From 9d49f861c85a1e2fd0651e77656e62167ad0e03e Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 28 Oct 2024 09:33:23 -0600 Subject: [PATCH] Run igor on other docs too, not just man pages --- NEWS | 32 ++++++++++++++++---------------- README.LDAP.md | 2 +- docs/Makefile.in | 26 ++++++++++++++------------ docs/SECURITY.md | 2 +- docs/TROUBLESHOOTING.md | 10 +++++----- docs/UPGRADE.md | 8 ++++---- 6 files changed, 41 insertions(+), 39 deletions(-) diff --git a/NEWS b/NEWS index 1a30dad342..061f242e61 100644 --- a/NEWS +++ b/NEWS @@ -263,7 +263,7 @@ What's new in Sudo 1.9.14 The sudoers plugin will now change the root directory id needed before performing command matching. Previously, the root directory was simply prepended to the path that was being processed. - + * When NETGROUP_BASE is set in the ldap.conf file, sudo will now perform its own netgroup lookups of the host name instead of using the system innetgr(3) function. This guarantees that user @@ -273,7 +273,7 @@ What's new in Sudo 1.9.14 * Fixed a bug introduced in sudo 1.9.13 that resulted in a missing " ; " separator between environment variables and the command in log entries. - + * The visudo utility now displays a warning when it ignores a file in an include dir such as /etc/sudoers.d. @@ -442,7 +442,7 @@ What's new in Sudo 1.9.13 * Sudo no longer checks the ownership and mode of the plugins that it loads. Plugins are configured via either the sudo.conf or sudoers file which are trusted configuration files. These checks - suffered from time-of-check vs. time-of-use race conditions and + suffered from time-of-check versus time-of-use race conditions and complicate loading plugins that are not simple paths. Ownership and mode checks are still performed when loading the sudo.conf and sudoers files, which do not suffer from race conditions. 
@@ -531,7 +531,7 @@ What's new in Sudo 1.9.12 security policy. The new "intercept_verify" sudoers setting can be used to control this behavior. - * Fixed running commands with a relative path (e.g. ./foo) in + * Fixed running commands with a relative path (e.g., ./foo) in intercept mode. Previously, this would fail if sudo's current working directory was different from that of the command. @@ -831,7 +831,7 @@ What's new in Sudo 1.9.9 * visudo now only warns about an undefined alias or a cycle in an alias once for each alias. - + * The sudoRole cn was truncated by a single character in warning messages. GitHub issue #115. @@ -997,7 +997,7 @@ What's new in Sudo 1.9.8 * The new "log_exit_status" sudoers setting can be used to log the exit status commands run via sudo. This is also a corresponding "log_exit" setting in the sudo_logsrvd.conf eventlog stanza. - + * Support for logging sudo_logsrvd errors via syslog or to a file. Previously, most sudo_logsrvd errors were only visible in the debug log. @@ -1089,7 +1089,7 @@ What's new in Sudo 1.9.7 * The "fuzz" Makefile target now runs all the fuzzers for 8192 passes (can be overridden via the FUZZ_RUNS variable). This makes it easier to run the fuzzers in-tree. To run a fuzzer indefinitely, - set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz". + set FUZZ_RUNS=-1, e.g., "make FUZZ_RUNS=-1 fuzz". * Fixed fuzzing on FreeBSD where the ld.lld linker returns an error by default when a symbol is multiply-defined. @@ -1766,7 +1766,7 @@ What's new in Sudo 1.8.30 * Sudo now treats an attempt to run "sudo sudoedit" as simply "sudoedit". If the sudoers file contains a fully-qualified path to sudoedit, sudo will now treat it simply as "sudoedit" (with - no path). Visudo will will now treat a fully-qualified path + no path). Visudo will now treat a fully-qualified path to sudoedit as an error. Bug #871. * Fixed a bug introduced in sudo 1.8.28 where sudo would warn about 
@@ -2826,7 +2826,7 @@ What's new in Sudo 1.8.15 * When the command sudo is running dies due to a signal, sudo will now send itself that same signal with the default signal handler installed instead of exiting. The bash shell appears to ignore - some signals, e.g. SIGINT, unless the command being run is killed + some signals, e.g., SIGINT, unless the command being run is killed by that signal. This makes the behavior of commands run under sudo the same as without sudo when bash is the shell. Bug #722 @@ -3758,7 +3758,7 @@ What's new in Sudo 1.8.5? * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo file is now uses to determine the controlling terminal, if possible. - This allows tty-based tickets to work properly even when, e.g. + This allows tty-based tickets to work properly even when, e.g., standard input, output and error are redirected to /dev/null. * The output of "sudoreplay -l" is now sorted by file name (or @@ -3766,7 +3766,7 @@ What's new in Sudo 1.8.5? order in which they were found on the file system. * Sudo now behaves properly when I/O logging is enabled and the - controlling terminal is revoked (e.g. the running sshd is killed). + controlling terminal is revoked (e.g., the running sshd is killed). Previously, sudo may have exited without calling the I/O plugin's close function which can lead to an incomplete I/O log. 
@@ -3877,19 +3877,19 @@ What's new in Sudo 1.8.4? * The deprecated "noexec_file" sudoers option is no longer supported. * Fixed a race condition when I/O logging is not enabled that could - result in tty-generated signals (e.g. control-C) being received + result in tty-generated signals (e.g., control-C) being received by the command twice. * If none of the standard input, output or error are connected to a tty device, sudo will now check its parent's standard input, output or error for the tty name on systems with /proc and BSD systems that support the KERN_PROC_PID sysctl. This allows - tty-based tickets to work properly even when, e.g. standard + tty-based tickets to work properly even when, e.g., standard input, output and error are redirected to /dev/null. * Added the --enable-kerb5-instance configure option to allow people using Kerberos V authentication to specify a custom - instance so the principal name can be, e.g. "username/sudo" + instance so the principal name can be, e.g., "username/sudo" similar to how ksu uses "username/root". * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in @@ -4076,7 +4076,7 @@ What's new in Sudo 1.8.1? fixed. * Sudo will now create an entry in the utmp (or utmpx) file when - allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp" + allocating a pseudo-tty (e.g., when logging I/O). The "set_utmp" and "utmp_runas" sudoers file options can be used to control this. Other policy plugins may use the "set_utmp" and "utmp_user" entries in the command_info list. 
@@ -4377,7 +4377,7 @@ What's new in Sudo 1.7.3? now taken into account when looking up users and groups. Sudo now applies the correct the user and group ids when running a command as a user whose account details come from a different - source (e.g. LDAP or DCE vs. local files). + source (e.g., LDAP or DCE versus local files). * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf. When multiple entries are listed, sudo will try each one in the diff --git a/README.LDAP.md b/README.LDAP.md index bccda62f5b..7eb4da0b96 100644 --- a/README.LDAP.md +++ b/README.LDAP.md @@ -60,7 +60,7 @@ can store sudoers content. For OpenLDAP, there are two options, depending on how slapd is configured. The first option is to copy the file schema.OpenLDAP to the schema -directory (e.g. /etc/openldap/schema). You must then edit your +directory (e.g., /etc/openldap/schema). You must then edit your slapd.conf and add an include line the new schema, for example: # Sudo LDAP schema diff --git a/docs/Makefile.in b/docs/Makefile.in index b9ba1bb4cf..ed67bb70b6 100644 --- a/docs/Makefile.in +++ b/docs/Makefile.in @@ -102,18 +102,20 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ all: $(DEVDOCS) $(DOCS) -igor: all - @if [ "$(mantype)" != "mdoc" ]; then \ - echo "make igor only supported for mdoc manuals" 1>&2; \ - exit 1; \ - else \ - rval=0; \ - for m in $(DOCS); do \ - echo $(IGOR) -D $$m; \ - $(IGOR) -D $$m || rval=`expr $$rval + $$?`; \ - done; \ - exit $$rval; \ - fi +igor: + @rval=0; \ + for f in *.mdoc.in; do \ + echo $(IGOR) -D $$f; \ + $(IGOR) -D $$f || rval=`expr $$rval + $$?`; \ + done; \ + for f in $(OTHER_DOCS) $(OTHER_DOCS_LDAP); do \ + case `basename $$f` in \ + [A-Z][A-Z]*) \ + echo $(IGOR) -abrw $$f; \ + $(IGOR) -abrw $$f || rval=`expr $$rval + $$?`;; \ + esac; \ + done; \ + exit $$rval lint: all @if [ "$(mantype)" != "mdoc" ]; then \ diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 1bb2680f7e..953ebfbd9d 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md 
@@ -13,7 +13,7 @@ We try to respond to security issues in a timely manner but understand that Sudo Include as much of the following information as possible to help us better understand the nature and scope of the potential issue: - * Type of issue (e.g. buffer overflow, privilege escalation, etc.) + * Type of issue (e.g., buffer overflow, privilege escalation, etc.) * Full paths of source file(s) related to the issue * The location of the affected source code (tag/branch/commit or direct URL) * Any special configuration required to reproduce the issue diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index 2d3b72173e..216ed11690 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md @@ -95,10 +95,10 @@ It just says "Sorry, try again." three times and exits. > Don't forget to send a SIGHUP to your syslogd so that it re-reads > its conf file. Also, remember that syslogd does *not* create > log files, you need to create the file before syslogd will log -> to it (e.g.: touch /var/log/sudo). +> to it (e.g., `touch /var/log/sudo`). -> The facility (e.g. 'auth.debug') must be separated from -> the destination (e.g. '/var/log/auth' or '@loghost') by tabs, +> The facility (e.g., 'auth.debug') must be separated from +> the destination (e.g., '/var/log/auth' or '@loghost') by tabs, > *not* spaces. This is a common error. #### Sudo won't accept my password, even when entered correctly @@ -137,9 +137,9 @@ It just says "Sorry, try again." three times and exits. > site you may be interested in sudo's LDAP sudoers support, see > [README.LDAP.md](../README.LDAP.md) and the sudoers.ldap manual. -#### I don't run sendmail, does this mean that I cannot use sudo? +#### I don't run sendmail, can I still use sudo? -> No, you just need to disable mailing with a line like: +> Yes, you just need to disable mailing with a line like: Defaults !mailerpath diff --git a/docs/UPGRADE.md b/docs/UPGRADE.md index b3a161d6a3..81f7285edc 100644 --- a/docs/UPGRADE.md 
+++ b/docs/UPGRADE.md @@ -294,8 +294,8 @@ Notes on upgrading from an older release important that the time stamp files not persist when the system reboots. For this reason, the default location for the time stamp files has changed back to a directory located in `/var/run`. - Systems that do not have `/var/run` (e.g. AIX) or that do not clear - it on boot (e.g. HP-UX) will need to clear the time stamp + Systems that do not have `/var/run` (e.g., AIX) or that do not clear + it on boot (e.g., HP-UX) will need to clear the time stamp directory via a start up script. Such a script is installed by default on AIX and HP-UX systems. @@ -504,7 +504,7 @@ Notes on upgrading from an older release When sudo is build with LDAP support the `/etc/nsswitch.conf` file is now used to determine the sudoers sea ch order. sudo will default to only using `/etc/sudoers` unless `/etc/nsswitch.conf` says otherwise. - This can be changed with an nsswitch.conf line, e.g.: + This can be changed with an nsswitch.conf line, for example: sudoers: ldap files @@ -548,7 +548,7 @@ Notes on upgrading from an older release Prior to sudo 1.6.9, the TERM and PATH environment variables would always be preserved even if the env_keep option was redefined. That is no longer the case. Consequently, if - env_keep is set with "=" and not simply appended to (i.e. using + env_keep is set with "=" and not simply appended to (i.e., using "+="), PATH and TERM must be explicitly included in the list of environment variables to keep. The LOGNAME, SHELL, USER, and USERNAME environment variables are still always set.
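Review bot: in the NEWS hunk at -263,7 the unchanged first line still reads "will now change the root directory id needed before performing command matching", where "id" looks like a typo for "if". The hunk only strips whitespace from the blank line, so the typo survives this proofreading pass; fix it in the same commit.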
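Review bot: in the NEWS hunk at -997,7 the context lines above the whitespace fix still contain two wording errors: "log the exit status commands run via sudo" is missing "of", and "This is also a corresponding "log_exit" setting" should read "There is also". Both sit directly above the line this hunk touches and are worth correcting while the entry is being edited.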
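Review bot: in the NEWS hunk at -3758,7 the line just above the changed one reads "file is now uses to determine the controlling terminal"; "uses" should be "used". The hunk corrects the "e.g." punctuation on the next sentence but leaves this error in place.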
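Review bot: in the NEWS hunk at -4377,7 the context line "Sudo now applies the correct the user and group ids" has a stray second "the". Since the hunk already rewrites the last line of this sentence, drop the extra word in the same change.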
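Review bot: in the README.LDAP.md hunk the sentence after the changed line, "edit your slapd.conf and add an include line the new schema", is missing a preposition ("an include line for the new schema"). It is part of the same paragraph being touched, so it can be fixed here.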
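Review bot: in the docs/Makefile.in hunk, the first loop of the new igor target expands `*.mdoc.in` relative to the directory make runs in, with no existence check. If that directory holds no such files, the shell leaves the pattern unexpanded and `$(IGOR) -D` is invoked on the literal string `*.mdoc.in`. Either anchor the glob to the directory that holds the sources or skip non-existent names with a `[ -f $$f ] || continue` guard. The `case` filter `[A-Z][A-Z]*` also needs a short comment saying which entries of `$(OTHER_DOCS) $(OTHER_DOCS_LDAP)` it is meant to select and why the rest are skipped, and the different flag sets (`-D` for the manuals, `-abrw` for the other docs) deserve a one-line explanation, since the target no longer documents itself through the removed "only supported for mdoc manuals" message.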
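Review bot: in the docs/SECURITY.md hunk the corrected line still pairs "e.g.," with a trailing "etc." in "(e.g., buffer overflow, privilege escalation, etc.)". The two are redundant together; since this commit is a style pass, drop the "etc." so the list reads "(e.g., buffer overflow, privilege escalation)".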
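Review bot: in the docs/TROUBLESHOOTING.md hunk at -95,10 the new line marks the command up with backticks (`touch /var/log/sudo`) while the two lines changed right below it keep single quotes for literals ('auth.debug', '/var/log/auth' or '@loghost'). Use one convention for literal values within this answer, preferably backticks throughout.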
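Review bot: in the docs/TROUBLESHOOTING.md hunk at -137,9 the heading text changes to "I don't run sendmail, can I still use sudo?", and the answer flips from "No" to "Yes" to match, which is consistent. Any link that targets this entry through an anchor generated from the old heading text will stop resolving, so check the other docs and the website for references to the old heading before merging.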
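Review bot: in the docs/UPGRADE.md hunk at -504,7 the first context line still reads "When sudo is build with LDAP support"; "build" should be "built". The hunk replaces "e.g.:" with "for example:" three lines further down, so the grammar fix belongs in the same pass.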