Safer example for rule that can change non-root passwords. GNU

getopts allows options to follow arguments so we need to be able to deny things like "passwd root -q". From Paul "Joey" Clark. Bug #772
millert · Jan 17, 2017 · 57933a8 · 57933a8
1 parent b4f524f
commit 57933a8
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 7 deletions.
diff --git a/doc/sudoers.cat b/doc/sudoers.cat
@@ -2287,7 +2287,7 @@ EEXXAAMMPPLLEESS
 
      The user jjooee may only su(1) to operator.
 
-     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+     pete            HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
      %opers          ALL = (: ADMINGRP) /usr/sbin/
 
@@ -2640,4 +2640,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.19                    November 30, 2016                   Sudo 1.8.19
+Sudo 1.8.19                    January 17, 2017                    Sudo 1.8.19
diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "November 30, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -4565,7 +4565,7 @@ to operator.
 .nf
 .sp
 .RS 0n
-pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
 %opers		ALL = (: ADMINGRP) /usr/sbin/
 .RE

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd November 30, 2016
+.Dd January 17, 2017
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -4227,7 +4227,7 @@ may only
 .Xr su 1
 to operator.
 .Bd -literal
-pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
 %opers		ALL = (: ADMINGRP) /usr/sbin/
 .Ed

diff --git a/examples/sudoers b/examples/sudoers
@@ -88,7 +88,7 @@ operator	ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
 joe		ALL = /usr/bin/su operator
 
 # pete may change passwords for anyone but root on the hp snakes
-pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
 
 # bob may run anything on the sparc and sgi machines as any user
 # listed in the Runas_Alias "OP" (ie: root and operator)