diff -up ./doc/sudoers.cat.lookup ./doc/sudoers.cat
--- ./doc/sudoers.cat.lookup 2017-04-25 13:17:51.073190114 +0200
+++ ./doc/sudoers.cat 2017-04-25 13:17:51.081190069 +0200
@@ -1140,24 +1140,39 @@ S?SU?UD?DO?OE?ER?RS?S O?OP?PT?TI?IO?ON?N
_?o_?n by default.
 
match_group_by_gid
- By default, when matching groups, s?su?ud?do?oe?er?rs?s will first
- resolve all the user's group IDs to group names and
- then compare those group names to any group names
- listed in the _?s_?u_?d_?o_?e_?r_?s file. This works well on systems
- where the number of groups listed in the _?s_?u_?d_?o_?e_?r_?s file
- is larger than the number of groups a typical user
- belongs to. On systems where group lookups are slow,
- where users may belong to a large number of groups, and
- where the number of groups listed in the _?s_?u_?d_?o_?e_?r_?s file
- is relatively small, it may be prohibitively expensive
- and running commands via s?su?ud?do?o may take longer than
- normal. On such systems it may be faster to use the
+ By default, s?su?ud?do?oe?er?rs?s will look up each group the user is
+ a member of by group ID to determine the group name
+ (this is only done once). The resulting list of the
+ user's group names is used when matching groups listed
+ in the _?s_?u_?d_?o_?e_?r_?s file. This works well on systems where
+ the number of groups listed in the _?s_?u_?d_?o_?e_?r_?s file is
+ larger than the number of groups a typical user belongs
+ to. On systems where group lookups are slow, where
+ users may belong to a large number of groups, and where
+ the number of groups listed in the _?s_?u_?d_?o_?e_?r_?s file is
+ relatively small, it may be prohibitively expensive and
+ running commands via s?su?ud?do?o may take longer than normal.
+ On such systems it may be faster to use the
_?m_?a_?t_?c_?h_?__?g_?r_?o_?u_?p_?__?b_?y_?__?g_?i_?d flag to avoid resolving the user's
- group IDs to group names and instead resolve all group
- names listed in the _?s_?u_?d_?o_?e_?r_?s file, matching by group ID
- instead of by group name. The _?m_?a_?t_?c_?h_?__?g_?r_?o_?u_?p_?__?b_?y_?__?g_?i_?d flag
- has no effect when _?s_?u_?d_?o_?e_?r_?s data is stored in LDAP.
- This flag is _?o_?f_?f by default.
+ group IDs to group names. In this case, s?su?ud?do?oe?er?rs?s must
+ look up any group name listed in the _?s_?u_?d_?o_?e_?r_?s file and
+ use the group ID instead of the group name when
+ determining whether the user is a member of the group.
+
+ Note that if _?m_?a_?t_?c_?h_?__?g_?r_?o_?u_?p_?__?b_?y_?__?g_?i_?d is enabled, group
+ database lookups performed by s?su?ud?do?oe?er?rs?s will be keyed by
+ group name as opposed to group ID. On systems where
+ there are multiple sources for the group database, it
+ is possible to have conflicting group names or group
+ IDs in the local _?/_?e_?t_?c_?/_?g_?r_?o_?u_?p file and the remote group
+ database. On such systems, enabling or disabling
+ _?m_?a_?t_?c_?h_?__?g_?r_?o_?u_?p_?__?b_?y_?__?g_?i_?d can be used to choose whether group
+ database queries are performed by name (enabled) or ID
+ (disabled), which may aid in working around group entry
+ conflicts.
+
+ The _?m_?a_?t_?c_?h_?__?g_?r_?o_?u_?p_?__?b_?y_?__?g_?i_?d flag has no effect when _?s_?u_?d_?o_?e_?r_?s
+ data is stored in LDAP. This flag is _?o_?f_?f by default.
 
This setting is only supported by version 1.8.18 or
higher.
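Review bot: the parenthetical "(this is only done once)" in the first added paragraph is ambiguous about what is done once, a single lookup per group or one pass over all of the user's groups per sudo invocation; since the sentence it follows is per group ("look up each group the user is a member of by group ID"), suggest spelling out the scope. As this is the rendered sudoers.cat, the fix belongs in the mdoc source and this file should be regenerated rather than edited by hand.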
diff -up ./doc/sudoers.man.in.lookup ./doc/sudoers.man.in
--- ./doc/sudoers.man.in.lookup 2017-04-25 13:17:51.074190108 +0200
+++ ./doc/sudoers.man.in 2017-04-25 13:17:51.082190064 +0200
@@ -2423,10 +2423,12 @@ This flag is
by default.
.TP 18n
match_group_by_gid
-By default, when matching groups,
+By default,
\fBsudoers\fR
-will first resolve all the user's group IDs to group names and then
-compare those group names to any group names listed in the
+will look up each group the user is a member of by group ID to
+determine the group name (this is only done once).
+The resulting list of the user's group names is used when matching
+groups listed in the
\fIsudoers\fR
file.
This works well on systems where the number of groups listed in the
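Review bot: the added sentence "The resulting list of the user's group names is used when matching groups listed in the sudoers file." describes the behaviour with the flag disabled, but nothing in the paragraph says so; suggest opening the entry with "When match_group_by_gid is disabled (the default)," so the default case reads unambiguously once the enabled case is described in the next hunk.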
@@ -2442,10 +2444,29 @@ running commands via
may take longer than normal.
On such systems it may be faster to use the
\fImatch_group_by_gid\fR
-flag to avoid resolving the user's group IDs to group names and
-instead resolve all group names listed in the
+flag to avoid resolving the user's group IDs to group names.
+In this case,
+\fBsudoers\fR
+must look up any group name listed in the
\fIsudoers\fR
-file, matching by group ID instead of by group name.
+file and use the group ID instead of the group name when determining
+whether the user is a member of the group.
+.sp
+Note that if
+\fImatch_group_by_gid\fR
+is enabled, group database lookups performed by
+\fBsudoers\fR
+will be keyed by group name as opposed to group ID.
+On systems where there are multiple sources for the group database,
+it is possible to have conflicting group names or group IDs in the local
+\fI/etc/group\fR
+file and the remote group database.
+On such systems, enabling or disabling
+\fImatch_group_by_gid\fR
+can be used to choose whether group database queries are performed
+by name (enabled) or ID (disabled), which may aid in working around
+group entry conflicts.
+.sp
The
\fImatch_group_by_gid\fR
flag has no effect when
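Review bot: the new note paragraph establishes that a conflicting name or ID between the local /etc/group file and the remote group database makes the two lookup modes disagree, but it stops at "may aid in working around group entry conflicts"; because the flag value then decides which users match a group entry in sudoers, suggest adding that administrators should confirm the resulting access for the affected users with `sudo -l` after changing the flag, rather than presenting the toggle only as a performance or convenience setting.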
diff -up ./doc/sudoers.mdoc.in.lookup ./doc/sudoers.mdoc.in
--- ./doc/sudoers.mdoc.in.lookup 2017-04-25 13:17:51.075190102 +0200
+++ ./doc/sudoers.mdoc.in 2017-04-25 13:17:51.082190064 +0200
@@ -2268,10 +2268,12 @@ This flag is
.Em @mail_no_user@
by default.
.It match_group_by_gid
-By default, when matching groups,
+By default,
.Nm
-will first resolve all the user's group IDs to group names and then
-compare those group names to any group names listed in the
+will look up each group the user is a member of by group ID to
+determine the group name (this is only done once).
+The resulting list of the user's group names is used when matching
+groups listed in the
.Em sudoers
file.
This works well on systems where the number of groups listed in the
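Review bot: the same wording is changed three times on this page (sudoers.cat, sudoers.man.in and this sudoers.mdoc.in); confirm that this mdoc file is the one edited by hand and the other two were regenerated from it, since the three copies wrap the same sentences differently and hand-editing all three is how they drift apart on the next change.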
@@ -2287,10 +2289,29 @@ running commands via
may take longer than normal.
On such systems it may be faster to use the
.Em match_group_by_gid
-flag to avoid resolving the user's group IDs to group names and
-instead resolve all group names listed in the
+flag to avoid resolving the user's group IDs to group names.
+In this case,
+.Nm
+must look up any group name listed in the
.Em sudoers
-file, matching by group ID instead of by group name.
+file and use the group ID instead of the group name when determining
+whether the user is a member of the group.
+.Pp
+Note that if
+.Em match_group_by_gid
+is enabled, group database lookups performed by
+.Nm
+will be keyed by group name as opposed to group ID.
+On systems where there are multiple sources for the group database,
+it is possible to have conflicting group names or group IDs in the local
+.Pa /etc/group
+file and the remote group database.
+On such systems, enabling or disabling
+.Em match_group_by_gid
+can be used to choose whether group database queries are performed
+by name (enabled) or ID (disabled), which may aid in working around
+group entry conflicts.
+.Pp
The
.Em match_group_by_gid
flag has no effect when
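Review bot: the wording "performed by name (enabled) or ID (disabled)" reads as the inverse of the flag name and will trip readers who expect match_group_by_gid to mean "look up by GID"; suggest one explicit sentence before it, drawn from the two paragraphs above, e.g. "The flag names what is compared: with it enabled the group names listed in sudoers are looked up and their IDs compared against the user's IDs, with it disabled the user's IDs are looked up and the names compared." The rest of the paragraph then follows naturally.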