentials are sent.
+  # Only supported by LDAP servers that support the start_tls
+  # extension such as OpenLDAP.
+  #ssl start_tls
+  #
+  # Additional TLS options follow that allow tweaking of the
+  # SSL/TLS connection.
+  #
+  #tls_checkpeer yes # verify server SSL certificate
+  #tls_checkpeer no  # ignore server SSL certificate
+  #
+  # If you enable tls_checkpeer, specify either tls_cacertfile
+  # or tls_cacertdir.  Only supported when using OpenLDAP.
+  #
+  #tls_cacertfile /etc/certs/trusted_signers.pem
+  #tls_cacertdir  /etc/certs
+  #
+  # For systems that don't have /dev/random
+  # use this along with PRNGD or EGD.pl to seed the
+  # random number pool to generate cryptographic session keys.
+  # Only supported when using OpenLDAP.
+  #
+  #tls_randfile /etc/egd-pool
+  #
+  # You may restrict which ciphers are used.  Consult your SSL
+  # documentation for which options go here.
+  # Only supported when using OpenLDAP.
+  #
+  #tls_ciphers <cipher-list>
+  #
+  # Sudo can provide a client certificate when communicating to
+  # the LDAP server.
+  # Tips:
+  #   * Enable both lines at the same time.
+  #   * Do not password protect the key file.
+  #   * Ensure the keyfile is only readable by root.
+  #
+  # For OpenLDAP:
+  #tls_cert /etc/certs/client_cert.pem
+  #tls_key  /etc/certs/client_key.pem
+  #
+  # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+  # a directory, in which case the files in the directory must have the
+  # default names (e.g. cert8.db and key4.db), or the path to the cert
+  # and key files themselves.  However, a bug in version 5.0 of the LDAP
+  # SDK will prevent specific file names from working.  For this reason
+  # it is suggested that tls_cert and tls_key be set to a directory,
+  # not a file name.
+  #
+  # The certificate database specified by tls_cert may contain CA certs
+  # and/or the client's cert.  If the client's cert is included, tls_key
+  # should be specified as well.
+  # For backward compatibility, "sslpath" may be used in place of tls_cert.
+  #tls_cert /var/ldap
+  #tls_key /var/ldap
+  #
+  # If using SASL authentication for LDAP (OpenSSL)
+  # use_sasl yes
+  # sasl_auth_id <SASL user name>
+  # rootuse_sasl yes
+  # rootsasl_auth_id <SASL user name for root access>
+  # sasl_secprops none
+  # krb5_ccname /etc/.ldapcache
+
+=head2 Sudo schema for OpenLDAP 
+
+The following schema, in OpenLDAP format, is included with B<sudo>
+source and binary distributions as F<schema.OpenLDAP>.  Simply copy
+it to the schema directory (e.g. F</etc/openldap/schema>), add the
+proper C<include> line in C<slapd.conf> and restart B<slapd>.
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+    NAME 'sudoUser'
+    DESC 'User(s) who may  run sudo'
+    EQUALITY caseExactIA5Match
+    SUBSTR caseExactIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+    NAME 'sudoHost'
+    DESC 'Host(s) who may run sudo'
+    EQUALITY caseExactIA5Match
+    SUBSTR caseExactIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+    NAME 'sudoCommand'
+    DESC 'Command(s) to be executed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+    NAME 'sudoRunAs'
+    DESC 'User(s) impersonated by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+    NAME 'sudoOption'
+    DESC 'Options(s) followed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+    NAME 'sudoRunAsUser'
+    DESC 'User(s) impersonated by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+    NAME 'sudoRunAsGroup'
+    DESC 'Group(s) impersonated by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+    NAME 'sudoNotBefore'
+    DESC 'Start of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+    NAME 'sudoNotAfter'
+    DESC 'End of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+     NAME 'sudoOrder'
+     DESC 'an integer to order the sudoRole entries'
+     EQUALITY integerMatch
+     ORDERING integerOrderingMatch
+     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+    DESC 'Sudoer Entries'
+    MUST ( cn )
+    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+	  sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+	  sudoOrder $ description )
+    )
+
+=head1 SEE ALSO
+
+L<ldap.conf(5)>, L<sudoers(5)>
+
+=head1 CAVEATS
+
+Note that there are differences in the way that LDAP-based I<sudoers>
+is parsed compared to file-based I<sudoers>.  See the L<Differences
+between LDAP and non-LDAP sudoers> section for more information.
+
+=head1 BUGS
+
+If you feel you have found a bug in B<sudo>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/sudoers.man.in
===================================================================
--- trunk/contrib/sudo/sudoers.man.in	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudoers.man.in	2014-10-02 03:32:57 UTC (rev 6804)
@@ -148,7 +148,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -246,26 +246,33 @@
 \&               User \*(Aq,\*(Aq User_List
 \&
 \& User ::= \*(Aq!\*(Aq* user name |
-\&          \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\&          \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
-\&          \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
-\&          \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
+\&          \*(Aq!\*(Aq* #uid |
+\&          \*(Aq!\*(Aq* %group |
+\&          \*(Aq!\*(Aq* %#gid |
+\&          \*(Aq!\*(Aq* +netgroup |
+\&          \*(Aq!\*(Aq* %:nonunix_group |
+\&          \*(Aq!\*(Aq* %:#nonunix_gid |
 \&          \*(Aq!\*(Aq* User_Alias
 .Ve
 .PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and \f(CW\*(C`User_Alias\*(C'\fRes.  Each list item may be prefixed with
-zero or more '!' operators.  An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+\&\f(CW\*(C`User_Alias\*(C'\fRes.  Each list item may be prefixed with zero or more
+\&'!' operators.  An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
 .PP
-A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may
-be enclosed in double quotes to avoid the need for escaping special
-characters.  Alternately, special characters may be specified in
-escaped hex mode, e.g. \ex20 for space.
+A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
+or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
+need for escaping special characters.  Alternately, special characters
+may be specified in escaped hex mode, e.g. \ex20 for space.  When
+using double quotes, any prefix characters must be included inside
+the quotes.
 .PP
-The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation.
-For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats:
+The \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on the
+underlying implementation.  For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports
+the following formats:
 .IP "\(bu" 4
 Group in the same domain: \*(L"Group Name\*(R"
 .IP "\(bu" 4
@@ -273,8 +280,10 @@
 .IP "\(bu" 4
 Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
 .PP
-Note that quotes around group names are optional.  Unquoted strings must
-use a backslash (\e) to escape spaces and the '@' symbol.
+Note that quotes around group names are optional.  Unquoted strings
+must use a backslash (\e) to escape spaces and special characters.
+See \*(L"Other special characters and reserved words\*(R" for a list of
+characters that need to be escaped.
 .PP
 .Vb 2
 \& Runas_List ::= Runas_Member |
@@ -281,8 +290,11 @@
 \&                Runas_Member \*(Aq,\*(Aq Runas_List
 \&
 \& Runas_Member ::= \*(Aq!\*(Aq* user name |
-\&                  \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\&                  \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\&                  \*(Aq!\*(Aq* #uid |
+\&                  \*(Aq!\*(Aq* %group |
+\&                  \*(Aq!\*(Aq* %#gid |
+\&                  \*(Aq!\*(Aq* %:nonunix_group |
+\&                  \*(Aq!\*(Aq* %:#nonunix_gid |
 \&                  \*(Aq!\*(Aq* +netgroup |
 \&                  \*(Aq!\*(Aq* Runas_Alias
 .Ve
@@ -301,7 +313,7 @@
 \& Host ::= \*(Aq!\*(Aq* host name |
 \&          \*(Aq!\*(Aq* ip_addr |
 \&          \*(Aq!\*(Aq* network(/netmask)? |
-\&          \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\&          \*(Aq!\*(Aq* +netgroup |
 \&          \*(Aq!\*(Aq* Host_Alias
 .Ve
 .PP
@@ -429,7 +441,7 @@
 (and as what user) on specified hosts.  By default, commands are
 run as \fBroot\fR, but this can be changed on a per-command basis.
 .PP
-The basic structure of a user specification is `who = where (as_whom)
+The basic structure of a user specification is `who where = (as_whom)
 what'.  Let's break that down into its constituent parts:
 .SS "Runas_Spec"
 .IX Subsection "Runas_Spec"
@@ -591,13 +603,14 @@
 .IX Subsection "SETENV and NOSETENV"
 .PP
 These tags override the value of the \fIsetenv\fR option on a per-command
-basis.  Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
-environment variables set on the command line way are not subject
-to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
-\&\fIenv_keep\fR.  As such, only trusted users should be allowed to set
-variables in this manner.  If the command matched is \fB\s-1ALL\s0\fR, the
-\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
-be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
+basis.  Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
+may disable the \fIenv_reset\fR option from the command line via the
+\&\fB\-E\fR option.  Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR.  As such, only trusted users should
+be allowed to set variables in this manner.  If the command matched
+is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
+default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
 .PP
 \fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
 .IX Subsection "LOG_INPUT and NOLOG_INPUT"
@@ -754,7 +767,7 @@
 .PP
 The following characters must be escaped with a backslash ('\e') when
 used as part of a word (e.g.\ a user name or host name):
-\&'@', '!', '=', ':', ',', '(', ')', '\e'.
+\&'!', '=', ':', ',', '(', ')', '\e'.
 .SH "SUDOERS OPTIONS"
 .IX Header "SUDOERS OPTIONS"
 \&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
@@ -861,6 +874,37 @@
 .IX Item "log_host"
 If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
 This flag is \fIoff\fR by default.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI at iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted.  In most cases, logging the
+command output via \fIlog_output\fR is all that is required.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Sp
+Output is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI at iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
+can also be used to list or search the available logs.
 .IP "log_year" 16
 .IX Item "log_year"
 If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
@@ -1013,32 +1057,6 @@
 include the target user's name.  Note that this flag precludes the
 use of a uid not listed in the passwd database as an argument to
 the \fB\-u\fR option.  This flag is \fIoff\fR by default.
-.IP "log_input" 16
-.IX Item "log_input"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-.Sp
-Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique
-session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed
-with \fITSID=\fR.
-.IP "log_output" 16
-.IX Item "log_output"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-.Sp
-Output is logged to the
-\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is
-included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
-.Sp
-Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
-can also be used to list or search the available logs.
 .IP "tty_tickets" 16
 .IX Item "tty_tickets"
 If set, users must authenticate on a per-tty basis.  With this flag

Added: trunk/contrib/sudo/sudoers.pod
===================================================================
--- trunk/contrib/sudo/sudoers.pod	                        (rev 0)
+++ trunk/contrib/sudo/sudoers.pod	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,1737 @@
+Copyright (c) 1994-1996, 1998-2005, 2007-2011
+	Todd C. Miller <Todd.Miller at courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Sponsored in part by the Defense Advanced Research Projects
+Agency (DARPA) and Air Force Research Laboratory, Air Force
+Materiel Command, USAF, under agreement number F39502-99-1-0512.
+
+=pod
+
+=head1 NAME
+
+sudoers - list of which users may execute what
+
+=head1 DESCRIPTION
+
+The I<sudoers> file is composed of two types of entries: aliases
+(basically variables) and user specifications (which specify who
+may run what).
+
+When multiple entries match for a user, they are applied in order.
+Where there are multiple matches, the last match is used (which is
+not necessarily the most specific match).
+
+The I<sudoers> grammar will be described below in Extended Backus-Naur
+Form (EBNF).  Don't despair if you don't know what EBNF is; it is
+fairly simple, and the definitions below are annotated.
+
+=head2 Quick guide to EBNF
+
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of I<production rules>.  E.g.,
+
+ symbol ::= definition | alternate1 | alternate2 ...
+
+Each I<production rule> references others and thus makes up a
+grammar for the language.  EBNF also contains the following
+operators, which many readers will recognize from regular
+expressions.  Do not, however, confuse them with "wildcard"
+characters, which have different meanings.
+
+=over 4
+
+=item C<?>
+
+Means that the preceding symbol (or group of symbols) is optional.
+That is, it may appear once or not at all.
+
+=item C<*>
+
+Means that the preceding symbol (or group of symbols) may appear
+zero or more times.
+
+=item C<+>
+
+Means that the preceding symbol (or group of symbols) may appear
+one or more times.
+
+=back
+
+Parentheses may be used to group symbols together.  For clarity,
+we will use single quotes ('') to designate what is a verbatim character
+string (as opposed to a symbol name).
+
+=head2 Aliases
+
+There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
+C<Host_Alias> and C<Cmnd_Alias>.
+
+ Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
+	   'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+	   'Host_Alias'  Host_Alias (':' Host_Alias)* |
+	   'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*
+
+ User_Alias ::= NAME '=' User_List
+
+ Runas_Alias ::= NAME '=' Runas_List
+
+ Host_Alias ::= NAME '=' Host_List
+
+ Cmnd_Alias ::= NAME '=' Cmnd_List
+
+ NAME ::= [A-Z]([A-Z][0-9]_)*
+
+Each I<alias> definition is of the form
+
+ Alias_Type NAME = item1, item2, ...
+
+where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
+or C<Cmnd_Alias>.  A C<NAME> is a string of uppercase letters, numbers,
+and underscore characters ('_').  A C<NAME> B<must> start with an
+uppercase letter.  It is possible to put several alias definitions
+of the same type on a single line, joined by a colon (':').  E.g.,
+
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+
+The definitions of what constitutes a valid I<alias> member follow.
+
+ User_List ::= User |
+	       User ',' User_List
+
+ User ::= '!'* user name |
+	  '!'* #uid |
+	  '!'* %group |
+	  '!'* %#gid |
+	  '!'* +netgroup |
+	  '!'* %:nonunix_group |
+	  '!'* %:#nonunix_gid |
+	  '!'* User_Alias
+
+A C<User_List> is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+C<User_Alias>es.  Each list item may be prefixed with zero or more
+'!' operators.  An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+
+A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
+or C<nonunix_gid> may be enclosed in double quotes to avoid the
+need for escaping special characters.  Alternately, special characters
+may be specified in escaped hex mode, e.g. \x20 for space.  When
+using double quotes, any prefix characters must be included inside
+the quotes.
+
+The C<nonunix_group> and C<nonunix_gid> syntax depends on the
+underlying implementation.  For instance, the QAS AD backend supports
+the following formats:
+
+=over 4
+
+=item *
+
+Group in the same domain: "Group Name"
+
+=item *
+
+Group in any domain: "Group Name at FULLY.QUALIFIED.DOMAIN"
+
+=item *
+
+Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+
+=back
+
+Note that quotes around group names are optional.  Unquoted strings
+must use a backslash (\) to escape spaces and special characters.
+See L<"Other special characters and reserved words"> for a list of
+characters that need to be escaped.
+
+ Runas_List ::= Runas_Member |
+		Runas_Member ',' Runas_List
+
+ Runas_Member ::= '!'* user name |
+	          '!'* #uid |
+	          '!'* %group |
+	          '!'* %#gid |
+	          '!'* %:nonunix_group |
+	          '!'* %:#nonunix_gid |
+	          '!'* +netgroup |
+	          '!'* Runas_Alias
+
+A C<Runas_List> is similar to a C<User_List> except that instead
+of C<User_Alias>es it can contain C<Runas_Alias>es.  Note that
+user names and groups are matched as strings.  In other words, two
+users (groups) with the same uid (gid) are considered to be distinct.
+If you wish to match all user names with the same uid (e.g.E<nbsp>root
+and toor), you can use a uid instead (#0 in the example given).
+
+ Host_List ::= Host |
+	       Host ',' Host_List
+
+ Host ::= '!'* host name |
+	  '!'* ip_addr |
+	  '!'* network(/netmask)? |
+	  '!'* +netgroup |
+	  '!'* Host_Alias
+
+A C<Host_List> is made up of one or more host names, IP addresses,
+network numbers, netgroups (prefixed with '+') and other aliases.
+Again, the value of an item may be negated with the '!' operator.
+If you do not specify a netmask along with the network number,
+B<sudo> will query each of the local host's network interfaces and,
+if the network number corresponds to one of the hosts's network
+interfaces, the corresponding netmask will be used.  The netmask
+may be specified either in standard IP address notation
+(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
+or CIDR notation (number of bits, e.g.E<nbsp>24 or 64).  A host name may
+include shell-style wildcards (see the L<Wildcards> section below),
+but unless the C<host name> command on your machine returns the fully
+qualified host name, you'll need to use the I<fqdn> option for
+wildcards to be useful.  Note B<sudo> only inspects actual network
+interfaces; this means that IP address 127.0.0.1 (localhost) will
+never match.  Also, the host name "localhost" will only match if
+that is the actual host name, which is usually only the case for
+non-networked systems.
+
+ Cmnd_List ::= Cmnd |
+	       Cmnd ',' Cmnd_List
+
+ commandname ::= file name |
+	         file name args |
+	         file name '""'
+
+ Cmnd ::= '!'* commandname |
+	  '!'* directory |
+	  '!'* "sudoedit" |
+	  '!'* Cmnd_Alias
+
+A C<Cmnd_List> is a list of one or more commandnames, directories, and other
+aliases.  A commandname is a fully qualified file name which may include
+shell-style wildcards (see the L<Wildcards> section below).  A simple
+file name allows the user to run the command with any arguments he/she
+wishes.  However, you may also specify command line arguments (including
+wildcards).  Alternately, you can specify C<""> to indicate that the command
+may only be run B<without> command line arguments.  A directory is a
+fully qualified path name ending in a '/'.  When you specify a directory
+in a C<Cmnd_List>, the user will be able to run any file within that directory
+(but not in any subdirectories therein).
+
+If a C<Cmnd> has associated command line arguments, then the arguments
+in the C<Cmnd> must match exactly those given by the user on the command line
+(or match the wildcards if there are any).  Note that the following
+characters must be escaped with a '\' if they are used in command
+arguments: ',', ':', '=', '\'.  The special command C<"sudoedit">
+is used to permit a user to run B<sudo> with the B<-e> option (or
+as B<sudoedit>).  It may take command line arguments just as
+a normal command does.
+
+=head2 Defaults
+
+Certain configuration options may be changed from their default
+values at runtime via one or more C<Default_Entry> lines.  These
+may affect all users on any host, all users on a specific host, a
+specific user, a specific command, or commands being run as a specific user.
+Note that per-command entries may not include command line arguments.
+If you need to specify arguments, define a C<Cmnd_Alias> and reference
+that instead.
+
+ Default_Type ::= 'Defaults' |
+		  'Defaults' '@' Host_List |
+		  'Defaults' ':' User_List |
+		  'Defaults' '!' Cmnd_List |
+		  'Defaults' '>' Runas_List
+
+ Default_Entry ::= Default_Type Parameter_List
+
+ Parameter_List ::= Parameter |
+		    Parameter ',' Parameter_List
+
+ Parameter ::= Parameter '=' Value |
+	       Parameter '+=' Value |
+	       Parameter '-=' Value |
+	       '!'* Parameter
+
+Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
+Flags are implicitly boolean and can be turned off via the '!'
+operator.  Some integer, string and list parameters may also be
+used in a boolean context to disable them.  Values may be enclosed
+in double quotes (C<">) when they contain multiple words.  Special
+characters may be escaped with a backslash (C<\>).
+
+Lists have two additional assignment operators, C<+=> and C<-=>.
+These operators are used to add to and delete from a list respectively.
+It is not an error to use the C<-=> operator to remove an element
+that does not exist in a list.
+
+Defaults entries are parsed in the following order: generic, host
+and user Defaults first, then runas Defaults and finally command
+defaults.
+
+See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
+
+=head2 User Specification
+
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+	       (':' Host_List '=' Cmnd_Spec_List)*
+
+ Cmnd_Spec_List ::= Cmnd_Spec |
+		    Cmnd_Spec ',' Cmnd_Spec_List
+
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+	       'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+               'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+
+A B<user specification> determines which commands a user may run
+(and as what user) on specified hosts.  By default, commands are
+run as B<root>, but this can be changed on a per-command basis.
+
+The basic structure of a user specification is `who where = (as_whom)
+what'.  Let's break that down into its constituent parts:
+
+=head2 Runas_Spec
+
+A C<Runas_Spec> determines the user and/or the group that a command
+may be run as.  A fully-specified C<Runas_Spec> consists of two
+C<Runas_List>s (as defined above) separated by a colon (':') and
+enclosed in a set of parentheses.  The first C<Runas_List> indicates
+which users the command may be run as via B<sudo>'s B<-u> option.
+The second defines a list of groups that can be specified via
+B<sudo>'s B<-g> option.  If both C<Runas_List>s are specified, the
+command may be run with any combination of users and groups listed
+in their respective C<Runas_List>s.  If only the first is specified,
+the command may be run as any user in the list but no B<-g> option
+may be specified.  If the first C<Runas_List> is empty but the
+second is specified, the command may be run as the invoking user
+with the group set to any listed in the C<Runas_List>.  If no
+C<Runas_Spec> is specified the command may be run as B<root> and
+no group may be specified.
+
+A C<Runas_Spec> sets the default for the commands that follow it.
+What this means is that for the entry:
+
+ dgb	boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+
+The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
+F</usr/bin/lprm> -- but only as B<operator>.  E.g.,
+
+ $ sudo -u operator /bin/ls
+
+It is also possible to override a C<Runas_Spec> later on in an
+entry.  If we modify the entry like so:
+
+ dgb	boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+
+Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
+but  F</bin/kill> and F</usr/bin/lprm> as B<root>.
+
+We can extend this to allow B<dgb> to run C</bin/ls> with either
+the user or group set to B<operator>:
+
+ dgb	boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
+	/usr/bin/lprm
+
+Note that while the group portion of the C<Runas_Spec> permits the
+user to run as command with that group, it does not force the user
+to do so.  If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry.  The following would all be permitted by the sudoers entry above:
+
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
+
+In the following example, user B<tcm> may run commands that access
+a modem device file with the dialer group.
+
+ tcm	boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+	/usr/local/bin/minicom
+
+Note that in this example only the group will be set, the command
+still runs as user B<tcm>.  E.g.
+
+ $ sudo -g dialer /usr/bin/cu
+
+Multiple users and groups may be present in a C<Runas_Spec>, in
+which case the user may select any combination of users and groups
+via the B<-u> and B<-g> options.  In this example:
+
+ alan	ALL = (root, bin : operator, system) ALL
+
+user B<alan> may run any command as either user root or bin,
+optionally setting the group to operator or system.
+
+=head2 SELinux_Spec
+
+On systems with SELinux support, I<sudoers> entries may optionally have
+an SELinux role and/or type associated with a command.  If a role or
+type is specified with the command it will override any default values
+specified in I<sudoers>.  A role or type specified on the command line,
+however, will supercede the values in I<sudoers>.
+
+=head2 Tag_Spec
+
+A command may have zero or more tags associated with it.  There are
+eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
+C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
+C<LOG_OUTPUT> and C<NOLOG_OUTPUT>.  Once a tag is set on a C<Cmnd>,
+subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
+it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
+C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
+
+=head3 NOPASSWD and PASSWD
+
+By default, B<sudo> requires that a user authenticate him or herself
+before running a command.  This behavior can be modified via the
+C<NOPASSWD> tag.  Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
+a default for the commands that follow it in the C<Cmnd_Spec_List>.
+Conversely, the C<PASSWD> tag can be used to reverse things.
+For example:
+
+ ray	rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+
+would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
+F</usr/bin/lprm> as B<root> on the machine rushmore without
+authenticating himself.  If we only want B<ray> to be able to
+run F</bin/kill> without a password the entry would be:
+
+ ray	rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+
+Note, however, that the C<PASSWD> tag has no effect on users who are
+in the group specified by the I<exempt_group> option.
+
+By default, if the C<NOPASSWD> tag is applied to any of the entries
+for a user on the current host, he or she will be able to run
+C<sudo -l> without a password.  Additionally, a user may only run
+C<sudo -v> without a password if the C<NOPASSWD> tag is present
+for all a user's entries that pertain to the current host.
+This behavior may be overridden via the verifypw and listpw options.
+
+=head3 NOEXEC and EXEC
+
+If B<sudo> has been compiled with I<noexec> support and the underlying
+operating system supports it, the C<NOEXEC> tag can be used to prevent
+a dynamically-linked executable from running further commands itself.
+
+In the following example, user B<aaron> may run F</usr/bin/more>
+and F</usr/bin/vi> but shell escapes will be disabled.
+
+ aaron	shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+See the L<PREVENTING SHELL ESCAPES> section below for more details
+on how C<NOEXEC> works and whether or not it will work on your system.
+
+=head3 SETENV and NOSETENV
+
+These tags override the value of the I<setenv> option on a per-command
+basis.  Note that if C<SETENV> has been set for a command, the user
+may disable the I<env_reset> option from the command line via the
+B<-E> option.  Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by I<env_check>,
+I<env_delete>, or I<env_keep>.  As such, only trusted users should
+be allowed to set variables in this manner.  If the command matched
+is B<ALL>, the C<SETENV> tag is implied for that command; this
+default may be overridden by use of the C<NOSETENV> tag.
+
+=head3 LOG_INPUT and NOLOG_INPUT
+
+These tags override the value of the I<log_input> option on a
+per-command basis.  For more information, see the description of
+I<log_input> in the L<"SUDOERS OPTIONS"> section below.
+
+=head3 LOG_OUTPUT and NOLOG_OUTPUT
+
+These tags override the value of the I<log_output> option on a
+per-command basis.  For more information, see the description of
+I<log_output> in the L<"SUDOERS OPTIONS"> section below.
+
+=head2 Wildcards
+
+B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
+to be used in host names, path names and command line arguments in
+the I<sudoers> file.  Wildcard matching is done via the B<POSIX>
+L<glob(3)> and L<fnmatch(3)> routines.  Note that these are I<not>
+regular expressions.
+
+=over 8
+
+=item C<*>
+
+Matches any set of zero or more characters.
+
+=item C<?>
+
+Matches any single character.
+
+=item C<[...]>
+
+Matches any character in the specified range.
+
+=item C<[!...]>
+
+Matches any character B<not> in the specified range.
+
+=item C<\x>
+
+For any character "x", evaluates to "x".  This is used to
+escape special characters such as: "*", "?", "[", and "}".
+
+=back
+
+POSIX character classes may also be used if your system's L<glob(3)>
+and L<fnmatch(3)> functions support them.  However, because the
+C<':'> character has special meaning in I<sudoers>, it must be
+escaped.  For example:
+
+    /bin/ls [[\:alpha\:]]*
+
+Would match any file name beginning with a letter.
+
+Note that a forward slash ('/') will B<not> be matched by
+wildcards used in the path name.  When matching the command
+line arguments, however, a slash B<does> get matched by
+wildcards.  This is to make a path like:
+
+    /usr/bin/*
+
+match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
+
+=head2 Exceptions to wildcard rules
+
+The following exceptions apply to the above rules:
+
+=over 8
+
+=item C<"">
+
+If the empty string C<""> is the only command line argument in the
+I<sudoers> entry it means that command is not allowed to be run
+with B<any> arguments.
+
+=back
+
+=head2 Including other files from within sudoers
+
+It is possible to include other I<sudoers> files from within the
+I<sudoers> file currently being parsed using the C<#include> and
+C<#includedir> directives.
+
+This can be used, for example, to keep a site-wide I<sudoers> file
+in addition to a local, per-machine file.  For the sake of this
+example the site-wide I<sudoers> will be F</etc/sudoers> and the
+per-machine one will be F</etc/sudoers.local>.  To include
+F</etc/sudoers.local> from within F</etc/sudoers> we would use the
+following line in F</etc/sudoers>:
+
+=over 4
+
+C<#include /etc/sudoers.local>
+
+=back
+
+When B<sudo> reaches this line it will suspend processing of the
+current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
+Upon reaching the end of F</etc/sudoers.local>, the rest of
+F</etc/sudoers> will be processed.  Files that are included may
+themselves include other files.  A hard limit of 128 nested include
+files is enforced to prevent include file loops.
+
+The file name may include the C<%h> escape, signifying the short form
+of the host name.  I.e., if the machine's host name is "xerxes", then
+
+C<#include /etc/sudoers.%h>
+
+will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
+
+The C<#includedir> directive can be used to create a F<sudo.d>
+directory that the system package manager can drop I<sudoers> rules
+into as part of package installation.  For example, given:
+
+C<#includedir /etc/sudoers.d>
+
+B<sudo> will read each file in F</etc/sudoers.d>, skipping file
+names that end in C<~> or contain a C<.> character to avoid causing
+problems with package manager or editor temporary/backup files.
+Files are parsed in sorted lexical order.  That is,
+F</etc/sudoers.d/01_first> will be parsed before
+F</etc/sudoers.d/10_second>.  Be aware that because the sorting is
+lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
+B<after> F</etc/sudoers.d/10_second>.  Using a consistent number
+of leading zeroes in the file names can be used to avoid such
+problems.
+
+Note that unlike files included via C<#include>, B<visudo> will not
+edit the files in a C<#includedir> directory unless one of them
+contains a syntax error.  It is still possible to run B<visudo>
+with the C<-f> flag to edit the files directly.
+
+=head2 Other special characters and reserved words
+
+The pound sign ('#') is used to indicate a comment (unless it is
+part of a #include directive or unless it occurs in the context of
+a user name and is followed by one or more digits, in which case
+it is treated as a uid).  Both the comment character and any text
+after it, up to the end of the line, are ignored.
+
+The reserved word B<ALL> is a built-in I<alias> that always causes
+a match to succeed.  It can be used wherever one might otherwise
+use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
+You should not try to define your own I<alias> called B<ALL> as the
+built-in alias will be used in preference to your own.  Please note
+that using B<ALL> can be dangerous since in a command context, it
+allows the user to run B<any> command on the system.
+
+An exclamation point ('!') can be used as a logical I<not> operator
+both in an I<alias> and in front of a C<Cmnd>.  This allows one to
+exclude certain values.  Note, however, that using a C<!> in
+conjunction with the built-in C<ALL> alias to allow a user to
+run "all but a few" commands rarely works as intended (see SECURITY
+NOTES below).
+
+Long lines can be continued with a backslash ('\') as the last
+character on the line.
+
+Whitespace between elements in a list as well as special syntactic
+characters in a I<User Specification> ('=', ':', '(', ')') is optional.
+
+The following characters must be escaped with a backslash ('\') when
+used as part of a word (e.g.E<nbsp>a user name or host name):
+'!', '=', ':', ',', '(', ')', '\'.
+
+=head1 SUDOERS OPTIONS
+
+B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
+explained earlier.  A list of all supported Defaults parameters,
+grouped by type, are listed below.
+
+B<Boolean Flags>:
+
+=over 16
+
+=item always_set_home
+
+If enabled, B<sudo> will set the C<HOME> environment variable to the
+home directory of the target user (which is root unless the B<-u>
+option is used).  This effectively means that the B<-H> option is
+always implied.  Note that C<HOME> is already set when the the
+I<env_reset> option is enabled, so I<always_set_home> is only
+effective for configurations where either I<env_reset> is disabled
+or C<HOME> is present in the I<env_keep> list.
+This flag is I<off> by default.
+
+=item authenticate
+
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands.  This default
+may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
+This flag is I<on> by default.
+
+=item closefrom_override
+
+If set, the user may use B<sudo>'s B<-C> option which
+overrides the default starting point at which B<sudo> begins
+closing open file descriptors.  This flag is I<off> by default.
+
+=item compress_io
+
+If set, and B<sudo> is configured to log a command's input or output,
+the I/O logs will be compressed using B<zlib>.  This flag is I<on>
+by default when B<sudo> is compiled with B<zlib> support.
+
+=item env_editor
+
+If set, B<visudo> will use the value of the EDITOR or VISUAL
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging.  A safer alternative
+is to place a colon-separated list of editors in the C<editor>
+variable.  B<visudo> will then only use the EDITOR or VISUAL if
+they match a value specified in C<editor>.  This flag is I<@env_editor@> by
+default.
+
+=item env_reset
+
+If set, B<sudo> will reset the environment to only contain the
+LOGNAME, MAIL, SHELL, USER, USERNAME and the C<SUDO_*> variables.  Any
+variables in the caller's environment that match the C<env_keep>
+and C<env_check> lists are then added.  The default contents of the
+C<env_keep> and C<env_check> lists are displayed when B<sudo> is
+run by root with the I<-V> option.  If the I<secure_path> option
+is set, its value will be used for the C<PATH> environment variable.
+This flag is I<@env_reset@> by default.
+
+=item fast_glob
+
+Normally, B<sudo> uses the L<glob(3)> function to do shell-style
+globbing when matching path names.  However, since it accesses the
+file system, L<glob(3)> can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted).  The I<fast_glob>
+option causes B<sudo> to use the L<fnmatch(3)> function, which does
+not access the file system to do its matching.  The disadvantage
+of I<fast_glob> is that it is unable to match relative path names
+such as F<./ls> or F<../bin/ls>.  This has security implications
+when path names that include globbing characters are used with the
+negation operator, C<'!'>, as such rules can be trivially bypassed.
+As such, this option should not be used when I<sudoers> contains rules 
+that contain negated path names which include globbing characters.
+This flag is I<off> by default.
+
+=item fqdn
+
+Set this flag if you want to put fully qualified host names in the
+I<sudoers> file.  I.e., instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
+which may make B<sudo> unusable if DNS stops working (for example
+if the machine is not plugged into the network).  Also note that
+you must use the host's official name as DNS knows it.  That is,
+you may not use a host alias (C<CNAME> entry) due to performance
+issues and the fact that there is no way to get all aliases from
+DNS.  If your machine's host name (as returned by the C<hostname>
+command) is already fully qualified you shouldn't need to set
+I<fqdn>.  This flag is I<@fqdn@> by default.
+
+=item ignore_dot
+
+If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
+environment variable; the C<PATH> itself is not modified.  This
+flag is I<@ignore_dot@> by default.
+
+=item ignore_local_sudoers
+
+If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only LDAP is used.  This thwarts the efforts of
+rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
+When this option is present, F<@sysconfdir@/sudoers> does not even need to
+exist. Since this option tells B<sudo> how to behave when no specific LDAP
+entries have been matched, this sudoOption is only meaningful for the
+C<cn=defaults> section.  This flag is I<off> by default.
+
+=item insults
+
+If set, B<sudo> will insult users when they enter an incorrect
+password.  This flag is I<@insults@> by default.
+
+=item log_host
+
+If set, the host name will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item log_input
+
+If set, B<sudo> will run the command in a I<pseudo tty> and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+
+Input is logged to the directory specified by the I<iolog_dir>
+option (F<@iolog_dir@> by default) using a unique session ID that
+is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted.  In most cases, logging the
+command output via I<log_output> is all that is required.
+
+=item log_output
+
+If set, B<sudo> will run the command in a I<pseudo tty> and log all
+output that is sent to the screen, similar to the script(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+
+Output is logged to the directory specified by the I<iolog_dir>
+option (F<@iolog_dir@> by default) using a unique session ID that
+is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+
+Output logs may be viewed with the L<sudoreplay(8)> utility, which
+can also be used to list or search the available logs.
+
+=item log_year
+
+If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item long_otp_prompt
+
+When validating with a One Time Password (OPT) scheme such as
+B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.  It's not as
+pretty as the default but some people find it more convenient.  This
+flag is I<@long_otp_prompt@> by default.
+
+=item mail_always
+
+Send mail to the I<mailto> user every time a users runs B<sudo>.
+This flag is I<off> by default.
+
+=item mail_badpass
+
+Send mail to the I<mailto> user if the user running B<sudo> does not
+enter the correct password.  This flag is I<off> by default.
+
+=item mail_no_host
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user exists in the I<sudoers> file, but is not allowed to run
+commands on the current host.  This flag is I<@mail_no_host@> by default.
+
+=item mail_no_perms
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is allowed to use B<sudo> but the command they are trying is not
+listed in their I<sudoers> file entry or is explicitly denied.
+This flag is I<@mail_no_perms@> by default.
+
+=item mail_no_user
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file.  This flag is I<@mail_no_user@>
+by default.
+
+=item noexec
+
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
+tag has been set, unless overridden by a C<EXEC> tag.  See the
+description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
+ESCAPES> section at the end of this manual.  This flag is I<off> by default.
+
+=item path_info
+
+Normally, B<sudo> will tell the user when a command could not be
+found in their C<PATH> environment variable.  Some sites may wish
+to disable this as it could be used to gather information on the
+location of executables that the normal user does not have access
+to.  The disadvantage is that if the executable is simply not in
+the user's C<PATH>, B<sudo> will tell the user that they are not
+allowed to run it, which can be confusing.  This flag is I<@path_info@>
+by default.
+
+=item passprompt_override
+
+The password prompt specified by I<passprompt> will normally only
+be used if the password prompt provided by systems such as PAM matches
+the string "Password:".  If I<passprompt_override> is set, I<passprompt>
+will always be used.  This flag is I<off> by default.
+
+=item preserve_groups
+
+By default, B<sudo> will initialize the group vector to the list of
+groups the target user is in.  When I<preserve_groups> is set, the
+user's existing group vector is left unaltered.  The real and
+effective group IDs, however, are still set to match the target
+user.  This flag is I<off> by default.
+
+=item pwfeedback
+
+By default, B<sudo> reads the password like most other Unix programs,
+by turning off echo until the user hits the return (or enter) key.
+Some users become confused by this as it appears to them that B<sudo>
+has hung at this point.  When I<pwfeedback> is set, B<sudo> will
+provide visual feedback when the user presses a key.  Note that
+this does have a security impact as an onlooker may be able to
+determine the length of the password being entered.
+This flag is I<off> by default.
+
+=item requiretty
+
+If set, B<sudo> will only run when the user is logged in to a real
+tty.  When this flag is set, B<sudo> can only be run from a login
+session and not via other means such as L<cron(8)> or cgi-bin scripts.
+This flag is I<off> by default.
+
+=item root_sudo
+
+If set, root is allowed to run B<sudo> too.  Disabling this prevents users
+from "chaining" B<sudo> commands to get a root shell by doing something
+like C<"sudo sudo /bin/sh">.  Note, however, that turning off I<root_sudo>
+will also prevent root from running B<sudoedit>.
+Disabling I<root_sudo> provides no real additional security; it
+exists purely for historical reasons.
+This flag is I<@root_sudo@> by default.
+
+=item rootpw
+
+If set, B<sudo> will prompt for the root password instead of the password
+of the invoking user.  This flag is I<off> by default.
+
+=item runaspw
+
+If set, B<sudo> will prompt for the password of the user defined by the
+I<runas_default> option (defaults to C<@runas_default@>) instead of the
+password of the invoking user.  This flag is I<off> by default.
+
+=item set_home
+
+If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
+environment variable will be set to the home directory of the target
+user (which is root unless the B<-u> option is used).  This effectively
+makes the B<-s> option imply B<-H>.  Note that C<HOME> is already
+set when the the I<env_reset> option is enabled, so I<set_home> is
+only effective for configurations where either I<env_reset> is disabled
+or C<HOME> is present in the I<env_keep> list.
+This flag is I<off> by default.
+
+=item set_logname
+
+Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
+environment variables to the name of the target user (usually root
+unless the B<-u> option is given).  However, since some programs
+(including the RCS revision control system) use C<LOGNAME> to
+determine the real identity of the user, it may be desirable to
+change this behavior.  This can be done by negating the set_logname
+option.  Note that if the I<env_reset> option has not been disabled,
+entries in the I<env_keep> list will override the value of
+I<set_logname>.  This flag is I<on> by default.
+
+=item setenv
+
+Allow the user to disable the I<env_reset> option from the command
+line.  Additionally, environment variables set via the command line
+are not subject to the restrictions imposed by I<env_check>,
+I<env_delete>, or I<env_keep>.  As such, only trusted users should
+be allowed to set variables in this manner.  This flag is I<off>
+by default.
+
+=item shell_noargs
+
+If set and B<sudo> is invoked with no arguments it acts as if the
+B<-s> option had been given.  That is, it runs a shell as root (the
+shell is determined by the C<SHELL> environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not).  This flag is I<off> by default.
+
+=item stay_setuid
+
+Normally, when B<sudo> executes a command the real and effective
+UIDs are set to the target user (root by default).  This option
+changes that behavior such that the real UID is left as the invoking
+user's UID.  In other words, this makes B<sudo> act as a setuid
+wrapper.  This can be useful on systems that disable some potentially
+dangerous functionality when a program is run setuid.  This option
+is only effective on systems with either the setreuid() or setresuid()
+function.  This flag is I<off> by default.
+
+=item targetpw
+
+If set, B<sudo> will prompt for the password of the user specified
+by the B<-u> option (defaults to C<root>) instead of the password
+of the invoking user.  In addition, the timestamp file name will
+include the target user's name.  Note that this flag precludes the
+use of a uid not listed in the passwd database as an argument to
+the B<-u> option.  This flag is I<off> by default.
+
+=item tty_tickets
+
+If set, users must authenticate on a per-tty basis.  With this flag
+enabled, B<sudo> will use a file named for the tty the user is
+logged in on in the user's time stamp directory.  If disabled, the
+time stamp of the directory is used instead.  This flag is
+I<@tty_tickets@> by default.
+
+=item umask_override
+
+If set, B<sudo> will set the umask as specified by I<sudoers> without
+modification.  This makes it possible to specify a more permissive
+umask in I<sudoers> than the user's own umask and matches historical
+behavior.  If I<umask_override> is not set, B<sudo> will set the
+umask to be the union of the user's umask and what is specified in
+I<sudoers>.  This flag is I<@umask_override@> by default.
+
+=item use_loginclass
+
+If set, B<sudo> will apply the defaults specified for the target user's
+login class if one exists.  Only available if B<sudo> is configured with
+the --with-logincap option.  This flag is I<off> by default.
+
+=item use_pty
+
+If set, B<sudo> will run the command in a pseudo-pty even if no I/O
+logging is being gone.  A malicious program run under B<sudo> could
+conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing.  Use
+of this option will make that impossible.
+
+=item visiblepw
+
+By default, B<sudo> will refuse to run if the user must enter a
+password but it is not possible to disable echo on the terminal.
+If the I<visiblepw> flag is set, B<sudo> will prompt for a password
+even when it would be visible on the screen.  This makes it possible
+to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
+not allocate a tty.  This flag is I<off> by default.
+
+=back
+
+B<Integers>:
+
+=over 16
+
+=item closefrom
+
+Before it executes a command, B<sudo> will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0-2).  The I<closefrom> option can be used
+to specify a different file descriptor at which to start closing.
+The default is C<3>.
+
+=item passwd_tries
+
+The number of tries a user gets to enter his/her password before
+B<sudo> logs the failure and exits.  The default is C<@passwd_tries@>.
+
+=back
+
+B<Integers that can be used in a boolean context>:
+
+=over 16
+
+=item loglinelen
+
+Number of characters per line for the file log.  This value is used
+to decide when to wrap lines for nicer log files.  This has no
+effect on the syslog log file, only the file log.  The default is
+C<@loglen@> (use 0 or negate the option to disable word wrap).
+
+=item passwd_timeout
+
+Number of minutes before the B<sudo> password prompt times out, or
+C<0> for no timeout.  The timeout may include a fractional component
+if minute granularity is insufficient, for example C<2.5>.  The
+default is C<@password_timeout@>.
+
+=item timestamp_timeout
+
+Number of minutes that can elapse before B<sudo> will ask for a
+passwd again.  The timeout may include a fractional component if
+minute granularity is insufficient, for example C<2.5>.  The default
+is C<@timeout@>.  Set this to C<0> to always prompt for a password.
+If set to a value less than C<0> the user's timestamp will never
+expire.  This can be used to allow users to create or delete their
+own timestamps via C<sudo -v> and C<sudo -k> respectively.
+
+=item umask
+
+Umask to use when running the command.  Negate this option or set
+it to 0777 to preserve the user's umask.  The actual umask that is
+used will be the union of the user's umask and the value of the
+I<umask> option, which defaults to C<@sudo_umask@>.  This guarantees
+that B<sudo> never lowers the umask when running a command.  Note
+on systems that use PAM, the default PAM configuration may specify
+its own umask which will override the value set in I<sudoers>.
+
+=back
+
+B<Strings>:
+
+=over 16
+
+=item badpass_message
+
+Message that is displayed if a user enters an incorrect password.
+The default is C<@badpass_message@> unless insults are enabled.
+
+=item editor
+
+A colon (':') separated list of editors allowed to be used with
+B<visudo>.  B<visudo> will choose the editor that matches the user's
+EDITOR environment variable if possible, or the first editor in the
+list that exists and is executable.  The default is C<"@editor@">.
+
+=item iolog_dir
+
+The directory in which to store input/output logs when the I<log_input>
+or I<log_output> options are enabled or when the C<LOG_INPUT> or
+C<LOG_OUTPUT> tags are present for a command.
+The default is C<"@iolog_dir@">.
+
+=item mailsub
+
+Subject of the mail sent to the I<mailto> user. The escape C<%h>
+will expand to the host name of the machine.
+Default is C<@mailsub@>.
+
+=item noexec_file
+
+Path to a shared library containing dummy versions of the execv(),
+execve() and fexecve() library functions that just return an error.
+This is used to implement the I<noexec> functionality on systems that
+support C<LD_PRELOAD> or its equivalent.  Defaults to F<@noexec_file@>.
+
+=item passprompt
+
+The default prompt to use when asking for a password; can be overridden
+via the B<-p> option or the C<SUDO_PROMPT> environment variable.
+The following percent (`C<%>') escapes are supported:
+
+=over 4
+
+=item C<%H>
+
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the I<fqdn>
+option is set)
+
+=item C<%h>
+
+expanded to the local host name without the domain name
+
+=item C<%p>
+
+expanded to the user whose password is being asked for (respects the 
+I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
+
+=item C<%U>
+
+expanded to the login name of the user the command will
+be run as (defaults to root)
+
+=item C<%u>
+
+expanded to the invoking user's login name
+
+=item C<%%>
+
+two consecutive C<%> characters are collapsed into a single C<%> character
+
+=back
+
+The default value is C<@passprompt@>.
+
+=item role
+
+The default SELinux role to use when constructing a new security
+context to run the command.  The default role may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
+=item runas_default
+
+The default user to run commands as if the B<-u> option is not specified
+on the command line.  This defaults to C<@runas_default@>.
+
+=item syslog_badpri
+
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to C<@badpri@>.
+
+The following syslog priorities are supported: B<alert>, B<crit>,
+B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
+
+=item syslog_goodpri
+
+Syslog priority to use when user authenticates successfully.
+Defaults to C<@goodpri@>.
+
+See L<syslog_badpri> for the list of supported syslog priorities.
+
+=item sudoers_locale
+
+Locale to use when parsing the sudoers file, logging commands, and
+sending email.  Note that changing the locale may affect how sudoers
+is interpreted.  Defaults to C<"C">.
+
+=item timestampdir
+
+The directory in which B<sudo> stores its timestamp files.
+The default is F<@timedir@>.
+
+=item timestampowner
+
+The owner of the timestamp directory and the timestamps stored therein.
+The default is C<root>.
+
+=item type
+
+The default SELinux type to use when constructing a new security
+context to run the command.  The default type may be overridden on
+a per-command basis in I<sudoers> or via command line options.
+This option is only available whe B<sudo> is built with SELinux support.
+
+=back
+
+B<Strings that can be used in a boolean context>:
+
+=over 12
+
+=item askpass
+
+The I<askpass> option specifies the fully qualified path to a helper
+program used to read the user's password when no terminal is
+available.  This may be the case when B<sudo> is executed from a
+graphical (as opposed to text-based) application.  The program
+specified by I<askpass> should display the argument passed to it
+as the prompt and write the user's password to the standard output.
+The value of I<askpass> may be overridden by the C<SUDO_ASKPASS>
+environment variable.
+
+=item env_file
+
+The I<env_file> options specifies the fully qualified path to a
+file containing variables to be set in the environment of the program
+being run.  Entries in this file should either be of the form
+C<VARIABLE=value> or C<export VARIABLE=value>.  The value may
+optionally be surrounded by single or double quotes.  Variables in
+this file are subject to other B<sudo> environment settings such
+as I<env_keep> and I<env_check>.
+
+=item exempt_group
+
+Users in this group are exempt from password and PATH requirements.
+This is not set by default.
+
+=item lecture
+
+This option controls when a short lecture will be printed along with
+the password prompt.  It has the following possible values:
+
+=over 8
+
+=item always
+
+Always lecture the user.
+
+=item never
+
+Never lecture the user.
+
+=item once
+
+Only lecture the user the first time they run B<sudo>.
+
+=back
+
+If no value is specified, a value of I<once> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<@lecture@>.
+
+=item lecture_file
+
+Path to a file containing an alternate B<sudo> lecture that will
+be used in place of the standard lecture if the named file exists.
+By default, B<sudo> uses a built-in lecture.
+
+=item listpw
+
+This option controls when a password will be required when a
+user runs B<sudo> with the B<-l> option.  It has the following possible values:
+
+=over 8
+
+=item all
+
+All the user's I<sudoers> entries for the current host must have
+the C<NOPASSWD> flag set to avoid entering a password.
+
+=item always
+
+The user must always enter a password to use the B<-l> option.
+
+=item any
+
+At least one of the user's I<sudoers> entries for the current host
+must have the C<NOPASSWD> flag set to avoid entering a password.
+
+=item never
+
+The user need never enter a password to use the B<-l> option.
+
+=back
+
+If no value is specified, a value of I<any> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<any>.
+
+=item logfile
+
+Path to the B<sudo> log file (not the syslog log file).  Setting a path
+turns on logging to a file; negating this option turns it off.
+By default, B<sudo> logs via syslog.
+
+=item mailerflags
+
+Flags to use when invoking mailer. Defaults to B<-t>.
+
+=item mailerpath
+
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
+
+=item mailfrom
+
+Address to use for the "from" address when sending warning and error
+mail.  The address should be enclosed in double quotes (C<">) to
+protect against B<sudo> interpreting the C<@> sign.  Defaults to
+the name of the user running B<sudo>.
+
+=item mailto
+
+Address to send warning and error mail to.  The address should
+be enclosed in double quotes (C<">) to protect against B<sudo>
+interpreting the C<@> sign.  Defaults to C<@mailto@>.
+
+=item secure_path
+
+Path used for every command run from B<sudo>.  If you don't trust the
+people running B<sudo> to have a sane C<PATH> environment variable you may
+want to use this.  Another use is if you want to have the "root path"
+be separate from the "user path."  Users in the group specified by the
+I<exempt_group> option are not affected by I<secure_path>.
+This option is @secure_path@ by default.
+
+=item syslog
+
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging).  Defaults to C<@logfac@>.
+
+The following syslog facilities are supported: B<authpriv> (if your
+OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
+B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
+
+=item verifypw
+
+This option controls when a password will be required when a user runs
+B<sudo> with the B<-v> option.  It has the following possible values:
+
+=over 8
+
+=item all
+
+All the user's I<sudoers> entries for the current host must have
+the C<NOPASSWD> flag set to avoid entering a password.
+
+=item always
+
+The user must always enter a password to use the B<-v> option.
+
+=item any
+
+At least one of the user's I<sudoers> entries for the current host
+must have the C<NOPASSWD> flag set to avoid entering a password.
+
+=item never
+
+The user need never enter a password to use the B<-v> option.
+
+=back
+
+If no value is specified, a value of I<all> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<all>.
+
+=back
+
+B<Lists that can be used in a boolean context>:
+
+=over 16
+
+=item env_check
+
+Environment variables to be removed from the user's environment if
+the variable's value contains C<%> or C</> characters.  This can
+be used to guard against printf-style format vulnerabilities in
+poorly-written programs.  The argument may be a double-quoted,
+space-separated list or a single value without double-quotes.  The
+list can be replaced, added to, deleted from, or disabled by using
+the C<=>, C<+=>, C<-=>, and C<!> operators respectively.  Regardless
+of whether the C<env_reset> option is enabled or disabled, variables
+specified by C<env_check> will be preserved in the environment if
+they pass the aforementioned check.  The default list of environment
+variables to check is displayed when B<sudo> is run by root with
+the I<-V> option.
+
+=item env_delete
+
+Environment variables to be removed from the user's environment
+when the I<env_reset> option is not in effect.  The argument may
+be a double-quoted, space-separated list or a single value without
+double-quotes.  The list can be replaced, added to, deleted from,
+or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
+respectively.  The default list of environment variables to remove
+is displayed when B<sudo> is run by root with the I<-V> option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+B<sudo>).
+
+=item env_keep
+
+Environment variables to be preserved in the user's environment
+when the I<env_reset> option is in effect.  This allows fine-grained
+control over the environment B<sudo>-spawned processes will receive.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.  The list can be replaced, added
+to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
+C<!> operators respectively.  The default list of variables to keep
+is displayed when B<sudo> is run by root with the I<-V> option.
+
+=back
+
+=head1 FILES
+
+=over 24
+
+=item F<@sysconfdir@/sudoers>
+
+List of who can run what
+
+=item F</etc/group>
+
+Local groups file
+
+=item F</etc/netgroup>
+
+List of network groups
+
+=item F<@iolog_dir@>
+
+I/O log files
+
+=back
+
+=head1 EXAMPLES
+
+Below are example I<sudoers> entries.  Admittedly, some of
+these are a bit contrived.  First, we allow a few environment
+variables to pass and then define our I<aliases>:
+
+ # Run X applications through sudo; HOME is used to find the
+ # .Xauthority file.  Note that other programs use HOME to find
+ # configuration files and this may lead to privilege escalation!
+ Defaults env_keep += "DISPLAY HOME"
+
+ # User alias specification
+ User_Alias	FULLTIMERS = millert, mikef, dowdy
+ User_Alias	PARTTIMERS = bostley, jwfox, crawl
+ User_Alias	WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias	OP = root, operator
+ Runas_Alias	DB = oracle, sybase
+ Runas_Alias	ADMINGRP = adm, oper
+
+ # Host alias specification
+ Host_Alias	SPARC = bigtime, eclipse, moet, anchor :\
+		SGI = grolsch, dandelion, black :\
+		ALPHA = widget, thalamus, foobar :\
+		HPPA = boa, nag, python
+ Host_Alias	CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias	CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias	SERVERS = master, mail, www, ns
+ Host_Alias	CDROM = orion, perseus, hercules
+
+ # Cmnd alias specification
+ Cmnd_Alias	DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+			/usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias	KILL = /usr/bin/kill
+ Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias	HALT = /usr/sbin/halt
+ Cmnd_Alias	REBOOT = /usr/sbin/reboot
+ Cmnd_Alias	SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+			 /usr/local/bin/tcsh, /usr/bin/rsh, \
+			 /usr/local/bin/zsh
+ Cmnd_Alias	SU = /usr/bin/su
+ Cmnd_Alias	PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+
+Here we override some of the compiled in default values.  We want
+B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
+cases.  We don't want to subject the full time staff to the B<sudo>
+lecture, user B<millert> need not give a password, and we don't
+want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
+variables when running commands as root.  Additionally, on the
+machines in the I<SERVERS> C<Host_Alias>, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years.  Lastly, we
+disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
+(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
+
+ # Override built-in defaults
+ Defaults		syslog=auth
+ Defaults>root		!set_logname
+ Defaults:FULLTIMERS	!lecture
+ Defaults:millert	!authenticate
+ Defaults at SERVERS	log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS	noexec
+
+The I<User specification> is the part that actually determines who may
+run what.
+
+ root		ALL = (ALL) ALL
+ %wheel		ALL = (ALL) ALL
+
+We let B<root> and any user in group B<wheel> run any command on any
+host as any user.
+
+ FULLTIMERS	ALL = NOPASSWD: ALL
+
+Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
+command on any host without authenticating themselves.
+
+ PARTTIMERS	ALL = ALL
+
+Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
+command on any host but they must authenticate themselves first
+(since the entry lacks the C<NOPASSWD> tag).
+
+ jack		CSNETS = ALL
+
+The user B<jack> may run any command on the machines in the I<CSNETS> alias
+(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
+Of those networks, only C<128.138.204.0> has an explicit netmask (in
+CIDR notation) indicating it is a class C network.  For the other
+networks in I<CSNETS>, the local machine's netmask will be used
+during matching.
+
+ lisa		CUNETS = ALL
+
+The user B<lisa> may run any command on any host in the I<CUNETS> alias
+(the class B network C<128.138.0.0>).
+
+ operator	ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+		sudoedit /etc/printcap, /usr/oper/bin/
+
+The B<operator> user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory F</usr/oper/bin/>.
+
+ joe		ALL = /usr/bin/su operator
+
+The user B<joe> may only L<su(1)> to operator.
+
+ pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+ %opers		ALL = (: ADMINGRP) /usr/sbin/
+
+Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
+with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
+groups).
+
+The user B<pete> is allowed to change anyone's password except for
+root on the I<HPPA> machines.  Note that this assumes L<passwd(1)>
+does not take multiple user names on the command line.
+
+ bob		SPARC = (OP) ALL : SGI = (OP) ALL
+
+The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
+as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
+
+ jim		+biglab = ALL
+
+The user B<jim> may run any command on machines in the I<biglab> netgroup.
+B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
+
+ +secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+
+Users in the B<secretaries> netgroup need to help manage the printers
+as well as add and remove users, so they are allowed to run those
+commands on all machines.
+
+ fred		ALL = (DB) NOPASSWD: ALL
+
+The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
+(B<oracle> or B<sybase>) without giving a password.
+
+ john		ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
+On the I<ALPHA> machines, user B<john> may su to anyone except root
+but he is not allowed to specify any options to the L<su(1)> command.
+
+ jen		ALL, !SERVERS = ALL
+
+The user B<jen> may run any command on any machine except for those
+in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
+
+ jill		SERVERS = /usr/bin/, !SU, !SHELLS
+
+For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
+any commands in the directory F</usr/bin/> except for those commands
+belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
+
+ steve		CSNETS = (operator) /usr/local/op_commands/
+
+The user B<steve> may run any command in the directory /usr/local/op_commands/
+but only as user operator.
+
+ matt		valkyrie = KILL
+
+On his personal workstation, valkyrie, B<matt> needs to be able to
+kill hung processes.
+
+ WEBMASTERS	www = (www) ALL, (root) /usr/bin/su www
+
+On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
+wendy, and wim), may run any command as user www (which owns the
+web pages) or simply L<su(1)> to www.
+
+ ALL		CDROM = NOPASSWD: /sbin/umount /CDROM,\
+		/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+C<Host_Alias> (orion, perseus, hercules) without entering a password.
+This is a bit tedious for users to type, so it is a prime candidate
+for encapsulating in a shell script.
+
+=head1 SECURITY NOTES
+
+It is generally not effective to "subtract" commands from C<ALL>
+using the '!' operator.  A user can trivially circumvent this
+by copying the desired command to a different name and then
+executing that.  For example:
+
+    bill	ALL = ALL, !SU, !SHELLS
+
+Doesn't really prevent B<bill> from running the commands listed in
+I<SU> or I<SHELLS> since he can simply copy those commands to a
+different name, or use a shell escape from an editor or other
+program.  Therefore, these kind of restrictions should be considered
+advisory at best (and reinforced by policy).
+
+Furthermore, if the I<fast_glob> option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters.  This is because the C library's
+L<fnmatch(3)> function cannot resolve relative paths.  While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+
+For example, given the following I<sudoers> entry:
+
+ john	ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+      /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
+enabled by changing to F</usr/bin> and running C<./passwd root> instead.
+
+=head1 PREVENTING SHELL ESCAPES
+
+Once B<sudo> executes a program, that program is free to do whatever
+it pleases, including run other programs.  This can be a security
+issue since it is not uncommon for a program to allow shell escapes,
+which lets a user bypass B<sudo>'s access control and logging.
+Common programs that permit shell escapes include shells (obviously),
+editors, paginators, mail and terminal programs.
+
+There are two basic approaches to this problem:
+
+=over 10
+
+=item restrict
+
+Avoid giving users access to commands that allow the user to run
+arbitrary commands.  Many editors have a restricted mode where shell
+escapes are disabled, though B<sudoedit> is a better solution to
+running editors via B<sudo>.  Due to the large number of programs that
+offer shell escapes, restricting users to the set of programs that
+do not is often unworkable.
+
+=item noexec
+
+Many systems that support shared libraries have the ability to
+override default library functions by pointing an environment
+variable (usually C<LD_PRELOAD>) to an alternate shared library.
+On such systems, B<sudo>'s I<noexec> functionality can be used to
+prevent a program run by B<sudo> from executing any other programs.
+Note, however, that this applies only to native dynamically-linked
+executables.  Statically-linked executables and foreign executables
+running under binary emulation are not affected.
+
+To tell whether or not B<sudo> supports I<noexec>, you can run
+the following as root:
+
+    sudo -V | grep "dummy exec"
+
+If the resulting output contains a line that begins with:
+
+    File containing dummy exec functions:
+
+then B<sudo> may be able to replace the exec family of functions
+in the standard library with its own that simply return an error.
+Unfortunately, there is no foolproof way to know whether or not
+I<noexec> will work at compile-time.  I<noexec> should work on
+SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
+11.x.  It is known B<not> to work on AIX and UnixWare.  I<noexec>
+is expected to work on most operating systems that support the
+C<LD_PRELOAD> environment variable.  Check your operating system's
+manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
+dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
+
+To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
+in the User Specification section above.  Here is that example again:
+
+ aaron	shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
+with I<noexec> enabled.  This will prevent those two commands from
+executing other commands (such as a shell).  If you are unsure
+whether or not your system is capable of supporting I<noexec> you
+can always just try it out and see if it works.
+
+=back
+
+Note that restricting shell escapes is not a panacea.  Programs
+running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead
+to unintended privilege escalation.  In the specific case of an
+editor, a safer approach is to give the user permission to run
+B<sudoedit>.
+
+=head1 SEE ALSO
+
+L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)>
+
+=head1 CAVEATS
+
+The I<sudoers> file should B<always> be edited by the B<visudo>
+command which locks the file and does grammatical checking. It is
+imperative that I<sudoers> be free of syntax errors since B<sudo>
+will not run with a syntactically incorrect I<sudoers> file.
+
+When using netgroups of machines (as opposed to users), if you
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
+as returned by the C<hostname> command or use the I<fqdn> option in
+I<sudoers>.
+
+=head1 BUGS
+
+If you feel you have found a bug in B<sudo>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/sudoreplay.cat
===================================================================
--- trunk/contrib/sudo/sudoreplay.cat	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudoreplay.cat	2014-10-02 03:32:57 UTC (rev 6804)
@@ -61,7 +61,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       1
+1.7.6                     April  9, 2011                        1
 
 
 
@@ -127,7 +127,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       2
+1.7.6                     April  9, 2011                        2
 
 
 
@@ -193,7 +193,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       3
+1.7.6                     April  9, 2011                        3
 
 
 
@@ -259,7 +259,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       4
+1.7.6                     April  9, 2011                        4
 
 
 
@@ -325,6 +325,6 @@
 
 
 
-1.7.5rc1                February 21, 2011                       5
+1.7.6                     April  9, 2011                        5
 
 

Added: trunk/contrib/sudo/sudoreplay.man
===================================================================
--- trunk/contrib/sudo/sudoreplay.man	                        (rev 0)
+++ trunk/contrib/sudo/sudoreplay.man	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,408 @@
+.\" Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller at courtesan.com>
+.\" 
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" 
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` 
+.    ds C' 
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "SUDOREPLAY 8"
+.TH SUDOREPLAY 8 "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+sudoreplay \- replay sudo session logs
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] [\fB\-f\fR \fIfilter\fR] [\fB\-m\fR \fImax_wait\fR] [\fB\-s\fR \fIspeed_factor\fR] \s-1ID\s0
+.PP
+\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR \fIdirectory\fR] \-l [search expression]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBsudoreplay\fR plays back or lists the session logs created by
+\&\fBsudo\fR.  When replaying, \fBsudoreplay\fR can play the session back
+in real-time, or the playback speed may be adjusted (faster or
+slower) based on the command line options.  The \fI\s-1ID\s0\fR should be
+a six character sequence of digits and upper case letters, e.g.
+0100A5, which is logged by \fBsudo\fR when a command is run with
+session logging enabled.
+.PP
+In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session
+based on a number of criteria such as the user, tty or command run.
+.PP
+In replay mode, if the standard output has not been redirected,
+\&\fBsudoreplay\fR will act on the following keys:
+.IP "' ' (space)" 8
+.IX Item "' ' (space)"
+Pause output; press any key to resume.
+.IP "'<'" 8
+Reduce the playback speed by one half.
+.IP "'>'" 8
+Double the playback speed.
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+\&\fBsudoreplay\fR accepts the following command line options:
+.IP "\-d \fIdirectory\fR" 12
+.IX Item "-d directory"
+Use \fIdirectory\fR to for the session logs instead of the default,
+\&\fI/var/log/sudo\-io\fR.
+.IP "\-f \fIfilter\fR" 12
+.IX Item "-f filter"
+By default, \fBsudoreplay\fR will play back the command's standard
+output, standard error and tty output.  The \fI\-f\fR option can be
+used to select which of these to output.  The \fIfilter\fR argument
+is a comma-separated list, consisting of one or more of following:
+\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR.
+.IP "\-h" 12
+.IX Item "-h"
+The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short
+help message to the standard output and exit.
+.IP "\-l [\fIsearch expression\fR]" 12
+.IX Item "-l [search expression]"
+Enable \*(L"list mode\*(R".  In this mode, \fBsudoreplay\fR will list available
+session IDs.  If a \fIsearch expression\fR is specified, it will be
+used to restrict the IDs that are displayed.  An expression is
+composed of the following predicates:
+.RS 12
+.IP "command \fIcommand pattern\fR" 8
+.IX Item "command command pattern"
+Evaluates to true if the command run matches \fIcommand pattern\fR.
+On systems with \s-1POSIX\s0 regular expression support, the pattern may
+be an extended regular expression.  On systems without \s-1POSIX\s0 regular
+expression support, a simple substring match is performed instead.
+.IP "cwd \fIdirectory\fR" 8
+.IX Item "cwd directory"
+Evaluates to true if the command was run with the specified current
+working directory.
+.IP "fromdate \fIdate\fR" 8
+.IX Item "fromdate date"
+Evaluates to true if the command was run on or after \fIdate\fR.
+See \*(L"Date and time format\*(R" for a description of supported
+date and time formats.
+.IP "group \fIrunas_group\fR" 8
+.IX Item "group runas_group"
+Evaluates to true if the command was run with the specified
+\&\fIrunas_group\fR.  Note that unless a \fIrunas_group\fR was explicitly
+specified when \fBsudo\fR was run this field will be empty in the log.
+.IP "runas \fIrunas_user\fR" 8
+.IX Item "runas runas_user"
+Evaluates to true if the command was run as the specified \fIrunas_user\fR.
+Note that \fBsudo\fR runs commands as user \fIroot\fR by default.
+.IP "todate \fIdate\fR" 8
+.IX Item "todate date"
+Evaluates to true if the command was run on or prior to \fIdate\fR.
+See \*(L"Date and time format\*(R" for a description of supported
+date and time formats.
+.IP "tty \fItty\fR" 8
+.IX Item "tty tty"
+Evaluates to true if the command was run on the specified terminal
+device.  The \fItty\fR should be specified without the \fI/dev/\fR prefix,
+e.g.  \fItty01\fR instead of \fI/dev/tty01\fR.
+.IP "user \fIuser name\fR" 8
+.IX Item "user user name"
+Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
+.RE
+.RS 12
+.Sp
+Predicates may be abbreviated to the shortest unique string (currently
+all predicates may be shortened to a single character).
+.Sp
+Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators
+as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses
+must generally be escaped from the shell).  The \fIand\fR operator is
+optional, adjacent predicates have an implied \fIand\fR unless separated
+by an \fIor\fR.
+.RE
+.IP "\-m \fImax_wait\fR" 12
+.IX Item "-m max_wait"
+Specify an upper bound on how long to wait between key presses or
+output data.  By default, \fBsudo_replay\fR will accurately reproduce
+the delays between key presses or program output.  However, this
+can be tedious when the session includes long pauses.  When the
+\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses
+to at most \fImax_wait\fR seconds.  The value may be specified as a
+floating point number, .e.g. \fI2.5\fR.
+.IP "\-s \fIspeed_factor\fR" 12
+.IX Item "-s speed_factor"
+This option causes \fBsudoreplay\fR to adjust the number of seconds
+it will wait between key presses or program output.  This can be
+used to slow down or speed up the display.  For example, a
+\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas
+a \fIspeed_factor\fR of <.5> would make the output twice as slow.
+.IP "\-V" 12
+.IX Item "-V"
+The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number
+and exit.
+.SS "Date and time format"
+.IX Subsection "Date and time format"
+The time and date may be specified multiple ways, common formats include:
+.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8
+.IX Item "HH:MM:SS am MM/DD/CCYY timezone"
+24 hour time may be used in place of am/pm.
+.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8
+.IX Item "HH:MM:SS am Month, Day Year timezone"
+24 hour time may be used in place of am/pm, and month and day names
+may be abbreviated.  Note that month and day of the week names must
+be specified in English.
+.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8
+.IX Item "CCYY-MM-DD HH:MM:SS"
+\&\s-1ISO\s0 time format
+.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8
+.IX Item "DD Month CCYY HH:MM:SS"
+The month name may be abbreviated.
+.PP
+Either time or date may be omitted, the am/pm and timezone are
+optional.  If no date is specified, the current day is assumed; if
+no time is specified, the first second of the specified date is
+used.  The less significant parts of both time and date may also
+be omitted, in which case zero is assumed.  For example, the following
+are all valid:
+.PP
+The following are all valid time and date specifications:
+.IP "now" 8
+.IX Item "now"
+The current time and date.
+.IP "tomorrow" 8
+.IX Item "tomorrow"
+Exactly one day from now.
+.IP "yesterday" 8
+.IX Item "yesterday"
+24 hours ago.
+.IP "2 hours ago" 8
+.IX Item "2 hours ago"
+2 hours ago.
+.IP "next Friday" 8
+.IX Item "next Friday"
+The first second of the next Friday.
+.IP "this week" 8
+.IX Item "this week"
+The current time but the first day of the coming week.
+.IP "a fortnight ago" 8
+.IX Item "a fortnight ago"
+The current time but 14 days ago.
+.IP "10:01 am 9/17/2009" 8
+.IX Item "10:01 am 9/17/2009"
+10:01 am, September 17, 2009.
+.IP "10:01 am" 8
+.IX Item "10:01 am"
+10:01 am on the current day.
+.IP "10" 8
+.IX Item "10"
+10:00 am on the current day.
+.IP "9/17/2009" 8
+.IX Item "9/17/2009"
+00:00 am, September 17, 2009.
+.IP "10:01 am Sep 17, 2009" 8
+.IX Item "10:01 am Sep 17, 2009"
+10:01 am, September 17, 2009.
+.SH "FILES"
+.IX Header "FILES"
+.IP "\fI/var/log/sudo\-io\fR" 24
+.IX Item "/var/log/sudo-io"
+The default I/O log directory.
+.IP "\fI/var/log/sudo\-io/00/00/01/log\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/log"
+Example session log info.
+.IP "\fI/var/log/sudo\-io/00/00/01/stdin\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/stdin"
+Example session standard input log.
+.IP "\fI/var/log/sudo\-io/00/00/01/stdout\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/stdout"
+Example session standard output log.
+.IP "\fI/var/log/sudo\-io/00/00/01/stderr\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/stderr"
+Example session standard error log.
+.IP "\fI/var/log/sudo\-io/00/00/01/ttyin\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/ttyin"
+Example session tty input file.
+.IP "\fI/var/log/sudo\-io/00/00/01/ttyout\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/ttyout"
+Example session tty output file.
+.IP "\fI/var/log/sudo\-io/00/00/01/timing\fR" 24
+.IX Item "/var/log/sudo-io/00/00/01/timing"
+Example session timing file.
+.PP
+Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty
+unless \fBsudo\fR was used as part of a pipeline for a particular
+command.
+.SH "EXAMPLES"
+.IX Header "EXAMPLES"
+List sessions run by user \fImillert\fR:
+.PP
+.Vb 1
+\& sudoreplay \-l user millert
+.Ve
+.PP
+List sessions run by user \fIbob\fR with a command containing the string vi:
+.PP
+.Vb 1
+\& sudoreplay \-l user bob command vi
+.Ve
+.PP
+List sessions run by user \fIjeff\fR that match a regular expression:
+.PP
+.Vb 1
+\& sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
+.Ve
+.PP
+List sessions run by jeff or bob on the console:
+.PP
+.Vb 1
+\& sudoreplay \-l ( user jeff or user bob ) tty console
+.Ve
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIsudo\fR\|(8), \fIscript\fR\|(1)
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Todd C. Miller
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/sudoreplay.man.in
===================================================================
--- trunk/contrib/sudo/sudoreplay.man.in	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/sudoreplay.man.in	2014-10-02 03:32:57 UTC (rev 6804)
@@ -139,7 +139,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Added: trunk/contrib/sudo/sudoreplay.pod
===================================================================
--- trunk/contrib/sudo/sudoreplay.pod	                        (rev 0)
+++ trunk/contrib/sudo/sudoreplay.pod	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,346 @@
+Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller at courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+=pod
+
+=head1 NAME
+
+sudoreplay - replay sudo session logs
+
+=head1 SYNOPSIS
+
+B<sudoreplay> [B<-h>] [B<-d> I<directory>] [B<-f> I<filter>] [B<-m> I<max_wait>] [B<-s> I<speed_factor>] ID
+
+B<sudoreplay> [B<-h>] [B<-d> I<directory>] -l [search expression]
+
+=head1 DESCRIPTION
+
+B<sudoreplay> plays back or lists the session logs created by
+B<sudo>.  When replaying, B<sudoreplay> can play the session back
+in real-time, or the playback speed may be adjusted (faster or
+slower) based on the command line options.  The I<ID> should be
+a six character sequence of digits and upper case letters, e.g.
+0100A5, which is logged by B<sudo> when a command is run with
+session logging enabled.
+
+In list mode, B<sudoreplay> can be used to find the ID of a session
+based on a number of criteria such as the user, tty or command run.
+
+In replay mode, if the standard output has not been redirected,
+B<sudoreplay> will act on the following keys:
+
+=over 8
+
+=item ' ' (space)
+
+Pause output; press any key to resume.
+
+=item '<'
+
+Reduce the playback speed by one half.
+
+=item '>'
+
+Double the playback speed.
+
+=back
+
+=head1 OPTIONS
+
+B<sudoreplay> accepts the following command line options:
+
+=over 12
+
+=item -d I<directory>
+
+Use I<directory> to for the session logs instead of the default,
+F</var/log/sudo-io>.
+
+=item -f I<filter>
+
+By default, B<sudoreplay> will play back the command's standard
+output, standard error and tty output.  The I<-f> option can be
+used to select which of these to output.  The I<filter> argument
+is a comma-separated list, consisting of one or more of following:
+I<stdout>, I<stderr>, and I<ttyout>.
+
+=item -h
+
+The B<-h> (I<help>) option causes B<sudoreplay> to print a short
+help message to the standard output and exit.
+
+=item -l [I<search expression>]
+
+Enable "list mode".  In this mode, B<sudoreplay> will list available
+session IDs.  If a I<search expression> is specified, it will be
+used to restrict the IDs that are displayed.  An expression is
+composed of the following predicates:
+
+=over 8
+
+=item command I<command pattern>
+
+Evaluates to true if the command run matches I<command pattern>.
+On systems with POSIX regular expression support, the pattern may
+be an extended regular expression.  On systems without POSIX regular
+expression support, a simple substring match is performed instead.
+
+=item cwd I<directory>
+
+Evaluates to true if the command was run with the specified current
+working directory.
+
+=item fromdate I<date>
+
+Evaluates to true if the command was run on or after I<date>.
+See L<"Date and time format"> for a description of supported
+date and time formats.
+
+=item group I<runas_group>
+
+Evaluates to true if the command was run with the specified
+I<runas_group>.  Note that unless a I<runas_group> was explicitly
+specified when B<sudo> was run this field will be empty in the log.
+
+=item runas I<runas_user>
+
+Evaluates to true if the command was run as the specified I<runas_user>.
+Note that B<sudo> runs commands as user I<root> by default.
+
+=item todate I<date>
+
+Evaluates to true if the command was run on or prior to I<date>.
+See L<"Date and time format"> for a description of supported
+date and time formats.
+
+=item tty I<tty>
+
+Evaluates to true if the command was run on the specified terminal
+device.  The I<tty> should be specified without the F</dev/> prefix,
+e.g.  F<tty01> instead of F</dev/tty01>.
+
+=item user I<user name>
+
+Evaluates to true if the ID matches a command run by I<user name>.
+
+=back
+
+Predicates may be abbreviated to the shortest unique string (currently
+all predicates may be shortened to a single character).
+
+Predicates may be combined using I<and>, I<or> and I<!> operators
+as well as C<'('> and C<')'> for grouping (note that parentheses
+must generally be escaped from the shell).  The I<and> operator is
+optional, adjacent predicates have an implied I<and> unless separated
+by an I<or>.
+
+=item -m I<max_wait>
+
+Specify an upper bound on how long to wait between key presses or
+output data.  By default, B<sudo_replay> will accurately reproduce
+the delays between key presses or program output.  However, this
+can be tedious when the session includes long pauses.  When the
+I<-m> option is specified, B<sudoreplay> will limit these pauses
+to at most I<max_wait> seconds.  The value may be specified as a
+floating point number, .e.g. I<2.5>.
+
+=item -s I<speed_factor>
+
+This option causes B<sudoreplay> to adjust the number of seconds
+it will wait between key presses or program output.  This can be
+used to slow down or speed up the display.  For example, a
+I<speed_factor> of I<2> would make the output twice as fast whereas
+a I<speed_factor> of <.5> would make the output twice as slow.
+
+=item -V
+
+The B<-V> (version) option causes B<sudoreplay> to print its version number
+and exit.
+
+=back
+
+=head2 Date and time format
+
+The time and date may be specified multiple ways, common formats include:
+
+=over 8
+
+=item HH:MM:SS am MM/DD/CCYY timezone
+
+24 hour time may be used in place of am/pm.
+
+=item HH:MM:SS am Month, Day Year timezone
+
+24 hour time may be used in place of am/pm, and month and day names
+may be abbreviated.  Note that month and day of the week names must
+be specified in English.
+
+=item CCYY-MM-DD HH:MM:SS
+
+ISO time format
+
+=item DD Month CCYY HH:MM:SS
+
+The month name may be abbreviated.
+
+=back
+
+Either time or date may be omitted, the am/pm and timezone are
+optional.  If no date is specified, the current day is assumed; if
+no time is specified, the first second of the specified date is
+used.  The less significant parts of both time and date may also
+be omitted, in which case zero is assumed.  For example, the following
+are all valid:
+
+The following are all valid time and date specifications:
+
+=over 8
+
+=item now
+
+The current time and date.
+
+=item tomorrow
+
+Exactly one day from now.
+
+=item yesterday
+
+24 hours ago.
+
+=item 2 hours ago
+
+2 hours ago.
+
+=item next Friday
+
+The first second of the next Friday.
+
+=item this week
+
+The current time but the first day of the coming week.
+
+=item a fortnight ago
+
+The current time but 14 days ago.
+
+=item 10:01 am 9/17/2009
+
+10:01 am, September 17, 2009.
+
+=item 10:01 am
+
+10:01 am on the current day.
+
+=item 10
+
+10:00 am on the current day.
+
+=item 9/17/2009
+
+00:00 am, September 17, 2009.
+
+=item 10:01 am Sep 17, 2009
+
+10:01 am, September 17, 2009.
+
+=back
+
+=head1 FILES
+
+=over 24
+
+=item F</var/log/sudo-io>
+
+The default I/O log directory.
+
+=item F</var/log/sudo-io/00/00/01/log>
+
+Example session log info.
+
+=item F</var/log/sudo-io/00/00/01/stdin>
+
+Example session standard input log.
+
+=item F</var/log/sudo-io/00/00/01/stdout>
+
+Example session standard output log.
+
+=item F</var/log/sudo-io/00/00/01/stderr>
+
+Example session standard error log.
+
+=item F</var/log/sudo-io/00/00/01/ttyin>
+
+Example session tty input file.
+
+=item F</var/log/sudo-io/00/00/01/ttyout>
+
+Example session tty output file.
+
+=item F</var/log/sudo-io/00/00/01/timing>
+
+Example session timing file.
+
+=back
+
+Note that the I<stdin>, I<stdout> and I<stderr> files will be empty
+unless B<sudo> was used as part of a pipeline for a particular
+command.
+
+=head1 EXAMPLES
+
+List sessions run by user I<millert>:
+
+ sudoreplay -l user millert
+
+List sessions run by user I<bob> with a command containing the string vi:
+
+ sudoreplay -l user bob command vi
+
+List sessions run by user I<jeff> that match a regular expression:
+
+ sudoreplay -l user jeff command '/bin/[a-z]*sh'
+
+List sessions run by jeff or bob on the console:
+
+ sudoreplay -l ( user jeff or user bob ) tty console
+
+=head1 SEE ALSO
+
+L<sudo(8)>, L<script(1)>
+
+=head1 AUTHOR
+
+Todd C. Miller
+
+=head1 BUGS
+
+If you feel you have found a bug in B<sudoreplay>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<sudoreplay> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/testsudoers.c
===================================================================
--- trunk/contrib/sudo/testsudoers.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/testsudoers.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -111,7 +111,8 @@
     struct userspec *us;
     char *p, *grfile, *pwfile, *runas_group, *runas_user;
     char hbuf[MAXHOSTNAMELEN + 1];
-    int ch, dflag, rval, matched;
+    int match, host_match, runas_match, cmnd_match;
+    int ch, dflag;
 
 #if defined(SUDO_DEVEL) && defined(__OpenBSD__)
     malloc_options = "AFGJPR";
@@ -166,8 +167,8 @@
     if (argc < 2) {
 	if (!dflag)
 	    usage();
-	if ((sudo_user.pw = sudo_getpwnam("nobody")) == NULL)
-            errorx(1, "no passwd entry for nobody!");
+	if ((sudo_user.pw = sudo_getpwnam("root")) == NULL)
+            errorx(1, "no passwd entry for root!");
 	user_cmnd = user_base = "true";
     } else {
 	if ((sudo_user.pw = sudo_getpwnam(*argv)) == NULL)
@@ -195,7 +196,7 @@
     }
 
     /* Fill in user_args from NewArgv. */
-    if (NewArgc > 1) {
+    if (NewArgc > 0) {
 	char *to, **from;
 	size_t size, n;
 
@@ -222,10 +223,12 @@
     /* Allocate space for data structures in the parser. */
     init_parser("sudoers", 0);
 
-    if (yyparse() != 0 || parse_error)
+    if (yyparse() != 0 || parse_error) {
+	parse_error = TRUE;
 	(void) fputs("Does not parse", stdout);
-    else
+    } else {
 	(void) fputs("Parses OK", stdout);
+    }
 
     if (!update_defaults(SETDEF_ALL))
 	(void) fputs(" (problem with defaults entries)", stdout);
@@ -247,12 +250,12 @@
 	(void) putchar('\n');
 	dump_sudoers();
 	if (argc < 2)
-	    exit(0);
+	    exit(parse_error ? 1 : 0);
     }
 
-    /* This loop must match the one in sudoers_lookup() */
+    /* This loop must match the one in sudo_file_lookup() */
     printf("\nEntries for user %s:\n", user_name);
-    matched = UNSPEC;
+    match = UNSPEC;
     tq_foreach_rev(&userspecs, us) {
 	if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
 	    continue;
@@ -260,17 +263,19 @@
 	    putchar('\n');
 	    print_privilege(priv); /* XXX */
 	    putchar('\n');
-	    if (hostlist_matches(&priv->hostlist) == ALLOW) {
+	    host_match = hostlist_matches(&priv->hostlist);
+	    if (host_match == ALLOW) {
 		puts("\thost  matched");
 		tq_foreach_rev(&priv->cmndlist, cs) {
-		    if (runaslist_matches(&cs->runasuserlist,
-			&cs->runasgrouplist) == ALLOW) {
+		    runas_match = runaslist_matches(&cs->runasuserlist,
+			&cs->runasgrouplist);
+		    if (runas_match == ALLOW) {
 			puts("\trunas matched");
-			rval = cmnd_matches(cs->cmnd);
-			if (rval != UNSPEC)
-			    matched = rval;
-			printf("\tcmnd  %s\n", rval == ALLOW ? "allowed" :
-			    rval == DENY ? "denied" : "unmatched");
+			cmnd_match = cmnd_matches(cs->cmnd);
+			if (cmnd_match != UNSPEC)
+			    match = cmnd_match;
+			printf("\tcmnd  %s\n", match == ALLOW ? "allowed" :
+			    match == DENY ? "denied" : "unmatched");
 		    }
 		}
 	    } else
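Review bot: The per-command status line at the end of this hunk now prints `match`, the running verdict, instead of the result of the command just tested (`cmnd_match`), so once an earlier entry has matched, an entry whose command does not match is reported as "allowed" or "denied" rather than "unmatched". If the line is meant to describe the entry being printed it should read `printf("\tcmnd  %s\n", cmnd_match == ALLOW ? "allowed" : cmnd_match == DENY ? "denied" : "unmatched");`; if it is meant to mirror the last-match-wins result of sudo_file_lookup, a one-line comment such as `/* running verdict, not this entry's result */` would keep the next reader from reverting it. The enclosing main() starts and ends outside this hunk.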
@@ -277,10 +282,19 @@
 		puts("\thost  unmatched");
 	}
     }
-    printf("\nCommand %s\n", matched == ALLOW ? "allowed" :
-	matched == DENY ? "denied" : "unmatched");
+    printf("\nCommand %s\n", match == ALLOW ? "allowed" :
+	match == DENY ? "denied" : "unmatched");
 
-    exit(0);
+    /*
+     * Exit codes:
+     *	0 - parsed OK and command matched.
+     *	1 - parse error
+     *	2 - command not matched
+     *	3 - command denied
+     */
+    if (parse_error)
+	exit(1);
+    exit(match == ALLOW ? 0 : match + 3);
 }
 
 void
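Review bot: The exit status computed on the last line of the function, `exit(match == ALLOW ? 0 : match + 3);`, only produces the 2 and 3 documented in the comment above it if UNSPEC and DENY happen to be -1 and 0 (presumably the case, but it is not visible here), and any other value of match, or a later change to those constants, silently yields an undocumented status. An explicit mapping does not depend on the constants' representation: `exit(match == ALLOW ? 0 : match == DENY ? 3 : 2);`. The function's start is outside this hunk.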
@@ -449,8 +463,11 @@
 	    c = (struct sudo_command *) m->name;
 	    printf("%s%s%s", c->cmnd, c->args ? " " : "",
 		c->args ? c->args : "");
-	} else
+	} else if (m->type == ALL) {
+	    fputs("ALL", stdout);
+	} else {
 	    fputs(m->name, stdout);
+	}
     }
     putchar('\n');
     return 0;
@@ -478,14 +495,27 @@
 	tq_foreach_fwd(&p->cmndlist, cs) {
 	    if (cs != tq_first(&p->cmndlist))
 		fputs(", ", stdout);
-	    /* XXX - runasgrouplist too */
-	    if (!tq_empty(&cs->runasuserlist)) {
+	    if (!tq_empty(&cs->runasuserlist) || !tq_empty(&cs->runasgrouplist)) {
 		fputs("(", stdout);
-		tq_foreach_fwd(&cs->runasuserlist, m) {
-		    if (m != tq_first(&cs->runasuserlist))
-			fputs(", ", stdout);
-		    print_member(m);
+		if (!tq_empty(&cs->runasuserlist)) {
+		    tq_foreach_fwd(&cs->runasuserlist, m) {
+			if (m != tq_first(&cs->runasuserlist))
+			    fputs(", ", stdout);
+			print_member(m);
+		    }  
+		} else if (tq_empty(&cs->runasgrouplist)) {
+		    fputs(def_runas_default, stdout);
+		} else {
+		    fputs(sudo_user.pw->pw_name, stdout);
 		}
+		if (!tq_empty(&cs->runasgrouplist)) {
+		    fputs(" : ", stdout);
+		    tq_foreach_fwd(&cs->runasgrouplist, m) {
+			if (m != tq_first(&cs->runasgrouplist))
+			    fputs(", ", stdout);
+			print_member(m);
+		    }
+		}
 		fputs(") ", stdout);
 	    }
 #ifdef HAVE_SELINUX
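Review bot: The `else if (tq_empty(&cs->runasgrouplist))` branch that prints `def_runas_default` is unreachable: it is evaluated only when runasuserlist is empty, and the enclosing `if` on the first added line of the hunk requires that at least one of the two lists is non-empty, so the group list cannot be empty at that point. Either drop the dead branch or, if the intent is to show the default runas user for entries with no runas specification at all, move that output to an `else` of the outer `if`. There is also trailing whitespace after the closing brace of the user-list loop (`}  `). The enclosing function starts and ends outside this hunk.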

Modified: trunk/contrib/sudo/toke.c
===================================================================
--- trunk/contrib/sudo/toke.c	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/toke.c	2014-10-02 03:32:57 UTC (rev 6804)
@@ -289,74 +289,77 @@
 	*yy_cp = '\0'; \
 	yy_c_buf_p = yy_cp;
 
-#define YY_NUM_RULES 54
-#define YY_END_OF_BUFFER 55
-static yyconst short int yy_accept[588] =
+#define YY_NUM_RULES 59
+#define YY_END_OF_BUFFER 60
+static yyconst short int yy_accept[607] =
     {   0,
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-        0,    0,   55,   42,   50,   49,   48,   53,   53,   42,
-       43,   44,   42,   45,   42,   42,   42,   42,   47,   46,
-       37,   37,   37,   37,   37,   37,   37,   53,   42,   42,
-       50,   41,   53,   37,   37,   37,   37,   37,    1,   53,
-       42,   42,   16,   15,   16,   15,   15,   53,   53,   53,
-        2,    8,    7,    8,    3,    8,    4,   53,   12,   12,
-       12,   10,   11,   42,    0,   50,   48,    0,   52,    0,
-       42,   32,    0,    0,   31,    0,   40,   40,    0,   42,
-       42,    0,   42,   42,   42,   42,    0,   35,   37,   37,
+        0,    0,   60,   47,   55,   54,   53,   46,   58,   32,
+       48,   49,   32,   50,   47,   47,   47,   47,   52,   51,
+       58,   42,   42,   42,   42,   42,   42,   42,   42,   42,
+       42,   58,   47,   47,   55,   58,   42,   42,   42,   42,
+       42,    2,   58,    1,   47,   47,   17,   16,   17,   16,
+       16,   58,   58,   58,    3,    9,    8,    9,    4,    9,
+        5,   58,   13,   13,   13,   11,   12,   47,    0,   55,
+       53,    0,   57,    0,   47,   34,    0,   32,    0,   33,
+        0,   45,   45,    0,   47,   47,    0,   47,   47,   47,
 
-       37,   37,   37,   37,   37,   42,   51,   42,   50,    0,
-        0,    0,    0,    0,    0,   42,   42,   42,   42,   42,
-        1,    0,   38,   38,    0,   42,   16,   16,   14,   13,
-       14,    0,    0,    2,    8,    0,    5,    6,    8,    8,
-       12,    0,   12,   12,    0,    9,    0,    0,   32,    0,
-        0,   42,   42,   42,   42,   42,    0,    0,   35,   35,
+       47,    0,   37,   42,   42,   42,   42,   42,   42,   42,
+       42,   42,   42,   47,   56,   47,   55,    0,    0,    0,
+        0,    0,    0,   47,   47,   47,   47,   47,    2,    1,
+        0,    1,   43,   43,    0,   47,   17,   17,   15,   14,
+       15,    0,    0,    3,    9,    0,    6,    7,    9,    9,
+       13,    0,   13,   13,    0,   10,    0,    0,    0,   34,
+       34,    0,    0,   47,   47,   47,   47,   47,    0,    0,
+       37,   37,   42,   39,   42,   42,   42,   42,   42,   42,
+       42,   42,   42,   42,   47,    0,    0,    0,    0,    0,
+        0,   47,   47,   47,   47,   47,    0,   47,   10,    0,
+
+       47,   47,   47,   47,   47,   47,    0,   38,   38,   38,
+        0,    0,   37,   37,   37,   37,   37,   37,   37,   42,
+       42,   42,   42,   42,   42,   42,   42,   40,   42,   41,
+       47,    0,    0,    0,    0,    0,    0,   47,   47,   47,
+       47,   47,   47,   47,    0,    0,   38,   38,   38,    0,
+       37,   37,    0,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,    0,   25,   42,   42,   42,   42,
+       42,   42,   42,   42,   47,    0,    0,    0,    0,   47,
+       47,   47,   47,   47,   47,   47,   47,    0,   38,    0,
+       37,   37,   37,    0,    0,    0,   37,   37,   37,   37,
+
        37,   37,   37,   37,   37,   37,   37,   37,   37,   42,
-        0,    0,    0,    0,    0,    0,   42,   42,   42,   42,
-       42,    0,   42,    9,    0,   42,   42,   42,   42,   42,
-       42,    0,   36,   36,   36,    0,    0,   35,   35,   35,
+       42,   42,   42,   42,   42,   42,   42,   47,    0,    0,
+        0,   47,   47,   47,   35,   35,   35,    0,    0,   37,
+       37,   37,   37,   37,   37,   37,    0,    0,    0,    0,
+        0,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,   42,   42,    0,   24,   42,
+       42,   42,   42,    0,   23,    0,   26,   47,    0,    0,
+        0,   47,   47,   47,   47,   35,   35,   35,   35,    0,
+       37,    0,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,    0,    0,    0,   37,   37,   37,   37,
 
-       35,   35,   35,   35,   37,   37,   37,   37,   37,   37,
-       37,   37,   37,   42,    0,    0,    0,    0,    0,    0,
-       42,   42,   42,   42,   42,   42,   42,    0,    0,   36,
-       36,   36,    0,   35,   35,    0,   35,   35,   35,   35,
-       35,   35,   35,   35,   35,   35,   35,    0,   24,   37,
-       37,   37,   37,   37,   37,   37,   37,   42,    0,    0,
-        0,    0,   42,   42,   42,   42,   42,   42,   42,   42,
-        0,   36,    0,   35,   35,   35,    0,    0,    0,   35,
-       35,   35,   35,   35,   35,   35,   35,   35,   35,   35,
-       35,   35,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   42,
+       42,   42,   42,   42,   42,   44,    0,    0,    0,   47,
+       20,   43,   36,   36,   36,   36,   37,    0,    0,    0,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,    0,    0,    0,    0,    0,   37,   37,
+       37,   37,   37,   37,   37,   37,   42,   42,   42,   42,
+        0,   22,    0,   27,    0,   20,    0,    0,   47,    0,
+       47,   47,   47,   36,   36,   36,   36,    0,    0,    0,
+        0,    0,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   37,
 
-       42,    0,    0,    0,   42,   42,   42,   33,   33,   33,
-        0,    0,   35,   35,   35,   35,   35,   35,   35,    0,
-        0,    0,    0,    0,   35,   35,   35,   35,   35,   35,
-       35,   35,   35,   35,   35,   35,   35,   35,   37,   37,
-        0,   23,   37,   37,   37,   37,    0,   22,    0,   25,
-       42,    0,    0,    0,   42,   42,   42,   42,   33,   33,
-       33,   33,    0,   35,    0,   35,   35,   35,   35,   35,
-       35,   35,   35,   35,   35,   35,    0,    0,    0,   35,
-       35,   35,   35,   35,   35,   35,   35,   35,   35,   35,
-       35,   35,   37,   37,   37,   37,   37,   37,   39,    0,
+       37,   37,    0,   30,   42,   42,   42,    0,    0,    0,
+       21,   20,    0,    0,    0,    0,    0,   20,    0,   47,
+       47,   47,    0,    0,    0,   37,   37,   37,   37,   37,
+       37,   37,   37,   37,   37,   37,   37,   37,   37,   37,
+       37,   37,   37,    0,   28,   42,   42,   21,    0,   18,
+        0,    0,   20,   47,   47,   47,   47,   47,    0,    0,
+        0,    0,    0,   37,   37,   37,   37,   37,   37,   37,
+       37,    0,   31,   42,    0,   47,   47,   47,   37,   37,
+       37,   37,   37,   37,    0,   29,    0,   47,   47,   47,
+       47,   47,   37,   37,   37,   37,   37,    0,   19,   35,
 
-        0,    0,   42,   19,   38,   42,   34,   34,   34,   35,
-        0,    0,    0,   35,   35,   35,   35,   35,   35,   35,
-       35,   35,   35,   35,   35,   35,    0,    0,    0,    0,
-        0,   35,   35,   35,   35,   35,   35,   35,   35,   37,
-       37,   37,   37,    0,   21,    0,   26,    0,   19,    0,
-        0,   42,    0,   42,   42,   42,   34,   34,   34,   34,
-       34,    0,    0,    0,    0,    0,   35,   35,   35,   35,
-       35,   35,   35,   35,   35,   35,   35,   35,   35,   35,
-       35,   35,   35,   35,   35,   35,    0,   29,   37,   37,
-       37,    0,    0,    0,   20,   19,    0,    0,   19,    0,
-
-       42,   42,   42,   34,   34,    0,    0,    0,   35,   35,
-       35,   35,   35,   35,   35,   35,   35,   35,   35,   35,
-       35,   35,   35,   35,   35,   35,    0,   27,   37,   37,
-       20,    0,   17,    0,   42,   42,   42,   42,   42,    0,
-        0,    0,    0,    0,   35,   35,   35,   35,   35,   35,
-       35,   35,    0,   30,   37,    0,   42,   42,   42,   35,
-       35,   35,   35,   35,   35,    0,   28,    0,   42,   42,
-       42,   42,   42,   35,   35,   35,   35,   35,    0,   18,
-       33,   33,   33,   33,   33,   33,    0
+       35,   35,   35,   35,   35,    0
     } ;
 
 static yyconst int yy_ec[256] =
@@ -369,12 +372,12 @@
        19,   20,   21,   22,   22,   22,   23,   24,    1,    1,
        25,   26,   10,   27,   28,   29,   30,   31,   32,   29,
        33,   34,   35,   36,   36,   37,   36,   38,   39,   40,
-       36,   41,   42,   43,   44,   45,   46,   47,   36,   36,
-       10,   48,   10,    1,   49,    1,   50,   51,   52,   53,
+       36,   41,   42,   43,   44,   45,   46,   47,   48,   36,
+       10,   49,   10,    1,   50,    1,   51,   52,   53,   54,
 
-       54,   55,   56,   56,   57,   56,   56,   58,   59,   60,
-       61,   56,   56,   62,   63,   64,   65,   56,   56,   56,
-       56,   56,    1,    1,    1,    1,    1,    1,    1,    1,
+       55,   56,   57,   57,   58,   57,   57,   59,   60,   61,
+       62,   57,   57,   63,   64,   65,   66,   57,   57,   57,
+       57,   57,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -391,581 +394,587 @@
         1,    1,    1,    1,    1
     } ;
 
-static yyconst int yy_meta[66] =
+static yyconst int yy_meta[67] =
     {   0,
-        1,    2,    3,    4,    5,    2,    1,    6,    6,    1,
-        1,    2,    1,    7,    8,    9,    9,    9,    9,    9,
-        9,    9,    9,   10,   11,    6,    1,    9,    9,    9,
-        9,    9,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    1,    1,   12,   13,   14,
-       14,   14,   14,   14,   14,   13,   13,   13,   13,   13,
-       13,   13,   13,   13,   13
+        1,    2,    3,    4,    5,    6,    1,    7,    7,    1,
+        1,    8,    1,    9,   10,   11,   11,   11,   11,   11,
+       11,   11,   11,   12,   13,    7,    1,   11,   11,   11,
+       11,   11,    1,    1,    1,    1,    1,    1,    1,    1,
+        1,    1,    1,    1,    1,    1,    1,    1,   14,   15,
+       16,   16,   16,   16,   16,   16,   15,   15,   15,   15,
+       15,   15,   15,   15,   15,   15
     } ;
 
-static yyconst short int yy_base[652] =
+static yyconst short int yy_base[671] =
     {   0,
-        0,   64,   65,   70,   75,  100,  147,  211,  275,  322,
-       86,  111, 2608, 2559, 2604, 3633, 2601, 3633,  368,   44,
-     3633, 3633, 2542, 3633,  113,  378,  124,  146, 2551, 3633,
-      433, 2521,  483, 2528, 2527, 2528, 2513,  537,  154,   36,
-      150, 3633,  561, 2483, 2479, 2460, 2455, 2456, 2508,  203,
-      288,   45,    0, 3633, 2503, 3633,    0,  305,  616,   71,
-        0, 2458, 3633,   61, 3633,   71, 3633,   80, 2457,  109,
-      131, 3633,  124, 2440,  638, 2485, 2482, 2482, 3633,  211,
-      219,   83, 2436,  336, 2427,  663,  410, 2424,  688,  234,
-      699, 2416, 2423,  356,  500,  169, 2412,  145,  739,    0,
+        0,   65,   67,   72,   99,  114,  162,  227,  292,  340,
+       86,  125, 2840, 2790, 2836, 3665, 2833, 3665,  387,   70,
+     3665, 3665, 2771, 3665,  136,  397,  133,  159, 2795, 3665,
+     3665,  453, 2781,   33,  504, 2770, 2767, 2777, 2765, 2771,
+     2754,  559,  170,   19,  165,  583,   38,   49, 2739,   68,
+     2727,   81,  219, 2771,  305,   48,    0, 3665, 2761, 3665,
+        0,  250,  639,  119,    0, 2709, 3665,  108, 3665,  112,
+     3665,  140, 2699,   98,  121, 3665,  195, 2693,  661, 2739,
+     2736, 2736, 3665,  227,  247,  300,  316,  152,  354, 2681,
+      686,  373, 2670,  711,  352,  722, 2692, 2669,  375,  414,
 
-     2403, 2401,  262, 2391, 2372,  134, 3633,  130,  524, 2346,
-     2333, 2304, 2299, 2300,   94,   72,  229,  235,  198,  237,
-     2330,  569,  567, 2277,  793,  196,    0, 2320,  153, 3633,
-     3633,  578,  190,    0, 2275,  344, 3633, 3633, 2254,  303,
-     2251, 2285,  310,  241,  245, 2278, 2276, 2264, 2215,  818,
-      545,  831,  866,  901,  936, 2248, 2235,  976,  286, 1017,
-     1057, 2226, 2206, 2198, 2193, 2199, 2192, 2179, 2188,  242,
-     2158, 2162, 2134, 2134, 2139,  313,  265, 2142,  273,  272,
-      295,  600,  271, 2189, 2187,  635,  345, 1099, 1134,  511,
-      307, 2108, 2107,  685,  350, 2106, 2105,  339,  716, 1169,
+      302, 2656,   57,  763,    0, 2628, 2625, 2614,  505, 2602,
+     2606, 2599, 2601,  202, 3665,  153,  546, 2572, 2565, 2549,
+     2537, 2524,  200,  110,  244,   28,  111,  252,  171, 2578,
+      422, 2577,  565, 2529,  818,  262,    0, 2573,  179, 3665,
+     3665,  599,  269,    0, 2513,  453, 3665, 3665, 2512,  548,
+     2490, 2533,  206,  253,  323, 2535, 2524, 2513,  607,  615,
+      306,  722,  586,  831,  867,  903,  939, 2499, 2456,  980,
+      333, 1022, 1063,    0, 2430, 2394, 2363, 2364, 2374, 2369,
+     2327, 2330, 2329, 2328,  266, 2289, 2283, 2272, 2274, 2279,
+      409,  334, 2279,  145,  335,   83,  672,  278, 2327, 2325,
 
-      724,  404, 1210,  758, 2077,  358,  377, 2054, 2046, 2036,
-     2034, 2015, 2022,  357, 2006, 2008, 1993, 2005, 1977,  377,
-      355,  580,  379,  391, 1252, 1287, 1322, 2014, 1992,  790,
-     1990, 1988, 1987, 1985,  529,  815,  593,  839,  596, 1357,
-        0,  849, 1368,  874,  660, 1409,  884,  435, 3633, 1941,
-     1932, 1945, 1925, 1915, 1886, 1886, 1854,  561, 1828, 1811,
-     1783,  557,  110,  508,  568,  912,  369, 1451, 1486,  922,
-     1818, 1800, 1799, 1782, 1519,  646,  955,  995, 1036,  658,
-      671,  749, 1074,  772, 1561,    0, 1109, 1572, 1082,  892,
-     1613, 1118, 1744, 1740,  603,  513, 1723, 1729,  624,  724,
+      627,  259, 1106, 1142,  741,  210, 2293, 2279,  683,  513,
+     2275, 2271,  352,  747, 1178,  780,  788, 1220,  815, 2270,
+      400,  325, 2261, 2258, 2248, 2246, 2242,    0, 2240,    0,
+      489, 2223, 2213, 2198, 2211, 2198,  420,  407,  529,  490,
+      491, 1263, 1299, 1335, 2235, 2234,  839, 2234, 2232, 2228,
+     2226,  528,  848,  657,  856,  665, 1371,    0,  877, 1382,
+      886,  894, 1424,  913,  570, 3665, 2208, 2197, 2198, 2177,
+     2184, 2193, 2190, 2169,  558, 2145, 2098, 2099,  648,  626,
+      530,  559,  923,  336, 1467, 1503,  964, 2138, 2137, 2108,
+     2086, 1537,  551, 1000, 1041, 1082,  653,  694,  797, 1049,
 
-      768, 1719, 1673,  570,  555,  460,  824, 1654, 1688, 1722,
-     1690, 1677, 1676, 1142, 1757, 1150,  963, 1797, 1188, 1158,
-     1626, 1229, 1262, 1272,  901,  922, 1243, 1297, 1297, 1308,
-     1839,    0, 1310, 1850, 1330, 1003, 1891, 1340, 1595, 1598,
-      764, 3633, 1579, 1571, 1535, 1519,  780, 3633,  875, 3633,
-      736, 1504, 1482,  656,  953,  636,  897, 1386,  626, 1932,
-     1966, 1395, 1487, 1431, 1428,  815, 1459, 1037, 2001,    0,
-      487, 2012, 1467, 1196, 2052, 1496, 1506, 1538, 1591, 1179,
-     1220, 1442, 1477, 1630, 1664, 2094,    0, 1666, 2105, 1638,
-     1278, 1675, 1411, 1409, 1354, 1350,  924,  961, 1318, 1307,
+      923, 1580,    0, 1116, 1591, 1090, 1008, 1633, 1125, 2069,
+     2065,  747,  686, 2046, 2005,  786,  926,  905, 2014, 1982,
+      679,  634,  544,  915, 1675, 1710, 1745, 2015, 1978, 1962,
+     1150, 1781, 1158, 1133, 1822, 1197, 1166, 1954, 1239, 1273,
+     1207,  950,  951,  962,  991, 1247, 1073, 1865,    0, 1283,
+     1876, 1307, 1315, 1918, 1323, 1923, 1923, 1188, 3665, 1924,
+     1898, 1893, 1873, 1286, 3665, 1336, 3665,  707, 1790, 1783,
+      786,  930,  764, 1298, 1358, 1041, 1960, 1995, 1400, 1823,
+     1799, 1348,  708, 1406, 1348, 2031,    0,  559, 2042, 1441,
+     1449, 2083, 1477, 1487, 1513, 1523, 1230, 1290, 1458, 1548,
 
-     1274, 1061,  675, 1708, 1254, 2147, 2182, 2217, 2252, 1212,
-     1699, 1732, 1743, 1171, 1263, 1341, 1707, 1428, 2287,    0,
-      608, 2298, 1774, 1477, 2338, 1816, 1782, 1135, 1869, 1910,
-     1942, 1506, 1529, 1901,  826,  860, 2380,    0,  980, 1041,
-     1103, 1087, 1041, 1042, 3633, 1058, 3633,  992, 1541, 1962,
-      708,  899,  291, 1058, 1950, 1319, 2390, 2425, 2460, 2495,
-     1827, 1974, 1011, 1985, 2031, 2071,  927,  920, 1592, 1744,
-     2077, 1758, 2530,    0, 1061, 2541, 2122, 1877, 2581, 2157,
-     2131, 2166, 2191, 1807,  912, 1128, 1194, 3633, 1235,  835,
-      802,  765,  818,  721,  767, 1614, 1836, 2217, 1930, 2252,
+     1557, 1602, 2126,    0, 1613, 2137, 1650, 1565, 1660, 1765,
+     1763, 1680, 1675, 1359, 1406, 1626, 1601, 1577,  897,  938,
+     1695, 1589, 2180, 2216, 2252, 2288, 1611, 1686, 1720, 1731,
+     1563, 1478, 1504, 1694, 1524, 2324,    0,  617, 2335, 1753,
+     1761, 2376, 1769, 1798, 1550, 1808, 1841, 1851, 1335, 1358,
+     1887,  714,  825, 2419,    0,  926, 1407, 1508, 1506, 1471,
+     1547, 3665, 1616, 3665, 1423, 1731, 1907, 1512, 1575, 1910,
+     1915, 1935, 1498, 2429, 2465, 1971, 1611, 1977, 1457, 2005,
+     2015, 1987, 1408, 1254, 1732, 1782, 2059, 1842, 2501,    0,
+     1025, 2512, 2067, 2100, 2553, 2108, 2155, 2164, 2189, 1769,
 
-     2623, 2658, 2693, 2265, 1515, 2230, 2275, 2317,  779,  761,
-     1986, 2013, 2355, 2032, 2728,    0, 1122, 2739, 2363, 1919,
-     2400,  683, 2409, 2434, 2326,  676, 1393, 3633, 1434,  623,
-     3633,  657, 3633, 1251, 2442, 1387, 2781, 2816, 2475, 2481,
-      635, 2508, 2518, 2560,  543,  526, 2148,  427,  424, 2600,
-        0, 1233, 1595, 3633, 1596, 2213, 2851, 2886, 2921, 2566,
-     2631, 2639,  389,    0,  350, 1597, 3633,  349, 2647, 1685,
-     2956, 2991, 2669, 3633, 2680, 2702, 2450, 3633,  215, 3633,
-     2715, 2757, 2765,   82, 2798, 2806, 3633, 3039, 3053, 3067,
-     3081, 3095, 3109, 3123, 3137, 3151, 3157, 3171, 3185, 1355,
+     1207, 1189, 1634, 3665, 1699, 1162, 1113, 1074, 1118,  384,
+     1040, 2211, 2218, 2238, 2243, 2263, 2288, 2249, 2307, 2596,
+     2632, 2668, 2304, 2354, 2395, 1025, 1006, 1889, 2016, 2362,
+     2043, 2704,    0, 1224, 2715, 2403, 2437, 2445,  992, 2454,
+     2474, 2483,  903, 1921, 3665, 1941,  839, 3665,  843, 3665,
+     1306, 2489, 2529, 2537, 1911, 2758, 2794, 2573, 2579,  811,
+     2607, 2617, 2642,  640,  629, 2109,  535,  447, 2650,    0,
+     1428, 1942, 3665, 2044, 2216, 2830, 2866, 2902, 2676, 2684,
+     2692,  337,    0,  333, 2067, 3665,  327, 2733, 1912, 2938,
+     2974, 2743, 3665, 2767, 2777, 2658, 3665,  166, 3665, 2805,
 
-     3199, 3213, 3227, 3241, 3255, 3269, 3283, 3289, 3296, 3310,
-     3324, 3330, 3337, 3343, 3349, 3355, 3362, 3368, 3374, 3380,
-     3387, 3395, 3401, 3407, 3413, 3420, 3428, 3434, 3440, 3447,
-     3455, 3461, 3469, 3476, 3484, 3490, 3498, 3505, 3513, 3527,
-     3541, 3547, 3555, 3562, 3576, 3582, 3590, 3596, 3604,  862,
-     3618
+     2813, 2847,   63, 2855, 2881, 3665, 3023, 3039, 3055, 3071,
+     3087, 3103, 3119, 3135, 3151, 3157, 3173, 3189, 1498, 3205,
+     3221, 3237, 3253, 3269, 3285, 3301, 3307, 3314, 3330, 3346,
+     3352, 3359, 3365, 3371, 3377, 3384, 3390, 3396, 3402, 3409,
+     3417, 3423, 3429, 3435, 3442, 3450, 3456, 3462, 3469, 3477,
+     3483, 3491, 3498, 3506, 3512, 3520, 3527, 3535, 3551, 3567,
+     3573, 3581, 3588, 3604, 3610, 3618, 3624, 3632, 1295, 3648
     } ;
 
-static yyconst short int yy_def[652] =
+static yyconst short int yy_def[671] =
     {   0,
-      587,    1,    1,    1,  588,  588,  589,  589,  590,  590,
-      591,  591,  587,  592,  587,  587,  587,  587,  593,  594,
-      587,  587,  595,  587,  596,  592,   26,   26,  597,  587,
-      587,   31,   31,   33,   33,   33,   33,  592,   26,  592,
-      587,  587,  593,   31,   31,   33,   33,   33,  587,  587,
-      598,  592,  599,  587,  599,  587,  599,  587,  593,  587,
-      600,  601,  587,  601,  587,  601,  587,  602,  603,  603,
-      603,  587,  587,  592,  592,  587,  587,  604,  587,  605,
-      587,  594,  606,  594,  595,  595,  596,  607,  592,  592,
-       26,  597,   91,   91,   91,   91,  608,  609,   31,   33,
+      606,    1,    1,    1,  607,  607,  608,  608,  609,  609,
+      610,  610,  606,  611,  606,  606,  606,  606,  612,  613,
+      606,  606,  614,  606,  615,  611,   26,   26,  616,  606,
+      606,  606,   32,   32,   32,   35,   35,   35,   35,   35,
+       35,  611,   26,  611,  606,  612,   32,   32,   35,   35,
+       35,  606,  606,  606,  617,  611,  618,  606,  618,  606,
+      618,  606,  612,  606,  619,  620,  606,  620,  606,  620,
+      606,  621,  622,  622,  622,  606,  606,  611,  611,  606,
+      606,  623,  606,  624,  606,  613,  606,  625,  613,  614,
+      614,  615,  626,  611,  611,   26,  616,   96,   96,   96,
 
-       33,   33,   33,   33,   33,  592,  587,  592,  587,  587,
-      587,  587,  587,  587,  604,  592,   91,  592,  592,  592,
-      587,  587,  598,  610,  592,  592,  599,  599,  587,  587,
-      587,  605,  587,  600,  601,  601,  587,  587,  601,  601,
-      603,  587,  603,  603,  587,  587,  604,  611,  606,  606,
-      587,  592,  592,  592,   91,  155,  612,  587,  613,  587,
-       31,   33,   33,   33,   33,   33,   33,   33,   33,  592,
-      587,  587,  587,  587,  587,  604,  592,  155,  592,  592,
-      592,  587,  592,  587,  611,  592,  592,  592,  592,  592,
-      592,  614,  615,  615,  194,  616,  615,  617,  160,  587,
+       96,  627,  628,   35,   35,   35,   35,   35,   35,   35,
+       35,   35,   35,  611,  606,  611,  606,  606,  606,  606,
+      606,  606,  623,  611,   96,  611,  611,  611,  606,  606,
+      606,  606,  617,  629,  611,  611,  618,  618,  606,  606,
+      606,  624,  606,  619,  620,  620,  606,  606,  620,  620,
+      622,  606,  622,  622,  606,  606,  623,  630,  606,  606,
+      625,  625,  606,  611,  611,  611,   96,  167,  631,  606,
+      632,  606,  104,   35,   35,   35,   35,   35,   35,   35,
+       35,   35,   35,   35,  611,  606,  606,  606,  606,  606,
+      623,  611,  167,  611,  611,  611,  606,  611,  606,  630,
 
-      200,  200,  587,  200,   33,   33,   33,   33,   33,   33,
-       33,   33,   33,  592,  587,  587,  587,  587,  587,  604,
-      592,  592,  592,  592,  592,  592,  592,  587,  618,  618,
-      230,  618,  619,  620,  621,  587,  622,  203,  622,  622,
-      240,  622,  587,  243,  243,  587,  243,  587,  587,   33,
-       33,   33,   33,   33,   33,   33,   33,  592,  587,  587,
-      587,  604,  592,  592,  592,  592,  592,  592,  592,  592,
-      623,  623,  624,  625,  587,  587,  587,  587,  587,  626,
-      626,  627,  246,  627,  627,  285,  627,  587,  288,  288,
-      587,  288,   33,   33,   33,   33,   33,   33,   33,   33,
+      611,  611,  611,  611,  611,  611,  633,  634,  634,  209,
+      635,  634,  636,  172,  606,  215,  215,  606,  215,   35,
+       35,   35,   35,   35,   35,   35,   35,   35,   35,   35,
+      611,  606,  606,  606,  606,  606,  623,  611,  611,  611,
+      611,  611,  611,  611,  606,  637,  637,  247,  637,  638,
+      639,  640,  606,  641,  218,  641,  641,  257,  641,  606,
+      260,  260,  606,  260,  606,  606,   35,   35,   35,   35,
+       35,   35,   35,   35,  611,  606,  606,  606,  623,  611,
+      611,  611,  611,  611,  611,  611,  611,  642,  642,  643,
+      644,  606,  606,  606,  606,  606,  645,  645,  646,  263,
 
-      592,  587,  587,  604,  592,  592,  592,  592,  592,  592,
-      587,  628,  629,  275,  587,  315,  315,  587,  315,  587,
-      587,  587,  587,  587,  587,  630,  630,  631,  291,  631,
-      631,  331,  631,  587,  334,  334,  587,  334,   33,   33,
-      587,  587,   33,   33,   33,   33,  587,  587,  587,  587,
-      592,  587,  587,  604,  592,  592,  592,  592,  592,  592,
-      592,  592,  587,  632,  587,  633,  318,  633,  633,  369,
-      369,  587,  372,  372,  587,  372,  587,  587,  587,  587,
-      634,  634,  635,  337,  635,  635,  386,  635,  587,  389,
-      389,  389,   33,   33,   33,   33,   33,   33,  592,  587,
+      646,  646,  302,  646,  606,  305,  305,  606,  305,   35,
+       35,   35,   35,   35,   35,   35,   35,  611,  606,  606,
+      623,  611,  611,  611,  611,  611,  611,  606,  647,  648,
+      292,  606,  332,  332,  606,  332,  606,  606,  606,  606,
+      606,  606,  649,  649,  650,  308,  650,  650,  348,  650,
+      606,  351,  351,  606,  351,   35,   35,  606,  606,   35,
+       35,   35,   35,  606,  606,  606,  606,  611,  606,  606,
+      623,  611,  611,  611,  611,  611,  611,  611,  611,  606,
+      651,  606,  652,  335,  652,  652,  386,  386,  606,  389,
+      389,  606,  389,  606,  606,  606,  606,  653,  653,  654,
 
-      587,  604,  592,  592,  592,  592,  592,  592,  592,  587,
-      587,  587,  587,  636,  636,  637,  375,  637,  637,  419,
-      419,  587,  422,  422,  587,  422,  587,  587,  587,  587,
-      587,  587,  638,  638,  639,  639,  639,  437,  437,   33,
-       33,   33,   33,  587,  587,  587,  587,  587,  587,  604,
-      604,  592,  640,  641,  592,  592,  592,  592,  592,  592,
-      592,  587,  587,  587,  587,  587,  587,  642,  642,  643,
-      425,  643,  643,  473,  473,  587,  476,  476,  587,  476,
-      587,  587,  587,  587,  644,  644,  587,  587,   33,   33,
-       33,  587,  645,  604,  592,  640,  640,  640,  641,  641,
+      354,  654,  654,  403,  654,  606,  406,  406,  406,   35,
+       35,   35,   35,   35,   35,  611,  606,  606,  623,  611,
+      611,  611,  611,  611,  611,  611,  606,  606,  606,  606,
+      655,  655,  656,  392,  656,  656,  436,  436,  606,  439,
+      439,  606,  439,  606,  606,  606,  606,  606,  606,  657,
+      657,  658,  658,  658,  454,  454,   35,   35,   35,   35,
+      606,  606,  606,  606,  606,  606,  623,  623,  611,  659,
+      660,  611,  611,  611,  611,  611,  611,  606,  606,  606,
+      606,  606,  606,  661,  661,  662,  442,  662,  662,  489,
+      489,  606,  492,  492,  606,  492,  606,  606,  606,  606,
 
-      592,  592,  592,  592,  592,  587,  587,  587,  587,  646,
-      646,  647,  479,  647,  647,  515,  515,  587,  518,  518,
-      518,  587,  587,  587,  587,  587,  587,  587,   33,   33,
-      587,  645,  587,  604,  592,  592,  592,  592,  592,  587,
-      587,  587,  587,  587,  587,  648,  648,  649,  649,  649,
-      550,  550,  587,  587,   33,  604,  592,  592,  592,  587,
-      587,  587,  587,  650,  650,  587,  587,  651,  592,  592,
-      592,  592,  592,  587,  587,  587,  587,  587,  651,  587,
-      592,  592,  592,  592,  592,  592,    0,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
+      663,  663,  606,  606,   35,   35,   35,  606,  664,  623,
+      611,  659,  659,  659,  659,  606,  659,  660,  660,  611,
+      611,  611,  606,  606,  606,  606,  665,  665,  666,  495,
+      666,  666,  532,  532,  606,  535,  535,  535,  606,  606,
+      606,  606,  606,  606,  606,   35,   35,  606,  664,  606,
+      623,  606,  606,  611,  611,  611,  611,  611,  606,  606,
+      606,  606,  606,  606,  667,  667,  668,  668,  668,  569,
+      569,  606,  606,   35,  623,  611,  611,  611,  606,  606,
+      606,  606,  669,  669,  606,  606,  670,  611,  611,  611,
+      611,  611,  606,  606,  606,  606,  606,  670,  606,  611,
 
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587
+      611,  611,  611,  611,  611,    0,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606
     } ;
 
-static yyconst short int yy_nxt[3699] =
+static yyconst short int yy_nxt[3732] =
     {   0,
        14,   15,   16,   17,   18,   19,   20,   21,   22,   14,
        23,   24,   14,   14,   25,   26,   27,   28,   26,   26,
-       26,   26,   26,   29,   30,   18,   14,   31,   31,   31,
-       31,   32,   33,   33,   33,   33,   34,   35,   33,   36,
-       33,   37,   33,   33,   33,   33,   33,   38,   14,   39,
-       39,   39,   39,   39,   39,   14,   14,   14,   14,   14,
-       14,   14,   40,   14,   14,   41,   49,   83,   42,   43,
-       50,   49,  133,  107,   42,   50,   15,   54,   55,   51,
-       56,  140,  107,   75,   51,  137,   56,   70,   16,   71,
-       72,   84,   75,   44,   45,  138,   79,   46,   56,   57,
+       26,   26,   26,   29,   30,   31,   14,   32,   33,   33,
+       33,   34,   35,   35,   35,   35,   36,   37,   35,   38,
+       39,   40,   41,   35,   35,   35,   35,   35,   42,   14,
+       43,   43,   43,   43,   43,   43,   14,   14,   14,   14,
+       14,   14,   14,   44,   14,   14,   45,   79,   52,  105,
+       46,  170,   53,   52,  105,   87,   79,   53,   54,  107,
+      172,   55,  129,   54,  116,  105,   55,   74,   16,   75,
+       76,  194,  130,   88,   47,   48,   79,  124,   49,  153,
 
-      108,   15,   54,   55,   47,   56,  587,   48,  136,  126,
-      143,   56,   70,   16,   71,   72,   88,   88,  136,   75,
-       88,   88,   58,   56,   57,  145,  146,   52,  141,   75,
-       84,  177,   52,   73,  144,  133,  107,  305,   88,   94,
-       94,   94,   94,   94,   94,   94,   94,   58,   15,   16,
-       17,  109,   59,  176,  133,  107,  142,   75,   73,  158,
-       89,   95,   95,   95,   95,   95,   96,   74,  160,   93,
-       93,   93,   93,   93,   93,   93,   93,   75,  142,  110,
-      111,   75,  170,  112,  156,  156,  156,  156,  156,  156,
-      113,  133,  107,  114,   60,   61,   61,   61,   61,   61,
+       15,   58,   59,  125,   60,   50,  111,   35,   51,   35,
+       60,   79,   35,  136,   35,   15,   58,   59,   89,   60,
+      143,  115,   60,   61,  154,   60,   74,   16,   75,   76,
+       56,   79,  147,  127,   77,   56,  148,   60,   61,   93,
+       93,  150,  115,   93,   93,  238,  152,   62,   99,   99,
+       99,   99,   99,   99,   99,   99,  146,   87,   79,   79,
+      146,   93,   62,   15,   16,   17,  117,   63,  599,  152,
+      192,  195,  129,   77,  100,  100,  100,  100,  100,  101,
+      143,  115,  130,   78,   94,   98,   98,   98,   98,   98,
+       98,   98,   98,   79,  118,  119,  155,  156,  120,  151,
 
-       61,   61,   61,   61,   61,   61,   61,   61,   61,   61,
-       61,   61,   15,   16,   17,  122,   59,  580,   81,   81,
-       81,   81,   81,   81,   81,   81,   81,   81,   81,   81,
-       81,   81,   81,   81,   81,   81,   81,   81,   81,   81,
-       81,   81,   74,   75,  144,   75,  145,  146,  183,  152,
-      153,  154,  152,  152,  152,  152,  152,  180,   60,   61,
-       61,   61,   61,   61,   61,   61,   61,   61,   61,   61,
-       61,   61,   61,   61,   61,   61,   15,   16,   17,   63,
-       59,   75,   75,  178,   75,   64,   65,   66,  142,   75,
-      181,  124,  124,  164,  497,  124,  124,  179,  165,   67,
+      162,   79,   83,  143,  115,  121,  185,  153,  122,  238,
+       64,   65,   65,   65,   65,   65,   65,   65,   65,   65,
+       65,   65,   65,   65,   65,   65,   65,   65,   15,   16,
+       17,  131,   63,   97,   85,   85,   85,   85,   85,   85,
+       85,   85,   85,   85,   85,   85,   85,   85,   85,   85,
+       79,  139,  115,  140,  152,  141,  154,   78,   79,  140,
+      191,  141,   85,   85,   85,   85,   85,   85,   85,   85,
+      143,  115,  201,  141,  141,   64,   65,   65,   65,   65,
+       65,   65,   65,   65,   65,   65,   65,   65,   65,   65,
+       65,   65,   65,   15,   16,   17,   67,   63,  141,  193,
 
-      158,  166,  214,  167,  133,  107,  129,  107,  130,  199,
-      131,  143,   75,  124,  130,   79,  131,  221,   75,   75,
-       75,  223,   68,   15,   16,   17,   63,   59,  131,  131,
-       92,  224,   64,   65,   66,  125,  221,   82,  498,   82,
-       82,   82,   75,   82,   82,  135,   67,   82,  135,  135,
-      136,  580,  131,  158,   75,  135,  221,  142,  186,  248,
-       82,   82,  199,  365,  220,  232,  232,  232,  135,   68,
-       79,  156,  156,  156,  156,  156,  156,  156,  156,   79,
-       80,  249,  266,   81,   81,   81,   81,   81,   81,   81,
-       81,   90,   75,   91,   91,   91,   91,   91,   91,   91,
+       79,  152,   68,   69,   70,  606,  196,   79,  134,  134,
+       79,  606,  134,  134,   79,  198,   71,  168,  168,  168,
+      168,  168,  168,  606,  155,  156,   79,  231,  159,  599,
+      134,  160,  160,  160,  160,  160,  160,  160,  160,  241,
+       72,   15,   16,   17,   67,   63,  382,  170,   89,  283,
+       68,   69,   70,  135,  162,   86,  214,   86,   86,  267,
+      530,   86,   86,  268,   71,   86,  170,  164,  165,  166,
+      164,  164,  164,  164,  164,  214,   93,   93,   86,   86,
+       93,   93,   79,   79,   79,  240,   83,  238,   72,   83,
+      168,  168,  168,  168,  168,  168,  168,  168,   93,   84,
 
-       91,   92,   75,  263,   75,   93,   93,   93,   93,   93,
-      258,  250,  513,   88,   88,  251,   75,   88,   88,  241,
-      241,  241,  241,  241,  242,   75,   75,   93,   93,   93,
-       93,   93,   93,   74,  262,   88,  248,  587,   75,   74,
-      365,  221,   74,   74,  265,   74,   74,   74,   99,   99,
-       99,   99,   99,   99,   99,   99,   92,   89,  249,   74,
-       99,   99,   99,   99,   99,  100,  100,  100,  100,  100,
-      100,  100,  100,  100,  100,  100,  100,  100,  100,  100,
-       75,  100,   93,   93,   93,   93,   93,   93,   74,   74,
-       74,   74,   74,   74,   74,   74,   74,   74,  100,  100,
+       79,  265,   85,   85,   85,   85,   85,   85,   85,   85,
+       95,   83,   96,   96,   96,   96,   96,   96,   96,   96,
+       97,   94,   83,  266,   98,   98,   98,   98,   98,  168,
+      168,  168,  168,  168,  168,  168,  168,   85,   85,   85,
+       85,   85,   85,   85,   85,   79,  551,   98,   98,   98,
+       98,   98,   98,   78,  145,   79,  280,  145,  145,   78,
+      606,  237,   78,   78,  145,   78,   78,   78,  104,  104,
+      104,  104,  104,  104,  104,  104,   97,  145,  279,   78,
+      104,  104,  104,  104,  104,  105,  105,  105,  105,  106,
+      105,  105,  105,  105,  105,  105,  105,  105,  105,  105,
 
-      100,  100,  100,  100,  100,  100,  587,   75,  414,  414,
-      100,  100,  100,  100,  100,  156,  156,  156,  156,  156,
-      156,  156,  156,  356,  186,  109,  187,  187,  187,  187,
-      187,  187,   74,   74,   74,   74,   74,   74,  106,  107,
-       74,   74,   74,  158,   74,   74,   88,  343,   74,  513,
-       88,  344,  199,  110,  111,   75,   88,  112,   75,   79,
-       74,   74,   74,   79,  113,  306,  471,  114,   88,   88,
-      124,  124,   79,   80,  124,  124,   81,   81,   81,   81,
-       81,   81,   81,   81,   81,   81,   81,   81,   81,   81,
-       81,   81,  124,  587,  587,  587,  587,  587,  587,  587,
+      105,   79,  105,   98,   98,   98,   98,   98,   98,   78,
+       78,   78,   78,   78,   78,   78,   78,   78,   78,  105,
+      105,  105,  105,  105,  105,  105,  105,  606,  249,  249,
+      249,  105,  105,  105,  105,  105,  177,   79,   79,   79,
+      105,  178,  170,  275,  179,  282,  180,  117,  382,  143,
+      115,  214,   97,  238,   78,   78,   78,   78,   78,   78,
+      114,  115,   78,   78,   78,  170,   78,   78,  134,  134,
+       78,  265,  134,  134,  214,  118,  119,   79,   79,  120,
+      431,  431,   78,   78,   78,   83,  121,   93,  323,  122,
+      134,   93,   79,  266,  281,   84,  146,   93,   85,   85,
 
-      587,  124,   75,   92,  341,  124,  236,  158,   75,  587,
-      158,  124,  355,  301,  125,   75,  238,  115,   79,  238,
-      307,  304,  354,  124,  124,  347,  342,   75,  132,  468,
-      468,  587,  587,  587,  587,  587,  587,  587,  587,   74,
-      358,   74,   74,   74,  264,   74,   74,  348,  540,   74,
-      225,  226,  227,  225,  225,  225,  225,  225,   79,  533,
-      158,   74,   74,   74,   85,  555,   85,   85,   85,  199,
-       85,   85,  158,   75,   85,  286,  286,  286,  286,  286,
-      287,  238,   75,   75,  236,  158,   85,   85,   85,   87,
-      158,   74,   74,   87,  238,   74,   74,  158,  404,   87,
+       85,   85,   85,   85,   85,   85,   79,   79,  373,   93,
+       93,  318,  324,  135,  606,  606,  606,  606,  606,  606,
+      606,  606,  160,  160,  160,  160,  160,  160,  160,  160,
+      160,  160,  160,  160,  160,  160,  160,  160,  484,  484,
+      123,   83,  242,  243,  244,  242,  242,  242,  242,  242,
+       83,  142,  530,  322,  606,  606,  606,  606,  606,  606,
+      606,  606,   78,  487,   78,   78,   78,  170,   78,   78,
+      253,  170,   78,  134,   79,   79,  255,  134,  606,  170,
+      255,   83,   79,  134,   78,   78,   78,   90,  255,   90,
+       90,   90,  372,   90,   90,  134,  134,   90,  247,  247,
 
-      230,  230,  231,  232,  232,  232,  232,  232,  196,  402,
-       79,   87,   87,   74,  155,  155,  155,  155,  155,  155,
-      155,  155,   75,   79,  452,  349,  155,  155,  155,  155,
-      155,  204,  204,  204,  204,  204,  204,  204,  204,  240,
-      240,  240,  240,  240,  240,  240,  240,  350,  155,  155,
-      155,  155,  155,  155,  161,  161,  161,  161,  161,  161,
-      161,  161,  236,  158,  494,  341,  161,  161,  161,  161,
-      161,  587,  283,  239,  239,  239,  239,  239,  239,  239,
-      239,  347,  534,   75,  471,  587,  158,  342,  155,  155,
-      155,  155,  155,  155,  123,  283,   74,   74,  123,  399,
+      248,  249,  249,  249,  249,  249,  211,  253,  170,   90,
+       90,   90,   92,  321,   78,   78,   92,  255,   78,   78,
+      360,  382,   92,  161,  361,  161,  161,  253,  170,  161,
+      161,  384,  371,  161,   92,   92,   78,  167,  167,  167,
+      167,  167,  167,  167,  167,  161,  161,  161,  358,  167,
+      167,  167,  167,  167,  201,   79,  202,  202,  202,  202,
+      202,  202,  219,  219,  219,  219,  219,  219,  219,  219,
+      359,  416,  167,  167,  167,  167,  167,  167,  173,  173,
+      173,  173,  173,  173,  173,  173,   97,  364,   83,   79,
+      173,  173,  173,  173,  173,  257,  257,  257,  257,  257,
 
-       74,   74,  417,  348,  123,  272,  272,  272,  272,  272,
-      272,  272,  272,  196,   75,   75,  123,  123,   74,  149,
-      533,  149,  149,  149,  351,  149,  149,  531,  365,  149,
-      277,  278,  279,  277,  277,  277,  277,  277,  367,  236,
-      158,  149,  149,  149,  186,  530,  187,  187,  187,  187,
-      187,  187,  187,  187,  247,  247,  247,  247,  247,  247,
-      247,  247,  236,  158,  281,  281,  281,  281,  281,  281,
-      578,   75,  238,  587,  158,  578,  349,  529,   75,  186,
-      357,  188,  188,  188,  188,  188,  188,  188,  188,  285,
-      285,  285,  285,  285,  285,  285,  285,  587,  350,  284,
+      257,  257,  257,  258,  258,  258,  258,  258,  259,  365,
+      253,  170,   79,  167,  167,  167,  167,  167,  167,  133,
+      300,   78,   78,  133,  559,   78,   78,  421,  606,  133,
+      256,  256,  256,  256,  256,  256,  256,  256,  606,  170,
+      419,  133,  133,   78,  201,  550,  202,  202,  202,  202,
+      202,  202,  202,  202,  289,  289,  289,  289,  289,  289,
+      289,  289,  211,  294,  295,  296,  294,  294,  294,  294,
+      294,  264,  264,  264,  264,  264,  264,  264,  264,   79,
+      201,  574,  203,  203,  203,  203,  203,  203,  203,  203,
+      253,  170,  298,  298,  298,  298,  298,  298,  467,   83,
 
-      284,  284,  284,  284,  284,  284,  284,  332,  332,  332,
-      332,  332,  333,   75,  186,  158,  189,  189,  189,  189,
-      189,  190,  187,  187,  238,  444,  158,  308,  309,  310,
-      308,  308,  308,  308,  308,  266,  158,  267,  267,  267,
-      267,  267,  267,  417,   75,  283,   75,  445,   75,   74,
-      367,  191,  191,  191,  191,  191,  191,  191,  191,   75,
-      405,  495,  446,  191,  191,  191,  191,  191,  320,   75,
-      321,  321,  321,  321,  321,  321,  321,  321,  370,  370,
-      370,  370,  370,  371,  447,  191,  191,  191,  191,  191,
-      191,  193,  194,  195,  195,  195,  195,  195,  195,  196,
+      255,  302,  302,  302,  302,  302,  302,  302,  302,  303,
+      303,  303,  303,  303,  304,   79,  201,  170,  204,  204,
+      204,  204,  204,  205,  202,  202,  606,  366,  301,  301,
+      301,  301,  301,  301,  301,  301,  606,  170,  325,  326,
+      327,  325,  325,  325,  325,  325,  300,  501,  501,  367,
+      468,   79,   78,   79,  206,  206,  206,  206,  206,  206,
+      206,  206,  368,   79,  170,  170,  206,  206,  206,  206,
+      206,   79,  374,  255,  300,  253,  170,  283,   79,  284,
+      284,  284,  284,  284,  284,  300,   79,  420,  469,  206,
+      206,  206,  206,  206,  206,  208,  209,  210,  210,  210,
 
-       75,  485,  485,  197,  197,  197,  197,  197,  320,  403,
-      322,  322,  322,  322,  322,  322,  322,  322,  387,  387,
-      387,  387,  387,  388,  462,  197,  197,  197,  197,  197,
-      197,  158,  200,  201,  202,  200,  200,  200,  200,  200,
-      203,  492,  487,  444,  204,  204,  204,  204,  204,  320,
-      587,  323,  323,  323,  323,  323,  324,  321,  321,  446,
-      367,  497,  450,   79,  488,  445,  204,  204,  204,  204,
-      204,  204,  205,  205,  205,  205,  205,  205,  205,  205,
-      491,  447,  510,  510,  205,  205,  205,  205,  205,  292,
-      292,  292,  292,  292,  292,  292,  292,  331,  331,  331,
+      210,  210,  210,  211,  253,  170,  170,  212,  212,  212,
+      212,  212,   79,  337,  346,  338,  338,  338,  338,  338,
+      338,  338,  338,  349,  349,  349,  349,  349,  350,  487,
+      212,  212,  212,  212,  212,  212,  170,  215,  216,  217,
+      215,  215,  215,  215,  215,  218,  527,  527,  434,  219,
+      219,  219,  219,  219,  337,  375,  339,  339,  339,  339,
+      339,  339,  339,  339,  309,  309,  309,  309,  309,  309,
+      309,  309,  219,  219,  219,  219,  219,  219,  220,  220,
+      220,  220,  220,  220,  220,  220,  606,  170,   79,   79,
+      220,  220,  220,  220,  220,  337,  346,  340,  340,  340,
 
-      331,  331,  331,  331,  331,  500,  191,  191,  191,  191,
-      191,  191,  186,  451,  187,  187,  187,  187,  187,  187,
-      187,  187,  236,  158,  327,  327,  327,  327,  327,  327,
-      490,  587,  283,  330,  330,  330,  330,  330,  330,  330,
-      330,  236,  158,  546,  546,  489,   75,  186,  427,  187,
-      187,  187,  187,  187,  187,  187,  187,  319,  319,  319,
-      319,  319,  319,  319,  319,  369,  369,  369,  369,  369,
-      369,  369,  369,  377,  378,  379,  377,  377,  377,  377,
-      377,   75,  236,  158,  237,  237,  237,  237,  237,  237,
-      237,  237,  238,  158,  367,  487,  239,  239,  239,  239,
+      340,  340,  341,  338,  338,  348,  348,  348,  348,  348,
+      348,  348,  348,  206,  206,  206,  206,  206,  206,  201,
+      550,  202,  202,  202,  202,  202,  202,  202,  202,  253,
+      170,  344,  344,  344,  344,  344,  344,  548,  606,  300,
+      347,  347,  347,  347,  347,  347,  347,  347,  387,  387,
+      387,  387,  387,  388,   79,  201,  547,  202,  202,  202,
+      202,  202,  202,  202,  202,  336,  336,  336,  336,  336,
+      336,  336,  336,  386,  386,  386,  386,  386,  386,  386,
+      386,  394,  395,  396,  394,  394,  394,  394,  394,  358,
+       79,  253,  170,  254,  254,  254,  254,  254,  254,  254,
 
-      239,  587,  283,  368,  368,  368,  368,  368,  368,  368,
-      368,  420,  420,  420,  420,  420,  421,  488,  239,  239,
-      239,  239,  239,  239,  158,  243,  244,  245,  243,  243,
-      243,  243,  243,  246,  158,  314,  527,  247,  247,  247,
-      247,  247,  320,  329,  321,  321,  321,  321,  321,  321,
-      321,  321,  556,   79,  564,  564,  236,  158,  528,  247,
-      247,  247,  247,  247,  247,  266,  283,  267,  267,  267,
-      267,  267,  267,  267,  267,  320,  365,  321,  321,  321,
-      321,  321,  321,  321,  321,  320,  367,  321,  321,  321,
-      321,  321,  321,  438,  438,  438,  438,  438,  439,   75,
+      254,  255,  253,  170,  546,  256,  256,  256,  256,  256,
+      606,  359,  385,  385,  385,  385,  385,  385,  385,  385,
+      337,  170,  338,  338,  338,  338,  338,  338,  256,  256,
+      256,  256,  256,  256,  170,  260,  261,  262,  260,  260,
+      260,  260,  260,  263,  170,  565,  565,  264,  264,  264,
+      264,  264,  337,  300,  338,  338,  338,  338,  338,  338,
+      338,  338,  355,  355,  355,  355,  355,  355,  355,  355,
+      264,  264,  264,  264,  264,  264,  283,  434,  284,  284,
+      284,  284,  284,  284,  284,  284,  337,  364,  338,  338,
+      338,  338,  338,  338,  338,  338,  253,  170,  399,  399,
 
-      266,   75,  268,  268,  268,  268,  268,  268,  268,  268,
-      236,  158,  338,  338,  338,  338,  338,  338,  338,  338,
-      329,  587,  158,  236,  158,  382,  382,  382,  382,  382,
-      382,  329,  455,  329,   75,  266,  449,  269,  269,  269,
-      269,  269,  270,  267,  267,  386,  386,  386,  386,  386,
-      386,  386,  386,  587,  365,  385,  385,  385,  385,  385,
-      385,  385,  385,  448,  417,   75,   75,  134,  134,   75,
-      236,  158,  281,  281,  281,  281,  281,  281,  281,  281,
-      238,  236,  158,  282,  282,  282,  282,  282,  282,  282,
-      282,  283,  443,  442,  527,  284,  284,  284,  284,  284,
+      399,  399,  399,  399,  170,  597,  346,  575,   83,  365,
+      597,   79,  283,  346,  285,  285,  285,  285,  285,  285,
+      285,  285,  403,  403,  403,  403,  403,  403,  403,  403,
+      404,  404,  404,  404,  404,  405,  606,  366,  402,  402,
+      402,  402,  402,  402,  402,  402,   79,   79,  283,  170,
+      286,  286,  286,  286,  286,  287,  284,  284,  346,  367,
+      461,  606,  422,  428,  429,  430,  428,  428,  428,  428,
+      428,  384,  170,  423,  424,  425,  426,  423,  423,  423,
+      423,  401,  462,   79,  253,  170,  298,  298,  298,  298,
+      298,  298,  298,  298,  255,  253,  170,  299,  299,  299,
 
-      535,  406,  407,  408,  409,  406,  406,  406,  406,  358,
-      359,  359,  359,  359,  359,  359,  528,  284,  284,  284,
-      284,  284,  284,  158,  288,  289,  290,  288,  288,  288,
-      288,  288,  291,   75,   75,  553,  292,  292,  292,  292,
-      292,  587,   75,  411,  412,  413,  411,  411,  411,  411,
-      411,  417,  441,  440,  314,  236,  158,  554,  292,  292,
-      292,  292,  292,  292,  266,  329,  267,  267,  267,  267,
-      267,  267,  267,  267,  376,  376,  376,  376,  376,  376,
-      376,  376,  419,  419,  419,  419,  419,  419,  419,  419,
-      236,  158,  474,  474,  474,  474,  474,  475,   75,  266,
+      299,  299,  299,  299,  299,  300,   79,  463,  503,  301,
+      301,  301,  301,  301,  375,  376,  376,  376,  376,  376,
+      376,  393,  393,  393,  393,  393,  393,  393,  393,  464,
+      504,  384,  301,  301,  301,  301,  301,  301,  170,  305,
+      306,  307,  305,  305,  305,  305,  305,  308,   79,  583,
+      583,  309,  309,  309,  309,  309,  436,  436,  436,  436,
+      436,  436,  436,  436,  437,  437,  437,  437,  437,  438,
+      478,  253,  170,  508,  309,  309,  309,  309,  309,  309,
+      283,  346,  284,  284,  284,  284,  284,  284,  284,  284,
+      606,  382,  435,  435,  435,  435,  435,  435,  435,  435,
 
-      384,  267,  267,  267,  267,  267,  267,  267,  267,  587,
-      234,  418,  418,  418,  418,  418,  418,  418,  418,  427,
-      158,  428,  428,  428,  428,  428,  428,  428,  428,  329,
-      505,  505,  505,   75,  315,  316,  317,  315,  315,  315,
-      315,  315,  318,  158,  453,  401,  319,  319,  319,  319,
-      319,  427,  384,  429,  429,  429,  429,  429,  429,  429,
-      429,  400,   75,  398,  453,  397,  453,  453,  319,  319,
-      319,  319,  319,  319,  236,  158,  327,  327,  327,  327,
-      327,  327,  327,  327,  283,  236,  158,  328,  328,  328,
-      328,  328,  328,  328,  328,  329,  553,  566,  566,  330,
+      444,  384,  445,  445,  445,  445,  445,  445,  445,  445,
+      507,  472,  144,  144,   83,   79,  283,  382,  284,  284,
+      284,  284,  284,  284,  284,  284,  444,  434,  446,  446,
+      446,  446,  446,  446,  446,  446,  444,  606,  447,  447,
+      447,  447,  447,  448,  445,  445,   79,  434,  461,  506,
+      505,   79,  332,  333,  334,  332,  332,  332,  332,  332,
+      335,  253,  170,  444,  336,  336,  336,  336,  336,  510,
+      462,  401,  409,  409,  409,  409,  409,  409,  409,  409,
+      455,  455,  455,  455,  455,  456,  384,  336,  336,  336,
+      336,  336,  336,  253,  170,  344,  344,  344,  344,  344,
 
-      330,  330,  330,  330,  427,  365,  430,  430,  430,  430,
-      430,  431,  428,  428,  396,  417,  395,  587,  554,  567,
-      567,  330,  330,  330,  330,  330,  330,  158,  334,  335,
-      336,  334,  334,  334,  334,  334,  337,  394,  393,  320,
-      338,  338,  338,  338,  338,  392,  392,  392,  392,  392,
-      392,  392,  392,  437,  437,  437,  437,  437,  437,  437,
-      437,  498,  338,  338,  338,  338,  338,  338,  358,  359,
-      359,  359,  359,  359,  359,  359,  359,  587,  158,  236,
-      158,  434,  434,  434,  434,  434,  434,  384,  587,  384,
-      436,  436,  436,  436,  436,  436,  436,  436,  569,  314,
+      344,  344,  344,  300,  253,  170,  345,  345,  345,  345,
+      345,  345,  345,  345,  346,  606,  170,  463,  347,  347,
+      347,  347,  347,   79,  472,  401,  253,  170,  451,  451,
+      451,  451,  451,  451,  331,  503,  401,   79,  511,  464,
+      466,  347,  347,  347,  347,  347,  347,  170,  351,  352,
+      353,  351,  351,  351,  351,  351,  354,  504,  465,   79,
+      355,  355,  355,  355,  355,  454,  454,  454,  454,  454,
+      454,  454,  454,  606,   79,  453,  453,  453,  453,  453,
+      453,  453,  453,  355,  355,  355,  355,  355,  355,  375,
+      376,  376,  376,  376,  376,  376,  376,  376,  470,  478,
 
-      234,   75,  358,  360,  360,  360,  360,  360,  360,  360,
-      360,  453,  462,  196,  463,  463,  463,  463,  463,  463,
-      463,  463,  426,  426,  426,  426,  426,  426,  426,  426,
-      353,  453,   75,  453,  454,   75,  358,  361,  361,  361,
-      361,  361,  362,  359,  359,  462,  352,  464,  464,  464,
-      464,  464,  464,  464,  464,   75,  462,  365,  465,  465,
-      465,  465,  465,  466,  463,  463,  346,  471,  345,   75,
-      365,  587,  366,  366,  366,  366,  366,  366,  366,  366,
-      367,  471,  340,  339,  368,  368,  368,  368,  368,  473,
-      473,  473,  473,  473,  473,  473,  473,  481,  482,  483,
+      544,  479,  479,  479,  479,  479,  479,  479,  479,  443,
+      443,  443,  443,  443,  443,  443,  443,  460,  470,  459,
+      470,  471,  545,   79,  375,  377,  377,  377,  377,  377,
+      377,  377,  377,  478,  470,  480,  480,  480,  480,  480,
+      480,  480,  480,   79,  478,  382,  481,  481,  481,  481,
+      481,  482,  479,  479,  470,  434,  470,  470,   79,  375,
+      378,  378,  378,  378,  378,  379,  376,  376,  489,  489,
+      489,  489,  489,  489,  489,  489,  490,  490,  490,  490,
+      490,  491,  606,  170,  488,  488,  488,  488,  488,  488,
+      488,  488,  401,   79,  382,  382,  383,  383,  383,  383,
 
-      481,  481,  481,  481,  481,  314,  368,  368,  368,  368,
-      368,  368,  372,  373,  374,  372,  372,  372,  372,  372,
-      375,  158,  234,  196,  376,  376,  376,  376,  376,  587,
-      384,  472,  472,  472,  472,  472,  472,  472,  472,  587,
-      455,  196,  505,  505,  505,  259,  376,  376,  376,  376,
-      376,  376,  236,  158,  382,  382,  382,  382,  382,  382,
-      382,  382,  329,  236,  158,  383,  383,  383,  383,  383,
-      383,  383,  383,  384,   75,  303,  302,  385,  385,  385,
-      385,  385,  427,  498,  428,  428,  428,  428,  428,  428,
-      428,  428,  516,  516,  516,  516,  516,  517,  300,  385,
+      383,  383,  383,  383,  384,  487,  458,  457,  385,  385,
+      385,  385,  385,  497,  498,  499,  497,  497,  497,  497,
+      497,  444,  331,  445,  445,  445,  445,  445,  445,  445,
+      445,  385,  385,  385,  385,  385,  385,  389,  390,  391,
+      389,  389,  389,  389,  389,  392,  251,  418,  417,  393,
+      393,  393,  393,  393,  444,  606,  445,  445,  445,  445,
+      445,  445,  445,  445,  444,  487,  445,  445,  445,  445,
+      445,  445,  393,  393,  393,  393,  393,  393,  253,  170,
+      399,  399,  399,  399,  399,  399,  399,  399,  346,  253,
+      170,  400,  400,  400,  400,  400,  400,  400,  400,  401,
 
-      385,  385,  385,  385,  385,  158,  389,  390,  391,  389,
-      389,  389,  389,  389,  236,  158,  299,  298,  392,  392,
-      392,  392,  392,  427,  384,  428,  428,  428,  428,  428,
-      428,  428,  428,  587,  551,  551,  551,  551,  551,  552,
-      392,  392,  392,  392,  392,  392,  358,  359,  359,  359,
-      359,  359,  359,  359,  359,  427,  297,  428,  428,  428,
-      428,  428,  428,  450,   79,  501,  502,  503,  501,  501,
-      501,  501,  501,  296,  295,  294,  493,  500,  293,   75,
-      358,  359,  359,  359,  359,  359,  359,  359,  359,  506,
-      507,  508,  506,  506,  506,  506,  506,   75,  462,  365,
+      253,  170,  382,  402,  402,  402,  402,  402,  467,   83,
+      401,  513,  487,  514,  515,  516,  513,  415,  514,  515,
+      516,  509,  544,  414,  554,  588,  402,  402,  402,  402,
+      402,  402,  170,  406,  407,  408,  406,  406,  406,  406,
+      406,  413,  572,  572,  545,  409,  409,  409,  409,  409,
+      520,  521,  522,  520,  520,  520,  520,  520,  517,   79,
+       79,  412,  411,  519,  573,  573,  410,  337,  409,  409,
+      409,  409,  409,  409,  375,  376,  376,  376,  376,  376,
+      376,  376,  376,   79,  472,  331,  473,  473,  473,  473,
+      473,  473,  523,  524,  525,  523,  523,  523,  523,  523,
 
-      463,  463,  463,  463,  463,  463,  463,  463,  275,  471,
-      234,  196,  271,   75,  365,  196,  415,  415,  415,  415,
-      415,  415,  415,  415,  367,  365,  365,  416,  416,  416,
-      416,  416,  416,  416,  416,  417,  513,   98,  259,  418,
-      418,  418,  418,  418,  462,  587,  463,  463,  463,  463,
-      463,  463,  463,  463,  261,  513,  259,  260,  259,  257,
-      256,  418,  418,  418,  418,  418,  418,  422,  423,  424,
-      422,  422,  422,  422,  422,  425,  255,  254,  253,  426,
-      426,  426,  426,  426,  462,  252,  463,  463,  463,  463,
-      463,  463,  480,  480,  480,  480,  480,  480,  480,  480,
+      478,  251,  479,  479,  479,  479,  479,  479,   79,  375,
+      376,  376,  376,  376,  376,  376,  376,  376,  478,   79,
+      479,  479,  479,  479,  479,  479,  479,  479,  478,  382,
+      479,  479,  479,  479,  479,  479,  479,  479,  211,  530,
+      370,  369,  363,   79,  382,  585,  432,  432,  432,  432,
+      432,  432,  432,  432,  384,  382,  606,  433,  433,  433,
+      433,  433,  433,  433,  433,  434,  530,  586,  585,  435,
+      435,  435,  435,  435,  496,  496,  496,  496,  496,  496,
+      496,  496,  532,  532,  532,  532,  532,  532,  532,  532,
+      586,  362,  435,  435,  435,  435,  435,  435,  439,  440,
 
-       92,  426,  426,  426,  426,  426,  426,  236,  158,  434,
-      434,  434,  434,  434,  434,  434,  434,  384,  236,  158,
-      435,  435,  435,  435,  435,  435,  435,  435,  196,  234,
-      196,   98,  436,  436,  436,  436,  436,  515,  515,  515,
-      515,  515,  515,  515,  515,  158,  522,  522,  522,  522,
-      522,  522,  522,  522,  436,  436,  436,  436,  436,  436,
-      455,  365,  456,  456,  456,  456,  456,  456,  456,  456,
-      587,  513,  514,  514,  514,  514,  514,  514,  514,  514,
-      158,  523,  523,  523,  523,  523,  523,  523,  523,   79,
-      184,  222,  219,  218,   75,  455,  217,  457,  457,  457,
+      441,  439,  439,  439,  439,  439,  442,  357,  356,  331,
+      443,  443,  443,  443,  443,  533,  533,  533,  533,  533,
+      534,  606,  382,  531,  531,  531,  531,  531,  531,  531,
+      531,  251,  530,  443,  443,  443,  443,  443,  443,  253,
+      170,  451,  451,  451,  451,  451,  451,  451,  451,  401,
+      253,  170,  452,  452,  452,  452,  452,  452,  452,  452,
+      211,  211,  276,  320,  453,  453,  453,  453,  453,  170,
+      539,  539,  539,  539,  539,  539,  539,  539,  170,  540,
+      540,  540,  540,  540,  540,  540,  540,  453,  453,  453,
+      453,  453,  453,  472,  319,  473,  473,  473,  473,  473,
 
-      457,  457,  457,  457,  457,  158,  524,  524,  524,  524,
-      524,  525,  522,  522,  556,   79,  216,  215,  496,  213,
-      212,  496,  496,  211,  496,  496,  210,  568,  496,   75,
-      455,  209,  458,  458,  458,  458,  458,  459,  460,  460,
-      496,  496,  496,  540,  208,  541,  541,  541,  541,  541,
-      541,  541,  541,  499,  207,  206,  499,  499,   98,  499,
-      499,   90,  150,  499,   75,  455,   79,  461,  461,  461,
-      456,  456,  456,  456,  456,  499,  499,  499,   79,  184,
-      504,  504,  504,  504,  504,  504,  504,  504,  540,  141,
-      542,  542,  542,  542,  542,  542,  542,  542,  142,   75,
+      473,  473,  473,  170,  541,  541,  541,  541,  541,  542,
+      539,  539,  606,  317,  606,  606,  606,  575,   83,  513,
+      316,  514,  515,  516,  315,  314,  313,  312,   79,  472,
+      587,  474,  474,  474,  474,  474,  474,  474,  474,  606,
+      311,  514,  515,  516,  606,  310,  606,  606,  516,  292,
+      606,  251,  606,  606,  606,  211,  288,  211,  103,  517,
+      276,  278,  276,  277,   79,  472,  517,  475,  475,  475,
+      475,  475,  476,  477,  477,  552,  276,  274,  553,  553,
+      553,  553,  553,  553,  553,  553,  517,  273,  272,  271,
+      270,  517,  269,   97,  211,  512,  512,  519,  251,  512,
 
-      365,  136,  469,  469,  469,  469,  469,  469,  469,  469,
-      417,  365,   75,  470,  470,  470,  470,  470,  470,  470,
-      470,  471,  136,  128,  182,  472,  472,  472,  472,  472,
-      540,  121,  543,  543,  543,  543,  543,  544,  541,  541,
-      158,  522,  522,  522,  522,  522,  522,  472,  472,  472,
-      472,  472,  472,  476,  477,  478,  476,  476,  476,  476,
-      476,  479,  175,  174,  173,  480,  480,  480,  480,  480,
-      521,  521,  521,  521,  521,  521,  521,  521,  550,  550,
-      550,  550,  550,  550,  550,  550,  172,  480,  480,  480,
-      480,  480,  480,  236,  158,  486,  486,  486,  486,  486,
+       79,  472,  211,  477,  477,  477,  473,  473,  473,  473,
+      473,  512,  512,  512,  518,  518,  103,  559,  518,  560,
+      560,  560,  560,  560,  560,  560,  560,   83,  199,  239,
+      518,  518,  518,  236,  235,  234,   79,  382,  233,  485,
+      485,  485,  485,  485,  485,  485,  485,  434,  382,  232,
+      486,  486,  486,  486,  486,  486,  486,  486,  487,  230,
+      229,  228,  488,  488,  488,  488,  488,  559,  227,  561,
+      561,  561,  561,  561,  561,  561,  561,  538,  538,  538,
+      538,  538,  538,  538,  538,  488,  488,  488,  488,  488,
+      488,  492,  493,  494,  492,  492,  492,  492,  492,  495,
 
-      486,  486,  486,  455,  171,  460,  460,  460,  460,  460,
-      460,  460,  460,  587,  169,  549,  549,  549,  549,  549,
-      549,  549,  549,  158,  522,  522,  522,  522,  522,  522,
-      522,  522,  168,  163,  162,   98,   74,   75,  455,   98,
-      460,  460,  460,  460,  460,  460,  460,  460,  158,  522,
-      522,  522,  522,  522,  522,  522,  522,  557,  558,  559,
-      557,  557,  557,  557,  557,  574,  574,  574,  574,  574,
-      574,  151,   75,  455,   86,  460,  460,  460,  460,  460,
-      460,  504,  504,  150,   79,   77,   76,   75,  535,   75,
-      536,  536,  536,  536,  536,  536,  560,  561,  562,  560,
+      226,  225,  224,  496,  496,  496,  496,  496,  559,  223,
+      562,  562,  562,  562,  562,  563,  560,  560,  569,  569,
+      569,  569,  569,  569,  569,  569,  496,  496,  496,  496,
+      496,  496,  253,  170,  502,  502,  502,  502,  502,  502,
+      502,  502,  472,  222,  473,  473,  473,  473,  473,  473,
+      473,  473,  570,  570,  570,  570,  570,  571,  606,  221,
+      568,  568,  568,  568,  568,  568,  568,  568,  170,  539,
+      539,  539,  539,  539,  539,  539,  539,   79,  472,  103,
+      473,  473,  473,  473,  473,  473,  473,  473,  170,  539,
+      539,  539,  539,  539,  539,  539,  539,  170,  539,  539,
 
-      560,  560,  560,  560,  142,  136,  128,   75,  455,  121,
-      504,  504,  504,  504,  504,  504,  504,  504,  120,  119,
-      118,  540,   75,  541,  541,  541,  541,  541,  541,  541,
-      541,  540,  117,  541,  541,  541,  541,  541,  541,  541,
-      541,  116,   75,  365,  105,  511,  511,  511,  511,  511,
-      511,  511,  511,  471,  365,  104,  512,  512,  512,  512,
-      512,  512,  512,  512,  513,  103,  102,  101,  514,  514,
-      514,  514,  514,  540,   98,  541,  541,  541,  541,  541,
-      541,  574,  574,  574,  574,  574,  574,  574,  574,   86,
-      514,  514,  514,  514,  514,  514,  518,  519,  520,  518,
+      539,  539,  539,  539,  553,  553,  553,  553,  553,  553,
+      553,  553,   95,   79,  382,   83,  528,  528,  528,  528,
+      528,  528,  528,  528,  487,  382,   83,  529,  529,  529,
+      529,  529,  529,  529,  529,  530,  199,  151,  152,  531,
+      531,  531,  531,  531,  553,  553,  553,  553,  553,  553,
+      553,  553,  576,  577,  578,  576,  576,  576,  576,  576,
+      146,  146,  531,  531,  531,  531,  531,  531,  535,  536,
+      537,  535,  535,  535,  535,  535,  138,  197,  132,  132,
+      538,  538,  538,  538,  538,   79,  554,  190,  555,  555,
+      555,  555,  555,  555,  579,  580,  581,  579,  579,  579,
 
-      518,  518,  518,  518,   77,   76,   75,  587,  521,  521,
-      521,  521,  521,  365,  587,  565,  565,  565,  565,  565,
-      565,  565,  565,  587,  587,  587,  587,  587,  587,  587,
-      521,  521,  521,  521,  521,  521,  535,  587,  536,  536,
-      536,  536,  536,  536,  536,  536,  575,  575,  575,  575,
-      575,  575,  575,  575,  576,  576,  576,  576,  576,  577,
-      574,  574,  581,  582,  583,  581,  581,  581,  581,  581,
-       75,  535,  587,  537,  537,  537,  537,  537,  537,  537,
-      537,  587,  569,  587,  570,  570,  570,  570,  570,  570,
-      587,  587,  587,  587,   75,  574,  574,  574,  574,  574,
+      579,  579,  189,  538,  538,  538,  538,  538,  538,  554,
+      188,  555,  555,  555,  555,  555,  555,  555,  555,  187,
+      559,   79,  560,  560,  560,  560,  560,  560,  560,  560,
+      559,  186,  560,  560,  560,  560,  560,  560,  560,  560,
+      184,  183,  182,  181,   79,  554,  176,  556,  556,  556,
+      556,  556,  556,  556,  556,  559,  175,  560,  560,  560,
+      560,  560,  560,  382,  174,  584,  584,  584,  584,  584,
+      584,  584,  584,  593,  593,  593,  593,  593,  593,  103,
+       79,  554,   78,  557,  557,  557,  557,  557,  558,  555,
+      555,  593,  593,  593,  593,  593,  593,  593,  593,  594,
 
-      574,  574,  574,  587,  587,   75,  535,  587,  538,  538,
-      538,  538,  538,  539,  536,  536,   75,  574,  574,  574,
-      574,  574,  574,  574,  574,  587,  587,  587,  587,  587,
-      584,  584,  584,  584,  584,  584,  584,  584,  587,  587,
-       75,  365,  587,  547,  547,  547,  547,  547,  547,  547,
-      547,  513,  365,  587,  548,  548,  548,  548,  548,  548,
-      548,  548,   75,  587,  587,  587,  549,  549,  549,  549,
-      549,  587,  581,  581,  581,  581,  581,  581,  581,  581,
-      585,  585,  585,  585,  585,  586,  584,  584,  549,  549,
-      549,  549,  549,  549,  535,  587,  536,  536,  536,  536,
+      594,  594,  594,  594,  594,  594,  594,  595,  595,  595,
+      595,  595,  596,  593,  593,  103,   79,  382,  163,  566,
+      566,  566,  566,  566,  566,  566,  566,  530,  382,   91,
+      567,  567,  567,  567,  567,  567,  567,  567,   83,   81,
+       80,   79,  568,  568,  568,  568,  568,  152,  600,  601,
+      602,  600,  600,  600,  600,  600,  588,  146,  589,  589,
+      589,  589,  589,  589,  138,  568,  568,  568,  568,  568,
+      568,  554,  132,  555,  555,  555,  555,  555,  555,  555,
+      555,   79,  593,  593,  593,  593,  593,  593,  593,  593,
+      128,   79,  593,  593,  593,  593,  593,  593,  593,  593,
 
-      536,  536,  536,  536,   75,  587,  587,  587,  587,  587,
-      587,  587,   75,  584,  584,  584,  584,  584,  584,  584,
-      584,  584,  584,  584,  584,  584,  584,  587,   75,  535,
-      587,  536,  536,  536,  536,  536,  536,  536,  536,  587,
-      587,  587,  587,  587,  587,   75,  587,  587,  587,  587,
-      587,  587,  587,   75,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,   75,  569,  587,  570,  570,  570,  570,
-      570,  570,  570,  570,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,   75,  569,
+      126,  113,  112,  111,  110,  109,   79,  554,  108,  555,
+      555,  555,  555,  555,  555,  555,  555,  105,  103,   91,
+      603,  603,  603,  603,  603,  603,  603,  603,  600,  600,
+      600,  600,  600,  600,  600,  600,   81,   80,   79,  606,
+      606,  606,   79,  588,  606,  589,  589,  589,  589,  589,
+      589,  589,  589,   79,  606,  606,  606,  606,  606,  606,
+      606,   79,  604,  604,  604,  604,  604,  605,  603,  603,
+      603,  603,  603,  603,  603,  603,  603,  603,   79,  588,
+      606,  590,  590,  590,  590,  590,  590,  590,  590,  606,
+      606,  606,  606,  606,  606,   79,  603,  603,  603,  603,
 
-      587,  571,  571,  571,  571,  571,  571,  571,  571,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,   75,  569,  587,  572,  572,  572,  572,
-      572,  573,  570,  570,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,   75,  569,
-      587,  570,  570,  570,  570,  570,  570,  570,  570,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
+      603,  603,  606,   79,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,   79,  588,  606,  591,  591,  591,
+      591,  591,  592,  589,  589,  606,  606,  606,  606,   79,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+       79,  588,  606,  589,  589,  589,  589,  589,  589,  589,
+      589,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,   79,  588,  606,  589,
+      589,  589,  589,  589,  589,  589,  589,  606,  606,  606,
 
-      587,  587,  587,   75,  569,  587,  570,  570,  570,  570,
-      570,  570,  570,  570,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,   75,   53,
-       53,   53,   53,   53,   53,   53,   53,   53,   53,   53,
-       53,   53,   53,   18,   18,   18,   18,   18,   18,   18,
-       18,   18,   18,   18,   18,   18,   18,   62,   62,   62,
-       62,   62,   62,   62,   62,   62,   62,   62,   62,   62,
-       62,   69,   69,   69,   69,   69,   69,   69,   69,   69,
-       69,   69,   69,   69,   69,   74,  587,  587,  587,  587,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,   79,   57,   57,   57,   57,   57,   57,   57,
+       57,   57,   57,   57,   57,   57,   57,   57,   57,   31,
+       31,   31,   31,   31,   31,   31,   31,   31,   31,   31,
+       31,   31,   31,   31,   31,   66,   66,   66,   66,   66,
+       66,   66,   66,   66,   66,   66,   66,   66,   66,   66,
+       66,   73,   73,   73,   73,   73,   73,   73,   73,   73,
+       73,   73,   73,   73,   73,   73,   73,   78,  606,  606,
+      606,  606,  606,  606,  606,   78,   78,   78,  606,  606,
 
-      587,   74,   74,   74,  587,  587,   74,   74,   74,   78,
-       78,   78,   78,   78,   78,   78,   78,   78,   78,   78,
-       78,   78,   78,   82,  587,  587,  587,  587,  587,   82,
-       82,   82,   82,  587,   82,   82,   82,   85,  587,  587,
-      587,  587,  587,   85,   85,   85,  587,  587,   85,   85,
-       85,   87,  587,  587,   87,   87,   87,   87,   87,   87,
-      587,  587,   87,   87,   87,   97,   97,  587,  587,  587,
-       97,  123,  587,  587,  123,  123,  123,  123,  123,  123,
-      587,  587,  123,  123,  123,  127,  587,  587,  127,  127,
-      127,  127,  127,  127,  587,  127,  587,  127,  127,  135,
+       78,   78,   78,   82,   82,   82,   82,   82,   82,   82,
+       82,   82,   82,   82,   82,   82,   82,   82,   82,   86,
+      606,  606,  606,  606,   86,  606,  606,   86,   86,   86,
+       86,  606,   86,   86,   86,   90,  606,  606,  606,  606,
+      606,  606,  606,   90,   90,   90,  606,  606,   90,   90,
+       90,   92,  606,  606,   92,   92,  606,   92,  606,   92,
+       92,   92,  606,  606,   92,   92,   92,  102,  102,  606,
+      606,  606,  102,  133,  606,  606,  133,  133,  606,  133,
+      606,  133,  133,  133,  606,  606,  133,  133,  133,  137,
+      606,  606,  137,  137,  606,  137,  606,  137,  137,  137,
 
-      587,  587,  135,  587,  135,  135,  135,  135,  135,  587,
-      135,  135,  135,  139,  139,  139,  139,  139,  139,  139,
-      139,  139,  139,  139,  139,  139,  139,  141,  141,  587,
-      141,  587,  141,  141,  141,  141,  141,  141,  141,  141,
-      141,  147,  147,  147,  147,  147,  147,  147,  147,  147,
-      147,  147,  147,  147,  147,  148,  148,  587,  148,  148,
-      148,  148,  148,  148,  148,  148,  148,  148,  148,  149,
-      587,  587,  587,  587,  587,  149,  149,  149,  587,  587,
-      149,  149,  149,   88,  587,  587,   88,   88,   88,   88,
-       88,   88,  587,  587,   88,   88,   88,  157,  157,  587,
+      606,  137,  606,  137,  137,  145,  606,  606,  145,  606,
+      606,  145,  606,  145,  145,  145,  145,  606,  145,  145,
+      145,  149,  149,  149,  149,  149,  149,  149,  149,  149,
+      149,  149,  149,  149,  149,  149,  149,  151,  151,  606,
+      151,  606,  151,  151,  151,  151,  151,  151,  151,  151,
+      151,  151,  151,  157,  157,  157,  157,  157,  157,  157,
+      157,  157,  157,  157,  157,  157,  157,  157,  157,  158,
+      158,  606,  158,  158,  158,  158,  158,  158,  158,  158,
+      158,  158,  158,  158,  158,  161,  606,  606,  606,  606,
+      161,  606,  606,  161,  161,  161,  606,  606,  161,  161,
 
-      587,  587,  157,  159,  159,  159,  587,  587,  587,  159,
-      124,  587,  587,  124,  124,  124,  124,  124,  124,  587,
-      587,  124,  124,  124,  185,  185,  185,  185,  185,  185,
-      185,  185,  185,  185,  185,  185,  185,  185,  192,  192,
-      587,  587,  587,  192,  198,  198,  198,  587,  587,  587,
-      198,  228,  228,  587,  587,  587,  228,  229,  229,  587,
-      587,  587,  229,  233,  233,  587,  587,  587,  233,  235,
-      235,  235,  587,  587,  587,  235,  271,  271,  587,  587,
-      587,  271,  273,  273,  587,  587,  587,  273,  274,  274,
-      587,  587,  587,  274,  276,  276,  276,  587,  587,  587,
+      161,   93,  606,  606,   93,   93,  606,   93,  606,   93,
+       93,   93,  606,  606,   93,   93,   93,  169,  169,  606,
+      606,  606,  169,  171,  171,  171,  606,  606,  606,  171,
+      134,  606,  606,  134,  134,  606,  134,  606,  134,  134,
+      134,  606,  606,  134,  134,  134,  200,  200,  200,  200,
+      200,  200,  200,  200,  200,  200,  200,  200,  200,  200,
+      200,  200,  207,  207,  606,  606,  606,  207,  213,  213,
+      213,  606,  606,  606,  213,  245,  245,  606,  606,  606,
+      245,  246,  246,  606,  606,  606,  246,  250,  250,  606,
+      606,  606,  250,  252,  252,  252,  606,  606,  606,  252,
 
-      276,  280,  280,  280,  280,  587,  587,  587,  280,  311,
-      311,  587,  587,  587,  311,  312,  312,  587,  587,  587,
-      312,  313,  313,  587,  587,  587,  313,  325,  325,  325,
-      587,  587,  587,  325,  326,  326,  326,  326,  587,  587,
-      587,  326,  363,  363,  587,  587,  587,  363,  364,  364,
-      587,  587,  587,  364,  380,  380,  380,  587,  587,  587,
-      380,  381,  381,  381,  381,  587,  587,  587,  381,  410,
-      410,  587,  587,  587,  410,  414,  587,  414,  414,  587,
-      587,  587,  414,  432,  432,  432,  587,  587,  587,  432,
-      433,  433,  433,  433,  587,  587,  587,  433,  467,  467,
+      288,  288,  606,  606,  606,  288,  290,  290,  606,  606,
+      606,  290,  291,  291,  606,  606,  606,  291,  293,  293,
+      293,  606,  606,  606,  293,  297,  297,  297,  297,  606,
+      606,  606,  297,  328,  328,  606,  606,  606,  328,  329,
+      329,  606,  606,  606,  329,  330,  330,  606,  606,  606,
+      330,  342,  342,  342,  606,  606,  606,  342,  343,  343,
+      343,  343,  606,  606,  606,  343,  380,  380,  606,  606,
+      606,  380,  381,  381,  606,  606,  606,  381,  397,  397,
+      397,  606,  606,  606,  397,  398,  398,  398,  398,  606,
+      606,  606,  398,  427,  427,  606,  606,  606,  427,  431,
 
-      587,  587,  587,  467,  468,  587,  468,  468,  587,  587,
-      587,  468,  484,  484,  484,  587,  587,  587,  484,  485,
-      485,  485,  587,  587,  587,  587,  485,  496,  587,  587,
-      496,  587,  587,  496,  496,  496,  587,  587,  496,  496,
-      496,  499,  587,  587,  499,  587,  587,  499,  499,  499,
-      587,  587,  499,  499,  499,  509,  509,  587,  587,  587,
-      509,  510,  587,  510,  510,  587,  587,  587,  510,  526,
-      526,  587,  587,  587,  587,  526,  532,  532,  532,  532,
-      532,  532,  532,  532,  532,  532,  532,  532,  532,  532,
-      545,  545,  587,  587,  587,  545,  546,  587,  546,  546,
+      606,  431,  431,  606,  606,  606,  431,  449,  449,  449,
+      606,  606,  606,  449,  450,  450,  450,  450,  606,  606,
+      606,  450,  483,  483,  606,  606,  606,  483,  484,  606,
+      484,  484,  606,  606,  606,  484,  500,  500,  500,  606,
+      606,  606,  500,  501,  501,  501,  606,  606,  606,  606,
+      501,  512,  512,  606,  512,  512,  512,  606,  606,  512,
+      512,  512,  606,  606,  512,  512,  512,  518,  518,  606,
+      518,  518,  518,  606,  606,  518,  518,  518,  606,  606,
+      518,  518,  518,  526,  526,  606,  606,  606,  526,  527,
+      606,  527,  527,  606,  606,  606,  527,  543,  543,  606,
 
-      587,  587,  587,  546,  563,  563,  587,  587,  587,  563,
-      564,  587,  564,  587,  587,  587,  587,  564,  579,  579,
-      579,  579,  579,  579,  579,  579,  579,  579,  579,  579,
-      579,  579,   13,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587
+      606,  606,  606,  543,  549,  549,  549,  549,  549,  549,
+      549,  549,  549,  549,  549,  549,  549,  549,  549,  549,
+      564,  564,  606,  606,  606,  564,  565,  606,  565,  565,
+      606,  606,  606,  565,  582,  582,  606,  606,  606,  582,
+      583,  606,  583,  606,  606,  606,  606,  583,  598,  598,
+      598,  598,  598,  598,  598,  598,  598,  598,  598,  598,
+      598,  598,  598,  598,   13,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
 
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606
     } ;
 
-static yyconst short int yy_chk[3699] =
+static yyconst short int yy_chk[3732] =
     {   0,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
@@ -973,407 +982,411 @@
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
         1,    1,    1,    1,    1,    1,    1,    1,    1,    1,
-        1,    1,    1,    1,    1,    2,    3,   20,    2,    2,
-        3,    4,   60,   60,    4,    4,    5,    5,    5,    3,
-        5,   68,   68,   40,    4,   64,    5,   11,   11,   11,
-       11,   20,   52,    2,    2,   66,  115,    2,    5,    5,
+        1,    1,    1,    1,    1,    1,    2,   44,    3,   34,
+        2,  103,    3,    4,   47,   20,  126,    4,    3,   34,
+      103,    3,   52,    4,   44,   48,    4,   11,   11,   11,
+       11,  126,   52,   20,    2,    2,   56,   47,    2,   74,
 
-       40,    6,    6,    6,    2,    6,   82,    2,   64,   52,
-       70,    6,   12,   12,   12,   12,   25,   25,   66,  116,
-       25,   25,    5,    6,    6,   73,   73,    3,   73,  584,
-       82,  116,    4,   11,   71,  106,  106,  263,   25,   27,
-       27,   27,   27,   27,   27,   27,   27,    6,    7,    7,
-        7,   41,    7,  115,  129,  129,   70,  263,   12,   98,
-       25,   28,   28,   28,   28,   28,   28,   39,   98,   39,
-       39,   39,   39,   39,   39,   39,   39,  108,   71,   41,
-       41,  106,  108,   41,   96,   96,   96,   96,   96,   96,
-       41,  133,  133,   41,    7,    7,    7,    7,    7,    7,
+        5,    5,    5,   48,    5,    2,   50,    3,    2,    3,
+        5,  603,    4,   56,    4,    6,    6,    6,   20,    6,
+       64,   64,    5,    5,   75,    6,   12,   12,   12,   12,
+        3,  196,   68,   50,   11,    4,   70,    6,    6,   25,
+       25,   72,   72,   25,   25,  196,   74,    5,   27,   27,
+       27,   27,   27,   27,   27,   27,   68,   88,  124,  127,
+       70,   25,    6,    7,    7,    7,   45,    7,  598,   75,
+      124,  127,  129,   12,   28,   28,   28,   28,   28,   28,
+      139,  139,  129,   43,   25,   43,   43,   43,   43,   43,
+       43,   43,   43,  194,   45,   45,   77,   77,   45,   77,
 
+       88,  116,  123,  114,  114,   45,  116,  153,   45,  194,
         7,    7,    7,    7,    7,    7,    7,    7,    7,    7,
-        7,    7,    8,    8,    8,   50,    8,  579,   50,   50,
-       50,   50,   50,   50,   50,   50,   80,   80,   80,   80,
-       80,   80,   80,   80,   81,   81,   81,   81,   81,   81,
-       81,   81,  117,  126,  144,  119,  145,  145,  126,   90,
-       90,   90,   90,   90,   90,   90,   90,  119,    8,    8,
+        7,    7,    7,    7,    7,    7,    7,    7,    8,    8,
+        8,   53,    8,  206,   53,   53,   53,   53,   53,   53,
+       53,   53,   84,   84,   84,   84,   84,   84,   84,   84,
+      114,   62,   62,   62,  153,   62,  154,  125,  206,   62,
+      123,   62,   85,   85,   85,   85,   85,   85,   85,   85,
+      143,  143,  202,   62,   62,    8,    8,    8,    8,    8,
         8,    8,    8,    8,    8,    8,    8,    8,    8,    8,
-        8,    8,    8,    8,    8,    8,    9,    9,    9,    9,
-        9,   90,  118,  117,  120,    9,    9,    9,  144,  170,
-      120,   51,   51,  103,  453,   51,   51,  118,  103,    9,
+        8,    8,    8,    9,    9,    9,    9,    9,   62,  125,
 
-      159,  103,  170,  103,  140,  140,   58,   58,   58,  159,
-       58,  143,  177,   51,   58,  176,   58,  177,  183,  180,
-      179,  180,    9,   10,   10,   10,   10,   10,   58,   58,
-      191,  183,   10,   10,   10,   51,  179,   84,  453,   84,
-       84,   84,  181,   84,   84,  136,   10,   84,  136,  136,
-      140,  568,   58,  198,  191,  136,  181,  143,  187,  206,
-       84,   84,  198,  565,  176,  195,  195,  195,  136,   10,
-       19,   94,   94,   94,   94,   94,   94,   94,   94,  220,
-       19,  206,  267,   19,   19,   19,   19,   19,   19,   19,
-       19,   26,  187,   26,   26,   26,   26,   26,   26,   26,
+      128,  154,    9,    9,    9,   86,  128,  202,   55,   55,
+      136,  161,   55,   55,  185,  136,    9,  101,  101,  101,
+      101,  101,  101,   86,  155,  155,  198,  185,   87,  587,
+       55,   87,   87,   87,   87,   87,   87,   87,   87,  198,
+        9,   10,   10,   10,   10,   10,  584,  171,   86,  284,
+       10,   10,   10,   55,  161,   89,  171,   89,   89,  222,
+      582,   89,   89,  222,   10,   89,  213,   95,   95,   95,
+       95,   95,   95,   95,   95,  213,   92,   92,   89,   89,
+       92,   92,  192,  195,  284,  195,  510,  192,   10,   19,
+       99,   99,   99,   99,   99,   99,   99,   99,   92,   19,
 
-       26,   26,  221,  221,  214,   26,   26,   26,   26,   26,
-      214,  207,  563,   87,   87,  207,  267,   87,   87,  202,
-      202,  202,  202,  202,  202,   26,  223,   26,   26,   26,
-       26,   26,   26,   31,  220,   87,  248,  549,  224,   31,
-      548,  223,   31,   31,  224,   31,   31,   31,   31,   31,
-       31,   31,   31,   31,   31,   31,   31,   87,  248,   31,
-       31,   31,   31,   31,   31,   31,   31,   31,   31,   31,
-       31,   31,   31,   31,   31,   31,   31,   31,   31,   31,
-       31,   31,   31,   31,   31,   31,   31,   31,   31,   31,
-       31,   31,   31,   31,   31,   31,   31,   31,   33,   33,
+       95,  221,   19,   19,   19,   19,   19,   19,   19,   19,
+       26,  191,   26,   26,   26,   26,   26,   26,   26,   26,
+       26,   92,  237,  221,   26,   26,   26,   26,   26,  100,
+      100,  100,  100,  100,  100,  100,  100,  131,  131,  131,
+      131,  131,  131,  131,  131,   26,  510,   26,   26,   26,
+       26,   26,   26,   32,  146,  238,  238,  146,  146,   32,
+      568,  191,   32,   32,  146,   32,   32,   32,   32,   32,
+       32,   32,   32,   32,   32,   32,   32,  146,  237,   32,
+       32,   32,   32,   32,   32,   32,   32,   32,   32,   32,
+       32,   32,   32,   32,   32,   32,   32,   32,   32,   32,
 
-       33,   33,   33,   33,   33,   33,   33,  306,  371,  371,
-       33,   33,   33,   33,   33,   95,   95,   95,   95,   95,
-       95,   95,   95,  306,  190,  109,  190,  190,  190,  190,
-      190,  190,   33,   33,   33,   33,   33,   33,   38,   38,
-       38,   38,   38,  235,   38,   38,  151,  296,   38,  546,
-      151,  296,  235,  109,  109,  264,  151,  109,  190,  262,
-       38,   38,   38,   43,  109,  264,  545,  109,  151,  151,
-      123,  123,  304,   43,  123,  123,   43,   43,   43,   43,
-       43,   43,   43,   43,  122,  122,  122,  122,  122,  122,
-      122,  122,  123,  132,  132,  132,  132,  132,  132,  132,
+       32,   32,   32,   32,   32,   32,   32,   32,   32,   32,
+       32,   32,   32,   32,   32,   32,   32,   32,   32,   35,
+       35,   35,   35,   35,   35,   35,   35,   35,  210,  210,
+      210,   35,   35,   35,   35,   35,  109,  231,  240,  241,
+       35,  109,  252,  231,  109,  241,  109,  117,  567,  150,
+      150,  252,  239,  240,   35,   35,   35,   35,   35,   35,
+       42,   42,   42,   42,   42,  293,   42,   42,  133,  133,
+       42,  265,  133,  133,  293,  117,  117,  239,  281,  117,
+      388,  388,   42,   42,   42,   46,  117,  163,  281,  117,
+      133,  163,  323,  265,  239,   46,  150,  163,   46,   46,
 
-      132,  182,  305,  222,  295,  182,  237,  237,  258,  239,
-      239,  182,  305,  258,  123,  265,  237,   43,   59,  239,
-      265,  262,  304,  182,  182,  299,  295,  222,   59,  421,
-      421,   59,   59,   59,   59,   59,   59,   59,   59,   75,
-      359,   75,   75,   75,  222,   75,   75,  299,  541,   75,
-      186,  186,  186,  186,  186,  186,  186,  186,  354,  532,
-      276,   75,   75,   75,   86,  530,   86,   86,   86,  276,
-       86,   86,  280,  359,   86,  245,  245,  245,  245,  245,
-      245,  280,  186,  356,  281,  281,   86,   86,   86,   89,
-      526,   89,   89,   89,  281,   89,   89,  522,  356,   89,
+       46,   46,   46,   46,   46,   46,  275,  282,  323,  163,
+      163,  275,  282,  133,  142,  142,  142,  142,  142,  142,
+      142,  142,  159,  159,  159,  159,  159,  159,  159,  159,
+      160,  160,  160,  160,  160,  160,  160,  160,  438,  438,
+       46,   63,  201,  201,  201,  201,  201,  201,  201,  201,
+      279,   63,  565,  280,   63,   63,   63,   63,   63,   63,
+       63,   63,   79,  564,   79,   79,   79,  297,   79,   79,
+      254,  254,   79,  197,  280,  201,  297,  197,  256,  256,
+      254,  321,  322,  197,   79,   79,   79,   91,  256,   91,
+       91,   91,  322,   91,   91,  197,  197,   91,  209,  209,
 
-      194,  194,  194,  194,  194,  194,  194,  194,  194,  354,
-      451,   89,   89,   89,   91,   91,   91,   91,   91,   91,
-       91,   91,  403,  494,  403,  300,   91,   91,   91,   91,
-       91,  199,  199,  199,  199,  199,  199,  199,  199,  201,
-      201,  201,  201,  201,  201,  201,  201,  300,   91,   91,
-       91,   91,   91,   91,   99,   99,   99,   99,   99,   99,
-       99,   99,  282,  282,  451,  341,   99,   99,   99,   99,
-       99,  204,  282,  204,  204,  204,  204,  204,  204,  204,
-      204,  347,  494,  351,  510,  284,  284,  341,   99,   99,
-       99,   99,   99,   99,  125,  284,  125,  125,  125,  351,
+      209,  209,  209,  209,  209,  209,  209,  298,  298,   91,
+       91,   91,   94,  279,   94,   94,   94,  298,   94,   94,
+      313,  383,   94,  162,  313,  162,  162,  452,  452,  162,
+      162,  383,  321,  162,   94,   94,   94,   96,   96,   96,
+       96,   96,   96,   96,   96,  162,  162,  162,  312,   96,
+       96,   96,   96,   96,  205,  368,  205,  205,  205,  205,
+      205,  205,  214,  214,  214,  214,  214,  214,  214,  214,
+      312,  368,   96,   96,   96,   96,   96,   96,  104,  104,
+      104,  104,  104,  104,  104,  104,  104,  316,  371,  205,
+      104,  104,  104,  104,  104,  216,  216,  216,  216,  216,
 
-      125,  125,  509,  347,  125,  230,  230,  230,  230,  230,
-      230,  230,  230,  230,  495,  301,  125,  125,  125,  150,
-      493,  150,  150,  150,  301,  150,  150,  492,  366,  150,
-      236,  236,  236,  236,  236,  236,  236,  236,  366,  435,
-      435,  150,  150,  150,  152,  491,  152,  152,  152,  152,
-      152,  152,  152,  152,  238,  238,  238,  238,  238,  238,
-      238,  238,  242,  242,  242,  242,  242,  242,  242,  242,
-      650,  307,  242,  436,  436,  650,  349,  490,  152,  153,
-      307,  153,  153,  153,  153,  153,  153,  153,  153,  244,
-      244,  244,  244,  244,  244,  244,  244,  247,  349,  247,
+      216,  216,  216,  217,  217,  217,  217,  217,  217,  316,
+      299,  299,  373,  104,  104,  104,  104,  104,  104,  135,
+      299,  135,  135,  135,  560,  135,  135,  373,  219,  135,
+      219,  219,  219,  219,  219,  219,  219,  219,  453,  453,
+      371,  135,  135,  135,  164,  549,  164,  164,  164,  164,
+      164,  164,  164,  164,  247,  247,  247,  247,  247,  247,
+      247,  247,  247,  253,  253,  253,  253,  253,  253,  253,
+      253,  255,  255,  255,  255,  255,  255,  255,  255,  164,
+      165,  547,  165,  165,  165,  165,  165,  165,  165,  165,
+      259,  259,  259,  259,  259,  259,  259,  259,  419,  419,
 
-      247,  247,  247,  247,  247,  247,  247,  290,  290,  290,
-      290,  290,  290,  153,  154,  325,  154,  154,  154,  154,
-      154,  154,  154,  154,  325,  397,  485,  266,  266,  266,
-      266,  266,  266,  266,  266,  270,  326,  270,  270,  270,
-      270,  270,  270,  468,  357,  326,  452,  397,  154,  155,
-      467,  155,  155,  155,  155,  155,  155,  155,  155,  266,
-      357,  452,  398,  155,  155,  155,  155,  155,  277,  270,
-      277,  277,  277,  277,  277,  277,  277,  277,  317,  317,
-      317,  317,  317,  317,  398,  155,  155,  155,  155,  155,
-      155,  158,  158,  158,  158,  158,  158,  158,  158,  158,
+      259,  261,  261,  261,  261,  261,  261,  261,  261,  262,
+      262,  262,  262,  262,  262,  165,  166,  543,  166,  166,
+      166,  166,  166,  166,  166,  166,  264,  317,  264,  264,
+      264,  264,  264,  264,  264,  264,  301,  301,  283,  283,
+      283,  283,  283,  283,  283,  283,  301,  456,  456,  317,
+      419,  166,  167,  318,  167,  167,  167,  167,  167,  167,
+      167,  167,  318,  324,  342,  343,  167,  167,  167,  167,
+      167,  283,  324,  342,  343,  344,  344,  287,  372,  287,
+      287,  287,  287,  287,  287,  344,  420,  372,  420,  167,
+      167,  167,  167,  167,  167,  170,  170,  170,  170,  170,
 
-      355,  439,  439,  158,  158,  158,  158,  158,  278,  355,
-      278,  278,  278,  278,  278,  278,  278,  278,  336,  336,
-      336,  336,  336,  336,  463,  158,  158,  158,  158,  158,
-      158,  160,  160,  160,  160,  160,  160,  160,  160,  160,
-      160,  448,  440,  444,  160,  160,  160,  160,  160,  279,
-      368,  279,  279,  279,  279,  279,  279,  279,  279,  446,
-      368,  454,  402,  402,  440,  444,  160,  160,  160,  160,
-      160,  160,  161,  161,  161,  161,  161,  161,  161,  161,
-      443,  446,  475,  475,  161,  161,  161,  161,  161,  283,
-      283,  283,  283,  283,  283,  283,  283,  289,  289,  289,
+      170,  170,  170,  170,  345,  345,  539,  170,  170,  170,
+      170,  170,  287,  294,  345,  294,  294,  294,  294,  294,
+      294,  294,  294,  307,  307,  307,  307,  307,  307,  527,
+      170,  170,  170,  170,  170,  170,  172,  172,  172,  172,
+      172,  172,  172,  172,  172,  172,  491,  491,  526,  172,
+      172,  172,  172,  172,  295,  376,  295,  295,  295,  295,
+      295,  295,  295,  295,  300,  300,  300,  300,  300,  300,
+      300,  300,  172,  172,  172,  172,  172,  172,  173,  173,
+      173,  173,  173,  173,  173,  173,  347,  347,  511,  376,
+      173,  173,  173,  173,  173,  296,  347,  296,  296,  296,
 
-      289,  289,  289,  289,  289,  454,  161,  161,  161,  161,
-      161,  161,  188,  402,  188,  188,  188,  188,  188,  188,
-      188,  188,  287,  287,  287,  287,  287,  287,  287,  287,
-      442,  292,  287,  292,  292,  292,  292,  292,  292,  292,
-      292,  486,  486,  517,  517,  441,  188,  189,  428,  189,
-      189,  189,  189,  189,  189,  189,  189,  314,  314,  314,
-      314,  314,  314,  314,  314,  316,  316,  316,  316,  316,
-      316,  316,  316,  320,  320,  320,  320,  320,  320,  320,
-      320,  189,  200,  200,  200,  200,  200,  200,  200,  200,
-      200,  200,  200,  380,  414,  487,  200,  200,  200,  200,
+      296,  296,  296,  296,  296,  306,  306,  306,  306,  306,
+      306,  306,  306,  173,  173,  173,  173,  173,  173,  203,
+      509,  203,  203,  203,  203,  203,  203,  203,  203,  304,
+      304,  304,  304,  304,  304,  304,  304,  508,  309,  304,
+      309,  309,  309,  309,  309,  309,  309,  309,  334,  334,
+      334,  334,  334,  334,  203,  204,  507,  204,  204,  204,
+      204,  204,  204,  204,  204,  331,  331,  331,  331,  331,
+      331,  331,  331,  333,  333,  333,  333,  333,  333,  333,
+      333,  337,  337,  337,  337,  337,  337,  337,  337,  358,
+      204,  215,  215,  215,  215,  215,  215,  215,  215,  215,
 
-      200,  319,  380,  319,  319,  319,  319,  319,  319,  319,
-      319,  374,  374,  374,  374,  374,  374,  487,  200,  200,
-      200,  200,  200,  200,  203,  203,  203,  203,  203,  203,
-      203,  203,  203,  203,  381,  410,  489,  203,  203,  203,
-      203,  203,  322,  381,  322,  322,  322,  322,  322,  322,
-      322,  322,  534,  534,  552,  552,  327,  327,  489,  203,
-      203,  203,  203,  203,  203,  225,  327,  225,  225,  225,
-      225,  225,  225,  225,  225,  323,  415,  323,  323,  323,
-      323,  323,  323,  323,  323,  324,  415,  324,  324,  324,
-      324,  324,  324,  391,  391,  391,  391,  391,  391,  225,
+      215,  215,  502,  502,  506,  215,  215,  215,  215,  215,
+      336,  358,  336,  336,  336,  336,  336,  336,  336,  336,
+      341,  501,  341,  341,  341,  341,  341,  341,  215,  215,
+      215,  215,  215,  215,  218,  218,  218,  218,  218,  218,
+      218,  218,  218,  218,  397,  534,  534,  218,  218,  218,
+      218,  218,  339,  397,  339,  339,  339,  339,  339,  339,
+      339,  339,  346,  346,  346,  346,  346,  346,  346,  346,
+      218,  218,  218,  218,  218,  218,  242,  484,  242,  242,
+      242,  242,  242,  242,  242,  242,  340,  364,  340,  340,
+      340,  340,  340,  340,  340,  340,  350,  350,  350,  350,
 
-      226,  405,  226,  226,  226,  226,  226,  226,  226,  226,
-      328,  328,  329,  329,  329,  329,  329,  329,  329,  329,
-      328,  330,  330,  333,  333,  333,  333,  333,  333,  333,
-      333,  330,  456,  333,  226,  227,  401,  227,  227,  227,
-      227,  227,  227,  227,  227,  335,  335,  335,  335,  335,
-      335,  335,  335,  338,  416,  338,  338,  338,  338,  338,
-      338,  338,  338,  400,  416,  399,  456,  600,  600,  227,
-      240,  240,  240,  240,  240,  240,  240,  240,  240,  240,
-      240,  243,  243,  243,  243,  243,  243,  243,  243,  243,
-      243,  243,  396,  395,  527,  243,  243,  243,  243,  243,
+      350,  350,  350,  350,  398,  669,  350,  551,  551,  364,
+      669,  242,  243,  398,  243,  243,  243,  243,  243,  243,
+      243,  243,  352,  352,  352,  352,  352,  352,  352,  352,
+      353,  353,  353,  353,  353,  353,  355,  366,  355,  355,
+      355,  355,  355,  355,  355,  355,  374,  243,  244,  449,
+      244,  244,  244,  244,  244,  244,  244,  244,  449,  366,
+      414,  385,  374,  382,  382,  382,  382,  382,  382,  382,
+      382,  385,  450,  375,  375,  375,  375,  375,  375,  375,
+      375,  450,  414,  244,  257,  257,  257,  257,  257,  257,
+      257,  257,  257,  257,  257,  260,  260,  260,  260,  260,
 
-      536,  358,  358,  358,  358,  358,  358,  358,  358,  362,
-      362,  362,  362,  362,  362,  362,  527,  243,  243,  243,
-      243,  243,  243,  246,  246,  246,  246,  246,  246,  246,
-      246,  246,  246,  358,  536,  529,  246,  246,  246,  246,
-      246,  418,  362,  365,  365,  365,  365,  365,  365,  365,
-      365,  418,  394,  393,  364,  382,  382,  529,  246,  246,
-      246,  246,  246,  246,  268,  382,  268,  268,  268,  268,
-      268,  268,  268,  268,  367,  367,  367,  367,  367,  367,
-      367,  367,  373,  373,  373,  373,  373,  373,  373,  373,
-      383,  383,  424,  424,  424,  424,  424,  424,  268,  269,
+      260,  260,  260,  260,  260,  260,  375,  415,  457,  260,
+      260,  260,  260,  260,  379,  379,  379,  379,  379,  379,
+      379,  384,  384,  384,  384,  384,  384,  384,  384,  415,
+      457,  483,  260,  260,  260,  260,  260,  260,  263,  263,
+      263,  263,  263,  263,  263,  263,  263,  263,  379,  571,
+      571,  263,  263,  263,  263,  263,  390,  390,  390,  390,
+      390,  390,  390,  390,  391,  391,  391,  391,  391,  391,
+      479,  399,  399,  465,  263,  263,  263,  263,  263,  263,
+      285,  399,  285,  285,  285,  285,  285,  285,  285,  285,
+      393,  432,  393,  393,  393,  393,  393,  393,  393,  393,
 
-      383,  269,  269,  269,  269,  269,  269,  269,  269,  376,
-      363,  376,  376,  376,  376,  376,  376,  376,  376,  377,
-      432,  377,  377,  377,  377,  377,  377,  377,  377,  432,
-      505,  505,  505,  269,  275,  275,  275,  275,  275,  275,
-      275,  275,  275,  433,  449,  353,  275,  275,  275,  275,
-      275,  378,  433,  378,  378,  378,  378,  378,  378,  378,
-      378,  352,  505,  346,  449,  345,  449,  449,  275,  275,
-      275,  275,  275,  275,  285,  285,  285,  285,  285,  285,
-      285,  285,  285,  285,  285,  288,  288,  288,  288,  288,
-      288,  288,  288,  288,  288,  288,  553,  555,  566,  288,
+      394,  432,  394,  394,  394,  394,  394,  394,  394,  394,
+      460,  473,  619,  619,  468,  285,  286,  433,  286,  286,
+      286,  286,  286,  286,  286,  286,  395,  433,  395,  395,
+      395,  395,  395,  395,  395,  395,  396,  435,  396,  396,
+      396,  396,  396,  396,  396,  396,  473,  435,  461,  459,
+      458,  286,  292,  292,  292,  292,  292,  292,  292,  292,
+      292,  400,  400,  445,  292,  292,  292,  292,  292,  468,
+      461,  400,  401,  401,  401,  401,  401,  401,  401,  401,
+      408,  408,  408,  408,  408,  408,  431,  292,  292,  292,
+      292,  292,  292,  302,  302,  302,  302,  302,  302,  302,
 
-      288,  288,  288,  288,  379,  469,  379,  379,  379,  379,
-      379,  379,  379,  379,  344,  469,  343,  496,  553,  555,
-      566,  288,  288,  288,  288,  288,  288,  291,  291,  291,
-      291,  291,  291,  291,  291,  291,  291,  340,  339,  321,
-      291,  291,  291,  291,  291,  384,  384,  384,  384,  384,
-      384,  384,  384,  390,  390,  390,  390,  390,  390,  390,
-      390,  496,  291,  291,  291,  291,  291,  291,  308,  308,
-      308,  308,  308,  308,  308,  308,  308,  385,  385,  388,
-      388,  388,  388,  388,  388,  388,  388,  385,  392,  388,
-      392,  392,  392,  392,  392,  392,  392,  392,  570,  313,
+      302,  302,  302,  302,  305,  305,  305,  305,  305,  305,
+      305,  305,  305,  305,  305,  402,  402,  463,  305,  305,
+      305,  305,  305,  469,  477,  402,  405,  405,  405,  405,
+      405,  405,  405,  405,  427,  503,  405,  422,  469,  463,
+      418,  305,  305,  305,  305,  305,  305,  308,  308,  308,
+      308,  308,  308,  308,  308,  308,  308,  503,  417,  477,
+      308,  308,  308,  308,  308,  407,  407,  407,  407,  407,
+      407,  407,  407,  409,  416,  409,  409,  409,  409,  409,
+      409,  409,  409,  308,  308,  308,  308,  308,  308,  325,
+      325,  325,  325,  325,  325,  325,  325,  325,  421,  428,
 
-      312,  308,  309,  309,  309,  309,  309,  309,  309,  309,
-      309,  404,  411,  311,  411,  411,  411,  411,  411,  411,
-      411,  411,  417,  417,  417,  417,  417,  417,  417,  417,
-      303,  404,  570,  404,  404,  309,  310,  310,  310,  310,
-      310,  310,  310,  310,  310,  412,  302,  412,  412,  412,
-      412,  412,  412,  412,  412,  404,  413,  470,  413,  413,
-      413,  413,  413,  413,  413,  413,  298,  470,  297,  310,
-      315,  472,  315,  315,  315,  315,  315,  315,  315,  315,
-      315,  472,  294,  293,  315,  315,  315,  315,  315,  423,
-      423,  423,  423,  423,  423,  423,  423,  427,  427,  427,
+      505,  428,  428,  428,  428,  428,  428,  428,  428,  434,
+      434,  434,  434,  434,  434,  434,  434,  413,  421,  412,
+      421,  421,  505,  325,  326,  326,  326,  326,  326,  326,
+      326,  326,  326,  429,  466,  429,  429,  429,  429,  429,
+      429,  429,  429,  421,  430,  485,  430,  430,  430,  430,
+      430,  430,  430,  430,  466,  485,  466,  466,  326,  327,
+      327,  327,  327,  327,  327,  327,  327,  327,  440,  440,
+      440,  440,  440,  440,  440,  440,  441,  441,  441,  441,
+      441,  441,  443,  500,  443,  443,  443,  443,  443,  443,
+      443,  443,  500,  327,  332,  486,  332,  332,  332,  332,
 
-      427,  427,  427,  427,  427,  274,  315,  315,  315,  315,
-      315,  315,  318,  318,  318,  318,  318,  318,  318,  318,
-      318,  484,  273,  272,  318,  318,  318,  318,  318,  426,
-      484,  426,  426,  426,  426,  426,  426,  426,  426,  497,
-      461,  271,  461,  461,  461,  261,  318,  318,  318,  318,
-      318,  318,  331,  331,  331,  331,  331,  331,  331,  331,
-      331,  331,  331,  334,  334,  334,  334,  334,  334,  334,
-      334,  334,  334,  334,  461,  260,  259,  334,  334,  334,
-      334,  334,  429,  497,  429,  429,  429,  429,  429,  429,
-      429,  429,  478,  478,  478,  478,  478,  478,  257,  334,
+      332,  332,  332,  332,  332,  486,  411,  410,  332,  332,
+      332,  332,  332,  444,  444,  444,  444,  444,  444,  444,
+      444,  446,  381,  446,  446,  446,  446,  446,  446,  446,
+      446,  332,  332,  332,  332,  332,  332,  335,  335,  335,
+      335,  335,  335,  335,  335,  335,  380,  370,  369,  335,
+      335,  335,  335,  335,  447,  488,  447,  447,  447,  447,
+      447,  447,  447,  447,  448,  488,  448,  448,  448,  448,
+      448,  448,  335,  335,  335,  335,  335,  335,  348,  348,
+      348,  348,  348,  348,  348,  348,  348,  348,  348,  351,
+      351,  351,  351,  351,  351,  351,  351,  351,  351,  351,
 
-      334,  334,  334,  334,  334,  337,  337,  337,  337,  337,
-      337,  337,  337,  337,  434,  434,  256,  255,  337,  337,
-      337,  337,  337,  430,  434,  430,  430,  430,  430,  430,
-      430,  430,  430,  499,  520,  520,  520,  520,  520,  520,
-      337,  337,  337,  337,  337,  337,  360,  360,  360,  360,
-      360,  360,  360,  360,  360,  431,  254,  431,  431,  431,
-      431,  431,  431,  450,  450,  455,  455,  455,  455,  455,
-      455,  455,  455,  253,  252,  251,  450,  499,  250,  360,
-      361,  361,  361,  361,  361,  361,  361,  361,  361,  462,
-      462,  462,  462,  462,  462,  462,  462,  455,  464,  511,
+      451,  451,  528,  351,  351,  351,  351,  351,  467,  467,
+      451,  470,  528,  470,  470,  470,  471,  363,  471,  471,
+      471,  467,  544,  362,  555,  589,  351,  351,  351,  351,
+      351,  351,  354,  354,  354,  354,  354,  354,  354,  354,
+      354,  361,  546,  572,  544,  354,  354,  354,  354,  354,
+      472,  472,  472,  472,  472,  472,  472,  472,  470,  555,
+      589,  360,  357,  471,  546,  572,  356,  338,  354,  354,
+      354,  354,  354,  354,  377,  377,  377,  377,  377,  377,
+      377,  377,  377,  472,  476,  330,  476,  476,  476,  476,
+      476,  476,  478,  478,  478,  478,  478,  478,  478,  478,
 
-      464,  464,  464,  464,  464,  464,  464,  464,  234,  511,
-      233,  232,  231,  361,  369,  229,  369,  369,  369,  369,
-      369,  369,  369,  369,  369,  372,  512,  372,  372,  372,
-      372,  372,  372,  372,  372,  372,  512,  228,  219,  372,
-      372,  372,  372,  372,  465,  514,  465,  465,  465,  465,
-      465,  465,  465,  465,  218,  514,  217,  216,  215,  213,
-      212,  372,  372,  372,  372,  372,  372,  375,  375,  375,
-      375,  375,  375,  375,  375,  375,  211,  210,  209,  375,
-      375,  375,  375,  375,  466,  208,  466,  466,  466,  466,
-      466,  466,  471,  471,  471,  471,  471,  471,  471,  471,
+      482,  329,  482,  482,  482,  482,  482,  482,  377,  378,
+      378,  378,  378,  378,  378,  378,  378,  378,  480,  476,
+      480,  480,  480,  480,  480,  480,  480,  480,  481,  529,
+      481,  481,  481,  481,  481,  481,  481,  481,  328,  529,
+      320,  319,  315,  378,  386,  574,  386,  386,  386,  386,
+      386,  386,  386,  386,  386,  389,  531,  389,  389,  389,
+      389,  389,  389,  389,  389,  389,  531,  574,  585,  389,
+      389,  389,  389,  389,  487,  487,  487,  487,  487,  487,
+      487,  487,  493,  493,  493,  493,  493,  493,  493,  493,
+      585,  314,  389,  389,  389,  389,  389,  389,  392,  392,
 
-      205,  375,  375,  375,  375,  375,  375,  386,  386,  386,
-      386,  386,  386,  386,  386,  386,  386,  386,  389,  389,
-      389,  389,  389,  389,  389,  389,  389,  389,  197,  196,
-      193,  192,  389,  389,  389,  389,  389,  477,  477,  477,
-      477,  477,  477,  477,  477,  481,  481,  481,  481,  481,
-      481,  481,  481,  481,  389,  389,  389,  389,  389,  389,
-      406,  547,  406,  406,  406,  406,  406,  406,  406,  406,
-      480,  547,  480,  480,  480,  480,  480,  480,  480,  480,
-      482,  482,  482,  482,  482,  482,  482,  482,  482,  185,
-      184,  178,  175,  174,  406,  407,  173,  407,  407,  407,
+      392,  392,  392,  392,  392,  392,  392,  311,  310,  291,
+      392,  392,  392,  392,  392,  494,  494,  494,  494,  494,
+      494,  496,  566,  496,  496,  496,  496,  496,  496,  496,
+      496,  290,  566,  392,  392,  392,  392,  392,  392,  403,
+      403,  403,  403,  403,  403,  403,  403,  403,  403,  403,
+      406,  406,  406,  406,  406,  406,  406,  406,  406,  406,
+      289,  288,  278,  277,  406,  406,  406,  406,  406,  497,
+      497,  497,  497,  497,  497,  497,  497,  497,  498,  498,
+      498,  498,  498,  498,  498,  498,  498,  406,  406,  406,
+      406,  406,  406,  423,  276,  423,  423,  423,  423,  423,
 
-      407,  407,  407,  407,  407,  483,  483,  483,  483,  483,
-      483,  483,  483,  483,  556,  556,  172,  171,  498,  169,
-      168,  498,  498,  167,  498,  498,  166,  556,  498,  407,
-      408,  165,  408,  408,  408,  408,  408,  408,  408,  408,
-      498,  498,  498,  506,  164,  506,  506,  506,  506,  506,
-      506,  506,  506,  500,  163,  162,  500,  500,  157,  500,
-      500,  156,  149,  500,  408,  409,  148,  409,  409,  409,
-      409,  409,  409,  409,  409,  500,  500,  500,  147,  146,
-      504,  504,  504,  504,  504,  504,  504,  504,  507,  142,
-      507,  507,  507,  507,  507,  507,  507,  507,  141,  409,
+      423,  423,  423,  499,  499,  499,  499,  499,  499,  499,
+      499,  499,  512,  274,  512,  512,  512,  575,  575,  513,
+      273,  513,  513,  513,  272,  271,  270,  269,  423,  424,
+      575,  424,  424,  424,  424,  424,  424,  424,  424,  514,
+      268,  514,  514,  514,  515,  267,  515,  515,  515,  251,
+      518,  250,  518,  518,  518,  249,  248,  246,  245,  512,
+      236,  235,  234,  233,  424,  425,  513,  425,  425,  425,
+      425,  425,  425,  425,  425,  516,  232,  229,  516,  516,
+      516,  516,  516,  516,  516,  516,  514,  227,  226,  225,
+      224,  515,  223,  220,  212,  517,  517,  518,  211,  517,
 
-      419,  139,  419,  419,  419,  419,  419,  419,  419,  419,
-      419,  422,  504,  422,  422,  422,  422,  422,  422,  422,
-      422,  422,  135,  128,  124,  422,  422,  422,  422,  422,
-      508,  121,  508,  508,  508,  508,  508,  508,  508,  508,
-      525,  525,  525,  525,  525,  525,  525,  422,  422,  422,
-      422,  422,  422,  425,  425,  425,  425,  425,  425,  425,
-      425,  425,  114,  113,  112,  425,  425,  425,  425,  425,
-      513,  513,  513,  513,  513,  513,  513,  513,  519,  519,
-      519,  519,  519,  519,  519,  519,  111,  425,  425,  425,
-      425,  425,  425,  437,  437,  437,  437,  437,  437,  437,
+      425,  426,  208,  426,  426,  426,  426,  426,  426,  426,
+      426,  517,  517,  517,  519,  519,  207,  523,  519,  523,
+      523,  523,  523,  523,  523,  523,  523,  200,  199,  193,
+      519,  519,  519,  190,  189,  188,  426,  436,  187,  436,
+      436,  436,  436,  436,  436,  436,  436,  436,  439,  186,
+      439,  439,  439,  439,  439,  439,  439,  439,  439,  184,
+      183,  182,  439,  439,  439,  439,  439,  524,  181,  524,
+      524,  524,  524,  524,  524,  524,  524,  530,  530,  530,
+      530,  530,  530,  530,  530,  439,  439,  439,  439,  439,
+      439,  442,  442,  442,  442,  442,  442,  442,  442,  442,
 
-      437,  437,  437,  457,  110,  457,  457,  457,  457,  457,
-      457,  457,  457,  521,  105,  521,  521,  521,  521,  521,
-      521,  521,  521,  523,  523,  523,  523,  523,  523,  523,
-      523,  523,  104,  102,  101,   97,   93,  457,  458,   92,
-      458,  458,  458,  458,  458,  458,  458,  458,  524,  524,
-      524,  524,  524,  524,  524,  524,  524,  535,  535,  535,
-      535,  535,  535,  535,  535,  577,  577,  577,  577,  577,
-      577,   88,  458,  459,   85,  459,  459,  459,  459,  459,
-      459,  459,  459,   83,   78,   77,   76,   74,  539,  535,
-      539,  539,  539,  539,  539,  539,  540,  540,  540,  540,
+      180,  179,  178,  442,  442,  442,  442,  442,  525,  177,
+      525,  525,  525,  525,  525,  525,  525,  525,  536,  536,
+      536,  536,  536,  536,  536,  536,  442,  442,  442,  442,
+      442,  442,  454,  454,  454,  454,  454,  454,  454,  454,
+      454,  454,  474,  176,  474,  474,  474,  474,  474,  474,
+      474,  474,  537,  537,  537,  537,  537,  537,  538,  175,
+      538,  538,  538,  538,  538,  538,  538,  538,  540,  540,
+      540,  540,  540,  540,  540,  540,  540,  474,  475,  169,
+      475,  475,  475,  475,  475,  475,  475,  475,  541,  541,
+      541,  541,  541,  541,  541,  541,  541,  542,  542,  542,
 
-      540,  540,  540,  540,   69,   62,   55,  459,  460,   49,
-      460,  460,  460,  460,  460,  460,  460,  460,   48,   47,
-       46,  542,  539,  542,  542,  542,  542,  542,  542,  542,
-      542,  543,   45,  543,  543,  543,  543,  543,  543,  543,
-      543,   44,  460,  473,   37,  473,  473,  473,  473,  473,
-      473,  473,  473,  473,  476,   36,  476,  476,  476,  476,
-      476,  476,  476,  476,  476,   35,   34,   32,  476,  476,
-      476,  476,  476,  544,   29,  544,  544,  544,  544,  544,
-      544,  560,  560,  560,  560,  560,  560,  560,  560,   23,
-      476,  476,  476,  476,  476,  476,  479,  479,  479,  479,
+      542,  542,  542,  542,  552,  552,  552,  552,  552,  552,
+      552,  552,  168,  475,  489,  158,  489,  489,  489,  489,
+      489,  489,  489,  489,  489,  492,  157,  492,  492,  492,
+      492,  492,  492,  492,  492,  492,  156,  152,  151,  492,
+      492,  492,  492,  492,  553,  553,  553,  553,  553,  553,
+      553,  553,  554,  554,  554,  554,  554,  554,  554,  554,
+      149,  145,  492,  492,  492,  492,  492,  492,  495,  495,
+      495,  495,  495,  495,  495,  495,  138,  134,  132,  130,
+      495,  495,  495,  495,  495,  554,  558,  122,  558,  558,
+      558,  558,  558,  558,  559,  559,  559,  559,  559,  559,
 
-      479,  479,  479,  479,   17,   15,   14,   13,  479,  479,
-      479,  479,  479,  550,    0,  550,  550,  550,  550,  550,
-      550,  550,  550,    0,    0,    0,    0,    0,    0,    0,
-      479,  479,  479,  479,  479,  479,  501,    0,  501,  501,
-      501,  501,  501,  501,  501,  501,  561,  561,  561,  561,
-      561,  561,  561,  561,  562,  562,  562,  562,  562,  562,
-      562,  562,  569,  569,  569,  569,  569,  569,  569,  569,
-      501,  502,    0,  502,  502,  502,  502,  502,  502,  502,
-      502,    0,  573,    0,  573,  573,  573,  573,  573,  573,
-        0,    0,    0,    0,  569,  575,  575,  575,  575,  575,
+      559,  559,  121,  495,  495,  495,  495,  495,  495,  520,
+      120,  520,  520,  520,  520,  520,  520,  520,  520,  119,
+      561,  558,  561,  561,  561,  561,  561,  561,  561,  561,
+      562,  118,  562,  562,  562,  562,  562,  562,  562,  562,
+      113,  112,  111,  110,  520,  521,  108,  521,  521,  521,
+      521,  521,  521,  521,  521,  563,  107,  563,  563,  563,
+      563,  563,  563,  569,  106,  569,  569,  569,  569,  569,
+      569,  569,  569,  596,  596,  596,  596,  596,  596,  102,
+      521,  522,   98,  522,  522,  522,  522,  522,  522,  522,
+      522,  579,  579,  579,  579,  579,  579,  579,  579,  580,
 
-      575,  575,  575,    0,    0,  502,  503,    0,  503,  503,
-      503,  503,  503,  503,  503,  503,  573,  576,  576,  576,
-      576,  576,  576,  576,  576,    0,    0,    0,    0,    0,
-      581,  581,  581,  581,  581,  581,  581,  581,    0,    0,
-      503,  515,    0,  515,  515,  515,  515,  515,  515,  515,
-      515,  515,  518,    0,  518,  518,  518,  518,  518,  518,
-      518,  518,  581,    0,    0,    0,  518,  518,  518,  518,
-      518,    0,  582,  582,  582,  582,  582,  582,  582,  582,
-      583,  583,  583,  583,  583,  583,  583,  583,  518,  518,
-      518,  518,  518,  518,  537,    0,  537,  537,  537,  537,
+      580,  580,  580,  580,  580,  580,  580,  581,  581,  581,
+      581,  581,  581,  581,  581,   97,  522,  532,   93,  532,
+      532,  532,  532,  532,  532,  532,  532,  532,  535,   90,
+      535,  535,  535,  535,  535,  535,  535,  535,   82,   81,
+       80,   78,  535,  535,  535,  535,  535,   73,  588,  588,
+      588,  588,  588,  588,  588,  588,  592,   66,  592,  592,
+      592,  592,  592,  592,   59,  535,  535,  535,  535,  535,
+      535,  556,   54,  556,  556,  556,  556,  556,  556,  556,
+      556,  588,  594,  594,  594,  594,  594,  594,  594,  594,
+       51,  592,  595,  595,  595,  595,  595,  595,  595,  595,
 
-      537,  537,  537,  537,  582,    0,    0,    0,    0,    0,
-        0,    0,  583,  585,  585,  585,  585,  585,  585,  585,
-      585,  586,  586,  586,  586,  586,  586,    0,  537,  538,
-        0,  538,  538,  538,  538,  538,  538,  538,  538,    0,
-        0,    0,    0,    0,    0,  585,    0,    0,    0,    0,
-        0,    0,    0,  586,    0,    0,    0,    0,    0,    0,
-        0,    0,    0,  538,  557,    0,  557,  557,  557,  557,
-      557,  557,  557,  557,    0,    0,    0,    0,    0,    0,
-        0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-        0,    0,    0,    0,    0,    0,    0,    0,  557,  558,
+       49,   41,   40,   39,   38,   37,  556,  557,   36,  557,
+      557,  557,  557,  557,  557,  557,  557,   33,   29,   23,
+      600,  600,  600,  600,  600,  600,  600,  600,  601,  601,
+      601,  601,  601,  601,  601,  601,   17,   15,   14,   13,
+        0,    0,  557,  576,    0,  576,  576,  576,  576,  576,
+      576,  576,  576,  600,    0,    0,    0,    0,    0,    0,
+        0,  601,  602,  602,  602,  602,  602,  602,  602,  602,
+      604,  604,  604,  604,  604,  604,  604,  604,  576,  577,
+        0,  577,  577,  577,  577,  577,  577,  577,  577,    0,
+        0,    0,    0,    0,    0,  602,  605,  605,  605,  605,
 
-        0,  558,  558,  558,  558,  558,  558,  558,  558,    0,
+      605,  605,    0,  604,    0,    0,    0,    0,    0,    0,
+        0,    0,    0,    0,  577,  578,    0,  578,  578,  578,
+      578,  578,  578,  578,  578,    0,    0,    0,    0,  605,
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-        0,    0,    0,  558,  559,    0,  559,  559,  559,  559,
-      559,  559,  559,  559,    0,    0,    0,    0,    0,    0,
+      578,  590,    0,  590,  590,  590,  590,  590,  590,  590,
+      590,    0,    0,    0,    0,    0,    0,    0,    0,    0,
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-        0,    0,    0,    0,    0,    0,    0,    0,  559,  571,
-        0,  571,  571,  571,  571,  571,  571,  571,  571,    0,
+        0,    0,    0,    0,    0,    0,  590,  591,    0,  591,
+      591,  591,  591,  591,  591,  591,  591,    0,    0,    0,
+
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
         0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
+        0,    0,  591,  607,  607,  607,  607,  607,  607,  607,
+      607,  607,  607,  607,  607,  607,  607,  607,  607,  608,
+      608,  608,  608,  608,  608,  608,  608,  608,  608,  608,
+      608,  608,  608,  608,  608,  609,  609,  609,  609,  609,
+      609,  609,  609,  609,  609,  609,  609,  609,  609,  609,
+      609,  610,  610,  610,  610,  610,  610,  610,  610,  610,
+      610,  610,  610,  610,  610,  610,  610,  611,    0,    0,
+        0,    0,    0,    0,    0,  611,  611,  611,    0,    0,
 
-        0,    0,    0,  571,  572,    0,  572,  572,  572,  572,
-      572,  572,  572,  572,    0,    0,    0,    0,    0,    0,
-        0,    0,    0,    0,    0,    0,    0,    0,    0,    0,
-        0,    0,    0,    0,    0,    0,    0,    0,  572,  588,
-      588,  588,  588,  588,  588,  588,  588,  588,  588,  588,
-      588,  588,  588,  589,  589,  589,  589,  589,  589,  589,
-      589,  589,  589,  589,  589,  589,  589,  590,  590,  590,
-      590,  590,  590,  590,  590,  590,  590,  590,  590,  590,
-      590,  591,  591,  591,  591,  591,  591,  591,  591,  591,
-      591,  591,  591,  591,  591,  592,    0,    0,    0,    0,
+      611,  611,  611,  612,  612,  612,  612,  612,  612,  612,
+      612,  612,  612,  612,  612,  612,  612,  612,  612,  613,
+        0,    0,    0,    0,  613,    0,    0,  613,  613,  613,
+      613,    0,  613,  613,  613,  614,    0,    0,    0,    0,
+        0,    0,    0,  614,  614,  614,    0,    0,  614,  614,
+      614,  615,    0,    0,  615,  615,    0,  615,    0,  615,
+      615,  615,    0,    0,  615,  615,  615,  616,  616,    0,
+        0,    0,  616,  617,    0,    0,  617,  617,    0,  617,
+        0,  617,  617,  617,    0,    0,  617,  617,  617,  618,
+        0,    0,  618,  618,    0,  618,    0,  618,  618,  618,
 
-        0,  592,  592,  592,    0,    0,  592,  592,  592,  593,
-      593,  593,  593,  593,  593,  593,  593,  593,  593,  593,
-      593,  593,  593,  594,    0,    0,    0,    0,    0,  594,
-      594,  594,  594,    0,  594,  594,  594,  595,    0,    0,
-        0,    0,    0,  595,  595,  595,    0,    0,  595,  595,
-      595,  596,    0,    0,  596,  596,  596,  596,  596,  596,
-        0,    0,  596,  596,  596,  597,  597,    0,    0,    0,
-      597,  598,    0,    0,  598,  598,  598,  598,  598,  598,
-        0,    0,  598,  598,  598,  599,    0,    0,  599,  599,
-      599,  599,  599,  599,    0,  599,    0,  599,  599,  601,
+        0,  618,    0,  618,  618,  620,    0,    0,  620,    0,
+        0,  620,    0,  620,  620,  620,  620,    0,  620,  620,
+      620,  621,  621,  621,  621,  621,  621,  621,  621,  621,
+      621,  621,  621,  621,  621,  621,  621,  622,  622,    0,
+      622,    0,  622,  622,  622,  622,  622,  622,  622,  622,
+      622,  622,  622,  623,  623,  623,  623,  623,  623,  623,
+      623,  623,  623,  623,  623,  623,  623,  623,  623,  624,
+      624,    0,  624,  624,  624,  624,  624,  624,  624,  624,
+      624,  624,  624,  624,  624,  625,    0,    0,    0,    0,
+      625,    0,    0,  625,  625,  625,    0,    0,  625,  625,
 
-        0,    0,  601,    0,  601,  601,  601,  601,  601,    0,
-      601,  601,  601,  602,  602,  602,  602,  602,  602,  602,
-      602,  602,  602,  602,  602,  602,  602,  603,  603,    0,
-      603,    0,  603,  603,  603,  603,  603,  603,  603,  603,
-      603,  604,  604,  604,  604,  604,  604,  604,  604,  604,
-      604,  604,  604,  604,  604,  605,  605,    0,  605,  605,
-      605,  605,  605,  605,  605,  605,  605,  605,  605,  606,
-        0,    0,    0,    0,    0,  606,  606,  606,    0,    0,
-      606,  606,  606,  607,    0,    0,  607,  607,  607,  607,
-      607,  607,    0,    0,  607,  607,  607,  608,  608,    0,
+      625,  626,    0,    0,  626,  626,    0,  626,    0,  626,
+      626,  626,    0,    0,  626,  626,  626,  627,  627,    0,
+        0,    0,  627,  628,  628,  628,    0,    0,    0,  628,
+      629,    0,    0,  629,  629,    0,  629,    0,  629,  629,
+      629,    0,    0,  629,  629,  629,  630,  630,  630,  630,
+      630,  630,  630,  630,  630,  630,  630,  630,  630,  630,
+      630,  630,  631,  631,    0,    0,    0,  631,  632,  632,
+      632,    0,    0,    0,  632,  633,  633,    0,    0,    0,
+      633,  634,  634,    0,    0,    0,  634,  635,  635,    0,
+        0,    0,  635,  636,  636,  636,    0,    0,    0,  636,
 
-        0,    0,  608,  609,  609,  609,    0,    0,    0,  609,
-      610,    0,    0,  610,  610,  610,  610,  610,  610,    0,
-        0,  610,  610,  610,  611,  611,  611,  611,  611,  611,
-      611,  611,  611,  611,  611,  611,  611,  611,  612,  612,
-        0,    0,    0,  612,  613,  613,  613,    0,    0,    0,
-      613,  614,  614,    0,    0,    0,  614,  615,  615,    0,
-        0,    0,  615,  616,  616,    0,    0,    0,  616,  617,
-      617,  617,    0,    0,    0,  617,  618,  618,    0,    0,
-        0,  618,  619,  619,    0,    0,    0,  619,  620,  620,
-        0,    0,    0,  620,  621,  621,  621,    0,    0,    0,
+      637,  637,    0,    0,    0,  637,  638,  638,    0,    0,
+        0,  638,  639,  639,    0,    0,    0,  639,  640,  640,
+      640,    0,    0,    0,  640,  641,  641,  641,  641,    0,
+        0,    0,  641,  642,  642,    0,    0,    0,  642,  643,
+      643,    0,    0,    0,  643,  644,  644,    0,    0,    0,
+      644,  645,  645,  645,    0,    0,    0,  645,  646,  646,
+      646,  646,    0,    0,    0,  646,  647,  647,    0,    0,
+        0,  647,  648,  648,    0,    0,    0,  648,  649,  649,
+      649,    0,    0,    0,  649,  650,  650,  650,  650,    0,
+        0,    0,  650,  651,  651,    0,    0,    0,  651,  652,
 
-      621,  622,  622,  622,  622,    0,    0,    0,  622,  623,
-      623,    0,    0,    0,  623,  624,  624,    0,    0,    0,
-      624,  625,  625,    0,    0,    0,  625,  626,  626,  626,
-        0,    0,    0,  626,  627,  627,  627,  627,    0,    0,
-        0,  627,  628,  628,    0,    0,    0,  628,  629,  629,
-        0,    0,    0,  629,  630,  630,  630,    0,    0,    0,
-      630,  631,  631,  631,  631,    0,    0,    0,  631,  632,
-      632,    0,    0,    0,  632,  633,    0,  633,  633,    0,
-        0,    0,  633,  634,  634,  634,    0,    0,    0,  634,
-      635,  635,  635,  635,    0,    0,    0,  635,  636,  636,
+        0,  652,  652,    0,    0,    0,  652,  653,  653,  653,
+        0,    0,    0,  653,  654,  654,  654,  654,    0,    0,
+        0,  654,  655,  655,    0,    0,    0,  655,  656,    0,
+      656,  656,    0,    0,    0,  656,  657,  657,  657,    0,
+        0,    0,  657,  658,  658,  658,    0,    0,    0,    0,
+      658,  659,  659,    0,  659,  659,  659,    0,    0,  659,
+      659,  659,    0,    0,  659,  659,  659,  660,  660,    0,
+      660,  660,  660,    0,    0,  660,  660,  660,    0,    0,
+      660,  660,  660,  661,  661,    0,    0,    0,  661,  662,
+        0,  662,  662,    0,    0,    0,  662,  663,  663,    0,
 
-        0,    0,    0,  636,  637,    0,  637,  637,    0,    0,
-        0,  637,  638,  638,  638,    0,    0,    0,  638,  639,
-      639,  639,    0,    0,    0,    0,  639,  640,    0,    0,
-      640,    0,    0,  640,  640,  640,    0,    0,  640,  640,
-      640,  641,    0,    0,  641,    0,    0,  641,  641,  641,
-        0,    0,  641,  641,  641,  642,  642,    0,    0,    0,
-      642,  643,    0,  643,  643,    0,    0,    0,  643,  644,
-      644,    0,    0,    0,    0,  644,  645,  645,  645,  645,
-      645,  645,  645,  645,  645,  645,  645,  645,  645,  645,
-      646,  646,    0,    0,    0,  646,  647,    0,  647,  647,
+        0,    0,    0,  663,  664,  664,  664,  664,  664,  664,
+      664,  664,  664,  664,  664,  664,  664,  664,  664,  664,
+      665,  665,    0,    0,    0,  665,  666,    0,  666,  666,
+        0,    0,    0,  666,  667,  667,    0,    0,    0,  667,
+      668,    0,  668,    0,    0,    0,    0,  668,  670,  670,
+      670,  670,  670,  670,  670,  670,  670,  670,  670,  670,
+      670,  670,  670,  670,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
 
-        0,    0,    0,  647,  648,  648,    0,    0,    0,  648,
-      649,    0,  649,    0,    0,    0,    0,  649,  651,  651,
-      651,  651,  651,  651,  651,  651,  651,  651,  651,  651,
-      651,  651,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587,  587,  587,
-      587,  587,  587,  587,  587,  587,  587,  587
-
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606,  606,  606,  606,  606,  606,  606,  606,  606,  606,
+      606
     } ;
 
 static yy_state_type yy_last_accepting_state;
@@ -1456,38 +1469,29 @@
 #  include <ndir.h>
 # endif
 #endif
+#include <errno.h>
 #include <ctype.h>
 #include "sudo.h"
 #include "parse.h"
+#include "toke.h"
 #include <gram.h>
 
 extern YYSTYPE yylval;
 extern int parse_error;
-int sudolineno = 1;
+int sudolineno;
 char *sudoers;
-static int sawspace = 0;
-static int prev_state = INITIAL;
-static int arg_len = 0;
-static int arg_size = 0;
 
-static int append		__P((char *, int));
-static int _fill		__P((char *, int, int));
-static int fill_cmnd		__P((char *, int));
-static int fill_args		__P((char *, int, int));
+static int continued, prev_state, sawspace;
+
 static int _push_include	__P((char *, int));
 static int pop_include		__P((void));
-static int ipv6_valid		__P((const char *s));
 static char *parse_include	__P((char *));
-extern void yyerror		__P((const char *));
 
-#define fill(a, b)		_fill(a, b, 0)
+#define fill(a, b)		fill_txt(a, b, 0)
 
 #define	push_include(_p)	(_push_include((_p), FALSE))
 #define	push_includedir(_p)	(_push_include((_p), TRUE))
 
-/* realloc() to size + COMMANDARGINC to make room for command args */
-#define COMMANDARGINC	64
-
 #ifdef TRACELEXER
 #define LEXTRACE(msg)	fputs(msg, stderr)
 #else
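Review bot: `int sudolineno;` now has no initializer, so the line counter starts at 0 instead of the former 1 unless an initialization routine outside this hunk assigns it before the first token is scanned. If such a routine exists, a comment on the declaration, `int sudolineno;	/* reset by the lexer init routine before each parse */`, would make the deliberate zero obvious to readers of this generated file; if it does not, diagnostics for the first line are reported one line off. `prev_state` losing its `= INITIAL` initializer is harmless since flex defines INITIAL as 0. These declarations are at file scope, not inside a function.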
@@ -1505,7 +1509,7 @@
 
 #define INSTR 5
 
-#line 1508 "lex.yy.c"
+#line 1512 "lex.yy.c"
 
 /* Macros after this point can all be overridden by user definitions in
  * section 1.
@@ -1659,9 +1663,9 @@
 	register char *yy_cp, *yy_bp;
 	register int yy_act;
 
-#line 129 "toke.l"
+#line 120 "toke.l"
 
-#line 1664 "lex.yy.c"
+#line 1668 "lex.yy.c"
 
 	if ( yy_init )
 		{
@@ -1713,13 +1717,13 @@
 			while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 				{
 				yy_current_state = (int) yy_def[yy_current_state];
-				if ( yy_current_state >= 588 )
+				if ( yy_current_state >= 607 )
 					yy_c = yy_meta[(unsigned int) yy_c];
 				}
 			yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
 			++yy_cp;
 			}
-		while ( yy_base[yy_current_state] != 3633 );
+		while ( yy_base[yy_current_state] != 3665 );
 
 yy_find_action:
 		yy_act = yy_accept[yy_current_state];
@@ -1747,12 +1751,20 @@
 
 case 1:
 YY_RULE_SETUP
-#line 130 "toke.l"
-BEGIN STARTDEFS;
+#line 121 "toke.l"
+{
+			    LEXTRACE(", ");
+			    return ',';
+			}			/* return ',' */
 	YY_BREAK
 case 2:
 YY_RULE_SETUP
-#line 132 "toke.l"
+#line 126 "toke.l"
+BEGIN STARTDEFS;
+	YY_BREAK
+case 3:
+YY_RULE_SETUP
+#line 128 "toke.l"
 {
 			    BEGIN INDEFS;
 			    LEXTRACE("DEFVAR ");
@@ -1762,9 +1774,9 @@
 			}
 	YY_BREAK
 
-case 3:
+case 4:
 YY_RULE_SETUP
-#line 141 "toke.l"
+#line 137 "toke.l"
 {
 			    BEGIN STARTDEFS;
 			    LEXTRACE(", ");
@@ -1771,33 +1783,33 @@
 			    return ',';
 			}			/* return ',' */
 	YY_BREAK
-case 4:
+case 5:
 YY_RULE_SETUP
-#line 147 "toke.l"
+#line 143 "toke.l"
 {
 			    LEXTRACE("= ");
 			    return '=';
 			}			/* return '=' */
 	YY_BREAK
-case 5:
+case 6:
 YY_RULE_SETUP
-#line 152 "toke.l"
+#line 148 "toke.l"
 {
 			    LEXTRACE("+= ");
 			    return '+';
 			}			/* return '+' */
 	YY_BREAK
-case 6:
+case 7:
 YY_RULE_SETUP
-#line 157 "toke.l"
+#line 153 "toke.l"
 {
 			    LEXTRACE("-= ");
 			    return '-';
 			}			/* return '-' */
 	YY_BREAK
-case 7:
+case 8:
 YY_RULE_SETUP
-#line 162 "toke.l"
+#line 158 "toke.l"
 {
 			    LEXTRACE("BEGINSTR ");
 			    yylval.string = NULL;
@@ -1805,9 +1817,9 @@
 			    BEGIN INSTR;
 			}
 	YY_BREAK
-case 8:
+case 9:
 YY_RULE_SETUP
-#line 169 "toke.l"
+#line 165 "toke.l"
 {
 			    LEXTRACE("WORD(2) ");
 			    if (!fill(yytext, yyleng))
@@ -1817,27 +1829,42 @@
 	YY_BREAK
 
 
-case 9:
+case 10:
 YY_RULE_SETUP
-#line 178 "toke.l"
+#line 174 "toke.l"
 {
 			    /* Line continuation char followed by newline. */
 			    ++sudolineno;
-			    LEXTRACE("\n");
+			    continued = TRUE;
 			}
 	YY_BREAK
-case 10:
+case 11:
 YY_RULE_SETUP
-#line 184 "toke.l"
+#line 180 "toke.l"
 {
 			    LEXTRACE("ENDSTR ");
 			    BEGIN prev_state;
+
+			    if (yylval.string == NULL) {
+				LEXTRACE("ERROR "); /* empty string */
+				return ERROR;
+			    }
 			    if (prev_state == INITIAL) {
 				switch (yylval.string[0]) {
 				case '%':
+				    if (yylval.string[1] == '\0' ||
+					(yylval.string[1] == ':' &&
+					yylval.string[2] == '\0')) {
+					LEXTRACE("ERROR "); /* empty group */
+					return ERROR;
+				    }
 				    LEXTRACE("USERGROUP ");
 				    return USERGROUP;
 				case '+':
+				    if (yylval.string[1] == '\0') {
+					LEXTRACE("ERROR "); /* empty netgroup */
+					return ERROR;
+				    }
 				    LEXTRACE("NETGROUP ");
 				    return NETGROUP;
 				}
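Review bot: The two new ERROR returns for an empty group (`%`, `%:`) and an empty netgroup (`+`) leave `yylval.string` pointing at the buffer presumably allocated by append() while in INSTR, and nothing in this rule releases it. If the grammar's error production recovers and keeps scanning rather than aborting the parse, each such token leaks its string; releasing it before the return, `free(yylval.string); yylval.string = NULL;`, would close that. The first check (`yylval.string == NULL`) has nothing to release, so it is fine as written. The enclosing yylex() starts and ends outside this hunk.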
@@ -1846,9 +1873,9 @@
 			    return WORD;
 			}
 	YY_BREAK
-case 11:
+case 12:
 YY_RULE_SETUP
-#line 201 "toke.l"
+#line 212 "toke.l"
 {
 			    LEXTRACE("BACKSLASH ");
 			    if (!append(yytext, yyleng))
@@ -1855,9 +1882,9 @@
 				yyterminate();
 			}
 	YY_BREAK
-case 12:
+case 13:
 YY_RULE_SETUP
-#line 207 "toke.l"
+#line 218 "toke.l"
 {
 			    LEXTRACE("STRBODY ");
 			    if (!append(yytext, yyleng))
@@ -1866,9 +1893,9 @@
 	YY_BREAK
 
 
-case 13:
+case 14:
 YY_RULE_SETUP
-#line 215 "toke.l"
+#line 226 "toke.l"
 {
 			    /* quoted fnmatch glob char, pass verbatim */
 			    LEXTRACE("QUOTEDCHAR ");
@@ -1877,9 +1904,9 @@
 			    sawspace = FALSE;
 			}
 	YY_BREAK
-case 14:
+case 15:
 YY_RULE_SETUP
-#line 223 "toke.l"
+#line 234 "toke.l"
 {
 			    /* quoted sudoers special char, strip backslash */
 			    LEXTRACE("QUOTEDCHAR ");
@@ -1888,9 +1915,9 @@
 			    sawspace = FALSE;
 			}
 	YY_BREAK
-case 15:
+case 16:
 YY_RULE_SETUP
-#line 231 "toke.l"
+#line 242 "toke.l"
 {
 			    BEGIN INITIAL;
 			    yyless(0);
@@ -1897,9 +1924,9 @@
 			    return COMMAND;
 			}			/* end of command line args */
 	YY_BREAK
-case 16:
+case 17:
 YY_RULE_SETUP
-#line 237 "toke.l"
+#line 248 "toke.l"
 {
 			    LEXTRACE("ARG ");
 			    if (!fill_args(yytext, yyleng, sawspace))
@@ -1908,12 +1935,17 @@
 			}			/* a command line arg */
 	YY_BREAK
 
-case 17:
+case 18:
 YY_RULE_SETUP
-#line 245 "toke.l"
+#line 256 "toke.l"
 {
 			    char *path;
 
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    if ((path = parse_include(yytext)) == NULL)
 				yyterminate();
 
@@ -1924,12 +1956,17 @@
 				yyterminate();
 			}
 	YY_BREAK
-case 18:
+case 19:
 YY_RULE_SETUP
-#line 258 "toke.l"
+#line 274 "toke.l"
 {
 			    char *path;
 
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    if ((path = parse_include(yytext)) == NULL)
 				yyterminate();
 
@@ -1943,16 +1980,27 @@
 				yyterminate();
 			}
 	YY_BREAK
-case 19:
+case 20:
 YY_RULE_SETUP
-#line 274 "toke.l"
+#line 295 "toke.l"
 {
+			    char deftype;
 			    int n;
+
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    for (n = 0; isblank((unsigned char)yytext[n]); n++)
 				continue;
-			    n += 8;
+			    n += sizeof("Defaults") - 1;
+			    if ((deftype = yytext[n++]) != '\0') {
+				while (isblank((unsigned char)yytext[n]))
+				    n++;
+			    }
 			    BEGIN GOTDEFS;
-			    switch (yytext[n++]) {
+			    switch (deftype) {
 				case ':':
 				    yyless(n);
 				    LEXTRACE("DEFAULTS_USER ");
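Review bot: `if ((deftype = yytext[n++]) != '\0')` advances n even when the character read is the terminating NUL, so in that case n is left one past the end of yytext before the switch. The cases visible here only call `yyless(n)` for a non-NUL deftype and the default branch lies outside this hunk, so it appears harmless as written, but changing the line to `if ((deftype = yytext[n]) != '\0') {` and adding `n++;` as the first statement of the block keeps n inside the token on every path. The enclosing yylex() begins and ends outside the hunk.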
@@ -1975,11 +2023,17 @@
 			    }
 			}
 	YY_BREAK
-case 20:
+case 21:
 YY_RULE_SETUP
-#line 303 "toke.l"
+#line 335 "toke.l"
 {
 			    int n;
+
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    for (n = 0; isblank((unsigned char)yytext[n]); n++)
 				continue;
 			    switch (yytext[n]) {
@@ -1998,9 +2052,9 @@
 			    }
 			}
 	YY_BREAK
-case 21:
+case 22:
 YY_RULE_SETUP
-#line 323 "toke.l"
+#line 361 "toke.l"
 {
 				/* cmnd does not require passwd for this user */
 			    	LEXTRACE("NOPASSWD ");
@@ -2007,9 +2061,9 @@
 			    	return NOPASSWD;
 			}
 	YY_BREAK
-case 22:
+case 23:
 YY_RULE_SETUP
-#line 329 "toke.l"
+#line 367 "toke.l"
 {
 				/* cmnd requires passwd for this user */
 			    	LEXTRACE("PASSWD ");
@@ -2016,74 +2070,83 @@
 			    	return PASSWD;
 			}
 	YY_BREAK
-case 23:
+case 24:
 YY_RULE_SETUP
-#line 335 "toke.l"
+#line 373 "toke.l"
 {
 			    	LEXTRACE("NOEXEC ");
 			    	return NOEXEC;
 			}
 	YY_BREAK
-case 24:
+case 25:
 YY_RULE_SETUP
-#line 340 "toke.l"
+#line 378 "toke.l"
 {
 			    	LEXTRACE("EXEC ");
 			    	return EXEC;
 			}
 	YY_BREAK
-case 25:
+case 26:
 YY_RULE_SETUP
-#line 345 "toke.l"
+#line 383 "toke.l"
 {
 			    	LEXTRACE("SETENV ");
 			    	return SETENV;
 			}
 	YY_BREAK
-case 26:
+case 27:
 YY_RULE_SETUP
-#line 350 "toke.l"
+#line 388 "toke.l"
 {
 			    	LEXTRACE("NOSETENV ");
 			    	return NOSETENV;
 			}
 	YY_BREAK
-case 27:
+case 28:
 YY_RULE_SETUP
-#line 355 "toke.l"
+#line 393 "toke.l"
 {
 			    	LEXTRACE("LOG_OUTPUT ");
 			    	return LOG_OUTPUT;
 			}
 	YY_BREAK
-case 28:
+case 29:
 YY_RULE_SETUP
-#line 360 "toke.l"
+#line 398 "toke.l"
 {
 			    	LEXTRACE("NOLOG_OUTPUT ");
 			    	return NOLOG_OUTPUT;
 			}
 	YY_BREAK
-case 29:
+case 30:
 YY_RULE_SETUP
-#line 365 "toke.l"
+#line 403 "toke.l"
 {
 			    	LEXTRACE("LOG_INPUT ");
 			    	return LOG_INPUT;
 			}
 	YY_BREAK
-case 30:
+case 31:
 YY_RULE_SETUP
-#line 370 "toke.l"
+#line 408 "toke.l"
 {
 			    	LEXTRACE("NOLOG_INPUT ");
 			    	return NOLOG_INPUT;
 			}
 	YY_BREAK
-case 31:
+case 32:
 YY_RULE_SETUP
-#line 375 "toke.l"
+#line 413 "toke.l"
 {
+			    /* empty group or netgroup */
+			    LEXTRACE("ERROR ");
+			    return ERROR;
+			}
+	YY_BREAK
+case 33:
+YY_RULE_SETUP
+#line 419 "toke.l"
+{
 			    /* netgroup */
 			    if (!fill(yytext, yyleng))
 				yyterminate();
@@ -2091,11 +2154,11 @@
 			    return NETGROUP;
 			}
 	YY_BREAK
-case 32:
+case 34:
 YY_RULE_SETUP
-#line 383 "toke.l"
+#line 427 "toke.l"
 {
-			    /* UN*X group */
+			    /* group */
 			    if (!fill(yytext, yyleng))
 				yyterminate();
 			    LEXTRACE("USERGROUP ");
@@ -2102,9 +2165,9 @@
 			    return USERGROUP;
 			}
 	YY_BREAK
-case 33:
+case 35:
 YY_RULE_SETUP
-#line 391 "toke.l"
+#line 435 "toke.l"
 {
 			    if (!fill(yytext, yyleng))
 				yyterminate();
@@ -2112,9 +2175,9 @@
 			    return NTWKADDR;
 			}
 	YY_BREAK
-case 34:
+case 36:
 YY_RULE_SETUP
-#line 398 "toke.l"
+#line 442 "toke.l"
 {
 			    if (!fill(yytext, yyleng))
 				yyterminate();
@@ -2122,9 +2185,9 @@
 			    return NTWKADDR;
 			}
 	YY_BREAK
-case 35:
+case 37:
 YY_RULE_SETUP
-#line 405 "toke.l"
+#line 449 "toke.l"
 {
 			    if (!ipv6_valid(yytext)) {
 				LEXTRACE("ERROR ");
@@ -2136,9 +2199,9 @@
 			    return NTWKADDR;
 			}
 	YY_BREAK
-case 36:
+case 38:
 YY_RULE_SETUP
-#line 416 "toke.l"
+#line 460 "toke.l"
 {
 			    if (!ipv6_valid(yytext)) {
 				LEXTRACE("ERROR ");
@@ -2150,25 +2213,44 @@
 			    return NTWKADDR;
 			}
 	YY_BREAK
-case 37:
+case 39:
 YY_RULE_SETUP
-#line 427 "toke.l"
+#line 471 "toke.l"
 {
-			    if (strcmp(yytext, "ALL") == 0) {
-				LEXTRACE("ALL ");
-				return ALL;
-			    }
+			    LEXTRACE("ALL ");
+			    return ALL;
+
+			}
+	YY_BREAK
+case 40:
+YY_RULE_SETUP
+#line 477 "toke.l"
+{
 #ifdef HAVE_SELINUX
-			    /* XXX - restrict type/role to initial state */
-			    if (strcmp(yytext, "TYPE") == 0) {
-				LEXTRACE("TYPE ");
-				return TYPE;
-			    }
-			    if (strcmp(yytext, "ROLE") == 0) {
-				LEXTRACE("ROLE ");
-				return ROLE;
-			    }
-#endif /* HAVE_SELINUX */
+			    LEXTRACE("ROLE ");
+			    return ROLE;
+#else
+			    goto got_alias;
+#endif
+			}
+	YY_BREAK
+case 41:
+YY_RULE_SETUP
+#line 486 "toke.l"
+{
+#ifdef HAVE_SELINUX
+			    LEXTRACE("TYPE ");
+			    return TYPE;
+#else
+			    goto got_alias;
+#endif
+			}
+	YY_BREAK
+case 42:
+YY_RULE_SETUP
+#line 495 "toke.l"
+{
+			got_alias:
 			    if (!fill(yytext, yyleng))
 				yyterminate();
 			    LEXTRACE("ALIAS ");
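Review bot: The `got_alias:` label in case 42 is only referenced from the `#else` branches of cases 40 and 41, so a build with HAVE_SELINUX defined has no jump to it and GCC's -Wall reports an unused label. Wrapping it as `#ifndef HAVE_SELINUX` / `got_alias:` / `#endif` keeps both configurations warning-clean. The jump into a sibling case's block appears valid here, but a one-line comment at the label, `/* entered from the ROLE/TYPE rules when SELinux support is compiled out */`, would spare the next reader the search. The enclosing yylex() starts and ends outside the hunk.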
@@ -2175,9 +2257,9 @@
 			    return ALIAS;
 			}
 	YY_BREAK
-case 38:
+case 43:
 YY_RULE_SETUP
-#line 449 "toke.l"
+#line 503 "toke.l"
 {
 			    /* no command args allowed for Defaults!/path */
 			    if (!fill_cmnd(yytext, yyleng))
@@ -2186,9 +2268,9 @@
 			    return COMMAND;
 			}
 	YY_BREAK
-case 39:
+case 44:
 YY_RULE_SETUP
-#line 457 "toke.l"
+#line 511 "toke.l"
 {
 			    BEGIN GOTCMND;
 			    LEXTRACE("COMMAND ");
@@ -2196,9 +2278,9 @@
 				yyterminate();
 			}			/* sudo -e */
 	YY_BREAK
-case 40:
+case 45:
 YY_RULE_SETUP
-#line 464 "toke.l"
+#line 518 "toke.l"
 {
 			    /* directories can't have args... */
 			    if (yytext[yyleng - 1] == '/') {
@@ -2214,9 +2296,9 @@
 			    }
 			}			/* a pathname */
 	YY_BREAK
-case 41:
+case 46:
 YY_RULE_SETUP
-#line 479 "toke.l"
+#line 533 "toke.l"
 {
 			    LEXTRACE("BEGINSTR ");
 			    yylval.string = NULL;
@@ -2224,9 +2306,9 @@
 			    BEGIN INSTR;
 			}
 	YY_BREAK
-case 42:
+case 47:
 YY_RULE_SETUP
-#line 486 "toke.l"
+#line 540 "toke.l"
 {
 			    /* a word */
 			    if (!fill(yytext, yyleng))
@@ -2235,93 +2317,101 @@
 			    return WORD;
 			}
 	YY_BREAK
-case 43:
+case 48:
 YY_RULE_SETUP
-#line 494 "toke.l"
+#line 548 "toke.l"
 {
 			    LEXTRACE("( ");
 			    return '(';
 			}
 	YY_BREAK
-case 44:
+case 49:
 YY_RULE_SETUP
-#line 499 "toke.l"
+#line 553 "toke.l"
 {
 			    LEXTRACE(") ");
 			    return ')';
 			}
 	YY_BREAK
-case 45:
+case 50:
 YY_RULE_SETUP
-#line 504 "toke.l"
+#line 558 "toke.l"
 {
 			    LEXTRACE(", ");
 			    return ',';
 			}			/* return ',' */
 	YY_BREAK
-case 46:
+case 51:
 YY_RULE_SETUP
-#line 509 "toke.l"
+#line 563 "toke.l"
 {
 			    LEXTRACE("= ");
 			    return '=';
 			}			/* return '=' */
 	YY_BREAK
-case 47:
+case 52:
 YY_RULE_SETUP
-#line 514 "toke.l"
+#line 568 "toke.l"
 {
 			    LEXTRACE(": ");
 			    return ':';
 			}			/* return ':' */
 	YY_BREAK
-case 48:
+case 53:
 YY_RULE_SETUP
-#line 519 "toke.l"
+#line 573 "toke.l"
 {
-			    if (yyleng % 2 == 1)
+			    if (yyleng & 1) {
+				LEXTRACE("!");
 				return '!';	/* return '!' */
+			    }
 			}
 	YY_BREAK
-case 49:
+case 54:
 YY_RULE_SETUP
-#line 524 "toke.l"
+#line 580 "toke.l"
 {
+			    if (YY_START == INSTR) {
+				LEXTRACE("ERROR ");
+				return ERROR;	/* line break in string */
+			    }
 			    BEGIN INITIAL;
 			    ++sudolineno;
+			    continued = FALSE;
 			    LEXTRACE("\n");
 			    return COMMENT;
 			}			/* return newline */
 	YY_BREAK
-case 50:
+case 55:
 YY_RULE_SETUP
-#line 531 "toke.l"
+#line 592 "toke.l"
 {			/* throw away space/tabs */
 			    sawspace = TRUE;	/* but remember for fill_args */
 			}
 	YY_BREAK
-case 51:
+case 56:
 YY_RULE_SETUP
-#line 535 "toke.l"
+#line 596 "toke.l"
 {
 			    sawspace = TRUE;	/* remember for fill_args */
 			    ++sudolineno;
-			    LEXTRACE("\n\t");
+			    continued = TRUE;
 			}			/* throw away EOL after \ */
 	YY_BREAK
-case 52:
+case 57:
 YY_RULE_SETUP
-#line 541 "toke.l"
+#line 602 "toke.l"
 {
 			    BEGIN INITIAL;
 			    ++sudolineno;
-			    LEXTRACE("\n");
+			    continued = FALSE;
+			    LEXTRACE("#\n");
 			    return COMMENT;
 			}			/* comment, not uid/gid */
 	YY_BREAK
-case 53:
+case 58:
 YY_RULE_SETUP
-#line 548 "toke.l"
+#line 610 "toke.l"
 {
 			    LEXTRACE("ERROR ");
 			    return ERROR;
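Review bot: The new `YY_START == INSTR` check in case 54 returns ERROR for a line break inside a quoted string but does not leave the INSTR state first, so the scanner keeps treating the following lines as string body (and reports ERROR again at each newline) until a closing quote or EOF. If the grammar's error recovery is meant to resynchronize on the next COMMENT token, adding `BEGIN INITIAL;` before that `return ERROR;` (and releasing the partial `yylval.string`) would let it do so. A minor style point in case 53: `LEXTRACE("!")` lacks the trailing space every other token trace on this page uses. The enclosing yylex() starts and ends outside the hunk.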
@@ -2333,7 +2423,7 @@
 case YY_STATE_EOF(STARTDEFS):
 case YY_STATE_EOF(INDEFS):
 case YY_STATE_EOF(INSTR):
-#line 553 "toke.l"
+#line 615 "toke.l"
 {
 			    if (YY_START != INITIAL) {
 			    	BEGIN INITIAL;
@@ -2344,12 +2434,12 @@
 				yyterminate();
 			}
 	YY_BREAK
-case 54:
+case 59:
 YY_RULE_SETUP
-#line 563 "toke.l"
+#line 625 "toke.l"
 ECHO;
 	YY_BREAK
-#line 2352 "lex.yy.c"
+#line 2442 "lex.yy.c"
 
 	case YY_END_OF_BUFFER:
 		{
@@ -2640,7 +2730,7 @@
 		while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 			{
 			yy_current_state = (int) yy_def[yy_current_state];
-			if ( yy_current_state >= 588 )
+			if ( yy_current_state >= 607 )
 				yy_c = yy_meta[(unsigned int) yy_c];
 			}
 		yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -2675,11 +2765,11 @@
 	while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
 		{
 		yy_current_state = (int) yy_def[yy_current_state];
-		if ( yy_current_state >= 588 )
+		if ( yy_current_state >= 607 )
 			yy_c = yy_meta[(unsigned int) yy_c];
 		}
 	yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
-	yy_is_jam = (yy_current_state == 587);
+	yy_is_jam = (yy_current_state == 606);
 
 	return yy_is_jam ? 0 : yy_current_state;
 	}
@@ -3240,179 +3330,8 @@
 	return 0;
 	}
 #endif
-#line 563 "toke.l"
+#line 625 "toke.l"
 
-static unsigned char
-hexchar(s)
-    const char *s;
-{
-    int i;
-    int result = 0;
-
-    s += 2; /* skip \\x */
-    for (i = 0; i < 2; i++) {
-	switch (*s) {
-	case 'A':
-	case 'a':
-	    result += 10;
-	    break;
-	case 'B':
-	case 'b':
-	    result += 11;
-	    break;
-	case 'C':
-	case 'c':
-	    result += 12;
-	    break;
-	case 'D':
-	case 'd':
-	    result += 13;
-	    break;
-	case 'E':
-	case 'e':
-	    result += 14;
-	    break;
-	case 'F':
-	case 'f':
-	    result += 15;
-	    break;
-	default:
-	    result += *s - '0';
-	    break;
-	}
-	if (i == 0) {
-	    result *= 16;
-	    s++;
-	}
-    }
-    return (unsigned char)result;
-}
-
-static int
-_fill(src, len, olen)
-    char *src;
-    int len, olen;
-{
-    char *dst;
-
-    dst = olen ? realloc(yylval.string, olen + len + 1) : malloc(len + 1);
-    if (dst == NULL) {
-	yyerror("unable to allocate memory");
-	return FALSE;
-    }
-    yylval.string = dst;
-
-    /* Copy the string and collapse any escaped characters. */
-    dst += olen;
-    while (len--) {
-	if (*src == '\\' && len) {
-	    if (src[1] == 'x' && len >= 3 && 
-		isxdigit((unsigned char) src[2]) &&
-		isxdigit((unsigned char) src[3])) {
-		*dst++ = hexchar(src);
-		src += 4;
-		len -= 3;
-	    } else {
-		src++;
-		len--;
-		*dst++ = *src++;
-	    }
-	} else {
-	    *dst++ = *src++;
-	}
-    }
-    *dst = '\0';
-    return TRUE;
-}
-
-static int
-append(src, len)
-    char *src;
-    int len;
-{
-    int olen = 0;
-
-    if (yylval.string != NULL)
-	olen = strlen(yylval.string);
-
-    return _fill(src, len, olen);
-}
-
-#define SPECIAL(c) \
-    ((c) == ',' || (c) == ':' || (c) == '=' || (c) == ' ' || (c) == '\t' || (c) == '#')
-
-static int
-fill_cmnd(src, len)
-    char *src;
-    int len;
-{
-    char *dst;
-    int i;
-
-    arg_len = arg_size = 0;
-
-    dst = yylval.command.cmnd = (char *) malloc(len + 1);
-    if (yylval.command.cmnd == NULL) {
-	yyerror("unable to allocate memory");
-	return FALSE;
-    }
-
-    /* Copy the string and collapse any escaped sudo-specific characters. */
-    for (i = 0; i < len; i++) {
-	if (src[i] == '\\' && i != len - 1 && SPECIAL(src[i + 1]))
-	    *dst++ = src[++i];
-	else
-	    *dst++ = src[i];
-    }
-    *dst = '\0';
-
-    yylval.command.args = NULL;
-    return TRUE;
-}
-
-static int
-fill_args(s, len, addspace)
-    char *s;
-    int len;
-    int addspace;
-{
-    int new_len;
-    char *p;
-
-    if (yylval.command.args == NULL) {
-	addspace = 0;
-	new_len = len;
-    } else
-	new_len = arg_len + len + addspace;
-
-    if (new_len >= arg_size) {
-	/* Allocate more space than we need for subsequent args */
-	while (new_len >= (arg_size += COMMANDARGINC))
-	    ;
-
-	p = yylval.command.args ?
-	    (char *) realloc(yylval.command.args, arg_size) :
-	    (char *) malloc(arg_size);
-	if (p == NULL) {
-	    efree(yylval.command.args);
-	    yyerror("unable to allocate memory");
-	    return FALSE;
-	} else
-	    yylval.command.args = p;
-    }
-
-    /* Efficiently append the arg (with a leading space if needed). */
-    p = yylval.command.args + arg_len;
-    if (addspace)
-	*p++ = ' ';
-    if (strlcpy(p, s, arg_size - (p - yylval.command.args)) != len) {
-	yyerror("fill_args: buffer overflow");	/* paranoia */
-	return FALSE;
-    }
-    arg_len = new_len;
-    return TRUE;
-}
-
 struct path_list {
     char *path;
     struct path_list *next;
@@ -3451,8 +3370,16 @@
     struct path_list **sorted = NULL;
 
     if (!(dir = opendir(dirpath))) {
-	yyerror(dirpath);
-	return NULL;
+	if (errno != ENOENT) {
+	    char *errbuf;
+	    if (asprintf(&errbuf, "%s: %s", dirpath, strerror(errno)) != -1) {
+		yyerror(errbuf);
+		free(errbuf);
+	    } else {
+		yyerror("unable to allocate memory");
+	    }
+	}
+	goto done;
     }
     while ((dent = readdir(dir))) {
 	/* Ignore files that end in '~' or have a '.' in them. */
@@ -3466,6 +3393,7 @@
 	}
 	if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) {
 	    efree(path);
+	    path = NULL;
 	    continue;
 	}
 	pl = malloc(sizeof(*pl));
@@ -3551,7 +3479,11 @@
     efree(istack);
     istack = NULL;
     istacksize = idepth = 0;
+    sudolineno = 1;
     keepopen = FALSE;
+    sawspace = FALSE;
+    continued = FALSE;
+    prev_state = INITIAL;
 }
 
 static int
@@ -3592,7 +3524,13 @@
 	}
     } else {
 	if ((fp = open_sudoers(path, TRUE, &keepopen)) == NULL) {
-	    yyerror(path);
+	    char *errbuf;
+	    if (asprintf(&errbuf, "%s: %s", path, strerror(errno)) != -1) {
+		yyerror(errbuf);
+		free(errbuf);
+	    } else {
+		yyerror("unable to allocate memory");
+	    }
 	    return FALSE;
 	}
 	istack[idepth].more = NULL;
@@ -3703,26 +3641,3 @@
 
     return path;
 }
-
-/*
- * Check to make sure an IPv6 address does not contain multiple instances
- * of the string "::".  Assumes strlen(s) >= 1.
- * Returns TRUE if address is valid else FALSE.
- */
-static int
-ipv6_valid(s)
-    const char *s;
-{
-    int nmatch = 0;
-
-    for (; *s != '\0'; s++) {
-	if (s[0] == ':' && s[1] == ':') {
-	    if (++nmatch > 1)
-		break;
-	}
-	if (s[0] == '/')
-	    nmatch = 0;			/* reset if we hit netmask */
-    }
-
-    return nmatch <= 1;
-}

Modified: trunk/contrib/sudo/toke.l
===================================================================
--- trunk/contrib/sudo/toke.l	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/toke.l	2014-10-02 03:32:57 UTC (rev 6804)
@@ -65,6 +65,7 @@
 #  include <ndir.h>
 # endif
 #endif
+#include <errno.h>
 #include <ctype.h>
 #include "sudo.h"
 #include "parse.h"
@@ -73,11 +74,11 @@
 
 extern YYSTYPE yylval;
 extern int parse_error;
-int sudolineno = 1;
+int sudolineno;
 char *sudoers;
-static int sawspace = 0;
-static int prev_state = INITIAL;
 
+static int continued, prev_state, sawspace;
+
 static int _push_include	__P((char *, int));
 static int pop_include		__P((void));
 static char *parse_include	__P((char *));
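Review bot: `sudolineno` now starts at 0 instead of 1 at program start, because its initializer is dropped at L16311–L16312 and the value 1 is only assigned in init_lexer (the hunk at L16590). Any path that drives the scanner before init_lexer runs will report line numbers one too low; if init_lexer is guaranteed to run first, a comment at the declaration would make that invariant visible, e.g. `int sudolineno;		/* set to 1 by init_lexer() before each parse */`. The same hunk also drops the explicit `= INITIAL` on prev_state; that is equivalent only because flex defines INITIAL as 0, which is worth stating in a comment on L16317 as well.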
@@ -117,6 +118,11 @@
 %x	INSTR
 
 %%
+<GOTDEFS>[[:blank:]]*,[[:blank:]]* {
+			    LEXTRACE(", ");
+			    return ',';
+			}			/* return ',' */
+
 <GOTDEFS>[[:blank:]]+	BEGIN STARTDEFS;
 
 <STARTDEFS>{DEFVAR}	{
@@ -168,18 +174,33 @@
     \\[[:blank:]]*\n[[:blank:]]*	{
 			    /* Line continuation char followed by newline. */
 			    ++sudolineno;
-			    LEXTRACE("\n");
+			    continued = TRUE;
 			}
 
     \"			{
 			    LEXTRACE("ENDSTR ");
 			    BEGIN prev_state;
+
+			    if (yylval.string == NULL) {
+				LEXTRACE("ERROR "); /* empty string */
+				return ERROR;
+			    }
 			    if (prev_state == INITIAL) {
 				switch (yylval.string[0]) {
 				case '%':
+				    if (yylval.string[1] == '\0' ||
+					(yylval.string[1] == ':' &&
+					yylval.string[2] == '\0')) {
+					LEXTRACE("ERROR "); /* empty group */
+					return ERROR;
+				    }
 				    LEXTRACE("USERGROUP ");
 				    return USERGROUP;
 				case '+':
+				    if (yylval.string[1] == '\0') {
+					LEXTRACE("ERROR "); /* empty netgroup */
+					return ERROR;
+				    }
 				    LEXTRACE("NETGROUP ");
 				    return NETGROUP;
 				}
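Review bot: The two new ERROR returns for an empty group (L16356–L16357) and an empty netgroup (L16363–L16364) return while yylval.string still points at the buffer built up in INSTR, and nothing in the hunk frees it; unless the grammar's error path releases the ERROR token's value, that allocation is leaked on every such parse error. The line-break-in-string ERROR at L16536–L16539 has the same shape whenever a partial string has been accumulated. An `efree(yylval.string); yylval.string = NULL;` before each of these returns would settle ownership regardless of what the parser does with the token. The rule's action continues outside the hunk.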
@@ -235,6 +256,11 @@
 <INITIAL>^#include[[:blank:]]+\/.*\n {
 			    char *path;
 
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    if ((path = parse_include(yytext)) == NULL)
 				yyterminate();
 
@@ -248,6 +274,11 @@
 <INITIAL>^#includedir[[:blank:]]+\/.*\n {
 			    char *path;
 
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    if ((path = parse_include(yytext)) == NULL)
 				yyterminate();
 
@@ -261,13 +292,24 @@
 				yyterminate();
 			}
 
-<INITIAL>^[[:blank:]]*Defaults([:@>\!]\!?{WORD})? {
+<INITIAL>^[[:blank:]]*Defaults([:@>\!][[:blank:]]*\!*\"?({ID}|{WORD}))? {
+			    char deftype;
 			    int n;
+
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    for (n = 0; isblank((unsigned char)yytext[n]); n++)
 				continue;
-			    n += 8;
+			    n += sizeof("Defaults") - 1;
+			    if ((deftype = yytext[n++]) != '\0') {
+				while (isblank((unsigned char)yytext[n]))
+				    n++;
+			    }
 			    BEGIN GOTDEFS;
-			    switch (yytext[n++]) {
+			    switch (deftype) {
 				case ':':
 				    yyless(n);
 				    LEXTRACE("DEFAULTS_USER ");
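Review bot: `deftype = yytext[n++]` at L16411 advances n past the terminating NUL when the line is a bare `Defaults`, so n is only a valid yyless() offset in the typed cases that follow the blank-skipping loop. A comment would keep a later reader from using n in the default branch, e.g. `/* n now indexes the first char after the type char and its blanks; only meaningful when deftype != '\0' */`. The switch continues outside the hunk, so the remaining cases are not visible here.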
@@ -292,6 +334,12 @@
 
 <INITIAL>^[[:blank:]]*(Host|Cmnd|User|Runas)_Alias	{
 			    int n;
+
+			    if (continued) {
+				LEXTRACE("ERROR ");
+				return ERROR;
+			    }
+
 			    for (n = 0; isblank((unsigned char)yytext[n]); n++)
 				continue;
 			    switch (yytext[n]) {
@@ -362,6 +410,12 @@
 			    	return NOLOG_INPUT;
 			}
 
+<INITIAL,GOTDEFS>(\+|\%|\%:) {
+			    /* empty group or netgroup */
+			    LEXTRACE("ERROR ");
+			    return ERROR;
+			}
+
 \+{WORD}		{
 			    /* netgroup */
 			    if (!fill(yytext, yyleng))
@@ -370,8 +424,8 @@
 			    return NETGROUP;
 			}
 
-\%:?{WORD}		{
-			    /* UN*X group */
+\%:?({WORD}|{ID})	{
+			    /* group */
 			    if (!fill(yytext, yyleng))
 				yyterminate();
 			    LEXTRACE("USERGROUP ");
@@ -385,7 +439,7 @@
 			    return NTWKADDR;
 			}
 
-{IPV4ADDR}\/([12][0-9]*|3[0-2]*) {
+{IPV4ADDR}\/([12]?[0-9]|3[0-2]) {
 			    if (!fill(yytext, yyleng))
 				yyterminate();
 			    LEXTRACE("NTWKADDR ");
@@ -414,22 +468,32 @@
 			    return NTWKADDR;
 			}
 
+ALL {
+			    LEXTRACE("ALL ");
+			    return ALL;
+
+			}
+
+<INITIAL>ROLE {
+#ifdef HAVE_SELINUX
+			    LEXTRACE("ROLE ");
+			    return ROLE;
+#else
+			    goto got_alias;
+#endif
+			}
+
+<INITIAL>TYPE {
+#ifdef HAVE_SELINUX
+			    LEXTRACE("TYPE ");
+			    return TYPE;
+#else
+			    goto got_alias;
+#endif
+			}
+
 [[:upper:]][[:upper:][:digit:]_]* {
-			    if (strcmp(yytext, "ALL") == 0) {
-				LEXTRACE("ALL ");
-				return ALL;
-			    }
-#ifdef HAVE_SELINUX
-			    /* XXX - restrict type/role to initial state */
-			    if (strcmp(yytext, "TYPE") == 0) {
-				LEXTRACE("TYPE ");
-				return TYPE;
-			    }
-			    if (strcmp(yytext, "ROLE") == 0) {
-				LEXTRACE("ROLE ");
-				return ROLE;
-			    }
-#endif /* HAVE_SELINUX */
+			got_alias:
 			    if (!fill(yytext, yyleng))
 				yyterminate();
 			    LEXTRACE("ALIAS ");
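Review bot: The `goto got_alias` in the ROLE and TYPE actions (L16482, L16491) jumps into the action of a different rule; this compiles only because flex emits every rule action into one switch inside yylex(), and it silently breaks if the alias rule is moved, given its own braces with declarations, or split out. A comment on the label would make the dependency explicit: `got_alias:	/* entered from the ROLE/TYPE rules when SELinux support is compiled out */`. The stray blank line before the closing brace of the ALL action at L16474 also looks unintended.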
@@ -466,7 +530,7 @@
 			    }
 			}			/* a pathname */
 
-<INITIAL,GOTDEFS>^\" {
+<INITIAL,GOTDEFS>\" {
 			    LEXTRACE("BEGINSTR ");
 			    yylval.string = NULL;
 			    prev_state = YY_START;
@@ -507,13 +571,20 @@
 			}			/* return ':' */
 
 <*>!+			{
-			    if (yyleng % 2 == 1)
+			    if (yyleng & 1) {
+				LEXTRACE("!");
 				return '!';	/* return '!' */
+			    }
 			}
 
 <*>\n			{
+			    if (YY_START == INSTR) {
+				LEXTRACE("ERROR ");
+				return ERROR;	/* line break in string */
+			    }
 			    BEGIN INITIAL;
 			    ++sudolineno;
+			    continued = FALSE;
 			    LEXTRACE("\n");
 			    return COMMENT;
 			}			/* return newline */
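Review bot: In the INSTR branch added at L16536–L16539 the newline has already been consumed by the rule, but the action returns before `++sudolineno` and before leaving INSTR, so the line count ends up one short and the scanner keeps treating the following line as string content. Pushing the newline back and leaving the state first, `BEGIN INITIAL; yyless(0);` ahead of the return, lets the normal path count the line and emit COMMENT on the next call, which is presumably what the grammar resynchronises on after an error. Without that, every later diagnostic for the file carries a stale line number.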
@@ -525,13 +596,14 @@
 <*>\\[[:blank:]]*\n	{
 			    sawspace = TRUE;	/* remember for fill_args */
 			    ++sudolineno;
-			    LEXTRACE("\n\t");
+			    continued = TRUE;
 			}			/* throw away EOL after \ */
 
 <INITIAL,STARTDEFS,INDEFS>#(-[^\n0-9].*|[^\n0-9-].*)?\n	{
 			    BEGIN INITIAL;
 			    ++sudolineno;
-			    LEXTRACE("\n");
+			    continued = FALSE;
+			    LEXTRACE("#\n");
 			    return COMMENT;
 			}			/* comment, not uid/gid */
 
@@ -589,8 +661,16 @@
     struct path_list **sorted = NULL;
 
     if (!(dir = opendir(dirpath))) {
-	yyerror(dirpath);
-	return NULL;
+	if (errno != ENOENT) {
+	    char *errbuf;
+	    if (asprintf(&errbuf, "%s: %s", dirpath, strerror(errno)) != -1) {
+		yyerror(errbuf);
+		free(errbuf);
+	    } else {
+		yyerror("unable to allocate memory");
+	    }
+	}
+	goto done;
     }
     while ((dent = readdir(dir))) {
 	/* Ignore files that end in '~' or have a '.' in them. */
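Review bot: The asprintf/yyerror/free sequence at L16570–L16576 is repeated verbatim in the open_sudoers failure path at L16607–L16613; a small static helper would keep the two error paths from drifting and reads more clearly at the call site. Separately, the new `errno != ENOENT` test means a missing #includedir directory is now accepted silently rather than reported, which reads like a deliberate policy change and deserves a one-line comment. The function continues outside the hunk, and the `done` label it jumps to is not visible here.
```c
/* Report "path: <strerror(errno)>" through yyerror(); errno must still hold the failing call's value. */
static void
yyerror_errno(path)
    const char *path;
{
    char *errbuf;

    if (asprintf(&errbuf, "%s: %s", path, strerror(errno)) != -1) {
	yyerror(errbuf);
	free(errbuf);
    } else {
	yyerror("unable to allocate memory");
    }
}

/* … unchanged: start of the directory-reading function … */
    if (!(dir = opendir(dirpath))) {
	/* A missing include directory is not an error; anything else is. */
	if (errno != ENOENT)
	    yyerror_errno(dirpath);
	goto done;
    }
```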
@@ -604,6 +684,7 @@
 	}
 	if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) {
 	    efree(path);
+	    path = NULL;
 	    continue;
 	}
 	pl = malloc(sizeof(*pl));
@@ -689,7 +770,11 @@
     efree(istack);
     istack = NULL;
     istacksize = idepth = 0;
+    sudolineno = 1;
     keepopen = FALSE;
+    sawspace = FALSE;
+    continued = FALSE;
+    prev_state = INITIAL;
 }
 
 static int
@@ -730,7 +815,13 @@
 	}
     } else {
 	if ((fp = open_sudoers(path, TRUE, &keepopen)) == NULL) {
-	    yyerror(path);
+	    char *errbuf;
+	    if (asprintf(&errbuf, "%s: %s", path, strerror(errno)) != -1) {
+		yyerror(errbuf);
+		free(errbuf);
+	    } else {
+		yyerror("unable to allocate memory");
+	    }
 	    return FALSE;
 	}
 	istack[idepth].more = NULL;
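Review bot: The message built at L16608 formats strerror(errno) after open_sudoers returned NULL, but open_sudoers is a project function whose failure modes are not visible here; if it can return NULL after an ownership or mode check without a failing system call, errno is stale and the diagnostic names an unrelated error. Either confirm that open_sudoers sets errno on every NULL return and say so in a comment at L16607, e.g. `/* open_sudoers() leaves errno set on failure */`, or clear errno before the call and fall back to a plain path-only message when it is still zero. The enclosing function starts outside the hunk.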

Added: trunk/contrib/sudo/visudo.8
===================================================================
--- trunk/contrib/sudo/visudo.8	                        (rev 0)
+++ trunk/contrib/sudo/visudo.8	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,307 @@
+.\" Copyright (c) 1996,1998-2005, 2007-2010
+.\" 	Todd C. Miller <Todd.Miller at courtesan.com>
+.\" 
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" 
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\" 
+.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
+.\"
+.\" Standard preamble:
+.\" ========================================================================
+.de Sp \" Vertical space (when we can't use .PP)
+.if t .sp .5v
+.if n .sp
+..
+.de Vb \" Begin verbatim text
+.ft CW
+.nf
+.ne \\$1
+..
+.de Ve \" End verbatim text
+.ft R
+.fi
+..
+.\" Set up some character translations and predefined strings.  \*(-- will
+.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
+.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
+.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
+.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
+.ie n \{\
+.    ds -- \(*W-
+.    ds PI pi
+.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
+.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
+.    ds L" ""
+.    ds R" ""
+.    ds C` 
+.    ds C' 
+'br\}
+.el\{\
+.    ds -- \|\(em\|
+.    ds PI \(*p
+.    ds L" ``
+.    ds R" ''
+'br\}
+.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\"
+.\" If the F register is turned on, we'll generate index entries on stderr for
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
+.\" entries marked with X<> in POD.  Of course, you'll have to process the
+.\" output yourself in some meaningful fashion.
+.ie \nF \{\
+.    de IX
+.    tm Index:\\$1\t\\n%\t"\\$2"
+..
+.    nr % 0
+.    rr F
+.\}
+.el \{\
+.    de IX
+..
+.\}
+.\"
+.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
+.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
+.    \" fudge factors for nroff and troff
+.if n \{\
+.    ds #H 0
+.    ds #V .8m
+.    ds #F .3m
+.    ds #[ \f1
+.    ds #] \fP
+.\}
+.if t \{\
+.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
+.    ds #V .6m
+.    ds #F 0
+.    ds #[ \&
+.    ds #] \&
+.\}
+.    \" simple accents for nroff and troff
+.if n \{\
+.    ds ' \&
+.    ds ` \&
+.    ds ^ \&
+.    ds , \&
+.    ds ~ ~
+.    ds /
+.\}
+.if t \{\
+.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
+.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
+.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
+.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
+.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
+.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
+.\}
+.    \" troff and (daisy-wheel) nroff accents
+.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
+.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
+.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
+.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
+.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
+.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
+.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
+.ds ae a\h'-(\w'a'u*4/10)'e
+.ds Ae A\h'-(\w'A'u*4/10)'E
+.    \" corrections for vroff
+.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
+.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
+.    \" for low resolution devices (crt and lpr)
+.if \n(.H>23 .if \n(.V>19 \
+\{\
+.    ds : e
+.    ds 8 ss
+.    ds o a
+.    ds d- d\h'-1'\(ga
+.    ds D- D\h'-1'\(hy
+.    ds th \o'bp'
+.    ds Th \o'LP'
+.    ds ae ae
+.    ds Ae AE
+.\}
+.rm #[ #] #H #V #F C
+.\" ========================================================================
+.\"
+.IX Title "VISUDO 8"
+.TH VISUDO 8 "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
+.SH "NAME"
+visudo \- edit the sudoers file
+.SH "SYNOPSIS"
+.IX Header "SYNOPSIS"
+\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR]
+.SH "DESCRIPTION"
+.IX Header "DESCRIPTION"
+\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to
+\&\fIvipw\fR\|(8).  \fBvisudo\fR locks the \fIsudoers\fR file against multiple
+simultaneous edits, provides basic sanity checks, and checks
+for parse errors.  If the \fIsudoers\fR file is currently being
+edited you will receive a message to try again later.
+.PP
+There is a hard-coded list of one or more editors that \fBvisudo\fR will
+use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
+\&\f(CW\*(C`Default\*(C'\fR variable.  This list defaults to \f(CW"/usr/bin/vi"\fR.  Normally,
+\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
+variables unless they contain an editor in the aforementioned editors
+list.  However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR
+option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
+\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
+Note that this can be a security hole since it allows the user to
+execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
+.PP
+\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will
+not save the changes if there is a syntax error.  Upon finding
+an error, \fBvisudo\fR will print a message stating the line number(s)
+where the error occurred and the user will receive the
+\&\*(L"What now?\*(R" prompt.  At this point the user may enter \*(L"e\*(R"
+to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without
+saving the changes, or \*(L"Q\*(R" to quit and save changes.  The
+\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR
+believes there to be a parse error, so will \fBsudo\fR and no one
+will be able to \fBsudo\fR again until the error is fixed.
+If \*(L"e\*(R" is typed to edit the  \fIsudoers\fR file after a parse error
+has been detected, the cursor will be placed on the line where the
+error occurred (if the editor supports this feature).
+.SH "OPTIONS"
+.IX Header "OPTIONS"
+\&\fBvisudo\fR accepts the following command line options:
+.IP "\-c" 12
+.IX Item "-c"
+Enable \fBcheck-only\fR mode.  The existing \fIsudoers\fR file will be
+checked for syntax and a message will be printed to the
+standard output detailing the status of \fIsudoers\fR.
+If the syntax check completes successfully, \fBvisudo\fR will
+exit with a value of 0.  If a syntax error is encountered,
+\&\fBvisudo\fR will exit with a value of 1.
+.IP "\-f \fIsudoers\fR" 12
+.IX Item "-f sudoers"
+Specify and alternate \fIsudoers\fR file location.  With this option
+\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
+instead of the default, \fI/etc/sudoers\fR.  The lock file used
+is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
+In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R",
+indicating that \fIsudoers\fR will be read from the standard input.
+.IP "\-h" 12
+.IX Item "-h"
+The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message
+to the standard output and exit.
+.IP "\-q" 12
+.IX Item "-q"
+Enable \fBquiet\fR mode.  In this mode details about syntax errors
+are not printed.  This option is only useful when combined with
+the \fB\-c\fR option.
+.IP "\-s" 12
+.IX Item "-s"
+Enable \fBstrict\fR checking of the \fIsudoers\fR file.  If an alias is
+used before it is defined, \fBvisudo\fR will consider this a parse
+error.  Note that it is not possible to differentiate between an
+alias and a host name or user name that consists solely of uppercase
+letters, digits, and the underscore ('_') character.
+.IP "\-V" 12
+.IX Item "-V"
+The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
+and exit.
+.SH "ENVIRONMENT"
+.IX Header "ENVIRONMENT"
+The following environment variables may be consulted depending on
+the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables:
+.ie n .IP "\*(C`VISUAL\*(C'" 16
+.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
+.IX Item "VISUAL"
+Invoked by visudo as the editor to use
+.ie n .IP "\*(C`EDITOR\*(C'" 16
+.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
+.IX Item "EDITOR"
+Used by visudo if \s-1VISUAL\s0 is not set
+.SH "FILES"
+.IX Header "FILES"
+.ie n .IP "\fI/etc/sudoers\fR" 24
+.el .IP "\fI/etc/sudoers\fR" 24
+.IX Item "/etc/sudoers"
+List of who can run what
+.ie n .IP "\fI/etc/sudoers.tmp\fR" 24
+.el .IP "\fI/etc/sudoers.tmp\fR" 24
+.IX Item "/etc/sudoers.tmp"
+Lock file for visudo
+.SH "DIAGNOSTICS"
+.IX Header "DIAGNOSTICS"
+.IP "sudoers file busy, try again later." 4
+.IX Item "sudoers file busy, try again later."
+Someone else is currently editing the \fIsudoers\fR file.
+.ie n .IP "/etc/sudoers.tmp: Permission denied" 4
+.el .IP "\f(CW at sysconfdir\fR@/sudoers.tmp: Permission denied" 4
+.IX Item "/etc/sudoers.tmp: Permission denied"
+You didn't run \fBvisudo\fR as root.
+.IP "Can't find you in the passwd database" 4
+.IX Item "Can't find you in the passwd database"
+Your userid does not appear in the system passwd file.
+.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
+.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
+Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
+or you have a user or host name listed that consists solely of
+uppercase letters, digits, and the underscore ('_') character.  In
+the latter case, you can ignore the warnings (\fBsudo\fR will not
+complain).  In \fB\-s\fR (strict) mode these are errors, not warnings.
+.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4
+.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias"
+The specified {User,Runas,Host,Cmnd}_Alias was defined but never
+used.  You may wish to comment out or remove the unused alias.  In
+\&\fB\-s\fR (strict) mode this is an error, not a warning.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIvi\fR\|(1), \fIsudoers\fR\|(5), \fIsudo\fR\|(8), \fIvipw\fR\|(8)
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Many people have worked on \fIsudo\fR over the years; this version of
+\&\fBvisudo\fR was written by:
+.PP
+.Vb 1
+\& Todd Miller
+.Ve
+.PP
+See the \s-1HISTORY\s0 file in the sudo distribution or visit
+http://www.sudo.ws/sudo/history.html for more details.
+.SH "CAVEATS"
+.IX Header "CAVEATS"
+There is no easy way to prevent a user from gaining a root shell if 
+the editor used by \fBvisudo\fR allows shell escapes.
+.SH "BUGS"
+.IX Header "BUGS"
+If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+.SH "SUPPORT"
+.IX Header "SUPPORT"
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+search the archives.
+.SH "DISCLAIMER"
+.IX Header "DISCLAIMER"
+\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the \s-1LICENSE\s0
+file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
+for complete details.

Modified: trunk/contrib/sudo/visudo.cat
===================================================================
--- trunk/contrib/sudo/visudo.cat	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/visudo.cat	2014-10-02 03:32:57 UTC (rev 6804)
@@ -61,7 +61,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       1
+1.7.6                     April  9, 2011                        1
 
 
 
@@ -127,7 +127,7 @@
 
 
 
-1.7.5rc1                February 21, 2011                       2
+1.7.6                     April  9, 2011                        2
 
 
 
@@ -193,6 +193,6 @@
 
 
 
-1.7.5rc1                February 21, 2011                       3
+1.7.6                     April  9, 2011                        3
 
 

Modified: trunk/contrib/sudo/visudo.man.in
===================================================================
--- trunk/contrib/sudo/visudo.man.in	2014-10-02 03:20:49 UTC (rev 6803)
+++ trunk/contrib/sudo/visudo.man.in	2014-10-02 03:32:57 UTC (rev 6804)
@@ -144,7 +144,7 @@
 .\" ========================================================================
 .\"
 .IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "April  9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l

Added: trunk/contrib/sudo/visudo.pod
===================================================================
--- trunk/contrib/sudo/visudo.pod	                        (rev 0)
+++ trunk/contrib/sudo/visudo.pod	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,213 @@
+Copyright (c) 1996,1998-2005, 2007-2010
+	Todd C. Miller <Todd.Miller at courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+Sponsored in part by the Defense Advanced Research Projects
+Agency (DARPA) and Air Force Research Laboratory, Air Force
+Materiel Command, USAF, under agreement number F39502-99-1-0512.
+
+=pod
+
+=head1 NAME
+
+visudo - edit the sudoers file
+
+=head1 SYNOPSIS
+
+B<visudo> [B<-chqsV>] [B<-f> I<sudoers>]
+
+=head1 DESCRIPTION
+
+B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
+L<vipw(8)>.  B<visudo> locks the I<sudoers> file against multiple
+simultaneous edits, provides basic sanity checks, and checks
+for parse errors.  If the I<sudoers> file is currently being
+edited you will receive a message to try again later.
+
+There is a hard-coded list of one or more editors that B<visudo> will
+use set at compile-time that may be overridden via the I<editor> I<sudoers>
+C<Default> variable.  This list defaults to C<"@editor@">.  Normally,
+B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
+variables unless they contain an editor in the aforementioned editors
+list.  However, if B<visudo> is configured with the I<--with-env-editor>
+option or the I<env_editor> C<Default> variable is set in I<sudoers>,
+B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>.
+Note that this can be a security hole since it allows the user to
+execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
+
+B<visudo> parses the I<sudoers> file after the edit and will
+not save the changes if there is a syntax error.  Upon finding
+an error, B<visudo> will print a message stating the line number(s)
+where the error occurred and the user will receive the
+"What now?" prompt.  At this point the user may enter "e"
+to re-edit the I<sudoers> file, "x" to exit without
+saving the changes, or "Q" to quit and save changes.  The
+"Q" option should be used with extreme care because if B<visudo>
+believes there to be a parse error, so will B<sudo> and no one
+will be able to B<sudo> again until the error is fixed.
+If "e" is typed to edit the  I<sudoers> file after a parse error
+has been detected, the cursor will be placed on the line where the
+error occurred (if the editor supports this feature).
+
+=head1 OPTIONS
+
+B<visudo> accepts the following command line options:
+
+=over 12
+
+=item -c
+
+Enable B<check-only> mode.  The existing I<sudoers> file will be
+checked for syntax and a message will be printed to the
+standard output detailing the status of I<sudoers>.
+If the syntax check completes successfully, B<visudo> will
+exit with a value of 0.  If a syntax error is encountered,
+B<visudo> will exit with a value of 1.
+
+=item -f I<sudoers>
+
+Specify and alternate I<sudoers> file location.  With this option
+B<visudo> will edit (or check) the I<sudoers> file of your choice,
+instead of the default, F<@sysconfdir@/sudoers>.  The lock file used
+is the specified I<sudoers> file with ".tmp" appended to it.
+In B<check-only> mode only, the argument to B<-f> may be "-",
+indicating that I<sudoers> will be read from the standard input.
+
+=item -h
+
+The B<-h> (I<help>) option causes B<visudo> to print a short help message
+to the standard output and exit.
+
+=item -q
+
+Enable B<quiet> mode.  In this mode details about syntax errors
+are not printed.  This option is only useful when combined with
+the B<-c> option.
+
+=item -s
+
+Enable B<strict> checking of the I<sudoers> file.  If an alias is
+used before it is defined, B<visudo> will consider this a parse
+error.  Note that it is not possible to differentiate between an
+alias and a host name or user name that consists solely of uppercase
+letters, digits, and the underscore ('_') character.
+
+=item -V
+
+The B<-V> (version) option causes B<visudo> to print its version number
+and exit.
+
+=back
+
+=head1 ENVIRONMENT
+
+The following environment variables may be consulted depending on
+the value of the I<editor> and I<env_editor> I<sudoers> variables:
+
+=over 16
+
+=item C<VISUAL>
+
+Invoked by visudo as the editor to use
+
+=item C<EDITOR>
+
+Used by visudo if VISUAL is not set
+
+=back
+
+=head1 FILES
+
+=over 24
+
+=item F<@sysconfdir@/sudoers>
+
+List of who can run what
+
+=item F<@sysconfdir@/sudoers.tmp>
+
+Lock file for visudo
+
+=back
+
+=head1 DIAGNOSTICS
+
+=over 4
+
+=item sudoers file busy, try again later.
+
+Someone else is currently editing the I<sudoers> file.
+
+=item @sysconfdir@/sudoers.tmp: Permission denied
+
+You didn't run B<visudo> as root.
+
+=item Can't find you in the passwd database
+
+Your userid does not appear in the system passwd file.
+
+=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
+
+Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
+or you have a user or host name listed that consists solely of
+uppercase letters, digits, and the underscore ('_') character.  In
+the latter case, you can ignore the warnings (B<sudo> will not
+complain).  In B<-s> (strict) mode these are errors, not warnings.
+
+=item Warning: unused {User,Runas,Host,Cmnd}_Alias
+
+The specified {User,Runas,Host,Cmnd}_Alias was defined but never
+used.  You may wish to comment out or remove the unused alias.  In
+B<-s> (strict) mode this is an error, not a warning.
+
+=back
+
+=head1 SEE ALSO
+
+L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
+
+=head1 AUTHOR
+
+Many people have worked on I<sudo> over the years; this version of
+B<visudo> was written by:
+
+ Todd Miller
+
+See the HISTORY file in the sudo distribution or visit
+http://www.sudo.ws/sudo/history.html for more details.
+
+=head1 CAVEATS
+
+There is no easy way to prevent a user from gaining a root shell if 
+the editor used by B<visudo> allows shell escapes.
+
+=head1 BUGS
+
+If you feel you have found a bug in B<visudo>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
+
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
+
+B<visudo> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed.  See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.

Added: trunk/contrib/sudo/zlib/zconf.h
===================================================================
--- trunk/contrib/sudo/zlib/zconf.h	                        (rev 0)
+++ trunk/contrib/sudo/zlib/zconf.h	2014-10-02 03:32:57 UTC (rev 6804)
@@ -0,0 +1,437 @@
+/* zlib/zconf.h.  Generated from zconf.h.in by configure.  */
+/* zconf.h -- configuration of the zlib compression library
+ * Copyright (C) 1995-2010 Jean-loup Gailly.
+ * For conditions of distribution and use, see copyright notice in zlib.h
+ */
+
+/* @(#) $Id$ */
+
+#ifndef ZCONF_H
+#define ZCONF_H
+
+/* The following four defines are enabled by sudo's configure script. */
+#define HAVE_UNISTD_H 1
+#define HAVE_VSNPRINTF 1
+#define HAVE_MEMCPY 1
+/* #undef _FILE_OFFSET_BITS */
+/* #undef _LARGE_FILES */
+/* #undef const */
+
+/*
+ * If you *really* need a unique prefix for all types and library functions,
+ * compile with -DZ_PREFIX. The "standard" zlib should be compiled without it.
+ * Even better than compiling with -DZ_PREFIX would be to use configure to set
+ * this permanently in zconf.h using "./configure --zprefix".
+ */
+#ifdef Z_PREFIX     /* may be set to #if 1 by ./configure */
+
+/* all linked symbols */
+#  define _dist_code            z__dist_code
+#  define _length_code          z__length_code
+#  define _tr_align             z__tr_align
+#  define _tr_flush_block       z__tr_flush_block
+#  define _tr_init              z__tr_init
+#  define _tr_stored_block      z__tr_stored_block
+#  define _tr_tally             z__tr_tally
+#  define adler32               z_adler32
+#  define adler32_combine       z_adler32_combine
+#  define adler32_combine64     z_adler32_combine64
+#  define compress              z_compress
+#  define compress2             z_compress2
+#  define compressBound         z_compressBound
+#  define crc32                 z_crc32
+#  define crc32_combine         z_crc32_combine
+#  define crc32_combine64       z_crc32_combine64
+#  define deflate               z_deflate
+#  define deflateBound          z_deflateBound
+#  define deflateCopy           z_deflateCopy
+#  define deflateEnd            z_deflateEnd
+#  define deflateInit2_         z_deflateInit2_
+#  define deflateInit_          z_deflateInit_
+#  define deflateParams         z_deflateParams
+#  define deflatePrime          z_deflatePrime
+#  define deflateReset          z_deflateReset
+#  define deflateSetDictionary  z_deflateSetDictionary
+#  define deflateSetHeader      z_deflateSetHeader
+#  define deflateTune           z_deflateTune
+#  define deflate_copyright     z_deflate_copyright
+#  define get_crc_table         z_get_crc_table
+#  define gz_error              z_gz_error
+#  define gz_intmax             z_gz_intmax
+#  define gz_strwinerror        z_gz_strwinerror
+#  define gzbuffer              z_gzbuffer
+#  define gzclearerr            z_gzclearerr
+#  define gzclose               z_gzclose
+#  define gzclose_r             z_gzclose_r
+#  define gzclose_w             z_gzclose_w
+#  define gzdirect              z_gzdirect
+#  define gzdopen               z_gzdopen
+#  define gzeof                 z_gzeof
+#  define gzerror               z_gzerror
+#  define gzflush               z_gzflush
+#  define gzgetc                z_gzgetc
+#  define gzgets                z_gzgets
+#  define gzoffset              z_gzoffset
+#  define gzoffset64            z_gzoffset64
+#  define gzopen                z_gzopen
+#  define gzopen64              z_gzopen64
+#  define gzprintf              z_gzprintf
+#  define gzputc                z_gzputc
+#  define gzputs                z_gzputs
+#  define gzread                z_gzread
+#  define gzrewind              z_gzrewind
+#  define gzseek                z_gzseek
+#  define gzseek64              z_gzseek64
+#  define gzsetparams           z_gzsetparams
+#  define gztell                z_gztell
+#  define gztell64              z_gztell64
+#  define gzungetc              z_gzungetc
+#  define gzwrite               z_gzwrite
+#  define inflate               z_inflate
+#  define inflateBack           z_inflateBack
+#  define inflateBackEnd        z_inflateBackEnd
+#  define inflateBackInit_      z_inflateBackInit_
+#  define inflateCopy           z_inflateCopy
+#  define inflateEnd            z_inflateEnd
+#  define inflateGetHeader      z_inflateGetHeader
+#  define inflateInit2_         z_inflateInit2_
+#  define inflateInit_          z_inflateInit_
+#  define inflateMark           z_inflateMark
+#  define inflatePrime          z_inflatePrime
+#  define inflateReset          z_inflateReset
+#  define inflateReset2         z_inflateReset2
+#  define inflateSetDictionary  z_inflateSetDictionary
+#  define inflateSync           z_inflateSync
+#  define inflateSyncPoint      z_inflateSyncPoint
+#  define inflateUndermine      z_inflateUndermine
+#  define inflate_copyright     z_inflate_copyright
+#  define inflate_fast          z_inflate_fast
+#  define inflate_table         z_inflate_table
+#  define uncompress            z_uncompress
+#  define zError                z_zError
+#  define zcalloc               z_zcalloc
+#  define zcfree                z_zcfree
+#  define zlibCompileFlags      z_zlibCompileFlags
+#  define zlibVersion           z_zlibVersion
+
+/* all zlib typedefs in zlib.h and zconf.h */
+#  define Byte                  z_Byte
+#  define Bytef                 z_Bytef
+#  define alloc_func            z_alloc_func
+#  define charf                 z_charf
+#  define free_func             z_free_func
+#  define gzFile                z_gzFile
+#  define gz_header             z_gz_header
+#  define gz_headerp            z_gz_headerp
+#  define in_func               z_in_func
+#  define intf                  z_intf
+#  define out_func              z_out_func
+#  define uInt                  z_uInt
+#  define uIntf                 z_uIntf
+#  define uLong                 z_uLong
+#  define uLongf                z_uLongf
+#  define voidp                 z_voidp
+#  define voidpc                z_voidpc
+#  define voidpf                z_voidpf
+
+/* all zlib structs in zlib.h and zconf.h */
+#  define gz_header_s           z_gz_header_s
+#  define internal_state        z_internal_state
+
+#endif
+
+#if defined(__MSDOS__) && !defined(MSDOS)
+#  define MSDOS
+#endif
+#if (defined(OS_2) || defined(__OS2__)) && !defined(OS2)
+#  define OS2
+#endif
+#if defined(_WINDOWS) && !defined(WINDOWS)
+#  define WINDOWS
+#endif
+#if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__)
+#  ifndef WIN32
+#    define WIN32
+#  endif
+#endif
+#if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32)
+#  if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__)
+#    ifndef SYS16BIT
+#      define SYS16BIT
+#    endif
+#  endif
+#endif
+
+/*
+ * Compile with -DMAXSEG_64K if the alloc function cannot allocate more
+ * than 64k bytes at a time (needed on systems with 16-bit int).
+ */
+#ifdef SYS16BIT
+#  define MAXSEG_64K
+#endif
+#ifdef MSDOS
+#  define UNALIGNED_OK
+#endif
+
+#ifdef __STDC_VERSION__
+#  ifndef STDC
+#    define STDC
+#  endif
+#  if __STDC_VERSION__ >= 199901L
+#    ifndef STDC99
+#      define STDC99
+#    endif
+#  endif
+#endif
+#if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus))
+#  define STDC
+#endif
+#if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__))
+#  define STDC
+#endif
+#if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32))
+#  define STDC
+#endif
+#if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__))
+#  define STDC
+#endif
+
+#if defined(__OS400__) && !defined(STDC)    /* iSeries (formerly AS/400). */
+#  define STDC
+#endif
+
+#ifndef STDC
+#  ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */
+#    define const       /* note: need a more gentle solution here */
+#  endif
+#endif
+
+/* Some Mac compilers merge all .h files incorrectly: */
+#if defined(__MWERKS__)||defined(applec)||defined(THINK_C)||defined(__SC__)
+#  define NO_DUMMY_DECL
+#endif
+
+/* Maximum value for memLevel in deflateInit2 */
+#ifndef MAX_MEM_LEVEL
+#  ifdef MAXSEG_64K
+#    define MAX_MEM_LEVEL 8
+#  else
+#    define MAX_MEM_LEVEL 9
+#  endif
+#endif
+
+/* Maximum value for windowBits in deflateInit2 and inflateInit2.
+ * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files
+ * created by gzip. (Files created by minigzip can still be extracted by
+ * gzip.)
+ */
+#ifndef MAX_WBITS
+#  define MAX_WBITS   15 /* 32K LZ77 window */
+#endif
+
+/* The memory requirements for deflate are (in bytes):
+            (1 << (windowBits+2)) +  (1 << (memLevel+9))
+ that is: 128K for windowBits=15  +  128K for memLevel = 8  (default values)
+ plus a few kilobytes for small objects. For example, if you want to reduce
+ the default memory requirements from 256K to 128K, compile with
+     make CFLAGS="-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7"
+ Of course this will generally degrade compression (there's no free lunch).
+
+   The memory requirements for inflate are (in bytes) 1 << windowBits
+ that is, 32K for windowBits=15 (default value) plus a few kilobytes
+ for small objects.
+*/
+
+                        /* Type declarations */
+
+#ifndef OF /* function prototypes */
+#  ifdef STDC
+#    define OF(args)  args
+#  else
+#    define OF(args)  ()
+#  endif
+#endif
+
+/* The following definitions for FAR are needed only for MSDOS mixed
+ * model programming (small or medium model with some far allocations).
+ * This was tested only with MSC; for other MSDOS compilers you may have
+ * to define NO_MEMCPY in zutil.h.  If you don't need the mixed model,
+ * just define FAR to be empty.
+ */
+#ifdef SYS16BIT
+#  if defined(M_I86SM) || defined(M_I86MM)
+     /* MSC small or medium model */
+#    define SMALL_MEDIUM
+#    ifdef _MSC_VER
+#      define FAR _far
+#    else
+#      define FAR far
+#    endif
+#  endif
+#  if (defined(__SMALL__) || defined(__MEDIUM__))
+     /* Turbo C small or medium model */
+#    define SMALL_MEDIUM
+#    ifdef __BORLANDC__
+#      define FAR _far
+#    else
+#      define FAR far
+#    endif
+#  endif
+#endif
+
+#if defined(WINDOWS) || defined(WIN32)
+   /* If building or using zlib as a DLL, define ZLIB_DLL.
+    * This is not mandatory, but it offers a little performance increase.
+    */
+#  ifdef ZLIB_DLL
+#    if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500))
+#      ifdef ZLIB_INTERNAL
+#        define ZEXTERN extern __declspec(dllexport)
+#      else
+#        define ZEXTERN extern __declspec(dllimport)
+#      endif
+#    endif
+#  endif  /* ZLIB_DLL */
+   /* If building or using zlib with the WINAPI/WINAPIV calling convention,
+    * define ZLIB_WINAPI.
+    * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI.
+    */
+#  ifdef ZLIB_WINAPI
+#    ifdef FAR
+/* #      undef FAR */
+#    endif
+#    include <windows.h>
+     /* No need for _export, use ZLIB.DEF instead. */
+     /* For complete Windows compatibility, use WINAPI, not __stdcall. */
+#    define ZEXPORT WINAPI
+#    ifdef WIN32
+#      define ZEXPORTVA WINAPIV
+#    else
+#      define ZEXPORTVA FAR CDECL
+#    endif
+#  endif
+#endif
+
+#if defined (__BEOS__)
+#  ifdef ZLIB_DLL
+#    ifdef ZLIB_INTERNAL
+#      define ZEXPORT   __declspec(dllexport)
+#      define ZEXPORTVA __declspec(dllexport)
+#    else
+#      define ZEXPORT   __declspec(dllimport)
+#      define ZEXPORTVA __declspec(dllimport)
+#    endif
+#  endif
+#endif
+
+#ifndef ZEXTERN
+#  define ZEXTERN extern
+#endif
+#ifndef ZEXPORT
+#  define ZEXPORT
+#endif
+#ifndef ZEXPORTVA
+#  define ZEXPORTVA
+#endif
+
+#ifndef FAR
+#  define FAR
+#endif
+
+#if !defined(__MACTYPES__)
+typedef unsigned char  Byte;  /* 8 bits */
+#endif
+typedef unsigned int   uInt;  /* 16 bits or more */
+typedef unsigned long  uLong; /* 32 bits or more */
+
+#ifdef SMALL_MEDIUM
+   /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */
+#  define Bytef Byte FAR
+#else
+   typedef Byte  FAR Bytef;
+#endif
+typedef char  FAR charf;
+typedef int   FAR intf;
+typedef uInt  FAR uIntf;
+typedef uLong FAR uLongf;
+
+#ifdef STDC
+   typedef void const *voidpc;
+   typedef void FAR   *voidpf;
+   typedef void       *voidp;
+#else
+   typedef Byte const *voidpc;
+   typedef Byte FAR   *voidpf;
+   typedef Byte       *voidp;
+#endif
+
+#ifdef HAVE_UNISTD_H    /* may be set to #if 1 by ./configure */
+#  define Z_HAVE_UNISTD_H
+#endif
+
+#ifdef STDC
+#  include <sys/types.h>    /* for off_t */
+#endif
+
+/* a little trick to accommodate both "#define _LARGEFILE64_SOURCE" and
+ * "#define _LARGEFILE64_SOURCE 1" as requesting 64-bit operations, (even
+ * though the former does not conform to the LFS document), but considering
+ * both "#undef _LARGEFILE64_SOURCE" and "#define _LARGEFILE64_SOURCE 0" as
+ * equivalently requesting no 64-bit operations
+ */
+#if -_LARGEFILE64_SOURCE - -1 == 1
+/* #  undef _LARGEFILE64_SOURCE */
+#endif
+
+#if defined(Z_HAVE_UNISTD_H) || defined(_LARGEFILE64_SOURCE)
+#  include <unistd.h>       /* for SEEK_* and off_t */
+#  ifdef VMS
+#    include <unixio.h>     /* for off_t */
+#  endif
+#  ifndef z_off_t
+#    define z_off_t off_t
+#  endif
+#endif
+
+#ifndef SEEK_SET
+#  define SEEK_SET        0       /* Seek from beginning of file.  */
+#  define SEEK_CUR        1       /* Seek from current position.  */
+#  define SEEK_END        2       /* Set file pointer to EOF plus "offset" */
+#endif
+
+#ifndef z_off_t
+#  define z_off_t long
+#endif
+
+#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0
+#  define z_off64_t off64_t
+#else
+#  define z_off64_t z_off_t
+#endif
+
+#if defined(__OS400__)
+#  define NO_vsnprintf
+#endif
+
+#if defined(__MVS__)
+#  define NO_vsnprintf
+#endif
+
+/* MVS linker does not support external names larger than 8 bytes */
+#if defined(__MVS__)
+  #pragma map(deflateInit_,"DEIN")
+  #pragma map(deflateInit2_,"DEIN2")
+  #pragma map(deflateEnd,"DEEND")
+  #pragma map(deflateBound,"DEBND")
+  #pragma map(inflateInit_,"ININ")
+  #pragma map(inflateInit2_,"ININ2")
+  #pragma map(inflateEnd,"INEND")
+  #pragma map(inflateSync,"INSY")
+  #pragma map(inflateSetDictionary,"INSEDI")
+  #pragma map(compressBound,"CMBND")
+  #pragma map(inflate_table,"INTABL")
+  #pragma map(inflate_fast,"INFA")
+  #pragma map(inflate_copyright,"INCOPY")
+#endif
+
+#endif /* ZCONF_H */


