Remove duplicated sudo.conf info in the sudo, sudoers and sudo_plugin
manuals and cross-reference the new sudo.conf manual.
Todd C. Miller
2013-02-05 16:12:39 -05:00
parent 5debfeeaf7
commit 14bf23c4a2
12 changed files with 670 additions and 1489 deletions


@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN
input/output logging. Third parties can develop and distribute their own
policy and I/O logging plugins to work seamlessly with the ssuuddoo front
end. The default security policy is _s_u_d_o_e_r_s, which is configured via the
file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_L_U_G_I_N_S section for more
file _/_e_t_c_/_s_u_d_o_e_r_s, or via LDAP. See the _P_l_u_g_i_n_s section for more
information.
The security policy determines what privileges, if any, a user has to run
@@ -54,7 +54,7 @@ DDEESSCCRRIIPPTTIIOONN
to read the user's password and output the password to the
standard output. If the SUDO_ASKPASS environment variable is
set, it specifies the path to the helper program. Otherwise,
if _/_e_t_c_/_s_u_d_o_._c_o_n_f contains a line specifying the askpass
if sudo.conf(4) contains a line specifying the askpass
program, that value will be used. For example:
# Path to askpass helper program
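Review bot: "if sudo.conf(4) contains a line specifying the askpass program" now reads as though the manual page, not the configuration file, holds the line; "if the sudo.conf(4) file contains a line" keeps the cross-reference and the original meaning. This .cat file and sudo.man.in are generated from sudo.mdoc.in, so the wording change belongs in the master.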
@@ -299,7 +299,7 @@ DDEESSCCRRIIPPTTIIOONN
CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
When ssuuddoo executes a command, the security policy specifies the execution
envionment for the command. Typically, the real and effective uid and
environment for the command. Typically, the real and effective uid and
gid are set to match those of the target user, as specified in the
password database, and the group vector is initialized based on the group
database (unless the --PP option was specified).
@@ -354,7 +354,7 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
As a special case, ssuuddoo will not relay signals that were sent by the
command it is running. This prevents the command from accidentally
killing itself. On some systems, the reboot(1m) command sends SIGTERM to
all non-system processes other than itself before rebooting the systyem.
all non-system processes other than itself before rebooting the system.
This prevents ssuuddoo from relaying the SIGTERM signal it received back to
reboot(1m), which might then exit before the system was actually rebooted,
leaving it in a half-dead state similar to single user mode. Note,
@@ -365,126 +365,13 @@ CCOOMMMMAANNDD EEXXEECCUUTTIIOONN
run using the eexxeecc() family of functions instead of ssyysstteemm() (which
interposes a shell between the command and the calling process).
PPLLUUGGIINNSS
Plugins are dynamically loaded based on the contents of the
_/_e_t_c_/_s_u_d_o_._c_o_n_f file. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it
contains no Plugin lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security
policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f
file.
#
# Default /etc/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to /usr/local/libexec unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e
is the name of the struct policy_plugin or struct io_plugin in the plugin
shared object. The _p_a_t_h may be fully qualified or relative. If not
fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any
additional parameters after the _p_a_t_h are passed as arguments to the
plugin's _o_p_e_n function. Lines that don't begin with Plugin, Path, Debug,
or Set are silently ignored.
The _/_e_t_c_/_s_u_d_o_._c_o_n_f file is always parsed in the ``C'' locale.
For more information, see the sudo_plugin(1m) manual.
PPAATTHHSS
A Path line consists of the Path keyword, followed by the name of the
path to set and its value. E.g.
Path noexec /usr/local/libexec/sudo_noexec.so
Path askpass /usr/X11R6/bin/ssh-askpass
The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file:
askpass The fully qualified path to a helper program used to read the
user's password when no terminal is available. This may be the
case when ssuuddoo is executed from a graphical (as opposed to
text-based) application. The program specified by _a_s_k_p_a_s_s
should display the argument passed to it as the prompt and
write the user's password to the standard output. The value of
_a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment
variable.
noexec The fully-qualified path to a shared library containing dummy
versions of the eexxeeccvv(), eexxeeccvvee() and ffeexxeeccvvee() library
functions that just return an error. This is used to implement
the _n_o_e_x_e_c functionality on systems that support LD_PRELOAD or
its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o.
DDEEBBUUGG FFLLAAGGSS
ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
that can help track down what ssuuddoo is doing internally if there is a
problem.
A Debug line consists of the Debug keyword, followed by the name of the
program to debug (ssuuddoo, vviissuuddoo, ssuuddoorreeppllaayy), the debug file name and a
comma-separated list of debug flags. The debug flag syntax used by ssuuddoo
and the _s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to
use a different format so long as it does not include a comma (`,').
For instance:
Debug sudo /var/log/sudo_debug all@warn,plugin@info
would log all debugging statements at the _w_a_r_n level and higher in
addition to those at the _i_n_f_o level for the plugin subsystem.
Currently, only one Debug entry per program is supported. The ssuuddoo Debug
entry is shared by the ssuuddoo front end, ssuuddooeeddiitt and the plugins. A
future release may add support for per-plugin Debug lines and/or support
for multiple debugging files for a single program.
The priorities used by the ssuuddoo front end, in order of decreasing
severity, are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
Each priority, when specified, also includes all priorities higher than
it. For example, a priority of _n_o_t_i_c_e would include debug messages
logged at _n_o_t_i_c_e and higher.
The following subsystems are used by the ssuuddoo front-end:
_a_l_l matches every subsystem
_a_r_g_s command line argument processing
_c_o_n_v user conversation
_e_d_i_t sudoedit
_e_x_e_c command execution
_m_a_i_n ssuuddoo main function
_n_e_t_i_f network interface handling
_p_c_o_m_m communication with the plugin
_p_l_u_g_i_n plugin configuration
_p_t_y pseudo-tty related code
_s_e_l_i_n_u_x SELinux-specific handling
_u_t_i_l utility functions
_u_t_m_p utmp handling
PPlluuggiinnss
Plugins are dynamically loaded based on the contents of the sudo.conf(4)
file. If no sudo.conf(4) file is present, or it contains no Plugin
lines, ssuuddoo will use the traditional _s_u_d_o_e_r_s security policy and I/O
logging. See the sudo.conf(4) manual for details of the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file and the sudo_plugin(1m) manual for more information about the ssuuddoo
plugin architecture.
EEXXIITT VVAALLUUEE
Upon successful execution of a program, the exit status from _s_u_d_o will
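Review bot: the replacement text drops several rules that were only documented here, and the new sudo.conf(4) manual is not part of this diff, so please confirm it carries them: parsing in the "C" locale, that lines not beginning with Plugin, Path, Debug or Set are silently ignored, relative plugin paths resolving against /usr/local/libexec, the askpass and noexec path semantics, and the Debug flag syntax with the priority order and subsystem list. Separately, PLUGINS was a top-level section and Plugins is now a subsection, so per the hunk header it falls under COMMAND EXECUTION; keep it a section unless that nesting is intended.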
@@ -526,15 +413,11 @@ SSEECCUURRIITTYY NNOOTTEESS
disables core dumps by default while it is executing (they are re-enabled
for the command that is run). To aid in debugging ssuuddoo crashes, you may
wish to re-enable core dumps by setting ``disable_coredump'' to false in
the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as follows:
the sudo.conf(4) file as follows:
Set disable_coredump false
Note that by default, most operating systems disable core dumps from
setuid programs, which includes ssuuddoo. To actually get a ssuuddoo core file
you may need to enable core dumps for setuid processes. On BSD and Linux
systems this is accomplished via the sysctl command, on Solaris the
coreadm command can be used.
See the sudo.conf(4) manual for more information.
EENNVVIIRROONNMMEENNTT
ssuuddoo utilizes the following environment variables. The security policy
@@ -619,8 +502,8 @@ EEXXAAMMPPLLEESS
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
SSEEEE AALLSSOO
su(1), stat(2), login_cap(3), passwd(4), sudoers(4), sudo_plugin(1m),
sudoreplay(1m), visudo(1m)
su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudoers(4),
sudo_plugin(1m), sudoreplay(1m), visudo(1m)
HHIISSTTOORRYY
See the HISTORY file in the ssuuddoo distribution
@@ -670,4 +553,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.7 November 12, 2012 Sudo 1.8.7
Sudo 1.8.7 February 5, 2013 Sudo 1.8.7


@@ -47,12 +47,18 @@ DDEESSCCRRIIPPTTIIOONN
Plugin sudoers_policy /usr/local/libexec/sudoers.so
Any additional parameters after the _p_a_t_h are passed as arguments to the
plugin's _o_p_e_n function. For example, to override the compile-time
default sudoers file mode:
Starting with ssuuddoo 1.8.5, any additional parameters after the _p_a_t_h are
passed as arguments to the plugin's _o_p_e_n function. For example, to
override the compile-time default sudoers file mode:
Plugin sudoers_policy sudoers.so sudoers_mode=0440
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid 0 and
only writable by its owner. Because of ambiguities that arise from
composite policies, only a single policy plugin may be specified. This
limitation does not apply to I/O plugins.
If no ssuuddoo..ccoonnff file is present, or if it contains no Plugin lines, the
ssuuddooeerrss plugin will be used as the default security policy and for I/O
logging (if enabled by the policy). This is equivalent to the following:
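Review bot: the requirement added here that the shared object be owned by uid 0 and only writable by its owner is the load-time integrity check moved from sudo_plugin, which is the right home for it; it would help operators if the paragraph also said what happens when a Plugin line fails that check (whether the plugin is skipped or sudo refuses to run), since the failure mode is otherwise discovered only at runtime. This is the generated .cat; the text lives in sudo.conf.mdoc.in.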
@@ -102,7 +108,7 @@ DDEESSCCRRIIPPTTIIOONN
Note that most operating systems disable core dumps from setuid
programs, including ssuuddoo. To actually get a ssuuddoo core file you
will likely need to enable core dumps for setuid processes. On
BSD and Linux systems this is accomplished via the sysctl
BSD and Linux systems this is accomplished in the sysctl
command. On Solaris, the coreadm command is used to configure
core dump behavior.
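Review bot: "accomplished in the sysctl command" reads less naturally than the original "via"; "with the sysctl command" would be clearer, and the same wording change should be made in sudo.conf.mdoc.in so the regenerated .man.in and .cat files agree.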
@@ -298,7 +304,7 @@ EEXXAAMMPPLLEESS
#Set group_source static
SSEEEE AALLSSOO
sudoers(4), sudo(1m), sudo_plugin(1m),
sudoers(4), sudo(1m), sudo_plugin(1m)
HHIISSTTOORRYY
See the HISTORY file in the ssuuddoo distribution
@@ -330,4 +336,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.7 February 1, 2013 Sudo 1.8.7
Sudo 1.8.7 February 5, 2013 Sudo 1.8.7


@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "SUDO" "5" "February 1, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.TH "SUDO" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -124,7 +124,9 @@ Plugin sudoers_policy @PLUGINDIR@/sudoers.so
.RE
.fi
.PP
Any additional parameters after the
Starting with
\fBsudo\fR
1.8.5, any additional parameters after the
\fIpath\fR
are passed as arguments to the plugin's
\fIopen\fR
@@ -137,6 +139,13 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0440
.RE
.fi
.PP
The same shared object may contain multiple plugins, each with a
different symbol name.
The shared object file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.PP
If no
\fBsudo.conf\fR
file is present, or if it contains no
@@ -239,7 +248,7 @@ including
To actually get a
\fBsudo\fR
core file you will likely need to enable core dumps for setuid processes.
On BSD and Linux systems this is accomplished via the
On BSD and Linux systems this is accomplished in the
sysctl
command.
On Solaris, the
@@ -533,7 +542,7 @@ Plugin io_plugin sudoers.so
.SH "SEE ALSO"
sudoers(@mansectform@),
sudo(@mansectsu@),
sudo_plugin(@mansectsu@),
sudo_plugin(@mansectsu@)
.SH "HISTORY"
See the HISTORY file in the
\fBsudo\fR


@@ -114,7 +114,9 @@ is equivalent to:
Plugin sudoers_policy @PLUGINDIR@/sudoers.so
.Ed
.Pp
Any additional parameters after the
Starting with
.Nm sudo
1.8.5, any additional parameters after the
.Em path
are passed as arguments to the plugin's
.Em open
@@ -124,6 +126,13 @@ For example, to override the compile-time default sudoers file mode:
Plugin sudoers_policy sudoers.so sudoers_mode=0440
.Ed
.Pp
The same shared object may contain multiple plugins, each with a
different symbol name.
The shared object file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.Pp
If no
.Nm sudo.conf
file is present, or if it contains no
@@ -216,7 +225,7 @@ including
To actually get a
.Nm sudo
core file you will likely need to enable core dumps for setuid processes.
On BSD and Linux systems this is accomplished via the
On BSD and Linux systems this is accomplished in the
.Xr sysctl
command.
On Solaris, the
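Review bot: since this hunk already touches the sentence, ".Xr sysctl" could take a section argument like the other .Xr macros in this file (for example ".Xr sudo_plugin @mansectsu@") so it renders as a proper cross-reference rather than a bare word.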


@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDO" "@mansectsu@" "November 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.TH "SUDO" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -99,7 +99,7 @@ which is configured via the file
\fI@sysconfdir@/sudoers\fR,
or via LDAP.
See the
\fIPLUGINS\fR
\fIPlugins\fR
section for more information.
.PP
The security policy determines what privileges, if any, a user has
@@ -162,7 +162,7 @@ If the
environment variable is set, it specifies the path to the helper
program.
Otherwise, if
\fI@sysconfdir@/sudo.conf\fR
sudo.conf(@mansectform@)
contains a line specifying the askpass program, that value will be
used.
For example:
@@ -694,7 +694,7 @@ for more information.
When
\fBsudo\fR
executes a command, the security policy specifies the execution
envionment for the command.
environment for the command.
Typically, the real and effective uid and gid are set to
match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database
@@ -796,7 +796,7 @@ reboot(@mansectsu@)
command sends
\fRSIGTERM\fR
to all non-system processes other than itself before rebooting
the systyem.
the system.
This prevents
\fBsudo\fR
from relaying the
@@ -823,250 +823,28 @@ are run using the
family of functions instead of
\fBsystem\fR()
(which interposes a shell between the command and the calling process).
.SH "PLUGINS"
.SS "Plugins"
Plugins are dynamically loaded based on the contents of the
\fI@sysconfdir@/sudo.conf\fR
sudo.conf(@mansectform@)
file.
If no
\fI@sysconfdir@/sudo.conf\fR
sudo.conf(@mansectform@)
file is present, or it contains no
\fRPlugin\fR
lines,
\fBsudo\fR
will use the traditional
\fIsudoers\fR
security policy and I/O logging, which corresponds to the following
security policy and I/O logging.
See the
sudo.conf(@mansectform@)
manual for details of the
\fI@sysconfdir@/sudo.conf\fR
file.
.nf
.sp
.RS 0n
#
# Default @sysconfdir@/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @PLUGINDIR@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
.RE
.fi
.PP
A
\fRPlugin\fR
line consists of the
\fRPlugin\fR
keyword, followed by the
\fIsymbol_name\fR
and the
\fIpath\fR
to the shared object containing the plugin.
The
\fIsymbol_name\fR
is the name of the
\fRstruct policy_plugin\fR
or
\fRstruct io_plugin\fR
in the plugin shared object.
The
\fIpath\fR
may be fully qualified or relative.
If not fully qualified it is relative to the
\fI@PLUGINDIR@\fR
directory.
Any additional parameters after the
\fIpath\fR
are passed as arguments to the plugin's
\fIopen\fR
function.
Lines that don't begin with
\fRPlugin\fR,
\fRPath\fR,
\fRDebug\fR,
or
\fRSet\fR
are silently ignored.
.PP
The
\fI@sysconfdir@/sudo.conf\fR
file is always parsed in the
``\fRC\fR''
locale.
.PP
For more information, see the
file and the
sudo_plugin(@mansectsu@)
manual.
.SH "PATHS"
A
\fRPath\fR
line consists of the
\fRPath\fR
keyword, followed by the name of the path to set and its value.
E.g.
.nf
.sp
.RS 6n
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
.RE
.fi
.PP
The following plugin-agnostic paths may be set in the
\fI@sysconfdir@/sudo.conf\fR
file:
.TP 10n
askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
manual for more information about the
\fBsudo\fR
is executed from a graphical (as opposed to text-based) application.
The program specified by
\fIaskpass\fR
should display the argument passed to it as the prompt and write
the user's password to the standard output.
The value of
\fIaskpass\fR
may be overridden by the
\fRSUDO_ASKPASS\fR
environment variable.
.TP 10n
noexec
The fully-qualified path to a shared library containing dummy
versions of the
\fBexecv\fR(),
\fBexecve\fR()
and
\fBfexecve\fR()
library functions that just return an error.
This is used to implement the
\fInoexec\fR
functionality on systems that support
\fRLD_PRELOAD\fR
or its equivalent.
Defaults to
\fI@noexec_file@\fR.
.SH "DEBUG FLAGS"
\fBsudo\fR
versions 1.8.4 and higher support a flexible debugging framework
that can help track down what
\fBsudo\fR
is doing internally if there is a problem.
.PP
A
\fRDebug\fR
line consists of the
\fRDebug\fR
keyword, followed by the name of the program to debug
(\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR),
the debug file name and a comma-separated list of debug flags.
The debug flag syntax used by
\fBsudo\fR
and the
\fIsudoers\fR
plugin is
\fIsubsystem\fR@\fIpriority\fR
but the plugin is free to use a different format so long as it does
not include a comma
(`\&,').
.PP
For instance:
.nf
.sp
.RS 6n
Debug sudo /var/log/sudo_debug all@warn,plugin@info
.RE
.fi
.PP
would log all debugging statements at the
\fIwarn\fR
level and higher in addition to those at the
\fIinfo\fR
level for the plugin subsystem.
.PP
Currently, only one
\fRDebug\fR
entry per program is supported.
The
\fBsudo\fR
\fRDebug\fR
entry is shared by the
\fBsudo\fR
front end,
\fBsudoedit\fR
and the plugins.
A future release may add support for per-plugin
\fRDebug\fR
lines and/or support for multiple debugging files for a single
program.
.PP
The priorities used by the
\fBsudo\fR
front end, in order of decreasing severity, are:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The following subsystems are used by the
\fBsudo\fR
front-end:
.TP 12n
\fIall\fR
matches every subsystem
.TP 12n
\fIargs\fR
command line argument processing
.TP 12n
\fIconv\fR
user conversation
.TP 12n
\fIedit\fR
sudoedit
.TP 12n
\fIexec\fR
command execution
.TP 12n
\fImain\fR
\fBsudo\fR
main function
.TP 12n
\fInetif\fR
network interface handling
.TP 12n
\fIpcomm\fR
communication with the plugin
.TP 12n
\fIplugin\fR
plugin configuration
.TP 12n
\fIpty\fR
pseudo-tty related code
.TP 12n
\fIselinux\fR
SELinux-specific handling
.TP 12n
\fIutil\fR
utility functions
.TP 12n
\fIutmp\fR
utmp handling
plugin architecture.
.SH "EXIT VALUE"
Upon successful execution of a program, the exit status from
\fIsudo\fR
@@ -1148,7 +926,7 @@ To aid in debugging
crashes, you may wish to re-enable core dumps by setting
``disable_coredump''
to false in the
\fI@sysconfdir@/sudo.conf\fR
sudo.conf(@mansectform@)
file as follows:
.nf
.sp
@@ -1157,14 +935,9 @@ Set disable_coredump false
.RE
.fi
.PP
Note that by default, most operating systems disable core dumps
from setuid programs, which includes
\fBsudo\fR.
To actually get a
\fBsudo\fR
core file you may need to enable core dumps for setuid processes.
On BSD and Linux systems this is accomplished via the sysctl command,
on Solaris the coreadm command can be used.
See the
sudo.conf(@mansectform@)
manual for more information.
.SH "ENVIRONMENT"
\fBsudo\fR
utilizes the following environment variables.
@@ -1333,6 +1106,7 @@ su(1),
stat(2),
login_cap(3),
passwd(@mansectform@),
sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo_plugin(@mansectsu@),
sudoreplay(@mansectsu@),


@@ -1,5 +1,5 @@
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd November 12, 2012
.Dd February 5, 2013
.Dt SUDO @mansectsu@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -139,7 +139,7 @@ which is configured via the file
.Pa @sysconfdir@/sudoers ,
or via LDAP.
See the
.Sx PLUGINS
.Sx Plugins
section for more information.
.Pp
The security policy determines what privileges, if any, a user has
@@ -202,7 +202,7 @@ If the
environment variable is set, it specifies the path to the helper
program.
Otherwise, if
.Pa @sysconfdir@/sudo.conf
.Xr sudo.conf @mansectform@
contains a line specifying the askpass program, that value will be
used.
For example:
@@ -687,7 +687,7 @@ for more information.
When
.Nm sudo
executes a command, the security policy specifies the execution
envionment for the command.
environment for the command.
Typically, the real and effective uid and gid are set to
match those of the target user, as specified in the password database,
and the group vector is initialized based on the group database
@@ -780,7 +780,7 @@ On some systems, the
command sends
.Dv SIGTERM
to all non-system processes other than itself before rebooting
the systyem.
the system.
This prevents
.Nm sudo
from relaying the
@@ -807,230 +807,28 @@ are run using the
family of functions instead of
.Fn system
(which interposes a shell between the command and the calling process).
.Sh PLUGINS
.Ss Plugins
Plugins are dynamically loaded based on the contents of the
.Pa @sysconfdir@/sudo.conf
.Xr sudo.conf @mansectform@
file.
If no
.Pa @sysconfdir@/sudo.conf
.Xr sudo.conf @mansectform@
file is present, or it contains no
.Li Plugin
lines,
.Nm sudo
will use the traditional
.Em sudoers
security policy and I/O logging, which corresponds to the following
security policy and I/O logging.
See the
.Xr sudo.conf @mansectform@
manual for details of the
.Pa @sysconfdir@/sudo.conf
file.
.Bd -literal
#
# Default @sysconfdir@/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @PLUGINDIR@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
.Ed
.Pp
A
.Li Plugin
line consists of the
.Li Plugin
keyword, followed by the
.Em symbol_name
and the
.Em path
to the shared object containing the plugin.
The
.Em symbol_name
is the name of the
.Li struct policy_plugin
or
.Li struct io_plugin
in the plugin shared object.
The
.Em path
may be fully qualified or relative.
If not fully qualified it is relative to the
.Pa @PLUGINDIR@
directory.
Any additional parameters after the
.Em path
are passed as arguments to the plugin's
.Em open
function.
Lines that don't begin with
.Li Plugin ,
.Li Path ,
.Li Debug ,
or
.Li Set
are silently ignored.
.Pp
The
.Pa @sysconfdir@/sudo.conf
file is always parsed in the
.Dq Li C
locale.
.Pp
For more information, see the
file and the
.Xr sudo_plugin @mansectsu@
manual.
.Sh PATHS
A
.Li Path
line consists of the
.Li Path
keyword, followed by the name of the path to set and its value.
E.g.
.Bd -literal -offset indent
Path noexec @noexec_file@
Path askpass /usr/X11R6/bin/ssh-askpass
.Ed
.Pp
The following plugin-agnostic paths may be set in the
.Pa @sysconfdir@/sudo.conf
file:
.Bl -tag -width 8n
.It askpass
The fully qualified path to a helper program used to read the user's
password when no terminal is available.
This may be the case when
manual for more information about the
.Nm sudo
is executed from a graphical (as opposed to text-based) application.
The program specified by
.Em askpass
should display the argument passed to it as the prompt and write
the user's password to the standard output.
The value of
.Em askpass
may be overridden by the
.Ev SUDO_ASKPASS
environment variable.
.It noexec
The fully-qualified path to a shared library containing dummy
versions of the
.Fn execv ,
.Fn execve
and
.Fn fexecve
library functions that just return an error.
This is used to implement the
.Em noexec
functionality on systems that support
.Ev LD_PRELOAD
or its equivalent.
Defaults to
.Pa @noexec_file@ .
.El
.Sh DEBUG FLAGS
.Nm sudo
versions 1.8.4 and higher support a flexible debugging framework
that can help track down what
.Nm sudo
is doing internally if there is a problem.
.Pp
A
.Li Debug
line consists of the
.Li Debug
keyword, followed by the name of the program to debug
.Pq Nm sudo , Nm visudo , Nm sudoreplay ,
the debug file name and a comma-separated list of debug flags.
The debug flag syntax used by
.Nm sudo
and the
.Em sudoers
plugin is
.Em subsystem Ns No @ Ns Em priority
but the plugin is free to use a different format so long as it does
not include a comma
.Pq Ql \&, .
.Pp
For instance:
.Bd -literal -offset indent
Debug sudo /var/log/sudo_debug all@warn,plugin@info
.Ed
.Pp
would log all debugging statements at the
.Em warn
level and higher in addition to those at the
.Em info
level for the plugin subsystem.
.Pp
Currently, only one
.Li Debug
entry per program is supported.
The
.Nm sudo
.Li Debug
entry is shared by the
.Nm sudo
front end,
.Nm sudoedit
and the plugins.
A future release may add support for per-plugin
.Li Debug
lines and/or support for multiple debugging files for a single
program.
.Pp
The priorities used by the
.Nm sudo
front end, in order of decreasing severity, are:
.Em crit , err , warn , notice , diag , info , trace
and
.Em debug .
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
.Em notice
would include debug messages logged at
.Em notice
and higher.
.Pp
The following subsystems are used by the
.Nm sudo
front-end:
.Bl -tag -width Fl
.It Em all
matches every subsystem
.It Em args
command line argument processing
.It Em conv
user conversation
.It Em edit
sudoedit
.It Em exec
command execution
.It Em main
.Nm sudo
main function
.It Em netif
network interface handling
.It Em pcomm
communication with the plugin
.It Em plugin
plugin configuration
.It Em pty
pseudo-tty related code
.It Em selinux
SELinux-specific handling
.It Em util
utility functions
.It Em utmp
utmp handling
.El
plugin architecture.
.Sh EXIT VALUE
Upon successful execution of a program, the exit status from
.Em sudo
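Review bot: ".Sh PLUGINS" becomes ".Ss Plugins", which nests the text under the preceding ".Sh COMMAND EXECUTION" instead of keeping it a top-level section; the ".Sx Plugins" reference updated in the DESCRIPTION hunk still resolves, but a reader scanning section headings will no longer find plugin configuration at the top level, so keep ".Sh" unless the nesting is deliberate. Since only this DESCRIPTION reference is updated on the page, also check the other manuals in the 12 changed files for remaining ".Sx PLUGINS" users.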
@@ -1112,20 +910,15 @@ To aid in debugging
crashes, you may wish to re-enable core dumps by setting
.Dq disable_coredump
to false in the
.Pa @sysconfdir@/sudo.conf
.Xr sudo.conf @mansectform@
file as follows:
.Bd -literal -offset indent
Set disable_coredump false
.Ed
.Pp
Note that by default, most operating systems disable core dumps
from setuid programs, which includes
.Nm sudo .
To actually get a
.Nm sudo
core file you may need to enable core dumps for setuid processes.
On BSD and Linux systems this is accomplished via the sysctl command,
on Solaris the coreadm command can be used.
See the
.Xr sudo.conf @mansectform@
manual for more information.
.Sh ENVIRONMENT
.Nm sudo
utilizes the following environment variables.
@@ -1261,6 +1054,7 @@ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
.Xr stat 2 ,
.Xr login_cap 3 ,
.Xr passwd @mansectform@ ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudoreplay @mansectsu@ ,


@@ -5,11 +5,10 @@ NNAAMMEE
DDEESSCCRRIIPPTTIIOONN
Starting with version 1.8, ssuuddoo supports a plugin API for policy and
session logging. By default, the _s_u_d_o_e_r_s policy plugin and an associated
session logging. By default, the ssuuddooeerrss policy plugin and an associated
I/O logging plugin are used. Via the plugin API, ssuuddoo can be configured
to use alternate policy and/or I/O logging plugins provided by third
parties. The plugins to be used are specified via the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file.
parties. The plugins to be used are specified in the sudo.conf(4) file.
The API is versioned with a major and minor number. The minor version
number is incremented when additions are made. The major number is
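Review bot: the sudoers plugin name switches from italic (_s_u_d_o_e_r_s) to bold (ssuuddooeerrss) here, while the sudo manual's new Plugins text in this same commit keeps italic for "the traditional sudoers security policy" and the sudo.conf manual uses bold for the plugin; settle on one convention across the three manuals, for instance italic for the policy name and bold for the plugin or program.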
@@ -18,50 +17,11 @@ DDEESSCCRRIIPPTTIIOONN
The plugin API is defined by the sudo_plugin.h header file.
TThhee ssuuddoo..ccoonnff ffiillee
The _/_e_t_c_/_s_u_d_o_._c_o_n_f file contains plugin configuration directives. The
primary keyword is the Plugin directive, which causes a plugin to be
loaded. It is always parsed in the ``C'' locale.
A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e
and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e
is the name of the struct policy_plugin or struct io_plugin in the plugin
shared object. The _p_a_t_h may be fully qualified or relative. If not
fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any
additional parameters after the _p_a_t_h are passed as options to the
plugin's ooppeenn() function. Lines that don't begin with Plugin, Path,
Debug or Set are silently ignored.
The same shared object may contain multiple plugins, each with a
different symbol name. The shared object file must be owned by uid 0 and
only writable by its owner. Because of ambiguities that arise from
composite policies, only a single policy plugin may be specified. This
limitation does not apply to I/O plugins.
#
# Default /etc/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to /usr/local/libexec unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
PPoolliiccyy pplluuggiinn AAPPII
A policy plugin must declare and populate a policy_plugin struct in the
global scope. This structure contains pointers to the functions that
implement the ssuuddoo policy checks. The name of the symbol should be
specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f along with a path to the plugin so that ssuuddoo
specified in sudo.conf(4) along with a path to the plugin so that ssuuddoo
can load it.
struct policy_plugin {
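Review bot: Two requirements that plugin authors depend on are dropped with the removed "The sudo.conf file" subsection and nothing in the replacement text says where they now live: "The shared object file must be owned by uid 0 and only writable by its owner" and "only a single policy plugin may be specified. This limitation does not apply to I/O plugins." The surviving sentence only says the symbol name "should be specified in sudo.conf(4) along with a path to the plugin". Please confirm sudo.conf(4) states both the ownership/permission rule and the single-policy-plugin rule, or keep a one-line pointer here, e.g. "See sudo.conf(4) for the ownership and permission requirements on plugin shared objects." The removed locale note ("It is always parsed in the ``C'' locale") should be checked for the same reason.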
@@ -143,26 +103,14 @@ DDEESSCCRRIIPPTTIIOONN
debug_flags=string
A comma-separated list of debug flags that correspond
to ssuuddoo's Debug entry in _/_e_t_c_/_s_u_d_o_._c_o_n_f, if there is
one. The flags are passed to the plugin as they appear
in _/_e_t_c_/_s_u_d_o_._c_o_n_f. The syntax used by ssuuddoo and the
_s_u_d_o_e_r_s plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is
free to use a different format so long as it does not
include a comma (`,').
For reference, the priorities supported by the ssuuddoo
front end and _s_u_d_o_e_r_s are: _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e,
_d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g.
The following subsystems are defined: _m_a_i_n, _m_e_m_o_r_y,
_a_r_g_s, _e_x_e_c, _p_t_y, _u_t_m_p, _c_o_n_v, _p_c_o_m_m, _u_t_i_l, _l_i_s_t, _n_e_t_i_f,
_a_u_d_i_t, _e_d_i_t, _s_e_l_i_n_u_x, _l_d_a_p, _m_a_t_c_h, _p_a_r_s_e_r, _a_l_i_a_s,
_d_e_f_a_u_l_t_s, _a_u_t_h, _e_n_v, _l_o_g_g_i_n_g, _n_s_s, _r_b_t_r_e_e, _p_e_r_m_s,
_p_l_u_g_i_n. The subsystem _a_l_l includes every subsystem.
There is not currently a way to specify a set of debug
flags specific to the plugin--the flags are shared by
ssuuddoo and the plugin.
to ssuuddoo's Debug entry in sudo.conf(4), if there is one.
The flags are passed to the plugin as they appear in
sudo.conf(4). The syntax used by ssuuddoo and the ssuuddooeerrss
plugin is _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y but the plugin is free to
use a different format so long as it does not include a
comma (`,'). There is not currently a way to specify a
set of debug flags specific to the plugin--the flags
are shared by ssuuddoo and the plugin.
debug_level=number
This setting has been deprecated in favor of
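Review bot: After this hunk a plugin writer parsing debug_flags no longer has a list of valid values anywhere in this manual. The old text enumerated the priorities (crit, err, warn, notice, diag, info, trace, debug) and the subsystems; the new text keeps only "The flags are passed to the plugin as they appear in sudo.conf(4)" and the subsystem@priority syntax. Suggest adding one sentence such as "The priorities and subsystems recognized by sudo and sudoers are listed in sudo.conf(4)." once it is confirmed that sudo.conf(4) actually carries that list.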
@@ -297,9 +245,9 @@ DDEESSCCRRIIPPTTIIOONN
version 1.2
tcpgid=int
The ID of the forground process group associated with
the terminal device associcated with the ssuuddoo process
or -1 if there is no terminal present. Only available
The ID of the foreground process group associated with
the terminal device associated with the ssuuddoo process or
-1 if there is no terminal present. Only available
starting with API version 1.2
user=string
@@ -682,7 +630,7 @@ DDEESSCCRRIIPPTTIIOONN
int (*validate)(void);
The vvaalliiddaattee() function is called when ssuuddoo is run with the --vv
flag. For policy plugins such as _s_u_d_o_e_r_s that cache authentication
flag. For policy plugins such as ssuuddooeerrss that cache authentication
credentials, this function will validate and cache the credentials.
The vvaalliiddaattee() function should be NULL if the plugin does not
@@ -697,7 +645,7 @@ DDEESSCCRRIIPPTTIIOONN
void (*invalidate)(int remove);
The iinnvvaalliiddaattee() function is called when ssuuddoo is called with the --kk
or --KK flag. For policy plugins such as _s_u_d_o_e_r_s that cache
or --KK flag. For policy plugins such as ssuuddooeerrss that cache
authentication credentials, this function will invalidate the
credentials. If the _r_e_m_o_v_e flag is set, the plugin may remove the
credentials instead of simply invalidating them.
@@ -1282,17 +1230,16 @@ DDEESSCCRRIIPPTTIIOONN
Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages sent
with the SUDO_CONV_DEBUG_MSG _m_s_g___t_y_p_e are not directly user-visible.
Instead, they are logged to the file specified in the Debug statement (if
any) in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file. This allows a plugin to log debugging information and is intended
to be used in conjunction with the _d_e_b_u_g___f_l_a_g_s setting.
any) in the sudo.conf(4). file. This allows a plugin to log debugging
information and is intended to be used in conjunction with the
_d_e_b_u_g___f_l_a_g_s setting.
See the sample plugin for an example of the ccoonnvveerrssaattiioonn() function
usage.
SSuuddooeerrss ggrroouupp pplluuggiinn AAPPII
The _s_u_d_o_e_r_s module supports a plugin interface to allow non-Unix group
lookups. This can be used to query a group source other than the
The ssuuddooeerrss plugin supports its own plugin interface to allow non-Unix
group lookups. This can be used to query a group source other than the
standard Unix group database. A sample group plugin is bundled with ssuuddoo
that implements file-based lookups. Third party group plugins include a
QAS AD plugin available from Quest Software.
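Review bot: The rewritten sentence has a stray period: "in the sudo.conf(4). file." should read "in the sudo.conf(4) file." (the period was carried over from the old line break before "file"). Since this is generated output, the fix belongs in the mdoc source where the .Xr line carries a trailing period argument. While touching this paragraph, the context line "Unlike, SUDO_CONV_INFO_MSG and Dv SUDO_CONV_ERROR_MSG , messages" shows a leaked "Dv" macro name and misplaced commas in the rendered text; the source macro on that line is apparently not being interpreted.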
@@ -1315,7 +1262,7 @@ DDEESSCCRRIIPPTTIIOONN
version
The version field should be set to GROUP_API_VERSION.
This allows _s_u_d_o_e_r_s to determine the API version the group plugin
This allows ssuuddooeerrss to determine the API version the group plugin
was built against.
init
@@ -1332,9 +1279,9 @@ DDEESSCCRRIIPPTTIIOONN
The function arguments are as follows:
version
The version passed in by _s_u_d_o_e_r_s allows the plugin to
The version passed in by ssuuddooeerrss allows the plugin to
determine the major and minor version number of the group
plugin API supported by _s_u_d_o_e_r_s.
plugin API supported by ssuuddooeerrss.
plugin_printf
A pointer to a pprriinnttff()-style function that may be used to
@@ -1349,7 +1296,7 @@ DDEESSCCRRIIPPTTIIOONN
cleanup
void (*cleanup)();
The cclleeaannuupp() function is called when _s_u_d_o_e_r_s has finished its
The cclleeaannuupp() function is called when ssuuddooeerrss has finished its
group checks. The plugin should free any memory it has allocated
and close open file handles.
@@ -1401,7 +1348,7 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG
Version 1.2
The Policy and I/O logging plugins' ooppeenn() functions are now passed
a list of plugin options if any are specified in _/_e_t_c_/_s_u_d_o_._c_o_n_f.
a list of plugin parameters if any are specified in sudo.conf(4).
A simple hooks API has been introduced to allow plugins to hook in
to the system's environment handling functions.
@@ -1419,7 +1366,7 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG
common signals while the plugin functions are run.
SSEEEE AALLSSOO
sudoers(4), sudo(1m)
sudo.conf(4), sudoers(4), sudo(1m)
BBUUGGSS
If you feel you have found a bug in ssuuddoo, please submit a bug report at
@@ -1437,4 +1384,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.7 Janurary 11, 2013 Sudo 1.8.7
Sudo 1.8.7 February 5, 2013 Sudo 1.8.7

View File

@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "SUDO_PLUGIN" "5" "Janurary 11, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.TH "SUDO_PLUGIN" "5" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -28,14 +28,14 @@ Starting with version 1.8,
supports a plugin API
for policy and session logging.
By default, the
\fIsudoers\fR
\fBsudoers\fR
policy plugin and an associated I/O logging plugin are used.
Via the plugin API,
\fBsudo\fR
can be configured to use alternate policy and/or I/O logging plugins
provided by third parties.
The plugins to be used are specified via the
\fI@sysconfdir@/sudo.conf\fR
The plugins to be used are specified in the
sudo.conf(@mansectform@)
file.
.PP
The API is versioned with a major and minor number.
@@ -47,81 +47,6 @@ major version matches.
The plugin API is defined by the
\fRsudo_plugin.h\fR
header file.
.SS "The sudo.conf file"
The
\fI@sysconfdir@/sudo.conf\fR
file contains plugin configuration directives.
The primary keyword is the
\fRPlugin\fR
directive, which causes a plugin to be loaded.
It is always parsed in the
``\fRC\fR''
locale.
.PP
A
\fRPlugin\fR
line consists of the
\fRPlugin\fR
keyword, followed by the
\fIsymbol_name\fR
and the
\fIpath\fR
to the shared object containing the plugin.
The
\fIsymbol_name\fR
is the name of the
\fRstruct policy_plugin\fR
or
\fRstruct io_plugin\fR
in the plugin shared object.
The
\fIpath\fR
may be fully qualified or relative.
If not fully qualified it is relative to the
\fI@PLUGINDIR@\fR
directory.
Any additional parameters after the
\fIpath\fR
are passed as options to the plugin's
\fBopen\fR()
function.
Lines that don't begin with
\fRPlugin\fR,
\fRPath\fR,
\fRDebug\fR
or
\fRSet\fR
are silently ignored.
.PP
The same shared object may contain multiple plugins, each with a
different symbol name.
The shared object file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.nf
.sp
.RS 0n
#
# Default @sysconfdir@/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @PLUGINDIR@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
.RE
.fi
.SS "Policy plugin API"
A policy plugin must declare and populate a
\fRpolicy_plugin\fR
@@ -130,7 +55,7 @@ This structure contains pointers to the functions that implement the
\fBsudo\fR
policy checks.
The name of the symbol should be specified in
\fI@sysconfdir@/sudo.conf\fR
sudo.conf(@mansectform@)
along with a path to the plugin so that
\fBsudo\fR
can load it.
@@ -260,66 +185,19 @@ A comma-separated list of debug flags that correspond to
\fBsudo\fR's
\fRDebug\fR
entry in
\fI@sysconfdir@/sudo.conf\fR,
sudo.conf(@mansectform@),
if there is one.
The flags are passed to the plugin as they appear in
\fI@sysconfdir@/sudo.conf\fR.
sudo.conf(@mansectform@).
The syntax used by
\fBsudo\fR
and the
\fIsudoers\fR
\fBsudoers\fR
plugin is
\fIsubsystem\fR@\fIpriority\fR
but the plugin is free to use a different
format so long as it does not include a comma
(`,\&').
.sp
For reference, the priorities supported by the
\fBsudo\fR
front end and
\fIsudoers\fR
are:
\fIcrit\fR,
\fIerr\fR,
\fIwarn\fR,
\fInotice\fR,
\fIdiag\fR,
\fIinfo\fR,
\fItrace\fR
and
\fIdebug\fR.
.sp
The following subsystems are defined:
\fImain\fR,
\fImemory\fR,
\fIargs\fR,
\fIexec\fR,
\fIpty\fR,
\fIutmp\fR,
\fIconv\fR,
\fIpcomm\fR,
\fIutil\fR,
\fIlist\fR,
\fInetif\fR,
\fIaudit\fR,
\fIedit\fR,
\fIselinux\fR,
\fIldap\fR,
\fImatch\fR,
\fIparser\fR,
\fIalias\fR,
\fIdefaults\fR,
\fIauth\fR,
\fIenv\fR,
\fIlogging\fR,
\fInss\fR,
\fIrbtree\fR,
\fIperms\fR,
\fIplugin\fR.
The subsystem
\fIall\fR
includes every subsystem.
.sp
There is not currently a way to specify a set of debug flags specific
to the plugin--the flags are shared by
\fBsudo\fR
@@ -542,8 +420,8 @@ to.
Only available starting with API version 1.2
.TP 6n
tcpgid=int
The ID of the forground process group associated with the terminal
device associcated with the
The ID of the foreground process group associated with the terminal
device associated with the
\fBsudo\fR
process or \-1 if there is no
terminal present.
@@ -1178,7 +1056,7 @@ is run with the
\fB\-v\fR
flag.
For policy plugins such as
\fIsudoers\fR
\fBsudoers\fR
that cache
authentication credentials, this function will validate and cache
the credentials.
@@ -1222,7 +1100,7 @@ or
\fB\-K\fR
flag.
For policy plugins such as
\fIsudoers\fR
\fBsudoers\fR
that
cache authentication credentials, this function will invalidate the
credentials.
@@ -2359,8 +2237,7 @@ user-visible.
Instead, they are logged to the file specified in the
\fRDebug\fR
statement (if any) in the
\fI@sysconfdir@/sudo.conf\fR
.PP
sudo.conf(@mansectform@).
file.
This allows a plugin to log debugging information and is intended
to be used in conjunction with the
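Review bot: "sudo.conf(@mansectform@)." followed on the next line by "file." renders as "sudo.conf(5). file." with a doubled period; the trailing period on the sudo.conf line should go. This file is generated from the mdoc source, so the change needs to be made there (in the .Xr line) rather than here.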
@@ -2372,8 +2249,8 @@ See the sample plugin for an example of the
function usage.
.SS "Sudoers group plugin API"
The
\fIsudoers\fR
module supports a plugin interface to allow non-Unix
\fBsudoers\fR
plugin supports its own plugin interface to allow non-Unix
group lookups.
This can be used to query a group source other than the standard Unix
group database.
@@ -2411,7 +2288,7 @@ The
field should be set to GROUP_API_VERSION.
.sp
This allows
\fIsudoers\fR
\fBsudoers\fR
to determine the API version the group plugin
was built against.
.TP 6n
@@ -2443,10 +2320,10 @@ The function arguments are as follows:
.TP 6n
version
The version passed in by
\fIsudoers\fR
\fBsudoers\fR
allows the plugin to determine the
major and minor version number of the group plugin API supported by
\fIsudoers\fR.
\fBsudoers\fR.
.TP 6n
plugin_printf
A pointer to a
@@ -2480,7 +2357,7 @@ void (*cleanup)();
The
\fBcleanup\fR()
function is called when
\fIsudoers\fR
\fBsudoers\fR
has finished its
group checks.
The plugin should free any memory it has allocated and close open file handles.
@@ -2567,8 +2444,8 @@ Version 1.2
The Policy and I/O logging plugins'
\fBopen\fR()
functions are now passed
a list of plugin options if any are specified in
\fI@sysconfdir@/sudo.conf\fR.
a list of plugin parameters if any are specified in
sudo.conf(@mansectform@).
.sp
A simple hooks API has been introduced to allow plugins to hook in to the
system's environment handling functions.
@@ -2592,6 +2469,7 @@ The
front end now installs default signal handlers to trap common signals
while the plugin functions are run.
.SH "SEE ALSO"
sudo.conf(@mansectform@),
sudoers(@mansectform@),
sudo(@mansectsu@)
.SH "BUGS"

View File

@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd Janurary 11, 2013
.Dd February 5, 2013
.Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -26,14 +26,14 @@ Starting with version 1.8,
supports a plugin API
for policy and session logging.
By default, the
.Em sudoers
.Nm sudoers
policy plugin and an associated I/O logging plugin are used.
Via the plugin API,
.Nm sudo
can be configured to use alternate policy and/or I/O logging plugins
provided by third parties.
The plugins to be used are specified via the
.Pa @sysconfdir@/sudo.conf
The plugins to be used are specified in the
.Xr sudo.conf @mansectform@
file.
.Pp
The API is versioned with a major and minor number.
@@ -45,78 +45,6 @@ major version matches.
The plugin API is defined by the
.Li sudo_plugin.h
header file.
.Ss The sudo.conf file
The
.Pa @sysconfdir@/sudo.conf
file contains plugin configuration directives.
The primary keyword is the
.Li Plugin
directive, which causes a plugin to be loaded.
It is always parsed in the
.Dq Li C
locale.
.Pp
A
.Li Plugin
line consists of the
.Li Plugin
keyword, followed by the
.Em symbol_name
and the
.Em path
to the shared object containing the plugin.
The
.Em symbol_name
is the name of the
.Li struct policy_plugin
or
.Li struct io_plugin
in the plugin shared object.
The
.Em path
may be fully qualified or relative.
If not fully qualified it is relative to the
.Pa @PLUGINDIR@
directory.
Any additional parameters after the
.Em path
are passed as options to the plugin's
.Fn open
function.
Lines that don't begin with
.Li Plugin ,
.Li Path ,
.Li Debug
or
.Li Set
are silently ignored.
.Pp
The same shared object may contain multiple plugins, each with a
different symbol name.
The shared object file must be owned by uid 0 and only writable by its owner.
Because of ambiguities that arise from composite policies, only a single
policy plugin may be specified.
This limitation does not apply to I/O plugins.
.Bd -literal
#
# Default @sysconfdir@/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @PLUGINDIR@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
.Ed
.Ss Policy plugin API
A policy plugin must declare and populate a
.Li policy_plugin
@@ -125,7 +53,7 @@ This structure contains pointers to the functions that implement the
.Nm sudo
policy checks.
The name of the symbol should be specified in
.Pa @sysconfdir@/sudo.conf
.Xr sudo.conf @mansectform@
along with a path to the plugin so that
.Nm sudo
can load it.
@@ -243,66 +171,19 @@ A comma-separated list of debug flags that correspond to
.Nm sudo Ns No 's
.Li Debug
entry in
.Pa @sysconfdir@/sudo.conf ,
.Xr sudo.conf @mansectform@ ,
if there is one.
The flags are passed to the plugin as they appear in
.Pa @sysconfdir@/sudo.conf .
.Xr sudo.conf @mansectform@ .
The syntax used by
.Nm sudo
and the
.Em sudoers
.Nm sudoers
plugin is
.Em subsystem Ns No @ Ns Em priority
but the plugin is free to use a different
format so long as it does not include a comma
.Pq Ql ,\& .
.Pp
For reference, the priorities supported by the
.Nm sudo
front end and
.Em sudoers
are:
.Em crit ,
.Em err ,
.Em warn ,
.Em notice ,
.Em diag ,
.Em info ,
.Em trace
and
.Em debug .
.Pp
The following subsystems are defined:
.Em main ,
.Em memory ,
.Em args ,
.Em exec ,
.Em pty ,
.Em utmp ,
.Em conv ,
.Em pcomm ,
.Em util ,
.Em list ,
.Em netif ,
.Em audit ,
.Em edit ,
.Em selinux ,
.Em ldap ,
.Em match ,
.Em parser ,
.Em alias ,
.Em defaults ,
.Em auth ,
.Em env ,
.Em logging ,
.Em nss ,
.Em rbtree ,
.Em perms ,
.Em plugin .
The subsystem
.Em all
includes every subsystem.
.Pp
There is not currently a way to specify a set of debug flags specific
to the plugin--the flags are shared by
.Nm sudo
@@ -496,8 +377,8 @@ process belongs
to.
Only available starting with API version 1.2
.It tcpgid=int
The ID of the forground process group associated with the terminal
device associcated with the
The ID of the foreground process group associated with the terminal
device associated with the
.Nm sudo
process or \-1 if there is no
terminal present.
@@ -1038,7 +919,7 @@ is run with the
.Fl v
flag.
For policy plugins such as
.Em sudoers
.Nm sudoers
that cache
authentication credentials, this function will validate and cache
the credentials.
@@ -1074,7 +955,7 @@ or
.Fl K
flag.
For policy plugins such as
.Em sudoers
.Nm sudoers
that
cache authentication credentials, this function will invalidate the
credentials.
@@ -2047,8 +1928,7 @@ user-visible.
Instead, they are logged to the file specified in the
.Li Debug
statement (if any) in the
.Pa @sysconfdir@/sudo.conf
.Pp
.Xr sudo.conf @mansectform@ .
file.
This allows a plugin to log debugging information and is intended
to be used in conjunction with the
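Review bot: The trailing period argument on `.Xr sudo.conf @mansectform@ .` is wrong here because the sentence continues on the next line with `file.`; as written it renders "sudo.conf(4). file." Change the line to `.Xr sudo.conf @mansectform@` (no punctuation argument) so the generated .man and .cat files come out as "in the sudo.conf(4) file." Removing the stray `.Pp` that split the sentence into two paragraphs is correct.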
@@ -2060,8 +1940,8 @@ See the sample plugin for an example of the
function usage.
.Ss Sudoers group plugin API
The
.Em sudoers
module supports a plugin interface to allow non-Unix
.Nm sudoers
plugin supports its own plugin interface to allow non-Unix
group lookups.
This can be used to query a group source other than the standard Unix
group database.
@@ -2096,7 +1976,7 @@ The
field should be set to GROUP_API_VERSION.
.Pp
This allows
.Em sudoers
.Nm sudoers
to determine the API version the group plugin
was built against.
.It init
@@ -2124,10 +2004,10 @@ The function arguments are as follows:
.Bl -tag -width 4n
.It version
The version passed in by
.Em sudoers
.Nm sudoers
allows the plugin to determine the
major and minor version number of the group plugin API supported by
.Em sudoers .
.Nm sudoers .
.It plugin_printf
A pointer to a
.Fn printf Ns No -style
@@ -2153,7 +2033,7 @@ void (*cleanup)();
The
.Fn cleanup
function is called when
.Em sudoers
.Nm sudoers
has finished its
group checks.
The plugin should free any memory it has allocated and close open file handles.
@@ -2223,8 +2103,8 @@ list as an argument.
The Policy and I/O logging plugins'
.Fn open
functions are now passed
a list of plugin options if any are specified in
.Pa @sysconfdir@/sudo.conf .
a list of plugin parameters if any are specified in
.Xr sudo.conf @mansectform@ .
.Pp
A simple hooks API has been introduced to allow plugins to hook in to the
system's environment handling functions.
@@ -2248,6 +2128,7 @@ front end now installs default signal handlers to trap common signals
while the plugin functions are run.
.El
.Sh SEE ALSO
.Xr sudo.conf @mansectform@ ,
.Xr sudoers @mansectform@ ,
.Xr sudo @mansectsu@
.Sh BUGS

View File

@@ -1,15 +1,57 @@
SUDOERS(4) Programmer's Manual SUDOERS(4)
NNAAMMEE
ssuuddooeerrss - default sudo security policy module
ssuuddooeerrss - default sudo security policy plugin
DDEESSCCRRIIPPTTIIOONN
The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is the
The _s_u_d_o_e_r_s policy plugin determines a user's ssuuddoo privileges. It is the
default ssuuddoo policy plugin. The policy is driven by the _/_e_t_c_/_s_u_d_o_e_r_s
file or, optionally in LDAP. The policy format is described in detail in
the _S_U_D_O_E_R_S _F_I_L_E _F_O_R_M_A_T section. For information on storing _s_u_d_o_e_r_s
policy information in LDAP, please see sudoers.ldap(4).
CCoonnffiigguurriinngg ssuuddoo..ccoonnff ffoorr ssuuddooeerrss
ssuuddoo consults the sudo.conf(4) file to determine which policy and and I/O
logging plugins to load. If no sudo.conf(4) file is present, or if it
contains no Plugin lines, ssuuddooeerrss will be used for policy decisions and
I/O logging. To explicitly configure sudo.conf(4) to use the ssuuddooeerrss
plugin, the following configuration can be used.
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
Starting with ssuuddoo 1.8.5, it is possible to specify optional arguments to
the ssuuddooeerrss plugin in the sudo.conf(4) file. These arguments, if
present, should be listed after the path to the plugin (i.e. after
_s_u_d_o_e_r_s_._s_o). Multiple arguments may be specified, separated by white
space. For example:
Plugin sudoers_policy sudoers.so sudoers_mode=0400
The following plugin arguments are supported:
sudoers_file=pathname
The _s_u_d_o_e_r_s___f_i_l_e arguments can be used to override the default
path to the _s_u_d_o_e_r_s file.
sudoers_uid=uid
The _s_u_d_o_e_r_s___u_i_d arguments can be used to override the default
owner of the sudoers file. It should be specified as a numeric
user ID.
sudoers_gid=gid
The _s_u_d_o_e_r_s___g_i_d arguments can be used to override the default
group of the sudoers file. It must be specified as a numeric
group ID (not a group name).
sudoers_mode=mode
The _s_u_d_o_e_r_s___m_o_d_e arguments can be used to override the default
file mode for the sudoers file. It should be specified as an
octal value.
For more information on configuring sudo.conf(4), please refer to its
manual.
AAuutthheennttiiccaattiioonn aanndd llooggggiinngg
The _s_u_d_o_e_r_s security policy requires that most users authenticate
themselves before they can use ssuuddoo. A password is not required if the
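Review bot: The two configuration examples in the new "Configuring sudo.conf for sudoers" section disagree on the plugin symbol names: the first shows "Plugin policy_plugin sudoers.so" and "Plugin io_plugin sudoers.so", the second shows "Plugin sudoers_policy sudoers.so sudoers_mode=0400". The sudo_plugin manual defines the symbol name as "the name of the struct policy_plugin or struct io_plugin in the plugin shared object", and its own default sudo.conf (removed in this same commit) used sudoers_policy and sudoers_io, so the first example should use those names; an administrator copying "policy_plugin" would get a plugin that fails to load. Smaller points in the same hunk: "which policy and and I/O logging plugins" has a doubled "and"; "The sudoers_file arguments can be used" (and the three following entries) should be singular, "argument"; and sudoers_uid says it "should be specified as a numeric user ID" while sudoers_gid says it "must be specified as a numeric group ID (not a group name)". Use the same wording for both so readers do not infer that a user name is accepted for one and not the other.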
@@ -1253,9 +1295,9 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
escape %h will expand to the host name of the machine.
Default is ``*** SECURITY information for %h ***''.
noexec_file This option is no longer supported. The path to the
noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
file.
noexec_file As of ssuuddoo version 1.8.1 this option is no longer
supported. The path to the noexec file should now be
set in the sudo.conf(4) file.
passprompt The default prompt to use when asking for a password;
can be overridden via the --pp option or the SUDO_PROMPT
@@ -1600,9 +1642,9 @@ LLOOGG FFOORRMMAATT
when the _s_u_d_o_e_r_s file is located on a remote file system that maps
user ID 0 to a different value. Normally, ssuuddooeerrss tries to open
_s_u_d_o_e_r_s using group permissions to avoid this problem. Consider
changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s by adding an option like
``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
file) to the ssuuddooeerrss plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
either changing the ownership of _/_e_t_c_/_s_u_d_o_e_r_s or adding an argument
like ``sudoers_uid=N'' (where `N' is the user ID that owns the _s_u_d_o_e_r_s
file) to the end of the ssuuddooeerrss Plugin line in the sudo.conf(4) file.
unable to stat /etc/sudoers
The _/_e_t_c_/_s_u_d_o_e_r_s file is missing.
@@ -1614,21 +1656,21 @@ LLOOGG FFOORRMMAATT
/etc/sudoers is owned by uid N, should be 0
The _s_u_d_o_e_r_s file has the wrong owner. If you wish to change the
_s_u_d_o_e_r_s file owner, please add ``sudoers_uid=N'' (where `N' is the
user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin line in the
_/_e_t_c_/_s_u_d_o_._c_o_n_f file.
user ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin line in the
sudo.conf(4) file.
/etc/sudoers is world writable
The permissions on the _s_u_d_o_e_r_s file allow all users to write to it.
The _s_u_d_o_e_r_s file must not be world-writable, the default file mode is
0440 (readable by owner and group, writable by none). The default
mode may be changed via the ``sudoers_mode'' option to the ssuuddooeerrss
plugin line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
Plugin line in the sudo.conf(4) file.
/etc/sudoers is owned by gid N, should be 1
The _s_u_d_o_e_r_s file has the wrong group ownership. If you wish to change
the _s_u_d_o_e_r_s file group ownership, please add ``sudoers_gid=N'' (where
`N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss plugin
line in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
`N' is the group ID that owns the _s_u_d_o_e_r_s file) to the ssuuddooeerrss Plugin
line in the sudo.conf(4) file.
unable to open /var/adm/sudo/username/ttyname
_s_u_d_o_e_r_s was unable to read or create the user's time stamp file.
@@ -1668,110 +1710,6 @@ LLOOGG FFOORRMMAATT
_l_o_g_l_i_n_e_l_e_n option is set to 0 (or negated with a `!'), word wrap
will be disabled.
SSUUDDOO..CCOONNFF
The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end will
load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no Plugin
lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O logging, which
corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file.
#
# Default /etc/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to /usr/local/libexec unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
PPlluuggiinn ooppttiioonnss
Starting with ssuuddoo 1.8.5, it is possible to pass options to the _s_u_d_o_e_r_s
plugin. Options may be listed after the path to the plugin (i.e. after
_s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example:
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
The following plugin options are supported:
sudoers_file=pathname
The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default
path to the _s_u_d_o_e_r_s file.
sudoers_uid=uid
The _s_u_d_o_e_r_s___u_i_d option can be used to override the default
owner of the sudoers file. It should be specified as a numeric
user ID.
sudoers_gid=gid
The _s_u_d_o_e_r_s___g_i_d option can be used to override the default
group of the sudoers file. It should be specified as a numeric
group ID.
sudoers_mode=mode
The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default
file mode for the sudoers file. It should be specified as an
octal value.
DDeebbuugg ffllaaggss
Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin support a debugging
framework that can help track down what the plugin is doing internally if
there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file as
described in sudo(1m).
The _s_u_d_o_e_r_s plugin uses the same debug flag format as the ssuuddoo front-end:
_s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are:
_c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority,
when specified, also includes all priorities higher than it. For
example, a priority of _n_o_t_i_c_e would include debug messages logged at
_n_o_t_i_c_e and higher.
The following subsystems are used by _s_u_d_o_e_r_s:
_a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
_a_l_l matches every subsystem
_a_u_d_i_t BSM and Linux audit code
_a_u_t_h user authentication
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
_e_n_v environment handling
_l_d_a_p LDAP-based sudoers
_l_o_g_g_i_n_g logging support
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
_n_e_t_i_f network interface handling
_n_s_s network service switch handling in _s_u_d_o_e_r_s
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
_p_e_r_m_s permission setting
_p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin.
_p_t_y pseudo-tty related code
_r_b_t_r_e_e redblack tree internals
_u_t_i_l utility functions
FFIILLEESS
_/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration
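Review bot: The removed "Plugin options" example, "Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440", was the only place in this manual that spelled out the default values of all four options; the replacement section earlier in the file shows only "sudoers_mode=0400" and its per-argument descriptions say "override the default" without stating what the default is. Suggest stating the default path, owner, group and mode in each of the new sudoers_file/sudoers_uid/sudoers_gid/sudoers_mode entries, since administrators use those values to check ownership and permissions against the "is owned by uid N, should be 0" and "is world writable" diagnostics documented further down.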
@@ -2100,8 +2038,64 @@ SSEECCUURRIITTYY NNOOTTEESS
stamp file is stale and will ignore it. Administrators should not rely
on this feature as it is not universally available.
DDEEBBUUGGGGIINNGG
Versions 1.8.4 and higher of the ssuuddooeerrss plugin support a flexible
debugging framework that can help track down what the plugin is doing
internally if there is a problem. This can be configured in the
sudo.conf(4) file.
The ssuuddooeerrss plugin uses the same debug flag format as the ssuuddoo front-end:
_s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y.
The priorities used by ssuuddooeerrss, in order of decreasing severity, are:
_c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority,
when specified, also includes all priorities higher than it. For
example, a priority of _n_o_t_i_c_e would include debug messages logged at
_n_o_t_i_c_e and higher.
The following subsystems are used by the ssuuddooeerrss plugin:
_a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
_a_l_l matches every subsystem
_a_u_d_i_t BSM and Linux audit code
_a_u_t_h user authentication
_d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings
_e_n_v environment handling
_l_d_a_p LDAP-based sudoers
_l_o_g_g_i_n_g logging support
_m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s
_n_e_t_i_f network interface handling
_n_s_s network service switch handling in _s_u_d_o_e_r_s
_p_a_r_s_e_r _s_u_d_o_e_r_s file parsing
_p_e_r_m_s permission setting
_p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin.
_p_t_y pseudo-tty related code
_r_b_t_r_e_e redblack tree internals
_u_t_i_l utility functions
For example:
Debug sudo /var/log/sudo_debug match@info,nss@info
For more information, see the sudo.conf(4) manual.
SSEEEE AALLSSOO
ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
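Review bot: Style nits in the moved DEBUGGING text: "redblack tree internals" should be "red-black tree internals", and "the sudo front-end" is hyphenated here while the FILES entry in the same file says "Sudo front end configuration"; pick one form. The added example "Debug sudo /var/log/sudo_debug match@info,nss@info" is a good concrete illustration; it would help to add that lower priorities such as info produce large logs and that the file should not be world-readable, given that the match and auth subsystems log policy decisions.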
CCAAVVEEAATTSS
@@ -2131,4 +2125,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
complete details.
Sudo 1.8.7 January 27, 2013 Sudo 1.8.7
Sudo 1.8.7 February 5, 2013 Sudo 1.8.7

View File

@@ -2,7 +2,7 @@
.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
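Review bot: The two copyright lines ".\" Todd C. Miller <Todd.Miller@courtesan.com>" are identical as rendered, so this hunk appears to be a whitespace-only change to a comment line. If that is the case it is unrelated to the sudo.conf cross-reference work and could be dropped from this commit to keep the diff focused; if there is an intended change, the rendered view does not show it.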
@@ -21,16 +21,16 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "@mansectsu@" "January 27, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.TH "SUDOERS" "@mansectsu@" "February 5, 2013" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
\fBsudoers\fR
\- default sudo security policy module
\- default sudo security policy plugin
.SH "DESCRIPTION"
The
\fIsudoers\fR
policy module determines a user's
policy plugin determines a user's
\fBsudo\fR
privileges.
It is the default
@@ -48,6 +48,81 @@ For information on storing
policy information
in LDAP, please see
sudoers.ldap(@mansectform@).
.SS "Configuring sudo.conf for sudoers"
\fBsudo\fR
consults the
sudo.conf(@mansectform@)
file to determine which policy and and I/O logging plugins to load.
If no
sudo.conf(@mansectform@)
file is present, or if it contains no
\fRPlugin\fR
lines,
\fBsudoers\fR
will be used for policy decisions and I/O logging.
To explicitly configure
sudo.conf(@mansectform@)
to use the
\fBsudoers\fR
plugin, the following configuration can be used.
.nf
.sp
.RS 6n
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
.RE
.fi
.PP
Starting with
\fBsudo\fR
1.8.5, it is possible to specify optional arguments to the
\fBsudoers\fR
plugin in the
sudo.conf(@mansectform@)
file.
These arguments, if present, should be listed after the path to the plugin
(i.e.\& after
\fIsudoers.so\fR).
Multiple arguments may be specified, separated by white space.
For example:
.nf
.sp
.RS 6n
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.RE
.fi
.PP
The following plugin arguments are supported:
.TP 10n
sudoers_file=pathname
The
\fIsudoers_file\fR
arguments can be used to override the default path
to the
\fIsudoers\fR
file.
.TP 10n
sudoers_uid=uid
The
\fIsudoers_uid\fR
arguments can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
.TP 10n
sudoers_gid=gid
The
\fIsudoers_gid\fR
arguments can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name).
.TP 10n
sudoers_mode=mode
The
\fIsudoers_mode\fR
arguments can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.PP
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SS "Authentication and logging"
The
\fIsudoers\fR
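Review bot: the defects in this new subsection need to be fixed in sudoers.mdoc.in and this file regenerated, since the header at the top of this file says it is generated automatically from the mdoc source: the doubled 'and and' in `file to determine which policy and and I/O logging plugins to load.`, the plural 'arguments can be used' under each single-argument entry, and the plugin names `Plugin policy_plugin sudoers.so` / `Plugin io_plugin sudoers.so` in the first example versus `Plugin sudoers_policy sudoers.so sudoers_mode=0400` in the second. Hand edits to the .man.in would be lost on the next regeneration.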
@@ -2652,9 +2727,11 @@ Default is
``\fR@mailsub@\fR''.
.TP 18n
noexec_file
This option is no longer supported.
As of
\fBsudo\fR
version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set in the
\fI@sysconfdir@/sudo.conf\fR
sudo.conf(@mansectform@)
file.
.TP 18n
passprompt
@@ -3317,18 +3394,19 @@ Normally,
tries to open
\fIsudoers\fR
using group permissions to avoid this problem.
Consider changing the ownership of
Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR
by adding an option like
or adding an argument like
``sudoers_uid=N''
(where
`N'
is the user ID that owns the
\fIsudoers\fR
file) to the
file) to the end of the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
\fRPlugin\fR
line in the
sudo.conf(@mansectform@)
file.
.TP 3n
unable to stat @sysconfdir@/sudoers
@@ -3355,8 +3433,9 @@ is the user ID that owns the
\fIsudoers\fR
file) to the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
\fRPlugin\fR
line in the
sudo.conf(@mansectform@)
file.
.TP 3n
@sysconfdir@/sudoers is world writable
@@ -3371,8 +3450,9 @@ The default mode may be changed via the
``sudoers_mode''
option to the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
\fRPlugin\fR
line in the
sudo.conf(@mansectform@)
file.
.TP 3n
@sysconfdir@/sudoers is owned by gid N, should be 1
@@ -3389,8 +3469,9 @@ is the group ID that owns the
\fIsudoers\fR
file) to the
\fBsudoers\fR
plugin line in the
\fI@sysconfdir@/sudo.conf\fR
\fRPlugin\fR
line in the
sudo.conf(@mansectform@)
file.
.TP 3n
unable to open @timedir@/username/ttyname
@@ -3470,193 +3551,6 @@ If the
option is set to 0 (or negated with a
`\&!'),
word wrap will be disabled.
.SH "SUDO.CONF"
The
\fI@sysconfdir@/sudo.conf\fR
file determines which plugins the
\fBsudo\fR
front end will load.
If no
\fI@sysconfdir@/sudo.conf\fR
file
is present, or it contains no
\fRPlugin\fR
lines,
\fBsudo\fR
will use the
\fIsudoers\fR
security policy and I/O logging, which corresponds to the following
\fI@sysconfdir@/sudo.conf\fR
file.
.nf
.sp
.RS 0n
#
# Default @sysconfdir@/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @PLUGINDIR@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
.RE
.fi
.SS "Plugin options"
Starting with
\fBsudo\fR
1.8.5, it is possible to pass options to the
\fIsudoers\fR
plugin.
Options may be listed after the path to the plugin (i.e.\& after
\fIsudoers.so\fR);
multiple options should be space-separated.
For example:
.nf
.sp
.RS 0n
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
.RE
.fi
.PP
The following plugin options are supported:
.TP 10n
sudoers_file=pathname
The
\fIsudoers_file\fR
option can be used to override the default path
to the
\fIsudoers\fR
file.
.TP 10n
sudoers_uid=uid
The
\fIsudoers_uid\fR
option can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
.TP 10n
sudoers_gid=gid
The
\fIsudoers_gid\fR
option can be used to override the default group of the sudoers file.
It should be specified as a numeric group ID.
.TP 10n
sudoers_mode=mode
The
\fIsudoers_mode\fR
option can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.SS "Debug flags"
Versions 1.8.4 and higher of the
\fIsudoers\fR
plugin support a debugging framework that can help track down what the
plugin is doing internally if there is a problem.
This can be configured in the
\fI@sysconfdir@/sudo.conf\fR
file as described in
sudo(@mansectsu@).
.PP
The
\fIsudoers\fR
plugin uses the same debug flag format as the
\fBsudo\fR
front-end:
\fIsubsystem\fR@\fIpriority\fR.
.PP
The priorities used by
\fIsudoers\fR,
in order of decreasing severity,
are:
\fIcrit\fR,
\fIerr\fR,
\fIwarn\fR,
\fInotice\fR,
\fIdiag\fR,
\fIinfo\fR,
\fItrace\fR
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The following subsystems are used by
\fIsudoers\fR:
.TP 10n
\fIalias\fR
\fRUser_Alias\fR,
\fRRunas_Alias\fR,
\fRHost_Alias\fR
and
\fRCmnd_Alias\fR
processing
.TP 10n
\fIall\fR
matches every subsystem
.TP 10n
\fIaudit\fR
BSM and Linux audit code
.TP 10n
\fIauth\fR
user authentication
.TP 10n
\fIdefaults\fR
\fIsudoers\fR
\fIDefaults\fR
settings
.TP 10n
\fIenv\fR
environment handling
.TP 10n
\fIldap\fR
LDAP-based sudoers
.TP 10n
\fIlogging\fR
logging support
.TP 10n
\fImatch\fR
matching of users, groups, hosts and netgroups in
\fIsudoers\fR
.TP 10n
\fInetif\fR
network interface handling
.TP 10n
\fInss\fR
network service switch handling in
\fIsudoers\fR
.TP 10n
\fIparser\fR
\fIsudoers\fR
file parsing
.TP 10n
\fIperms\fR
permission setting
.TP 10n
\fIplugin\fR
The equivalent of
\fImain\fR
for the plugin.
.TP 10n
\fIpty\fR
pseudo-tty related code
.TP 10n
\fIrbtree\fR
redblack tree internals
.TP 10n
\fIutil\fR
utility functions
.SH "FILES"
.TP 26n
\fI@sysconfdir@/sudo.conf\fR
@@ -4309,6 +4203,117 @@ is able to determine when a tty-based time stamp file is stale and will
ignore it.
Administrators should not rely on this feature as it is not universally
available.
.SH "DEBUGGING"
Versions 1.8.4 and higher of the
\fBsudoers\fR
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
sudo.conf(@mansectform@)
file.
.PP
The
\fBsudoers\fR
plugin uses the same debug flag format as the
\fBsudo\fR
front-end:
\fIsubsystem\fR@\fIpriority\fR.
.PP
The priorities used by
\fBsudoers\fR,
in order of decreasing severity,
are:
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
and
\fIdebug\fR.
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
\fInotice\fR
would include debug messages logged at
\fInotice\fR
and higher.
.PP
The following subsystems are used by the
\fBsudoers\fR
plugin:
.TP 10n
\fIalias\fR
\fRUser_Alias\fR,
\fRRunas_Alias\fR,
\fRHost_Alias\fR
and
\fRCmnd_Alias\fR
processing
.TP 10n
\fIall\fR
matches every subsystem
.TP 10n
\fIaudit\fR
BSM and Linux audit code
.TP 10n
\fIauth\fR
user authentication
.TP 10n
\fIdefaults\fR
\fIsudoers\fR
\fIDefaults\fR
settings
.TP 10n
\fIenv\fR
environment handling
.TP 10n
\fIldap\fR
LDAP-based sudoers
.TP 10n
\fIlogging\fR
logging support
.TP 10n
\fImatch\fR
matching of users, groups, hosts and netgroups in
\fIsudoers\fR
.TP 10n
\fInetif\fR
network interface handling
.TP 10n
\fInss\fR
network service switch handling in
\fIsudoers\fR
.TP 10n
\fIparser\fR
\fIsudoers\fR
file parsing
.TP 10n
\fIperms\fR
permission setting
.TP 10n
\fIplugin\fR
The equivalent of
\fImain\fR
for the plugin.
.TP 10n
\fIpty\fR
pseudo-tty related code
.TP 10n
\fIrbtree\fR
redblack tree internals
.TP 10n
\fIutil\fR
utility functions
.PD 0
.PP
.PD
For example:
.nf
.sp
.RS 0n
Debug sudo /var/log/sudo_debug match@info,nss@info
.RE
.fi
.PP
For more information, see the
sudo.conf(@mansectform@)
manual.
.SH "SEE ALSO"
ssh(1),
su(1),
@@ -4316,6 +4321,7 @@ fnmatch(3),
glob(3),
mktemp(3),
strftime(3),
sudo.conf(@mansectform@),
sudoers.ldap(@mansectform@),
sudo_plugin(@mansectsu@),
sudo(@mansectsu@),


@@ -1,6 +1,6 @@
.\"
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
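Review bot: the two copyright lines at the top of this hunk read identically in the rendered diff, so the removed and added line differ only in whitespace. It is harmless, but it is unrelated to the commit's subject (removing duplicated sudo.conf text), and because the .man.in and .cat files are regenerated from this mdoc source it is also what produced the matching whitespace-only hunk at the top of sudoers.man.in; consider leaving it out or mentioning it in the commit message.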
@@ -19,16 +19,16 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd January 27, 2013
.Dd February 5, 2013
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Nm sudoers
.Nd default sudo security policy module
.Nd default sudo security policy plugin
.Sh DESCRIPTION
The
.Em sudoers
policy module determines a user's
policy plugin determines a user's
.Nm sudo
privileges.
It is the default
@@ -46,6 +46,73 @@ For information on storing
policy information
in LDAP, please see
.Xr sudoers.ldap @mansectform@ .
.Ss Configuring sudo.conf for sudoers
.Nm sudo
consults the
.Xr sudo.conf @mansectform@
file to determine which policy and and I/O logging plugins to load.
If no
.Xr sudo.conf @mansectform@
file is present, or if it contains no
.Li Plugin
lines,
.Nm sudoers
will be used for policy decisions and I/O logging.
To explicitly configure
.Xr sudo.conf @mansectform@
to use the
.Nm sudoers
plugin, the following configuration can be used.
.Bd -literal -offset indent
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
.Ed
.Pp
Starting with
.Nm sudo
1.8.5, it is possible to specify optional arguments to the
.Nm sudoers
plugin in the
.Xr sudo.conf @mansectform@
file.
These arguments, if present, should be listed after the path to the plugin
(i.e.\& after
.Pa sudoers.so ) .
Multiple arguments may be specified, separated by white space.
For example:
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.Ed
.Pp
The following plugin arguments are supported:
.Bl -tag -width 8n
.It sudoers_file=pathname
The
.Em sudoers_file
arguments can be used to override the default path
to the
.Em sudoers
file.
.It sudoers_uid=uid
The
.Em sudoers_uid
arguments can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
.It sudoers_gid=gid
The
.Em sudoers_gid
arguments can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name).
.It sudoers_mode=mode
The
.Em sudoers_mode
arguments can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.El
.Pp
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Ss Authentication and logging
The
.Em sudoers
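Review bot: the two examples in this new subsection name the plugin differently: `Plugin policy_plugin sudoers.so` / `Plugin io_plugin sudoers.so` in the first block versus `Plugin sudoers_policy sudoers.so sudoers_mode=0400` in the second. The SUDO.CONF text being removed further down in this file says the plugin name "corresponds to a global symbol in the plugin that contains the plugin interface structure", so only one of these spellings can actually load the plugin; use the correct symbol names (policy and I/O) in both examples, or a reader who copies the first block gets a sudo.conf that does not load what it claims to configure. Also in this hunk: `file to determine which policy and and I/O logging plugins to load.` has a doubled 'and'; each entry reads 'The sudoers_file arguments can be used' (and likewise for uid, gid and mode) although each describes a single argument; sudoers_uid says the value 'should' be a numeric user ID while sudoers_gid says it 'must' be numeric '(not a group name)', and if the same restriction holds for the uid it should be stated the same way for both. Finally, the example this subsection replaces (`Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440` in the removed section) showed all four arguments with the default mode, whereas the new example uses 0400, which drops the group read permission that the diagnostics text later in this file says sudoers normally relies on to open the file; either keep the fuller example or add a sentence on when a 0400 mode is appropriate.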
@@ -2481,9 +2548,11 @@ will expand to the host name of the machine.
Default is
.Dq Li @mailsub@ .
.It noexec_file
This option is no longer supported.
As of
.Nm sudo
version 1.8.1 this option is no longer supported.
The path to the noexec file should now be set in the
.Pa @sysconfdir@/sudo.conf
.Xr sudo.conf @mansectform@
file.
.It passprompt
The default prompt to use when asking for a password; can be overridden via the
@@ -3071,18 +3140,19 @@ Normally,
tries to open
.Em sudoers
using group permissions to avoid this problem.
Consider changing the ownership of
Consider either changing the ownership of
.Pa @sysconfdir@/sudoers
by adding an option like
or adding an argument like
.Dq sudoers_uid=N
(where
.Sq N
is the user ID that owns the
.Em sudoers
file) to the
file) to the end of the
.Nm sudoers
plugin line in the
.Pa @sysconfdir@/sudo.conf
.Li Plugin
line in the
.Xr sudo.conf @mansectform@
file.
.It unable to stat @sysconfdir@/sudoers
The
@@ -3106,8 +3176,9 @@ is the user ID that owns the
.Em sudoers
file) to the
.Nm sudoers
plugin line in the
.Pa @sysconfdir@/sudo.conf
.Li Plugin
line in the
.Xr sudo.conf @mansectform@
file.
.It @sysconfdir@/sudoers is world writable
The permissions on the
@@ -3121,8 +3192,9 @@ The default mode may be changed via the
.Dq sudoers_mode
option to the
.Nm sudoers
plugin line in the
.Pa @sysconfdir@/sudo.conf
.Li Plugin
line in the
.Xr sudo.conf @mansectform@
file.
.It @sysconfdir@/sudoers is owned by gid N, should be 1
The
@@ -3138,8 +3210,9 @@ is the group ID that owns the
.Em sudoers
file) to the
.Nm sudoers
plugin line in the
.Pa @sysconfdir@/sudo.conf
.Li Plugin
line in the
.Xr sudo.conf @mansectform@
file.
.It unable to open @timedir@/username/ttyname
.Em sudoers
@@ -3216,170 +3289,6 @@ option is set to 0 (or negated with a
.Ql \&! ) ,
word wrap will be disabled.
.El
.Sh SUDO.CONF
The
.Pa @sysconfdir@/sudo.conf
file determines which plugins the
.Nm sudo
front end will load.
If no
.Pa @sysconfdir@/sudo.conf
file
is present, or it contains no
.Li Plugin
lines,
.Nm sudo
will use the
.Em sudoers
security policy and I/O logging, which corresponds to the following
.Pa @sysconfdir@/sudo.conf
file.
.Bd -literal
#
# Default @sysconfdir@/sudo.conf file
#
# Format:
# Plugin plugin_name plugin_path plugin_options ...
# Path askpass /path/to/askpass
# Path noexec /path/to/sudo_noexec.so
# Debug sudo /var/log/sudo_debug all@warn
# Set disable_coredump true
#
# The plugin_path is relative to @PLUGINDIR@ unless
# fully qualified.
# The plugin_name corresponds to a global symbol in the plugin
# that contains the plugin interface structure.
# The plugin_options are optional.
#
Plugin policy_plugin sudoers.so
Plugin io_plugin sudoers.so
.Ed
.Ss Plugin options
Starting with
.Nm sudo
1.8.5, it is possible to pass options to the
.Em sudoers
plugin.
Options may be listed after the path to the plugin (i.e.\& after
.Pa sudoers.so ) ;
multiple options should be space-separated.
For example:
.Bd -literal
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
.Ed
.Pp
The following plugin options are supported:
.Bl -tag -width 8n
.It sudoers_file=pathname
The
.Em sudoers_file
option can be used to override the default path
to the
.Em sudoers
file.
.It sudoers_uid=uid
The
.Em sudoers_uid
option can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
.It sudoers_gid=gid
The
.Em sudoers_gid
option can be used to override the default group of the sudoers file.
It should be specified as a numeric group ID.
.It sudoers_mode=mode
The
.Em sudoers_mode
option can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
.El
.Ss Debug flags
Versions 1.8.4 and higher of the
.Em sudoers
plugin support a debugging framework that can help track down what the
plugin is doing internally if there is a problem.
This can be configured in the
.Pa @sysconfdir@/sudo.conf
file as described in
.Xr sudo @mansectsu@ .
.Pp
The
.Em sudoers
plugin uses the same debug flag format as the
.Nm sudo
front-end:
.Em subsystem Ns No @ Ns Em priority .
.Pp
The priorities used by
.Em sudoers ,
in order of decreasing severity,
are:
.Em crit ,
.Em err ,
.Em warn ,
.Em notice ,
.Em diag ,
.Em info ,
.Em trace
and
.Em debug .
Each priority, when specified, also includes all priorities higher than it.
For example, a priority of
.Em notice
would include debug messages logged at
.Em notice
and higher.
.Pp
The following subsystems are used by
.Em sudoers :
.Bl -tag -width 8n
.It Em alias
.Li User_Alias ,
.Li Runas_Alias ,
.Li Host_Alias
and
.Li Cmnd_Alias
processing
.It Em all
matches every subsystem
.It Em audit
BSM and Linux audit code
.It Em auth
user authentication
.It Em defaults
.Em sudoers
.Em Defaults
settings
.It Em env
environment handling
.It Em ldap
LDAP-based sudoers
.It Em logging
logging support
.It Em match
matching of users, groups, hosts and netgroups in
.Em sudoers
.It Em netif
network interface handling
.It Em nss
network service switch handling in
.Em sudoers
.It Em parser
.Em sudoers
file parsing
.It Em perms
permission setting
.It Em plugin
The equivalent of
.Em main
for the plugin.
.It Em pty
pseudo-tty related code
.It Em rbtree
redblack tree internals
.It Em util
utility functions
.El
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
@@ -3962,6 +3871,96 @@ is able to determine when a tty-based time stamp file is stale and will
ignore it.
Administrators should not rely on this feature as it is not universally
available.
.Sh DEBUGGING
Versions 1.8.4 and higher of the
.Nm sudoers
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
.Xr sudo.conf @mansectform@
file.
.Pp
The
.Nm sudoers
plugin uses the same debug flag format as the
.Nm sudo
front-end:
.Em subsystem Ns No @ Ns Em priority .
.Pp
The priorities used by
.Nm sudoers ,
in order of decreasing severity,
are:
.Em crit , err , warn , notice , diag , info , trace
and
.Em debug .
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
.Em notice
would include debug messages logged at
.Em notice
and higher.
.Pp
The following subsystems are used by the
.Nm sudoers
plugin:
.Bl -tag -width 8n
.It Em alias
.Li User_Alias ,
.Li Runas_Alias ,
.Li Host_Alias
and
.Li Cmnd_Alias
processing
.It Em all
matches every subsystem
.It Em audit
BSM and Linux audit code
.It Em auth
user authentication
.It Em defaults
.Em sudoers
.Em Defaults
settings
.It Em env
environment handling
.It Em ldap
LDAP-based sudoers
.It Em logging
logging support
.It Em match
matching of users, groups, hosts and netgroups in
.Em sudoers
.It Em netif
network interface handling
.It Em nss
network service switch handling in
.Em sudoers
.It Em parser
.Em sudoers
file parsing
.It Em perms
permission setting
.It Em plugin
The equivalent of
.Em main
for the plugin.
.It Em pty
pseudo-tty related code
.It Em rbtree
redblack tree internals
.It Em util
utility functions
.El
For example:
.Bd -literal
Debug sudo /var/log/sudo_debug match@info,nss@info
.Ed
.Pp
For more information, see the
.Xr sudo.conf @mansectform@
manual.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr su 1 ,
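Review bot: the example `Debug sudo /var/log/sudo_debug match@info,nss@info` keys the plugin's debugging on the program name `sudo`, but nothing in this DEBUGGING section says that the sudoers plugin's debug output is controlled by the front end's Debug entry rather than by a line naming the plugin; one sentence to that effect would prevent readers from looking for a sudoers-specific Debug keyword that this manual never mentions. The section also defines only the single `subsystem@priority` form, yet the example joins two flags with a comma; say that multiple flags are comma-separated, or point at the exact part of sudo.conf(@mansectform@) that does, rather than the whole manual.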
@@ -3969,6 +3968,7 @@ available.
.Xr glob 3 ,
.Xr mktemp 3 ,
.Xr strftime 3 ,
.Xr sudo.conf @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudo_plugin @mansectsu@ ,
.Xr sudo @mansectsu@ ,