Skip to content

Commit b04386f

Browse files
millertmillert
committed
Most Defaults entries are applied in order.
The exceptions are command-specific Defaults (which cannot be applied until the command's path is resolved) and a small number of "early" defaults that affect other entries.
1 parent 1bdead1 commit b04386f

File tree

2 files changed

+20
-16
lines changed

2 files changed

+20
-16
lines changed

docs/sudoers.man.in

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
.\"
33
.\" SPDX-License-Identifier: ISC
44
.\"
5-
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
5+
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2025
66
.\" Todd C. Miller <[email protected]>
77
.\"
88
.\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
2525
.nr BA @BAMAN@
2626
.nr LC @LCMAN@
2727
.nr PS @PSMAN@
28-
.TH "SUDOERS" "@mansectform@" "November 11, 2024" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
28+
.TH "SUDOERS" "@mansectform@" "February 14, 2025" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
2929
.nh
3030
.if n .ad l
3131
.SH "NAME"
@@ -1357,14 +1357,16 @@ It is not an error to use the
13571357
operator to remove an element
13581358
that does not exist in a list.
13591359
.PP
1360-
Defaults entries are parsed in the following order: global, host,
1361-
user, and runas Defaults first, then command defaults.
1362-
If there are multiple Defaults settings of the same type, the last
1363-
matching setting is used.
1364-
The following Defaults settings are parsed before all others since
1365-
they may affect subsequent entries:
1360+
In general Defaults settings are applied in order, later entries
1361+
will override earlier ones.
1362+
However, command-specific Defaults settings are applied later, once
1363+
the command's path is known.
1364+
In addition, the following Defaults settings must be applied before
1365+
all others since they may affect subsequent entries:
13661366
\fIfqdn\fR,
13671367
\fIgroup_plugin\fR,
1368+
\fIignore_unknown_defaults\fR,
1369+
\fImatch_group_by_gid\fR,
13681370
\fIrunas_default\fR,
13691371
\fIsudoers_locale\fR.
13701372
.PP

docs/sudoers.mdoc.in

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
.\"
22
.\" SPDX-License-Identifier: ISC
33
.\"
4-
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2024
4+
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2025
55
.\" Todd C. Miller <[email protected]>
66
.\"
77
.\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
2525
.nr BA @BAMAN@
2626
.nr LC @LCMAN@
2727
.nr PS @PSMAN@
28-
.Dd November 11, 2024
28+
.Dd February 14, 2025
2929
.Dt SUDOERS @mansectform@
3030
.Os Sudo @PACKAGE_VERSION@
3131
.Sh NAME
@@ -1302,14 +1302,16 @@ It is not an error to use the
13021302
operator to remove an element
13031303
that does not exist in a list.
13041304
.Pp
1305-
Defaults entries are parsed in the following order: global, host,
1306-
user, and runas Defaults first, then command defaults.
1307-
If there are multiple Defaults settings of the same type, the last
1308-
matching setting is used.
1309-
The following Defaults settings are parsed before all others since
1310-
they may affect subsequent entries:
1305+
In general Defaults settings are applied in order, later entries
1306+
will override earlier ones.
1307+
However, command-specific Defaults settings are applied later, once
1308+
the command's path is known.
1309+
In addition, the following Defaults settings must be applied before
1310+
all others since they may affect subsequent entries:
13111311
.Em fqdn ,
13121312
.Em group_plugin ,
1313+
.Em ignore_unknown_defaults ,
1314+
.Em match_group_by_gid ,
13131315
.Em runas_default ,
13141316
.Em sudoers_locale .
13151317
.Pp

0 commit comments

Comments
 (0)